OpenVPN general usage

keithellis · 18 July 2016 16:03

Hi there, Been using DietPi for a while now since I heard about it on the The Pi Podcast and really like how it works. I have a couple of questions about OpenVPN.

What I want to be able to do with this is connect to a Raspberry Pi OpenVPN server whilst I am out and about using public wifi hotspots, redirecting all traffic through the OpenVPN server thus creating a secure connection on an otherwise insecure network. I assume this is possible.

Does the default setup do this out of the box?

In my current setup I don’t think it does, but this may be related to my second question below.

On my home network I already have an ownCloud setup on a separate Raspberry Pi, so I have port 443 port forwarded to my ownCloud server. As such I cannot open up port 443 for my OpenVPN server. Is there a way around this, can I specify a different port for the OpenVPN https traffic?

Many thanks,
Regards,
Keith Ellis

k-plan · 18 July 2016 17:53

Hi keithellis,

You can as well use UDP Port:1194 for open VPN connections.
Forward UDP (protocol 17) with port 1194 on your home router (with PAT/NAT) to ip address of you RPi running open VPN server.
You have to edit your config file: DietPi_OpenVPN_Client.ovpn

No need for tcp port 443 or 943 ( UDP hole punching - Wikipedia )

Please have a look in Fourdee description: https://dietpi.com/forum/t/dietpi-software-details-for-all-installation-options/22/37

If you use UDP, a keepalive of the VPN connection is obligation, ( https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage )

If you have only dynamic ip address on your home router (with NAT/PAT), Dyn DNS for open VPN server entry will by usefull: DietPi Community Forum - Welcome to the DietPi OS Community Forum

cu
k-plan

keithellis · 28 July 2016 21:32

k-plan:

Hi keithellis,

keithellis:

As such I cannot open up port 443 for my OpenVPN server.

You can as well use UDP Port:1194 for open VPN connections.
Forward UDP (protocol 17) with port 1194 on your home router (with PAT/NAT) to ip address of you RPi running open VPN server.
You have to edit your config file: DietPi_OpenVPN_Client.ovpn

No need for tcp port 443 or 943 ( UDP hole punching - Wikipedia )

Please have a look in Fourdee description: https://dietpi.com/forum/t/dietpi-software-details-for-all-installation-options/22/37

If you use UDP, a keepalive of the VPN connection is obligation, ( https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage )

If you have only dynamic ip address on your home router (with NAT/PAT), Dyn DNS for open VPN server entry will by usefull: DietPi Community Forum - Welcome to the DietPi OS Community Forum

cu
k-plan

Hi k-plan,

thanks for this. I am now using UDP port 1194 and I can connect to my OpenVPN server. I have a static external IP address so all is good there. However once connected my client cannot connect to the internet. Probably an OpenVPN question more than a DietPi one, but since I don’t know how OpenVPN has been setup in DietPi are you able to give me any further guidance. Thank You
Keith Ellis

Gabba · 31 July 2016 01:45

Just to tack on to the end of this, what’s the best way to load OpenVPN on startup?

To start it I use the below command or a sh file with the command in it. I’m just not sure how to start it. My rc.local file fails to load on startup.

sudo openvpn --config /etc/openvpn/Startup.ovpn --script-security 2 --up /etc/openvpn/up.sh

Cheers,
Gabbe

k-plan · 3 August 2016 17:57

Hi keithellis,

Edit DietPi_OpenVPN_Client.ovpn :

client
proto udp
dev tun
link-mtu 1400

#IP/Domain name of DietPi system, running OpenVPN server plus Port-No.
remote !!!wan-ip-address-here!!! 1194

resolv-retry infinite
nobind

user nobody
group nogroup

persist-key
persist-tun

ns-cert-type server
comp-lzo
verb 3

## VPN Server is default Gateway for all connections
redirect-gateway

## Windows Client method
route-method exe
route-delay 2

## DNS Server from  LAN  for VPN Servers Clients (local DNS Server)
dhcp-option DNS 192.168.0.1

dhcp-option DNS 8.8.4.4


<ca>
-----BEGIN CERTIFICATE-----
....

ssh into your openVPN server and execute:

# delete all old iptables 
iptables -F
iptables -X
iptables -t nat -F


## Forwarding u. NAT for openVPN Cients
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Test it. Will it works?
The iptable rules are not persistent. After a reboot they are gone. So they must be set via start up script.

cu
K-plan

Ferdnand · 11 August 2016 19:18

Hello, was looking at dietPi, and was wondering if I can set this up as a wifi repeater, with a OpenVPN account I have from liquidvpn,

Any help will be greatly appreciated…

Thanks keep up the great work…

helio58 · 23 June 2017 06:22

k-plan:

Hi keithellis,

keithellis:

Hi k-plan,

thanks for this. I am now using UDP port 1194 and I can connect to my OpenVPN server. I have a static external IP address so all is good there. However once connected my client cannot connect to the internet. Probably an OpenVPN question more than a DietPi one, but since I don’t know how OpenVPN has been setup in DietPi are you able to give me any further guidance. Thank You
Keith Ellis

Edit DietPi_OpenVPN_Client.ovpn :
client
proto udp
dev tun
link-mtu 1400

#IP/Domain name of DietPi system, running OpenVPN server plus Port-No.
remote !!!wan-ip-address-here!!! 1194

resolv-retry infinite
nobind

user nobody
group nogroup

persist-key
persist-tun

ns-cert-type server
comp-lzo
verb 3

## VPN Server is default Gateway for all connections
redirect-gateway

## Windows Client method
route-method exe
route-delay 2

## DNS Server from  LAN  for VPN Servers Clients (local DNS Server)
dhcp-option DNS 192.168.0.1

dhcp-option DNS 8.8.4.4


<ca>
-----BEGIN CERTIFICATE-----
....
ssh into your openVPN server and execute:
# delete all old iptables 
iptables -F
iptables -X
iptables -t nat -F


## Forwarding u. NAT for openVPN Cients
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Test it. Will it works?
The iptable rules are not persistent. After a reboot they are gone. So they must be set via start up script.

cu
K-plan

This worked , but please how can i make the iptable rules persistent ?
Thanks

k-plan · 25 June 2017 15:14

To get this changes persistent on every boot, you have to edit /etc/rc.local

Make a backup:

cp /etc/rc.local /etc/rc.local.bac

Edit:

nano /etc/rc.local

Add following lines before "exit 0 ":

. . . .

    /DietPi/dietpi/dietpi-services start

fi
/DietPi/dietpi/dietpi-banner 0
echo -e " Default Login:\n Username = root\n Password = dietpi\n"

### - addition for openVPN Cients - ###
## delete all old iptables 
iptables -F
iptables -X
iptables -t nat -F


## Forwarding a. NAT for openVPN Cients
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


exit 0

helio58 · 26 June 2017 18:42

Thanks k-plan

JimrMazk · 16 February 2019 06:13

This thread might help you. Is it possible to configure WiFi AP on RPI Zero W?

WarHawk · 18 February 2019 04:01

Default port to forward thru firewall is UDP/1194

Mine works like a champ…never had a problem

Graybush · 30 April 2019 21:01

Will it work together with the tool from this website? I’ve heard good reviews about positive technologies.

WarHawk · 1 May 2019 03:06

No idea…what is that product?

MichaIng · 1 May 2019 13:12

As long as you allow incoming connections through the tun0 interface by this firewall it should generally work. But with pre-configured firewalls you never know exactly, e.g. in comparison to iptables where you explicitly need to block certain requests so you know exactly what is blocked in which circumstances.