# [SOLVED] Need help to configure a VPN server

## alex6

Hi, I have looked for documentation about configuring a VPN server but didn't find anything on gentoo wiki.

My goal would be to use 2 computers, one server on Gentoo and a client on Debian, from a distant connection and make the applications think they are in a LAN.

I installed OpenVPN on both machines, but I really have no idea how to configure it! (I'm a bit of a noob about network things...)

I followed this guide: http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAV

But it seems it doesn't really explain how to configure a server...

I added the TUN module to my kernel and modprobed it, but now, what am I supposed to do?

I found this thread but it seems a bit old, maybe it's outdated? https://forums.gentoo.org/viewtopic-t-538662-start-0.html

I have no idea what these commands on that last link would do and also what I should replace from the examples of configuration...

Any help would be appreciated :)

Last edited by alex6 on Mon Aug 12, 2013 7:04 am; edited 1 time in total

----------

## gerdesj

To help point you in the right direction, though there really are a huge amount of docs out there.

You can use a pre-shared key rather than the full SSL/TLS thing with easy-rsa or whatever, which will make starting up a lot easier! Generate one like this:

```
# openvpn --genkey --secret mysecret.key
```

Gentoo specific stuff:

The init script is clever and allows multiple tunnels. Decide on a name for the tunnel, e.g. FRED:

```
# ln -s /etc/init.d/openvpn /etc/init.d/openvpn.FRED
```

Now create your config as /etc/openvpn/FRED.conf and start it:

```
# /etc/init.d/openvpn.FRED start
```

Keep it simple at first and add features later.

You will need different network address ranges locally and remotely, otherwise direct routing won't work.

If your network and the remote one have the same range then all you will be able to do is "tether" each machine to the other one via the tunnel network.

If your machines are not the routers for their respective subnets then you will need to look into NATting to get site to site working properly.

You don't give much detail so I can't be more specific. I run a lot of OpenVPN tunnels in one form or another but I can't read minds 8)

Cheers

Jon

----------

## alex6

Well thanks for these explanations.

I used the following config file:

```
port 9000
proto udp
dev tun
mode server
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/server.crt
key /usr/share/openvpn/easy-rsa/keys/server.key
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
server <network range> 255.255.255.0 # for example 192.168.139.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-auth ta.key 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
duplicate-cn
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
```

But the problem now is to know what to replace "network range" with...

```
# /etc/init.d/openvpn.server start
```

fails to start because of this...

> You don't give much detail so I can't be more specific. I run a lot of OpenVPN tunnels in one form or another but I can't read minds

Well, if you want to understand a bit more: what I could try to do with that is, for example, being able to play old games that work only on a LAN, but over an internet connection with someone else.

The idea is to make the game think it is on a LAN.

That's why I don't really need a complicated config, only a simple one.

The other point I can't understand is how to use that new net interface to make the apps use it? A dhclient on that interface name would cut my internet, right?

And what will the client have to do to make his application (for example a game) connect to my VPN server, does he also need to set up a new net interface too?

----------

## gerdesj

You actually make up the server <network range>!

This range is purely a fiction and is implemented as a sort of virtual subnet to glue together the routing.

I would pick a random 10.x.y.0/24 range so that it stands out amongst 192.168.whatever subnets. The opposite is true as well, i.e. use 192.168.x/24 for 10.x.y real LANs. It makes tracking through Wireshark and logging easier on the eyes.

Your server will become .1 and the clients will get addresses from the range. You can literally use any range you like but I recommend a /24. The minimum is /30: one for the network, one for broadcast, one for the server and one address remaining for one client.

If you are not sure what I am on about then stick in:

```
server 10.33.44.0 255.255.255.0
```

You are nearly there ...

Cheers

Jon

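As an added illustration of the two points above (alex6's config still containing the `<network range>` placeholder, and Jon's way of counting client addresses in the range), here is a small linter for an OpenVPN server config. This is example code written for this page, not code from the thread or from the OpenVPN project; the two embedded configs are constructed samples based on the one posted above, and the directive names it checks (`server`, `dh`, `duplicate-cn`, `comp-lzo`, `tls-auth`, `tls-crypt`, `user`, `group`) are real OpenVPN directives.

```python
"""Lint an OpenVPN server config for the points raised in this thread.
Added example, not from the forum posts or from OpenVPN itself."""
import ipaddress
import re

# Constructed sample: the relevant lines of the posted config, placeholder intact.
POSTED_CONFIG = """\
port 9000
proto udp
dev tun
mode server
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
server <network range> 255.255.255.0 # for example 192.168.139.0
client-to-client
tls-auth ta.key 0
duplicate-cn
comp-lzo
verb 3
"""

# Constructed sample: the same config after applying the linter's findings.
FIXED_CONFIG = """\
port 9000
proto udp
dev tun
mode server
dh /usr/share/openvpn/easy-rsa/keys/dh2048.pem
server 10.33.44.0 255.255.255.0
client-to-client
tls-auth ta.key 0
user nobody
group nobody
verb 3
"""


def parse_config(text):
    """Split a config into (directive, args) pairs. '#' and ';' start comments,
    also inline after the arguments, as on the posted 'server ...' line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            words = line.split()
            entries.append((words[0], words[1:]))
    return entries


def client_pool_size(network, netmask):
    """Client addresses in a 'server NETWORK NETMASK' range, counted as in the
    thread: all addresses except network, broadcast and the server's .1.
    (OpenVPN's older net30 tun topology gives each client a /30 and fits
    fewer clients; 'topology subnet' matches this count.)"""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    if net.prefixlen > 30:
        raise ValueError("a range smaller than /30 leaves no address for a client")
    return net.num_addresses - 3


def lint(text):
    """Return (code, message) findings for a server config."""
    findings = []
    seen = {}
    for directive, args in parse_config(text):
        seen.setdefault(directive, []).append(args)

    for args in seen.get("server", []):
        if any(a.startswith("<") for a in args):
            findings.append(("server-placeholder",
                             "replace <network range> with a made-up private range, "
                             "e.g. 'server 10.33.44.0 255.255.255.0'"))
            continue
        try:
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=True)
        except (IndexError, ValueError) as exc:
            findings.append(("server-invalid", f"bad network/netmask: {exc}"))
            continue
        if not net.is_private:
            findings.append(("server-public", f"{net} is not a private range"))
        if net.prefixlen > 30:
            findings.append(("server-too-small", f"{net} has no room for a client"))

    for args in seen.get("dh", []):
        match = re.search(r"dh(\d+)", args[0] if args else "")
        if match and int(match.group(1)) < 2048:
            findings.append(("dh-weak", f"{match.group(1)}-bit DH parameters; "
                             "regenerate with 2048 bits or more"))

    if "duplicate-cn" in seen:
        findings.append(("duplicate-cn", "clients may share one certificate, so a leaked "
                         "key cannot be revoked for one client alone"))
    if "comp-lzo" in seen:
        findings.append(("comp-lzo", "compression of encrypted traffic; leave it off"))
    if "tls-auth" not in seen and "tls-crypt" not in seen:
        findings.append(("no-tls-auth", "add tls-auth or tls-crypt so unauthenticated "
                         "packets are dropped before the TLS handshake"))
    if "user" not in seen or "group" not in seen:
        findings.append(("no-drop-privs", "add 'user nobody' and 'group nobody' so the "
                         "daemon drops root once the tun/tap device is open"))
    return findings


if __name__ == "__main__":
    for code, message in lint(POSTED_CONFIG):
        print(f"{code}: {message}")
    print("fixed config findings:", lint(FIXED_CONFIG))
    print("clients in 10.33.44.0/24:", client_pool_size("10.33.44.0", "255.255.255.0"))
```

Run against the posted config it reports the unreplaced placeholder, the 1024-bit DH file, `duplicate-cn`, `comp-lzo` and the missing `user`/`group` lines; the corrected sample comes back clean, and the pool counter gives 253 clients for a /24 and exactly 1 for the /30 Jon describes as the minimum.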
----------

## alex6

Ok, thanks for these explanations :)

I finished the config and my server now can start.

Now I will only have to find a simple way to explain to the client what to do... He's using Debian so I guess a few things will be different.

And last step will be understanding how to make the applications (for example wine) use the new net device...

----------

## alex6

Everything working !

In order to have applications like games working as on a LAN through the VPN, the tap device must be used instead of the tun device (they both are in the TUN module of the kernel).

Also a route has to be made to the device:

```
ip route add to 255.255.255.255 dev tap0
```

----------

