Setting up OpenVPN was a real PIA for a number of reasons DNS, crap documentation, and general issues with vpn clients. <\/p>\n
My working notes are below:<\/p>\n
Install OPENVPN from tar.gz or apt-get install…
\nGenerate key’s etc (tons of other tutorials on that)<\/p>\n
Prelim info<\/strong> As we don’t want to have routing issues, I set openvpn to use the 10.x range for any vpn connections. I also force clients to use our DNS server (more on that later), as China does some DNS lookup interceptions which break stuff if you are using a tunnel. I also don’t use openvpn on the standard port 1194, as I was seeing mysterious tcp resets when using the common vpn ports. Amazing how that happens in China. Lastly, I’ve put in on port 8080 for our users, as this seems to work without issue. <\/p>\n To do all that, I created an openvpn.conf file with the following:<\/p>\n (You can read the standard install stuff for your own key generation)<\/p>\n Next we need to tell our server to route stuff appropriately for vpn traffic<\/p>\n (You’ll need to change the 10.1.0.0 to your actual vpn user subnet if you change in the openvpn.conf)<\/p>\n OpenVPN should start, and be connectable.<\/p>\n My client config looks approximately something like this:<\/p>\n my.crt, my.key, ca.crt should be copied \/ generated from the server, and copied over to the client machine. You should be able to connect now and ping remotely with that. For the longest time I couldn’t get this working, despite me reading and re-reading the doc’s.<\/p>\n We use dnscache for dns lookups on our servers. DNS Cache allegedly allows lookups from other ip addresses by sticking whats allowed into \/etc\/dnscache\/root\/ip<\/p>\n This wasn’t working at all.<\/p>\n Eventually I twigged that dnscache binds to one ip address, and ignores the others, which is why local lookups worked, but tunnel started ones didn’t.<\/p>\n Took me a while to see that though. Was only when I did an nmap 10.1.0.1 and saw port 53 was closed, that I realised, despite the misleading fscking documentation which says “just add the ip address for the computers allowed to connect” to the dnscachefolder\/root\/ip, you really need to bind it to all the ports you will want lookups to work for.<\/p>\n I ended up making another dnscache specifically for our tun address on 10.1.0.1, and telling it to allow queries from the actual server ip 66.x, and from 10.x, *then* it started working.<\/p>\n Hours of fun and joy.<\/p>\n Worth it though, I can now connect to bookface and toobyou, yay!<\/p>\n","protected":false},"excerpt":{"rendered":" Setting up OpenVPN was a real PIA for a number of reasons DNS, crap documentation, and general issues with vpn clients. My working notes are below: Install OPENVPN from tar.gz or apt-get install… Generate key’s etc (tons of other tutorials on that) Prelim info My vpn server has a static ip address, in the 66.xx […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[25],"tags":[146,145],"class_list":["post-286","post","type-post","status-publish","format-standard","hentry","category-technical-mumbo-jumbo","tag-dnscache","tag-openvpn"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/286","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/comments?post=286"}],"version-history":[{"count":1,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/286\/revisions"}],"predecessor-version":[{"id":287,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/286\/revisions\/287"}],"wp:attachment":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/media?parent=286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/categories?post=286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/tags?post=286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nMy vpn server has a static ip address, in the 66.xx range. Our local client machines use a 192.x range (typically).
\nI setup a tun address for 10.1.0.1 for the server.<\/p>\n
\n(Essentially all clients connected to the openvpn ip will get a 10.1.0.x address).<\/p>\nport 8080
\n#proto tcp
\n#dev tun
\nproto udp
\ndev tap
\nca keys\/ca.crt
\ncert keys\/server.crt
\nkey keys\/server.key
\ndh keys\/dh1024.pem
\nserver 10.1.0.0 255.255.255.0
\nifconfig-pool-persist ipp.txt
\nkeepalive 10 120
\ncomp-lzo
\nuser nobody
\ngroup users
\npersist-key
\npersist-tun
\nstatus \/var\/log\/openvpn-status.log
\nverb 3
\nclient-to-client
\npush \"redirect-gateway\"
\npush \"dhcp-option DNS 10.1.0.1\"
\nlink-mtu 1456
\nmssfix 1412
\ncipher AES-256-CBC<\/code><\/p>\necho 1 > \/proc\/sys\/net\/ipv4\/ip_forward
\niptables -A INPUT -p udp --dport 8080 -j ACCEPT
\niptables -A INPUT -i tun+ -j ACCEPT
\niptables -A FORWARD -i tun+ -j ACCEPT
\niptables -A INPUT -i tap+ -j ACCEPT
\niptables -A FORWARD -i tap+ -j ACCEPT
\niptables -t nat -A POSTROUTING -s 10.1.0.0\/24 -o eth0 -j MASQUERADE<\/code><\/p>\nclient
\ndev tap
\nproto udp
\nremote mysupersekritvpnserver.com 8080
\ncomp-lzo
\nverb 3
\nmute 20
\nnobind
\npersist-key
\npersist-tun
\ncipher AES-256-CBC
\nca ca.crt
\ncert my.crt
\nkey my.key<\/code><\/p>\n
\nmysupersekritvpnserver.com should be changed to your server name.
\nWe use Mac’s mostly, so we use tunnelblick, copy that config in, check the “Set NameServer” box in Details.<\/p>\n
\nNext, we need to setup DNS<\/p>\nWhich is not clearly mentioned in any documentation I saw on the net.<\/ul>\n