Sample Config for OpenVPN (TAP) on Arch

check0104
OpenVpn Newbie
Posts: 3
Joined: Sat Nov 07, 2015 11:58 am

Sample Config for OpenVPN (TAP) on Arch

Postby check0104 » Sat Nov 07, 2015 2:29 pm

Hi there,

being a recent owner of a Raspberry Pi 2 (Arch-Linux), I have decided to set up OpenVPN to extend my home network.
Specifically, I wanted to add a samba share from my VPS and I also wanted to be able to tunnel into the network when I am abroad using an Android device or a laptop.
Most guides I found are describing the setup for TUN connections. However, in order to extend my home network to "foreign" devices a TAP connection seemed more natural to me.
Now everything is running smoothly and I have decided to post my configuration in case anyone else wants to do the same.
Most of the information came from the two excellent tutorials OpenVPN-Howto and Arch Wiki.

Disclaimer: I am quite new to Linux; if you see something I can improve, please comment.

Basic Setup
  • Home-Network is 192.168.178.0/24
  • Standard Gateway: Router connected to WAN, 192.168.178.1
  • VPN Server using TAP on R-Pie (Arch-Linux), 192.168.178.201

Configuring the router
Set up a port forwarding. I mapped the OpenVPN standard UDP-Port 1192 to the R-Pi's 1192.
Remove an IP range from the range the router uses to allocate DHCP addresses. I decided to use 192.168.178.201-254 for the RPie and the VPN. The DHCP range of the router hence was 192.168.2-200.
Also, set up Dyn-DNS for the router. If you are the lucky owner of a Fritz-Box, this step is void as it comes with Dyn-DNS already preconfigured.

Configuring the VPN-Server
Now begins the fun part.
I used netctl to manage the interfaces. Place the following three files in /etc/netctl/ and enable them with sudo netctl enable filename
Do not assign an IP address to the ethernet adapter: this will cause errors when it is added to the bridge.
Be sure to enable packet-forwarding. Unfortunately I have not found a way to do this automatically on boot. I have to run the following command after each reboot manually: sudo sysctl net.ipv4.ip_forward=1. If anyone knows how to do that automatically, please tell me.

bridge.conf

Description="Bridge for OpenVPN"
Interface=br0
Connection=bridge
BindsToInterfaces=(eth0 tap0)
IP=static
Address=('192.168.178.201/24')
Gateway='192.168.178.1'
DNS=('192.168.178.1')

ethernet.conf

Description='Ethernet'
Interface=eth0
Connection=ethernet
IP=no

tap.conf

Description='TAP adapter for OpenVPN'
Interface=tap0
Connection=tuntap
Mode='tap'
User='nobody'
Group='nobody'


Now set up a working PKI for OpenVPN (see OpenVPN-Howto). I decided to use a 2048-bit Diffie-Hellman key as 1024-bit might have been cracked for some primes. Being paranoid about DDoS attacks at my home (yeah...sure), I also generated a key to add an extra step of security to the first connection attempt: openvpn --genkey --secret ta.key
Also I have a VPS with some samba shares. This is supposed to have the same IP every time it connects. I solved this by using the client-config-dir option and added a file my-vps.conf. Don't forget to adjust the IP range allocated in the server-bridge option of server.conf below. Place the server.conf file in your openvpn directory (usually /etc/openvpn) and enable the server with sudo systemctl enable openvpn@server.service.

my-vps.conf

ifconfig-push 192.168.178.202 255.255.255.0

server.conf

port 1194

proto udp
dev tap0

ca ./keys/ca.crt
cert ./keys/rpie.crt
key ./keys/rpie.key
dh ./keys/dh2048.pem
tls-auth ./keys/ta.key 0 #0 for the server, 1 for the client

client-config-dir ./static-clients #this is the directory of my-vps.conf
server-bridge 192.168.178.201 255.255.255.0 192.168.178.203 192.168.178.254

keepalive 10 120

cipher AES-256-CBC

comp-lzo

user nobody
group nobody


Configuring the VPN-Client
Again see OpenVPN-Howto on how to set up the public and private keys. For Android, a great client which supports OpenVPN and TAP is the OpenVPN Client. It is not free, but absolutely worth every penny.
For Windows I use the official client. My final client.ovpn (use this extension for Android or Windows) looks like this.

client1.ovpn

remote my.dyn.dns 1194
client
proto udp
dev tap0
ca ./ca.crt
cert ./client1.crt
key ./client1.key
tls-auth ./ta.key 1 #1 for the client, 0 for the server
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
resolv-retry infinite
verb 3
ns-cert-type server

#redirect-gateway def1 #uncomment to route all traffic through the vpn


For me this configuration works. If you should have any remarks, please comment.
I hope this guide saves some time for some people.

Best regards,

Tobias

Traffic
OpenVPN Protagonist
Posts: 4081
Joined: Sat Aug 09, 2014 11:24 am

Re: Sample Config for OpenVPN (TAP) on Arch

Postby Traffic » Sun Nov 08, 2015 11:38 am

Good HowTo .. thanks 8-)

One comment:
I found that when using a bridge it is sometimes better to specify the default gateway not the bridge IP.

E.g.:
check0104 wrote:
server.conf

server-bridge 192.168.178.201 255.255.255.0 192.168.178.203 192.168.178.254

server-bridge 192.168.178.1 255.255.255.0 192.168.178.203 192.168.178.254
This affects broadcasts on some systems.

You may also want to use --explicit-exit-notify

check0104
OpenVpn Newbie
Posts: 3
Joined: Sat Nov 07, 2015 11:58 am

Re: Sample Config for OpenVPN (TAP) on Arch

Postby check0104 » Mon Nov 09, 2015 12:21 pm

Thanks for the advice. The server-bridge option will probably avoid some unnecessary routing. I will add this to my configuration.
Also I was not aware of the --explicit-exit-notify option. Sounds like a best practice thing. I will add it as well. 8-)

check0104
OpenVpn Newbie
Posts: 3
Joined: Sat Nov 07, 2015 11:58 am

Re: Sample Config for OpenVPN (TAP) on Arch

Postby check0104 » Mon Nov 09, 2015 12:30 pm

I realized that this post is quite off-topic in "Access Server". Could a moderator maybe move this post to the "Tutorials" section? Thanks a lot in advance!
