OpenVPN general usage

[keithellis]

Hi there, Been using DietPi for a while now since I heard about it on the The Pi Podcast and really like how it works. I have a couple of questions about OpenVPN.

What I want to be able to do with this is connect to a Raspberry Pi OpenVPN server whilst I am out and about using public wifi hotspots, redirecting all traffic through the OpenVPN server thus creating a secure connection on an otherwise insecure network. I assume this is possible.

Does the default setup do this out of the box?

In my current setup I don't think it does, but this may be related to my second question below.

On my home network I already have an ownCloud setup on a separate Raspberry Pi, so I have port 443 port forwarded to my ownCloud server. As such I cannot open up port 443 for my OpenVPN server. Is there a way around this, can I specify a different port for the OpenVPN https traffic?

Many thanks,
Regards,
Keith Ellis

[k-plan]

Hi keithellis,

As such I cannot open up port 443 for my OpenVPN server.

You can as well use UDP Port:1194 for open VPN connections.
Forward UDP (protocol 17) with port 1194 on your home router (with PAT/NAT) to ip address of you RPi running open VPN server.
You have to edit your config file: DietPi_OpenVPN_Client.ovpn

No need for tcp port 443 or 943 ( https://en.wikipedia.org/wiki/UDP_hole_punching )

Please have a look in Fourdee description: http://dietpi.com/phpbb/viewtopic.php?f ... p=613#p613

If you use UDP, a keepalive of the VPN connection is obligation, ( https://community.openvpn.net/openvpn/w ... n23ManPage )

If you have only dynamic ip address on your home router (with NAT/PAT), Dyn DNS for open VPN server entry will by usefull: http://dietpi.com/phpbb/viewtopic.php?f ... art=10#p58

cu
k-plan

[keithellis]

Hi keithellis,

As such I cannot open up port 443 for my OpenVPN server.

You can as well use UDP Port:1194 for open VPN connections.
Forward UDP (protocol 17) with port 1194 on your home router (with PAT/NAT) to ip address of you RPi running open VPN server.
You have to edit your config file: DietPi_OpenVPN_Client.ovpn

No need for tcp port 443 or 943 ( https://en.wikipedia.org/wiki/UDP_hole_punching )

Please have a look in Fourdee description: http://dietpi.com/phpbb/viewtopic.php?f ... p=613#p613

If you use UDP, a keepalive of the VPN connection is obligation, ( https://community.openvpn.net/openvpn/w ... n23ManPage )

If you have only dynamic ip address on your home router (with NAT/PAT), Dyn DNS for open VPN server entry will by usefull: http://dietpi.com/phpbb/viewtopic.php?f ... art=10#p58

cu
k-plan

Hi k-plan,

thanks for this. I am now using UDP port 1194 and I can connect to my OpenVPN server. I have a static external IP address so all is good there. However once connected my client cannot connect to the internet. Probably an OpenVPN question more than a DietPi one, but since I don't know how OpenVPN has been setup in DietPi are you able to give me any further guidance. Thank You
Keith Ellis

[Gabba]

Just to tack on to the end of this, what's the best way to load OpenVPN on startup?

To start it I use the below command or a sh file with the command in it. I'm just not sure how to start it. My rc.local file fails to load on startup.

Code: Select all

sudo openvpn --config /etc/openvpn/Startup.ovpn --script-security 2 --up /etc/openvpn/up.sh

Cheers,
Gabbe

[k-plan]

Hi keithellis,

Hi k-plan,

thanks for this. I am now using UDP port 1194 and I can connect to my OpenVPN server. I have a static external IP address so all is good there. However once connected my client cannot connect to the internet. Probably an OpenVPN question more than a DietPi one, but since I don't know how OpenVPN has been setup in DietPi are you able to give me any further guidance. Thank You
Keith Ellis

Edit DietPi_OpenVPN_Client.ovpn :

Code: Select all

client
proto udp
dev tun
link-mtu 1400

#IP/Domain name of DietPi system, running OpenVPN server plus Port-No.
remote !!!wan-ip-address-here!!! 1194

resolv-retry infinite
nobind

user nobody
group nogroup

persist-key
persist-tun

ns-cert-type server
comp-lzo
verb 3

## VPN Server is default Gateway for all connections
redirect-gateway

## Windows Client method
route-method exe
route-delay 2

## DNS Server from  LAN  for VPN Servers Clients (local DNS Server)
dhcp-option DNS 192.168.0.1

dhcp-option DNS 8.8.4.4


<ca>
-----BEGIN CERTIFICATE-----
....

ssh into your openVPN server and execute:

Code: Select all

# delete all old iptables 
iptables -F
iptables -X
iptables -t nat -F


## Forwarding u. NAT for openVPN Cients
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Test it. Will it works?
The iptable rules are not persistent. After a reboot they are gone. So they must be set via start up script.

cu
K-plan

[Ferdnand]

Hello, was looking at dietPi, and was wondering if I can set this up as a wifi repeater, with a OpenVPN account I have from liquidvpn,

Any help will be greatly appreciated....

Thanks keep up the great work....

[helio58]

Hi keithellis,

Hi k-plan,

thanks for this. I am now using UDP port 1194 and I can connect to my OpenVPN server. I have a static external IP address so all is good there. However once connected my client cannot connect to the internet. Probably an OpenVPN question more than a DietPi one, but since I don't know how OpenVPN has been setup in DietPi are you able to give me any further guidance. Thank You
Keith Ellis

Edit DietPi_OpenVPN_Client.ovpn :

Code: Select all

client
proto udp
dev tun
link-mtu 1400

#IP/Domain name of DietPi system, running OpenVPN server plus Port-No.
remote !!!wan-ip-address-here!!! 1194

resolv-retry infinite
nobind

user nobody
group nogroup

persist-key
persist-tun

ns-cert-type server
comp-lzo
verb 3

## VPN Server is default Gateway for all connections
redirect-gateway

## Windows Client method
route-method exe
route-delay 2

## DNS Server from  LAN  for VPN Servers Clients (local DNS Server)
dhcp-option DNS 192.168.0.1

dhcp-option DNS 8.8.4.4


<ca>
-----BEGIN CERTIFICATE-----
....

ssh into your openVPN server and execute:

Code: Select all

# delete all old iptables 
iptables -F
iptables -X
iptables -t nat -F


## Forwarding u. NAT for openVPN Cients
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Test it. Will it works?
The iptable rules are not persistent. After a reboot they are gone. So they must be set via start up script.

cu
K-plan

This worked , but please how can i make the iptable rules persistent ?
Thanks

[k-plan]

This worked , but please how can i make the iptable rules persistent ?

So they must be set via start up script.

To get this changes persistent on every boot, you have to edit /etc/rc.local

Make a backup:

Code: Select all

cp /etc/rc.local /etc/rc.local.bac

Edit:

Code: Select all

nano /etc/rc.local

Add following lines before "exit 0 ":

Code: Select all

. . . .

    /DietPi/dietpi/dietpi-services start

fi
/DietPi/dietpi/dietpi-banner 0
echo -e " Default Login:\n Username = root\n Password = dietpi\n"

### - addition for openVPN Cients - ###
## delete all old iptables 
iptables -F
iptables -X
iptables -t nat -F


## Forwarding a. NAT for openVPN Cients
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE


exit 0

[helio58]

Thanks k-plan

[JimrMazk]

Hello, was looking at dietPi, and was wondering if I can set this up as a wifi repeater, with a OpenVPN account I have from liquidvpn,

Any help will be greatly appreciated....

Thanks keep up the great work....

This thread might help you. viewtopic.php?t=3847