Sample Config for OpenVPN (TAP) on Arch


Sample Config for OpenVPN (TAP) on Arch

Post by check0104 » Sat Nov 07, 2015 2:29 pm

Hi there,

being a recent owner of a Raspberry Pi 2 (Arch-Linux), I have decided to set up OpenVPN to extend my home network.
Specifically, I wanted to add a samba share from my VPS and I also wanted to be able to tunnel into the network when I am abroad using an Android device or a laptop.
Most guides I found are describing the setup for TUN connections. However, in order to extend my home network to "foreign" devices a TAP connection seemed more natural to me.
Now everything is running smoothly and I have decided to post my configuration in case anyone else wants to do the same.
Most of the information came from the two excellent tutorials OpenVPN-Howto and Arch Wiki.

Disclaimer: I am quite new to Linux; if you should see something I can improve, please comment.

Basic Setup
  • Home-Network is
  • Standard Gateway: Router connected to WAN,
  • VPN Server using TAP on R-Pie (Arch-Linux),
Configuring the router
Set up a port forwarding. I mapped the OpenVPN standard UDP port 1192 to the R-Pi's 1192.
Remove an IP range from the range the router uses to allocate DHCP addresses. I decided to use for the RPie and the VPN. The DHCP range of the router hence was 192.168.2-200
Also, set up Dyn-DNS for the router. If you are the lucky owner of a Fritz-Box, this step is void as it comes with Dyn-DNS already preconfigured.

Configuring the VPN-Server
Now begins the fun part.
I used netctl to manage the interfaces. Place the following three files in /etc/netctl/ and enable them with sudo netctl enable filename
Do not assign an IP address to the ethernet adapter: this will cause errors when it is added to the bridge.
Be sure to enable packet forwarding. Unfortunately I have not found a way to do this automatically on boot. I have to run the following command manually after each reboot: sudo sysctl net.ipv4.ip_forward=1. If anyone knows how to do that automatically, please tell me.


Code: bridge profile (file name assumed, e.g. /etc/netctl/br0; the Interface/Connection/IP keys missing from the post are restored, addresses are placeholders)

Description="Bridge for OpenVPN"
Interface=br0
Connection=bridge
BindsToInterfaces=(eth0 tap0)
IP=static
Address=('<rpi-lan-ip>/24')   # placeholder: the static LAN address reserved for the RPi
Gateway='<router-lan-ip>'     # placeholder: the router

Code: ethernet profile (file name assumed, e.g. /etc/netctl/eth0; content missing from the post, reconstructed: the port is a bridge member and gets no address of its own)

Description='Ethernet port, bridge member only'
Interface=eth0
Connection=ethernet
IP=no

Code: TAP profile (file name assumed, e.g. /etc/netctl/tap0; the keys missing from the post are restored)

Description='TAP adapter for OpenVPN'
Interface=tap0
Connection=tuntap
Mode=tap
IP=no
Now set up a working PKI for OpenVPN (see OpenVPN-Howto). I decided to use a 2048-bit Diffie-Hellman key as 1024-bit might have been cracked for some primes. Being paranoid about DDoS attacks at my home (yeah...sure), I also generated a key to add an extra step of security to the first connection attempt: openvpn --genkey --secret ta.key
Also I have a VPS with some Samba shares. This is supposed to have the same IP every time it connects. I solved this by using the client-config-dir option and added a file my-vps.conf. Don't forget to adjust the IP range allocated in the server-bridge option of server.conf below. Place the server.conf file in your openvpn directory (usually /etc/openvpn) and enable the server by sudo systemctl enable openvpn@server.service.

Code: static-clients/my-vps.conf (content missing from the post, reconstructed: one fixed address for the VPS; the values are placeholders)

ifconfig-push <vps-fixed-ip> <netmask>

Code: server.conf

port 1194
proto udp
dev tap0

ca ./keys/ca.crt
cert ./keys/rpie.crt
key ./keys/rpie.key
dh ./keys/dh2048.pem
tls-auth ./keys/ta.key 0 # 0 for the server, 1 for the client

# bridge address, netmask and the pool handed to VPN clients (values elided in the post; placeholders)
server-bridge <bridge-ip> <netmask> <pool-start> <pool-end>

client-config-dir ./static-clients # this is the directory of my-vps.conf

keepalive 10 120

cipher AES-256-CBC

user nobody
group nobody
persist-key # added: keep the keys and the tap device across restarts once privileges are dropped
persist-tun
Configuring the VPN-Client
Again see OpenVPN-Howto on how to set up the public and private keys. For Android, a great client which supports OpenVPN and TAP is the OpenVPN Client. It is not free, but absolutely worth every penny.
For Windows I use the official client. My final client.ovpn (use this extension for Android or Windows) looks like this.


Code: client.ovpn

client # added: the post's file lacks it; without it OpenVPN neither acts as a TLS client nor pulls the bridge settings
remote my.dyn.dns 1194
proto udp
dev tap0
ca ./ca.crt
cert ./client1.crt
key ./client1.key
tls-auth ./ta.key 1 # 1 for the client, 0 for the server
keepalive 10 120
cipher AES-256-CBC
resolv-retry infinite
verb 3
ns-cert-type server

#redirect-gateway def1 # uncomment to route all traffic through the vpn
For me this configuration works. If you should have any remarks, please comment.
I hope this guide saves some time for some people.

Best regards,
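Two checks worth running against a setup like the one in the post above, as an added example that is not code from the original post: first, that the address plan is consistent (the router's DHCP scope, the server-bridge pool, the bridge IP and any client pinned via client-config-dir must never hand out or occupy the same address), and second, that a server.conf and the client.ovpn written for it agree on proto, device type, cipher, port and the complementary tls-auth key direction (0 on the server, 1 on the client). The subnet, address ranges and the two config texts below are constructed samples that mirror the post's layout, not the poster's real values.

```python
"""Sanity checks for a bridged (TAP) OpenVPN setup: address plan and server/client pairing.

Added example, not part of the forum post; all addresses and config texts are constructed.
"""
import ipaddress
import shlex


def check_address_plan(subnet, dhcp_range, bridge_ip, vpn_pool, fixed_clients):
    """Return a list of problems (empty list means the plan is consistent).

    dhcp_range / vpn_pool are (first, last) tuples; bridge_ip is the br0 address
    (first field of server-bridge); fixed_clients is {name: ip} from ifconfig-push files.
    """
    net = ipaddress.ip_network(subnet)
    problems = []
    dhcp_lo, dhcp_hi = (ipaddress.ip_address(x) for x in dhcp_range)
    pool_lo, pool_hi = (ipaddress.ip_address(x) for x in vpn_pool)
    br = ipaddress.ip_address(bridge_ip)
    for label, ip in [("DHCP start", dhcp_lo), ("DHCP end", dhcp_hi),
                      ("pool start", pool_lo), ("pool end", pool_hi), ("bridge IP", br)]:
        if ip not in net:
            problems.append(f"{label} {ip} is outside {net}")
    # Two allocators giving the same address to two hosts is the classic bridged-VPN
    # failure, so the router's DHCP scope and the VPN pool must be disjoint.
    if pool_lo <= dhcp_hi and dhcp_lo <= pool_hi:
        problems.append("server-bridge pool overlaps the router's DHCP range")
    if dhcp_lo <= br <= dhcp_hi or pool_lo <= br <= pool_hi:
        problems.append(f"bridge IP {br} lies inside a dynamic range")
    for name, ip in fixed_clients.items():
        ip = ipaddress.ip_address(ip)
        if ip not in net:
            problems.append(f"fixed client {name}: {ip} is outside {net}")
        elif dhcp_lo <= ip <= dhcp_hi or pool_lo <= ip <= pool_hi or ip == br:
            problems.append(f"fixed client {name}: {ip} collides with a dynamic range or the bridge")
    return problems


def parse_ovpn(text):
    """Parse an OpenVPN config into {option: [args]}, dropping comments and blank lines."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            words = shlex.split(line)
            opts[words[0]] = words[1:]
    return opts


def check_pairing(server_text, client_text):
    """Return a list of mismatches between a server.conf and the client.ovpn meant for it."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    problems = []
    if s.get("proto", ["udp"])[0] != c.get("proto", ["udp"])[0]:
        problems.append("proto differs")
    # 'dev tap0' and 'dev tap' both mean TAP: compare the type, not the unit number.
    if s.get("dev", [""])[0].rstrip("0123456789") != c.get("dev", [""])[0].rstrip("0123456789"):
        problems.append("dev type differs (tap vs tun)")
    if s.get("cipher") != c.get("cipher"):
        problems.append("cipher differs")
    remote = c.get("remote", [])
    remote_port = remote[1] if len(remote) > 1 else "1194"  # OpenVPN's default port
    if s.get("port", ["1194"])[0] != remote_port:
        problems.append("client remote port differs from server port")
    # The tls-auth key direction must be complementary: 0 on the server, 1 on the client.
    if ("tls-auth" in s) != ("tls-auth" in c):
        problems.append("tls-auth configured on only one side")
    elif "tls-auth" in s:
        dirs = (s["tls-auth"][1:2], c["tls-auth"][1:2])
        if dirs != (["0"], ["1"]):
            problems.append(f"tls-auth key-direction should be 0/1, got {dirs}")
    return problems


# Constructed samples with the same structure as the post's files and made-up addresses.
SERVER_CONF = """
port 1194
proto udp
dev tap0
tls-auth ./keys/ta.key 0 #0 for the server, 1 for the client
server-bridge 192.168.0.201 255.255.255.0 192.168.0.210 192.168.0.240
client-config-dir ./static-clients
cipher AES-256-CBC
"""
CLIENT_OVPN = """
client
remote my.dyn.dns 1194
proto udp
dev tap0
tls-auth ./ta.key 1 #1 for the client, 0 for the server
cipher AES-256-CBC
ns-cert-type server
"""

if __name__ == "__main__":
    plan = check_address_plan("192.168.0.0/24", ("192.168.0.2", "192.168.0.200"),
                              "192.168.0.201", ("192.168.0.210", "192.168.0.240"),
                              {"my-vps": "192.168.0.250"})
    print("address plan:", plan or "ok")
    print("server/client pairing:", check_pairing(SERVER_CONF, CLIENT_OVPN) or "ok")
```

Run it with your own subnet, the router's DHCP scope, the server-bridge fields and the addresses from your client-config-dir files; an empty list from each function means the plan has no overlapping allocators and the two configs will negotiate with each other. The parser is deliberately minimal (one option per line, `#` and `;` comments stripped) and is enough for files shaped like the ones in the post.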



Re: Sample Config for OpenVPN (TAP) on Arch

Post by Traffic » Sun Nov 08, 2015 11:38 am

Good HowTo .. thanks 8-)

One comment:
I found that when using a bridge it is sometimes better to specify the default gateway not the bridge IP.

check0104 wrote: server.conf

This affects broadcasts on some systems.

You may also want to use --explicit-exit-notify


Re: Sample Config for OpenVPN (TAP) on Arch

Post by check0104 » Mon Nov 09, 2015 12:21 pm

Thanks for the advice. The server-bridge option will probably avoid some unnecessary routing. I will add this to my configuration.
Also I was not aware of the --explicit-exit-notify option. Sounds like a best practice thing. I will add it as well. 8-)


Re: Sample Config for OpenVPN (TAP) on Arch

Post by check0104 » Mon Nov 09, 2015 12:30 pm

I realized that this post is quite off-topic in "Access Server". Could a moderator maybe move this post to the "Tutorials" section? Thanks a lot in advance!


Re: Sample Config for OpenVPN (TAP) on Arch

Post by Yanialbad » Wed Feb 06, 2019 7:50 am

Very good tutorial...thanks guys


Re: Sample Config for OpenVPN (TAP) on Arch

Post by calimeROID » Thu Feb 28, 2019 1:40 pm

To enable packet forwarding at boot, create the file /etc/sysctl.d/99-bridge.conf with the line:

Code: /etc/sysctl.d/99-bridge.conf (the line is missing from the post as extracted; it is the same setting run by hand above)

net.ipv4.ip_forward = 1

the systemd-sysctl.service will read it at boot.