openVPN setup script

Posted by petergunn 
openVPN setup script
November 15, 2010 08:31PM
I just set up my dockstar as an openVPN end-point so I can VPN in to my home network. It's set up so that if I connect remotely (from somewhere like a hotel) all traffic will go over the VPN - this means I can access servers and mount shares on my home network, and if I surf the web it will use my home ISP's DNS servers and route web traffic via my home ISP.

Web traffic goes like this (VPN bit is in [ ] )
[laptop--->internet--->home_router--->dockstar]--->home_router--->internet

I'm a VPN noob so I was happy when I found a setup script and blog entry that helped me get it up and running easily.

I have attached a modified version of the script that is more dockstar debian friendly and does not add duplicate config to the system if it's restarted or run multiple times.

It takes about 10-15 minutes to generate the keys & certificates during setup.

No warranty on the script. If you want to give it a whirl:
1) set up a static IP address for your dockstar eth0 in /etc/network/interfaces then reboot
2) open (or map) port 1194 UDP from your router/firewall to the dockstar IP
3) ssh to dockstar, edit the LAN_DHCP_SERVER= entry in the script and then run the script as root
4) copy the keys & certs from keys.tgz to your client PC for your openVPN client


On my Ubuntu laptop I installed the network-manager-openvpn-gnome package then configured the VPN by using the VPN Connections... > Configure VPN... option from the nm-applet on the Gnome Panel. I had to manually select LZO compression and my custom port in the 'Advanced...' options. Seems to work well.

Update: Latest setup_vpn.sh is available from http://jeff.doozan.com/debian/lcd/

-PG



Edited 2 time(s). Last edit at 01/06/2011 05:48PM by petergunn.
MediaMind
Re: openVPN setup script
December 26, 2010 11:23PM
Just wanted to say thanks for the tutorial and script. I had to run it twice as the first time the "client1.crt" file was empty - no idea why...

Anyhow, ran it again and everything worked. I'm running Ubuntu 10.10 64-bit on my client machine - I installed network-manager-openvpn-gnome and then set up a VPN connection using the following parameters (click on network manager and select VPN Connections > Configure VPN > Add):

Gateway: Your home IP Address/Domain
Type: Certificate (TLS)
User Certificate: client1.crt
CA Certificate: ca.crt
Private Key: client1.key
Private Key Password: (leave blank)
Advanced: (Click and check "Use LZO data compression")
Re: openVPN setup script
December 27, 2010 08:44AM
Good to hear it's working.

FYI - I've collected together some of my setup scripts and put them on the web site Jeff gave me. There may be small tweaks to the scripts you can find there, but I don't think I've changed the openVPN setup script.

-PG
Re: openVPN setup script
December 31, 2010 12:47PM
Thanks petergunn for the link to your other setup scripts - they look VERY useful!

Quick question for you:
My OpenVPN setup was working well until I rebooted my Dockstar. As of now, I'm still able to establish a VPN connection with the Dockstar from my Ubuntu 10.10 laptop (from an outside network) and ssh into the Dockstar but I can no longer use a browser (Chrome, Firefox) to access the Internet. When I open a browser and attempt to visit a website I receive the "This webpage is not available" message.

As an aside, I am able to access the Internet if I establish a VPN connection from my Ubuntu 10.10 laptop, ssh into my Dockstar and then use a terminal-based browser (w3m & elinks).

Any help would be much appreciated - thanks!
Re: openVPN setup script
December 31, 2010 05:27PM
Need some more info...

From your laptop over VPN:
* can you ping your home gateway (router)?
* can you ping news.bbc.co.uk?
* can you ping 212.58.244.57?
* does DNS work? (i.e. nslookup www.demon.net)
* does your laptop /etc/resolv.conf look like your dockstar's /etc/resolv.conf ?

Not over VPN:
* have you tried restarting openvpn on the dockstar? (/etc/init.d/openvpn restart)

-PG
Re: openVPN setup script
December 31, 2010 07:19PM
petergunn Wrote:
-------------------------------------------------------
> Need some more info...
>
> From your laptop over VPN:
> * can you ping your home gateway (router)?
> * can you ping news.bbc.co.uk?
> * can you ping 212.58.244.57?

No, I can't ping my gateway/router or any external websites (news.bbc.co.uk, etc). I can, however, successfully ping the Debian server.

> * does DNS work? (i.e. nslookup www.demon.net)
DNS seems to work - here's what I received in response to nslookup www.demon.net:
Server:		192.168.42.129
Address:	192.168.42.129#53

Non-authoritative answer:
Name:	www.demon.net
Address: 212.69.213.230

> * does your laptop /etc/resolv.conf look like your dockstar's /etc/resolv.conf ?

No, not when the VPN connection is active. Here's the laptop's /etc/resolv.conf:
# Generated by NetworkManager
nameserver 192.168.42.129

And here's the Dockstar's /etc/resolv.conf:
 nameserver 192.168.1.1

*Note: 192.168.1.1 is the IP of my home network's gateway/router.

>
> Not over VPN:
> * have you tried restarting openvpn on the
> dockstar? (/etc/init.d/openvpn restart)
Yes, I've tried this multiple times. I've also tried rebooting the Dockstar and my laptop.

Thanks very much for your help!!

PS - I did notice what appears to be a typo in the openvpn install script/openvpn.config
I believe the line: push "redirect-gateway defl" should be: push "redirect-gateway def1"

More info here: http://openvpn.net/index.php/open-source/documentation/howto.html

I've tried changing this variable in my /etc/openvpn/openvpn.conf file and restarted everything but still no Internet...

Here's a copy of my current openvpn.conf fyi.
#verb 3
#log-append /var/log/openvpn.log

dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key

Also, not sure this will be of value but here are the contents of my /etc/network/interfaces file:

# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0

iface eth0 inet static
       #set your static IP below
       address 192.168.1.169

       #set your default gateway IP here
       gateway 192.168.1.1

       netmask 255.255.255.0
       network 192.168.1.0
       broadcast 192.168.1.255
Re: openVPN setup script
December 31, 2010 07:23PM
What is the output of the route command on laptop & dockstar when vpn is active?
route -n
-PG
Re: openVPN setup script
December 31, 2010 07:32PM
Looking like a DNS issue - when you activate the VPN on the laptop it's supposed to replace the active DNS server (/etc/resolv.conf) with the one from the VPN server (192.168.1.1 - your router's DNS proxy) and it doesn't seem to be doing that.

The "dhcp-option DNS $LAN_DHCP_SERVER" bit in the setup script is supposed to force that change when you activate VPN.

-PG
Re: openVPN setup script
December 31, 2010 07:39PM
petergunn Wrote:
-------------------------------------------------------
> What is the output of the route command on laptop
> & dockstar when vpn is active?
>
> route -n

Laptop:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
69.203.125.72   192.168.42.129  255.255.255.255 UGH   0      0        0 usb0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
192.168.42.0    0.0.0.0         255.255.255.0   U     1      0        0 usb0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 usb0
0.0.0.0         10.8.0.5        0.0.0.0         UG    0      0        0 tun0

Dockstar:
~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
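To read the laptop table above the way the kernel does, here is an added Python example (written for this review; it is not code from the thread or from the setup script) that parses `route -n` output and performs a longest-prefix match with the metric as tie-break. The routing table embedded in it is the laptop one from the post above; the function names are my own. Running it shows that the home router (192.168.1.1) and public addresses are sent into tun0, while the nameserver in the laptop's resolv.conf (192.168.42.129) is on the local usb0 subnet and is reached outside the tunnel, which is why nslookup answered while pings through the tunnel got nothing.

```python
import ipaddress

# Laptop routing table from the post above (`route -n` with the VPN up).
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
69.203.125.72   192.168.42.129  255.255.255.255 UGH   0      0        0 usb0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
192.168.42.0    0.0.0.0         255.255.255.0   U     1      0        0 usb0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 usb0
0.0.0.0         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
"""


def parse_route_n(text):
    """Turn `route -n` output into (network, gateway, metric, iface) tuples.

    Header lines have fewer than eight fields or start with "Destination",
    so they are skipped; a dotted Genmask is accepted by ipaddress directly.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue
        dest, gateway, mask, _flags, metric, _ref, _use, iface = fields
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((network, gateway, int(metric), iface))
    return routes


def lookup(routes, destination):
    """Longest-prefix match with lowest metric as tie-break, as the kernel does.

    Returns (iface, next_hop) where next_hop is None for an on-link route,
    or None when no route (not even a default) covers the destination.
    """
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    _network, gateway, _metric, iface = max(
        candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface, (None if gateway == "0.0.0.0" else gateway)


def egress_table(text, destinations):
    """Map each destination to the (iface, next_hop) the host would use."""
    routes = parse_route_n(text)
    return {dst: lookup(routes, dst) for dst in destinations}


if __name__ == "__main__":
    # Destinations taken from the troubleshooting questions in this thread.
    table = egress_table(ROUTE_N_OUTPUT, [
        "192.168.1.1",      # home router
        "212.69.213.230",   # www.demon.net
        "192.168.42.129",   # nameserver in the laptop's resolv.conf
        "69.203.125.72",    # the VPN endpoint itself
        "10.8.0.1",         # server end of the tunnel
    ])
    for dst, via in table.items():
        print(f"{dst:16} -> {via}")
```

The same parser works on the Dockstar table in the post; there, every 10.8.0.x address goes into tun0 and everything else out eth0 via 192.168.1.1, so traffic that reaches the Dockstar from the tunnel only makes it back if forwarding and NAT are in place on the server side.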
Re: openVPN setup script
December 31, 2010 08:03PM
From the laptop with VPN active can you try...
ifconfig | grep -A1 '^[^ ]'
traceroute -n 192.168.1.1        # you may need to apt-get install traceroute
traceroute -n 192.168.42.129
traceroute -n 212.69.213.230
-PG
Re: openVPN setup script
December 31, 2010 11:52PM
petergunn Wrote:
-------------------------------------------------------
> Looking like a DNS issue - when you activate the
> VPN on the laptop its supposed to replace the
> active DNS server (/etc/resolv.conf) with the one
> from VPN server (192.168.1.1 - your router's DNS
> proxy) and it doesn't seem to be doing that.
>
> The "dhcp-option DNS $LAN_DHCP_SERVER" bit in the
> setup script is supposed to force that change when
> you activate VPN.
>
Well, I decided to run the OpenVPN install script again which generated new keys. I then saved them to my client Ubuntu 10.10 laptop, set up a new VPN connection and was able to establish a connection and access web pages through my client's browser. Everything was going great until I restarted the server. Once again, I was able to establish a VPN connection but can no longer access web pages from my client Ubuntu laptop.

I'm going to keep fiddling around with it but any other suggestions are most welcome...

Thanks!
Re: openVPN setup script
January 01, 2011 07:40AM
Alright, so I decided to install the unmodified openvpn install script from the blog that petergunn referenced in his first post and now everything seems to work, even after multiple reboots.

Here's the workflow...

First, download and launch the script:
cd /tmp
wget http://vpsnoc.com/scripts/debian-openvpn.sh
cd /tmp
chmod +x debian-openvpn.sh
./debian-openvpn.sh

After the keys have been generated, you should copy them to your client machine. You can find them in your root directory:
scp keys.tgz username@IP_Address_of_Your_Client_Computer:~/Desktop

Now right click on the key file and extract the certificates.

Next, click on the Network Manager daemon at the top right of your screen and select: VPN Connections > Configure VPN > Add. Use the following settings and certificates:

Gateway: Your home IP Address/Domain (the URL you created with DynDNS)
Type: Certificate (TLS) 
User Certificate: client1.crt 
CA Certificate: ca.crt 
Private Key: client1.key 
Private Key Password: (leave blank) 
Advanced: (Click and check "Use LZO data compression")

Save and give it a try.
Re: openVPN setup script
January 01, 2011 07:59AM
Key differences between the original & the altered script:
Original: dhcp-option DNS 10.8.0.1
     New: dhcp-option DNS $LAN_DHCP_SERVER
I think this means the original assumes there should be a DNS proxy on the OpenVPN end-point when VPN is active. Most people (like me :-) will have a DNS proxy on their router so that's why I changed it. Either way the setting seemed to be ignored with your old config as /etc/resolv.conf didn't change when VPN was active.
Original: push "redirect-gateway"
     New: push "redirect-gateway local defl"
This should be "def1" rather than "defl" but this isn't actually used unless you use the openvpn.conf file to connect rather than the Ubuntu VPN manager. I have fixed this in the latest setup_vpn.sh
Original: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
     New: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $LAN_IFACE -j MASQUERADE
I can't see how this would work on your dockstar? Do you have a venet0 interface?

-PG



Edited 1 time(s). Last edit at 01/01/2011 08:24AM by petergunn.
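The three differences listed above are exactly the things a quick lint of the server config and the setup script's NAT rule can catch before a client ever connects. The following Python example is added here for illustration and is not part of the thread's script; the function names are mine, the list of accepted redirect-gateway flags is the one documented for OpenVPN 2.x, and the sample config and rule are constructed to reproduce the "defl" typo and the venet0 interface discussed in the post.

```python
import ipaddress
import re

# Flags documented for --redirect-gateway in OpenVPN 2.x; "defl" (the typo
# discussed in the thread) is not among them, so a client rejects the push.
REDIRECT_GATEWAY_FLAGS = {"local", "autolocal", "def1", "bypass-dhcp",
                          "bypass-dns", "block-local"}

# Constructed sample: the altered script's settings before the fix.
SAMPLE_CONF = """\
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway local defl"
comp-lzo
keepalive 10 60
"""
SAMPLE_NAT_RULE = ("iptables -t nat -A POSTROUTING -s 10.8.0.0/24 "
                   "-o venet0 -j MASQUERADE")


def _push_words(line):
    """'push "redirect-gateway local def1"' -> ['redirect-gateway', 'local', 'def1']"""
    return line[len("push"):].strip().strip('"').split()


def lint_server_conf(conf_text, nat_rule, host_ifaces):
    """Return (severity, message) findings for a server openvpn.conf plus the
    iptables MASQUERADE rule the setup script installs on the same host."""
    findings = []
    server_net = None
    dns_pushed = False

    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        words = line.split()
        if words[0] == "server" and len(words) >= 3:
            server_net = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
        elif words[0] == "push":
            pushed = _push_words(line)
            if pushed[:1] == ["redirect-gateway"]:
                for flag in pushed[1:]:
                    if flag not in REDIRECT_GATEWAY_FLAGS:
                        findings.append(("error", f"redirect-gateway flag {flag!r} is unknown; clients log an options error"))
                if "def1" not in pushed:
                    findings.append(("warning", "redirect-gateway without def1 replaces the client default route instead of overriding it"))
            elif pushed[:2] == ["dhcp-option", "DNS"] and len(pushed) == 3:
                dns_pushed = True
                # First usable address of the server subnet is the server's tunnel IP.
                if server_net and ipaddress.ip_address(pushed[2]) == server_net.network_address + 1:
                    findings.append(("info", f"DNS {pushed[2]} is the VPN server's own tunnel address, so a resolver must run on the server"))

    if not dns_pushed:
        findings.append(("warning", "no dhcp-option DNS pushed: clients keep their local resolver, so name lookups leave the tunnel"))

    iface = re.search(r"-o\s+(\S+)", nat_rule)
    if iface is None:
        findings.append(("error", "NAT rule has no -o interface"))
    elif iface.group(1).startswith("$"):
        findings.append(("error", f"NAT rule interface variable {iface.group(1)} was never expanded"))
    elif iface.group(1) not in host_ifaces:
        findings.append(("error", f"NAT rule interface {iface.group(1)!r} does not exist on this host; VPN clients get no return path"))

    src = re.search(r"-s\s+(\S+)", nat_rule)
    if src and server_net and not server_net.subnet_of(ipaddress.ip_network(src.group(1))):
        findings.append(("error", f"NAT rule source {src.group(1)} does not cover the server subnet {server_net}"))

    return findings


def has_finding(findings, severity, needle):
    """True if some finding of that severity mentions the needle text."""
    return any(s == severity and needle in msg for s, msg in findings)


if __name__ == "__main__":
    # On a Dockstar the host has eth0, not venet0 (constructed interface set).
    for severity, message in lint_server_conf(SAMPLE_CONF, SAMPLE_NAT_RULE, {"lo", "eth0", "tun0"}):
        print(f"{severity:8} {message}")
```

On a live box the interface set would come from `ip link` or `ifconfig` rather than a literal; the point of the check is that a MASQUERADE rule bound to an interface that does not exist installs without complaint and silently leaves tunnel clients with no route back.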
Re: openVPN setup script
January 02, 2011 06:29PM
Semi-off topic. Do you run ddclient or something similar on the DockStar to keep your IP address up to date?
Re: openVPN setup script
January 02, 2011 09:38PM
> I cant see how this would work on your dockstar?
> Do you have a venet0 interface?

No, my interface is eth0 but so far everything works great (I'm using OpenVPN right now to post this reply). Fyi, my router is running DD-WRT firmware. DD-WRT has Dynamic DNS support which I was originally using to update my hostname via DynDNS but I've recently installed ddclient on the Dockstar instead. Both methods seem to work well.

Anyway, thanks again for your help!
Re: openVPN setup script
January 02, 2011 09:49PM
funtoy1001 Wrote:
-------------------------------------------------------
> Semi-off topic. Do you run ddclient or something
> similar on the DockStar to keep your IP address up
> to date?

Yes, ddclient seems to work well. After you install it, the "wizard" will ask you some basic configuration questions (e.g. hostname, username and password from your Dynamic IP service). You can also edit the config file manually with:
nano /etc/ddclient.conf

Here's what my config file looks like fyi:
# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf

protocol=dyndns2
use=web, web=checkip.dyndns.com, web-skip='IP Address'
server=members.dyndns.org
login=My_Username
password='My_Password'
My_Hostname.dyndns.org
Re: openVPN setup script
January 05, 2011 09:48AM
More semi-off topic questions. If I install this, can I ssh into my DockStar remotely? What IP address will the DockStar have?
Re: openVPN setup script
January 05, 2011 07:11PM
funtoy1001 Wrote:
-------------------------------------------------------
> More semi-off topic questions. If I install this,
> can I ssh into my DockStar remotely? What IP
> address will the DockStar have?

Once VPN is connected you can ssh to your dockstar at either its LAN IP or 10.8.0.1

If the question is how can you find the public IP of your dockstar in order to connect the VPN in the first place, the answer is you need to have a hostname that you can resolve via DNS. If you don't have a hostname you can get a free one from DynDNS.

-PG
Re: openVPN setup script
January 05, 2011 07:46PM
If the DockStar takes 10.8.0.1, what about rest of the machines on my home network? Do I access them with their 192.168.1.xxx address or do they take on 10.8.0.xxx?
Re: openVPN setup script
January 05, 2011 10:53PM
Once the VPN was connected you would access them via their 192.168.1.xxx addresses. You can access the dockstar by its 192.168.1.xxx address as well as 10.8.0.1

-PG
Re: openVPN setup script
January 06, 2011 08:49AM
Almost working...
Thu Jan 06 06:42:44 2011 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Thu Jan 06 06:42:44 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Jan 06 06:42:44 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Jan 06 06:42:44 2011 LZO compression initialized
Thu Jan 06 06:42:44 2011 UDPv4 link local (bound): [undef]:1194
Thu Jan 06 06:42:44 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Thu Jan 06 06:42:44 2011 [dockstar] Peer Connection Initiated with xxx.xxx.xxx.xxx:1194
Thu Jan 06 06:42:46 2011 Options error: unknown --redirect-gateway flag: defl
Thu Jan 06 06:42:46 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: topology (2.0.9)
Thu Jan 06 06:42:46 2011 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{A....}.tap
Thu Jan 06 06:42:46 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {A....} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Thu Jan 06 06:42:46 2011 Successful ARP Flush on interface [50] {A.....}
 OK!
 OK!
 OK!
 OK!
Thu Jan 06 06:42:48 2011 Initialization Sequence Completed
Thu Jan 06 06:42:50 2011 TCP/UDP: Incoming packet rejected from 192.168.1.xx:1194[2], expected peer address: xxx.xxx.xxx.xxx:1194 (allow this incoming source address/port by removing --remote or adding --float)
Thu Jan 06 06:43:46 2011 [dockstar] Inactivity timeout (--ping-restart), restarting
 OK!
 OK!
 OK!
 OK!
Thu Jan 06 06:43:46 2011 SIGUSR1[soft,ping-restart] received, process restarting
Thu Jan 06 06:43:48 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Jan 06 06:43:48 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Jan 06 06:43:48 2011 LZO compression initialized
Thu Jan 06 06:43:48 2011 UDPv4 link local (bound): [undef]:1194
Thu Jan 06 06:43:48 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Thu Jan 06 06:43:48 2011 [dockstar] Peer Connection Initiated with xxx.xxx.xxx.xxx:1194
Thu Jan 06 06:43:49 2011 Options error: unknown --redirect-gateway flag: defl
Thu Jan 06 06:43:49 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: topology (2.0.9)
Thu Jan 06 06:43:49 2011 TAP-WIN32 device [OpenVPN] opened: \\.\Global\{A......}.tap
Thu Jan 06 06:43:49 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {A....} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Thu Jan 06 06:43:49 2011 Successful ARP Flush on interface [50] {A....}
 OK!
 OK!
 OK!
 OK!
Thu Jan 06 06:44:05 2011 Initialization Sequence Completed
The log is from a Windows laptop. When VPN is connected locally, my browsers (IE and Firefox) can't display any websites. Will try it remotely later today.


UPDATE: I removed and re-installed using the link from the blog in the OP and IE is able to browse web pages. Have not taken the laptop out of the house yet.

UPDATE 2: Took my Windows laptop to Barnes & Noble and verified VPN is working by browsing to checkmyip.com before and after VPN is established.



Edited 5 time(s). Last edit at 01/07/2011 11:19PM by funtoy1001.
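The Windows client log above carries more than the "defl" error: the "No server certificate verification method" warning means the client will accept any certificate signed by the CA as the server, and the "Incoming packet rejected ... expected peer address" line is what you see when testing from inside the LAN, because the reply comes from the Dockstar's LAN address rather than the public one. The Python example below is added here to show how to triage such a log; it is not code from the thread, the rule names and function names are mine, and the embedded excerpt is the poster's log with the addresses already masked by the poster.

```python
import re

# Excerpt of the client log from the post above (addresses masked by the poster).
CLIENT_LOG = """\
Thu Jan 06 06:42:44 2011 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Jan 06 06:42:44 2011 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Thu Jan 06 06:42:46 2011 Options error: unknown --redirect-gateway flag: defl
Thu Jan 06 06:42:46 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: topology (2.0.9)
Thu Jan 06 06:42:48 2011 Initialization Sequence Completed
Thu Jan 06 06:42:50 2011 TCP/UDP: Incoming packet rejected from 192.168.1.xx:1194[2], expected peer address: xxx.xxx.xxx.xxx:1194 (allow this incoming source address/port by removing --remote or adding --float)
Thu Jan 06 06:43:46 2011 [dockstar] Inactivity timeout (--ping-restart), restarting
Thu Jan 06 06:43:49 2011 Options error: unknown --redirect-gateway flag: defl
Thu Jan 06 06:44:05 2011 Initialization Sequence Completed
"""

# (severity, key, regex), checked in order; the first match classifies a line.
RULES = [
    ("security", "no-server-cert-check", r"No server certificate verification method"),
    ("error", "bad-redirect-gateway-flag", r"unknown --redirect-gateway flag: (\S+)"),
    ("warning", "pushed-option-unsupported", r"Unrecognized option .* in \[PUSH-OPTIONS\]:\d+: (\S+)"),
    ("warning", "peer-address-mismatch", r"Incoming packet rejected from (\S+), expected peer address: (\S+)"),
    ("warning", "ping-restart", r"Inactivity timeout \(--ping-restart\)"),
    ("info", "initialized", r"Initialization Sequence Completed"),
]

TIMESTAMP = re.compile(r"^\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} ")


def triage_client_log(text):
    """Classify each log line; returns {key: [(severity, captured groups), ...]}."""
    findings = {}
    for line in text.splitlines():
        message = TIMESTAMP.sub("", line).strip()
        for severity, key, pattern in RULES:
            match = re.search(pattern, message)
            if match:
                findings.setdefault(key, []).append((severity, match.groups()))
                break
    return findings


def summarize(findings):
    """Turn the classified lines into the actions a defender would take."""
    actions = []
    if "no-server-cert-check" in findings:
        actions.append("verify the server certificate role on the client "
                       "(ns-cert-type server on 2.0.x, remote-cert-tls server on 2.1+)")
    flags = {groups[0] for _s, groups in findings.get("bad-redirect-gateway-flag", [])}
    for flag in sorted(flags):
        actions.append(f"fix the pushed redirect-gateway flag {flag!r} in the server config")
    for _s, groups in findings.get("pushed-option-unsupported", []):
        actions.append(f"server pushes {groups[0]!r}, which this client version does not understand")
    if "peer-address-mismatch" in findings:
        actions.append("replies arrive from a different address than --remote: "
                       "expected when testing from inside the LAN, otherwise investigate")
    restarts = len(findings.get("ping-restart", []))
    if restarts:
        actions.append(f"{restarts} ping-restart(s): keepalive replies are not making it back through the tunnel")
    return actions


if __name__ == "__main__":
    for action in summarize(triage_client_log(CLIENT_LOG)):
        print("-", action)
```

The security finding is the one worth acting on first: without a server-role check, any holder of a client certificate from the same CA could impersonate the server to other clients, which is what the linked howto section is warning about.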
Re: openVPN setup script
January 06, 2011 05:43PM
> Thu Jan 06 06:43:49 2011 Options error: unknown --redirect-gateway flag: defl

Looks like the bug that MediaMind noticed. It should be "def1" rather than "defl".

It was fixed in the latest setup_vpn.sh script.

-PG
Re: openVPN setup script
May 15, 2013 10:10AM
Quick update to get this working on Ubuntu 12.04 Precise... I needed to

apt-get install openvpn network-manager-openvpn-gnome

Ubuntu doesn't seem to accept the pushed DNS settings from the server like it used to.

To make it work for now using Google's 8.8.8.8 DNS pool I selected nm-applet then...

VPN Connections > Configure VPN... > Add or Edit... > IPv4 Settings ...
Method: Automatic (VPN) Addresses Only
DNS Servers: 8.8.8.8

Didn't have to change anything on the Dockstar side (been the same for years now :-)

-PG
Re: openVPN setup script
July 10, 2013 06:03AM
Hey! Have some problems with the script. I installed it but I have no access to the local LAN or to the internet.

My current config is:

IP Dockstar: 192.168.1.2
IP Router: 192.168.1.1



Laptop:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:354 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:22962 (22.9 KB)


Dockstar:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:662 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:85872 (83.8 KiB)  TX bytes:924 (924.0 B)



From your laptop over VPN:
* can you ping your home gateway (router)?

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
^C
--- 192.168.1.1 ping statistics ---
19 packets transmitted, 0 received, 100% packet loss, time 18144ms


No.


* can you ping news.bbc.co.uk?

No.

* can you ping 212.58.244.57?

PING 212.58.244.57 (212.58.244.57) 56(84) bytes of data.
^C
--- 212.58.244.57 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9070ms


No.

* does DNS work? (i.e. nslookup www.demon.net)

No.

* does your laptop /etc/resolv.conf look like your dockstar's /etc/resolv.conf ?

Dockstar:

nameserver 192.168.1.1


Laptop:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1


No.

Here's a copy of my current openvpn.conf:

#verb 3
#log-append /var/log/openvpn.log

dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway local def1"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group daemon
daemon


Routes dockstar:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0




Routes Laptop:


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
10.2.0.0        0.0.0.0         255.255.0.0     U     9      0        0 wlan0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 tun0
178.*.*.*  10.2.0.1        255.255.255.255 UGH   0      0        0 wlan0



Thanks for your help!

EDIT:

OK, I think I know now what my problem is:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $LAN_IFACE -j MASQUERADE

Result:

iptables v1.4.14: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.



Edited 1 time(s). Last edit at 07/10/2013 08:47AM by syro.
Re: openVPN setup script
August 25, 2013 09:29PM
Another quick update to use Android Phone as VAP...

VAP: "Virtual-Access-Point" acts as a wifi hotspot and tunnels all traffic over OpenVPN through the phone's mobile data connection. This allows you to simply attach your computer, tablet, or other device without installing OpenVPN client software.

Data paths:
<LAN>---<dockstar OpenVPN server>---<router>---internet---<Android Phone>---<wifi clients>

modified dockstar /etc/openvpn/openvpn.conf
verb 3
log-append /var/log/openvpn.log
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway local def1"
push "dhcp-option DNS 8.8.8.8"
link-mtu 512
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group daemon
daemon
Note: link-mtu was required to tunnel over 3G/4G. I also added an option to push a DNS server which wasn't in the original script. Not sure if that's necessary.

Android Phone: (mine is cheap Pantech Burst running Slimrom 3.1) needs to be rooted
OpenVPN Client: OpenVPN for Android
Wifi Tether App: wifi_tether_v3_3-pre2.apk
Note: other tether apps will not work with OpenVPN tunnel due to routing/DNS issues. You may also need busybox installed.

No special config is required on OpenVPN - just use the certificates created by the dockstar setup script (I'm still using the ones generated when I created the original post). Test it's working before you start the wifi tether app.

When I start the tether app I get an error "mss clamping failed" but it all seems to work as expected and routes all data over the OpenVPN tunnel.

Wifi Tether settings to enable 128bit WEP on Pantech Burst:
Device Profile: Generic
Setup Method: WEXT(ad-hoc)
Enable Wifi-Encryption: checked
Encryption Setup method: wpa_supplicant
Routing Fix: checked
Note: depending on your Rom you may need to replace /system/bin/wpa_supplicant with the version from this thread. I downloaded from here and used Root Browser to rename the old version and copy the new version to /system/bin/ (remember to gunzip it and chmod 755).

Note: after using OpenVPN+trevE wifi tether the builtin SlimRom wifi tether will no longer work correctly until I reboot. I suspect this is due to bad routes left behind. Everything else seems fine though.

-PG



Edited 7 time(s). Last edit at 08/26/2013 08:53PM by petergunn.
Re: openVPN setup script
September 04, 2013 06:50PM
I've found my phone makes a pretty good OpenVPN Virtual Access Point but unfortunately it only tunnels over 3g/4g and won't work as a Wireless Universal Repeater which would be ideal for places like Hotel rooms or coffee shops where free wifi is available. So I picked up a TP-Link WR703n (SLBoat modified) usb-powered router that runs OpenWRT and configured that to work as a Universal Repeater with embedded OpenVPN client so that I can connect devices as if it was a regular Wireless AP but all the data goes over the OpenVPN tunnel, over the underlying Wireless client link back to my LAN at home (and then on to the Internet if needed).

It's a little off topic here since no mods were made on the Dockstar side but I can post a basic guide if anyone is interested.

-PG
Re: openVPN setup script
January 05, 2014 10:17PM
Hi, PeterGunn:
Looks like you are still active on this board.
I am recently interested in OpenVPN for the application as you described. I installed an openvpn server on Dockstar a few times including using your scripts and did some initial testing. Every time, I can ping the server (10.8.0.1) from the windows 7 notebook using Openvpn-GUI but cannot ping from Dockstar side to the client (10.8.0.6) with W7 firewall on. If I disable the notebook firewall, I can ping the client. Do you have any idea why and how to fix? I may have other questions once I tested it more but right now, this is the first problem I encountered.
Thanks in advance.
Re: openVPN setup script
January 06, 2014 06:20AM
You probably need a W7 firewall rule... see OpenVPN forum bottom post on first page

-PG
Re: openVPN setup script
January 10, 2014 12:03AM
PG:
Thanks.
It works to ping both ways now using the method you pointed me to. Thank you very much.
However, I can only ping the VPN subnet (170.17.0.x or 10.8.0.x). I cannot ping other ip numbers on my home network (192.168.2.x). I added "push "route 192.168.2.0 255.255.255.0"" in server.conf, according to Googling, but still does not work. Do you have any idea what else I should do?
- FL

Edit:
I figured out how to make it work. As shown in here, I need to execute the following two commands:
sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE
After that everything works as expected.



Edited 2 time(s). Last edit at 01/10/2014 10:08PM by twinclouds.