The Raspberry Pi can easily be setup as an OpenVPN server. One common feature is to access servers or services on the remote network. Another use case is to provide a secure connection when you’re not at home.
You can do this by sending all traffic over the VPN connection, instead of only traffic for the remote servers. The idea is to connect your laptop to your OpenVPN server (this is encrypted by default) and access the internet from there. Whatever you send over the wifi connection, is encrypted by the VPN and thus safe. In the comments on the previous post there was someone trying to set this up. To help him solve the issue, I tested this myself, and decided to write a post showing how to do it because I really like the idea.
This is how it looks like: you’re on a untrusted network (red) and create a safe VPN connection (green) and all traffic will flow over the green network, to the also trusted home network (lighter green). People on the red network now cannot see the sites you visit.
Here’s how to set it up:
- Allow the OpenVPN server to route ip traffic
- Tell the default gw where to send traffic for OpenVPN clients
- Send DNS servers to the VPN Clients
- Configure the OpenVPN Client
- Test your setup
Allow the OpenVPN server to route ip traffic
First of all, you need to allow the OpenVPN server to route packets.
sudo vim /etc/sysctl.conf
Add this line, or alter it if it already exists:
net.ipv4.ip_forward = 1
Then activate the change:
sudo sysctl -p
The change is now activated, and persistent.
Tell the default gw where to send traffic for OpenVPN clients
Another important step is to tell the default gateway in the home network (lighter green) where to send traffic for theOpenVPN clients. If you omit this step, this traffic gets lost. More info in this post. Short story: add this static route to your default gateway. If it’s Linux, you’d run:
sudo route add -net 10.8.0.0/24 gw 10.5.5.5
Assuming 10.5.5.5 is the ip address of the OpenVPN server. When your router is not Linux, check the manual on howto add a static route.
Send DNS servers to the VPN clients
Most ISP’s restrict the usage of their DNS servers to their own network. When you connect to Wifi, you probably receive some DNS servers via DHCP. When you connect to VPN and then send all traffic through the VPN, you are effectively using the network (and internet connection) of your VPN server and not the local network. The DNS-servers you received via DHCP might not work because you access them from another network. To solve this, configure the OpenVPN server to push public DNS servers to use. Alternatively you can also push some local DNS servers or the DNS servers of your ISP.
sudo vim /etc/openvpn/server.conf
Add or edit these lines:
push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4"
These are Google’s public DNS servers. Just enter some DNS servers that work on the network of your OpenVPN server and that you are allowed to use.
Configure the OpenVPN client
I’m using Viscosity and all I have to do is enable a setting to send all traffic over the VPN connection.
Alternative way: It’s also possible to configure the ‘Send all traffic over VPN connection’ on the server-side instead of the client. Both has pros and cons, of course. To set it server-side set this option in the server config:
push "redirect-gateway def1"
Test your setup
The final step: test your setup! Make sure you’re connected through some other network than the one the OpenVPN server is in. Use some public Wifi service of connect over 3G. My iPhone can share its 3G connection and start a Wifi hotspot. My MacBook connects via Wifi, then does the OpenVPN connection to the Pi. The expected behavior is then to see the public ip address of the OpenVPN server’s internet connection, instead of the 3G ip address. Use a website like whatismyip.com to test this. Do this before connecting the VPN, and after. It should be different.
Enjoy your secure browsing experience!
Remi Bergsma's blog 
Thank you for the tutorial. I’d like to do the same thing on
-Server: TomatoUSB w/ VPN
http://tomato.groov.pl/?page_id=31
-Client: Tunnelblick
http://code.google.com/p/tunnelblick/
Would you be able to give me a clue how to configure these GUIs?
Thank you!
For the server, look at the menu: VPN tunneling | OpenVPN server. There are multiple tabs with config settings. Never used this, but I assume you can find the needed settings there.
For the client, Tunnelblick allows you to edit the config file, so you can simply add the lines you want. Although Tunnelblick proved to be very unstable to me. I’m using Viscosity instead.
It’s not clear to me how to do the first two steps with the TomatoUSB GUI:
up:
1. Allow the OpenVPN server to route ip traffic
2. Tell the default gw where to send traffic for OpenVPN clients
And it’s not clear to me what the OpenVPN Client configuration looks like given the Viscosity settings.
Since you use a router device for VPN you probably do not to do anything to make it do routing. It is enabled automatically. I also expect it to add a static route automatically.
It’s probably easiest to find a manual and follow that. I am not familiar with the device but since it is just OpenVPN with a GUI I’m sure it can be done.
Good luck!
I’m using TomatoUSB w/ OpenVPN, trying to follow a recipe from Jan Just Keijser’s book, OpenVPN Cookbook. My server configuration file and the log from starting it up are below.
Is the OpenVPN server starting correctly?
It all looks reasonable to me except this line:
Feb 4 13:35:08 router daemon.err openvpn[2642]: event_wait : Interrupted system call (code=4)
I don’t know what it means and I have no idea how to fix it if it’s a probem.
Thank you for taking a look.
– nello
OpenVPN Server Configuration Created by TomatoUSB GUI
root@router:/tmp/home/root# cat /etc/openvpn/server2/config.ovpn
# Automatically generated configuration
daemon
server 192.168.200.0 255.255.255.0
proto udp
port 1194
dev tun22
comp-lzo adaptive
keepalive 15 60
verb 3
push "redirect-gateway def1"
tls-auth static.key 0
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status
# Custom Configuration
push "route 10.198.0.0 255.255.0.0"
user nobody
group nobody
persist-key
persist-tun
Starting OpenVPN from TomatoUSB GUI
root@router:/tmp/home/root# cat /tmp/var/log/messages
Feb 4 13:35:03 router user.info kernel: tun: Universal TUN/TAP device driver, 1.6
Feb 4 13:35:03 router user.info kernel: tun: (C) 1999-2004 Max Krasnyansky
Feb 4 13:35:03 router user.info kernel: device tun22 entered promiscuous mode
Feb 4 13:35:03 router daemon.notice openvpn[2633]: OpenVPN 2.2.2 mipsel-linux [SSL] [LZO2] [EPOLL] built on Oct 20 2012
Feb 4 13:35:03 router daemon.warn openvpn[2633]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Feb 4 13:35:05 router daemon.notice openvpn[2633]: Diffie-Hellman initialized with 2048 bit key
Feb 4 13:35:05 router daemon.notice openvpn[2633]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Feb 4 13:35:05 router daemon.notice openvpn[2633]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 4 13:35:05 router daemon.notice openvpn[2633]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 4 13:35:05 router daemon.notice openvpn[2633]: TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Feb 4 13:35:05 router daemon.notice openvpn[2633]: Socket Buffers: R=[112640->131072] S=[112640->131072]
Feb 4 13:35:05 router daemon.notice openvpn[2633]: TUN/TAP device tun22 opened
Feb 4 13:35:05 router daemon.notice openvpn[2633]: TUN/TAP TX queue length set to 100
Feb 4 13:35:05 router daemon.notice openvpn[2633]: /sbin/ifconfig tun22 192.168.200.1 pointopoint 192.168.200.2 mtu 1500
Feb 4 13:35:05 router daemon.notice openvpn[2633]: /sbin/route add -net 192.168.200.0 netmask 255.255.255.0 gw 192.168.200.2
Feb 4 13:35:05 router daemon.notice openvpn[2633]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Feb 4 13:35:05 router daemon.notice openvpn[2642]: GID set to nobody
Feb 4 13:35:05 router daemon.notice openvpn[2642]: UID set to nobody
Feb 4 13:35:05 router daemon.notice openvpn[2642]: UDPv4 link local (bound): [undef]:1194
Feb 4 13:35:05 router daemon.notice openvpn[2642]: UDPv4 link remote: [undef]
Feb 4 13:35:05 router daemon.notice openvpn[2642]: MULTI: multi_init called, r=256 v=256
Feb 4 13:35:05 router daemon.notice openvpn[2642]: IFCONFIG POOL: base=192.168.200.4 size=62
Feb 4 13:35:05 router daemon.notice openvpn[2642]: Initialization Sequence Completed
Feb 4 13:35:08 router daemon.err openvpn[2642]: event_wait : Interrupted system call (code=4)
Feb 4 13:35:08 router daemon.notice openvpn[2642]: TITLE,OpenVPN 2.2.2 mipsel-linux [SSL] [LZO2] [EPOLL] built on Oct 20 2012
Feb 4 13:35:08 router daemon.notice openvpn[2642]: TIME,Mon Feb 4 13:35:08 2013,1360006508
Feb 4 13:35:08 router daemon.notice openvpn[2642]: HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t)
Feb 4 13:35:08 router daemon.notice openvpn[2642]: HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
Feb 4 13:35:08 router daemon.notice openvpn[2642]: GLOBAL_STATS,Max bcast/mcast queue length,0
Feb 4 13:35:08 router daemon.notice openvpn[2642]: END
Hi Nello,
It’s not an error that looks too serious on its own. Is there any other error message? What happens when you try to connect a client? Does it work, or log any errors?
What exactly isn’t working and what did you try?
As I do not have such a device of my own I cannot test nor debug it. I’ve also read that some bugs are fixed and you need to run the latest firmware.
When I tried to connect with a client I always get an error that the TLS handshake is not completed within 60 seconds. (See my Tunnelblick connection log below).
I interpret this to mean that I have a connectivity problem.
So, I tried working backwards:
1. Is the service started? You say ‘yes’.
2. What IP/port is listening for a connection? I thought 192.168.200.1 on port 1194; is that correct?
3. Is that IP/port blocked by a firewall? I have a port forwarding rule to forward both UDP/TCP received from any IP on port 1194 to 192.168.200.1 on port 1194. Is there a way to test that it’s working?
Does this analysis seem correct?
See below for client information.
I’m running Tunnelblick on the LAN, behind my router; my Mac’s IP is 10.10.49.134; the router’s internal IP is 10.10.49.1; is there a routing problem from my 10.10… IP to the VPN service on my router if it’s 192.168… ? Do I need to change the VPN service to be on 10.10… too?
I’m at my wit’s end and you are the only person responding to my posts. I really appreciate your help.
Thank you.
– nello
OpenVPN Client Configuration
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
proto udp
remote 192.168.200.1
port 1194
dev tun
nobind
# SSL/TLS parms.
ca ca.crt
cert nello.crt
key nello.key
ns-cert-type server
# tls-auth key is used on the server
tls-auth ta.key 1
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# Select a cryptographic cipher.
;cipher x
# Enable compression on the VPN link.
comp-lzo
# Log file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6
# Silence repeating messages
mute 5
# Silence duplicate packet warnings
mute-replay-warnings
Tunnelblick Connection Log
2013-02-05 14:52:03 *Tunnelblick: OS X 10.8.2; Tunnelblick 3.3beta32 (build 3183)
2013-02-05 14:52:03 *Tunnelblick: Attempting connection with VPN Client Config using shadow copy; Set nameserver = 1; monitoring connection
2013-02-05 14:52:03 *Tunnelblick: openvpnstart start VPN\ Client\ Config.tblk 1337 1 0 1 0 370 -atADGNWradsgnw
2013-02-05 14:52:03 *Tunnelblick: openvpnstart log:
Loading tap.kext
OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn
--cd
/Library/Application Support/Tunnelblick/Users/nello/VPN Client Config.tblk/Contents/Resources
--daemon
--management
127.0.0.1
1337
--config
/Library/Application Support/Tunnelblick/Users/nello/VPN Client Config.tblk/Contents/Resources/config.ovpn
--log
/Library/Application Support/Tunnelblick/Logs/-SUsers-Snello-SLibrary-SApplication Support-STunnelblick-SConfigurations-SVPN Client Config.tblk-SContents-SResources-Sconfig.ovpn.1_0_1_0_370.1337.openvpn.log
--management-query-passwords
--management-hold
--script-security
2
--up
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -a -f -atADGNWradsgnw
--down
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -a -f -atADGNWradsgnw
--up-restart
2013-02-05 14:52:03 *Tunnelblick: Established communication with OpenVPN
2013-02-05 14:52:03 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Oct 20 2012
2013-02-05 14:52:03 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2013-02-05 14:52:03 Need hold release from management interface, waiting...
2013-02-05 14:52:03 MANAGEMENT: Client connected from 127.0.0.1:1337
2013-02-05 14:52:03 MANAGEMENT: CMD 'pid'
2013-02-05 14:52:03 MANAGEMENT: CMD 'state on'
2013-02-05 14:52:03 MANAGEMENT: CMD 'state'
2013-02-05 14:52:03 MANAGEMENT: CMD 'bytecount 1'
2013-02-05 14:52:03 MANAGEMENT: CMD 'hold release'
2013-02-05 14:52:03 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2013-02-05 14:52:03 LZO compression initialized
2013-02-05 14:52:03 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
2013-02-05 14:52:03 Socket Buffers: R=[196724->65536] S=[9216->65536]
2013-02-05 14:52:03 MANAGEMENT: >STATE:1360097523,RESOLVE,,,
2013-02-05 14:52:03 *Tunnelblick: openvpnstart starting OpenVPN:
* /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Library/Application Support/Tunnelblick/Users/nello/VPN Client Config.tblk/Contents/Resources --daemon --management 127.0.0.1 1337 --config /Library/Application Support/Tunnelblick/Users/nello/VPN Client Config.tblk/Contents/Resources/config.ovpn --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Snello-SLibrary-SApplication Support-STunnelblick-SConfigurations-SVPN Client Config.tblk-SContents-SResources-Sconfig.ovpn.1_0_1_0_370.1337.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -a -f -atADGNWradsgnw --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -a -f -atADGNWradsgnw --up-restart
2013-02-05 14:52:04 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
2013-02-05 14:52:04 Local Options hash (VER=V4): 'd79ca330'
2013-02-05 14:52:04 Expected Remote Options hash (VER=V4): 'f7df56b8'
2013-02-05 14:52:04 UDPv4 link local: [undef]
2013-02-05 14:52:04 UDPv4 link remote: 99.31.123.157:443
2013-02-05 14:52:04 MANAGEMENT: >STATE:1360097524,WAIT,,,
2013-02-05 14:53:04 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2013-02-05 14:53:04 TLS Error: TLS handshake failed
2013-02-05 14:53:04 TCP/UDP: Closing socket
I will look into this more closely tomorrow. For now: could you try setting up the connection from outside your normal network? I suspect this is why it does not work.
Try from some public wifi, the neighbor’s home or 3G (with an iPhone or similar) and connect to your public ip on the VPN port. If it does not work, please send those logs as well.
Could you also provide a (simple) network drawing explaining how everything is connected?
Hi Nello, did you have a chance to look at my previous questions? That will help me figure out what’s wrong. Thx!
Remi please can you help me, openvpn is driving me wild.
You are the only tutorial I could find that actually makes perfect sense.
I can connect to the openvpn server but can’t seem to browse the internet. No traffic passes through.
I have a pretty standard setup, here is ifconfig tun0:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:516 errors:0 dropped:0 overruns:0 frame:0
TX packets:99 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:39910 (38.9 KiB) TX bytes:9858 (9.6 KiB)
Here is my the output of netstat -rn:
13:09:17 $ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
My client config is as follows:
client1
dev tun
proto tcp
remote *external_ip* 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
pull dhcp-options
My server config is:
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
and finally the internal ip of my vpn server is 192.168.1.68
Hi Mat,
You probably need to add this line to the server config, to push the route to the vpn clients:
push "route 192.168.1.0 255.255.255.0"Also, make sure the 192.168.1.254 router knows the route back to the 10.8.0.0/24 network by adding a route to 192.168.1.68. You probably need to add a static route somewhere in the web interface.
Final thing to check, make sure the firewall allows the traffic you want. Turn the firewall off to see if that works. If it does, tweak it to allow what you want.
I’ve written three posts about this, when you search on OpenVPN you can browse them all to see some more examples.
Let me know if this helps or whether you need more help!
It is working!!!
You were right that I had to be outside my firewall.
I do have a few warnings though.
Could you read through the log and suggest any improvements?
Thank you!
– nello
2013-02-06 17:12:27 *Tunnelblick: OS X 10.8.2; Tunnelblick 3.3beta32 (build 3183)
2013-02-06 17:12:27 *Tunnelblick: Attempting connection with TLS Config using shadow copy; Set nameserver = 0; not monitoring connection
2013-02-06 17:12:27 *Tunnelblick: openvpnstart start TLS\ Config.tblk 1337 0 0 1 1 305 -atADGNWradsgnw
2013-02-06 17:12:28 *Tunnelblick: openvpnstart log:
Loading tun.kext
OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn
--cd
/Library/Application Support/Tunnelblick/Users/nello/TLS Config.tblk/Contents/Resources
--daemon
--management
127.0.0.1
1337
--config
/Library/Application Support/Tunnelblick/Users/nello/TLS Config.tblk/Contents/Resources/config.ovpn
--log
/Library/Application Support/Tunnelblick/Logs/-SUsers-Snello-SLibrary-SApplication Support-STunnelblick-SConfigurations-STLS Config.tblk-SContents-SResources-Sconfig.ovpn.0_0_1_1_305.1337.openvpn.log
--management-query-passwords
--management-hold
--script-security
2
2013-02-06 17:12:28 *Tunnelblick: Established communication with OpenVPN
2013-02-06 17:12:28 us=51262 Current Parameter Settings:
2013-02-06 17:12:28 us=51603 config = '/Library/Application Support/Tunnelblick/Users/nello/TLS Config.tblk/Contents/Resources/config.ovpn'
2013-02-06 17:12:28 us=51614 mode = 0
2013-02-06 17:12:28 us=51622 show_ciphers = DISABLED
2013-02-06 17:12:28 us=51630 show_digests = DISABLED
2013-02-06 17:12:28 us=51637 NOTE: --mute triggered...
2013-02-06 17:12:28 us=51655 255 variation(s) on previous 5 message(s) suppressed by --mute
2013-02-06 17:12:28 us=51665 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on Oct 20 2012
2013-02-06 17:12:28 us=51790 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2013-02-06 17:12:28 us=57425 Need hold release from management interface, waiting...
2013-02-06 17:12:28 us=170179 MANAGEMENT: Client connected from 127.0.0.1:1337
2013-02-06 17:12:28 us=193148 MANAGEMENT: CMD 'pid'
2013-02-06 17:12:28 us=193319 MANAGEMENT: CMD 'state on'
2013-02-06 17:12:28 us=193434 MANAGEMENT: CMD 'state'
2013-02-06 17:12:28 us=193559 MANAGEMENT: CMD 'bytecount 1'
2013-02-06 17:12:28 us=193680 MANAGEMENT: CMD 'hold release'
2013-02-06 17:12:28 us=194013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
2013-02-06 17:12:28 us=194109 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2013-02-06 17:12:28 us=197891 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
2013-02-06 17:12:28 us=198041 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2013-02-06 17:12:28 us=198136 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2013-02-06 17:12:28 us=198256 LZO compression initialized
2013-02-06 17:12:28 us=198489 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
2013-02-06 17:12:28 us=198653 Socket Buffers: R=[196724->65536] S=[9216->65536]
2013-02-06 17:12:28 us=198763 MANAGEMENT: >STATE:1360192348,RESOLVE,,,
2013-02-06 17:12:28 us=296005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
2013-02-06 17:12:28 us=296186 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2013-02-06 17:12:28 us=296286 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2013-02-06 17:12:28 us=296376 Local Options hash (VER=V4): '504e774e'
2013-02-06 17:12:28 us=296459 Expected Remote Options hash (VER=V4): '14168603'
2013-02-06 17:12:28 us=296535 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2013-02-06 17:12:28 us=296617 UDPv4 link local: [undef]
2013-02-06 17:12:28 us=296694 UDPv4 link remote: :443
2013-02-06 17:12:28 us=296792 MANAGEMENT: >STATE:1360192348,WAIT,,,
RWed Feb 6 17:12:28 2013 us=403875 MANAGEMENT: >STATE:1360192348,AUTH,,,
2013-02-06 17:12:28 us=404042 TLS: Initial packet from :443, sid=c0206280 1ab42cc2
RWRWRWRWed Feb 6 17:12:29 2013 us=613197 Replay-window backtrack occurred [2]
RWRWRWRWRWRWRWRWed Feb 6 17:12:30 2013 us=236383 VERIFY OK: depth=1,
2013-02-06 17:12:30 us=237082 VERIFY OK: nsCertType=SERVER
2013-02-06 17:12:30 us=237178 VERIFY X509NAME OK:
2013-02-06 17:12:30 us=237255 VERIFY OK: depth=0,
RWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWRRRRWRWed Feb 6 17:12:32 2013 us=696030 NOTE: Options consistency check may be skewed by version differences
2013-02-06 17:12:32 us=696253 WARNING: 'version' is used inconsistently, local='version V4', remote='version V0 UNDEF'
2013-02-06 17:12:32 us=696421 WARNING: 'dev-type' is present in local config but missing in remote config, local='dev-type tun'
2013-02-06 17:12:32 us=696583 WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1542'
2013-02-06 17:12:32 us=696741 WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
2013-02-06 17:12:32 us=696888 NOTE: --mute triggered...
2013-02-06 17:12:32 us=697321 9 variation(s) on previous 5 message(s) suppressed by --mute
2013-02-06 17:12:32 us=697479 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2013-02-06 17:12:32 us=697638 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2013-02-06 17:12:32 us=697861 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2013-02-06 17:12:32 us=698019 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WWed Feb 6 17:12:32 2013 us=698285 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2013-02-06 17:12:32 us=698474 [October-Group-VPN] Peer Connection Initiated with :443
RWed Feb 6 17:12:33 2013 us=201563 MANAGEMENT: >STATE:1360192353,GET_CONFIG,,,
2013-02-06 17:12:34 us=375369 SENT CONTROL [October-Group-VPN]: 'PUSH_REQUEST' (status=1)
2013-02-06 17:12:34 us=491530 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 10.10.50.0 255.255.0.0,route 10.10.50.1,topology net30,ping 15,ping-restart 60,ifconfig 10.10.50.6 10.10.50.5'
2013-02-06 17:12:34 us=491756 OPTIONS IMPORT: timers and/or timeouts modified
2013-02-06 17:12:34 us=491853 OPTIONS IMPORT: --ifconfig/up options modified
2013-02-06 17:12:34 us=491943 OPTIONS IMPORT: route options modified
2013-02-06 17:12:34 us=492154 ROUTE default_gateway=192.168.101.1
2013-02-06 17:12:34 us=492433 TUN/TAP device /dev/tun0 opened
2013-02-06 17:12:34 us=492531 MANAGEMENT: >STATE:1360192354,ASSIGN_IP,,10.10.50.6,
2013-02-06 17:12:34 us=492639 /sbin/ifconfig tun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2013-02-06 17:12:34 us=498556 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2013-02-06 17:12:34 us=498753 /sbin/ifconfig tun0 10.10.50.6 10.10.50.5 mtu 1500 netmask 255.255.255.255 up
2013-02-06 17:12:34 us=503706 /sbin/route add -net 192.168.101.1 255.255.255.255
add net : gateway 192.168.101.1
2013-02-06 17:12:34 us=507376 /sbin/route add -net 0.0.0.0 10.10.50.5 128.0.0.0
add net 0.0.0.0: gateway 10.10.50.5
2013-02-06 17:12:34 us=509669 /sbin/route add -net 128.0.0.0 10.10.50.5 128.0.0.0
add net 128.0.0.0: gateway 10.10.50.5
2013-02-06 17:12:34 us=511751 MANAGEMENT: >STATE:1360192354,ADD_ROUTES,,,
2013-02-06 17:12:34 us=511962 /sbin/route add -net 10.10.50.0 10.10.50.5 255.255.0.0
add net 10.10.50.0: gateway 10.10.50.5
2013-02-06 17:12:34 us=514896 /sbin/route add -net 10.10.50.1 10.10.50.5 255.255.255.255
add net 10.10.50.1: gateway 10.10.50.5
2013-02-06 17:12:34 us=519574 GID set to nobody
2013-02-06 17:12:34 us=519757 UID set to nobody
2013-02-06 17:12:34 us=519858 Initialization Sequence Completed
2013-02-06 17:12:34 us=519978 MANAGEMENT: >STATE:1360192354,CONNECTED,SUCCESS,10.10.50.6,
2013-02-06 17:12:40 *Tunnelblick: This computer's apparent public IP address changed from 50.76.81.125 before connection to after connection
2013-02-06 17:14:26 *Tunnelblick: Disconnecting; 'disconnect' button pressed
2013-02-06 17:14:26 *Tunnelblick: Disconnecting using 'killall'
2013-02-06 17:14:26 us=310834 event_wait : Interrupted system call (code=4)
2013-02-06 17:14:26 us=311443 TCP/UDP: Closing socket
2013-02-06 17:14:26 us=311623 /sbin/route delete -net 10.10.50.1 10.10.50.5 255.255.255.255
route: must be root to alter routing table
2013-02-06 17:14:26 us=315519 ERROR: OS X route delete command failed: external program exited with error status: 77
2013-02-06 17:14:26 us=315736 /sbin/route delete -net 10.10.50.0 10.10.50.5 255.255.0.0
route: must be root to alter routing table
2013-02-06 17:14:26 us=318596 ERROR: OS X route delete command failed: external program exited with error status: 77
2013-02-06 17:14:26 us=318750 /sbin/route delete -net 192.168.101.1 255.255.255.255
route: must be root to alter routing table
2013-02-06 17:14:26 us=321549 ERROR: OS X route delete command failed: external program exited with error status: 77
2013-02-06 17:14:26 us=321710 /sbin/route delete -net 0.0.0.0 10.10.50.5 128.0.0.0
route: must be root to alter routing table
2013-02-06 17:14:26 us=324686 ERROR: OS X route delete command failed: external program exited with error status: 77
2013-02-06 17:14:26 us=324920 /sbin/route delete -net 128.0.0.0 10.10.50.5 128.0.0.0
route: must be root to alter routing table
2013-02-06 17:14:26 us=327484 ERROR: OS X route delete command failed: external program exited with error status: 77
2013-02-06 17:14:26 us=327618 Closing TUN/TAP interface
2013-02-06 17:14:26 us=328040 SIGTERM[hard,] received, process exiting
2013-02-06 17:14:26 us=328167 MANAGEMENT: >STATE:1360192466,EXITING,SIGTERM,,
That’s cool!
The warnings are about differences in the client and server config. You specify some options in the client vpn config, that are not properly set on the server. It isn’t a big deal, you can either remove them from the client or add the right ones to the server as well.
Hi Remi
Many thanks, it did help a little, I have read your other posts too before asking anything else so I’m not repeating anything you’ve already posted about.
Just one last question, I’ve turned off the firewall completely. The only obstacle I have is that I currently have a bthomehub2 which doesn’t support static routes.
Does this mean openvpn is an impossibility?
It connects fine internally and browses the internet, however when I use my phone as a hotspot to simulate a remote connection, the vpn client connects but no internet browsing ability.
I’ve port forwarded all traffic on 443 to the raspberry pi openvpn server and added the route like you said to server.conf. I’m just under the impression that perhaps the traffic is getting lost due to the lack of a static route.
Hi Mat,
Feel free to ask questions when something is not clear!
I think you’re right. Without a static route, your router does not know what to do with the 10.8.0.0/24 OpenVPN network. Traffic will be sent to the default gateway where it is dropped.
If you cannot add a static route, you can use a small trick to get it to work. You use iptable’s MASQUERADE (NAT) function, to translate your OpenVPN network (probably 10.8.0.0/24) to the address of the Pi on your local network. All hosts on your local network, then ‘see’ the OpenVPN clients as if it was the Pi. While this might not be ideal, it at least makes things work because this way you no longer need the static route.
Run this command on the Pi, and test again with your phone:
sudo iptables -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADELet me know if this solves your problem! If it does, we’ll need to create something that runs this command when the Pi boots because it is not persistent like this.
Hi Remi
Thanks so much, your solution has ended 2 months of frustration for me, it certainly did work with masquerade. However, initially I with your command I was getting a response of:
11:04:06 $ sudo iptables -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables: No chain/target/match by that name.
So after a little more research I thought it might be because of the iptables_nat module not being loaded or even perhaps masquerade. A quick:
lsmod | grep ip
Solved that by telling me that these were indeed loaded. So digging further into the error that I originally got back, I was able to find I was missing a little part and run your suggestion by adding -t nat to the start of the command as follows:
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
This succeeded without errors and after connecting via my phone hotspot, I got my home network ip and was able to browse the internet.
Tunnelblick seems to be stuck on *Tunnelblick: openvpnstart: etc etc.
Viscosity seems a little more polished and works without errors, so I think I will stick with that.
As per your previous post, is there something I could do to ensure this is persistent when I reboot the pi?
I can’t thank you enough for your help.
Hi Mat,
Sorry, I posted that too quick I guess.. well done you figured it out 🙂
Using ‘iptables-save’ and ‘iptables-restore’ you can save and restore the iptables rules. In the past, I found it to work best to create a small shell script and place it in ‘/etc/network/if-pre-up.d’. Just before the network interface is brought up, the iptables rules will be restored. The idea is to do the same when the interface goes down (use the ‘/etc/network/if-post-down.d’ folder to place the script in). Using these thechniques, you can create something and have fine control over it.
However, I recently heard about a tool called ‘iptables-persistent’ that makes life easier. Here’s the description:
iptables-persistent - boot-time loader for iptables rules:Current iptables rules can be saved to the configuration file /etc/iptables/rules.v4. These rules will then be loaded automatically during system startup.
Sounds like what we want :-). Now, all you have to do is:
sudo apt-get install iptables-persistentDuring install, the program asks to save both ipv4 and ipv6 iptables rules. Do you need to make changes later on, you need to save them before this package restores them. This is how:
iptables-save > /etc/iptables/rules.v4About Tunnelblick, I’ve used it for years, and it has been great, but since Mountain Lion it doesn’t work too well for me. I switched to Viscosity last summer and I really like it. Well worth the $9 if you ask me!
Have fun and take care!
Would you consider adding a tutorial on certificate revocation as it applies to OpenVPN?
Nice idea, I will! Stay tuned..
Edit:
The post can be found here!
I used OpenVPN in bridged mode, i.e:
# Trying to use the DHCP server itself so all the routing mess is left off
server-bridge 192.168.1.1 255.255.255.0 192.168.1.221 192.168.1.231
Of course I did the rest as well (summarizing):
# The routes given to other private subnets
push “route add -net 192.168.1.1 netmask 255.255.255.0 dev tap0” # IP and SUBNET of local network
# Unknown if this will work, but the router is the real DNS anyway
push “dhcp-option DNS 192.168.1.1”
Then, isn’t the following true and simple in my setup?
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN
push “redirect-gateway”
Hi,
I’d suggest changing
push “redirect-gateway”
to
push “redirect-gateway def1”
This keeps the local network reachable (for example the DHCP server).
Hi Remi,
As others have noted, your post is probably the most sensible and nicely written on to explain the intricacies of setting up OpenVPN for secure browsing. Unfortunately, I managed to mess it up, and now I must also come to you for assistance on this matter. 🙂
My situation is a bit unique in the sense that I have an OpenVPN server in the form of an old Router running TomatoUSB VPN sitting behind a standard router.
The Tomato VPN server is configured with a static IP 192.168.1.2 as a client of my primary router on 192.168.1.1. It has DHCP disabled, and it’s wifi off.
The openVPN is configured with a PKI cert and I have a client which is able to connect from within the LAN, however once connected, none of the internet traffic from the VPN client goes anywhere. I believe I probably need to somehow tell the VPN to push traffic from the VPN clients to 192.168.1.1 but I’m not exactly sure how.
I have the following entries in my server configuration:
push “redirect-gateway def1”
push “route 192.168.1.0 255.255.255.0”
Thanks to the tomato firmware I have decent control over the routes defined on the Tomato router, but the primary router is not so accessible.
Thanks,
Ed
Hi Ed,
Glad you like the posts 🙂 I think you need to tell the real router in your network (192.168.1.1) about the network of the OpenVPN clients. Right now, the router does not know where to send this traffic to.
You should route the 10.8.0.0/24 network (OpenVPN clients) to 192.168.1.2 (OpenVPN server). Depending on the router, this has to be done in a GUI or on the command line. Let me know if you need help setting this up.
I suppose it will work once you do this. If it doesn’t, tell me what goes wrong, what error you’ve got etc and I’ll do my best to help!
Mr. Bergsma,
Good afternoon. I’m fascinated with this capability and have endeavored to mimic it. However, I have one significant difference. I’d like to have my linux box which sits behind my router/firewall both function as the OpenVPN server and route the packets via tunnel appropriately through my LAN router. I.e., I have a router that must run NAT without any static routes installed – that is, unless, you know how to setup static routes and NAT on the same router (Engenius 9250) – I have to disable NAT to enable static routing on the router.
Here’s my private network provided by the router: 10.66.77.0/24. Gateway address: 10.66.77.1.
Here’s my OpenVPN network on the linux box: 10.8.0.0/24. Linux server on LAN is 10.66.77.4, IP for OpenVPN on Linux is: 10.8.0.1.
I have successfully connected from my IOS devices (using Guizmopenvpn on jailbroken iphone/ipad – works great!). I.e., I can ping the openvpn server once connected (tested over 3G connection), but, as you would expect, I can not browse through the router to the Internet because the packets aren’t getting out.
I performed both the “sysctl -p” and “sudo route add -net 10.8.0.0/24 gw 10.66.77.1” commands plus pushed the DNS servers in the server.conf.
Again – pretty sure its a routing issue. Any ideas of HOWTO?
Thank you,
Dane
Update 1: I read a bit more on this post and performed the following actions from the linux openvpn server:
1. sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
2. Apt-get install iptables-persistent did not work (apparently that file is no longer available?) so I added it to a file: /etc/network/if-up.d which executes iptables-restore < /etc/firewall.conf
Now I can connect over 3G (to test) and authenticate with my openvpn server and ping the router. However, browsing still does not work.
Any ideas on what I am leaving out?
– thanks
Dane
Figured it out – case closed.
Hi Dane,
Sorry for not getting back to you any sooner. Did you solve the issue by now or do you still need help?
I’m curious about this comment:
It’s also possible to configure the ‘Send all traffic over VPN connection’ on the server-side instead of the client. Both has pros and cons, of course.
Would you please expand on the advantages and disadvantages of these two techniques of routing DNS traffic:
push “redirect-gateway def1”
versus
push “dhcp-option DNS 8.8.8.8”
Presumably, redirecting DNS traffic through the VPN is more secure because there’s no DNS linkage. But, as I understand, it prevents a DHCP lease renewal and therefore may result in loss of the local connection.
If I’ve understood the tradeoff correctly, then is there anyway to maintain a connection to the local DHCP server and yet restrict all but renewal requests from routing to it?
Finally, what happens if both re-direct and push dhcp-option are specified as shown below?
Thank you for your help.
– nello
Tomato v1.28.0000 MIPSR2-102 K26 USB AIO
# Automatically generated configuration
daemon
server 10.10.50.0 255.255.255.0
proto udp
port 443
dev tun22
comp-lzo adaptive
keepalive 15 60
verb 3
push “route 10.10.49.0 255.255.255.0”
push “dhcp-option DOMAIN OctoberGroup.local”
push “dhcp-option DNS 10.10.49.1”
push “redirect-gateway def1”
tls-auth static.key 0
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status
# Custom Configuration
push “route 10.10.50.0 255.255.0.0”
user nobody
group nobody
persist-key
persist-tun
ping-timer-rem
verb 3
# Client Configuration
client
proto udp
remote 443
dev tun
nobind
ca ca.crt
cert nello.crt
key nello.key
ns-cert-type server
tls-remote October-Group-VPN
tls-auth ta.key 1
user nobody
group nobody
persist-key
persist-tun
comp-lzo
verb 6
mute 10
mute-replay-warnings
Remi:
I using a Raspberry PI and your instructions. Thanks to you I am 97.3% successful.
From my iPhone I can connect into the RasPI via OpenVPN. I can even launch a VNC terminal from my iPhone to see the RasPI in all it’s color GUI glory and run programs.
I CANNOT, however, get the the chrome browser on the iPhone to connect to a webpage (ex: whatismyip.com). At first I thought is may be the DNS setup, but I tried to go to google.com via a direct IP (http://74.125.224.72/) and still could not connect to the website.
Any hints?
Many thanks!
Hi!
This sounds like a routing issue.
Did you enable routing on the Pi? See the part about the sysctl setting ‘net.ipv4.ip_forward’.
Remi
Remi:
Is it possible my keys ‘expired’? Just a thought on why my VPN connection may be failing. I generated them some time ago with the method you described.
Remi:
Okay. Back on track from the 2-3 comments right above this.
My keys are good. For reasons unknown to me
sudo /etc/init.d/openvpn start
would not run the VPN. I had to point to the conf file with:
sudo openvpn –config server.conf
Not sure why, but maybe that isn’t important anyway (?). Connecting via the RasPI VPN is solid again and I’m back on trying to get a browser allow web surfing.
Adding the line
net.ipv4.ip_forward = 1
prevents the VPN from running with the error
“Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf”
If I comment the net.ipv4.ip_forward = 1 line the VPN runs without error.
My server.conf file reads as below. I would be thankful for any opinions:
port 443
proto tcp
dev tun
ca easy-rsa/1.0/keys/ca.crt
cert easy-rsa/1.0/keys/server.crt
key easy-rsa/1.0/keys/server.key # This file should be kept secret
dh easy-rsa/1.0/keys/dh1024.pem
server 10.40.40.40.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
#net.ipv4.ip_forward = 1
push “redirect-gateway def1”
push “dhcp-option DNS 8.8.8.8”
push “dhcp-option DNS 8.8.4.4”
keepalive 10 120
comp-lzo
persist-key
persist-tun
status status.log
verb 3
Hi Remi, great blog you have! Running Openvpn is driving me a little bit crazy.
If I connect from the local network, everything runs smooth but not from outside. I’m using Openvpn for Android as client.
I can connect to the openvpn server but can’t seem to browse the internet. No traffic passes through apparently.
I have a pretty standard setup, here is ifconfig tun0:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:228 errors:0 dropped:0 overruns:0 frame:0
TX packets:292 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:24069 (23.5 KiB) TX bytes:201642 (196.9 KiB)
Here is my the output of netstat -rn:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.0.254 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.0 192.168.0.46 255.255.255.0 UG 0 0 0 eth0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
My server config is:
ev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push “redirect-gateway def1”
#set the dns servers
push “dhcp-option DNS 8.8.8.8”
push “dhcp-option DNS 8.8.4.4”
push “route 192.168.0.0 255.255.255.0”
log-append /var/log/openvpn
comp-lzo
The local IP address of my server is 192.168.0.46
Hi,
I just want to give you many thanks for this great post! I have been struggling with openvpn settings a long time and with this article it was done in almost 10 minutes!