OpenVPN general usage

keithellis
Posts: 41
Joined: Mon May 23, 2016 2:55 pm

OpenVPN general usage

Post by keithellis »

Hi there, been using DietPi for a while now since I heard about it on The Pi Podcast and really like how it works. I have a couple of questions about OpenVPN.

What I want to be able to do with this is connect to a Raspberry Pi OpenVPN server whilst I am out and about using public wifi hotspots, redirecting all traffic through the OpenVPN server thus creating a secure connection on an otherwise insecure network. I assume this is possible.

Does the default setup do this out of the box?

In my current setup I don't think it does, but this may be related to my second question below.

On my home network I already have an ownCloud setup on a separate Raspberry Pi, so I have port 443 port forwarded to my ownCloud server. As such I cannot open up port 443 for my OpenVPN server. Is there a way around this, can I specify a different port for the OpenVPN https traffic?

Many thanks,
Regards,
Keith Ellis
k-plan
Posts: 416
Joined: Sun Feb 28, 2016 5:28 pm

Re: OpenVPN general usage

Post by k-plan »

Hi keithellis,
keithellis wrote: As such I cannot open up port 443 for my OpenVPN server.
You can as well use UDP port 1194 for OpenVPN connections.
Forward UDP (protocol 17) with port 1194 on your home router (with PAT/NAT) to the IP address of your RPi running the OpenVPN server.
You have to edit your config file: DietPi_OpenVPN_Client.ovpn

No need for TCP port 443 or 943 ( https://en.wikipedia.org/wiki/UDP_hole_punching )

Please have a look at Fourdee's description: http://dietpi.com/phpbb/viewtopic.php?f ... p=613#p613

If you use UDP, a keepalive of the VPN connection is obligatory ( https://community.openvpn.net/openvpn/w ... n23ManPage )

If you only have a dynamic IP address on your home router (with NAT/PAT), Dyn DNS for the OpenVPN server entry will be useful: http://dietpi.com/phpbb/viewtopic.php?f ... art=10#p58

cu
k-plan
If you find our project or support useful, then we’d really appreciate it if you’d consider contributing to the project however you can.
Donating is the easiest – you can use PayPal and Bitcoin.
keithellis
Posts: 41
Joined: Mon May 23, 2016 2:55 pm

Re: OpenVPN general usage

Post by keithellis »

Hi k-plan,

thanks for this. I am now using UDP port 1194 and I can connect to my OpenVPN server. I have a static external IP address so all is good there. However once connected my client cannot connect to the internet. Probably an OpenVPN question more than a DietPi one, but since I don't know how OpenVPN has been set up in DietPi, are you able to give me any further guidance? Thank you
Keith Ellis
Gabba
Posts: 25
Joined: Tue Jun 28, 2016 1:48 pm

Re: OpenVPN general usage

Post by Gabba »

Just to tack on to the end of this, what's the best way to load OpenVPN on startup?

To start it I use the below command or a sh file with the command in it. I'm just not sure how to start it. My rc.local file fails to load on startup.

Code:

sudo openvpn --config /etc/openvpn/Startup.ovpn --script-security 2 --up /etc/openvpn/up.sh
Cheers,
Gabbe
k-plan
Posts: 416
Joined: Sun Feb 28, 2016 5:28 pm

Re: OpenVPN general usage

Post by k-plan »

Hi keithellis,
keithellis wrote: Hi k-plan,

thanks for this. I am now using UDP port 1194 and I can connect to my OpenVPN server. I have a static external IP address so all is good there. However once connected my client cannot connect to the internet. Probably an OpenVPN question more than a DietPi one, but since I don't know how OpenVPN has been set up in DietPi, are you able to give me any further guidance? Thank you
Keith Ellis
Edit DietPi_OpenVPN_Client.ovpn :

Code:

client
proto udp
dev tun
link-mtu 1400

#IP/Domain name of DietPi system, running OpenVPN server plus Port-No.
remote !!!wan-ip-address-here!!! 1194

resolv-retry infinite
nobind

user nobody
group nogroup

persist-key
persist-tun

ns-cert-type server
comp-lzo
verb 3

## VPN Server is default Gateway for all connections
redirect-gateway

## Windows Client method
route-method exe
route-delay 2

## DNS Server from  LAN  for VPN Servers Clients (local DNS Server)
dhcp-option DNS 192.168.0.1

dhcp-option DNS 8.8.4.4


<ca>
-----BEGIN CERTIFICATE-----
....
SSH into your OpenVPN server and execute:

Code:

# delete all old iptables rules
iptables -F
iptables -X
iptables -t nat -F


## Forwarding and NAT for OpenVPN clients
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Test it. Does it work?
The iptables rules are not persistent. After a reboot they are gone. So they must be set via start up script.

cu
K-plan
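One way to answer "Test it" from the post above, as an added example that is not part of the thread: the function audits iptables-save output for the MASQUERADE rule, a FORWARD path for new tunnel traffic, and IP forwarding. The ip_forward check, the function name and the sample dump are additions; the thread does not mention them.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save dump for the
# things the VPN clients need. Network and interface are taken from the post.
VPN_NET="10.8.0.0/24"
WAN_IF="eth0"

# check_vpn_nat <iptables-save text> <value of /proc/sys/net/ipv4/ip_forward>
# Prints one line per problem; returns 0 only when nothing is missing.
check_vpn_nat() {
    findings=$(printf '%s\n' "$1" |
        awk -v net="$VPN_NET" -v ifc="$WAN_IF" -v fwd="$2" '
        /^\*/ { table = $1 }                      # "*nat", "*filter", ...
        table == "*nat" && /^-A POSTROUTING / && / -j MASQUERADE/ {
            s = o = 0
            for (i = 1; i < NF; i++) {
                if ($i == "-s" && $(i + 1) == net) s = 1
                if ($i == "-o" && $(i + 1) == ifc) o = 1
            }
            if (s && o) nat = 1
        }
        # New connections from tun need policy ACCEPT or an explicit rule;
        # the ESTABLISHED,RELATED rule alone only passes replies.
        table == "*filter" && /^:FORWARD ACCEPT / { fw = 1 }
        table == "*filter" && /^-A FORWARD / && / -i tun/ && / -j ACCEPT/ { fw = 1 }
        END {
            if (!nat) print "MISSING: MASQUERADE for " net " via " ifc
            if (!fw)  print "MISSING: FORWARD drops new packets from tun"
            if (fwd != "1") print "MISSING: ip_forward is " fwd ", need 1"
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: state after the flush commands on a host whose
# FORWARD policy is DROP and where routing is still disabled.
SAMPLE_FLUSHED='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

check_vpn_nat "$SAMPLE_FLUSHED" 0 || true
# On the server: check_vpn_nat "$(iptables-save)" "$(cat /proc/sys/net/ipv4/ip_forward)"
```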
Ferdnand

Re: OpenVPN general usage

Post by Ferdnand »

Hello, was looking at dietPi, and was wondering if I can set this up as a wifi repeater, with an OpenVPN account I have from liquidvpn,

Any help will be greatly appreciated....

Thanks keep up the great work....
helio58
Posts: 19
Joined: Tue Jun 06, 2017 8:02 pm

Re: OpenVPN general usage

Post by helio58 »

This worked :D, but please how can I make the iptables rules persistent?
Thanks
k-plan
Posts: 416
Joined: Sun Feb 28, 2016 5:28 pm

Re: OpenVPN general usage

Post by k-plan »

helio58 wrote: This worked, but please how can I make the iptables rules persistent?
k-plan wrote: So they must be set via start up script.

To make these changes persistent on every boot, you have to edit /etc/rc.local

Make a backup:

Code:

cp /etc/rc.local /etc/rc.local.bac
Edit:

Code:

nano /etc/rc.local

Add the following lines before "exit 0":

Code:

. . . .

    /DietPi/dietpi/dietpi-services start

fi
/DietPi/dietpi/dietpi-banner 0
echo -e " Default Login:\n Username = root\n Password = dietpi\n"

### - addition for OpenVPN clients - ###
## delete all old iptables rules
iptables -F
iptables -X
iptables -t nat -F


## Forwarding and NAT for OpenVPN clients
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


exit 0
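An added example (not k-plan's script): the same three rules applied only when they are missing, so the block can run at boot or by hand without the flush commands removing rules that other services installed. ensure_rule, apply_vpn_rules and the IPT variable are names made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: add the three VPN rules only when
# they are absent, instead of flushing every table first.
IPT=${IPT:-iptables}    # assumption: overridable so a stub can stand in

# ensure_rule [-t TABLE] CHAIN RULE-SPEC...
# "iptables -C" exits 0 when an identical rule already exists.
ensure_rule() {
    table=filter
    if [ "$1" = "-t" ]; then table=$2; shift 2; fi
    chain=$1; shift
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        echo "present: -t $table -A $chain $*"
    else
        "$IPT" -t "$table" -A "$chain" "$@" &&
            echo "added:   -t $table -A $chain $*"
    fi
}

# The rules from the post, without the preceding -F / -X flushes.
apply_vpn_rules() {
    ensure_rule INPUT -i tun+ -j ACCEPT
    ensure_rule FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ensure_rule -t nat POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
}

# Call with "apply" (as root, e.g. from /etc/rc.local before "exit 0").
case "${1:-}" in
    apply) apply_vpn_rules ;;
esac
```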
helio58
Posts: 19
Joined: Tue Jun 06, 2017 8:02 pm

Re: OpenVPN general usage

Post by helio58 »

Thanks k-plan
JimrMazk
Posts: 1
Joined: Thu Feb 14, 2019 8:45 am

Re: OpenVPN general usage

Post by JimrMazk »

Ferdnand wrote: Thu Aug 11, 2016 9:18 pm Hello, was looking at dietPi, and was wondering if I can set this up as a wifi repeater, with an OpenVPN account I have from liquidvpn,

Any help will be greatly appreciated....

Thanks keep up the great work....
This thread might help you. viewtopic.php?t=3847