Gentoo Forums
Howto: OpenVPN server
sephora
n00b
Joined: 28 Nov 2022
Posts: 40

PostPosted: Sat Dec 02, 2023 12:44 pm    Post subject: Howto: OpenVPN server

Hello everyone!

A few weeks back I built an OpenVPN server, which was a bit of a struggle to get everything working. So I decided to share my setup. Maybe someone finds this useful.

This is a short summary and configuration example.

Scenario:
I have a router that's running Gentoo (of course!).
My router handles the internet connection for my LAN and WLAN.
I want remote clients to connect to my local LAN via OpenVPN.
All machines in the LAN should be able to see each other.
As the network protocol I use UDP, because I want the clients to access a TeamSpeak server located in my local LAN. The clients should also be able to play old LAN games together, which often use UDP.

Step 1:
Build a bridge of the router's LAN device and a TAP device to be used by OpenVPN.

Kernel config:
Code:
CONFIG_BRIDGE=y

Stop the LAN device:
You're going to lose your SSH session at this point if you access the router from the local LAN!
Code:
rc-service net.enp3s0 stop

Setup bridge device:
Code:

# create the TAP device first, otherwise there is nothing to enslave to the bridge
ip tuntap add dev tap0 mode tap
ip link add br0 type bridge
ip link set dev enp3s0 master br0
ip link set dev tap0 master br0
# let OpenRC manage tap0 and br0 like any other interface
ln -s /etc/init.d/net.lo /etc/init.d/net.tap0
ln -s /etc/init.d/net.lo /etc/init.d/net.br0

OpenRC net config:
Code:

#bridge configuration
tuntap_tap0="tap"
config_tap0="null"
config_enp3s0="null"
bridge_br0="enp3s0 tap0"
config_br0="<static router ip address>/24"
bridge_forward_delay_br0=0
bridge_hello_time_br0=1000

depend_br0() {
    need net.enp3s0
    need net.tap0
}

OpenRC updates:
Code:

rc-update del net.enp3s0 default
rc-update add net.tap0 default
rc-update add net.br0 default

More detailed information can be found in the Gentoo Wiki.

Step 2:
OpenVPN server configuration:
Code:

port <myOpenVPN port>
proto udp
dev tap0

# keys configuration, use generated keys
# the askpass file holds the passphrase of the server key; keep it mode 0600
askpass <myOpenVPN>/<myOpenVPN>.pass
ca   <myOpenVPN>/ca.crt
cert <myOpenVPN>/<myOpenVPN>.crt
key  <myOpenVPN>/<myOpenVPN>.key
dh   <myOpenVPN>/dh.pem

# tls-auth: HMAC-sign control channel packets with a shared static key, so
# unauthenticated UDP packets are dropped before the TLS handshake even starts.
# Direction 0 here, key-direction 1 on the clients.
tls-auth <myOpenVPN>/<myOpenVPN>_tls.key 0

# bridged 'virtual' network: with no arguments, server-bridge lets the clients
# get their addresses from the LAN's DHCP server through the bridge
server-bridge
mode server
tls-server

push "route-gateway dhcp"
push "explicit-exit-notify 3"

# persistent device and key settings (needed because of user/group below:
# after the privilege drop the daemon can no longer re-read keys or reopen tap0)
persist-key
persist-tun
cipher                AES-256-GCM
data-ciphers          AES-256-GCM
data-ciphers-fallback AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

tun-mtu 1500
mssfix 1104

# connection
keepalive 10 120

max-clients 50

# drop root once the keys are read and the device is open
user nobody
group nobody

# logging
status openvpn-status.log
log /var/log/openvpn.log
verb 3


Step 3:
Generate the root certificate.
I used Easy-RSA to create the server certificate and keypairs.
Here is the link to the OpenVPN-Wiki that I used to get the CA and keypairs: EasyRSA3-OpenVPN-Howto
Easy-RSA can be found here: Easy-RSA

Remember to also generate keys for the clients.
Code:
./easyrsa build-client-full <client1>

Generate shared key for tls-auth:
Code:
# name it like the tls-auth line in the server config (the server's own TLS key is already called <myOpenVPN>.key)
openvpn --genkey secret <myOpenVPN>_tls.key


Create server config directory and copy certificate and keys:
Code:
cd /etc/openvpn
mkdir <myOpenVPN>
cp <Easy-RSA>/pki/ca.crt <myOpenVPN>
# Easy-RSA keeps private keys under pki/private/, certificates under pki/issued/
cp <Easy-RSA>/pki/private/<myOpenVPN>.key <myOpenVPN>
cp <Easy-RSA>/pki/dh.pem <myOpenVPN>
cp <Easy-RSA>/pki/issued/<myOpenVPN>.crt <myOpenVPN>
cp <Easy-RSA>/pki/issued/<client1>.crt <myOpenVPN>
cp <Easy-RSA>/pki/private/<client1>.key <myOpenVPN>
# also put the tls-auth key generated above into <myOpenVPN>/<myOpenVPN>_tls.key,
# then make sure the private keys are readable by root only
chmod 700 <myOpenVPN>
chmod 600 <myOpenVPN>/*.key


Step 4:
OpenVPN client config.
Code:
client
proto udp
dev tap0
key-direction 1
persist-key
persist-tun
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA512
remote <myOpenVPN public address> <myOpenVPN port>
remote-cert-tls server
float
auth-nocache
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>


To ease the build of client config files I use this simple script that I found online (unfortunately I forgot where):
Code:
#!/bin/sh
# Build an inline (.ovpn) client profile from client.conf plus the CA cert,
# the client cert and key and the tls-auth key. The profile contains private
# key material, so it is written with umask 077 (owner-readable only).
set -eu

# Default Variable Declarations
DEFAULT="client.conf"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".key"
CA="ca.crt"
TA="<myOpenVPN>_tls.key"        # same file as the 'tls-auth' line in the server config
kPath="/etc/openvpn/<myOpenVPN>/"

# Ask for a client name (must match the name given to 'easyrsa build-client-full')
printf 'Please enter an existing client name: '
read -r NAME

ovpnName="$NAME$FILEEXT"

# 1st, verify that the client's certificate exists
if [ ! -f "$kPath$NAME$CRT" ]; then
   echo "[ERROR]: Client certificate not found: $kPath$NAME$CRT" >&2
   exit 1
fi
echo "Client's cert found: $kPath$NAME$CRT"

# Then verify that there is a private key for that client
if [ ! -f "$kPath$NAME$KEY" ]; then
   echo "[ERROR]: Client private key not found: $kPath$NAME$KEY" >&2
   exit 1
fi
echo "Client's private key found: $kPath$NAME$KEY"

# Confirm the CA certificate exists
if [ ! -f "$kPath$CA" ]; then
   echo "[ERROR]: CA certificate not found: $kPath$CA" >&2
   exit 1
fi
echo "CA certificate found: $kPath$CA"

# Confirm the tls-auth key exists and really is an OpenVPN static key
# (and not a TLS private key with a similar name)
if [ ! -f "$kPath$TA" ] || ! grep -q 'BEGIN OpenVPN Static key V1' "$kPath$TA"; then
   echo "[ERROR]: tls-auth key not found or not a static key: $kPath$TA" >&2
   exit 1
fi
echo "tls-auth key found: $kPath$TA"

# Ready to make a new .ovpn file - start by populating it with the default config
umask 077
cat "$DEFAULT" > "$ovpnName"

{
   # Now append the CA certificate (only the PEM block; Easy-RSA prepends a text dump)
   echo "<ca>"
   sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$kPath$CA"
   echo "</ca>"

   # Next append the client certificate
   echo "<cert>"
   sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$kPath$NAME$CRT"
   echo "</cert>"

   # Then append the client private key
   echo "<key>"
   cat "$kPath$NAME$KEY"
   echo "</key>"

   # Finally append the tls-auth static key (key-direction 1 is set in client.conf)
   echo "<tls-auth>"
   cat "$kPath$TA"
   echo "</tls-auth>"
} >> "$ovpnName"

echo "Done! $ovpnName successfully created."


To use this script you need a default config 'client.conf' which, in my case, looks like this:
Code:
client
proto udp
dev tap0
key-direction 1
persist-key
persist-tun
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA512
remote <myOpenVPN public address> <myOpenVPN port>
remote-cert-tls server
float
auth-nocache


And the certificates and keys for the client have to be placed in '/etc/openvpn/<myOpenVPN>'.

Step 5:
Start the OpenVPN-Server.
Create a link that matches your server config file name '/etc/openvpn/<myOpenVPN>.conf':
Code:
ln -s /etc/init.d/openvpn /etc/init.d/openvpn.<myOpenVPN>
rc-service openvpn.<myOpenVPN> start
# start it at boot as well
rc-update add openvpn.<myOpenVPN> default


Remember to open the UDP port for <myOpenVPN port> in your firewall!

Monitor your log file:
Code:
watch -cn 15 tail -n 40 /var/log/openvpn.log


Step 6:
Client service.
In my setup the client machines are running Windows.
And since this config uses TAP as the network device, I use the OpenVPN community client, which you can find here:
OpenVPN 2.6.8

I won't go into Windows firewall setup here. Therefore just a hint:
Setting the TAP device on the Windows client to 'private network' makes it easier to configure the firewall on the client machine. Also enabling 'ping' helps with troubleshooting.


Have fun! :)
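A pre-flight check for the server side of the howto above, as an added example that is not part of the post: a POSIX sh function that reads a server config like the one in Step 2 and reports the mistakes that are easy to make with this layout. It looks for referenced certificate or key files that are missing, for a private key, tls-auth key or askpass file that other users can read, for a tls-auth line that points at the server's TLS key instead of a static key (the two share a naming scheme in the post), for key and tls-auth pointing at the same file, and for missing tls-version-min, user/group or tls-auth/tls-crypt lines. It assumes, as the post's config does, that relative paths are taken from the config file's own directory, and that an OpenVPN static key starts with the "-----BEGIN OpenVPN Static key V1-----" header.

```shell
#!/bin/sh
# audit_openvpn.sh: pre-flight check of an OpenVPN server config and the key
# files it references. Added example, not code from the post. Assumes relative
# paths in the config resolve against the config file's own directory, and that
# an OpenVPN static key (tls-auth/tls-crypt) starts with
# "-----BEGIN OpenVPN Static key V1-----".

n=0                       # number of findings so far
_note() { n=$((n + 1)); printf 'FINDING %d: %s\n' "$n" "$1"; }

# First argument of a config option, empty if absent or given without argument.
_opt() {    # _opt <conf> <option>
    awk -v o="$2" '$1 == o { print $2; exit }' "$1"
}

# Turn an option value into a path: absolute stays, relative hangs off <dir>.
_path() {   # _path <dir> <value>
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# True when the group and other permission bits are all clear (mode 0600/0400).
_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

audit_openvpn() {   # audit_openvpn <server.conf>; prints findings, returns 1 if any
    conf="$1"; dir=$(dirname "$conf"); n=0

    # 1. Referenced files must exist; secrets must not be group/world readable;
    #    a tls-auth/tls-crypt file must really be a static key.
    for opt in ca cert key dh tls-auth tls-crypt askpass; do
        v=$(_opt "$conf" "$opt"); [ -n "$v" ] || continue
        p=$(_path "$dir" "$v")
        if [ ! -f "$p" ]; then
            _note "$opt: file not found: $p"
            continue
        fi
        case "$opt" in
            key|tls-auth|tls-crypt|askpass)
                _owner_only "$p" || _note "$opt: $p is readable by group/others (chmod 600)" ;;
        esac
        case "$opt" in
            tls-auth|tls-crypt)
                grep -q 'BEGIN OpenVPN Static key V1' "$p" \
                    || _note "$opt: $p is not an OpenVPN static key" ;;
        esac
    done

    # 2. The server's TLS private key and the tls-auth key must be different files.
    #    With both called <name>.key, a client-profile script would ship the
    #    server key inside every .ovpn it builds.
    k=$(_opt "$conf" key); t=$(_opt "$conf" tls-auth)
    if [ -n "$k" ] && [ -n "$t" ] && [ "$(_path "$dir" "$k")" = "$(_path "$dir" "$t")" ]; then
        _note "key and tls-auth point at the same file"
    fi

    # 3. Hardening lines the post's config relies on.
    case "$(_opt "$conf" tls-version-min)" in
        1.2|1.3) ;;
        *) _note "tls-version-min missing or below 1.2" ;;
    esac
    if [ -z "$(_opt "$conf" user)" ] || [ -z "$(_opt "$conf" group)" ]; then
        _note "user/group not set: the daemon keeps root after startup"
    fi
    if [ -z "$(_opt "$conf" tls-auth)" ] && [ -z "$(_opt "$conf" tls-crypt)" ]; then
        _note "neither tls-auth nor tls-crypt: control channel takes unauthenticated packets"
    fi

    printf 'findings: %d\n' "$n"
    [ "$n" -eq 0 ]
}

if [ "$#" -gt 0 ]; then
    audit_openvpn "$1"
fi
```

Run it as root, e.g. `sh audit_openvpn.sh /etc/openvpn/<myOpenVPN>.conf`, before `rc-service openvpn.<myOpenVPN> start`; it exits non-zero when anything was found. It only looks at the config text and the filesystem, so it cannot tell whether a certificate was actually issued by the CA; `openssl verify -CAfile <myOpenVPN>/ca.crt <myOpenVPN>/<myOpenVPN>.crt` answers that.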
pa4wdh
l33t
Joined: 16 Dec 2005
Posts: 892

PostPosted: Sat Dec 02, 2023 3:24 pm    Post subject:

Thanks for sharing your work and experience.

Be aware that the general advice is against tap unless you have a use-case that absolutely requires it (I've even seen claims like "if you need tap you're doing something wrong"). Configuration-wise the difference is that tun doesn't require a bridge device, but you'll need to set up routing and probably firewalling.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
fedeliallalinea
Administrator
Joined: 08 Mar 2003
Posts: 31343
Location: here

PostPosted: Sun Dec 03, 2023 7:41 am    Post subject:

Moved from Networking & Security to Documentation, Tips & Tricks.
_________________
Questions are guaranteed in life; Answers aren't.
sephora
n00b
Joined: 28 Nov 2022
Posts: 40

PostPosted: Sun Dec 03, 2023 9:19 am    Post subject:

pa4wdh wrote:
Thanks for sharing your work and experience.

Be aware that the general advice is against tap unless you have a use-case that absolutely requires it (I've even seen claims like "if you need tap you're doing something wrong"). Configuration-wise the difference is that tun doesn't require a bridge device, but you'll need to set up routing and probably firewalling.


Yes. I read that too.
In fact my first approach was to set up TUN with TCP as the protocol. And this did work.
Except for VoIP. I was able to connect to my TeamSpeak but audio didn't work, since audio is transferred via UDP.
The same is true for the LAN lobbies in many (all) games. Though direct connect using the IP address did work.

To solve this issue I switched my OpenVPN server to UDP.
And this is the point where my struggle started. I wasn't able to connect the client to the server. It was a real challenge to find out what went wrong and why.
I have to say that the community client does a really good job of helping to debug the config. It's quite verbose and also does a good job of explaining what's going on.
For debugging the routing I used one or two VMs with Windows installed. The VMs were connected to the LAN via NAT and/or bridged; I played around with that. Using VMs is helpful but also adds an additional level of complexity, especially if NAT is used. But using VMs only gets you so far, since they are all running on the same machine, which is connected to my LAN.
So I asked one of my friends to help with the debugging from the outside. Mainly to debug my firewall script.

After reading the logs and grepping network packets with tcpdump I came to the conclusion that, for some reason, when the clients try to connect, the packets that the server sends back to the client get lost, which points to a routing problem. But even after spending hours I couldn't get it to work. At some point the packets got lost. I still don't know why. Maybe it's routing or they get dropped. Either way there was no log entry and, at least for me, that didn't make sense.

And here I took a step back and rethought what I really wanted to build here.
In the end I just want my friends to connect to my local LAN. Being able to talk to each other using TeamSpeak. And spending an evening together playing games now and then.

That's when I decided to go for the TAP device. Since it's totally sufficient to bridge the VPN clients to my LAN. I know that using TAP adds latency. But since I have only a handful of machines connected that doesn't really matter. Also setting up the VPN via TAP makes the config and firewall (and routing) much cleaner and much easier to handle, in my opinion. I don't recommend using this config at large scale, but for a small setup it's totally fine.

It's absolutely possible that I made a mistake somewhere along the line and maybe it's an easy fix to get the TUN setup to work. But at this point I'm happy with the solution I have. :)
pa4wdh
l33t
Joined: 16 Dec 2005
Posts: 892

PostPosted: Sun Dec 03, 2023 6:04 pm    Post subject:

Running a TCP based VPN always gives bad results, especially for latency sensitive protocols like VoIP; it can even run into a deadlock when you run a TCP based protocol inside your VPN. UDP is the right choice :).

The main difference between TUN and TAP is that TAP bridges the client to the server lan (layer 2) and TUN will make a subnet available to the clients and you'll have to route that to your server lan (layer 3). So with TAP the networks on both sides of the VPN are in the same subnet, with TUN you'll get a new subnet with your VPN clients and you'll have to take care of routing to create connectivity between them.
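The routed (TUN, layer 3) variant pa4wdh describes, as an added example that is not from the thread: a shell file with the three pieces the bridged TAP setup in the first post does without, namely the server lines that replace `dev tap0`/`server-bridge`, IP forwarding on the router, and forward rules between tun0 and the LAN. The addressing is assumed (LAN 192.168.1.0/24 on enp3s0, VPN subnet 10.8.0.0/24 on tun0, OpenVPN on UDP 1194); the key, cipher and user/group lines are the same as in the post's config and are left out.

```shell
#!/bin/sh
# tun_routed.sh: what the routed (TUN, layer 3) variant of the setup needs on the
# Gentoo router. Added example, not from the thread. Assumed addressing:
# LAN 192.168.1.0/24 on enp3s0, VPN subnet 10.8.0.0/24 on tun0, OpenVPN on UDP 1194.

LAN_NET=192.168.1.0; LAN_MASK=255.255.255.0; LAN_IF=enp3s0
VPN_NET=10.8.0.0;    VPN_MASK=255.255.255.0; VPN_IF=tun0
VPN_PORT=1194

# OpenVPN lines that replace 'dev tap0' and 'server-bridge'. 'server' makes
# OpenVPN hand out VPN_NET addresses itself (the LAN's DHCP server is no longer
# involved) and the pushed route tells clients that the LAN is reachable
# through the tunnel. Keys, ciphers, user/group etc. stay as in the TAP config.
tun_server_conf() {
    cat <<EOF
port $VPN_PORT
proto udp
dev $VPN_IF
topology subnet
server $VPN_NET $VPN_MASK
push "route $LAN_NET $LAN_MASK"
# VPN clients may also reach each other, as they can on the bridge
client-to-client
keepalive 10 120
EOF
}

# The kernel only forwards between tun0 and the LAN when ip_forward is on.
# With it off, a client's packets arrive on tun0 and are dropped without any
# OpenVPN log entry, so this is the first thing to check in a routed setup.
forwarding_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# nftables forward rules to merge into the router's existing ruleset: traffic
# may cross between tun0 and the LAN, and nothing else may enter or leave tun0
# (VPN clients do not get to use the router as a relay to the internet).
# 'policy accept' leaves the LAN->WAN forwarding the router already does alone;
# opening UDP $VPN_PORT in the input chain is the same step as in the TAP setup.
nft_ruleset() {
    cat <<EOF
table inet openvpn {
    chain forward {
        type filter hook forward priority 0; policy accept;
        iif $VPN_IF oif $LAN_IF accept
        iif $LAN_IF oif $VPN_IF accept
        iif $VPN_IF drop
        oif $VPN_IF drop
    }
}
EOF
}

# Needs root; only run when the script is invoked as: sh tun_routed.sh apply
apply_tun_routing() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nft_ruleset | nft -f -
}

if [ "${1:-}" = "apply" ]; then
    apply_tun_routing
fi
```

`apply_tun_routing` needs root and only runs with the `apply` argument; the other functions just print what would be installed, so the result can be inspected first. Two things stay with the admin: the clients use `dev tun` instead of `dev tap0`, and every LAN host needs a route back to 10.8.0.0/24. In the post's scenario the router is the LAN's default gateway, so that comes for free; a host with a different gateway needs a static route, or the router has to masquerade traffic coming from tun0.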
sephora
n00b
Joined: 28 Nov 2022
Posts: 40

PostPosted: Mon Dec 04, 2023 7:59 am    Post subject:

True.
And thank you for your feedback.

For some reason I couldn't get the UDP routing to play along while TCP was working fine.
I did spend a lot of time in debugging there.

Anyway, my VPN is working as it is right now.
Maybe, if I feel very bored, I give it another try.
But I have to say to debug firewalls and routing tables is one of my least favorite topics. -.-
Hund
Apprentice
Joined: 18 Jul 2016
Posts: 218
Location: Sweden

PostPosted: Mon Dec 04, 2023 8:07 am    Post subject:

What's your reasoning for choosing something like OpenVPN, when we have better options like Wireguard? :)
_________________
Collect memories, not things.
sephora
n00b
Joined: 28 Nov 2022
Posts: 40

PostPosted: Mon Dec 04, 2023 3:30 pm    Post subject:

Good point.

The truth is: There's no particular reason. Except that I did work with OpenVPN before.
Maybe I'll give WireGuard a shot. But since OpenVPN is working for me now it's not a priority.

Thanks for the hint.
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3477

PostPosted: Fri Dec 08, 2023 3:34 pm    Post subject:

Wireguard is only an IP tunnel (L3) and must be routed, while openvpn can send ethernet frames (L2) as well and can be bridged. There are some things that can only be done at L2.
OpenVPN clients can have dynamic internal IPs, while wireguard must be configured manually but allows the clients to change their public IP without breaking the tunnel.

Both options will work just fine for _most_ people, but they both have their advantages in some corner cases. Use whatever gets the particular job done.
pa4wdh
l33t
Joined: 16 Dec 2005
Posts: 892

PostPosted: Fri Dec 08, 2023 6:02 pm    Post subject:

Indeed, both do VPN's and both do them well.
In my opinion OpenVPN is a bit better suited for dynamic environments (like many clients connecting to a server) because you can push settings to clients. I usually try to make the VPN config as small as possible and push the rest from the server.
jiminwilson
n00b
Joined: 26 Nov 2024
Posts: 3

PostPosted: Wed Nov 27, 2024 11:41 am    Post subject:

Is this really a workable solution?