Being a recent owner of a Raspberry Pi 2 (Arch Linux), I decided to set up OpenVPN to extend my home network.
Specifically, I wanted to add a Samba share from my VPS, and I also wanted to be able to tunnel into the network when I am abroad using an Android device or a laptop.
Most guides I found describe the setup for TUN connections. However, in order to extend my home network to "foreign" devices, a TAP connection seemed more natural to me.
Now everything is running smoothly, and I have decided to post my configuration in case anyone else wants to do the same.
Most of the information came from two excellent tutorials: the OpenVPN-Howto and the Arch Wiki.
Disclaimer: I am quite new to Linux; if you see something I can improve, please comment.
Basic Setup
- Home-Network is 192.168.178.0/24
- Standard Gateway: Router connected to WAN, 192.168.178.1
- VPN server using TAP on the R-Pi (Arch Linux), 192.168.178.201
Set up a port forwarding on the router. I mapped the OpenVPN standard UDP port 1194 to the R-Pi's port 1194.
Remove an IP range from the range the router uses to allocate DHCP addresses. I decided to use 192.168.178.201-254 for the R-Pi and the VPN; the DHCP range of the router hence became 192.168.178.2-200.
Also set up Dyn-DNS for the router. If you are the lucky owner of a Fritz-Box, this step is void, as it comes with Dyn-DNS already preconfigured.
Configuring the VPN-Server
Now begins the fun part.
I used netctl to manage the interfaces. Place the following three files in /etc/netctl/ and enable each of them with sudo netctl enable filename.
Do not assign an IP address to the Ethernet adapter: this will cause errors when it is added to the bridge.
Be sure to enable packet forwarding. Unfortunately I have not found a way to do this automatically on boot; I have to run the following command manually after each reboot: sudo sysctl net.ipv4.ip_forward=1. If anyone knows how to do that automatically, please tell me.
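As an added example (my own, not part of Tobias's post): on Arch, systemd-sysctl.service applies every /etc/sysctl.d/*.conf at boot, so a one-line drop-in makes the setting survive reboots. The drop-in name 30-openvpn-forward.conf is my choice, and both the directory and the /proc path are parameters so the functions can be exercised without root. A caveat worth knowing: a Linux bridge switches frames between tap0 and eth0 at layer 2 without this flag; IPv4 forwarding only matters if the Pi itself routes between subnets.

```shell
#!/bin/sh
# Added example: make net.ipv4.ip_forward=1 persistent with a sysctl.d drop-in.
# systemd-sysctl.service reads /etc/sysctl.d/*.conf at boot on Arch, so the
# manual 'sudo sysctl net.ipv4.ip_forward=1' after every reboot is no longer needed.
# The drop-in name 30-openvpn-forward.conf is our own choice (assumption).

DROPIN_NAME=30-openvpn-forward.conf

# write_forward_dropin DIR  -- create DIR/30-openvpn-forward.conf (DIR is normally /etc/sysctl.d)
write_forward_dropin() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/$DROPIN_NAME" <<'EOF'
# Enable IPv4 forwarding on the OpenVPN host (applied by systemd-sysctl at boot)
net.ipv4.ip_forward = 1
EOF
}

# forwarding_enabled [PROCFILE] -- exit 0 if the kernel currently forwards IPv4;
# PROCFILE defaults to the real /proc entry and can be overridden for testing
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# apply_now DIR -- load the drop-in immediately, without a reboot (needs root)
apply_now() {
    sysctl -p "$1/$DROPIN_NAME"
}

# Install for real only when explicitly asked, e.g.:  sudo INSTALL=1 sh forward.sh
if [ "${INSTALL:-0}" = 1 ]; then
    write_forward_dropin /etc/sysctl.d
    apply_now /etc/sysctl.d
    forwarding_enabled && echo "IPv4 forwarding is on and will persist across reboots"
fi
```

Run it once as root with INSTALL=1; after that, sysctl net.ipv4.ip_forward prints 1 after every boot without any manual step.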
bridge.conf
Description="Bridge for OpenVPN"
Interface=br0
Connection=bridge
BindsToInterfaces=(eth0 tap0)
IP=static
Address=('192.168.178.201/24')
Gateway='192.168.178.1'
DNS=('192.168.178.1')
Profile for eth0
Description='Ethernet'
Interface=eth0
Connection=ethernet
IP=no
Profile for tap0
Description='TAP adapter for OpenVPN'
Interface=tap0
Connection=tuntap
Mode='tap'
User='nobody'
Group='nobody'
I also have a VPS with some Samba shares. This machine is supposed to get the same IP every time it connects. I solved this by using the client-config-dir option and adding a file my-vps.conf. Don't forget to adjust the IP range allocated in the server-bridge option of server.conf below so that it does not include this static address. Place the server.conf file in your OpenVPN directory (usually /etc/openvpn) and enable the server with sudo systemctl enable openvpn@server.service.
my-vps.conf
ifconfig-push 192.168.178.202 255.255.255.0
server.conf
port 1194
proto udp
dev tap0
ca ./keys/ca.crt
cert ./keys/rpie.crt
key ./keys/rpie.key
dh ./keys/dh2048.pem
tls-auth ./keys/ta.key 0 #0 for the server, 1 for the client
client-config-dir ./static-clients #this is the directory of my-vps.conf
server-bridge 192.168.178.201 255.255.255.0 192.168.178.203 192.168.178.254
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
Again, see the OpenVPN-Howto on how to set up the public and private keys. For Android, a great client which supports OpenVPN and TAP is the OpenVPN Client. It is not free, but absolutely worth every penny.
For Windows I use the official client. My final client.ovpn (use this extension for Android or Windows) looks like this.
client1.ovpn
remote my.dyn.dns 1194
client
proto udp
dev tap0
ca ./ca.crt
cert ./client1.crt
key ./client1.key
tls-auth ./ta.key 1 #1 for the client, 0 for the server
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
resolv-retry infinite
verb 3
ns-cert-type server
#redirect-gateway def1 #uncomment to route all traffic through the vpn
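As an added example (mine, not from Tobias's post or the OpenVPN project), a small POSIX shell checker for the two things on this page that silently break or weaken the setup when they drift apart: the options that must agree between server.conf and client1.ovpn (proto, dev, cipher, port, comp-lzo on both sides or neither, tls-auth key direction 0 on the server and 1 on the client, and a client-side check that the peer presents a server certificate), and the address plan from the Basic Setup section (router DHCP .2-.200, R-Pi .201, static VPS .202, bridge pool .203-.254 must not overlap). The embedded configs are abridged copies of the ones posted above, reduced to the options the checker reads; the plan values are taken from the post. The checker accepts either ns-cert-type server (as used above) or remote-cert-tls server, which replaced it when ns-cert-type was deprecated in OpenVPN 2.4.

```shell
#!/bin/sh
# Added example: cross-check server.conf and client1.ovpn for settings that
# must agree, and check the /24 address plan for overlaps. Both configs are
# constructed, abridged copies of the files shown in the post.

SERVER_CONF='port 1194
proto udp
dev tap0
tls-auth ./keys/ta.key 0
server-bridge 192.168.178.201 255.255.255.0 192.168.178.203 192.168.178.254
cipher AES-256-CBC
comp-lzo'

CLIENT_CONF='remote my.dyn.dns 1194
client
proto udp
dev tap0
tls-auth ./ta.key 1
cipher AES-256-CBC
comp-lzo
ns-cert-type server'

STATIC_PUSH=192.168.178.202   # from my-vps.conf (ifconfig-push)
ROUTER_DHCP_END=200           # last octet of the router's DHCP range (.2-.200)

# opt CONFIG NAME -> arguments of the first matching option, comments stripped
opt() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        awk -v o="$2" '$1 == o { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# has CONFIG NAME -> exit 0 if the option is present at all
has() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        awk -v o="$2" '$1 == o { found = 1 } END { exit !found }'
}

# field STRING N -> Nth whitespace-separated word of STRING
field() { printf '%s\n' "$1" | awk -v n="$2" '{ print $n }'; }

# last_octet A.B.C.D -> D (the whole plan lives in one /24, so octets suffice)
last_octet() { printf '%s\n' "${1##*.}"; }

# check_configs SERVER CLIENT -> prints one line per problem, exit 1 if any
check_configs() {
    s=$1; c=$2; rc=0
    for o in proto dev cipher; do
        if [ "$(opt "$s" "$o")" != "$(opt "$c" "$o")" ]; then
            echo "mismatch: $o (server '$(opt "$s" "$o")', client '$(opt "$c" "$o")')"; rc=1
        fi
    done
    if [ "$(field "$(opt "$c" remote)" 2)" != "$(opt "$s" port)" ]; then
        echo "mismatch: client remote port vs server port"; rc=1
    fi
    # comp-lzo has to be enabled on both sides or on neither
    sl=0; cl=0
    has "$s" comp-lzo && sl=1
    has "$c" comp-lzo && cl=1
    if [ "$sl" != "$cl" ]; then echo "mismatch: comp-lzo on one side only"; rc=1; fi
    # tls-auth key direction: 0 on the server, 1 on the client
    sdir=$(field "$(opt "$s" tls-auth)" 2)
    cdir=$(field "$(opt "$c" tls-auth)" 2)
    if [ "$sdir" != 0 ] || [ "$cdir" != 1 ]; then
        echo "tls-auth direction: server '$sdir', client '$cdir' (expected 0 and 1)"; rc=1
    fi
    # the client must verify that the peer certificate is a server certificate
    if ! has "$c" remote-cert-tls && ! has "$c" ns-cert-type; then
        echo "client does not check the server certificate role"; rc=1
    fi
    # address plan: static push and router DHCP range must stay outside the bridge pool
    sb=$(opt "$s" server-bridge)
    pstart=$(last_octet "$(field "$sb" 3)")
    pend=$(last_octet "$(field "$sb" 4)")
    so=$(last_octet "$STATIC_PUSH")
    if [ "$so" -ge "$pstart" ] && [ "$so" -le "$pend" ]; then
        echo "static address $STATIC_PUSH lies inside the server-bridge pool"; rc=1
    fi
    if [ "$ROUTER_DHCP_END" -ge "$pstart" ]; then
        echo "router DHCP range overlaps the server-bridge pool"; rc=1
    fi
    return "$rc"
}

check_configs "$SERVER_CONF" "$CLIENT_CONF" && echo "server.conf and client1.ovpn agree"
```

To check real files, replace the two embedded strings with "$(cat /etc/openvpn/server.conf)" and "$(cat client1.ovpn)"; a non-zero exit status with the printed reasons is the signal to fix the config before handing the .ovpn to a phone or laptop.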
I hope this guide saves some time for some people.
Best regards,
Tobias