LinuxQuestions.org
Old 06-16-2014, 03:54 PM   #1
esso82
Member
 
Registered: Aug 2013
Location: Plymouth, UK
Distribution: SolydK
Posts: 45

Help setting up openVPN server


Hello guys, I know there are a few topics about this, but reading them, I couldn't use anything I'd understand, so I'm creating a new one.
I am going away from home and I'd like to access my home server as if I were physically connected to my home network. I've spent the past 2 days googling and setting up an openVPN server on my home server, but I haven't had much success so far. I must admit I don't understand everything around openVPN, so I came to ask you.

My goal:
Connect my laptop from outside of my home network to my home network using openVPN server installed on my home server and use home network resources, mainly samba shares and my home internet IP address. Also, is it possible to only get openVPN-server's public IP address, but use internet connection of the device connecting to it?

I've generated all keys and certificates. TLS is not working yet, so I commented that out in server.conf; I'll make that work after I'm able to get everything working the way I want.

I can connect to the server and ping it from the laptop, but DNS is not working; I can ping it only using its IP address.

My home network:
DHCP server + DNS server 192.168.0.1 (router)
Home Server 192.168.0.200 (running Debian 7.0)
Laptop DHCP assigned (usually 192.168.0.14)

my server.conf:
Code:
port 443
proto udp
dev tun
ca ca.crt
cert myserver.crt
key myserver.key
dh dh1024.pem
#tls-server
#tls-auth ta.key 0
ifconfig-pool-persist ipp.txt
server 10.1.0.0 255.255.255.0
ifconfig 10.1.0.1 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route 192.168.0.0 255.255.255.0 10.1.0.1"
client-config-dir ccd
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
client-to-client
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
log /var/log/openvpn-server.log
status /var/log/openvpn-status.log
verb 6
If it looks messed up, it's because I followed multiple tutorials and I couldn't get any of them working, so I started to play with it and now I can at least connect, but that's about it.

Can anyone help please?
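As an added example (not the poster's code), a small Python checker run over an excerpt of the server.conf above; it flags the points a reviewer would raise about this config: tls-auth disabled, 1024-bit DH, an explicit `ifconfig` next to `server`, a pushed route with a hard-coded gateway, and routes for subnets (192.168.1.0/24) that are not behind the server. HOME_LAN is taken from the network description in the post; `tls-crypt` is the newer alternative to tls-auth.

```python
from ipaddress import ip_network

# Excerpt of the server.conf posted above; only the lines the checks below look at.
POSTED_CONF = """\
dh dh1024.pem
#tls-auth ta.key 0
server 10.1.0.0 255.255.255.0
ifconfig 10.1.0.1 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route 192.168.0.0 255.255.255.0 10.1.0.1"
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
"""
HOME_LAN = ip_network("192.168.0.0/24")  # the only LAN behind the server, per the post


def parse_conf(text):
    """Yield active directives as token lists; push "route a b" becomes ['push', 'route', 'a', 'b']."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            yield line.replace('"', "").split()


def lint(text):
    """Return human-readable findings for an OpenVPN server config in tun (routed) mode."""
    directives = list(parse_conf(text))
    names = {d[0] for d in directives}
    findings = []
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: control channel packets are not HMAC protected")
    for d in directives:
        if d[0] == "dh" and "1024" in d[1]:
            findings.append(f"{d[1]}: 1024-bit DH is weak, generate 2048 bits or more")
        if d[0] == "ifconfig" and "server" in names:
            findings.append("ifconfig: 'server' already sets the tunnel address, remove the explicit ifconfig")
        # 'route X' and 'push route X' both name a network that must sit behind this server
        route = d[1:] if d[0] == "route" else d[2:] if d[:2] == ["push", "route"] else None
        if route:
            net = ip_network(f"{route[0]}/{route[1]}", strict=False)
            if net != HOME_LAN:
                findings.append(f"route {net}: not a network behind this server")
            if d[0] == "push" and len(route) >= 3:
                findings.append(f"push route {net}: drop gateway {route[2]}, OpenVPN fills in vpn_gateway")
    return findings


if __name__ == "__main__":
    for finding in lint(POSTED_CONF):
        print("-", finding)
```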
 
Old 06-16-2014, 04:45 PM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,123

You have a choice to make when setting up a VPN that seems to be poorly explained in the documentation. Do you want your remote laptop to be:

a) Bridged: looks like it is connected directly to your home network. Uses DHCP and DNS of the home net. All packets go through the tunnel and back out through the home gateway, so browsing will be slow. This is a layer 2 VPN and uses a "tap" interface on the server.

b) Routed: has two ports on the laptop. Those destined for the home network go through the VPN to a "tun" interface on the server, but you can route (layer 3) other traffic through the direct connection to the internet. This would make browsing faster, but doesn't give you the protection of going through your home server (and firewall). In this case, the laptop is NOT on the same subnet as the home network and will not see broadcast packets - so no DHCP, network neighborhood, browsing samba shares, home DNS, etc. You can still do most things by typing IP addresses or adding names+IPs to your hosts table.
 
Old 06-16-2014, 05:39 PM   #3
esso82
Member
 
Registered: Aug 2013
Location: Plymouth, UK
Distribution: SolydK
Posts: 45

Original Poster
Thank you for the reply, smallpond.

So, if I understand, using the "tun" method I should be able to do those things I described in the first post, but basically, I'll lose home DNS servicing and I need to add home machines to the hosts table (on the laptop?) and everything is fine ...

Or should I go back to pptp? There, it was easy to configure a range of "home" IP addresses and it "just" worked. My ISP at home is not blocking the pptp port (1173 I think it is? ... can't remember right now), and as it is "just" for my private use (thus 5 star security is not really needed), is there a big advantage of using openVPN over pptp?

EDIT: I just went googling again and found this: http://openvpn.net/index.php/open-so...wto.html#scope
It's late at night here, so my brain is not running at full speed, but I reckon that's what I'm looking for. I must admit that Linux networking is my weak point, so can you please have a quick look and tell me whether I'm going in the right direction?

Last edited by esso82; 06-16-2014 at 05:48 PM.
 
Old 06-16-2014, 06:17 PM   #4
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

I think you are missing something.

You set up a VPN server at home. In order to connect to that server you have to be able to reach it from outside your LAN. That is, reach it from the public internet.

You need the public IP address of your internet connection. I assume you have it because you said you were using pptp. If you don't have it, you have to find it (whatsmyip.com). If it is not fixed you need to rely on a service like dyndns.

Secondly, once you know your IP address you need to be sure your modem (which usually holds the firewall) forwards any incoming connection to your OpenVPN server. That is port 1194, which needs to be forwarded through your firewall.

jlinkels
 
Old 06-16-2014, 06:24 PM   #5
esso82
Member
 
Registered: Aug 2013
Location: Plymouth, UK
Distribution: SolydK
Posts: 45

Original Poster
Thank you, jlinkels, for your answer.

yes, I use no-ip.org to catch my dynamic public IP

Also, I forwarded UDP 443 on my router to the openVPN server host and added an iptables rule to allow tun traffic.

What looks weird to me is that if I ping 192.16.0.200 (openVPN server) it's a success, but pinging 192.168.0.1 (router) returns all packets dropped. Also I can't browse the internet with the current setup.
 
Old 06-17-2014, 12:15 PM   #6
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,123

Your OpenVPN server also needs to be routing packets. Check /proc/sys/net/ipv4/ip_forward
 
Old 06-17-2014, 01:47 PM   #7
esso82
Member
 
Registered: Aug 2013
Location: Plymouth, UK
Distribution: SolydK
Posts: 45

Original Poster
yes it's allowed, /proc/sys/net/ipv4/ip_forward returns net.ipv4.ip_forward = 1

I think you didn't understand what I need help with. All I need is for someone to write those "route" and "push route" directives for my case, i.e.: is this correct?
Code:
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route 192.168.0.0 255.255.255.0 10.1.0.1"
I roughly understand that when I, say, ping a machine (192.168.0.15) on server's side network from outside using the VPN tunnel, the packet goes from my laptop (10.8.0.2) via the tunnel to the openVPN server (10.8.0.1 / 192.168.0.200-home network) and there the magic happens. Does the packet's destination IP translate to the server's side network? (192.168.0.15) Or do I need to somehow set up the router as well? When the machine on server's side network answers, where does the packet go? To the gateway? (router - 192.168.0.1) How does the gateway know that packet for 192.168.0.10 should be routed to 192.168.0.200 and that machine will know where to send it?

And this is what I don't understand - how exactly it works. And mainly, what do I put into server.conf to make it work that way?
----------------------------------------------------------------
EDIT: I played around with it now, and it still confuses me, this is server.conf I use now:
Code:
port 443
proto udp
dev tun
ca ca.crt
cert myserver.crt
key myserver.key
dh dh1024.pem
#tls-server
#tls-auth ta.key 0
ifconfig-pool-persist ipp.txt
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 192.168.0.1"
push "route 192.168.0.0 255.255.255.0"
client-config-dir ccd
push "redirect-gateway def1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
log /var/log/openvpn-daemon.log
status /var/log/openvpn-status.log
verb 6
ccd/myclient contains single line:
Code:
192.168.0.15 255.255.255.0
and this is what I get: WHY 192.168.43.195?
Code:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1542  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:2832 (2.7 KiB)

wlan0     Link encap:Ethernet  HWaddr 0c:84:dc:88:0f:b5  
          inet addr:192.168.43.195  Bcast:192.168.43.255  Mask:255.255.255.0
          inet6 addr: fe80::e84:dcff:fe88:fb5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13297 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13370 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:10435229 (9.9 MiB)  TX bytes:2412493 (2.3 MiB)
EDIT AGAIN: ahh ... 192.168.43.195 is IP assigned from my phone, atm I'm connected to internet via phone

Last edited by esso82; 06-17-2014 at 02:34 PM.
 
Old 06-18-2014, 02:28 AM   #8
esso82
Member
 
Registered: Aug 2013
Location: Plymouth, UK
Distribution: SolydK
Posts: 45

Original Poster
OK, I was reading some more about networking generally and understood that in order to run an openVPN server on a machine other than the gateway itself (in "tun" mode), one must set a static route for the virtual subnet on the gateway. Unfortunately, my router (BT Home Hub 3) doesn't have such an option, so I give up for now, and when I upgrade the router I'll try again. I know that I could turn my home server into a DNS server, but it's not running 24/7 just yet and I don't have much free time to play around with it.

At least, I understand the concept of network routing and vpn now.

Thank you everyone for your answers.
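To illustrate the routing problem from posts #7 and #8 (an added example, not code from the thread), this Python model traces a ping from the laptop (10.8.0.2) to a LAN host (192.168.0.15) and its reply, with and without a static route for 10.8.0.0/24 on the router. The node names and routing tables are constructed from the addresses given in the thread; the model also shows why 192.168.0.200 answers (it has a route back through tun0) while a reply from 192.168.0.1 leaves via the default route.

```python
from copy import deepcopy
from ipaddress import ip_address, ip_network

# Constructed model of the poster's setup: OpenVPN in tun mode on 192.168.0.200, which is
# not the LAN gateway (192.168.0.1). A table maps a prefix to its next hop: a node name,
# "direct" (deliver on the attached segment) or "isp" (the default route out of the house).
ADDRS = {"laptop": {"10.8.0.2"}, "server": {"10.8.0.1", "192.168.0.200"},
         "pc": {"192.168.0.15"}, "router": {"192.168.0.1"}}
OWNER = {ip: node for node, ips in ADDRS.items() for ip in ips}
TABLES = {  # the laptop's 192.168.0.0/24 entry is the route pushed by the server
    "laptop": [("10.8.0.0/24", "direct"), ("192.168.0.0/24", "server"), ("0.0.0.0/0", "isp")],
    "server": [("10.8.0.0/24", "direct"), ("192.168.0.0/24", "direct"), ("0.0.0.0/0", "router")],
    "pc":     [("192.168.0.0/24", "direct"), ("0.0.0.0/0", "router")],
    "router": [("192.168.0.0/24", "direct"), ("0.0.0.0/0", "isp")],
}


def next_hop(tables, node, dst):
    """Longest-prefix match of dst in node's table; 'direct' resolves to the address owner."""
    _net, via = max(((ip_network(p), v) for p, v in tables[node]
                     if ip_address(dst) in ip_network(p)), key=lambda e: e[0].prefixlen)
    return OWNER.get(dst, "isp") if via == "direct" else via


def trace(tables, src, dst, ttl=8):
    """Nodes a packet visits from src towards dst; the path ends in 'isp' if it leaves the LAN."""
    path, node = [src], src
    while node != "isp" and dst not in ADDRS[node] and len(path) < ttl:
        node = next_hop(tables, node, dst)
        path.append(node)
    return path


def ping_round_trip(router_knows_vpn_subnet):
    """Laptop pings the PC through the tunnel; return (request_path, reply_path)."""
    tables = deepcopy(TABLES)
    if router_knows_vpn_subnet:  # the static route post #8 says the BT Home Hub 3 cannot hold
        tables["router"].insert(0, ("10.8.0.0/24", "server"))
    return trace(tables, "laptop", "192.168.0.15"), trace(tables, "pc", "10.8.0.2")


if __name__ == "__main__":
    for fixed in (False, True):
        request, reply = ping_round_trip(fixed)
        print(f"router has route to 10.8.0.0/24: {fixed}  request {request}  reply {reply}")
```

The other standard workaround when the router cannot hold a static route is to NAT the tunnel traffic on the OpenVPN host (`iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`), so LAN hosts see 192.168.0.200 as the source and reply to it directly, never involving the router.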
 
Old 06-19-2014, 07:14 PM   #9
nisqr
LQ Newbie
 
Registered: Jun 2014
Posts: 2

Have you tried this tutorial: http://www.vpntips.com/how-to-setup-a-vpn-server/
 
  

