Sample Config for OpenVPN (TAP) on Arch
Posted: Sat Nov 07, 2015 2:29 pm
Hi there,
being a recent owner of a Raspberry Pi 2 (Arch-Linux), I have decided to set up OpenVPN to extend my home network.
Specifically, I wanted to add a samba share from my VPS and I also wanted to be able to tunnel into the network when I am abroad using an Android device or a laptop.
Most guides I found describe the setup for TUN connections. However, in order to extend my home network to "foreign" devices a TAP connection seemed more natural to me.
Now everything is running smoothly and I have decided to post my configuration in case anyone else wants to do the same.
Most of the information came from the two excellent tutorials OpenVPN-Howto and Arch Wiki.
Disclaimer: I am quite new to Linux; if you see something I can improve, please comment.
Basic Setup
- Home-Network is 192.168.178.0/24
- Standard Gateway: Router connected to WAN, 192.168.178.1
- VPN Server using TAP on R-Pie (Arch-Linux), 192.168.178.201
Set up port forwarding. I mapped the OpenVPN standard UDP-Port 1192 to the R-Pi's 1192.
Remove an IP range from the range the router uses to allocate DHCP addresses. I decided to use 192.168.178.201-254 for the RPie and the VPN. The DHCP range of the router hence was 192.168.2-200.
Also, set up Dyn-DNS for the router. If you are the lucky owner of a Fritz-Box, this step is void as it comes with Dyn-DNS already preconfigured.
Configuring the VPN-Server
Now begins the fun part.
I used netctl to manage the interfaces. Place the following three files in /etc/netctl/ and enable them with sudo netctl enable filename.
Do not assign an IP address for the ethernet adapter: this will cause errors when it is added to the bridge.
Be sure to enable packet-forwarding. Unfortunately I have not found a way to do this automatically on boot. I have to run the following command after each reboot manually: sudo sysctl net.ipv4.ip_forward=1. If anyone knows how to do that automatically, please tell me.
bridge.conf
Description="Bridge for OpenVPN"
Interface=br0
Connection=bridge
BindsToInterfaces=(eth0 tap0)
IP=static
Address=('192.168.178.201/24')
Gateway='192.168.178.1'
DNS=('192.168.178.1')
ethernet.conf
Description='Ethernet'
Interface=eth0
Connection=ethernet
IP=no
tap.conf
Description='TAP adapter for OpenVPN'
Interface=tap0
Connection=tuntap
Mode='tap'
User='nobody'
Group='nobody'
Also I have a VPS with some samba-shares. This is supposed to have the same IP every time it connects. I solved this by using the client-config-dir option and added a file my-vps.conf. Don't forget to adjust the IP range allocated in the server-bridge option of server.conf below. Place the server.conf file in your openvpn directory (usually /etc/openvpn) and enable the server by sudo systemctl enable openvpn@server.service.
my-vps.conf
ifconfig-push 192.168.178.202 255.255.255.0
server.conf
port 1194
proto udp
dev tap0
ca ./keys/ca.crt
cert ./keys/rpie.crt
key ./keys/rpie.key
dh ./keys/dh2048.pem
tls-auth ./keys/ta.key 0 #0 for the server, 1 for the client
client-config-dir ./static-clients #this is the directory of my-vps.conf
server-bridge 192.168.178.201 255.255.255.0 192.168.178.203 192.168.178.254
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
Configuring the VPN-Client
Again see OpenVPN-Howto on how to set up the public and private keys. For Android, a great client which supports OpenVPN and TAP is the OpenVPN Client. It is not free, but absolutely worth every penny.
For Windows I use the official client. My final client.ovpn (use this extension for Android or Windows) looks like this.
client1.ovpn
remote my.dyn.dns 1194
client
proto udp
dev tap0
ca ./ca.crt
cert ./client1.crt
key ./client1.key
tls-auth ./ta.key 1 #1 for the client, 0 for the server
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
resolv-retry infinite
verb 3
ns-cert-type server
#redirect-gateway def1 #uncomment to route all traffic through the vpn
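As an added consistency check that is not part of the original post: the Python script below parses trimmed copies of the server.conf, my-vps.conf and client1.ovpn shown above (constructed inline) and reports the mismatches that break or weaken this bridged setup, namely tls-auth key directions that are not complementary (0 on the server, 1 on the client), a proto, cipher or comp-lzo setting present on only one side, and a static ifconfig-push address that collides with the server, falls inside the server-bridge pool, or lies back inside the router's DHCP range. The reserved host range .201-.254 is taken from the Basic Setup section; the function and variable names are my own.

```python
import ipaddress

# Constructed copies of the post's server.conf and client1.ovpn (trimmed, comments dropped), not the author's files verbatim.
SERVER_CONF = """proto udp
dev tap0
tls-auth ./keys/ta.key 0
server-bridge 192.168.178.201 255.255.255.0 192.168.178.203 192.168.178.254
cipher AES-256-CBC
comp-lzo"""
CLIENT_CONF = """remote my.dyn.dns 1194
proto udp
dev tap0
tls-auth ./ta.key 1
cipher AES-256-CBC
comp-lzo"""
STATIC_CLIENTS = {"my-vps": "ifconfig-push 192.168.178.202 255.255.255.0"}  # client-config-dir files
# Host range the post removed from the router's DHCP pool (.201-.254); VPN addresses must stay inside it.
RESERVED = (ipaddress.ip_address("192.168.178.201"), ipaddress.ip_address("192.168.178.254"))

def parse(text):
    """Map each OpenVPN directive to its argument list, ignoring '#' comments."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            opts[parts[0]] = parts[1:]
    return opts

def check(server_text, client_text, static_clients, reserved):
    """Return a list of mismatches between server, client and static-client (ifconfig-push) settings."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    # tls-auth key directions must be complementary: 0 on the server, 1 on the client.
    if s.get("tls-auth", [])[1:] != ["0"] or c.get("tls-auth", [])[1:] != ["1"]:
        problems.append("tls-auth key-direction must be 0 on the server and 1 on the client")
    for key in ("proto", "cipher", "comp-lzo"):  # these must agree on both sides
        if s.get(key) != c.get(key):
            problems.append(f"{key} differs between server and client")
    gw, _mask, first, last = s["server-bridge"]
    pool = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    if not (reserved[0] <= pool[0] <= pool[1] <= reserved[1]):
        problems.append("server-bridge pool is not inside the range reserved from router DHCP")
    for name, line in static_clients.items():
        addr = ipaddress.ip_address(parse(line)["ifconfig-push"][0])
        if addr == ipaddress.ip_address(gw) or pool[0] <= addr <= pool[1]:
            problems.append(f"{name}: address collides with the server or the server-bridge pool")
        elif not (reserved[0] <= addr <= reserved[1]):
            problems.append(f"{name}: address is outside the range reserved from router DHCP")
    return problems
```

Running check(SERVER_CONF, CLIENT_CONF, STATIC_CLIENTS, RESERVED) on the post's values returns an empty list; change the client's tls-auth direction to 0 or move my-vps to .210 and it reports the problem.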
I hope this guide saves some time for some people.
Best regards,
Tobias