
I am trying to set up a VPN, as in the picture, mainly for gaming, Samba, for securing ssh/sftp and for access to other services with no forwarded ports in router A.
Until now, I successfully installed and ran as services:
server on NAS / Debian
client on NAS / Debian
client on PC1 / Windows7
No errors on logs.
The problem (1):
From PC1, I can ping 192.168.254.2 which is localhost.
From NAS, I can ping 192.168.254.254 which is localhost.
From NAS, I cannot ping 192.168.254.2
From PC1, I cannot ping 192.168.254.254
Question (2):
On NAS / Debian, which is the OpenVPN server, I installed and ran an OpenVPN client too, with a different certificate. Is this correct?
Question (3):
If I understand bridging correctly: if (see picture) PC4 runs on a physical subnet 192.168.20.x, as an OpenVPN client, and PC1 with NAS run on their physical subnet 192.168.1.x, where NAS is the OpenVPN server and PC1 is neither OpenVPN server nor client, then OpenVPN bridges 192.168.20.x with 192.168.1.x and from PC4 I can ping PC1?
If yes, how does all of this port forwarding take place? How does PC1, which is not an OpenVPN client, know where to find 192.168.20.x?
Question (4):
I forward port 1194 from Router A to NAS, because many clients exist on the internet. Does the OpenVPN server need more ports (like FTP or FTPS)?
Do OpenVPN clients have listening ports?
What I did:
- I use this guide: https://community.openvpn.net/openvpn/w ... edwithOVPN
- I generated the certification authority with my script:
#!/bin/sh
openssl genrsa -des3 -out ca.key 4096
chmod 600 ca.key
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt
Certificate Script
#!/bin/sh
# Usage: <client|server> <certification_name>, e.g. "client client_1".
# The role test is grouped in braces so that a wrong role is rejected even
# when a name is given (|| and && have equal precedence in sh).
if [ $# -lt 2 ] || { [ "$1" != "client" ] && [ "$1" != "server" ]; }; then
    printf "Syntax is:\n<client|server> <certification_name>. E.g. 'client client_1'.\n" >&2
    exit 1
fi
openssl genrsa -out "$2.key" 4096
chmod 600 "$2.key"
openssl req -new -key "$2.key" -out "$2.csr"
# -CAcreateserial lets the CA allocate a distinct serial for each certificate;
# a fixed -set_serial 01 would give every certificate the same serial number.
openssl x509 -req -days 36500 -in "$2.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -out "$2.crt" -extfile "openssl.x509.$1.conf"
rm "$2.csr"
openssl.x509.server.conf
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth
openssl.x509.client.conf
keyUsage = digitalSignature
extendedKeyUsage=clientAuth
Server Config
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem # Generated with: openssl dhparam -out dh4096.pem 4096
topology subnet
ifconfig-pool-persist ipp.txt
server-bridge 192.168.254.1 255.255.255.0 192.168.254.2 192.168.254.254
client-to-client
keepalive 60 120
tls-auth ta.key 0 # Generated with: openvpn --genkey --secret ta.key
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
- All client.conf / client.ovpn files are:
Client Config
client
dev tap
proto udp
remote ODROID-HC2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt # Common with server
cert client.crt # Distinct for each client
key client.key # Distinct for each client
remote-cert-tls server
tls-auth ta.key 1 # Common with server
cipher AES-256-CBC
verb 3
- On NAS, I started the services and got the logs with:
systemctl start openvpn@server.service
systemctl enable openvpn@server.service
systemctl start openvpn@client.service
systemctl enable openvpn@client.service
systemctl status openvpn@server.service
systemctl status openvpn@client.service
On PC1 / Windows 7
sc delete OpenVPNServiceLegacy
REM I don't remember the exact name of the following service
net stop OpenVPNServiceInterface
sc delete OpenVPNServiceInterface
net start OpenVPNService
On NAS
sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1
- There are no firewalls on any machine. I hate firewalls.
iptables -L
- ifconfig does not exist on NAS / Debian because it is deprecated; ip exists instead.
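The post's certificate scripts sign every certificate with the same serial and never check that the role extensions actually took effect, although the clients' `remote-cert-tls server` line depends on exactly that: a client certificate must not be usable as a server certificate. The following script is an added example, not code from the post or from the OpenVPN project. It builds a small CA with the openssl CLI, issues one server and two client certificates with the same two extension files, gives each certificate its own serial, and then checks with `openssl verify -purpose` which purposes each certificate passes. The CA name, the host names (nas, pc1, pc4), the passphrase and the working directory are constructed for the example; it assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: build a small OpenVPN PKI with the
# openssl CLI and check what "remote-cert-tls server" on the clients relies on,
# namely that only the server certificate carries extendedKeyUsage=serverAuth.
# Assumptions: openssl 1.1.1 or newer on PATH; the CA name, the host names
# (nas, pc1, pc4), the passphrase and the directory are constructed here.
set -eu

# Minimal openssl config for the CA and the CSRs, plus the same two extension
# files the post uses for signing (one per role).
write_pki_config() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n' \
        > "$1/openssl.x509.server.conf"
    printf 'keyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' \
        > "$1/openssl.x509.client.conf"
}

# make_ca DIR: passphrase-protected CA key and a self-signed CA certificate.
make_ca() {
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$1/ca.key" 2048 2>/dev/null
    chmod 600 "$1/ca.key"
    openssl req -new -x509 -days 3650 -config "$1/ca.cnf" -key "$1/ca.key" \
        -passin "pass:$CA_PASS" -subj "/CN=Home OpenVPN CA" -out "$1/ca.crt"
}

# issue_cert DIR server|client NAME: key, CSR and a certificate signed with the
# extension file for that role. -CAcreateserial makes the CA allocate a distinct
# serial per certificate instead of a fixed "-set_serial 01" for every one.
issue_cert() {
    dir=$1; role=$2; name=$3
    case $role in
        server|client) ;;
        *) echo "role must be server or client, got '$role'" >&2; return 1 ;;
    esac
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    chmod 600 "$dir/$name.key"
    openssl req -new -config "$dir/ca.cnf" -key "$dir/$name.key" \
        -subj "/CN=$name" -out "$dir/$name.csr"
    openssl x509 -req -days 3650 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -extfile "$dir/openssl.x509.$role.conf" -out "$dir/$name.crt" 2>/dev/null
    rm "$dir/$name.csr"
}

# verify_purpose CAFILE sslserver|sslclient CERT: returns 0 when CERT chains to
# CAFILE and its keyUsage/extendedKeyUsage allow that purpose, non-zero otherwise.
verify_purpose() {
    openssl verify -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1
}

# serial_of CERT: the certificate's serial number as hex.
serial_of() {
    openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'
}

CA_PASS=${CA_PASS:-example-ca-passphrase}   # constructed for the example
PKI_DIR=${PKI_DIR:-$(mktemp -d)}
write_pki_config "$PKI_DIR"
make_ca "$PKI_DIR"
issue_cert "$PKI_DIR" server nas
issue_cert "$PKI_DIR" client pc1
issue_cert "$PKI_DIR" client pc4

# A client certificate must be rejected for the server purpose (and vice
# versa); that rejection is what remote-cert-tls server checks on the client.
for name in nas pc1 pc4; do
    for purpose in sslserver sslclient; do
        if verify_purpose "$PKI_DIR/ca.crt" "$purpose" "$PKI_DIR/$name.crt"; then
            result=accepted
        else
            result=rejected
        fi
        echo "$name.crt as $purpose: $result (serial $(serial_of "$PKI_DIR/$name.crt"))"
    done
done
```

Run it as `PKI_DIR=/path/to/pki CA_PASS=... sh pki-example.sh` to keep the output directory; the `ca.crt`, `nas.crt`/`nas.key` and `pcN.crt`/`pcN.key` files map directly onto the `ca`, `cert` and `key` lines of the server and client configs above. The expected output is that `nas.crt` is accepted only as `sslserver`, the `pc*.crt` files only as `sslclient`, and all three serials differ; if a client certificate were accepted as `sslserver`, `remote-cert-tls server` would offer no protection.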