Emaculation.com

Differences

This shows you the differences between two versions of the page.

bridged_openvpn_server_setup [2020/05/01 11:44] nucar
bridged_openvpn_server_setup [2023/05/28 14:14] (current) nucar
Line 1: Line 1:
 ====== Bridged OpenVPN Server Setup ====== ====== Bridged OpenVPN Server Setup ======
  
-(Last updated May 12020.  The forum thread is [[https://www.emaculation.com/forum/viewtopic.php?f=3&t=8336|here]].)+(Last updated May 282023.  The forum thread is [[https://www.emaculation.com/forum/viewtopic.php?f=3&t=8336|here]].)
  
 ===== Introduction ===== ===== Introduction =====
  
-This guide describes how to set up a bridge-mode [[https://openvpn.net/community/|OpenVPN]] server in a Linux virtual machine (VM).  These instructions are intended for home users who wish to run the VM on a Mac or Windows PC.  We'll use only free and open-source software:  DebianVirtualBox, and the required packages for use with OpenVPN.  This guide may look long and intimidating, but that's only because many of the steps are spelled out in detail so that it can be as beginner-friendly as possible.  A lot just involves copying and pasting.  You don't need to read the appendices unless you're interested in their specific topics.+This guide describes how to set up a bridge-mode [[https://openvpn.net/community/|OpenVPN]] server in a Linux virtual machine (VM).  These instructions are intended for home users who wish to run the VM on a Mac or Windows PC.  The focus is on using VMware Fusion on a Mac hostbut the instructions can easily be adapted for use with VirtualBox or VMware Workstation on other platforms.  VMware Fusion Player (for macOS) and VMware Workstation Player (for Windows) are free for non-commercial use, and VirtualBox is free, open-source software.
  
-An OpenVPN server in a bridged configuration creates a virtual private network (VPN) that can be thought of as a virtual Ethernet switch to your network.  It allows people you trust to make a virtual Ethernet connection to your LAN from over the Internet.  Therefore, people that connect, called clients, are able to send and receive all the same data that they could if they were physically connected to your LAN by Ethernet, while still maintaining their own normal LAN and Internet connections.  Local traffic of any protocol (TCP, UDP, AppleTalk, IPX, etc.) going to and from the clients, including broadcasts, will be tunneled over a single UDP port.  All data over the VPN connection is encrypted and compressed.+An OpenVPN server in a bridged configuration creates a virtual private network (VPN) that can be thought of as a virtual Ethernet switch to your network.  It allows people you trust to make a virtual Ethernet connection to your LAN from over the Internet.  Therefore, people that connect, called clients, are able to send and receive all the same data that they could if they were physically connected to your LAN by Ethernet, while still maintaining their own normal LAN and Internet connections.  Local traffic of any protocol (TCP, UDP, AppleTalk, IPX, etc.) going to and from the clients, including broadcasts, will be tunneled over a single UDP port.  All data over the VPN connection is encrypted.
  
 Possible uses of this VPN include:\\ Possible uses of this VPN include:\\
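Review bot: a documentation point on the last sentence of the second paragraph: it now reads "All data over the VPN connection is encrypted", dropping "and compressed", which correctly matches the removal of `compress lz4-v2` from server.conf and from the client config further down. Readers who set up their clients from the 2020 revision still have that line in their configs, so a sentence here or in the configuration sections telling them to remove it on both sides would save them a mismatched connection.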
Line 23: Line 23:
 ===== Using a Unique Subnet ===== ===== Using a Unique Subnet =====
  
-If you're going to run a VPN server on your home network, I highly recommend that you change your private IP subnet to some uncommon numbering, i.e., not 0 or 1 in the third octet. The third octet is x.x.this.x number of the IP address. Your router software should be able to accomplish this. Machines using static IP addresses will have to be changed manually on the respective machines. Using a unique subnet is important because many services require that clients enter the IP address of the host. If there are conflicting (identical) private IP addresses on both the server side and client sides, then things can't be expected to work. So, for example, a numbering such as 10.0.149.x or 192.168.37.x should be fine.+If you're going to run a VPN server on your home network, it's a good idea to change your private IP subnet to some uncommon numbering, i.e., not 0 or 1 in the third octet. The third octet is x.x.this.x number of the IP address. Your router software should be able to accomplish this. Machines using static IP addresses will have to be changed manually on the respective machines. Using a unique subnet is important because many services require that clients enter the IP address of the host. If there are conflicting (identical) private IP addresses on both the server side and client sides, then things can't be expected to work. So, for example, a numbering such as 10.0.149.x or 192.168.37.x should be fine.
  
 To be clear, only the server's network has to worry about having a different subnet numbering than the numberings of each of the clients.  The clients can't see each other's LANs, so their comparative numberings don't matter.  Clients can see only each other's OpenVPN-assigned private IP addresses in addition to the machines on the server side. To be clear, only the server's network has to worry about having a different subnet numbering than the numberings of each of the clients.  The clients can't see each other's LANs, so their comparative numberings don't matter.  Clients can see only each other's OpenVPN-assigned private IP addresses in addition to the machines on the server side.
  
-===== Linux VM Setup =====+===== Linux VM Setup and Usage =====
  
-This section provides procedure for setting up a simple Debian 10 "Buster" VM for beginners.  If you already have your Linux machine set up, then proceed to the [[bridged_openvpn_server_setup#openvpn_server_setup|OpenVPN Server Setup]] section.  Note that, to run an OpenVPN server, a VM's virtual network adapter must be in a //bridged// configuration.+This guide will assume that you're running [[https://www.debian.org|Debian]] 11 "Bullseye" VM.  Guides on installing Debian in a VM can be found on the Web and YouTube.  This section covers only some of the steps, mainly those important to this particular application and the rest of this guide.  If you already have your Linux machine set up, you should note the requirements below regarding the VM's virtual network adapter settings before proceeding to the [[bridged_openvpn_server_setup#openvpn_server_setup|OpenVPN Server Setup]] section.
  
 ==== VM Settings ==== ==== VM Settings ====
  
-Download the Debian network installer disc image from the upper right of the [[https://www.debian.org|Debian home page]].+The VM software's defaults for the memory and storage space allocated to the VM should be sufficient.
  
-Download and install [[https://www.virtualbox.org/wiki/Downloads|VirtualBox]].  In VirtualBox, create a new VM with the following settings:+The VM's virtual network adapter must be //bridged// to the host's Ethernet connection.  It must also be allowed to enter promiscuous mode to monitor all network traffic.  In VirtualBox, in the VM's network settings, under Advanced, set Promiscuous Mode: Allow All.  In VMware Fusion, if starting the VM using the GUI, you have to wait for the guest OS to boot and then enter your administrator password every time you start the VM (except during an administrator password timeout).  To avoid this, use the following Terminal command (not now, but after you've finished setting up OpenVPN):
  
-Name and operating system:\\ +<code>sudo vmrun start "/Users/username/Virtual Machines.localized/Debian 11.x 64-bit.vmwarevm/Debian 11.x 64-bit.vmx" nogui</code>
-Name:  Debian (or whatever you want)\\ +
-Type:  Linux\\ +
-Version:  Debian (64 bit) if you have a 64-bit host, (32 bit) otherwise+
  
-Allocate at least the default 1024 MB of memoryand choose the default hard drive settings.  In the newly created VM's settings, set:+This will start the VM in "headless" modei.e., as a background process.  The VM can be shut down gracefully using the command
  
-General Advanced:\\ +<code>sudo vmrun stop "/Users/username/Virtual Machines.localized/Debian 11.x 64-bit.vmwarevm/Debian 11.x 64-bit.vmx" soft</code>
-Shared Clipboard:  Bidirectional\\ +
-Drag'n'Drop:  Bidirectional+
  
-Display > Screen:\\ +In both commands, edit the path to the .vmx file, mainly replacing "username" with your username and both instances "Debian 11.x 64-bit" with whatever you named the VM.  Save these commands in shell scripts or .command files for quick usage.
-Graphics Controller:  VBoxVGA+
  
-Network > Adapter 1:\\ +Record the VM's MAC address for use laterwhich is found in the VM's network settings.
-Attached to:  Bridged Adapter\\ +
-Name:  select your Ethernet interface/adapter\\ +
-Under AdvancedPromiscuous Mode:  Allow All+
  
-Shared Folders:\\ +Add a folder to the VM's list of shared folders. This setup assumes that you added a shared folder named "vmshared".
-Add a shared folder to the host OS, and check Auto-mount. This setup assumes that you added a shared folder named "vmshared"+
- +
-All other settings can be left as their defaults.+
  
 ==== Debian Installation ==== ==== Debian Installation ====
  
-Start the VM, point the window that pops up to your Debian disc image, and hit Start.  Use the arrow keys to select "Install. The installer program proceeds as follows:+You may find it easier to use "Install" rather than "Graphical install" since, in a VM, the mouse pointer may not work well until the VM's support software is installed.
  
-Select your language, location and keyboard configuration.+The hostname doesn't matter unless you're planning to use it (I just use IP addresses).  The domain name can be left blank if your ISP's domain name wasn't detected automatically.
  
-For the hostname, the default "debianis okay.  The domain name can be left blank if your ISP's domain name wasn't detected automatically.+At the software selection screen, the default choices are fine, but the SSH server software is useful for accessing the Linux terminal remotely or when the VM is run in "headlessmode (see the [[bridged_openvpn_server_setup#ssh_server|SSH Server]] appendix).  If changing your selections, use the **space bar**.  Pressing return will proceed to the next screen.
  
-Enter and verity **root password**.+After the installation is complete, and Debian has booted to the login screen, log in and set up shortcut to the Terminal application.  If using the default GNOME desktop environment, press the command key on a Mac, or the Windows key in Windows, search for "terminal", and drag the Terminal icon to the dock for quick access in the future.
  
-Enter the user's name.  This is not the username.+==== VM Support Software ====
  
-Enter username.+In VMware VM, Open VM Tools should have been installed automatically in Debian when following the default installation, so you should be able to copy and paste into the VM.  The keyboard shortcut for pasting into the Linux terminal is shift+control+V, as seen in the terminal's Edit menu.
  
-Enter and verify a **user password**.  For the purposes of this VM, it's simplest to make this the same as the **root password**.+Open Terminal, and **become root** by entering
  
-Select your time zone.+<code>su -</code>
  
-Select the default choices at the "Partition disks" screens.  Hit tab and return to select "Yes" when it asks whether to write changes to disk.+Create a mount point for shared folders:
  
-Select No when asked whether to scan another CD or DVD.+<code>sudo mkdir -p /mnt/hgfs</code>
  
-Select your country for the Debian archive mirror, and the default choice for the archive mirror URL.  Leave the HTTP proxy information blank.+We'll use the text editor "nano" throughout this guide to edit text files.  To make shared folders mount automatically, enter
  
-Choose whether you want to participate in the package usage survey.+<code>nano /etc/fstab</code>
  
-Use the **space bar** and arrow keys to select only "standard system utilities," then hit return.  The SSH server software is useful for accessing the Linux terminal remotely or when the VM is run in "headless" mode (as a background process).  These features help to streamline your usage of the OpenVPN server, but aren't covered in this guide.+and add to the file the line
  
-Select "Yes" to install the GRUB boot loader, use the down arrow key to choose the /dev/sda device, and hit return.+<code>.host:/ /mnt/hgfs fuse.vmhgfs-fuse auto,allow_other 0 0</code>
  
-When the installation is completeselect Continue.  The VM will reboot into the newly installed Debian. +Press control+Xthen Y to accept changesand return to save the file.  Reboot the VM by entering
- +
-At the login promptenter +
- +
-<code>root</code> +
- +
-followed by the **root password**.  Enter +
- +
-<code>apt-get install gnome-core xorg</code> +
- +
-to install a basic graphical user interface (GUI).  Enter Y to continue. +
- +
-When the prompt returns, reboot the VM by entering+
  
 <code>reboot</code> <code>reboot</code>
  
-The VM will reboot into the newly installed GUI.  Select the user.  Click on the small gear icon next to the "Sign In" button and select "GNOME Classic."  Enter the **user password** to log in.  Go to Applications > Utilities, and scroll down to select Terminal.  You will not yet be able to copy and paste into the VM, and VM's cursor may be sluggish, because Guest Additions are not yet installed.+Open Terminal and enter
  
-**Become root** by entering+<code>ls /mnt/hgfs</code>
  
-<code>su -</code> +The shared folder "vmsharedshould now be visible.
- +
-followed by the **root password**.  Enter +
- +
-<code>apt-get install gcc make linux-headers-$(uname -r)</code> +
- +
-In the VM's Devices menu, select "Insert Guest Additions CD image..." Select Cancel on the window that pops up.  In Terminal, enter +
- +
-<code>umount /media/cdrom</code> +
- +
-<code>mount -o exec /media/cdrom</code> +
- +
-<code>/media/cdrom/VBoxLinuxAdditions.run</code> +
- +
-Reboot the VM by entering +
- +
-<code>reboot</code> +
- +
-Open Terminal and enter+
  
-<code>ls /media</code>+If using VirtualBox, you'll have to install Guest Additions before being able to copy and paste into the VM and access shared folders.  Again, consult a separate guide.  Shared folders will appear in /media, and will have "sf_" prepended to their names if using auto-mount.
  
-The shared folder "vmshared" should now be visible as "sf_vmshared". Also, you will now have the ability to copy and paste into the VM. The keyboard command for pasting into the Linux terminal is shift+control+V, as seen in the terminal's Edit menu.+==== Other Terminal Commands ====
  
-Note that the command to shut down the VM **as root** is+The command to shut down the VM **as root** is
  
 <code>shutdown -h now</code> <code>shutdown -h now</code>
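Review bot: `sudo mkdir -p /mnt/hgfs` has a redundant and possibly unavailable `sudo`: the step just before it has the reader become root with `su -`, and Debian does not install sudo when a root password is set during installation, so the line should simply be `mkdir -p /mnt/hgfs`. A second point on the new fstab line `.host:/ /mnt/hgfs fuse.vmhgfs-fuse auto,allow_other 0 0`: `allow_other` makes the share readable by every account in the guest, which matters because the OpenVPN certificates and private keys are later staged in that same shared folder; a short remark that the share is not a safe long-term home for credentials would be worth adding.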
Line 141: Line 99:
 You can also run **as root** You can also run **as root**
  
-<code>apt-get update</code>+<code>apt update</code>
  
 followed by followed by
  
-<code>apt-get upgrade</code>+<code>apt upgrade</code>
  
 once in a while to update the operating system and its software packages. once in a while to update the operating system and its software packages.
Line 151: Line 109:
 ===== OpenVPN Server Setup ===== ===== OpenVPN Server Setup =====
  
-The instructions in this section can be used for running OpenVPN 2.in Debian 10 (proceeding from the VM setup above) or some similar Linux distribution.+The instructions in this section can be used for running OpenVPN 2.in Debian 11 (proceeding from the VM setup above) or some similar Linux distribution.
  
 ==== Authentication Setup with Easy-RSA ====  ==== Authentication Setup with Easy-RSA ==== 
Line 157: Line 115:
 Open Terminal, and **become root**.  You should **always become root** before running the commands below.  Install OpenVPN, Easy-RSA and the Linux Ethernet bridge utilities: Open Terminal, and **become root**.  You should **always become root** before running the commands below.  Install OpenVPN, Easy-RSA and the Linux Ethernet bridge utilities:
  
-<code>apt-get install openvpn easy-rsa bridge-utils</code>+<code>apt install openvpn easy-rsa bridge-utils</code>
  
 Copy Easy-RSA to OpenVPN's directory: Copy Easy-RSA to OpenVPN's directory:
Line 175: Line 133:
 <code>./easyrsa build-ca nopass</code> <code>./easyrsa build-ca nopass</code>
  
-For Common Name, enter "OpenVPN-CA" (without quotes).+The Common Name will be set to "Easy-RSA CA" by default, so no entry is required.
  
 Create the server credentials by entering Create the server credentials by entering
Line 183: Line 141:
 The Common Name will be set to "openvpnserver" by default, so no entry is required. The Common Name will be set to "openvpnserver" by default, so no entry is required.
  
-Sign server credentials by entering+Sign the server credentials by entering
  
 <code>./easyrsa sign-req server openvpnserver</code> <code>./easyrsa sign-req server openvpnserver</code>
Line 207: Line 165:
 Enter "yes" (without quotes) as requested. Enter "yes" (without quotes) as requested.
  
-You can make more client credentials using different Common Names.+You can make more client credentials by changing "joe" in the previous two commands.  Each client'Common Name must be unique.
  
 **IMPORTANT**:  If you ever come back later to /etc/openvpn/easy-rsa to create credentials for additional clients, do **NOT** run "./easyrsa init-pki" again since this would wipe out your existing credentials. **IMPORTANT**:  If you ever come back later to /etc/openvpn/easy-rsa to create credentials for additional clients, do **NOT** run "./easyrsa init-pki" again since this would wipe out your existing credentials.
Line 213: Line 171:
 Create the HMAC signature: Create the HMAC signature:
  
-<code>openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/private/ta.key</code>+<code>openvpn --genkey secret /etc/openvpn/easy-rsa/pki/private/ta.key</code>
  
 Certificate and key files will be given to the clients.  Copy these files to the host OS via the shared folder by entering Certificate and key files will be given to the clients.  Copy these files to the host OS via the shared folder by entering
  
-<code>mkdir /media/sf_vmshared/credentials</code>+<code>mkdir /mnt/hgfs/vmshared/credentials</code>
  
-<code>cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/pki/issued/*.crt /etc/openvpn/easy-rsa/pki/private/*.key /media/sf_vmshared/credentials</code>+followed by 
 + 
 +<code>cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/pki/issued/*.crt /etc/openvpn/easy-rsa/pki/private/*.key /mnt/hgfs/vmshared/credentials</code> 
 + 
 +If using VirtualBox, /mnt/hgfs/vmshared would be replaced by /media/sf_vmshared in the above two commands.
  
-More information on revoking client certificates, see [[https://wiki.archlinux.org/index.php/Easy-RSA|this guide]].+For information on revoking client certificates, see [[https://wiki.archlinux.org/index.php/Easy-RSA|this guide]].
  
 ==== VPN Setup ==== ==== VPN Setup ====
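Review bot: the glob `/etc/openvpn/easy-rsa/pki/private/*.key` in the `cp` command copies every private key in the PKI into the host-visible shared folder, including the CA key (written without a passphrase by `./easyrsa build-ca nopass` above) and the server key, although a client only needs ca.crt, its own .crt and .key, and ta.key. Suggest copying only those, for example `cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/pki/issued/joe.crt /etc/openvpn/easy-rsa/pki/private/joe.key /etc/openvpn/easy-rsa/pki/private/ta.key /mnt/hgfs/vmshared/credentials`, and adding a sentence telling the reader to delete the credentials folder from the share once the files have been handed over. The change to `openvpn --genkey secret` is correct for the OpenVPN 2.5 that Debian 11 ships, where the old `--genkey --secret` spelling only works with a deprecation warning.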
Line 227: Line 189:
 Now we'll configure the OpenVPN server.  First, you must obtain some information about your network's private IP address numbering. Now we'll configure the OpenVPN server.  First, you must obtain some information about your network's private IP address numbering.
  
-On an macOS host, open System Preferences and go to Network.  On the left, select the active interface (Ethernet), click "Advanced..." and select the "TCP/IP" tab.  Look for the values for Subnet Mask (netmask) and Router.  On a Windows host, this information can be obtained by running the command "ipconfig" (without quotes) in the Windows command prompt, cmd.exe.  "Default Gateway" is the router's address.  You will also need to know your broadcast address, which is simply the first three octets of your subnet plus 255.  Finally, decide on a free IP address on your network, which will be assigned to the Linux VM.+On an macOS host, open System Preferences and go to Network.  On the left, select the active interface (Ethernet), click "Advanced..." and select the "TCP/IP" tab.  Look for the values for Subnet Mask (netmask) and Router.  On a Windows host, this information can be obtained by running the command "ipconfig" (without quotes) in the Windows command prompt, cmd.exe.  "Default Gateway" is the router's address.  You'll also need to know your broadcast address, which is simply the first three octets of your subnet plus 255.  Finally, decide on a free IP address on your network, which will be assigned to the Linux VM.
  
 This guide will use the following example private IP address numbering (adjust this to your numbering): This guide will use the following example private IP address numbering (adjust this to your numbering):
Line 234: Line 196:
 Subnet mask (netmask):  255.255.255.0 (/24 following the Free IP address in [[https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks|CIDR notation]])\\ Subnet mask (netmask):  255.255.255.0 (/24 following the Free IP address in [[https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks|CIDR notation]])\\
 Broadcast address:  192.168.5.255\\ Broadcast address:  192.168.5.255\\
-Router's IP address:  192.168.5.1+Router's IP address:  192.168.5.1\\ 
 +VM's MAC address: 08:00:27:e7:0e:0a (found in the VM's network settings)
  
-We'll use the text editor "nano" to create a script called "openvpn-bridge" that performs the Ethernet bridging.  Enter+We'll create a script called "openvpn-bridge" that performs the Ethernet bridging.  Enter
  
 <code>nano /etc/openvpn/openvpn-bridge</code> <code>nano /etc/openvpn/openvpn-bridge</code>
Line 253: Line 216:
 # Define physical ethernet interface to be bridged # Define physical ethernet interface to be bridged
 # with TAP interface(s) above. # with TAP interface(s) above.
-eth="enp0s3"+eth="ens33"
 eth_ip_netmask="192.168.5.100/24" eth_ip_netmask="192.168.5.100/24"
 eth_broadcast="192.168.5.255" eth_broadcast="192.168.5.255"
 eth_gateway="192.168.5.1" eth_gateway="192.168.5.1"
 +eth_mac="08:00:27:e7:0e:0a"
  
 case "$1" in case "$1" in
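Review bot: a consistency point on `eth="ens33"` and `eth_mac="08:00:27:e7:0e:0a"`: ens33 is the interface name a VMware guest typically gets, while the 08:00:27 prefix of the sample MAC belongs to VirtualBox, so the two defaults come from different hypervisors. Harmless, since the text says to edit both, but a VMware-style sample MAC, or a comment in the script marking the value as an example that must be replaced, would stop a reader from trusting the wrong one.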
Line 280: Line 244:
  
     ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $br     ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $br
 +    ip link set $br address $eth_mac
     ip link set $br up     ip link set $br up
  
Line 293: Line 258:
  
     ip link set $eth promisc off up     ip link set $eth promisc off up
-    ip route add default via $eth_gateway 
-    ip addr flush dev $eth 
     ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $eth     ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $eth
 +
 +    ip route add default via $eth_gateway
     ;;     ;;
 *) *)
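Review bot: moving `ip route add default via $eth_gateway` below `ip addr add $eth_ip_netmask ... dev $eth` fixes a real ordering bug in the stop path: in the old version the default route was added while $eth had no address, so the kernel had no connected route to the gateway, the command failed with "Network is unreachable", and the VM was left without a default route after the bridge was torn down. Dropping `ip addr flush dev $eth` is fine as long as $eth holds no address at that point, but keeping a flush just before the `ip addr add` would make the stop path safe to run twice.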
Line 304: Line 269:
 exit 0</code> exit 0</code>
  
-Use the arrow keys to edit the script.  Edit the three lines beginning with eth_ip_netmask, eth_broadcast and eth_gateway.  Those three variables must be set equal to the free IP address for the Linux VM and its subnet mask, broadcast address, and router's IP address, respectively, in quotes as shown.  (If not using VirtualBox, you also might have to change the "eth" variable to match the name of your Ethernet interface.  Use the command "ip a" in Terminal to find this name.)  Press control+X, then Y to accept changes, and return to save the file.  Entering "ls" should now show the file "openvpn-bridge" in the list of files in the directory.  If you need to edit the script again, enter the same command above used to create it.+Use the arrow keys to edit the script.  Edit the four lines beginning with eth_ip_netmask, eth_broadcasteth_gateway and eth_mac.  Those four variables must be set equal to the free IP address for the Linux VM and its subnet mask, broadcast address, router's IP address, and VM's Mac address, respectively, in quotes as shown.  (Depending on your VM software, you may also have to change the "eth" variable to match the name of your Ethernet interface.  Use the command "ip a" in Terminal to find this name.)  Exit and save.  Entering "ls" should now show the file "openvpn-bridge" in the list of files in the directory.  If you need to edit the script again, enter the same command above used to create it.
  
-This script is adapted from the "bridge-start" and "bridge-stop" scripts at OpenVPN's [[https://openvpn.net/community-resources/ethernet-bridging/|Ethernet bridging page]], with the now-deprecated "ifconfig" commands replaced with the equivalent "ip" (iproute2) commands.  It bridges the Ethernet interface, eth0, and OpenVPN's TAP interfacetap0as members of the bridge interfacebr0.  It also sets the Linux VM's private IP address to the free address that you chose, **effectively giving the server a static IP address**.+This script is adapted from the "bridge-start" and "bridge-stop" scripts at OpenVPN's [[https://openvpn.net/community-resources/ethernet-bridging/|Ethernet bridging page]], with the now-deprecated "ifconfig" commands replaced with the equivalent "ip" (iproute2) commands.  It bridges the Ethernet interface (the "eth" variable) and OpenVPN's TAP interface (tap0as members of the bridge interface (br0).  It also sets the Linux VM's private IP address to the free address that you chose, **effectively giving the server a static IP address**.
  
 Make the script executable by entering Make the script executable by entering
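Review bot: "VM's Mac address" should read "VM's MAC address"; on a page that also talks about Mac hosts the lowercase spelling reads as the computer. Also, replacing the nano key sequence with "Exit and save" relies on the reader remembering control+X, Y, return from the fstab step earlier, which a reader who skipped the VM section will not have seen; repeating the keys here costs one sentence.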
Line 331: Line 296:
 tls-auth /etc/openvpn/easy-rsa/pki/private/ta.key 0 tls-auth /etc/openvpn/easy-rsa/pki/private/ta.key 0
 cipher AES-256-GCM cipher AES-256-GCM
-compress lz4-v2 
-push "compress lz4-v2" 
 persist-key persist-key
 persist-tun persist-tun
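Review bot: removing both `compress lz4-v2` and `push "compress lz4-v2"` is the right pair of changes, and it is consistent with the client config below, which also drops its `compress lz4-v2`; OpenVPN has deprecated compression on the encrypted tunnel, so this also removes a known weakness. A client still carrying `compress lz4-v2` from the earlier revision of this guide may now fail to pass traffic against this server, so the text should say that existing client configs need the same line removed.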
Line 339: Line 302:
 verb 3</code> verb 3</code>
  
-The line beginning with "server-bridge" must be changed to match your private IP addresses.  Set the first and second addresses of that line to the free IP address for the Linux VM and your subnet mask, respectively.  The third and fourth addresses of that line denote the private IP address range to be allocated to clients.  This must be set to an unused address range on your network.  This range ideally should be outside your router's DHCP range, but it doesn't need to be.  As can be seen, in this example, ten addresses are allocated, ending with 101 through 110.  More information on the server configuration file can be found at [[https://openvpn.net/community-resources/how-to/|OpenVPN's HOWTO page]] and [[https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage|the OpenVPN 2.4 manual]].+The line beginning with "server-bridge" must be changed to match your private IP addresses.  Set the first and second addresses of that line to the free IP address for the Linux VM and your subnet mask, respectively.  The third and fourth addresses of that line denote the private IP address range to be allocated to clients.  This must be set to an unused address range on your network.  This range ideally should be outside your router's DHCP range, but it doesn't need to be.  As can be seen, in this example, ten addresses are allocated, ending with 101 through 110.
  
 ==== Port Forwarding ===== ==== Port Forwarding =====
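Review bot: the removed sentence was the only pointer to reference documentation for `server-bridge` and the rest of server.conf; rather than dropping it, replace the OpenVPN 2.4 manual link with the manual for the OpenVPN version shipped in Debian 11 so readers still have somewhere to look up the options.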
Line 376: Line 339:
 <code>systemctl status openvpn@server.service</code> <code>systemctl status openvpn@server.service</code>
  
-Hit Q to finish.+Press Q to exit.
  
 Stop the OpenVPN server by entering, as root, Stop the OpenVPN server by entering, as root,
Line 404: Line 367:
 tls-auth ta.key 1 tls-auth ta.key 1
 cipher AES-256-GCM cipher AES-256-GCM
-compress lz4-v2 
 verb 3</code> verb 3</code>
  
-PUBLIC_IP_ADDRESS must be replaced with the public IP address of the server side. Google "ip" on the server side to get this address.  A client already on the server side could use the private IP address of the Linux VM instead of the public IP address.  Tunneling [[bridged_openvpn_server_setup#lan_gaming|non-IP protocols]], such as AppleTalk and IPX, over wireless is one reason to do this.  Clients over the Internet must use the public IP address.+PUBLIC_IP_ADDRESS must be replaced with the public IP address of the server side. Google "my ip" on the server side to get this address.  A client already on the server side could use the private IP address of the Linux VM instead of the public IP address.  Tunneling [[bridged_openvpn_server_setup#lan_gaming|non-IP protocols]], such as AppleTalk and IPX, over wireless is one reason to do this.  Clients over the Internet must use the public IP address.
  
 The lines beginning with "cert" and "key" must be changed to match the file names of the .crt and .key files for the given client.  Save the file as "joe.conf", and give ca.crt, joe.crt, joe.key, ta.key and joe.conf to the client. The lines beginning with "cert" and "key" must be changed to match the file names of the .crt and .key files for the given client.  Save the file as "joe.conf", and give ca.crt, joe.crt, joe.key, ta.key and joe.conf to the client.
- 
-More information on the client configuration file can be found at [[https://openvpn.net/community-resources/how-to/|OpenVPN's HOWTO page]] and [[https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage|the OpenVPN 2.4 manual]]. 
  
 ==== Mac Client Software:  Tunnelblick ==== ==== Mac Client Software:  Tunnelblick ====
Line 421: Line 381:
 ==== Windows Client Software:  Securepoint SSL VPN Client ==== ==== Windows Client Software:  Securepoint SSL VPN Client ====
  
-For Windows clients, the Windows version of OpenVPN can be used, but here we'll go over using the [[https://sourceforge.net/projects/securepoint/|Securepoint SSL VPN Client]], which is very easy to use.  When installing, select "Mangagement" for the starting context.  Run the desktop shortcut, right-click the program's padlock icon in the taskbar, and select "Show window."  Click on the gear icon, select "New", and give the VPN connection a name.  Enter the public IP address of the server, and keep the default protocol (UDP) and port (1194).  For the client "joe", point "Root CA" to ca.crt, "Certificate" to joe.crt, and "Key" to joe.key.  Leave "Server certificate" unchecked.  Click Next, Next and Finish.  Copy ta.key to the folder with the VPN connection's name, found in the user's "AppData\Roaming\Securepoint SSL VPN\config" folder, the folder to which the other certificate and key files have been copied.  Open joe.conf (with WordPad if it was written in macOS or Linux), select all, and copy. In Securepoint, right-click on the VPN connection's name, select "Quick edit", delete everything, and paste.  Now you can connect.  The client doesn't need to keep the original client files after the configuration is created, since they get copied to the folder mentioned above.+For Windows clients, the Windows version of OpenVPN can be used, but here we'll go over using the [[https://sourceforge.net/projects/securepoint/|Securepoint SSL VPN Client]], which is very easy to use.  When installing, select "Mangagement" for the starting context.  Run the desktop shortcut, right-click the program's padlock icon in the taskbar, and select "Show window."  Click on the gear icon, select "New", and give the VPN connection a name.  Enter the public IP address of the server, keep the default protocol (UDP) and port (1194), and click Add and Next.  For the client "joe", point "Root CA" to ca.crt, "Certificate" to joe.crt, and "Key" to joe.key.  Leave "Server certificate" unchecked.  
Click Next, Next and Finish.  Copy ta.key to the folder with the VPN connection's name, found in the user's "AppData\Roaming\Securepoint SSL VPN\config" folder, the folder to which the other certificate and key files have been copied.  Open joe.conf (with WordPad if it was written in macOS or Linux), select all, and copy. In Securepoint, right-click on the VPN connection's name, select "Quick edit", delete everything, and paste.  Now you can connect.  The client doesn't need to keep the original client files after the configuration is created, since they get copied to the folder mentioned above.
  
-If you ever accidentally delete the desktop shortcut, and need to create another one, the executable, SSLVpnClient.exe, is in the user's "AppData\Local\Apps\Securepoint SSL VPN" folder.  The shortcut must have+If you ever accidentally delete the desktop shortcut, and need to create another one, the executable, SSLVpnClient.exe, may be in the user's "AppData\Local\Apps\Securepoint SSL VPN" folder, depending on how it was installed.  The shortcut must have
  
 -manage -manage
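Review bot: "Mangagement" in the first sentence of the Securepoint paragraph is a typo for "Management" and is carried over unchanged on both sides of the edit; since it names the starting context the reader has to pick during installation, correct it to "Management" while this paragraph is being revised. The new "and click Add and Next" followed by "Click Next, Next and Finish" at the start of the next line also reads as two separate click sequences; consider joining them ("... click Add and Next. ... Leave "Server certificate" unchecked, then click Next, Next and Finish.") so the order of dialog steps is unambiguous.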
Line 443: Line 403:
 To test whether the client's request to connect is reaching the VM, use tcpdump in the VM.  Install tcpdump as root in Terminal: To test whether the client's request to connect is reaching the VM, use tcpdump in the VM.  Install tcpdump as root in Terminal:
  
-<code>apt-get install tcpdump</code>+<code>apt install tcpdump</code>
  
 To listen, for example, for packets passing through the br0 interface on port 1194 (both TCP and UPD), enter To listen, for example, for packets passing through the br0 interface on port 1194 (both TCP and UPD), enter
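Review bot: "UPD" in the unchanged context line ("both TCP and UPD") is a typo for "UDP"; since the `apt-get install` to `apt install` line directly above is being touched anyway, fix the typo in the same revision so the tcpdump example is not left describing a non-existent protocol.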
Line 482: Line 442:
 <code>port-share 192.168.5.25 443</code> <code>port-share 192.168.5.25 443</code>
  
-into your server.conf file.  Set your router to forward public and private (external and internal) TCP port 443 to the private IP address of the Linux VM (OpenVPN server).  Non-OpenVPN traffic will be redirected to the other service's address.  See [[https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage|the OpenVPN 2.4 manual]] for more details.+into your server.conf file.  If sharing port 443 with another service within the VM itself, replace the IP address with "localhost".  Set your router to forward public and private (external and internal) TCP port 443 to the private IP address of the Linux VM (OpenVPN server).  Non-OpenVPN traffic will be redirected to the other service's address. 
 + 
 +==== SSH Server ==== 
 + 
 +The SSH server is useful for managing the VM from the terminal of another machine, such as Terminal in macOS, or [[https://www.putty.org/|PuTTY]] in Windows.  If you didn't select "SSH server" in Debian's software selection screen during installation, install it manually (as root): 
 + 
 +<code>apt install openssh-server</code> 
 + 
 +To be able to log in as root, edit the configuration file, 
 + 
 +<code>nano /etc/ssh/sshd_config</code> 
 + 
 +and uncomment (delete the "#") and edit the line with the PermitRootLogin field to be 
 + 
 +<code>PermitRootLogin yes</code> 
 + 
 +Restart the SSH service (or just reboot): 
 + 
 +<code>service ssh restart</code> 
 + 
 +To log in to the server from another Mac or Linux terminal, use the command 
 + 
 +<code>ssh root@192.168.5.100</code> 
 + 
 +where the IP address is that chosen for the Linux VM In PuTTY, it's sufficient to enter the IP address into the "Host Name (or IP address)" field, then log in as "root" If you remake the VM in the future, the macOS terminal will notice that the machine is not the same one as before, and, as a safety precaution, not let you proceed.  If you don't use SSH with any other machines, the quickest remedy to this problem is to delete the SSH known hosts file: 
 + 
 +<code>sudo rm ~/.ssh/known_hosts</code>
  
 ==== Client Usage with Virtual Machines ==== ==== Client Usage with Virtual Machines ====
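Review bot: `PermitRootLogin yes` in the new SSH Server section turns on password logins as root over SSH, which is the weakest setting sshd offers, and the text gives no reason to prefer it over the Debian default; since this VM is reachable by every VPN client on the bridge, suggest keeping the default (`PermitRootLogin prohibit-password`, root only with a key) or logging in as the normal user and switching with `su`, and saying so in the paragraph. Likewise `sudo rm ~/.ssh/known_hosts` discards the recorded host keys of every machine the Mac has ever connected to, not just the rebuilt VM; `ssh-keygen -R 192.168.5.100` removes only that one entry and is the remedy to recommend, with the whole-file deletion at most mentioned as a last resort. Minor: "chosen for the Linux VM In PuTTY" and "log in as "root" If you remake" are each missing the period between two sentences.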
Line 515: Line 501:
  
   *Some LAN-based programs don't specify which ports they use.  Unless you can determine the ports, a VPN is necessary for networking these programs over the Internet.   *Some LAN-based programs don't specify which ports they use.  Unless you can determine the ports, a VPN is necessary for networking these programs over the Internet.
 +===== More References =====
 +
 +OpenVPN 2.5 manual:\\
 +https://openvpn.net/community-resources/reference-manual-for-openvpn-2-5/
 +
 +OpenVPN HOW-TO page:\\
 +https://openvpn.net/community-resources/how-to/
  
-  *You can play shared-screen and "hot seat" games over the Internet using remote desktop software.+Deprecated Options in OpenVPN:\\ 
 +https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
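Review bot: the new `===== More References =====` heading is added directly after the last bullet of the list with no blank line between them, unlike every other section on the page, which is separated by a blank line; add one so the list and the heading are clearly distinct. Also, the bullet about playing shared-screen and "hot seat" games over remote desktop software is removed in this hunk without a replacement; if dropping it is intentional, fine, otherwise it belongs above the new heading rather than being lost in the references edit.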