Re: Need Some Help Configuring OpenVPN

Author: Michael Butash via PLUG-discuss
Date:  
To: Main PLUG discussion list
CC: Michael Butash, Mark Phillips
Subject: Re: Need Some Help Configuring OpenVPN
Some comments:

> 1. I believe the client.ovpn file goes into /etc/openvpn/clients - correct?
This is variable, depending on how you use your client. I'd say 99% of the
time you'll want to use NetworkManager to do so, install the
network-manager ovpn plugin and reproduce those settings as these are
outside those client configurations.

> I use Cox as my Internet provider, so the remote xxxxx.hopto.org yyyyy should
> take care of my changing IP from Cox. Is that correct? I have an account
> with no-ip to track my changing IP from Cox.
As long as dynamic dns is updating no-ip record, it should, but test with
your IP directly if DNS isn't resolving for some reason.

> Should proto also have TCP?

Use UDP normally, TCP over TCP is never a good thing (think duplication of
syn/ack behavior).

> What should I call this file? Is it enabled by default since it is in
> the clients folder?
This is normally used when daemonizing client in the OS, such as a
persistent gateway connection (I do this with my firewall, opnsense to
forward selective traffic out my Internet VPN). You'll want to normally
use NetworkManager as stated above, which uses its own configuration stack.

> 2. Do I need to set up any special routes on my router to get from the
> outside to my server on port 22 for ssh?

When connecting to your router, connect to the internal IP of the router
(i.e. 192.168.1.1 or whatever), or set up internal DNS for it.

> 3. In the gnome settings panel there is a VPN drop down under
> networking. Do I have to do anything with that?
No idea, haven't used gnome since gnome3 ruined it. Just use
NetworkManager, it will give you a wizard for setting up openvpn as a
client, and give you an easy task menu icon to turn on/off as any vpn cisco
or other.

> 4. What command do I use to connect to my server using the vpn? I don't
> want to use the VPN when I am on my network at home, just when I travel.
Yet again, use NetworkManager as your client, unless you really want to
invoke it via cli or as a daemon automatically, but these are likely NOT
your use cases.

Another comment re: certificates, not sure how your router contraption
handles ovpn and certificates, you really need a basic Certificate
Authority, and not sure most handle this well. When I've used ovpn on my
netgear with ddwrt, I used TinyCA to create my own CA trust chain certs
<https://opsec.eu/src/tinyca/>, and generate per-client certs based on
that. Unless your router is handling the CA and client certificate
creation reasonably, I'd suggest looking at tinyca as well, and just add
the appropriate cert portions in the server and client configs.

TL;DR - Any more, unless you're a legacy enterprise stuck in your ways luvin
vpn long time and not up on networking, I'd look at using Zerotier or
Tailscale these days. I just helped a partner in this same boat trying to
get his accountants into his QuickBooks server, confused over setting up
even a Cisco Meraki VPN, and rather than even try to troubleshoot Meraki
garbage, I just set him up in a half hour using Zerotier, connected up two
of his own boxes, and the rest of his team easily himself in the next
hour. No fuss, no muss.

Think of it as VPN without a gateway, rather persistent always-on VPN
between hosts a la software-defined networking magic, if you want to connect
to your router only, assuming it has or can install Zerotier on it
(opnsense, ddwrt/openwrt do) that is easy, or before my router could do
Zerotier direct, just connect to another box on my zerotier network at
home, and bounce off that as a bastion host.

Someone else mentioned Zerotier here recently - it's money!

HTH!

-mb


On Fri, May 19, 2023 at 8:47 AM Mark Phillips via PLUG-discuss wrote:

> I know there are a lot of articles about configuring OpenVPN on the
> Internet, but I am having trouble finding one that fits my situation. I
> believe I have all the pieces, just not sure how to put them all together.
>
> I have a Ubuntu 22.04 laptop connected to my local network with OpenVPN
> installed. I have another Ubuntu 22.04 server on the same network. When I
> travel, I would like to access the server over ssh. My router has OpenVPN
> installed by default, so that seems to be a good solution. I downloaded the
> preconfigured client .ovpn file from the router.
>
> 1. I believe the client.ovpn file goes into /etc/openvpn/clients - correct?
> The client file has this configuration, and then a lot of certificates:
> client
> dev tun
> proto udp
> remote xxxxx.hopto.org yyyyy #
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> I use Cox as my Internet provider, so the remote xxxxx.hopto.org yyyyy should
> take care of my changing IP from Cox. Is that correct? I have an account
> with no-ip to track my changing IP from Cox.
> Should proto also have TCP?
> What should I call this file? Is it enabled by default since it is in the
> clients folder?
>
> 2. Do I need to set up any special routes on my router to get from the
> outside to my server on port 22 for ssh?
>
> 3. In the gnome settings panel there is a VPN drop down under networking.
> Do I have to do anything with that?
>
> 4. What command do I use to connect to my server using the vpn? I don't
> want to use the VPN when I am on my network at home, just when I travel.
>
> Thanks for your help!
>
> Mark
> ---------------------------------------------------
> PLUG-discuss mailing list:
> To subscribe, unsubscribe, or to change your mail settings:
> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
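Added example, not code from either poster or from OpenVPN: a small POSIX shell lint that reads a client .ovpn file and reports on the points raised in the reply above (UDP rather than TCP, a usable "remote HOST PORT" line, and a CA plus a per-client credential as the certificate discussion asks for). One check goes beyond the thread: "remote-cert-tls server", which makes the client accept only a certificate issued as a server certificate rather than any certificate the CA has signed. Both sample configs are constructed here; the host placeholder "xxxxx.hopto.org" and the port placeholder "yyyyy" are taken from the quoted message, and the PEM blocks contain placeholder text rather than real key material.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN: lint a client .ovpn
# file for the points raised above. Both sample configs are constructed and use
# placeholder text where real PEM material would be.

# ovpn_get FILE DIRECTIVE: print the value of the first DIRECTIVE line (empty if
# absent), after stripping "# ..." comments like the one on the quoted remote line.
ovpn_get() {
  awk -v d="$2" '
    { sub(/[ \t]*[#;].*$/, "") }
    $1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# ovpn_has FILE DIRECTIVE: succeed if DIRECTIVE appears at all (a bare
# "auth-user-pass" has no value, so ovpn_get alone cannot detect it).
ovpn_has() { grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"; }

# ovpn_has_block FILE NAME: succeed if an inline <NAME> ... </NAME> block exists.
ovpn_has_block() { grep -q "^<$2>" "$1" && grep -q "^</$2>" "$1"; }

# ovpn_lint FILE: one finding per line; exit status is the number of problems.
ovpn_lint() {
  f="$1"; problems=0
  # 1. Transport: the reply's advice is UDP; TCP means TCP-over-TCP retransmits.
  proto=$(ovpn_get "$f" proto)
  case "${proto:-udp}" in
    udp|udp4|udp6) echo "ok:   proto ${proto:-udp (default)}" ;;
    tcp*) echo "warn: proto $proto runs TCP over TCP; prefer udp"; problems=$((problems + 1)) ;;
    *)    echo "warn: unrecognised proto '$proto'"; problems=$((problems + 1)) ;;
  esac
  # 2. Endpoint "remote HOST [PORT [PROTO]]": the quoted config still has the
  #    placeholder port "yyyyy", which this check catches.
  remote=$(ovpn_get "$f" remote)
  host=${remote%% *}; rest=${remote#"$host"}; port=${rest# }; port=${port%% *}
  if [ -z "$host" ]; then
    echo "warn: no remote directive"; problems=$((problems + 1))
  elif [ -n "$port" ] && ! echo "$port" | grep -Eq '^[0-9]+$'; then
    echo "warn: remote port '$port' is not a number"; problems=$((problems + 1))
  else
    echo "ok:   remote $host port ${port:-1194 (default)}"
  fi
  # 3. Trust anchor: the CA the reply says you need, inline or by file name.
  if ovpn_has_block "$f" ca || ovpn_has "$f" ca; then
    echo "ok:   CA certificate present"
  else
    echo "warn: no CA certificate (inline <ca> block or 'ca' directive)"; problems=$((problems + 1))
  fi
  # 4. Client credential: per-client cert and key, or username/password auth.
  if { ovpn_has_block "$f" cert && ovpn_has_block "$f" key; } \
     || { ovpn_has "$f" cert && ovpn_has "$f" key; } || ovpn_has "$f" auth-user-pass; then
    echo "ok:   client credential present"
  else
    echo "warn: no client cert/key or auth-user-pass"; problems=$((problems + 1))
  fi
  # 5. Not raised in the thread: without this a client accepts any certificate
  #    the CA issued (another client's, say) as the server.
  if [ "$(ovpn_get "$f" remote-cert-tls)" = "server" ]; then
    echo "ok:   remote-cert-tls server"
  else
    echo "warn: add 'remote-cert-tls server' so only a server certificate is accepted"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Constructed sample 1: the quoted config, port filled in, credentials inline.
GOOD_OVPN=$(mktemp)
cat >"$GOOD_OVPN" <<'EOF'
client
dev tun
proto udp
remote xxxxx.hopto.org 1194 # host placeholder from the thread, port constructed
remote-cert-tls server
<ca>
PLACEHOLDER-CA-NOT-A-REAL-CERTIFICATE
</ca>
<cert>
PLACEHOLDER-CLIENT-CERT
</cert>
<key>
PLACEHOLDER-CLIENT-KEY
</key>
EOF

# Constructed sample 2: TCP, placeholder port left in, no CA, no server check.
BAD_OVPN=$(mktemp)
cat >"$BAD_OVPN" <<'EOF'
proto tcp
remote xxxxx.hopto.org yyyyy #
auth-user-pass
EOF

ovpn_lint "$GOOD_OVPN" || echo "$? problem(s) in $GOOD_OVPN"
ovpn_lint "$BAD_OVPN"  || echo "$? problem(s) in $BAD_OVPN"
```

The lint deliberately does not resolve the dynamic-DNS name, so it runs offline; whether no-ip is actually tracking the home address is a runtime question, and the reply's suggestion of testing against the literal IP still applies. Once a file passes, the NetworkManager route the reply recommends can be taken from the command line with `nmcli connection import type openvpn file client.ovpn`, which creates the same connection the GUI wizard would.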

---------------------------------------------------
PLUG-discuss mailing list:
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss