Hi there, Been using DietPi for a while now since I heard about it on The Pi Podcast and really like how it works. I have a couple of questions about OpenVPN.
What I want to be able to do with this is connect to a Raspberry Pi OpenVPN server whilst I am out and about using public wifi hotspots, redirecting all traffic through the OpenVPN server thus creating a secure connection on an otherwise insecure network. I assume this is possible.
Does the default setup do this out of the box?
In my current setup I don't think it does, but this may be related to my second question below.
On my home network I already have an ownCloud setup on a separate Raspberry Pi, so I have port 443 port forwarded to my ownCloud server. As such I cannot open up port 443 for my OpenVPN server. Is there a way around this, can I specify a different port for the OpenVPN https traffic?
Many thanks,
Regards,
Keith Ellis
OpenVPN general usage
Re: OpenVPN general usage
Hi keithellis,
keithellis wrote: As such I cannot open up port 443 for my OpenVPN server.
You can as well use UDP port 1194 for OpenVPN connections.
Forward UDP (protocol 17) with port 1194 on your home router (with PAT/NAT) to the IP address of your RPi running the OpenVPN server.
You have to edit your config file: DietPi_OpenVPN_Client.ovpn
No need for TCP port 443 or 943 ( https://en.wikipedia.org/wiki/UDP_hole_punching )
Please have a look at Fourdee's description: http://dietpi.com/phpbb/viewtopic.php?f ... p=613#p613
If you use UDP, a keepalive of the VPN connection is obligatory ( https://community.openvpn.net/openvpn/w ... n23ManPage )
If you only have a dynamic IP address on your home router (with NAT/PAT), a DynDNS entry for the OpenVPN server will be useful: http://dietpi.com/phpbb/viewtopic.php?f ... art=10#p58
cu
k-plan
Re: OpenVPN general usage
Hi k-plan,
k-plan wrote: You can as well use UDP port 1194 for OpenVPN connections. Forward UDP (protocol 17) with port 1194 on your home router (with PAT/NAT) to the IP address of your RPi running the OpenVPN server. [...]
thanks for this. I am now using UDP port 1194 and I can connect to my OpenVPN server. I have a static external IP address, so all is good there. However, once connected my client cannot connect to the internet. Probably an OpenVPN question more than a DietPi one, but since I don't know how OpenVPN has been set up in DietPi, are you able to give me any further guidance? Thank you
Keith Ellis
Re: OpenVPN general usage
Just to tack on to the end of this, what's the best way to load OpenVPN on startup?
To start it I use the command below, or an sh file with the command in it. I'm just not sure how to start it. My rc.local file fails to load on startup.
Code:
sudo openvpn --config /etc/openvpn/Startup.ovpn --script-security 2 --up /etc/openvpn/up.sh
Cheers,
Gabbe
Re: OpenVPN general usage
Hi keithellis,
keithellis wrote: However, once connected my client cannot connect to the internet. Probably an OpenVPN question more than a DietPi one, but since I don't know how OpenVPN has been set up in DietPi, are you able to give me any further guidance? [...]
Edit DietPi_OpenVPN_Client.ovpn:
Code:
client
proto udp
dev tun
link-mtu 1400
# IP/domain name of the DietPi system running the OpenVPN server, plus port number
remote !!!wan-ip-address-here!!! 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
# only accept a server certificate that was issued for server use
ns-cert-type server
comp-lzo
verb 3
## VPN server is the default gateway for all connections
redirect-gateway
## Windows client method
route-method exe
route-delay 2
## DNS servers for the VPN server's clients (local LAN DNS server first)
dhcp-option DNS 192.168.0.1
dhcp-option DNS 8.8.4.4
<ca>
-----BEGIN CERTIFICATE-----
....
ssh into your OpenVPN server and execute:
Code:
# delete all old iptables rules (this also removes any other firewall rules on the host)
iptables -F
iptables -X
iptables -t nat -F
## Forwarding and NAT for OpenVPN clients
# accept traffic arriving from the VPN tunnel devices
iptables -A INPUT -i tun+ -j ACCEPT
# let replies to forwarded connections back through; there is no ACCEPT for new
# connections from tun+, so forwarding relies on the FORWARD chain's default
# policy (ACCEPT on a stock install) and on net.ipv4.ip_forward being enabled
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
# hide the 10.8.0.0/24 VPN clients behind the Pi's eth0 address
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Test it. Does it work?
The iptables rules are not persistent. After a reboot they are gone. So they must be set via a startup script.
cu
K-plan
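A small pre-flight check for the client config above, added here as an example and not code from the DietPi project or from k-plan's post. It assumes the .ovpn is a plain text file and only greps for the directives discussed in this thread (the placeholder in the remote line, redirect-gateway, the server certificate check, and keepalive for UDP):

```shell
#!/bin/sh
# Added example: not code from the DietPi project or this thread.
# Greps a client .ovpn for the directives the thread discusses;
# it does not start OpenVPN.

# Print one finding per line for the client config given as $1.
ovpn_findings() {
    f="$1"
    # template placeholder still present: the client can never reach the server
    if grep -q '^remote .*!!!' "$f"; then
        echo "remote: placeholder not replaced with WAN address or DynDNS name"
    fi
    # without redirect-gateway only LAN-bound traffic is tunnelled
    if ! grep -q '^redirect-gateway' "$f"; then
        echo "redirect-gateway: missing, internet traffic bypasses the VPN"
    fi
    # verify the server certificate (old ns-cert-type or current remote-cert-tls)
    if ! grep -Eq '^(ns-cert-type|remote-cert-tls) server' "$f"; then
        echo "server cert: add 'remote-cert-tls server'"
    fi
    # UDP sessions need keepalive so the router's NAT mapping does not expire
    if grep -q '^proto udp' "$f" && ! grep -Eq '^(keepalive|ping) ' "$f"; then
        echo "keepalive: proto udp without keepalive/ping (the server may push it)"
    fi
}

# Number of findings as a plain integer on stdout.
ovpn_finding_count() {
    ovpn_findings "$1" | wc -l | tr -d ' '
}

# Constructed sample: the thread's template with the placeholder left in
# and no keepalive line (two findings expected).
SAMPLE_OVPN="${TMPDIR:-/tmp}/sample-client.ovpn"
cat > "$SAMPLE_OVPN" <<'EOF'
client
proto udp
dev tun
remote !!!wan-ip-address-here!!! 1194
nobind
persist-key
persist-tun
ns-cert-type server
redirect-gateway
verb 3
EOF

ovpn_findings "$SAMPLE_OVPN"
echo "findings: $(ovpn_finding_count "$SAMPLE_OVPN")"
```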
Re: OpenVPN general usage
Hello, was looking at DietPi, and was wondering if I can set this up as a WiFi repeater, with an OpenVPN account I have from liquidvpn.
Any help will be greatly appreciated....
Thanks, keep up the great work....
Re: OpenVPN general usage
k-plan wrote: Hi keithellis, Edit DietPi_OpenVPN_Client.ovpn: [...] ssh into your OpenVPN server and execute: [...] The iptables rules are not persistent. After a reboot they are gone. So they must be set via a startup script.
This worked, but please how can I make the iptables rules persistent?
Thanks
Re: OpenVPN general usage
helio58 wrote: This worked, but please how can I make the iptables rules persistent?
k-plan wrote: So they must be set via a startup script.
To make these changes persistent on every boot, you have to edit /etc/rc.local
Make a backup:
Code:
cp /etc/rc.local /etc/rc.local.bac
Code:
nano /etc/rc.local
Add the following lines before "exit 0":
Code:
. . . .
/DietPi/dietpi/dietpi-services start
fi
/DietPi/dietpi/dietpi-banner 0
echo -e " Default Login:\n Username = root\n Password = dietpi\n"
### - addition for OpenVPN clients - ###
## delete all old iptables rules (this also removes any other firewall rules set earlier in the boot)
iptables -F
iptables -X
iptables -t nat -F
## Forwarding and NAT for OpenVPN clients
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
exit 0
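An idempotent version of the rules from k-plan's two posts (the iptables block answering keithellis and the rc.local addition above), added here as an example and not code from the DietPi project or from the thread. It assumes eth0 as the WAN interface and 10.8.0.0/24 as the VPN subnet, and is meant to be called from rc.local with --apply:

```shell
#!/bin/sh
# Added example: not code from the DietPi project or this thread.
# Unlike the rc.local addition it does not flush every chain at boot
# (which also wipes any other firewall rules) and it adds explicit
# FORWARD rules instead of relying on the FORWARD policy being ACCEPT.
# Assumptions: WAN interface eth0, VPN subnet 10.8.0.0/24, devices tun+.
WAN_IF="${WAN_IF:-eth0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# iptables wrapper; with DRY_RUN=1 it prints each command instead and
# reports every "-C" (check) call as "rule not present", so the script
# can be exercised without root.
run_ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"; [ "$3" != -C ]
    else
        iptables "$@"
    fi
}

# The rule set, one "<table> <chain> <spec>" per line.
vpn_rules() {
    cat <<EOF
filter INPUT -i tun+ -j ACCEPT
filter FORWARD -i tun+ -o $WAN_IF -s $VPN_NET -j ACCEPT
filter FORWARD -i $WAN_IF -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
nat POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Append each rule only when an identical one is absent (-C first), so
# running this on every boot, or twice by hand, never duplicates rules.
apply_vpn_rules() {
    vpn_rules | while read -r table chain spec; do
        # $spec is left unquoted on purpose so it splits into arguments
        run_ipt -t "$table" -C "$chain" $spec 2>/dev/null \
            || run_ipt -t "$table" -A "$chain" $spec
    done
}

# Kernel forwarding must be on or packets from tun0 never reach eth0.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "sysctl -w net.ipv4.ip_forward=1"
    else sysctl -q -w net.ipv4.ip_forward=1; fi
}

# Called from /etc/rc.local as: /path/to/this-script.sh --apply
if [ "${1:-}" = "--apply" ]; then enable_forwarding; apply_vpn_rules; fi
```

Run it with DRY_RUN=1 first to see the exact iptables commands it would issue before putting the --apply call into rc.local.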
Re: OpenVPN general usage
Ferdnand wrote: Thu Aug 11, 2016 9:18 pm Hello, was looking at DietPi, and was wondering if I can set this up as a WiFi repeater, with an OpenVPN account I have from liquidvpn. [...]
This thread might help you: viewtopic.php?t=3847