OpenVPN: Difference between revisions

From ArchWiki
VisualWikitext
(Move section on routing all traffic to main article)
(Remove old "depreceated wiki content" section)
Line 511: Line 511:


{{Accuracy|Not quite sure where this fits into the main article yet}}
{{Accuracy|Not quite sure where this fits into the main article yet}}


=== Configuring LDAP authorization ===
=== Configuring LDAP authorization ===
Line 518: Line 516:
{{Accuracy|what does the following do, and is the package still supported?}}
{{Accuracy|what does the following do, and is the package still supported?}}
You may also want to install {{AUR|openvpn-authldap-plugin}}, available in the [[AUR]].
You may also want to install {{AUR|openvpn-authldap-plugin}}, available in the [[AUR]].
=== Deprecated older wiki content ===
{{Accuracy|See how this older content can be fitted into the new article}}
====Using PAM and passwords to authenticate====
{{bc|
port 1194
proto udp
mtu-test
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 192.168.56.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;learn-address ./script
client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login
}}
==== Using certs to authenticate ====
{{bc|
port 1194
proto tcp
dev tun0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
log-append /var/log/openvpn
status /tmp/vpn.status 10
}}
==== Routing traffic through the server ====
Append the following to your server's openvpn.conf configuration file:
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"
Change "192.168.1.1" to your external DNS IP address.
Use an iptable for NAT forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp1s0 -j MASQUERADE
If running Arch Linux in a OpenVZ VPS environment [http://thecodeninja.net/linux/openvpn-archlinux-openvz-vps/]:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)
If all is well, make the changes permanent:
Edit {{ic|/etc/conf.d/iptables}} and change IPTABLES_FORWARD=1
# iptables-save > /etc/iptables/iptables.rules
==== Setting up the client ====
The client-side .conf file
===== With password authentication =====
{{bc|
client
dev tap
proto udp
mtu-test
remote <address> 1194
resolv-retry infinite
nobind
persist-tun
comp-lzo
verb 3
auth-user-pass passwd
ca ca.crt
}}
passwd file (referenced by auth-user-pass) must contain two lines:
* first line - username
* second - password
===== Certificates authentication =====
{{bc|
client
remote <MYSERVER> 1194
dev tun0
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 2
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
}}
Copy three files from server to remote computer.
ca.crt
client1.crt
client1.key
Install the tunnel/tap module:
# modprobe tun
To have the '''tun''' module loaded automatically at boot, read [[Kernel_modules]].
===== DNS =====
The DNS servers used by the system are defined in {{ic|/etc/resolv.conf}}.  Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc...)  However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side.  To achieve this in a sensible way, install {{pkg|openresolv}}, which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes.  Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before.  You should not need to configure openresolv; it should be automatically detected and used by your network system.
Next, save the following script at {{ic|/etc/openvpn/update-resolv-conf.sh}}:
https://raw.githubusercontent.com/masterkorp/openvpn-update-resolv-conf/master/update-resolv-conf.sh
Remember to make the file executable with:
  $ chmod +x /etc/openvpn/update-resolv-conf.sh
Next, add the following lines to your OpenVPN client configuration file:
script-security 2
up /etc/openvpn/update-resolv-conf.sh
down /etc/openvpn/update-resolv-conf.sh
Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.
'''''Caveat''''': The script will fail to restore the original DNS settings if your OpenVPN client configuration is set-up to drop root privileges after connection. To avoid running OpenVPN as root you can add a locked-down user which only is allowed to use [[Sudo#Example Entries|''sudo'']] on ''resolvconf''. Then you have to change the {{ic|RESOLVCONF}} variable in the script to {{ic|1=RESOLVCONF=/usr/bin/sudo /usr/bin/resolvconf}} and the DNS restoration on disconnect should work with the generally dropped root privileges as well.
===== Webmin =====
{{AUR|webmin-plugin-openvpn}} is available in the [[AUR]].
{{Note|You must add "openvpn" to the end of {{ic|/etc/webmin/webmin.acl}}.}}
==== Connecting to the server ====
You need to start the service on the server
systemctl start openvpn@server
To make it permanent:
systemctl enable openvpn@server
On the client, in the home directory create a folder that will hold your OpenVPN client config files along with the '''.crt'''/'''.key''' files. Assuming your OpenVPN config folder is called '''.openvpn''' and your client config file is '''vpn1.conf''', to connect to the server issue the following command:
# cd ~/.openvpn && openvpn vpn1.conf


== Troubleshooting ==
== Troubleshooting ==

Revision as of 15:59, 4 March 2015

zh-CN:OpenVPN

This article or section needs expansion.

Reason: (at least) add support for IPv6 and L2 Ethernet bridging (Discuss in Talk:OpenVPN)

This article describes a basic installation and configuration of OpenVPN, suitable for private and small business use. For more detailed information, please see the OpenVPN 2.3 man page and the OpenVPN documentation. OpenVPN is a robust and highly flexible VPN daemon. It supports SSL/TLS security, Ethernet bridging, TCP or UDP tunnel transport through proxies or NAT. Additionally it has support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.

OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it. It supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.

OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of IPSec but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL).

Install OpenVPN

Install openvpn from the official repositories.

Note: The software contained in this package supports both server and client mode, so install it on all machines that need to create VPN connections.

Configure the system for TUN/TAP support

OpenVPN requires TUN/TAP support. Make sure to load at boot the tun module.

Read Kernel modules for more information.

The default kernel is already properly configured, but if you use another kernel make sure to enable the TUN/TAP module. If $ zgrep CONFIG_TUN /proc/config.gz returns CONFIG_TUN=n, make the following change to the kernel config file and rebuild the kernel. 

Kernel config file
 Device Drivers
  --> Network device support
    [M] Universal TUN/TAP device driver support

Connect to a VPN provided by a third party

To connect to a VPN provided by a third party, most of the following can most likely be ignored. Use the certificates and instructions given by your provider, for instance see: Airvpn.

Note: To connect to servers of the most VPN providers that offer free service, one can plainly use PPTP server since most offers only this protocol.

Create a Public Key Infrastructure (PKI) from scratch

If you are setting up OpenVPN from scratch, you will need to create a Public Key Infrastructure (PKI).

Create the needed certificates and keys by following: Create a Public Key Infrastructure Using the easy-rsa Scripts.

The final step of the key creation process is to copy the files needed to the correct machines through a secure channel.

Note: The rest of this article assumes that the keys and certificates are placed in /etc/openvpn.

The public ca.crt certificate is needed on all servers and clients. The private ca.key key is secret and only needed on the key generating machine.

A server needs server.crt, dh2048.pem (public), server.key, and ta.key (private).

A client needs client.crt (public), client.key, and ta.key (private).

A basic L3 IP routing configuration

Note: Unless otherwise explicitly stated, the rest of this article assumes this basic configuration.

OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both "servers" and "clients", blurring the distinction between server and client.

What really distinguishes a server from a client (apart from the type of certificate used) is the configuration file itself. The OpenVPN daemon start-up script reads all the .conf configuration files it finds in /etc/openvpn on start-up and acts accordingly. If it finds more than one configuration file, it will start one OpenVPN process per configuration file.

This article explains how to set up a server named elmer and a client that connects to it named bugs. More servers and clients can easily be added by creating more key/certificate pairs and adding more server and client configuration files.

The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:

  • Uses Public Key Infrastructure (PKI) for authentication.
  • Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).
  • Listens for client connections on UDP port 1194 (OpenVPN's official IANA port number).
  • Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.

For more advanced configurations, please see the official OpenVPN 2.2 man page and the OpenVPN documentation.

The server configuration file

Copy the example server configuration file to /etc/openvpn/server.conf: 

# cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf

Edit the following:

  • The ca, cert, key, and dh parameters to reflect the path and names of the keys and certificates. Specifying the paths will allow you to run the OpenVPN executable from any directory for testing purposes.
  • Enable the SSL/TLS HMAC handshake protection. Note the use of the parameter 0 for a server.
  • It is recommended to run OpenVPN with reduced privileges once it has initialized. Do this by uncommenting the user and group directives.
/etc/openvpn/server.conf
ca /etc/openvpn/ca.crt
cert /etc/openvpn/elmer.crt
key /etc/openvpn/elmer.key

dh /etc/openvpn/dh2048.pem
.
.
tls-auth /etc/openvpn/ta.key 0
.
.
user nobody
group nobody
Note: Note that if the server is behind a firewall or a NAT translating router, you will have to forward the OpenVPN UDP port (1194) to the server.

The client configuration file

Copy the example client configuration file to /etc/openvpn/client.conf: 

# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf

Edit the following:

  • The remote directive to reflect either the server's Fully Qualified Domain Name, hostname (as known to the client), or its IP address.
  • Uncomment the user and group directives to drop privileges.
  • The ca, cert, and key parameters to reflect the path and names of the keys and certificates.
  • Enable the SSL/TLS HMAC handshake protection. Note the use of the parameter 1 for a client.
/etc/openvpn/client.conf
remote elmer.acmecorp.org 1194
.
.
user nobody
group nobody
.
.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bugs.crt
key /etc/openvpn/bugs.key
.
.
tls-auth /etc/openvpn/ta.key 1

Testing the OpenVPN configuration

Run # openvpn /etc/openvpn/server.conf on the server, and # openvpn /etc/openvpn/client.conf on the client. You should see something similar to this: 

# openvpn /etc/openvpn/server.conf
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key
.
.
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
# openvpn /etc/openvpn/client.conf
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:50 2011 LZO compression initialized
.
.
Wed Dec 28 14:41:57 2011 GID set to nobody
Wed Dec 28 14:41:57 2011 UID set to nobody
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed

On the server, find the IP address assigned to the tunX device: 

# ip addr show
.
.
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.

Do the same on the client: 

# ip addr show
.
.
37: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0

And the client side has been given the IP address 10.8.0.6.

Now try pinging the interfaces.

On the server: 

# ping -c3 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms

--- 10.8.0.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms

On the client: 

# ping -c3 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms

You now have a working OpenVPN installation, and your client (bugs) will be able to use services on the server (elmer), and vice versa.

Note: If using a firewall, make sure that IP packets on the TUN device are not blocked.

Configure the MTU with Fragment and MSS

Note: If you do not configure MTU, then you will notice that small packets like ping and DNS will work, however web browsing will not work.

Now it is time to configure the maximum segment size (MSS). In order to do this we need to discover what is the smallest MTU along the path between the client and server. In order to do this you can ping the server and disable fragmentation. Then specify the max packet size. 

# ping -c5 -M do -s 1500 elmer.acmecorp.org
PING elmer.acmecorp.org (99.88.77.66) 1500(1528) bytes of data.
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)

--- core.myrelay.net ping statistics ---
0 packets transmitted, 0 received, +5 errors

We received an ICMP message telling us the MTU is 576 bytes. The means we need to fragment the UDP packets smaller then 576 bytes to allow for some UDP overhead. 

# ping -c5 -M do -s 548 elmer.acmecorp.org
PING elmer.acmecorp.org (99.88.77.66) 548(576) bytes of data.
556 bytes from 99.88.77.66: icmp_seq=1 ttl=48 time=206 ms
556 bytes from 99.88.77.66: icmp_seq=2 ttl=48 time=224 ms
556 bytes from 99.88.77.66: icmp_seq=3 ttl=48 time=206 ms
556 bytes from 99.88.77.66: icmp_seq=4 ttl=48 time=207 ms
556 bytes from 99.88.77.66: icmp_seq=5 ttl=48 time=208 ms

--- myrelay.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 206.027/210.603/224.158/6.832 ms

After some trial and error..., we discover that we need to fragment packets on 548 bytes. In order to do this we specify this fragment size in the configuration and instruct OpenVPN to fix the Maximum Segment Size (MSS). 

/etc/openvpn/client.conf
remote elmer.acmecorp.org 1194
.
.
fragment 548
mssfix
.
.
user nobody
group nobody
.
.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bugs.crt
key /etc/openvpn/bugs.key
.
.
tls-auth /etc/openvpn/ta.key 1


Note: The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless your client is a laptop that will be connecting over many different networks and the bottle neck is on the client side.

You can also allow OpenVPN to do this for you by having OpenVPN do the ping testing every time the client connects to the VPN. Be patient, since your client may not inform you about the test being run and the connection may appear as nonfunctional until finished. 

/etc/openvpn/client.conf
remote elmer.acmecorp.org 1194
.
.
mtu-test
.
.
user nobody
group nobody
.
.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bugs.crt
key /etc/openvpn/bugs.key
.
.
tls-auth /etc/openvpn/ta.key 1

IPv6

In order to connect to a server which is only available with IPv6 (for example with DS Lite), you have to change 

/etc/openvpn/server.conf and /etc/openvpn/client.conf
proto udp

to 

/etc/openvpn/server.conf and /etc/openvpn/client.conf
proto udp6

in both server.conf and client.conf (See OpenVPN Wiki)

Starting OpenVPN

Manual startup

To troubleshoot a VPN connection, start the client's daemon manually with openvpn /etc/openvpn/client.conf as root. The server can be started the same way using it's own configuration file (e.g., openvpn /etc/openvpn/server.conf).

systemd service configuration

To start OpenVPN automatically at system boot, either for a client or for a server, enable openvpn@<configuration>.service on the applicable machine.

For example, if the client configuration file is /etc/openvpn/client.conf, the service name is openvpn@client.service. Or, if the server configuration file is /etc/openvpn/server.conf, the service name is openvpn@server.service.

Letting NetworkManager start a connection

On a client you might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to /etc/NetworkManager/dispatcher.d/. In the following example "Provider" is the name of the NetworkManager connection: 

/etc/NetworkManager/dispatcher.d/10-openvpn
#!/bin/bash

case "$2" in
  up)
    if [ "$CONNECTION_ID" == "Provider" ]; then
      systemctl start openvpn@client
    fi
  ;;
  down)
    systemctl stop openvpn@client
  ;;
esac

See NetworkManager#Network services with NetworkManager dispatcher for more details.

Gnome configuration

If you would like to connect a client to an OpenVPN server through Gnome's built-in network configuration do the following. First, install networkmanager-openvpn. Then go to the Settings menu and choose Network. Click the plus sign to add a new connection and choose VPN. From there you can choose OpenVPN and manually enter the settings, or you can choose to import #The client configuration file if you have already created one. If you followed the instructions in this article then it will be located at /etc/openvpn/client.conf. To connect to the VPN simply turn the connection on.

Routing all client traffic through the server

Note: There are potential pitfalls when routing all traffic through a VPN server. Refer to the OpenVPN documenation on this topic for more information.

By default only traffic directly to and from an OpenVPN server passes through the VPN. To have all traffic, including web traffic, pass through the VPN do the following. First add the following to your server's configuration file (i.e., /etc/openvpn/server.conf [1]: 

push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"

Change "10.8.0.1" to your preferred DNS IP address.

If you have problems with non responsive DNS after connecting to server, install BIND as simple DNS forwarder and push the IP address of the OpenVPN server as DNS to clients.

Now you need to enable #IPv4 forwarding on the server.

In addition to above, your firewall will need to be set up to allow VPN traffic through it, which is described below for both ufw and iptables.

Firewall configuration

ufw

In order to configure your ufw settings for VPN traffic first add the following to /etc/default/ufw: 

/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

Now change /etc/ufw/before.rules, and add the following code after the header and before the "*filter" line. Don't forget to change the IP/subnet mask to match the one in /etc/openvpn/server.conf. 

/etc/ufw/before.rules
# NAT (Network Address Translation) table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Allow traffic from clients to enp1s0
-A POSTROUTING -s 10.8.0.0/24 -o enp1s0 -j MASQUERADE

# don't delete the "COMMIT" line or the NAT table rules above won't be processed
COMMIT

Lastly, open OpenVPN port 1194: 

ufw allow 1194

iptables

In order to allow VPN traffic through your iptables firewall, first create an iptables rule for NAT forwarding [2]: 

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If you have difficulty pinging the server through the VPN, you may need to add explicit rules to open up TUN/TAP interfaces to all traffic, do the following [3]:

Warning: There are security implications for the following rules if you don't trust all clients which connect to the server. Refer to the OpenVPN documentation on this topic for more details.
 # Allow TUN interface connections to OpenVPN server
 iptables -A INPUT -i tun+ -j ACCEPT
 # Allow TUN interface connections to be forwarded through other interfaces
 iptables -A FORWARD -i tun+ -j ACCEPT
 # Allow TAP interface connections to OpenVPN server
 iptables -A INPUT -i tap+ -j ACCEPT
 # Allow TAP interface connections to be forwarded through other interfaces
 iptables -A FORWARD -i tap+ -j ACCEPT

Additionally edit /etc/conf.d/iptables and change IPTABLES_FORWARD=1.

When you are satisfied make the changes permanent in the iptables#Configuration file.

L3 IPv4 routing

This section describes how to connect client/server LANs to each other using L3 IPv4 routing.

Prerequisites for routing a LAN

IPv4 forwarding

For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device.

Edit or create etc/sysctl.d/99-sysctl.conf to permanently enable IPv4 packet forwarding (takes effect at the next boot): 

/etc/sysctl.d/99-sysctl.conf
# Enable packet forwarding
net.ipv4.ip_forward=1
Tip: To temporarily enable without rebooting: # echo 1 > /proc/sys/net/ipv4/ip_forward

Routing tables

The factual accuracy of this article or section is disputed.

Reason: Investigate if a routing protocol like RIP, QUAGGA, BIRD, etc can be used (Discuss in Talk:OpenVPN)

By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.

  • Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.
  • Add a static route on each host on the LAN that needs to send IP packets back to the VPN.
  • Use iptables' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.

Connect the server LAN to a client

The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:

/etc/openvpn/server.conf
push "route 10.66.0.0 255.255.255.0"
Note: To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.

Connect the client LAN to a server

Prerequisites:

  • Any subnets used on the client side, must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.
  • Each client's certificate has a unique Common Name, in this case bugs.
  • The server may not use the duplicate-cn directive in its config file.

Create a client configuration directory on the server. It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects. 

# mkdir -p /etc/openvpn/ccd

Create a file in the client configuration directory called bugs, containing the iroute 192.168.4.0 255.255.255.0 directive. It tells the server what subnet should be routed to the client: 

/etc/openvpn/ccd/bugs
iroute 192.168.4.0 255.255.255.0

Add the client-config-dir and the route 192.168.4.0 255.255.255.0 directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN: 

/etc/openvpn/server.conf
client-config-dir ccd
route 192.168.4.0 255.255.255.0
Note: To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.

Connect both the client and server LANs

Combine the two previous sections: 

/etc/openvpn/server.conf
push "route 10.66.0.0 255.255.255.0"
.
.
client-config-dir ccd
route 192.168.4.0 255.255.255.0

/etc/openvpn/ccd/bugs
iroute 192.168.4.0 255.255.255.0
Note: Remember to make sure that all the LANs or the needed hosts can route to all the destinations.

Connect clients and client LANs

By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file: 

/etc/openvpn/server.conf
client-to-client

In order for another client or client LAN to see a specific client LAN, you will need to add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients): 

/etc/openvpn/server.conf
client-to-client
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
.
.
Note: As always, make sure that the routing is properly configured.

L2 Ethernet bridging

This article or section needs expansion.

Reason: Please add a well thought out section on L2 bridging. (Discuss in Talk:OpenVPN)

For now see: OpenVPN Bridge

Contributions that do not yet fit into the main article

The factual accuracy of this article or section is disputed.

Reason: Not quite sure where this fits into the main article yet (Discuss in Talk:OpenVPN)

Configuring LDAP authorization

The factual accuracy of this article or section is disputed.

Reason: what does the following do, and is the package still supported? (Discuss in Talk:OpenVPN)

You may also want to install openvpn-authldap-pluginAUR, available in the AUR.

Troubleshooting

Resolve issues

If you are having resolve issues when starting your profile: 

# journalctl _SYSTEMD_UNIT=openvpn@profile.service
RESOLVE: Cannot resolve host address: example.com: Name or service not known

The factual accuracy of this article or section is disputed.

Reason: Ordering "After=network.target" does not work universally. See network.target. Further, not the original unit in /usr/lib should be modified but a copy, cross-referencing Systemd#Editing provided unit files. (Discuss in Talk:OpenVPN)

Then, only if your network setup can be started before OpenVPN, you should force OpenVPN to wait for the network by adding Requires=network.target and After=network.target to the OpenVPN systemd service file: 

/usr/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN connection to %i
Requires=network.target
After=network.target
...

Don't forget to restart OpenVPN: 

# systemctl daemon-reload
# systemctl restart openvpn@profile

Client daemon not restarting after suspend

If you put your client system to sleep, and on resume openvpn doesn't restart, resulting in broken connectivity, create the following file: 

/usr/lib/systemd/system-sleep/vpn.sh
#!/bin/sh
if [ "$1" == "pre" ]
then
  killall openvpn
fi

Make it executable chmod a+x /usr/lib/systemd/system-sleep/vpn.sh 

/etc/systemd/system/openvpn@.service.d/restart.conf
[Service]
Restart=always

See Also

Retrieved from "https://wiki.archlinux.org/index.php?title=OpenVPN&oldid=363907"