Tunneling your LAN into your private OpenVPN network
Intro:
In this post I want to show you my OpenVPN LAN tunneling solution 📶. I wanted to access my home server and NAS from outside my LAN. There are many options for this problem: you could set up a dynamic DNS service or write a script that reports your router's changing public IP. But then you have to rely on your DynDNS provider, and.. yeah, a public IP reporting script is shitty. Cool stuff you could do with it? Access your NAS, use your Pi-hole to block ads, or just remote control local computers and printers.
requirements
- you need a small VPS
- I'm using the stardust instance at scaleway.com (I am not getting paid by scaleway, it is just cheap)
- a Raspberry Pi, ODROID or a small LXC container to run an OpenVPN client 24/7
- you may need to adjust your LAN network address
setup
- install and configure the openvpn server on your VPS instance
- create the VPN users
- configure the VPN client on your Raspberry Pi or LXC container
install and configure the openvpn server on your VPS instance
Well, I'm lazy and others have created some pretty nice installation scripts. I've used this one: OpenVPN Install from Angristan at github.com
- there is a lot of technical detail involved if you want to set up a secured OpenVPN server
- if you don't have any knowledge about OpenVPN setups I recommend using this script
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
These commands download the installation script and make it executable. The next step is to run it.
./openvpn-install.sh
It will install and configure your OpenVPN server automatically. The setup is interactive and you can change many settings if you want. We will adjust some settings later.
create the VPN users
yourusername@yourservername:~/openvpn# ./openvpn-install.sh
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install
It looks like OpenVPN is already installed.
What do you want to do?
1) Add a new user
2) Revoke existing user
3) Remove OpenVPN
4) Exit
Select an option [1-4]: 1
Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: ENTER_YOUR_CLIENTNAME
Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 1
...
Write out database with 1 new entries
Data Base Updated
Client ENTER_YOUR_CLIENTNAME added.
The configuration file has been written to /yourusername/ENTER_YOUR_CLIENTNAME.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
Now just download your .ovpn files to your client machines. For example with:
scp yourusername@server:/PATHTOFILE ~/Downloads/CLIENT.ovpn
(you need to exchange ssh keys with ssh-copy-id before)
Then just import the .ovpn file and test the connection.
configure your LAN-to-VPN client
In my case I'm using an LXC container on my Proxmox home server. I'm using an Ubuntu template for the container, so..
to set up OpenVPN in my LXC container:
sudo apt-get install openvpn
then we copy the .ovpn file we created and downloaded onto the container and put it in place as the OpenVPN config:
sudo cp ~/client.ovpn /etc/openvpn/vpn-gw.conf
now we activate IP forwarding and some NAT rules for iptables (traffic from the VPN subnet 10.8.0.0/24 is masqueraded behind the container's LAN address on eth0, so LAN devices answer to the container and need no route of their own):
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
to load these settings after a reboot, create the text file /etc/rc.local (it has to be executable, chmod +x /etc/rc.local, otherwise systemd's rc-local service ignores it) and insert:
root@openvpn-client:~# cat /etc/rc.local
#!/bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
exit 0
now we enable our OpenVPN client service so it comes up at boot, and start it (the openvpn@.service template shipped with the Ubuntu package reads /etc/openvpn/vpn-gw.conf for the instance name vpn-gw):
sudo systemctl enable openvpn@vpn-gw.service
sudo systemctl start openvpn@vpn-gw.service
adjust the openvpn server settings
add the following lines to your /etc/openvpn/server.conf (OpenVPN treats lines starting with ; or # as comments):
client-config-dir ccd
# optional: kernel route on the server itself to your LAN via the tun interface
;route 192.168.1.0 255.255.255.0
# route for all OpenVPN user devices
push "route 192.168.1.0 255.255.255.0"
# your Pi-hole, for example
push "dhcp-option DNS 192.168.1.1"
# some other nice DNS servers
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
Uncomment the route line if the VPN server itself should reach the LAN, or if client-to-client is not set in server.conf: without client-to-client, traffic from the other VPN users is handed to the server's kernel, which needs that route to send it back into the tunnel towards the LAN client.
also we have to create the directory /etc/openvpn/ccd and, inside it, a file named exactly like the client certificate's common name (the client name you entered in the install script, here vpn-gw):
sudo mkdir /etc/openvpn/ccd
sudo vim /etc/openvpn/ccd/vpn-gw
# static IP for your OpenVPN LAN client machine
ifconfig-push 10.8.0.50 255.255.255.0
# internal routing to the LAN from this client
iroute 192.168.1.0 255.255.255.0
now we just restart the OpenVPN server (if the install script created an instance unit instead, find its name with systemctl list-units 'openvpn*' and restart that one):
sudo systemctl restart openvpn
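As an added example (not code from the post or from the install script), here is a small Python check that parses the server.conf additions and the ccd file from this post and reports the mismatches that silently break such a setup: an iroute without the matching pushed route, a missing server-side route when client-to-client is not enabled, a LAN that overlaps the VPN subnet, and a static client IP outside the server network. The sample config texts are constructed; the 10.8.0.0/24 server network is taken from the NAT rule above and the server directive line is assumed.

```python
import ipaddress
import shlex

# Constructed sample inputs using the values from the post (10.8.0.0/24 from the NAT rule).
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
client-config-dir ccd
;route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
"""
CCD_VPN_GW = """
ifconfig-push 10.8.0.50 255.255.255.0
iroute 192.168.1.0 255.255.255.0
"""

def parse(text):
    """Yield (directive, args); ';'/'#' lines are comments, push args are split."""
    for line in text.splitlines():
        parts = shlex.split(line.strip(), comments=True)
        if parts and parts[0].startswith(";"):
            continue
        if parts and parts[0] == "push":
            parts = ["push"] + " ".join(parts[1:]).split()
        if parts:
            yield parts[0], parts[1:]

def net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def check(server_text, ccd_text):
    """Return the list of inconsistencies between server.conf and one ccd file."""
    server, ccd = list(parse(server_text)), list(parse(ccd_text))
    vpn = [net(*a[:2]) for d, a in server if d == "server"]
    pushed = [net(*a[1:3]) for d, a in server if d == "push" and a[0] == "route"]
    kernel = [net(*a[:2]) for d, a in server if d == "route"]
    c2c = any(d == "client-to-client" for d, _ in server)
    problems = []
    for d, a in ccd:
        if d == "iroute":
            lan = net(*a[:2])
            if lan not in pushed:  # other VPN clients would never send LAN traffic
                problems.append(f'iroute {lan} has no matching push "route"')
            if not c2c and lan not in kernel:  # kernel needs a route back into tun
                problems.append(f"no server-side 'route {lan}' and no client-to-client")
            if any(lan.overlaps(v) for v in vpn):
                problems.append(f"LAN {lan} overlaps the VPN subnet")
        elif d == "ifconfig-push" and not any(ipaddress.IPv4Address(a[0]) in v for v in vpn):
            problems.append(f"ifconfig-push {a[0]} is outside the VPN subnet")
    return problems
```

Run as-is it flags the commented-out route line from the post; uncommenting it or adding client-to-client makes the check pass.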