blogpages:vpn_setup

blogpages:vpn_setup [2024/10/07 06:30] – created jcorona
blogpages:vpn_setup [2025/08/22 17:27] (current) jcorona
Line 1: Line 1:
 +
 ====== OpenVPN Setup Guide ====== ====== OpenVPN Setup Guide ======
  
Line 4: Line 5:
  
 Problem is, I cant seem to get ta.key to generate but im not worried about it right now: Problem is, I cant seem to get ta.key to generate but im not worried about it right now:
 +
 +**Future Update**: Tailscale is here, use this instead, not worth the hassle of using anything else or setting up VPN. 
  
 ====== OpenVPN Setup on Windows ====== ====== OpenVPN Setup on Windows ======
Line 17: Line 20:
  
   * Open **Command Prompt as Administrator**:   * Open **Command Prompt as Administrator**:
-    Click the Start menu, type `cmd`, right-click on **Command Prompt**, and choose **Run as administrator**.+    Click the Start menu, type `cmd`, right-click on **Command Prompt**, and choose **Run as administrator**.
      
   * Navigate to the EasyRSA folder:   * Navigate to the EasyRSA folder:
-    Type the following in CMD (assuming OpenVPN is installed in the default location):+    Type the following in CMD (assuming OpenVPN is installed in the default location):
       <code>       <code>
       cd "C:\Program Files\OpenVPN\easy-rsa"       cd "C:\Program Files\OpenVPN\easy-rsa"
Line 26: Line 29:
  
   * Initialize the Public Key Infrastructure (PKI):   * Initialize the Public Key Infrastructure (PKI):
-    Run the following commands in the Command Prompt:+    Run the following commands in the Command Prompt:
       <code>       <code>
       EasyRSA-Start.bat       EasyRSA-Start.bat
Line 33: Line 36:
  
   * Build the Certificate Authority (CA):   * Build the Certificate Authority (CA):
-    Create the Certificate Authority to sign the certificates:+    Create the Certificate Authority to sign the certificates:
       <code>       <code>
       ./easyrsa build-ca       ./easyrsa build-ca
       </code>       </code>
-    You will be prompted to set a password for the CA and provide details for the certificate (such as country, organization, etc.).+    You will be prompted to set a password for the CA and provide details for the certificate (such as country, organization, etc.).
  
   * Generate the Server Certificate and Key:   * Generate the Server Certificate and Key:
-    Run this command to create the server certificate:+    Run this command to create the server certificate:
       <code>       <code>
       ./easyrsa gen-req server nopass       ./easyrsa gen-req server nopass
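Review bot: `./easyrsa gen-req server nopass` only produces a certificate request (`pki/reqs/server.req`) and an unsigned private key (`pki/private/server.key`); the `server.crt` that the later copy step expects only exists after the CA signs it with `./easyrsa sign-req server server`. If that command sits in the lines elided between this hunk and the next, fine; otherwise add it directly after gen-req, because the guide as shown never creates the certificate. `nopass` is reasonable for the server key, since the service cannot answer a passphrase prompt at boot, but it means the key file in the config folder is the entire secret, so it should be readable only by the account the OpenVPN service runs under.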
Line 47: Line 50:
  
   * Generate Diffie-Hellman Parameters:   * Generate Diffie-Hellman Parameters:
-    For secure key exchange, run:+    For secure key exchange, run:
       <code>       <code>
       ./easyrsa gen-dh       ./easyrsa gen-dh
Line 53: Line 56:
  
   * Generate a Client Certificate and Key:   * Generate a Client Certificate and Key:
-    Create a certificate for your laptop (client):+    Create a certificate for your laptop (client):
       <code>       <code>
       ./easyrsa gen-req client1 nopass       ./easyrsa gen-req client1 nopass
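Review bot: as with the server, `gen-req client1 nopass` has to be followed by `./easyrsa sign-req client client1` before a `client1.crt` exists for Step 5 to transfer; the request alone cannot be used to connect. Also reconsider `nopass` here: this key is later copied to a laptop via USB or cloud storage, and a passphrase is the only thing protecting it if that copy or the laptop is lost. If `nopass` stays, document that the certificate should be revoked (`./easyrsa revoke client1`, then `./easyrsa gen-crl` and `crl-verify` on the server) when the laptop is retired or goes missing.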
Line 60: Line 63:
  
   * Generate the HMAC Key for TLS Authentication:   * Generate the HMAC Key for TLS Authentication:
-    For additional security, create a TLS-auth key (HMAC):+    For additional security, create a TLS-auth key (HMAC):
       <code>       <code>
       openvpn --genkey --secret ta.key       openvpn --genkey --secret ta.key
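Review bot: this is the step the intro says never worked, and the visible line suggests two reasons. First, `openvpn` is usually not on PATH inside the EasyRSA shell: on a default Windows install the binary is `C:\Program Files\OpenVPN\bin\openvpn.exe`, so invoke it with the full quoted path (or add that bin folder to PATH) and the file lands in the current directory. Second, OpenVPN 2.5 changed the syntax to `openvpn --genkey secret ta.key` (the key type is an argument to `--genkey`, not a separate `--secret` option); the old `--genkey --secret` form is deprecated and may not be accepted by newer builds. State which OpenVPN version the guide was written against so readers know which form applies.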
Line 74: Line 77:
  
   * Create a **Server Configuration File (server.ovpn)**:   * Create a **Server Configuration File (server.ovpn)**:
-    Use Notepad or another text editor to create a file named `server.ovpn` with the following content:+    Use Notepad or another text editor to create a file named `server.ovpn` with the following content:
       <code>       <code>
       port 1194       port 1194
Line 94: Line 97:
  
   * Copy the certificates:   * Copy the certificates:
-    Move the following files into the `C:\Program Files\OpenVPN\config` folder: +    Move the following files into the `C:\Program Files\OpenVPN\config` folder: 
-      `ca.crt` +      `ca.crt` 
-      `server.crt` +      `server.crt` 
-      `server.key` +      `server.key` 
-      `dh.pem` +      `dh.pem` 
-      `ta.key`+      `ta.key`
  
 ===== Step 4: Enable Port Forwarding on Your Router ===== ===== Step 4: Enable Port Forwarding on Your Router =====
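Review bot: the list names the files to move but not where EasyRSA 3 wrote them, which is what a reader following the earlier commands will be hunting for: `pki\ca.crt`, `pki\issued\server.crt`, `pki\private\server.key` and `pki\dh.pem` under the easy-rsa folder (`ta.key` is wherever the genkey command was run). Worth spelling out. Separately, `server.key` and `ta.key` are the secrets that make this VPN yours, and `C:\Program Files\OpenVPN\config` is readable by every local user by default; after copying, restrict the NTFS ACL on those two files to SYSTEM and Administrators.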
Line 107: Line 110:
 ===== Step 5: Set Up the OpenVPN Client on Your Laptop ===== ===== Step 5: Set Up the OpenVPN Client on Your Laptop =====
   * Create a **Client Configuration File** on your laptop:   * Create a **Client Configuration File** on your laptop:
-    Use Notepad to create a file called `client1.ovpn` with the following content:+    Use Notepad to create a file called `client1.ovpn` with the following content:
       <code>       <code>
       client       client
Line 126: Line 129:
  
   * Transfer the following files from your home computer to your laptop (via USB or cloud storage):   * Transfer the following files from your home computer to your laptop (via USB or cloud storage):
-    `ca.crt` +    `ca.crt` 
-    `client1.crt` +    `client1.crt` 
-    `client1.key` +    `client1.key` 
-    `ta.key`+    `ta.key`
  
   * **Install OpenVPN Client**: Install OpenVPN on your laptop from the OpenVPN download page.   * **Install OpenVPN Client**: Install OpenVPN on your laptop from the OpenVPN download page.
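Review bot: `client1.key` and `ta.key` are private material, and the transfer line offers cloud storage as a channel with no caveat. If they go through a cloud account, put at least the `.key` and `ta.key` files in a password-protected archive and delete the upload afterwards: anyone holding `ta.key` plus a signed client certificate and key can connect to this server. A USB stick or a direct copy over the LAN is simpler. Also worth noting for readers that `ta.key` must be byte-identical to the server's copy; regenerating it on one side is a common cause of TLS handshake failures.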
Line 141: Line 144:
 ===== Step 7: Additional Windows Configurations ===== ===== Step 7: Additional Windows Configurations =====
   * **Firewall**: Ensure that the Windows Firewall or any security software allows VPN connections.   * **Firewall**: Ensure that the Windows Firewall or any security software allows VPN connections.
-   +  * **Dynamic DNS**: If your home network's public IP changes regularly, set up Dynamic DNS (DDNS) so you can connect to your home network with a domain name rather than the IP.
-  +
  
  
 +====== Losing Internet Access After Connecting to a VPN ======
  
 +Losing internet access after connecting to a VPN is a common issue, especially when you configure OpenVPN to route all traffic through the VPN (full tunneling). Here are the most common reasons for this issue and how to fix it:
  
 +===== Possible Causes: =====
 +  * Missing or incorrect NAT configuration on the VPN server: The VPN server is not properly routing traffic from VPN clients to the internet.
 +  * IP forwarding not enabled on the server: The server is not forwarding traffic between the VPN subnet and the external network (your home network).
 +  * DNS issues: The VPN client may not be able to resolve domain names because DNS traffic is not being routed properly.
 +  * Firewall blocking traffic: A firewall on the VPN server may be blocking traffic from the VPN clients.
 +
 +===== Step-by-Step Troubleshooting =====
 +
 +**1. Ensure IP Forwarding Is Enabled on the VPN Server**
 +
 +The server must forward traffic between the VPN network and the internet.
 +
 +On Linux:
 +  * Enable IP forwarding by modifying the system configuration:
 +    * Open the file `/etc/sysctl.conf`:
 +      <code>
 +      sudo nano /etc/sysctl.conf
 +      </code>
 +    * Find the line:
 +      <code>
 +      #net.ipv4.ip_forward = 1
 +      </code>
 +    * Remove the `#` (uncomment the line) and save the file, or add the line if it doesn't exist:
 +      <code>
 +      net.ipv4.ip_forward = 1
 +      </code>
 +    * Apply the changes:
 +      <code>
 +      sudo sysctl -p
 +      </code>
 +
 +On Windows:
 +  * Ensure that the Routing and Remote Access feature is enabled in Windows to allow IP forwarding.
 +    * Go to Control Panel > Network and Sharing Center > Change Adapter Settings.
 +    * Right-click on the OpenVPN TAP Adapter, select Properties, and then go to the Sharing tab.
 +    * Ensure Internet Connection Sharing is enabled and the correct network (Wi-Fi or Ethernet) is selected for sharing.
 +
 +**2. Set Up NAT (Network Address Translation) on the VPN Server**
 +
 +If NAT isn't properly set up, traffic won't be routed to the internet from the VPN clients. This is common in full tunneling setups.
 +
 +On Linux:
 +  * Run the following command to set up NAT, replacing `eth0` with your internet-facing interface:
 +    <code>
 +    sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
 +    </code>
 +    * `10.8.0.0/24` is the default OpenVPN subnet (adjust if you're using a different subnet).
 +    * `eth0` is your internet-facing network interface (this could also be `wlan0` if using Wi-Fi).
 +  * Make sure the rule persists after reboot:
 +    <code>
 +    sudo iptables-save > /etc/iptables/rules.v4
 +    </code>
 +
 +On Windows:
 +  * Enable Internet Connection Sharing (ICS) between your internet-facing adapter (Wi-Fi or Ethernet) and the OpenVPN TAP adapter:
 +    * Right-click on your main network adapter (Wi-Fi or Ethernet), select Properties, then go to the Sharing tab.
 +    * Select **Allow other network users to connect through this computer's Internet connection** and choose the OpenVPN TAP adapter from the dropdown.
 +
 +**3. Verify the DNS Configuration on the Client**
 +
 +Sometimes, even if traffic is being routed through the VPN, the DNS settings may not be configured properly, preventing domain names from being resolved (for example, if you can access websites by IP but not by domain name).
 +
 +* Ensure DNS Servers Are Pushed from the Server:
 +  In your server configuration file (`server.ovpn` or `server.conf`), make sure DNS servers are being pushed to the clients. Add the following lines if they are missing:
 +  <code>
 +  push "dhcp-option DNS 8.8.8.8"  # Google's DNS
 +  push "dhcp-option DNS 8.8.4.4"  # Secondary DNS
 +  </code>
 +
 +* Modify the Client Configuration (`client.ovpn`):
 +  In your client configuration file (`client.ovpn`), ensure DNS settings are configured correctly:
 +  <code>
 +  dhcp-option DNS 8.8.8.8  # Google DNS
 +  dhcp-option DNS 8.8.4.4
 +  </code>
 +* Reconnect the client and verify if the DNS issues are resolved.
 +
 +**4. Test and Verify Routing**
 +
 +After implementing these fixes, reconnect to the VPN and test if the internet connection is working:
 +
 +  * **Check your external IP**: Visit WhatIsMyIP.com and verify that the IP address shown is your home network’s public IP (indicating that all traffic is routed through the VPN).
 +  * **Ping a website**:
 +    Open Command Prompt (on Windows) or a terminal (on macOS/Linux) and type:
 +    <code>
 +    ping google.com
 +    </code>
 +    * If you can ping the domain, DNS is working correctly.
 +    * If the ping succeeds with an IP address but fails with a domain name, DNS may still be misconfigured.
 +  * **Check the routing table (optional)**:
 +    On Windows, open Command Prompt and type:
 +    <code>
 +    route print
 +    </code>
 +    On Linux/macOS, use:
 +    <code>
 +    netstat -rn
 +    </code>
 +    Ensure that the default gateway (`0.0.0.0`) is pointing to the VPN interface (`10.8.0.1` or similar).
 +
 +**5. Check Firewall Rules**
 +
 +If the above solutions don’t work, verify that firewalls on both the server and the client are not blocking the VPN traffic.
 +
 +On the VPN server:
 +  * Ensure the firewall is not blocking outbound traffic from the VPN subnet (`10.8.0.0/24` by default).
 +  * On Linux, check iptables rules to ensure traffic from the VPN interface is allowed.
 +
 +On the client machine:
 +  * Check if the local firewall (e.g., Windows Defender Firewall) is blocking VPN traffic.
 +
 +===== Conclusion =====
 +
 +To fix the issue where you lose internet connectivity after connecting to the VPN:
 +  * Enable IP forwarding on the VPN server.
 +  * Set up NAT to route VPN client traffic to the internet.
 +  * Push DNS settings from the server and configure them on the client.
 +  * Test the internet connection and verify the routing table.
 +  
 +Let me know if you'd like more detailed help with any of the steps!
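Review bot: `sudo iptables-save > /etc/iptables/rules.v4` in step 2 does not do what the line intends: sudo only elevates `iptables-save`, while the `>` redirect is performed by the unprivileged shell, so it fails with "Permission denied" (and `/etc/iptables/` only exists once `iptables-persistent` is installed). Use `sudo sh -c 'iptables-save > /etc/iptables/rules.v4'` or `sudo netfilter-persistent save`. Three more points in the same section: (1) the MASQUERADE rule alone is not enough when the FORWARD chain policy is DROP (ufw sets it that way); the Linux part of step 2 should also add `-A FORWARD -i tun0 -o eth0 -j ACCEPT` and the reverse-direction `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` rule, and step 5 should say this instead of "check iptables rules". (2) The Windows instructions in step 1 and step 2 describe the same action twice on different adapters: step 1 enables Sharing on the TAP adapter, step 2 on the main adapter. ICS is enabled on the internet-facing adapter and shares to the TAP adapter, so step 1's Windows part should either be dropped or replaced by the actual IP forwarding setting (`HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter` = 1, then reboot). (3) In step 4, assuming the server pushes `redirect-gateway def1` for full tunneling, OpenVPN does not replace the `0.0.0.0` default route; it adds `0.0.0.0/1` and `128.0.0.0/1` via the VPN gateway, so `route print` will still show the LAN gateway as the default and the reader should look for those two routes instead. Finally, the closing "Let me know if you'd like more detailed help" line is chatbot residue and should be removed from the article.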