Petr from
Knowledge.Exposed

Tags: OpenVPN | VPN
Published: May 27, 2022
Categories: Networking | Self-hosting

OpenVPN tips you might not know about

Random ideas about OpenVPN

OpenVPN seems to be a really great tool that provides an easy way to connect multiple computers across different networks into one united network and lets them communicate with each other. Here are some ways I’ve been using OpenVPN in my home lab.

Shared network

It is kinda obvious, but if you have multiple clients connecting to the OpenVPN server, they will all be connected to the same network.

The default IP address pool for OpenVPN is 10.8.0.X. From my experience, OpenVPN assigns IP addresses in ascending order based on when each client connects, unless specified otherwise.

If you set up the VPN connection on the machines running your home lab services, you can connect to them from anywhere in the world just as easily as you can from your computer at home.

Also, if you want to expose your home lab services to the public, you can use a reverse proxy and route the traffic through the VPN.

Autoconnect OpenVPN client to VPN server

This feature has saved me quite a few times. When I was traveling, my server sometimes rebooted for different reasons. Sometimes I was doing updates, sometimes the power went down, and in those cases you really want your device to auto-connect to your VPN right after it boots.

It’s actually a really easy thing to do.

The first thing you need to check is whether /etc/default/openvpn has the AUTOSTART directive set to either all or "specific-name-of-config". You can just open the file and read the comments on how to do it.

If you don’t see the file in the mentioned location, check whether your Linux distro stores it somewhere else.

The next step is to copy the .conf file to /etc/openvpn/. After the next reboot, the client should automatically connect to the OpenVPN server.

If you are using the OpenVPN server installation script like one of these:

You might get a config file that looks like this: your-client-name.ovpn. In that case, rename the file extension to .conf and store the file in /etc/openvpn/.

Now you can reboot your machine and check whether the VPN connection is established, either with ip addr show or with ping 10.8.0.1 (or a different IP based on your configuration). If you see the OpenVPN network, congratulations! You are in!

Setting up a static IP for the client

From the resources online, it all seems more complicated than it needs to be… especially the part where you extract the name from the key.

Long story short…

Step 1 – know your clients

Locate the .crt/.ovpn/.conf files. You don’t actually need to do this if you are confident about the names of the clients you created, so if you know the clients’ names, feel free to proceed.

I usually name my clients after the client’s machine and the server that is hosting the OpenVPN server, e.g. lenovolaptop2myvpnserver.ovpn, workstation2myvpnserver.ovpn, etc.

Since I am using the Nyr / openvpn-install script, the first part of the filename is also my client name, e.g. lenovolaptop2myvpnserver, workstation2myvpnserver.

Step 2 – prepare server config

For whatever reason, the Nyr script doesn’t create the standard openvpn > server > server.conf file, so there are no comments explaining how to use the extra directives.

What you need to do is set the so-called client-config-directory, usually called ccd. To do this, open /etc/openvpn/server/server.conf and add this at the very beginning of the file:

# If client-config-dir is already present,
# you can check if path matches the one you need to use
# or you can simply change the path to this one:
# (note that all configs placed in original path will be ignored)
client-config-dir /etc/openvpn/ccd

I am guessing it doesn’t need to be at the very beginning, but… I put it there and it works… Now restart the OpenVPN service as root:

systemctl restart openvpn-server@server

Step 3 – set the static IP

Once you have configured the ccd directory in the server config, the next thing to do is configure the static IP for your client.

Let’s say we have a client whose name is workstation2myvpnserver. In that case, create a file with this name inside the /etc/openvpn/ccd directory and add an entry for the static IP:

echo 'ifconfig-push 10.8.0.10 255.255.255.0' > /etc/openvpn/ccd/workstation2myvpnserver

The IP address 10.8.0.10 must belong to the OpenVPN IP address pool and must be unique. The IP address 10.8.0.1 belongs to the OpenVPN server. You can use any IP address in the range 10.8.0.2-255.

If you have multiple clients, create a new file for each of them and set the desired unique IP address.

Step 4 – check if it works

Now you can connect to your VPN with your client as you normally would and check whether the server assigned you the desired IP.

You can do it, for example, with the ifconfig command or the ip addr show command.
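
Once there are several files in the ccd directory, it is easy to hand out the same address twice or to reuse the server's own. The script below is an added example, not part of the original post or of the Nyr script: it audits a ccd directory, assuming the 10.8.0.0/24 pool and the server address 10.8.0.1 used above. The function names and the third client name (nas2myvpnserver) are made up for illustration.

```shell
#!/bin/sh
# check_ccd DIR [SERVER_IP] [NET_PREFIX]
# Audits the ifconfig-push line of every file in a client-config-dir.
# Assumptions: a /24 pool; defaults are the values used in the article.
# Prints one line per problem and returns 1 if any problem was found.
check_ccd() {
    dir=$1
    server_ip=${2:-10.8.0.1}
    net=${3:-10.8.0}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Emit "client-name ip netmask" for each static assignment found.
        awk -v name="$(basename "$f")" \
            '$1 == "ifconfig-push" { print name, $2, $3 }' "$f"
    done | awk -v server="$server_ip" -v net="$net" '
        {
            name = $1; ip = $2; mask = $3; problem = ""
            split(ip, o, ".")
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                problem = "INVALID"
            else if ((o[1] "." o[2] "." o[3]) != net)
                problem = "OUTSIDE-SUBNET"
            else if (o[4] + 0 < 1 || o[4] + 0 > 254)
                problem = "NOT-A-HOST"        # network or broadcast address
            else if (ip == server)
                problem = "SERVER-ADDRESS"
            else if (mask != "255.255.255.0")
                problem = "BAD-NETMASK"
            else if (ip in owner)
                problem = "DUPLICATE-OF-" owner[ip]
            else
                owner[ip] = name
            if (problem != "") { print problem, name, ip; bad = 1 }
        }
        END { exit bad }'
}

# Constructed sample: two clients share an address, one uses the server's.
demo_check_ccd() {
    d=$(mktemp -d)
    echo 'ifconfig-push 10.8.0.10 255.255.255.0' > "$d/workstation2myvpnserver"
    echo 'ifconfig-push 10.8.0.10 255.255.255.0' > "$d/lenovolaptop2myvpnserver"
    echo 'ifconfig-push 10.8.0.1 255.255.255.0'  > "$d/nas2myvpnserver"
    rc=0
    check_ccd "$d" || rc=$?
    rm -rf "$d"
    return $rc
}
```

On the server, run it as check_ccd /etc/openvpn/ccd after adding or changing a client file; no output and exit status 0 mean every static address is valid and unique.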

Don’t route traffic through the VPN

It is super useful when you want a machine to be accessible through the VPN but don’t want to force its traffic through the VPN network. For example, when you are logging in to some services, you can create a SOCKS proxy with SSH and “pretend” to be in the Czech Republic without actually being there; you’re just routing traffic through the SSH connection over the VPN, and your machine is serving the requests.

Well, it’s quite straightforward… you can just add:

pull-filter ignore "redirect-gateway"

to the client’s config file. If you are using the auto-connect feature, it will probably be in the /etc/openvpn/ directory, stored as a .conf file. Otherwise, it will be wherever you placed it, with the .ovpn extension.
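
To confirm that the filter took effect, look at the client's routing table after connecting. The function below is an added example, not part of the original post: it reads ip route show output and reports any route that still sends all IPv4 traffic into the tunnel. The function name and both sample routing tables are constructed for illustration.

```shell
#!/bin/sh
# vpn_default_routes: reads `ip route show` output on stdin and prints every
# route that would send all IPv4 traffic into a tun/tap device.
# Exit status 0 = split tunnel (nothing found), 1 = full-tunnel routes present.
vpn_default_routes() {
    awk '
        # "redirect-gateway def1" installs 0.0.0.0/1 and 128.0.0.0/1;
        # plain "redirect-gateway" replaces the default route itself.
        $1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i + 1) ~ /^(tun|tap)[0-9]+$/) {
                    print; found = 1
                }
        }
        END { exit found }'
}

# Constructed samples (addresses are made up for illustration).
# Client that accepted the pushed redirect-gateway:
FULL_TUNNEL_SAMPLE='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.10
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Client with pull-filter ignore "redirect-gateway" in its config:
SPLIT_TUNNEL_SAMPLE='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.10
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
```

On a connected client, ip route show | vpn_default_routes should print nothing; only the 10.8.0.0/24 route should point at the tunnel device.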

Hope these tips are helpful for you. Let me know in the comments how you are using your VPN servers.