Sample Config for OpenVPN (TAP) on Arch


check0104
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 07, 2015 11:58 am

Sample Config for OpenVPN (TAP) on Arch

Post by check0104 » Sat Nov 07, 2015 2:29 pm

Hi there,

being a recent owner of a Raspberry Pi 2 (Arch-Linux), I have decided to set up OpenVPN to extend my home network.
Specifically, I wanted to add a samba share from my VPS and I also wanted to be able to tunnel into the network when I am abroad using an Android device or a laptop.
Most guides I found are describing the setup for TUN connections. However, in order to extend my home network to "foreign" devices a TAP connection seemed more natural to me.
Now everything is running smoothly and I have decided to post my configuration in case anyone else wants to do the same.
Most of the information came from the two excellent tutorials OpenVPN-Howto and Arch Wiki.

Disclaimer: I am quite new to Linux; if you should see something I can improve, please comment.

Basic Setup
  • Home-Network is 192.168.178.0/24
  • Standard Gateway: Router connected to WAN, 192.168.178.1
  • VPN Server using TAP on R-Pie (Arch-Linux), 192.168.178.201
Configuring the router
Set up a port forwarding. I mapped the OpenVPN standard UDP-Port 1192 to the R-Pi's 1192.
Remove an IP range from the range the router uses to allocate DHCP addresses. I decided to use 192.168.178.201-254 for the RPie and the VPN. The DHCP range of the router hence was 192.168.2-200.
Also, set up Dyn-DNS for the router. If you are the lucky owner of a Fritz-Box, this step is void as it comes with Dyn-DNS already preconfigured.

Configuring the VPN-Server
Now begins the fun part.
I used netctl to manage the interfaces. Place the following three files in /etc/netctl/ and enable them with sudo netctl enable filename
Do not assign an IP address for the ethernet adapter: this will cause errors when it is added to the bridge.
Be sure to enable packet-forwarding. Unfortunately I have not found a way to do this automatically on boot. I have to run the following command after each reboot manually: sudo sysctl net.ipv4.ip_forward=1. If anyone knows how to do that automatically, please tell me.

bridge.conf

Description="Bridge for OpenVPN"
Interface=br0
Connection=bridge
BindsToInterfaces=(eth0 tap0)
IP=static
Address=('192.168.178.201/24')
Gateway='192.168.178.1'
DNS=('192.168.178.1')

ethernet.conf

Description='Ethernet'
Interface=eth0
Connection=ethernet
IP=no

tap.conf

Description='TAP adapter for OpenVPN'
Interface=tap0
Connection=tuntap
Mode='tap'
User='nobody'
Group='nobody'

Now set up a working PKI for OpenVPN (see OpenVPN-Howto). I decided to use a 2048-bit Diffie-Hellman key as 1024-bit might have been cracked for some primes. Being paranoid about DDoS attacks at my home (yeah...sure), I also generated a key to add an extra step of security to the first connection attempt: openvpn --genkey --secret ta.key
Also I have a VPS with some samba shares. This is supposed to have the same IP every time it connects. I solved this by using the client-config-dir option and added a file my-vps.conf. Don't forget to adjust the IP range allocated in the server-bridge option of server.conf below. Place the server.conf file in your openvpn directory (usually /etc/openvpn) and enable the server by sudo systemctl enable openvpn@server.service.

my-vps.conf

ifconfig-push 192.168.178.202 255.255.255.0

server.conf

port 1194

proto udp
dev tap0

ca ./keys/ca.crt
cert ./keys/rpie.crt
key ./keys/rpie.key
dh ./keys/dh2048.pem
tls-auth ./keys/ta.key 0 #0 for the server, 1 for the client

client-config-dir ./static-clients #this is the directory of my-vps.conf
server-bridge 192.168.178.201 255.255.255.0 192.168.178.203 192.168.178.254

keepalive 10 120

cipher AES-256-CBC

comp-lzo

user nobody
group nobody

Configuring the VPN-Client
Again see OpenVPN-Howto on how to set up the public and private keys. For Android, a great client which supports OpenVPN and TAP is the OpenVPN Client. It is not free, but absolutely worth every penny.
For Windows I use the official client. My final client.ovpn (use this extension for Android or Windows) looks like this.

client1.ovpn

remote my.dyn.dns 1194
client
proto udp
dev tap0
ca ./ca.crt
cert ./client1.crt
key ./client1.key
tls-auth ./ta.key 1 #1 for the client, 0 for the server
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
resolv-retry infinite
verb 3
ns-cert-type server

#redirect-gateway def1 #uncomment to route all traffic through the vpn

For me this configuration works. If you should have any remarks, please comment.
I hope this guide saves some time for some people.

Best regards,

Tobias
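
An added example (not part of the original post, and not OpenVPN or netctl code): a small shell script that lints the address plan of a bridged setup like the one above before the server is started. It checks that the server-bridge pool stays clear of the router's DHCP range and of the bridge address, that every statically pinned client (ifconfig-push) sits outside both ranges, and that tls-auth uses key direction 0 on the server and 1 on the client. The embedded server and client snippets are constructed excerpts of the configs posted above; the DHCP range 192.168.178.2-200 and the static client 192.168.178.202 are taken from the post and passed in as arguments, so other values can be substituted.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity checks for the address
# plan and tls-auth key directions of a bridged OpenVPN server.
set -eu

# Constructed excerpts of the posted server.conf and client1.ovpn.
SERVER_CONF='port 1194
proto udp
dev tap0
tls-auth ./keys/ta.key 0 # 0 for the server
server-bridge 192.168.178.201 255.255.255.0 192.168.178.203 192.168.178.254'

CLIENT_CONF='client
proto udp
dev tap0
tls-auth ./ta.key 1 # 1 for the client'

# Dotted-quad IPv4 address -> integer, so ranges can be compared numerically.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the arguments of OPTION found in CONFIG, with '#'/';' comments removed.
opt_args() {   # opt_args "<config text>" OPTION
    printf '%s\n' "$1" | sed 's/[#;].*//' |
        awk -v o="$2" '$1 == o { $1 = ""; print substr($0, 2) }'
}

# 0 when the inclusive ranges [A1,A2] and [B1,B2] share at least one address.
ranges_overlap() {   # ranges_overlap A1 A2 B1 B2
    [ "$(ip2int "$1")" -le "$(ip2int "$4")" ] && [ "$(ip2int "$3")" -le "$(ip2int "$2")" ]
}

# 0 when ADDR lies inside [START,END] inclusive.
in_range() {   # in_range ADDR START END
    local a; a=$(ip2int "$1")
    [ "$a" -ge "$(ip2int "$2")" ] && [ "$a" -le "$(ip2int "$3")" ]
}

# Check the server-bridge pool against the router's DHCP range and against the
# addresses pinned with ifconfig-push. Prints each problem; exit 0 when clean.
check_address_plan() {   # check_address_plan SERVER_CONF DHCP_START DHCP_END [STATIC_IP...]
    local conf=$1 dhcp_start=$2 dhcp_end=$3
    shift 3
    local bridge; bridge=$(opt_args "$conf" server-bridge)
    local gw=${bridge%% *}
    local pool_start pool_end
    pool_start=$(echo "$bridge" | awk '{print $3}')
    pool_end=$(echo "$bridge" | awk '{print $4}')
    [ -n "$pool_end" ] || { echo "no usable server-bridge line found"; return 1; }
    local problems=0
    if ranges_overlap "$pool_start" "$pool_end" "$dhcp_start" "$dhcp_end"; then
        echo "pool $pool_start-$pool_end overlaps router DHCP $dhcp_start-$dhcp_end"; problems=1
    fi
    if in_range "$gw" "$pool_start" "$pool_end"; then
        echo "bridge address $gw sits inside the pool"; problems=1
    fi
    for ip in "$@"; do
        if in_range "$ip" "$pool_start" "$pool_end"; then
            echo "static client $ip collides with the dynamic pool"; problems=1
        fi
        if in_range "$ip" "$dhcp_start" "$dhcp_end"; then
            echo "static client $ip collides with the router DHCP range"; problems=1
        fi
    done
    return $problems
}

# tls-auth key direction must be 0 on the server and 1 on the client.
check_tls_auth_direction() {   # check_tls_auth_direction SERVER_CONF CLIENT_CONF
    local s c
    s=$(opt_args "$1" tls-auth | awk '{print $2}')
    c=$(opt_args "$2" tls-auth | awk '{print $2}')
    [ "$s" = 0 ] && [ "$c" = 1 ]
}

# Run with the thread's numbers: DHCP 192.168.178.2-200, VPS pinned to .202.
if check_address_plan "$SERVER_CONF" 192.168.178.2 192.168.178.200 192.168.178.202 &&
   check_tls_auth_direction "$SERVER_CONF" "$CLIENT_CONF"; then
    echo "address plan and tls-auth directions look consistent"
else
    echo "fix the problems above before starting the server"
fi
```

Running the script as-is prints that the posted plan is consistent; moving the static client into the pool (for example 192.168.178.210) or widening the router's DHCP range past .203 makes it report the collision, which is exactly the mistake the post warns about when the server-bridge range is not adjusted to match the router.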

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Sample Config for OpenVPN (TAP) on Arch

Post by Traffic » Sun Nov 08, 2015 11:38 am

Good HowTo .. thanks 8-)

One comment:
I found that when using a bridge it is sometimes better to specify the default gateway not the bridge IP.

EG:
check0104 wrote:
> server.conf
> server-bridge 192.168.178.201 255.255.255.0 192.168.178.203 192.168.178.254

server-bridge 192.168.178.1 255.255.255.0 192.168.178.203 192.168.178.254

This affects broadcasts on some systems.

You may also want to use --explicit-exit-notify

check0104
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 07, 2015 11:58 am

Re: Sample Config for OpenVPN (TAP) on Arch

Post by check0104 » Mon Nov 09, 2015 12:21 pm

Thanks for the advice. The server-bridge option will probably avoid some unnecessary routing. I will add this to my configuration.
Also I was not aware of the --explicit-exit-notify option. Sounds like a best practice thing. I will add it as well. 8-)

check0104
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 07, 2015 11:58 am

Re: Sample Config for OpenVPN (TAP) on Arch

Post by check0104 » Mon Nov 09, 2015 12:30 pm

I realized that this post is quite off-topic in "Access Server". Could a moderator maybe move this post to the "Tutorials" section? Thanks a lot in advance!

Yanialbad
OpenVpn Newbie
Posts: 1
Joined: Wed Feb 06, 2019 7:45 am

Re: Sample Config for OpenVPN (TAP) on Arch

Post by Yanialbad » Wed Feb 06, 2019 7:50 am

Very good tutorial...thanks guys

calimeROID
OpenVpn Newbie
Posts: 1
Joined: Thu Feb 28, 2019 1:36 pm

Re: Sample Config for OpenVPN (TAP) on Arch

Post by calimeROID » Thu Feb 28, 2019 1:40 pm

To enable packet forwarding at boot, create the file /etc/sysctl.d/99-bridge.conf with the line:
net.ipv4.ip_forward=1

The systemd-sysctl.service will read it at boot.
