Internet & LAN Over VPN Using OpenVPN – Linux Server – Windows/Linux Clients – Works For Gaming & Through Firewalls
The aim of this tutorial is to enable you to set up a little VPN that will let you do many things – but my primary goal when trying to get this to work was to allow me and my friend (who sits behind a firewalled network at University) to play the new games that would not work over Hamachi because they did not ship with LAN and required an always-on internet connection (DRM). His network also uses traffic shaping and blocks UDP packets, making online gaming impossible.
This tutorial is heavily based on the one found here, but I have updated it and added some more information.
You will need
A Linux server or Linux VPS – although this tutorial is specifically aimed at Debian-based distributions, the OpenVPN configurations will be the same across the board – you will just have to tweak a few of the commands and directories. I tested this on OpenVZ but it should work on other virtualisation platforms.
A couple of kernel modules enabled – You will need to be able to use the NAT table functionality of iptables. You will also need the TUN/TAP device enabled. If you are using a VPS you will need to contact your hosting provider to enable these if they are not available – I point out during the tutorial where you will find out if these are not enabled.
A client – You will need at least one client to connect to your VPN. This can be either a Windows or a Linux client, but I will be showing the steps for Windows only; the Linux client configuration is the same, so you should have no trouble.
The Server
Install OpenVPN – we also need openssl later, so we might as well install it here:
apt-get install openvpn openssl
Open /etc/default/openvpn and comment everything out – this means that OpenVPN will automatically start any VPNs for which it finds a configuration. Configurations are stored in /etc/openvpn and have the .conf extension.
Now we need to create some certificates.
cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa
Now we need to edit the variables of the certificates we are about to create.
nano easy-rsa/vars
Now you need to change this line (somewhere near the top) export EASY_RSA="`pwd`" to export EASY_RSA="/etc/openvpn/easy-rsa"
Then you should edit the following to reflect your information:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
I however left all this stuff the same because I didn’t really care about the security of my gaming LAN. If you don’t care either then leave them all as default.
Save and quit.
Now you need to run this command – a dot, then a space, then ./easy-rsa/vars. The leading dot sources the file into your current shell; if you leave out the space it will not work.
. ./easy-rsa/vars
It might say something like "NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys" – this is normal.
Then run this command which will not give you any output.
./easy-rsa/clean-all
Now we run build-ca to get the certificate authority (CA) file. It uses all the variables you just set in the vars file, so just press Enter for all the questions; you should see OpenVPN as the common name.
./easy-rsa/build-ca OpenVPN
Once that is done we will build the server keys. You will be asked a load of questions again, just enter through them all making sure that server is the default value for common name. You will be asked two yes / no questions at the end – put y and hit enter for both.
./easy-rsa/build-key-server server
Now we will build the client keys – repeat this step for however many clients you want to allow on your VPN, one for each client. Just change client1 to client2, client3 etc. and run the command as many times as needed. Same deal as above: just enter through the questions and make sure the common name is the same as the name passed on the command line and nothing else. Say yes to the last two questions.
./easy-rsa/build-key client1
Now let's create Diffie Hellman parameters:
./easy-rsa/build-dh
Now all that is done you should have a new directory called keys located here: /etc/openvpn/easy-rsa/keys
We need to make the server configuration file – you can call this whatever you want because we told OpenVPN to load all configurations it finds.
nano /etc/openvpn/openvpn.conf
And put all of this in there after making the following changes if you want – the default configuration should work straight out of the box though:
- I have set the port to 8080. The default port is 1194. I made this change because some firewalls will not allow connections to various port numbers. You can use anything, but make sure you change it on both the clients and the server.
- I also use tcp for proto. udp is likely to give you better performance, but again, I had to set tcp as udp was blocked by the firewall. You can switch it to udp if you wish but make sure you do it on both the clients and the server.
- You can change the two lines where we set the DNS servers if you wish. These must be accessible servers for name resolution on the VPN. The ones in the configuration file are Google’s public DNS Nameservers so they should be fine unless you have your own that you need to use.
- You might want to disable compression of the data stream to squeeze out that extra performance. I have not experienced any problems, as all of the clients and the server are fairly high powered. Just comment out comp-lzo if you notice a problem – make sure you do this in both the server and the client configurations!
- You might want to change the user and group settings if you want to run the server as a different user or remove them altogether to run as root.
dev tun
proto tcp
port 8080
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
Once you have saved all of that and made any changes we need to tell our server how to handle internet packets from the various clients on the network:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
To ensure that IP forwarding will be enabled after the server is rebooted, you should edit "/etc/sysctl.conf" and uncomment "net.ipv4.ip_forward=1".
The iptables command assumes that the device with internet access is eth0. If you are using an OpenVZ VPS then replace eth0 with venet0. To get a list of all your devices, type ifconfig and change the command as needed. If the right kernel modules are not enabled, this command will fail with something like this:
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module ip_tables not found.
iptables v1.4.10: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
You can verify the rule was written correctly with this command:
sudo iptables -L -t nat
And, if you make a mistake and want to remove all the offending rules from IPTables:
sudo iptables -F -t nat
Now we are done with the server and ready to start it.
/etc/init.d/openvpn start
You should get a success message. If not then check the error log by typing
cat /var/log/openvpn
This is where you might find out that you need the tun/tap tunnelling kernel module enabled. If you get a load of junk about the tun/tap adapter being unavailable or write protected then this is most likely the case. Google any other errors.
The Client
Remember all of those certificates we made? You need to send some of them over to the client. They should really be sent in a secure manner, so I would recommend an SSH file transfer.
You need to transfer the following files:
ca.crt
client1.crt
client1.key
If you have more than one client, they need to get their individual key and crt files, as well as the ca.crt file.
Copy the 3 files you just got from the server to the openvpn/config directory. You then need to create a configuration file in this directory. On Windows this file has the extension .ovpn. I called mine gamevpn.ovpn but it doesn't really matter.
The contents of the file follow; you will need to change this configuration to reflect any changes you made to the server configuration earlier. If you did not change the server configuration then the only things you need to worry about are:
- The remote configuration option needs to be changed to the ip and port of the host server.
- The cert and key files need to match those which you downloaded from the server.
dev tun
client
proto tcp
remote w.x.y.z 8080
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
Save the file.
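The post keeps warning that port, proto and comp-lzo must be changed on both the server and the client. This added shell script (mine, not the post's) reads a server .conf and a client .ovpn and reports any of those settings that disagree; the sample configs it writes are constructed, with w.x.y.z standing in for the server address as in the post.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the server .conf and a
# client .ovpn so the settings the post says must match on both ends (dev,
# proto, port, comp-lzo) really do agree before you try to connect.

# Print the first value of a directive, skipping comments. Usage: conf_get FILE DIRECTIVE
conf_get() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Compare a server config with a client config. Prints one line per mismatch
# and returns the number of mismatches (0 means the pair is consistent).
check_vpn_configs() {
    srv="$1"; cli="$2"; bad=0
    # the server's "port 8080" must equal the port in the client's "remote host 8080";
    # both default to 1194 when absent
    s_port=$(conf_get "$srv" port); c_port=$(awk '$1 == "remote" { print $3; exit }' "$cli")
    [ "${s_port:-1194}" = "${c_port:-1194}" ] || { echo "port: server=${s_port:-1194} client=${c_port:-1194}"; bad=$((bad+1)); }
    # proto: drop the optional -server/-client suffix so tcp-server still matches tcp-client
    s_proto=$(conf_get "$srv" proto); c_proto=$(conf_get "$cli" proto)
    [ "${s_proto%-server}" = "${c_proto%-client}" ] || { echo "proto: server=$s_proto client=$c_proto"; bad=$((bad+1)); }
    s_dev=$(conf_get "$srv" dev); c_dev=$(conf_get "$cli" dev)
    [ "$s_dev" = "$c_dev" ] || { echo "dev: server=$s_dev client=$c_dev"; bad=$((bad+1)); }
    # comp-lzo takes no value, so compare presence only (1 = present, 0 = absent)
    s_lzo=$(awk '$1 == "comp-lzo" { f=1 } END { print f+0 }' "$srv")
    c_lzo=$(awk '$1 == "comp-lzo" { f=1 } END { print f+0 }' "$cli")
    [ "$s_lzo" = "$c_lzo" ] || { echo "comp-lzo: server=$s_lzo client=$c_lzo"; bad=$((bad+1)); }
    return "$bad"
}

# Constructed sample configs: the server from the post, one client that matches it
# and one with the three classic slips (udp, default port 1194, no comp-lzo).
write_sample_configs() {
    printf 'dev tun\nproto tcp\nport 8080\nserver 10.8.0.0 255.255.255.0\ncomp-lzo\n' > "$1/server.conf"
    printf 'client\ndev tun\nproto tcp\nremote w.x.y.z 8080\ncomp-lzo\n' > "$1/client-ok.ovpn"
    printf 'client\ndev tun\nproto udp\nremote w.x.y.z\n' > "$1/client-bad.ovpn"
}

# Stand-alone demo: write the samples to a temp dir and check each client against the server
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for c in client-ok.ovpn client-bad.ovpn; do
    if check_vpn_configs "$demo_dir/server.conf" "$demo_dir/$c"; then
        echo "$c: consistent with server.conf"
    else
        echo "$c: $? mismatch(es) with server.conf"
    fi
done
rm -rf "$demo_dir"
```

Point it at your real files (check_vpn_configs /etc/openvpn/openvpn.conf gamevpn.ovpn) before sending the .ovpn to a client; a non-zero return means something still differs.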
There are no more Linux instructions after this point for the client.
On Windows you now need to run the OpenVPN GUI application, a shortcut for which will be on your desktop if you have not removed it. Make sure you run this application as an administrator or it will not be able to add the relevant routing bits and pieces to the routing table.
Once this application starts up, right click the tray icon and click Connect – note: if after connecting you lose internet access, just disconnect and the normal routing table will be restored.
You should be given an IP and all should be well. To test it, open a command prompt window (Start, cmd) and type ping 10.8.0.1 – if you get replies then all is good. You should also be able to ping your computer from the server and ping any other clients on the new VPN. It is not the end of the world if you cannot ping ALL of the other clients on the network – if you can ping at least a few then the network is working and it is just the individual clients that are configured not to reply to ping requests. If no client on the network can ping any other client then you might have a problem.
We now need to test the internet connectivity – but before we do, we need to configure Windows to use the VPN connection by default. These are Windows Vista / 7 instructions, but something similar will work on XP.
- Go to control panel > network and internet > network and sharing centre > change adapter settings
- You need to right click on the adapter that is displayed in this window which has the information “Tap-Win32 (or 64) .....” under it. Click rename. Rename it to GameVPN, OpenVPN or similar.
- Right click the newly renamed network connection and select properties
- Untick the boxes next to QoS Packet Scheduler and Internet Protocol Version 6.
- Once you have done this click ok.
- You now need to press alt to display the menu at the top of the connections window.
- Click advanced > advanced settings
- In the top box there will be a list of your connections, you need to use the arrows on the right to move GameVPN or whatever you called it to the top of the list then click ok.
- Go to http://www.whatsmyip.org/
Your IP address should now be that of the server.
This should be it: you should be able to play games, browse the internet, download torrents etc. through the VPN. You should be able to run games in LAN mode and connect to the other clients via their internal IPs, or connect to games on the internet.
You may find that some applications ignore your best efforts and use your default internet connection anyway, in which case look up an application called ForceBindIP.
Hope this helped someone because it took me ages to find a way of getting this to work!
I did read somewhere else that 90% of problems with OpenVPN are firewall related - good luck!