Overclock.net › Forums › Software, Programming and Coding › Networking & Security › OpenVPN server on router vs. OpenVPN server on PC behind router
OpenVPN server on router vs. OpenVPN server on PC behind router

post #1 of 7
Thread Starter 
I'm just trying to set up an OpenVPN server on my network for connecting to from insecure wifi hotspots. I could just enable OpenVPN server on a dd-wrt router which I already have.

Or I could run OpenVPN server on a PC that I already use as an FTP server. I tried that, spent quite a few hours following tutorials online, but I eventually hit a roadblock where I couldn't find the information about how to set up the OpenVPN client to work on Android. I already got OpenVPN server working on my Linksys WRT router and simply copied the .ovpn file to my Android device and inserted my dynamic DNS credentials.

But it seems that setting it up when using an OpenVPN server on a PC on a LAN requires more steps, such as port forwarding on the router.

The PC-based OpenVPN server method requires you to edit the server configuration file and tell it the path to the certificates in the OpenVPN folder (why they don't have a user friendly GUI method is beyond my comprehension), but I managed to get to the point where you set up the OpenVPN client, and I can't find out how to do this on Android because the instructions tell you to copy all the files that are referenced in the server config to the client, which I didn't have to do when setting up OpenVPN on my router.
Quote:
When you import a .ovpn file, make sure that all files referenced by the .ovpn file such as ca, cert, and key files are in the same directory on the device as the .ovpn file.

If anyone has experience with connecting to an OpenVPN on their home network remotely from their Android device and can give me some idea as to exactly what files have to be on the Android device, it would be much appreciated. Do I need the client.ovpn file AND the certificate files, or the certificate authority file? There are quite a few files and not much explanation about what files go to the client and how to utilize a dynamic DNS IP address. There's also mention of changing the IP address of the server to something outside your LAN subnet so that if you are connected to a wifi hotspot with the same subnet IP range (192.168.0.1) your client will not attempt to connect to a non-existent OpenVPN server on that network and instead go to the network that the OpenVPN server is on (ex. 192.168.50.106).

Maybe from a security standpoint it would be better to just set up an OpenVPN server directly on the router; this way there are no open ports on my PC as an attack vector. However, I don't know what the Linksys WRT router uses for security (1024 vs. 2048 TLS negotiation), or if it's using the Diffie–Hellman key exchange vs. RSA.
Edited by aweir - 5/3/17 at 10:23am
post #2 of 7
Server behind router 24/7.

How did you generate the certificates for the server? Usually you will generate a client one in the same process, and those are the files you add to Android (ca, key, certificate, and the .ovpn config).
post #3 of 7
Thread Starter 
Quote:
Originally Posted by beers View Post

Server behind router 24/7.

How did you generate the certificates for the server? Usually you will generate a client one on the same process and those are the files you add to android (ca, key, certificate, and the .ovpn config).

I tried it a couple ways so far. By following the "easy" OpenVPN Windows guide.
I just need to try it again. I generated the certificates and made sure the OpenVPN service was running, but when I tried to forward the port to the PC where the OpenVPN server was running, the port scan did not show that the port was open, so I figured I set up port forwarding wrong.

So here's what I have so far:

A PC running Windows Server 2012 R2 with two network cards: One onboard NIC, and one Realtek PCIe NIC.
I would like to set up DHCP address reservation and assign one card an IP address for use with my FTP server (already accomplished) and assign the second card its own IP address that OpenVPN will use. That way I can forward port 1194 to that card's IP address at the router. So, if my network IP range is normally 192.168.1.1-255, should I set the IP address of the other network card to something like 192.168.50.1-255 that is outside the range of my regular subnet?

Also a screenshot of a probable port forwarding scenario. All I really need is the protocol, incoming port 1194, and destination IP? Would the destination port also be 1194?

I really think that dedicating a second network card is optimal since OpenVPN is very resource hungry, amirite? This way one network card can deal with the FTP uploads from my IP camera, and one card can be reserved for OpenVPN traffic.

After I start the OpenVPN service, shouldn't I be able to run "netstat -a" in the command prompt and see the IP address of my VPN server listening on port 1194? And with the router properly port forwarded, should a site like TCP Port Scan with Nmap show an open connection on port 1194?
Edited by aweir - 5/3/17 at 8:52pm
post #4 of 7
You won't see an open port on the scan since it's UDP.

The load on OpenVPN is more CPU based; another network card isn't going to do anything for you.

You'd need a client certificate signed by the same CA and to upload all of those client files to Android for it to work. Also, you would define a VPN subnet for your VPN clients and route to that space from your router.
Edited by beers - 5/3/17 at 9:21pm
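The subnet point in the reply above is the one that trips people up: the tunnel needs its own address space that overlaps neither the home LAN nor the subnets public hotspots usually hand out, and the router then needs a route to that space. The following is an added example (mine, not code from this thread or from OpenVPN's own tooling) that checks candidate subnets for overlap using Python's standard ipaddress module and emits the matching server.conf directives for a routed (dev tun) server. The home LAN, the hotspot ranges and the candidate list are constructed sample values.

```python
import ipaddress

# Constructed sample values for this example, not taken from the thread:
# the home LAN that sits behind the router.
HOME_LAN = "192.168.1.0/24"

# Subnets consumer routers and hotspots commonly hand out (assumed list for
# illustration; extend it with the networks you actually roam to).
COMMON_HOTSPOT_RANGES = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24", "172.20.10.0/28"]

# Candidate address spaces for the tunnel itself, tried in order.
CANDIDATE_VPN_SUBNETS = ["192.168.1.0/24", "10.8.0.0/24", "10.9.0.0/24", "172.31.200.0/24"]


def overlaps_any(candidate, others):
    """Return the subnets in `others` that overlap `candidate` (empty list if none)."""
    net = ipaddress.ip_network(candidate, strict=False)
    return [o for o in others if net.overlaps(ipaddress.ip_network(o, strict=False))]


def pick_vpn_subnet(home_lan, hotspot_ranges, candidates):
    """First candidate that collides with neither the home LAN nor any hotspot range."""
    avoid = [home_lan] + list(hotspot_ranges)
    for cand in candidates:
        if not overlaps_any(cand, avoid):
            return cand
    raise ValueError("every candidate overlaps the LAN or a hotspot range")


def server_conf_lines(home_lan, vpn_subnet, full_tunnel=False):
    """server.conf directives for a routed (dev tun) server on the chosen subnet."""
    vpn = ipaddress.ip_network(vpn_subnet, strict=False)
    lan = ipaddress.ip_network(home_lan, strict=False)
    lines = [
        "dev tun",
        f"server {vpn.network_address} {vpn.netmask}",
        # Tell clients how to reach the home LAN through the tunnel.
        f'push "route {lan.network_address} {lan.netmask}"',
    ]
    if full_tunnel:
        # Send all client traffic (web browsing included) through the VPN.
        lines.append('push "redirect-gateway def1"')
    return lines


if __name__ == "__main__":
    chosen = pick_vpn_subnet(HOME_LAN, COMMON_HOTSPOT_RANGES, CANDIDATE_VPN_SUBNETS)
    print("clashes for 192.168.1.0/24:",
          overlaps_any("192.168.1.0/24", [HOME_LAN] + COMMON_HOTSPOT_RANGES))
    print("chosen VPN subnet:", chosen)
    print("\n".join(server_conf_lines(HOME_LAN, chosen, full_tunnel=True)))
```

With a routed server the router also needs a static route for the chosen VPN subnet pointing at the PC's LAN address (or the PC must NAT the tunnel traffic); without it LAN hosts have no return path to VPN clients. The redirect-gateway push is what makes browsing from a hotspot go through the home connection rather than straight out of the hotspot.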
post #5 of 7
Thread Starter 
Quote:
Originally Posted by beers View Post

You won't see an open port on the scan since it's UDP.

The load on OpenVPN is more CPU based; another network card isn't going to do anything for you.

OK, gotcha. Something else I forgot about was bridging the TAP interface with the ethernet interface as described in the server config file:

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface.


So if I wanted to browse the internet through my OpenVPN server at a wifi hotspot, I would need bridging, and not routing? And a TAP interface, not a TUN interface?

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
post #6 of 7
Ah, I only ever use tun setups; you should be able to bridge into the same subnet using tap. You can do your browsing with either setup; it's largely a layer 2 vs. layer 3 consideration.

What happens when you attempt to auth into it?
post #7 of 7
Thread Starter 
Sorry I didn't respond yet. I attempted to generate the keys again using TAP, and then I read that Android does not support TAP, only TUN, so I decided to stick with that. All day I have been comparing different tutorials, and so far there are several methods.

One tutorial tells you to create links to all your ca, certs, and keys in the server and client ovpn files, which is great for Windows when both OSes have a C:\Program Files\OpenVPN directory, but the issue is I'm going to be connecting from the OpenVPN Connect Android app, so I'm still not sure how to reference those files in the client.ovpn file or if I should use the unified method instead:

I'm going to have to come back to this another day.
Quote:
Consider using the unified format for OpenVPN profiles which allows all certs and keys to be embedded into the .ovpn file. This eases management of the OpenVPN configuration because it integrates all elements of the configuration into a single file.

For example, a traditional OpenVPN profile might specify certs and keys as follows:

ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1

You can convert this usage to unified form by pasting the content of the certificate and key files directly into the OpenVPN profile as follows using an XML-like syntax:

<ca>
-----BEGIN CERTIFICATE-----
MIIBszCCARygAwIBAgIE...
. . .
/NygscQs1bxBSZ0X3KRk...
Lq9iNBNgWg==
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
. . .
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
. . .
</key>

key-direction 1

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
. . .
</tls-auth>

Another approach to eliminate certificates and keys from the OpenVPN profile is to use the Android Keychain as described below.

https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-android-faq.html
Edited by aweir - 5/4/17 at 6:17pm
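The unified format in the quoted FAQ is also the answer to the earlier question of which files have to travel to the phone: once everything is embedded, the .ovpn alone does. The following is an added example (mine, not code from this thread or from OpenVPN Connect) that lists the external files a traditional client profile still references, converts the profile to the inline form shown above, and sanity-checks the result before it is copied to a device. The profile text and the file contents are constructed stand-ins for real PEM data, and the remote hostname is a placeholder for a dynamic DNS name.

```python
# Client-side directives whose file argument can be embedded inline as <tag>...</tag>.
INLINEABLE = ("ca", "cert", "key", "tls-auth")

# Constructed sample input (not the OP's files): a traditional client profile and
# the files it references. The contents are truncated stand-ins for real PEM data.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote my-dyndns-name.example.com 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
"""

SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nMIIB...ca...\n-----END CERTIFICATE-----\n",
    "client.crt": "-----BEGIN CERTIFICATE-----\nMIIB...client...\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...client...\n-----END RSA PRIVATE KEY-----\n",
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\n0123...\n-----END OpenVPN Static key V1-----\n",
}


def referenced_files(profile_text):
    """Files the profile still points at on disk: exactly the files that would
    have to sit next to the .ovpn on the device."""
    refs = []
    for line in profile_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in INLINEABLE:
            refs.append(parts[1])
    return refs


def inline_profile(profile_text, files):
    """Return a unified profile: each ca/cert/key/tls-auth file reference becomes an
    inline block built from files[filename]; tls-auth's direction flag becomes
    a key-direction line, as the FAQ shows."""
    kept, blocks = [], []
    for line in profile_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in INLINEABLE:
            directive, fname = parts[0], parts[1]
            if fname not in files:
                raise FileNotFoundError(f"{directive} references missing file {fname}")
            if directive == "tls-auth" and len(parts) >= 3:
                kept.append(f"key-direction {parts[2]}")
            blocks.append(f"<{directive}>\n{files[fname].strip()}\n</{directive}>")
        else:
            kept.append(line)
    return "\n".join(kept + blocks) + "\n"


def check_unified(profile_text):
    """Checks worth running before copying a profile to a phone: no file
    references remain, every inline tag is closed, and a private key is present."""
    problems = []
    if referenced_files(profile_text):
        problems.append("still references external files")
    for tag in INLINEABLE:
        if profile_text.count(f"<{tag}>") != profile_text.count(f"</{tag}>"):
            problems.append(f"unbalanced <{tag}> block")
    if "<key>" not in profile_text:
        problems.append("no inline <key> block")
    return problems


if __name__ == "__main__":
    print("files needed beside the traditional profile:", referenced_files(SAMPLE_PROFILE))
    unified = inline_profile(SAMPLE_PROFILE, SAMPLE_FILES)
    print("files needed beside the unified profile:", referenced_files(unified))
    print("problems:", check_unified(unified))
    print(unified)
```

Because the unified file carries the client's private key, it deserves the same handling as the key itself: transfer it over a channel you control (not an e-mail or a public paste) and delete stray copies once it is imported.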