OpenVPN general usage

Hi there, I have been using DietPi for a while now since I heard about it on The Pi Podcast and really like how it works. I have a couple of questions about OpenVPN.

What I want to be able to do with this is connect to a Raspberry Pi OpenVPN server whilst I am out and about using public wifi hotspots, redirecting all traffic through the OpenVPN server thus creating a secure connection on an otherwise insecure network. I assume this is possible.

Does the default setup do this out of the box?

In my current setup I don’t think it does, but this may be related to my second question below.

On my home network I already have an ownCloud setup on a separate Raspberry Pi, so I have port 443 port forwarded to my ownCloud server. As such I cannot open up port 443 for my OpenVPN server. Is there a way around this, can I specify a different port for the OpenVPN https traffic?

Many thanks,
Regards,
Keith Ellis

Hi keithellis,

You can also use UDP port 1194 for OpenVPN connections.
Forward UDP (protocol 17) port 1194 on your home router (with PAT/NAT) to the IP address of your RPi running the OpenVPN server.
You have to edit your config file: DietPi_OpenVPN_Client.ovpn

No need for TCP port 443 or 943 ( https://en.wikipedia.org/wiki/UDP_hole_punching )

Please have a look at Fourdee's description: https://dietpi.com/forum/t/dietpi-software-details-for-all-installation-options/22/37

If you use UDP, a keepalive for the VPN connection is obligatory ( https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage )

If you only have a dynamic IP address on your home router (with NAT/PAT), a DynDNS entry for the OpenVPN server will be useful: http://dietpi.com/phpbb/viewtopic.php?f=8&t=5&start=10#p58

cu
k-plan

Hi k-plan,

thanks for this. I am now using UDP port 1194 and I can connect to my OpenVPN server. I have a static external IP address so all is good there. However, once connected my client cannot connect to the internet. Probably an OpenVPN question more than a DietPi one, but since I don’t know how OpenVPN has been set up in DietPi, are you able to give me any further guidance? Thank you
Keith Ellis

Just to tack on to the end of this, what’s the best way to load OpenVPN on startup?

To start it I use the below command or a sh file with the command in it. I’m just not sure how to start it. My rc.local file fails to load on startup.

sudo openvpn --config /etc/openvpn/Startup.ovpn --script-security 2 --up /etc/openvpn/up.sh

Cheers,
Gabbe

Hi keithellis,

Edit DietPi_OpenVPN_Client.ovpn:

client
proto udp
dev tun
link-mtu 1400

# IP/domain name of the DietPi system running the OpenVPN server, plus port number
remote !!!wan-ip-address-here!!! 1194

resolv-retry infinite
nobind

user nobody
group nogroup

persist-key
persist-tun

# require that the server presents a server certificate
# (ns-cert-type is deprecated since OpenVPN 2.4 and removed in 2.5; remote-cert-tls server replaces it)
ns-cert-type server
comp-lzo
verb 3

## VPN server is the default gateway for all connections
redirect-gateway

## Windows client method (Windows-only options)
route-method exe
route-delay 2

## DNS server from the LAN for the VPN server's clients (local DNS server)
dhcp-option DNS 192.168.0.1

dhcp-option DNS 8.8.4.4


<ca>
-----BEGIN CERTIFICATE-----
....

ssh into your OpenVPN server and execute:

# delete all old iptables rules
iptables -F
iptables -X
iptables -t nat -F


## Forwarding and NAT for OpenVPN clients
# accept traffic arriving from VPN clients on the tunnel interface
iptables -A INPUT -i tun+ -j ACCEPT
# let replies to forwarded connections back in
# (new connections from tun+ to eth0 rely on the default FORWARD policy being ACCEPT;
#  if it is DROP, add: iptables -A FORWARD -i tun+ -o eth0 -j ACCEPT)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT the VPN client subnet out through the LAN/WAN interface
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Test it. Does it work?
The iptables rules are not persistent. After a reboot they are gone, so they must be set via a startup script.

cu
K-plan

Hello, I was looking at DietPi, and was wondering if I can set this up as a WiFi repeater, with an OpenVPN account I have from liquidvpn.

Any help will be greatly appreciated…

Thanks keep up the great work…

This worked :smiley: , but please, how can I make the iptables rules persistent?
Thanks

To make these changes persistent on every boot, you have to edit /etc/rc.local

Make a backup:

cp /etc/rc.local /etc/rc.local.bac

Edit:

nano /etc/rc.local

Add the following lines before "exit 0":

. . . .

    /DietPi/dietpi/dietpi-services start

fi
/DietPi/dietpi/dietpi-banner 0
echo -e " Default Login:\n Username = root\n Password = dietpi\n"

### - addition for OpenVPN clients - ###
## delete all old iptables rules
iptables -F
iptables -X
iptables -t nat -F


## Forwarding and NAT for OpenVPN clients
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


exit 0
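As an added example (not code from the thread, from k-plan or from DietPi), the two rule listings above, the one-off commands and the rc.local copy, combined into one script. It generates the same forwarding/NAT rules in iptables-restore format, which replaces the whole table atomically so re-running it at every boot does not stack duplicate rules the way repeated -A commands do, adds an explicit FORWARD rule for tunnel-to-WAN traffic so it also works when the FORWARD policy is DROP, and writes the result to a file that rc.local can load with a single iptables-restore. The subnet 10.8.0.0/24, interface eth0 and UDP/1194 come from the thread; the file path /etc/iptables/rules.v4 (the one iptables-persistent uses) and all function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build, check, apply and persist the
# NAT/forwarding rules for an OpenVPN server, in iptables-restore format.
# Assumed values (change to match your setup): VPN subnet 10.8.0.0/24,
# WAN/LAN interface eth0, OpenVPN listening on UDP/1194.
# RULES_FILE is the path iptables-persistent reads; here it is just where
# the generated ruleset is stored for rc.local to restore.

VPN_NET="${VPN_NET:-10.8.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# build_rules NET WAN_IF PORT PROTO
# Print a complete ruleset. iptables-restore swaps the tables in one step,
# so loading it twice leaves exactly one copy of each rule.
# FORWARD defaults to DROP: only tunnel <-> WAN traffic for the VPN subnet
# is forwarded, so the box does not route for anything else on the LAN.
build_rules() {
  net="$1" wan="$2" port="$3" proto="$4"
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the OpenVPN listener itself
-A INPUT -i ${wan} -p ${proto} --dport ${port} -j ACCEPT
# traffic arriving from VPN clients on the tunnel interface
-A INPUT -i tun+ -j ACCEPT
# VPN clients out to the WAN, and only replies back in
-A FORWARD -i tun+ -o ${wan} -s ${net} -j ACCEPT
-A FORWARD -i ${wan} -o tun+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${net} -o ${wan} -j MASQUERADE
COMMIT
EOF
}

# ip_forward_enabled: MASQUERADE does nothing useful if the kernel does not
# route between interfaces; check the sysctl before blaming the firewall.
ip_forward_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# count_rules NET WAN_IF PORT PROTO PATTERN
# Number of generated lines matching PATTERN (self-check without touching iptables).
count_rules() {
  build_rules "$1" "$2" "$3" "$4" | grep -c -- "$5"
}

# persist_rules NET WAN_IF PORT PROTO FILE
# Write the ruleset to FILE; one line in /etc/rc.local before "exit 0",
#   iptables-restore < FILE
# restores it at boot.
persist_rules() {
  build_rules "$1" "$2" "$3" "$4" > "$5"
}

# apply_rules NET WAN_IF PORT PROTO: load the ruleset into the running kernel (needs root).
apply_rules() {
  build_rules "$1" "$2" "$3" "$4" | iptables-restore
}

case "${1:-}" in
  show)    build_rules "$VPN_NET" "$WAN_IF" "$VPN_PORT" "$VPN_PROTO" ;;
  apply)   ip_forward_enabled || echo "warning: net.ipv4.ip_forward is 0, clients will not reach the internet" >&2
           apply_rules "$VPN_NET" "$WAN_IF" "$VPN_PORT" "$VPN_PROTO" ;;
  persist) persist_rules "$VPN_NET" "$WAN_IF" "$VPN_PORT" "$VPN_PROTO" "$RULES_FILE" ;;
esac
```

Run it as `sh vpn-fw.sh show` to inspect the ruleset, `sh vpn-fw.sh persist` once to write the file, and put `iptables-restore < /etc/iptables/rules.v4` in rc.local in place of the long list of iptables commands. Flushing everything with `iptables -F` is no longer needed, since the restore replaces the tables wholesale.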

Thanks k-plan

This thread might help you. https://dietpi.com/forum/t/is-it-possible-to-configure-wifi-ap-on-rpi-zero-w/2305/1

Default port to forward through the firewall is UDP/1194

Mine works like a champ…never had a problem

Will it work together with the tool from this website? I’ve heard good reviews about positive technologies.

No idea…what is that product?

As long as you allow incoming connections through the tun0 interface in this firewall, it should generally work. But with pre-configured firewalls you never know exactly, unlike iptables, where you explicitly need to block certain requests, so you know exactly what is blocked in which circumstances.