In this post I want to show you my OpenVPN LAN tunneling solution 📶. I wanted to access my homeserver and NAS from outside my LAN. There are many options for this problem. You could setup a dynamic DNS service or write a script to report a changing public ip from your router. But you had to rely on for e.g. your DynDNS provider and.. yeah a public ip reporting script is shitty. Cool stuff you could do? Accessing your NAS, using your piHole to block ads or just remote control local computers and printers.
- you need a small VPS
- I’m using the stardust instance at scaleway.com (I am not getting paid by scaleway, it is just cheap)
- raspi, odroid or a small LXC container to run a OpenVPN client for 24/7
- may adjust your LAN network address
- install and configure the openvpn server on your VPS instance
- create the VPN users
- configure VPN client at your raspi or LXC container
install and configure the openvpn server on your VPS instance
Well. I’m lazy and others have create some pretty nice installation scripts. I’ve used this: OpenVPN Install from Angristan at github.com
- there is many techical stuff if you want setup a secured openvpn server
- if you don’t have any knowledge about openvpn setups I recommend use this script
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
This command download the installation script and make it executeable.
The next step is to run it.
It will install and configure your openvpn server automatically. The setup is interactive and you could change many stuff if you want. We will adjust some settings later.
create the VPN users
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install
It looks like OpenVPN is already installed.
What do you want to do?
1) Add a new user
2) Revoke existing user
3) Remove OpenVPN
Select an option [1-4]: 1
Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: ENTER_YOUR_CLIENTNAME
Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 1
Write out database with 1 new entries
Data Base Updated
Client ENTER_YOUR_CLIENTNAME added.
The configuration file has been written to /yourusername/ENTER_YOUR_CLIENTNAME.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
Now just download your .ovpn files to your client maschines. For example with:
scp yourusername@server:/PATHTOFILE ~/Downloads/CLIENT.ovpn
(you need to exchange ssh keys with ssh-copy-id before)
Then just import the .ovpn file and test the connection.
configure your LAN to VPN client
In my case I’m using an LXC container at my proxmox homeserver. I’m using a Ubuntu template for the container so..
to setup openvpn in my lxc container
sudo apt-get install openvpn
than we copy our created and downloaded .ovpn file to the server and move it to:
cp ~/client.ovpn /etc/openvpn/vpn-gw.conf
now we activate ip-forwarding and some NAT-rules for iptables
sudo sysctl -w net/ipv4/ip_forward=1
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
for loading this settings after reboot create a /etc/rc.local textfile and insert:
root@openvpn-client:~# cat /etc/rc.local
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
now we start and enable our openVPN client service with:
sudo ln -s /lib/systemd/system/openvpn@.service /email@example.com
sudo systemctl start firstname.lastname@example.org
adjust the openvpn server settings
add the following lines to your /etc/openvpn/server.conf
;route 192.168.1.0 255.255.255.0 # optional route to your LAN from openvpn client maschine
push "route 192.168.1.0 255.255.255.0" # route for all openvpn user devices
push "dhcp-option DNS 192.168.1.1" # your pihole for example
push "dhcp-option DNS 22.214.171.124" # some other nice dns servers
push "dhcp-option DNS 126.96.36.199"
also we have to create the directory /etc/openvpn/ccd
ifconfig-push 10.8.0.50 255.255.255.0 # static ip for your openvpn lan client maschine
iroute 192.168.1.0 255.255.255.0 # internal routing to the lan from this client
now we only restart the openvpn server
sudo systemctl restart openvpn