VPN instructions for a newbie

[elorimer]

@elorimer - Great post! IMO this should be in the wiki for sure!

Any specific reason to not use "TLS control channel security:" ?

I kept the default; no particular reason or experience.

EDIT: I edited the post above to add tls-auth. Note the ONC format doesn't support tls-crypt yet, but the Chromebook apps do.

 

[Centrifuge]

6. OpenVPN by default binds to all interfaces, and therefore is listening on both the LAN side and the WAN side. It isn't clear to me why anyone would want to access the Openvpn servers from the LAN side--you already have physical access--so use the "local <ddns name>" command in the custom configuration box, which instructs OpenVPN to only bind on the WAN side. This is useful if, for example, you have pixelserv already listening on port 443 and you want one server on port 443.

@elorimer -thanks for this indispensable guide.
I've setup a vpn server as above, works great.

Minor issue when connected at home LAN on the vpn server router, ovpn client refuses to connect to the server with poll timeout errors on the client log, TLS key negotiation failed on the server log, handshake failed. Not a big deal just want to understand what the solution is.

Second more important issue, when on "free" wireless networks with vpn being blocked, your suggestion of using port 443 as a get around, I didn't understand the instructions on how to make that work when also using pixelserve on said port. My solution has been to use wireguard through Mullvad but I'm really missing the benefit of Diversion/Skynet. Can a server coexist with pixelserve or is there a different port to skirt this issue.

 

[Martineau]

Can a server coexist with pixelserve [both on port 443]?

Yes

I didn't understand the instructions on how to make that work when also using pixelserve on said port.

Unless you truly need access from the LAN to the OpenVPN Server, simply add in the OpenVPN Server Custom Configuration GUI

Here is @elorimer's 'hard to understand' instruction in visual format:

where 'xxxxxxxxxxxxxxxx' is your DDNS name (or if you have a static IP from your ISP then use xxx.xxx.xxx.xxx)

and in Syslog you should now see an entry:

ovpn-serverX[nnnn]: UDPv4 link local (bound): [AF_INET]xxx.xxx.xxx.xxx:443

 

[Centrifuge]

add in the OpenVPN Server Custom Configuration GUI

Thanks for this.

local xxxxxxxxxxxxxxxxxxxx.freemyip.com

Added to both servers: server1 1194/UDP server2: 443/TCP.
Results access to server1 from both LAN and WAN, server2 polling timeout.
I tried

service start_ddns

Didn't make a difference.
Trashed the ovpn profile for server2 and re-exported fixed it, doh. Now both connect on LAN and WAN.
Working on custom ddns script. Respect.

 

[Martineau]

Working on custom ddns script.

For fame and prosperity, don't forget to add your working DDNS script here

 

[elorimer]

Trashed the ovpn profile for server2 and re-exported fixed it, doh.

Check the exported .ovpn file though. It should say "remote xxxx.freemyip.com"" and not "remote xxx.xxx.xxx.xxx" IP address. The first will cause the client to connect to the ddns address, the second will work only so long as the IP doesn't change.

 

[Centrifuge]

Check the exported .ovpn file

It shows my IP not the ddns...manual edit? I have a dynamic IP but it hasn't changed maybe ever.

Looks like the setting took though:

@RT-AC86U-AD98:/tmp/home/root# nvram show | grep ddns
ddns_enable_x=1
ddns_hostname_old=
ddns_hostname_x=xxxxxxxxxxxxxxxx.freemyip.com
ddns_hostname_x_old=
ddns_ipcheck=0
ddns_last_wan_unit=0
size: 63032 bytes (68040 left)
ddns_passwd_x=
ddns_refresh_x=21
ddns_regular_check=0
ddns_regular_period=60
ddns_return_code=ddns_query
ddns_return_code_chk=200
ddns_server_x=CUSTOM
ddns_server_x_old=
ddns_transfer=
ddns_update_by_wdog=1
ddns_username_x=
ddns_wan_unit=-1
ddns_wildcard_x=0

 

[elorimer]

Yes, manual edit. 384.6 exported the ddns address; 384.13.1 exported the IP address, and 384.14a1 is back to exporting the ddns address.

The config file tells OpenVPN where to try to make a connection; if you specify the ddns address it looks up the ddns address and then connects to that IP. When you reexported your config file, it picked up the current IP address, and you were able to connect, but if the IP changes, and the config file is coded for the old IP, you won't.

 

[Chuckles67]

Following on @martinr's notes, I thought I would put down my preferred setup. Comments welcome.

Edited 12/28/19 to clarify a few things.

Thank you for this incredibly helpful post: working through helped my remote working setup:
1) home VPN Servers on an AX-86U with 100/15
2) remote VPN Client on AC-66U_B1 (connected through LAN to the remote router; for WiFi devices without a native VPN client) or remote VPN clients on Apple devices (connected through WiFi to the remote router), also tested GL.iNet Mango router.
Both running 386.1_2

Some things in my case:

1) when several VPN clients are connecting at the same time through a single router to a single VPN Server, each client with a unique ID in the VPN Server, I needed to add this to the VPN Sever config (thanks to @eibgrad) otherwise the clients would disconnect intermittently:

username-as-common-name

I have done this for both VPN Servers on my home AX-86U router during setup before saving the .OVPN files.

2) loved the idea to setup two VPN Servers to Both, and remotely set "pull-filter ignore redirect-gateway" in a VPN client config to switch to LAN only. However I could only get it to work on MacBook OS X with Tunnelblick (not sure why but didn't work on the remote AC-66U_B1 VPN client, nor on iOS devices with Open VPN ap, nor on a GL.iNet mango router). Thus for me, I set VPN Server 1 as LAN only, and VPN Server 2 as Both.

3) the remote GL.iNet Mango router connecting to VPN Server 1 (LAN only) has no internet through the remote router/ISP: all other devices work fine on VPN Server 1 with access to home LAN and internet service through remote router/ISP. So Mango router VPN Client is set to use VPN Server 2 (BOTH).

I'll only use the Mango router for backup as using the internet speeds are half of the remote AC66U_B1/Apple devices (likely due to Mango CPU limitations), and the data connection to home LAN devices are much slower (possibly due to WiFi-N and/or Mango CPU).

4) setting Advertise DNS to Clients in the VPN Servers was helpful: all remote devices use the home router DNS (DoT) setup (otherwise Advertise DNS to Clients set off, DNS would be provided by remote ISP or Google depending on the client).

Thanks again - really helpful post!

 

[elorimer]

2) loved the idea to setup two VPN Servers to Both, and remotely set "pull-filter ignore redirect-gateway" in a VPN client config to switch to LAN only. However I could only get it to work on MacBook OS X with Tunnelblick (not sure why but didn't work on the remote AC-66U_B1 VPN client, nor on iOS devices with Open VPN ap, nor on a GL.iNet mango router). Thus for me, I set VPN Server 1 as LAN only, and VPN Server 2 as Both.

3) the remote GL.iNet Mango router connecting to VPN Server 1 (LAN only) has no internet through the remote router/ISP: all other devices work fine on VPN Server 1 with access to home LAN and internet service through remote router/ISP. So Mango router VPN Client is set to use VPN Server 2 (BOTH).

I'll only use the Mango router for backup as using the internet speeds are half of the remote AC66U_B1/Apple devices (likely due to Mango CPU limitations), and the data connection to home LAN devices are much slower (possibly due to WiFi-N and/or Mango CPU).

GL-inet's routers are a bit of a work in progress for this still in 2024. For some reason they do not process pull-filter commands. Part of that is that they are trying out their own VPN policies. While those include allowing the configuration file to control, that isn't working.

 

[elorimer]

Extending this slightly to cover setting up a site-to-site connection between two Merlin routers:

1. On the openvpn server that will handle the site to site connection, create a username/password specifically for the openvpn site-to-site client. Insert into the custom configuration box

username-as-common-name

This is so the client can be distinguished from any other client connecting to the server. Make sure the server is set to LAN or BOTH. When the client connects, any machine on its own LAN will be able to reach any machine on the server's LAN.
2. On the openvpn server advanced settings, set "manage client-specific settings" to "yes". This will expose additional settings.
3. Under "Allowed Clients", create an entry for the username for the openvpn client, and enter its LAN network, in the form of 192.168.xx.0/255.255.255.0; set push to "no" since the client doesn't need to have a route to its own LAN. This will allow any machine on the server's LAN to reach any machine on the client's LAN (with the change noted below), but won't allow any other client connecting to the server to see any machine on the client's LAN.
4. Set "allow client <> client" to yes if you want any other client connecting to the server to reach the client's LAN, or if you will have a site to site setup for three or more sites.
5. On the client router, set "inbound firewall" to "no", so machines on the server LAN can reach machines on the client LAN; note that individual machines may have a firewall setting too, that prevents access from machines not on the client LAN.
6. On the client router, set "create NAT" to 'no'; we don't need this. Set redirect traffic through tunnel to "no"; this will mean that internet traffic from the client LAN will go out through its own ISP in a split configuration. You usually want this because both LANs are presumably under your control, and you don't want to limit your internet download speeds to the upload speed of the server's ISP. However, if you want specific machines to go out from the server's internet connection (like geolocating an Android TV box), then set this to VPN Director and create a rule for that device.