VPN for Games

Posted: Sun Apr 14, 2013 5:09 am
by whoknows1991
Hey,
maybe someone can help me with my project ;)

I want to set up an OpenVPN-Server for playing some games with LAN-play.

I know there are alternatives like Hamachi, Tunngle, Garena and so on, but it should be possible with OpenVPN too or not?

As far as I have read, I'll have to use TAP for this, because games need broadcast-messages, which are only transferred in layer-2.
So I'll have to focus on the bridged-solution.

The next thing and my first question would be, if the games use UDP and TCP traffic, do the clients have to establish more than one connection?
Because I read this line in the HOWTO-section (http://openvpn.net/index.php/open-sourc ... ml#vpntype), I found out that I have to run two OpenVPN instances:

> If you want OpenVPN to listen on both a UDP and TCP port, you must run two separate OpenVPN instances

1. So I think they handle the authentication and so on separately or am I wrong?
If so, the clients would need more adapters, which the games would not be able to handle?

The next thing, would be the IP-ranges.
2. Which ones would you recommend for that?

Usually my friends use 192.168.178.0/24 for their LAN, so do I.

Is it possible to create a new LAN with layer-2, which is not directly accessible (only via VPN) for me?
If it helps, I can set static routes in my router (192.168.178.1)
I don't know exactly what they do.

3. If it is possible, what kind of settings do I have to make for eth0, br0 and tap0 and the server.conf (especially the server-bridged- ... and push- part)?

4. If everything would be configured fine. Do I have to still use a tool like http://www.hanksoft.de/service/46-udpbroadcastforwarder which copies the UDP-broadcasts to the client-tap-adapter? Or is it game-specific?

5. Do I have to change the priority of the network adapters in Windows (client)?

I think 4. and 5. influence each other.

The server would run on Debian 6.0.7 i386 for the beginning in a (bridged) vm provided by virtualbox.

The clients would mostly use Windows 7 x64.

As for now I was able to create an OpenVPN setup with routing (non-bridged) config and an OpenVPN setup with bridged config.
But the bridged one ran in a 192.168.179.0/16 network. So the clients got a warning, because the subnets (friends' LAN and VPN) would conflict.
Maybe there was a configuration mistake by me though. :roll:
But we were able to access smb-fileshares and other services like http of each other.
Sadly we were not able to play games with it or browse the internet (probably a DNS error, because IPs (Google) could be browsed... Or it was cached, if I think about it now... hmmm)

Maybe this problem was discussed more often than I think in this forum, but I can't search for it because searching for "game" or "games" or "game bridged" are too common words it says. If so a link would be nice, too ;)

Anyway I would be very thankful for any help or suggestions.

Re: VPN for Games

Posted: Mon Apr 15, 2013 10:43 am
by janjust
before thinking about setting up a VPN for games, think about things like bandwidth and latency: with an OpenVPN VPN all traffic from all clients will flow via the VPN server (Hamachi does this differently). If the server either has a small up- or download bandwidth then this will choke your games as the number of clients increases.

some answers to your questions:
> 1. So I think they handle the authentication and so on separately or am I wrong?

this has nothing to do with the authN; the way openvpn is currently designed is that it can listen on a single port only (TCP or UDP); thus if you need both ports, you need two instances.

> The next thing, would be the IP-ranges.
> 2. Which ones would you recommend for that?

Pick anything that is not commonly used, e.g. 172.28.111.0/24; that way you'll have the least chance of an IP subnet conflict.

> Is it possible to create a new LAN with layer-2, which is not directly accessible (only via VPN) for me?

yes this is possible, with or without bridging; this is exactly what a VPN is supposed to do.

> 4. If everything would be configured fine. Do I have to still use a tool like http://www.hanksoft.de/service/46-udpbroadcastforwarder which copies the UDP-broadcasts to the client-tap-adapter? Or is it game-specific?

if you're using bridging then a udp broadcast forwarder should not be required. could be game specific, though

> 5. Do I have to change the priority of the network adapters in Windows (client)?

could be game specific, but IMHO this should not be required.

Re: VPN for Games

Posted: Mon Apr 15, 2013 12:42 pm
by whoknows1991
Hey,
thanks so far ;)
Bandwidth and latency should be no problem.
I've got a 50mbit connection :D

> this has nothing to do with the authN; the way openvpn is currently designed is that it can listen on a single port only (TCP or UDP); thus if you need both ports, you need two instances.

Ok then I've to start two server instances with different ports. But how is it handled at the clientside?
One instance, which could be configured like this:

Code:

client

dev tap

proto tcp
proto udp

remote myvpn.server.dyndns.ws 1194
remote myvpn.server.dyndns.ws 1195

resolv-retry infinite

nobind

persist-key
persist-tun

ca ca.crt
cert clientname.crt
key clientname.key

ns-cert-type server

comp-lzo

verb 3

Or does the clientside need two instances as well, which use the same adapter?
Or does the clientside need two instances as well, which use different adapters?

> yes this is possible, with or without bridging; this is exactly what a VPN is supposed to do.

Are non-bridged networks layer-2 or layer-3? Or is it unnecessary if it's bridged or not? So the thing that matters is, if you use TUN or TAP?

Because I found a tutorial on http://judebert.com/progress/permalink/GameVPN.html which says:

> About Bridging
>
> Since we're talking about a gaming VPN, we need to support more than TCP/IP. Stuff like IPX and UDP are common for multiplayer games. That means we can't use standard "tunnel" mode. We need "bridging" mode. Everything from the internal LAN and the connected machines will get copied across the Internet. Including your Windows shares, your network printers... everything. That's why we want encryption. Yes, you CAN turn off encryption to squeeze a bit of extra performance out, but then everything on your network is easily deciphered by outsiders. Don't do it!
>
> That said, bridging will solve all our gaming problems. And it's easy to set up: just use "dev tap0" in your configuration file, as we'll see below.

At last, let's say I would create two instances of OpenVPN with TCP and UDP.
It would be bridged. Then the OpenVPN-Server would run for example on 172.28.111.1 / 255.255.255.0 and distribute IPs of the same subnet.
My normal LAN would continue running on 192.168.178.0/24.
How do I reach the server?
1. with a static route in the internet-router?
2. with another subnetmask for the internet-router, but not for the normal LAN-clients?
3. with another network card on the OpenVPN-server, so it would be in both networks?

Because the server can only bridge in networks, which are in the same subnet of itself, or am I wrong?

Maybe I'm a bit confused about this stuff right now. :D
But I'll go on and test a bit later and post my results I've got so far.

Re: VPN for Games

Posted: Mon Apr 15, 2013 4:24 pm
by whoknows1991
Ok I read a little bit in the FAQ...

> Are non-bridged networks layer-2 or layer-3? Or is it unnecessary if it's bridged or not? So the thing that matters is, if you use TUN or TAP?

I'll definitely have to use tap with bridged configuration, because routing does not transport broadcast packages and so on.

Next... I want a vpn-network, which is not directly accessible from my normal LAN 192.168.178.0/24 (which should continue running)... Like you said I could use 172.28.111.0/24

But to do so, the VPN-Server needs an IP from 172.28.111.0/24...
So now it's not accessible at all. Because no one except the server itself can access it...
Now I have to reach the OpenVPN-Server somehow.
The only thing I know I could use is a second NIC in the server.

I created one with an IP-address in the normal LAN. (192.168.178.22)

So now I can connect to the OpenVPN with myvpn.server.dyndns.ws 1194...
1194 is forwarded by my internet-router (192.168.178.1) to 192.168.178.22...

I get an IP-address from the 172.28.111.0/24 network...
But now I am not able to browse any website whose IP-address is not in cache...
Browsing an IP-address works.

btw: a ping on 192.168.178.1 doesn't work anymore, though.

Here are some config files I've created so far:

bridge-start:

Code:

#!/bin/bash

br="br0"

tap="tap0"

eth="eth1"
eth_ip="172.28.111.1"
eth_netmask="255.255.255.0"
eth_broadcast="172.28.111.255"
eth_defaultgw="192.168.178.1"

route del default

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw $eth_defaultgw

bridge-stop:

Code:

#!/bin/bash

br="br0"

tap="tap0"

ifconfig $br down
brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
done

server.conf:

Code:

proto udp

dev tap0

ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/server.crt
key ./easy-rsa2/keys/server.key  # This file should be kept secret

dh ./easy-rsa2/keys/dh1024.pem

server-bridge 172.28.111.1 255.255.255.0 172.28.111.128 172.28.111.254

ifconfig-pool-persist ipp.txt

push "route 192.168.178.0 255.255.255.0"

keepalive 10 120

comp-lzo

user openvpn
group openvpn

persist-key
persist-tun

status openvpn-status.log

log         openvpn.log

verb 6

client.ovpn:

Code:

client

dev tap

proto udp

remote myvpn.server.dyndns.ws 1194

resolv-retry infinite

nobind

persist-key
persist-tun

ca ca.crt
cert clientname.crt
key clientname.key

ns-cert-type server

comp-lzo

verb 3

I think I've to configure something else in the bridge-start script, because I don't think the gateway configuration is senseless... But this is what I tried at last... As I said, I'm very confused at the moment xD

As you see I also changed the bridge-start script a little bit, because the normal one doesn't work for me.
I got a TLS-handshake timeout with the normal script.

So I added the following lines:
eth_defaultgw="192.168.178.1"
route del default
And at the end:
route add default gw $eth_defaultgw

Re: VPN for Games

Posted: Tue Apr 16, 2013 1:04 pm
by janjust
bridging is tricky - the IP range of the bridge should be in the same range as your local network (the bridge is between the local network and the 'tap' adapter, after all).

First try to get things running using 'dev tap' - broadcasts will work within the VPN itself (esp if you add 'client-to-client').

As for your 50 Mbps connection - is that both up and down? in a bridged setup you can easily saturate both.
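
The range advice in this thread (a bridge in the same range as the LAN it bridges, and no overlap with the clients' own 192.168.178.0/24 networks) can be checked before the server is started. The following is an added example, not code from either poster or from the OpenVPN project; the function names are hypothetical and the sample config is constructed from the two relevant directives of the server.conf posted above.

```python
import ipaddress
import re

# Constructed sample: the two relevant directives from the server.conf in this thread.
SAMPLE_CONF = '''
server-bridge 172.28.111.1 255.255.255.0 172.28.111.128 172.28.111.254
push "route 192.168.178.0 255.255.255.0"
'''

def parse_conf(conf_text):
    """Return (bridge_net, pool_start, pool_end, pushed_routes) from server.conf text."""
    bridge, routes = None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = re.fullmatch(r"server-bridge\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", line)
        if m:
            gw, mask, start, end = m.groups()
            bridge = (ipaddress.ip_network(f"{gw}/{mask}", strict=False),
                      ipaddress.ip_address(start), ipaddress.ip_address(end))
        m = re.fullmatch(r'push\s+"route\s+(\S+)\s+(\S+)"', line)
        if m:
            routes.append(ipaddress.ip_network("/".join(m.groups()), strict=False))
    if bridge is None:
        raise ValueError("no server-bridge line with gateway, netmask and pool")
    return bridge + (routes,)

def find_conflicts(conf_text, bridged_lan, client_lans):
    """Return a list of problems (hypothetical helper); an empty list means none found."""
    net, start, end, routes = parse_conf(conf_text)
    problems = []
    # The bridge joins tap0 to a NIC, so its range must be that NIC's LAN.
    if net != ipaddress.ip_network(bridged_lan):
        problems.append(f"bridge subnet {net} differs from bridged LAN {bridged_lan}")
    if not (start in net and end in net and start <= end):
        problems.append(f"pool {start}-{end} is not inside {net}")
    # A client whose home LAN overlaps the VPN subnet or a pushed route gets
    # ambiguous routing, which is the subnet-conflict warning mentioned above.
    targets = [("VPN subnet", net)] + [("pushed route", r) for r in routes]
    for lan in map(ipaddress.ip_network, client_lans):
        for label, other in targets:
            if lan.overlaps(other):
                problems.append(f"client LAN {lan} overlaps {label} {other}")
    return problems

if __name__ == "__main__":
    for p in find_conflicts(SAMPLE_CONF, "172.28.111.0/24", ["192.168.178.0/24"]):
        print("WARNING:", p)
```

Here `bridged_lan` is the subnet of the NIC that is added to br0, and `client_lans` are the home networks of the connecting players.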

Re: VPN for Games

Posted: Wed Apr 17, 2013 5:41 am
by whoknows1991
Ok thanks...
I'll try to do it with the same range as my local network first.
Upload seems to be at 1 MB/s

Download is at 5 MB/s

When everything is running fine, I want to create a VPN-Server on my V-Server, whose connection is even better.

You said it can easily be saturated?

What traffic is going to go through the VPN?
Everything? Including HTTP/FTP(Downloads?) and so on?

If so, I've got to do something about it... But it would only be turned on if we want to play and I would tell my friends to turn e.g. downloads off.

I am currently not at home. Here my connection is much worse.
But I think it's enough for testing with 1-2 clients.
Also my range is a different one here.
(192.168.1.0/24)...
Should be unreachable for the 192.168.178.0/24, which my friends are usually using.

I'll test a little bit this evening or tomorrow afternoon. ;)

Re: VPN for Games

Posted: Wed Apr 17, 2013 8:25 am
by janjust
no it's not required to send all traffic via the VPN, but some games send a lot of broadcast traffic and/or many small packets - all of this traffic is sent by the client to the VPN server, which then retransmits it to all other clients (that's how bridging works, more or less). This can easily saturate a 5/1 MB/s line, if the number of clients increases (and depending on the game).

Re: VPN for Games

Posted: Sat Apr 20, 2013 11:45 pm
by whoknows1991
Hey...
I had no free time in the last few days...
I'll post my progress later...
I think in the next few days.