VPN instructions for a newbie

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

elorimer

Very Senior Member
@elorimer - Great post! IMO this should be in the wiki for sure!

Any specific reason to not use "TLS control channel security:" ?
I kept the default; no particular reason or experience.

EDIT: I edited the post above to add tls-auth. Note the ONC format doesn't support tls-crypt yet, but the Chromebook apps do.
 
Last edited:

Centrifuge

Senior Member
6. OpenVPN by default binds to all interfaces, and therefore is listening on both the LAN side and the WAN side. It isn't clear to me why anyone would want to access the Openvpn servers from the LAN side--you already have physical access--so use the "local <ddns name>" command in the custom configuration box, which instructs OpenVPN to only bind on the WAN side. This is useful if, for example, you have pixelserv already listening on port 443 and you want one server on port 443.

@elorimer -thanks for this indispensable guide.
I've setup a vpn server as above, works great.

Minor issue when connected at home LAN on the vpn server router, ovpn client refuses to connect to the server with poll timeout errors on the client log, TLS key negotiation failed on the server log, handshake failed. Not a big deal just want to understand what the solution is.

Second more important issue, when on "free" wireless networks with vpn being blocked, your suggestion of using port 443 as a get around, I didn't understand the instructions on how to make that work when also using pixelserve on said port. My solution has been to use wireguard through Mullvad but I'm really missing the benefit of Diversion/Skynet. Can a server coexist with pixelserve or is there a different port to skirt this issue.
 

Martineau

Part of the Furniture
Can a server coexist with pixelserve [both on port 443]?
Yes
I didn't understand the instructions on how to make that work when also using pixelserve on said port.
Unless you truly need access from the LAN to the OpenVPN Server, simply add in the OpenVPN Server Custom Configuration GUI

Here is @elorimer's 'hard to understand' instruction in visual format:

upload_2019-11-14_8-41-18.png


where 'xxxxxxxxxxxxxxxx' is your DDNS name (or if you have a static IP from your ISP then use xxx.xxx.xxx.xxx)

and in Syslog you should now see an entry:
Code:
ovpn-serverX[nnnn]: UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.xxx:443
 
Last edited:

Centrifuge

Senior Member
add in the OpenVPN Server Custom Configuration GUI
Thanks for this.
Code:
local xxxxxxxxxxxxxxxxxxxx.freemyip.com
Added to both servers: server1 1194/UDP server2: 443/TCP.
Results access to server1 from both LAN and WAN, server2 polling timeout.
I tried
Code:
service start_ddns
Didn't make a difference.
Trashed the ovpn profile for server2 and re-exported fixed it, doh. Now both connect on LAN and WAN.
Working on custom ddns script. Respect.
 

Martineau

Part of the Furniture

elorimer

Very Senior Member
Trashed the ovpn profile for server2 and re-exported fixed it, doh.
Check the exported .ovpn file though. It should say "remote xxxx.freemyip.com"" and not "remote xxx.xxx.xxx.xxx" IP address. The first will cause the client to connect to the ddns address, the second will work only so long as the IP doesn't change.
 

Centrifuge

Senior Member
Check the exported .ovpn file
It shows my IP not the ddns...manual edit? I have a dynamic IP but it hasn't changed maybe ever.

Looks like the setting took though:
Code:
@RT-AC86U-AD98:/tmp/home/root# nvram show | grep ddns
ddns_enable_x=1
ddns_hostname_old=
ddns_hostname_x=xxxxxxxxxxxxxxxx.freemyip.com
ddns_hostname_x_old=
ddns_ipcheck=0
ddns_last_wan_unit=0
size: 63032 bytes (68040 left)
ddns_passwd_x=
ddns_refresh_x=21
ddns_regular_check=0
ddns_regular_period=60
ddns_return_code=ddns_query
ddns_return_code_chk=200
ddns_server_x=CUSTOM
ddns_server_x_old=
ddns_transfer=
ddns_update_by_wdog=1
ddns_username_x=
ddns_wan_unit=-1
ddns_wildcard_x=0
 
Last edited:

elorimer

Very Senior Member
Yes, manual edit. 384.6 exported the ddns address; 384.13.1 exported the IP address, and 384.14a1 is back to exporting the ddns address.

The config file tells OpenVPN where to try to make a connection; if you specify the ddns address it looks up the ddns address and then connects to that IP. When you reexported your config file, it picked up the current IP address, and you were able to connect, but if the IP changes, and the config file is coded for the old IP, you won't.
 
Last edited:

Chuckles67

Regular Contributor
Following on @martinr's notes, I thought I would put down my preferred setup. Comments welcome.
Edited 12/28/19 to clarify a few things.
Thank you for this incredibly helpful post: working through helped my remote working setup:
1) home VPN Servers on an AX-86U with 100/15
2) remote VPN Client on AC-66U_B1 (connected through LAN to the remote router; for WiFi devices without a native VPN client) or remote VPN clients on Apple devices (connected through WiFi to the remote router), also tested GL.iNet Mango router.
Both running 386.1_2

Some things in my case:

1) when several VPN clients are connecting at the same time through a single router to a single VPN Server, each client with a unique ID in the VPN Server, I needed to add this to the VPN Sever config (thanks to @eibgrad) otherwise the clients would disconnect intermittently:
Code:
username-as-common-name
I have done this for both VPN Servers on my home AX-86U router during setup before saving the .OVPN files.

2) loved the idea to setup two VPN Servers to Both, and remotely set "pull-filter ignore redirect-gateway" in a VPN client config to switch to LAN only. However I could only get it to work on MacBook OS X with Tunnelblick (not sure why but didn't work on the remote AC-66U_B1 VPN client, nor on iOS devices with Open VPN ap, nor on a GL.iNet mango router). Thus for me, I set VPN Server 1 as LAN only, and VPN Server 2 as Both.

3) the remote GL.iNet Mango router connecting to VPN Server 1 (LAN only) has no internet through the remote router/ISP: all other devices work fine on VPN Server 1 with access to home LAN and internet service through remote router/ISP. So Mango router VPN Client is set to use VPN Server 2 (BOTH).

I'll only use the Mango router for backup as using the internet speeds are half of the remote AC66U_B1/Apple devices (likely due to Mango CPU limitations), and the data connection to home LAN devices are much slower (possibly due to WiFi-N and/or Mango CPU).

4) setting Advertise DNS to Clients in the VPN Servers was helpful: all remote devices use the home router DNS (DoT) setup (otherwise Advertise DNS to Clients set off, DNS would be provided by remote ISP or Google depending on the client).

Thanks again - really helpful post!
 
Last edited:

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top