Openvpn help

[timonoj]

Hi guys!

It's been quite a while since I last used a openvpn server...Last time (maybe 8 years ago) I still didn't have a nice router presenting a form with all the options needed. However I'm a bit confused, and seems I fail to connect my KDE laptop to the VPN...

Can you help walking me through some of the options?
-TAP/TUN. It's a single client (my KDE laptop) connecting to the VPN router, where all my homelab is. I would like to be able to reach the individual servers behind this router. Should I choose TAP, or this can be done already by TUN?
-I'll be choosing TCP for a bit more reliability (right?).
-Keys/certs...I shouldn't need to touch this unless I'd use my own...Otherwise, I'm assuming they autofill?
-User/pass authentication, I'd choose no, with the cert should be enough for me I think.
-TLS control...what do these mean? Should I just choose Encrypt Channel?
-HMAC Auhtentication? I reckon SHA512 should do...any drawbacks/better suggestion?
-Cypher negotiation? I'm a bit unsure of the option. I wouldn't like to allow fallback to a weaker cypher. Should it just be enabled?
-Compression...It chooses LZO-Adaptive by default. But I've read LZ4-v2 should provide better compression/speed vs LZO. Not sure against Adaptive. Which is best?

Can you guys give me a hand?

Thanks!

 

[L&LD]

What router do you have? What firmware version (be specific)?

The easiest way is to just use the defaults as provided and generate an OPVN file to use on your client device.

Once you have seen it work, you can continue tweaking it if necessary.

 

[timonoj]

AC68U, with firmware v384.11_2...Thanks!

 

[doczenith1]

I would recommend using the newish GCM cipher as it is faster than the older CBC cipher. With the GCM cipher the HMAC authentication is built in so you set it to none in the settings. I pretty much used the defaults with a few changes. I agree with @L&LD in that you should set up the server and then generate the OVPN file to import into your client devices.

My reason for using a VPN server on my router is mostly so I can router my traffic through my router when I am not at home to take advantage of the ad blocking on my router via the Diversion script. For that to happen you'll need to set:

Advertise DNS to clients: Yes
Client will use VPN to access: Both

It seems I remember reading in these forums that using compression over a VPN does not gain much but I could be mistaken. I'm sure someone more knowledgeable than myself will chime in with some accurate information regarding compression.

With the 68U expect around 50 Mbps of throughput via the VPN.