Tunneling your LAN into your private OpenVPN network
In this post I want to show you my OpenVPN LAN tunneling solution 📶. I wanted to access my homeserver and NAS from outside my LAN. There are many options for this problem: you could set up a dynamic DNS service, or write a script that reports the changing public IP of your router. But then you have to rely on e.g. your DynDNS provider, and.. yeah, a public IP reporting script is shitty. Cool stuff you could do? Access your NAS, use your Pi-hole to block ads, or just remote control local computers and printers.
- you need a small VPS
- I'm using the stardust instance at scaleway.com (I am not getting paid by scaleway, it is just cheap)
- a raspi, odroid or a small LXC container to run an OpenVPN client 24/7
- you may have to adjust your LAN network address
- install and configure the OpenVPN server on your VPS instance
- create the VPN users
- configure the VPN client on your raspi or LXC container
install and configure the openvpn server on your VPS instance
Well, I'm lazy and others have created some pretty nice installation scripts. I've used this one: OpenVPN Install from Angristan at github.com
- there is a lot of technical stuff involved if you want to set up a secured OpenVPN server
- if you don't have any knowledge about OpenVPN setups I recommend using this script
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
These commands download the installation script and make it executable.
The next step is to run it.
It will install and configure your OpenVPN server automatically. The setup is interactive and you can change many settings if you want. We will adjust some settings later.
create the VPN users
yourusername@yourservername:~/openvpn# ./openvpn-install.sh
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install

It looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke existing user
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]: 1

Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: ENTER_YOUR_CLIENTNAME

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 1
...
Write out database with 1 new entries
Data Base Updated

Client ENTER_YOUR_CLIENTNAME added.

The configuration file has been written to /yourusername/ENTER_YOUR_CLIENTNAME.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
Now just download your .ovpn files to your client machines. For example with:
scp yourusername@server:/PATHTOFILE ~/Downloads/CLIENT.ovpn
(you need to copy your SSH key to the server with ssh-copy-id first)
Then just import the .ovpn file and test the connection.
configure the VPN client for your LAN
In my case I'm using an LXC container on my Proxmox homeserver. I'm using an Ubuntu template for the container, so..
to set up OpenVPN in my LXC container:
sudo apt-get install openvpn
then we copy our created and downloaded .ovpn file to the server and move it to /etc/openvpn, renamed to a .conf file:
sudo cp ~/client.ovpn /etc/openvpn/vpn-gw.conf
now we activate IP forwarding and add a NAT rule to iptables:
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
to load these settings again after a reboot, create an /etc/rc.local text file and insert:
root@openvpn-client:~# cat /etc/rc.local
#!/bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
exit 0
now we enable and start our OpenVPN client service (the openvpn@ systemd template picks up /etc/openvpn/vpn-gw.conf as the instance vpn-gw):
sudo systemctl enable openvpn@vpn-gw.service
sudo systemctl start openvpn@vpn-gw.service
adjust the openvpn server settings
add the following lines to your /etc/openvpn/server.conf:
client-config-dir ccd
# optional route to your LAN from the openvpn client machine
;route 192.168.1.0 255.255.255.0
# route for all openvpn user devices
push "route 192.168.1.0 255.255.255.0"
# your pihole for example
push "dhcp-option DNS 192.168.1.1"
# some other nice dns servers
push "dhcp-option DNS 220.127.116.11"
push "dhcp-option DNS 18.104.22.168"
we also have to create the directory /etc/openvpn/ccd and a file in it named after the client (vpn-gw):
mkdir /etc/openvpn/ccd
touch /etc/openvpn/ccd/vpn-gw
vim /etc/openvpn/ccd/vpn-gw
with the following content:
# static ip for your openvpn lan client machine
ifconfig-push 10.8.0.50 255.255.255.0
# internal routing to the lan from this client
iroute 192.168.1.0 255.255.255.0
now we only have to restart the OpenVPN server:
sudo systemctl restart openvpn
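The LAN routing only works when the three pieces above agree: the static address in the ccd file must lie inside the server's tun subnet, every iroute needs a matching pushed route (and vice versa), and the MASQUERADE rule on the gateway must cover that tun subnet. As an added example, not code from the post, here is a small consistency check; the inputs are constructed from the post's values, and the server 10.8.0.0 255.255.255.0 line is assumed (the installer's default tun subnet).

```python
import ipaddress
import re

# Constructed sample input modelled on the post's setup; the "server" line is
# assumed (the installer's default tun subnet) and is not taken from the post.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
client-config-dir ccd
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
"""
CCD_VPN_GW = """\
ifconfig-push 10.8.0.50 255.255.255.0
iroute 192.168.1.0 255.255.255.0
"""
NAT_RULE = "iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE"

def directives(text):
    # Yield (name, args) for every non-comment line of an OpenVPN config.
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.replace('"', "").split()
            yield name, args

def subnet(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_lan_routing(server_conf, ccd, nat_rule):
    """Return the inconsistencies found; an empty list means the pieces agree."""
    tun, pushed, static_ip, iroutes, problems = None, set(), None, set(), []
    for name, args in directives(server_conf):
        if name == "server":
            tun = subnet(args[0], args[1])
        elif name == "push" and args[0] == "route":
            pushed.add(subnet(args[1], args[2]))
    for name, args in directives(ccd):
        if name == "ifconfig-push":
            static_ip = ipaddress.ip_address(args[0])
        elif name == "iroute":
            iroutes.add(subnet(args[0], args[1]))
    if tun and static_ip is not None and static_ip not in tun:
        problems.append(f"ifconfig-push {static_ip} is outside tun subnet {tun}")
    for lan in sorted(iroutes - pushed):
        problems.append(f"iroute {lan} is never pushed: other VPN clients get no route to it")
    for lan in sorted(pushed - iroutes):
        problems.append(f"push route {lan} has no iroute: the server can't pick the gateway client")
    m = re.search(r"-s (\S+) -j MASQUERADE", nat_rule)
    if not m or ipaddress.ip_network(m.group(1)) != tun:
        problems.append("MASQUERADE source subnet does not match the tun subnet")
    return problems
```

Point it at your real server.conf, ccd/vpn-gw and the rule from rc.local; any line it returns explains why traffic for 192.168.1.0/24 silently goes nowhere.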