OpenVPN Tunnels

Fri Jan 28 14:04:45 2005 by Eric Hokanson
Modified Thu Nov 8 06:15:55 2012

Intro

So, what exactly is a VPN or tunnel? Basically it is a connection between two systems that can be encrypted, authenticated, and/or compressed. This allows your plaintext traffic such as telnet, ftp and X to be protected from snooping. Another benefit is the ability to tunnel data through a firewall that would normally block it. While there are numerous uses for a VPN tunnel, I will show you one of the most common and easy-to-use VPN configurations.

The Idea

My current high bandwidth "ISP" blocks all UDP traffic in either direction. I like to play some of the leading online games with my friends and when we all play together we like to use Teamspeak. Teamspeak is just a UDP-based VoIP program so that we can talk to each other while we play. A friend of mine has a Linux box connected to the Internet across town and he hosts the Teamspeak server. The idea is to tunnel between my home Windows PC and my friend's Linux box using the unblocked TCP protocol and tunnel UDP traffic through it. I will then tell Teamspeak to use the tunnel to send data. It will be like the firewall isn't even there.

The Software

After testing out several different VPN software programs I decided upon OpenVPN. It's free, easy to use and works under Windows, Linux, and Mac OS X. Unlike some VPN software it runs completely in userspace, so no kernel recompiles are needed (although it does require your kernel to support virtual tun or tap adapters, most distros include that support). It can do simple IP encapsulation to handle your basic TCP and UDP packets, or it can do entire Ethernet encapsulation to handle NetWare IPX or AppleTalk.

The Setup

Using the latest 2.0.X release, installation was a breeze on both Windows and Linux. The Windows version uses a simple Windows installer and the Linux install was a simple ./configure; make install. Using the Windows-based tool, I made a new static key file and copied it over to the Linux box. Because all I wanted to do is route UDP packets I decided to go with the simpler IP encapsulation. On the server my configuration looked like this:

proto tcp-server
dev tun
# 10.1.0.1 is our local VPN endpoint (server).
# 10.1.0.2 is our remote VPN endpoint (client).
ifconfig 10.1.0.1 10.1.0.2
ping 15
persist-key
persist-tun
secret static.key
comp-lzo
verb 3
mute 10

...and on the client:

proto tcp-client
dev tun
remote myvpnserver.com
# 10.1.0.2 is our local VPN endpoint (client).
# 10.1.0.1 is our remote VPN endpoint (server).
ifconfig 10.1.0.2 10.1.0.1
ping 15
secret static.key
comp-lzo
verb 3
mute 10

Feel free to change the IP addresses listed above, just as long as they match on both the client and server. Now you'll have to make sure TCP port 1194 (OpenVPN's default port) is not blocked on your server. You will also need to forward your tun device on the server. You can go here for information on how to do this.
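A quick way to confirm that the two files mirror each other before starting the tunnel, written as an added example (not part of the original article or of OpenVPN). The function names parse and check_pair are hypothetical, and the embedded configs are shortened copies of the ones above.

```python
# Added example: consistency check for the static-key server/client config pair.

SERVER_CONF = """\
proto tcp-server
dev tun
# 10.1.0.1 is our local VPN endpoint (server).
ifconfig 10.1.0.1 10.1.0.2
secret static.key
comp-lzo
"""

CLIENT_CONF = """\
proto tcp-client
dev tun
remote myvpnserver.com
ifconfig 10.1.0.2 10.1.0.1
secret static.key
comp-lzo
"""

def parse(text):
    """Return {directive: [args]} for a config, skipping comments and blank lines."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts

def check_pair(server_text, client_text):
    """Return a list of mismatches between the two ends (empty list means consistent)."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    if (s.get("proto"), c.get("proto")) != (["tcp-server"], ["tcp-client"]):
        problems.append("proto must be tcp-server on the server and tcp-client on the client")
    # The client's local/remote endpoints must be the server's pair, swapped.
    if len(s.get("ifconfig", [])) != 2 or s["ifconfig"] != c.get("ifconfig", [])[::-1]:
        problems.append("ifconfig endpoints are not mirrored between server and client")
    for opt in ("secret", "comp-lzo"):
        if (opt in s) != (opt in c):
            problems.append(f"{opt} is set on only one end")
    if "remote" not in c:
        problems.append("client has no remote directive")
    return problems

if __name__ == "__main__":
    print(check_pair(SERVER_CONF, CLIENT_CONF) or "configs are consistent")
```

To check real files, pass the contents of server.conf and the client's .ovpn file to check_pair instead of the embedded samples.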

 

Moment of Truth

Now that you've got it all configured, let's start up the server in daemon mode. You can accomplish this by typing:

openvpn --daemon --cd /path/to/config/and/static/key --config server.conf

On the Windows client you can just right-click on your .ovpn config file and select Start OpenVPN... Mathias Sundman has made an excellent system tray tool to make connections easy and fast. You can download the tool from his web site. After a short negotiation the client should connect. You should be able to verify this by pinging the server from the client and vice versa. If you are unable to ping, check all firewall and port forwarding configurations as described above.

Now you should be able to start Teamspeak or other UDP programs and enter the server's VPN address (10.1.0.1). Hit connect and you should now have a fully functional encrypted tunnel. OpenVPN features hundreds of configuration options, such as turning off encryption or authentication, if you feel the need to tweak. You can find them all listed on OpenVPN's site. Enjoy!