# OpenVPN as a complete encryption solution

## tsftd

OK, so I've got OpenVPN installed and running, and can connect to it no problem.  Unfortunately, at this point I'm starting to get out of my depth.  After a couple of hours on google and searching this forum, I still can't really understand what I need to do or how to do it, so I'm asking for some help.

The goal is to set up a VPN to my server and route ALL of my traffic through it.  I *could* of course use an SSH tunnel, but I'm trying to get a solution that needs to be set up once, and then works for everything, and from my understanding, a VPN is the best way to accomplish this (if not, please correct me).  I need both the traffic AND the destination of that traffic to be encrypted (ie, a simple proxy will not work as the destination address is still visible to anyone snooping).

As a simple diagram: PC<-encrypted->Server<----->endpoint (for all traffic)

The server is Gentoo on a remote box, and the client is Windows 7.  My client connects to the VPN, but has no internet access.  I would assume that I need to set up some sort of routing to get it to forward the traffic, but I'm not sure exactly what I need.  I've set up a Gentoo SOHO router before but this is a bit different, and I'd rather not bother with things such as firewalls (IPTables) if possible, as my computer is protected from this side and the server is fine as-is.

I know it's a bit of an open-ended question, but I'd appreciate any help.

openvpn.conf:

```
port [edited]
proto tcp
dev tun
ca privnet/ca.crt
cert privnet/server.crt
key privnet/server.key
dh privnet/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
```

client conf:

```
client
dev tun
proto tcp
remote [edited address] [edited port]
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
```

----------

## MacGyver031

Hi,

I have some experience in doing this.

a) You should use bridging and "server-bridge". This makes the whole project simple.

b) You should use tap, because tap is an ethernet device.

c) I have done a per-client decision.

d) Using udp (connection less), you can save some unnecessary traffic (ack).

So your server config should be modified (I have made a star where necessary):

```
port [edited]
*proto udp
*dev tap0
ca privnet/ca.crt
cert privnet/server.crt
key privnet/server.key
dh privnet/dh1024.pem
* server-bridge
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
```

Server side you should bridge tap0 and ethernet interface.

On the client:

```
client
*dev tap0
*proto udp
remote [edited address] [edited port]
*
*
*
*
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
*route-gateway <ROUTER_IP>
*redirect-gateway bypass-dhcp
```

What exactly happens: by bridging the openvpn interface to the internal network, you have access to your home network. With "route-gateway" and "redirect-gateway", the client uses the openvpn channel to send all requests except the point-to-point connection to your router.

This works for me.

BR.

----------

## frostschutz

Have you set up your server to do NAT for your OpenVPN clients?

----------

## MacGyver031

*frostschutz wrote:*

> Have you set up your server to do NAT for your OpenVPN clients?

If this is a question to me, then the answer is no. Because I use tap instead of tun and bridge eth0 with tap0 on serverside, I create a transparent link between the two endpoints. This puts my laptop virtually in my home network.

There is the implementation with tun, here one has to NAT.

----------

## tsftd

OK, after editing my conf file it throws the error (in syslog):

```
Oct 14 03:18:01 ks357547 openvpn[4058]: Options error: --ifconfig-pool-persist must be used with --ifconfig-pool
Oct 14 03:18:01 openvpn[4058]: Use --help for more information.
Oct 14 03:18:01 /etc/init.d/openvpn[4057]: start-stop-daemon: failed to start `/usr/sbin/openvpn'
Oct 14 03:18:01 /etc/init.d/openvpn[4044]: ERROR: openvpn failed to start
```

I commented out the line "ifconfig-pool-persist ipp.txt" and it works; of course I'm not sure whether that causes a problem or not.

Working on bridging now.
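The "Options error" above is exactly this: `server` implies `--ifconfig-pool`, while a bare `server-bridge` defines no pool, so `ifconfig-pool-persist` has nothing to persist. Here is an added shell checker, not from the thread, that parses a server/client config pair in the layout used in the posts and reports that inconsistency, tun/tap and tcp/udp mismatches, and whether anything actually moves the client's default route into the tunnel; the sample configs at the bottom are constructed from the ones posted above with a placeholder address and port.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check an OpenVPN server/client config
# pair for the mismatches discussed above. Assumes the layout shown in the posts:
# one directive per line, directive first, arguments after it.

directive() {  # $1=file $2=name -> arguments of the first matching directive, rc 1 if absent
  awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; f = 1; exit } END { exit !f }' "$1"
}

check_pair() {  # $1=server.conf $2=client.conf -> one finding per line on stdout
  sdev=$(directive "$1" dev); cdev=$(directive "$2" dev)
  # tap0 and tap are the same kind of device; only tun vs tap matters
  [ "${sdev%%[0-9]*}" = "${cdev%%[0-9]*}" ] ||
    echo "dev mismatch: server '$sdev' vs client '$cdev'"
  sproto=$(directive "$1" proto); cproto=$(directive "$2" proto)
  [ "${sproto%-*}" = "${cproto%-*}" ] ||
    echo "proto mismatch: server '$sproto' vs client '$cproto'"
  # ifconfig-pool-persist needs a pool: 'server', an explicit 'ifconfig-pool', or
  # 'server-bridge' WITH a range. A bare 'server-bridge' has none: the error above.
  if directive "$1" ifconfig-pool-persist >/dev/null; then
    sb=$(directive "$1" server-bridge)
    directive "$1" server >/dev/null || directive "$1" ifconfig-pool >/dev/null ||
      [ -n "$sb" ] || echo "ifconfig-pool-persist without an address pool"
  fi
  # Full tunnel: the client's default route must move into the VPN, via its own
  # redirect-gateway or one pushed by the server; otherwise only the VPN subnet
  # is tunnelled, which is the "connected but no internet" symptom above.
  directive "$2" redirect-gateway >/dev/null ||
    grep -q '^push[[:space:]]*"redirect-gateway' "$1" ||
    echo "no redirect-gateway: client default route stays on the local uplink"
  # tun means the server routes (needs ip_forward plus NAT or return routes); tap bridges.
  if [ "${sdev%%[0-9]*}" = tun ] && directive "$2" redirect-gateway >/dev/null; then
    echo "note: tun + redirect-gateway needs ip_forward and NAT on the server"
  fi
  return 0
}

write_samples() {  # constructed samples trimmed from the thread's configs; prints their dir
  d=$(mktemp -d)
  printf '%s\n' 'port 1194' 'proto tcp' 'dev tun' 'server 10.8.0.0 255.255.255.0' \
    'ifconfig-pool-persist ipp.txt' > "$d/server.conf"
  printf '%s\n' 'client' 'dev tun' 'proto tcp' 'remote vpn.example.invalid 1194' > "$d/client.conf"
  # the server-bridge variant that refused to start above
  sed 's/^server .*/server-bridge/; s/^dev tun/dev tap0/; s/^proto tcp/proto udp/' \
    "$d/server.conf" > "$d/server-bridge.conf"
  echo "$d"
}

d=$(write_samples)
check_pair "$d/server.conf" "$d/client.conf"; check_pair "$d/server-bridge.conf" "$d/client.conf"
```

The first pair yields only the redirect-gateway finding (the original "no internet" setup); the server-bridge pair additionally trips the dev, proto and pool checks.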

----------

## frostschutz

*MacGyver031 wrote:*

> There is the implementation with tun, here one has to NAT.

And here I thought you have to NAT when you have only one public internet IP but multiple machines (server, openvpn clients, local network) behind it.

I certainly didn't try bridging a local network into a server datacenter yet.

----------

## Hu

*frostschutz wrote:*

> And here I thought you have to NAT when you have only one public internet IP but multiple machines (server, openvpn clients, local network) behind it.

Yes, but that is not exactly what MacGyver031 is attempting.  He wants the machines inside his LAN to think that the laptop is also inside the LAN, when in fact it is on the far end of the VPN.  One way to achieve this is to issue its VPN interface an IP that the other LAN machines will consider to be local, then bridge its traffic into the LAN.  Additional work would be needed if he wants the laptop to send publicly destined frames over the VPN, then out to the Internet from the home connection.  This step would be useful if he expects to use the laptop on hostile networks (coffee shops, some hotels, etc.), but is unnecessary if the only point of the VPN is to access his home resources from elsewhere.

----------

## MacGyver031

*Quote:*

> endpoint (for all traffic)

I think the configuration which I have shown should channel all traffic through the vpn.

*Quote:*

> This step would be useful if he expects to use the laptop on hostile networks (coffee shops, some hotels, etc.), but is unnecessary if the only point of the VPN is to access his home resources from elsewhere.

Hu has got it. One can also use it to make it hard for the hostile admin to track what I am doing.

----------

## tsftd

OK, so here's the deal on bridging: since it's a remote server, any time that I add eth0 to a bridge, it kills the net connection (dropping my ssh session).  I'm following http://en.gentoo-wiki.com/wiki/Bridging_Network_Interfaces as a guide, obviously excepting that instead of eth1, it's tap0.

from this section ( http://en.gentoo-wiki.com/wiki/Bridging_Network_Interfaces#Configuration ), I have tried:

```
ifconfig eth0 up #skip since it's already up
ifconfig tap0 up #skip since tun0 is already up
brctl addbr br0 #ok
brctl addif br0 eth0 #at this point, the ssh dies
brctl addif br0 tap0
ifconfig br0 up
```

Figuring that it would solve the problem (since the whole operation would take place regardless of the ssh dying), I tried the permanent setup:

in /etc/conf.d/net:

```
bridge_br0="eth0 tap0"
config_br0=( "[my server's ip] netmask 255.255.255.0" )
routes_br0=( "default gw [my server's default route]" )
config_eth0=( "null" )
rc_need_br0="net.eth0"
```

Note that I just renamed the config and routes options from "eth0" to "br0".

I then make the link and start /etc/init.d/net.br0 ... and again, ssh dies.  I know what's happening -- the eth0 is being added to the bridge, which apparently is either redirecting to null, or not properly set up to access the outside world, resulting in the server losing net connectivity.  What I don't know is how to fix it ;p

sorry to impose so much.


----------

## MacGyver031

Here is my Config on the server. 

```
tuntap_tap0="tap"
config_eth0="null"
config_tap0="null"
RC_NEED_br0="net.eth0 net.tap0"
depend_br0() {
        need net.eth0 net.tap0
}
bridge_br0="eth0 tap0"
config_br0="192.168.2.1/24 brd 192.168.2.255"
```

The first line creates a tap0 ethernet device, which will be bound to openvpn as soon as openvpn starts.

BR.
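The lock-out described above happens because eth0 stops answering on its own address the moment it becomes a bridge port, so the address and default route have to move to br0 in the same instant; the /etc/conf.d/net setup just shown does that at boot. Added example, not from the thread, for doing the same cutover live over ssh with one ip(8) batch and a rollback that is armed before anything changes; the eth0/tap0/br0 names, the MAC handling, the address arguments and the 180 s window are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: move eth0's address and default route onto
# br0 in ONE ip(8) batch, with a timed rollback so a mistake on a remote box does
# not strand you. Interface names, MAC handling and the 180 s window are assumptions.

# Once eth0 is a bridge port its frames belong to br0, so the address must move in
# the same batch. br0 keeps eth0's MAC: with tap0 attached the bridge would otherwise
# pick the lowest port MAC, which a hoster's MAC filter may silently drop.
bridge_batch() {  # $1=addr/prefix $2=gateway $3=eth0's MAC -> 'ip -batch' input on stdout
  cat <<EOF
link add br0 type bridge
link set br0 address $3
link set br0 up
link set tap0 master br0
link set eth0 master br0
addr flush dev eth0
addr add $1 dev br0
route replace default via $2 dev br0
EOF
}

rollback_batch() {  # $1=addr/prefix $2=gateway -> batch restoring the plain eth0 setup
  cat <<EOF
link set eth0 nomaster
link del br0
addr add $1 dev eth0
route replace default via $2 dev eth0
EOF
}

cutover() {  # $1=addr/prefix $2=gateway; run as root, after tap0 exists (openvpn or tuntap)
  mac=$(cat /sys/class/net/eth0/address)
  dir=$(mktemp -d)
  bridge_batch "$1" "$2" "$mac" > "$dir/up.batch"
  rollback_batch "$1" "$2" > "$dir/down.batch"
  # Arm the rollback BEFORE touching anything, detached from the ssh session so a
  # dropped connection (SIGHUP) cannot kill it. If you cannot log back in within
  # 180 s it restores eth0; if ssh survives, cancel it with the kill printed below.
  nohup sh -c "sleep 180 && ip -force -batch '$dir/down.batch'" >/dev/null 2>&1 &
  echo $! > "$dir/rollback.pid"
  ip -force -batch "$dir/up.batch"
  echo "bridge up; if ssh still works, run: kill \$(cat $dir/rollback.pid)"
}
```

Run it from a screen/tmux session so the ip batch itself is not interrupted if the connection drops; `cutover 203.0.113.10/24 203.0.113.1` would be a constructed invocation.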

----------

## tsftd

Much thanks; once I fix the server (which somehow blew up while working on this), I'll try it again.  Really a lifesaver: I've got a bit of an idea on this stuff but haven't really dealt with this side of it (more the routing side), and especially having a remote terminal where any mistake blows up the connection and I have to reboot into rescue, fix it, and try again, it would have taken forever.

EDIT:

So, I'm getting closer -- in fact, everything but the bridge is working.  I highly suspect it to be this line:

```
config_br0="192.168.2.1/24 brd 192.168.2.255"
```

Now, I assumed that this needed to be replaced by my server's default eth0 config, but I appear to have been incorrect, as that didn't work.  My server does not use DHCP and has a static IP.  However, this setting of yours looks like it's actually a subnet range, so is that supposed to be for assigning an IP to the clients?  And if so, how does the bridge get properly set up?

To be clear, here is my server config:

```
tuntap_tap0="tap"
config_eth0="null"
config_tap0="null"
RC_NEED_br0="net.eth0 net.tap0"
depend_br0() {
        need net.eth0 net.tap0
}
bridge_br0="eth0 tap0"
config_br0=( "[server ip] netmask 255.255.255.0" )
routes_br0=( "default gw [default gateway ip]" )
```

and my standard config:

```
config_eth0=( "[server ip] netmask 255.255.255.0" )
routes_eth0=( "default gw [default gateway ip]" )
```

With my original (no bridge), I can connect to the server's VPN and it works as expected (i.e., I can access server services, but not the internet, as the bridge isn't there to transport the traffic).  This means I'm sure the OpenVPN configs -- on both client and server -- are correct, and this bridge is the last hurdle.

----------

