OpenVPN FAQ
by on 2017-05-29

On r/OpenVPN, I see numerous posts about simple issues that people run into. I hope to tackle the most frequently asked ones here.
§ Keys and Certificate Authority
If you're using login/password authentication on your own instance, think again: passwords can be brute-forced, they're a pain to remember, and they offer nothing that certificate-based authentication doesn't.
Use certificates, and keep a CRL (crl-verify) on the server so that the certificate of a lost or stolen device can be revoked. This guide is great.
§ Reaching your LAN over the VPN
In these scenarios, you have control over the VPN server.
§ Everyone is a client
The simplest case is that you want to reach one of the other VPN clients. You only need the client-to-client directive in the server config file: without it, the server does not forward traffic between clients. With it, you (home-away) can reach the other machine, because you are both on the same VPN network. Nothing difficult here.
We can expand on this example and connect to several services across a number of hosts at different locations.
§ VPN server that you control at home
§ My router is the VPN server at home
Because your router is also the VPN server, it handles all the traffic at home: it sees the packets from your home-away client to the internal resources, and also the replies of your home devices, so it can deliver both ends correctly.
If you have issues with this setup, it's most probably firewalling: the rules that allow traffic to flow between the tunnel interface and the LAN interface.
§ My VPN server is not the router
In this scenario, you must enable port forwarding on your router: any incoming packet from the outside world (where your client is) on the OpenVPN port (udp/1194 by default) must be forwarded to your VPN server inside the LAN.
Now, what happens when you try to reach your internal network?
First, the client must be told that the home LAN is reachable over the VPN. Read the man page for the route and push directives. You should end up with something like
push "route 192.168.0.0 255.255.255.0"
inside the server configuration, where 192.168.0.0/24 is your home LAN.
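The server-side directives from the last three sections put together, as an added example (not code from the original post or from the OpenVPN project): a certificate-only server.conf with client-to-client and the pushed LAN route, plus a small pre-deployment check that refuses a config which still relies on passwords alone. The 10.8.0.0/24 tunnel subnet, the 192.168.0.0/24 LAN and the /etc/openvpn/pki paths are assumptions.

```shell
#!/bin/sh
# Added example: certificate-only OpenVPN server config with client-to-client
# and a pushed LAN route. Tunnel subnet 10.8.0.0/24, LAN 192.168.0.0/24 and the
# key paths are assumptions, not values from the original post.

# Write the server config to the file given as $1.
write_server_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun

# Certificate authentication only: the CA that signed the client certs, the
# server's own cert/key, DH params, and a CRL so revoked clients are rejected.
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key /etc/openvpn/pki/server.key
dh /etc/openvpn/pki/dh.pem
crl-verify /etc/openvpn/pki/crl.pem

# Only accept client certs issued for client use, so one client cert cannot
# be reused to impersonate the server (clients use remote-cert-tls server).
remote-cert-tls client

# Pre-shared key wrapping the TLS handshake (OpenVPN 2.4+): packets without it
# are dropped before they reach the TLS stack, which also blunts brute-forcing.
tls-crypt /etc/openvpn/pki/tc.key

# Tunnel subnet; the server itself takes 10.8.0.1.
server 10.8.0.0 255.255.255.0

# "Everyone is a client": let VPN clients reach each other.
client-to-client

# "My VPN server is not the router": tell clients the home LAN is behind the tunnel.
push "route 192.168.0.0 255.255.255.0"

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

# Sanity check before deploying: returns 0 if the config is certificate-based
# and carries the two directives this page is about, non-zero otherwise.
check_server_conf() {
    conf="$1"
    ok=0
    for d in '^ca ' '^cert ' '^key ' '^client-to-client' '^push "route '; do
        grep -Eq "$d" "$conf" || { echo "missing: $d" >&2; ok=1; }
    done
    # Password-only setup: a username/password hook combined with the directive
    # that makes the client certificate optional or unnecessary.
    if grep -Eq '^auth-user-pass-verify' "$conf" &&
       grep -Eq '^(verify-client-cert (none|optional)|client-cert-not-required)' "$conf"; then
        echo "password-only authentication enabled; use certificates" >&2
        ok=1
    fi
    return $ok
}

# Usage: write_server_conf /etc/openvpn/server.conf && check_server_conf /etc/openvpn/server.conf
```

The group name differs between distributions (nogroup on Debian-based systems, nobody on Red Hat-based ones); adjust it to what `getent group` shows on your server.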
In this setup, the client outside is connected to your internal VPN server and tries to access the home NAS. With no further configuration, this will fail: the client knows how to reach the NAS, but the NAS has no route to the VPN subnet, so it sends its replies to the home router, which drops them or sends them out to the internet.
To achieve an actual connection to inside resources, your home router must be configured to push a static route to the VPN subnet (via the VPN server's LAN address) as part of the DHCP lease. See static-routes. Note that most consumer-grade routers have a shiny web interface for this job (e.g. Netgear). If your router cannot push routes over DHCP, or your NAS ignores them, a static route on the router itself, or directly on the NAS, does the job too.
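The Linux-side plumbing for the "VPN server is not the router" setup, as an added example that is not part of the original post: the port forward on the router, IP forwarding and firewall rules on the VPN server, and the three ways of giving LAN hosts a return path to the VPN subnet. The tunnel subnet is read from the server.conf `server` line instead of being hard-coded. Interface names, 192.168.0.10 as the VPN server's LAN address and the 10.8.0.0/24 subnet are assumptions. Commands are only echoed unless APPLY=1, so the output can be reviewed before it touches a real box.

```shell
#!/bin/sh
# Added example: routing and firewall commands for an OpenVPN server that is
# not the home router. Interface names and addresses are assumptions.
# Every command goes through run(): echoed by default, executed with APPLY=1.

run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi; }

# Dotted netmask to prefix length: 255.255.255.0 -> 24.
mask2prefix() {
    bits=0
    for o in $(echo "$1" | tr . ' '); do
        case "$o" in
            255) bits=$((bits+8));; 254) bits=$((bits+7));; 252) bits=$((bits+6));;
            248) bits=$((bits+5));; 240) bits=$((bits+4));; 224) bits=$((bits+3));;
            192) bits=$((bits+2));; 128) bits=$((bits+1));; 0) ;;
            *) echo "bad netmask octet: $o" >&2; return 1;;
        esac
    done
    echo "$bits"
}

# Read "server 10.8.0.0 255.255.255.0" from server.conf and print 10.8.0.0/24,
# so the routing rules below always match what OpenVPN actually hands out.
vpn_subnet() {
    conf="$1"
    set -- $(grep -E '^server ' "$conf")
    [ -n "$2" ] && [ -n "$3" ] || { echo "no 'server' line in $conf" >&2; return 1; }
    echo "$2/$(mask2prefix "$3")"
}

# On the home router (if it runs Linux): forward udp/1194 arriving on the WAN
# interface ($1) to the internal VPN server ($2), and let the FORWARD chain pass it.
forward_vpn_port() {
    run iptables -t nat -A PREROUTING -i "$1" -p udp --dport 1194 -j DNAT --to-destination "$2:1194"
    run iptables -A FORWARD -i "$1" -p udp -d "$2" --dport 1194 -j ACCEPT
}

# On the VPN server: it must route between tun0 and the LAN interface ($1),
# which is the "it's most probably firewalling" part of the previous section.
vpn_server_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i tun0 -o "$1" -j ACCEPT
    run iptables -A FORWARD -i "$1" -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Return path for LAN hosts such as the NAS. $1 = mode, $2 = path to server.conf,
# $3 = VPN server's LAN address, $4 = VPN server's LAN interface.
#   router : static route on a Linux router (other hosts get it via DHCP
#            option 121 or an ICMP redirect, if they honour those).
#   host   : the same route added directly on the LAN host (e.g. the NAS).
#   nat    : masquerade on the VPN server itself; LAN hosts then only ever see
#            the VPN server's LAN address and need no route, but the NAS logs
#            lose the real client address.
return_route() {
    subnet=$(vpn_subnet "$2") || return 1
    case "$1" in
        router|host) run ip route add "$subnet" via "$3" ;;
        nat)         run iptables -t nat -A POSTROUTING -s "$subnet" -o "$4" -j MASQUERADE ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Usage (review first, then APPLY=1 on the right host):
#   forward_vpn_port eth0 192.168.0.10                   # on the router
#   vpn_server_forwarding eth0                           # on the VPN server
#   return_route host /etc/openvpn/server.conf 192.168.0.10 eth0   # on the NAS
```

To confirm the return path on the NAS, `ip route get 10.8.0.6` (any address in the tunnel subnet) should name the VPN server's LAN address as the next hop, not the router.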