VPN

What should I use to configure a VPN?
I honestly never bothered to go above SSH tunneling, but since I have a VPS w/ unmetered bandwidth, I thought having a VPN could be useful.

Is OpenVPN okay, or could something else be a better choice?

Openvpn is fine.

openvpn is recommended a lot. It is even standard on kosher (((cisco))) routers. Is there no alternative?

OpenVPN is good. Don't use PPTP, it's insecure.

Completely fucked up grammar... anyway...

seems like everything is backed up by (((big companies))), I was hoping to find projects by FSF but they seem to care only about gpg

Name them. I am unaware of any other open source project like openvpn besides tor. I know of a few closed source ones that are useless for obvious reasons. Then there are a few proxy clients/servers that aren't specifically VPNs but are for specific protocols.

A TPE-R1100
thinkpenguin.com/gnu-linux/free-software-wireless-n-mini-vpn-router-tpe-r1100
For one machine yes

OP here, is there any particular guide preferred?
I cannot really find any decent documentation, besides the how to on their site.

what do you mean? you can easily connect multiple clients to it.


everything you need is on the official documentation. it's formatted poorly so it looks like the thing you need is not there, but it's there.
you can google up some openvpn howtos from digitalocean or linode. their community forums usually have simple to understand tutorials

Does openvpn not come with manpages? You are making it sound more kiked by the second.

I was configuring it by combining the official documentation with the tutorial of DigitalOcean, tried twice and failed.
It's a real pain in the ass. Installing Gentoo is literally nothing compared to this crap.

it's great software. I didn't mean to shit on it.
[script] openvpn(8)

NAME
openvpn - secure IP tunnel daemon.[/script]
it's there


it takes some getting used to. I went through the same thing. once you get it, you'll be set for life.
anything particular you're trying to set up?

I even had classes on Diffie-Hellman and IPsec, so I'm pretty confident in my understanding of the certificate mechanism, but holy shit, the configuration is really nerve-wracking

My only experience with Openvpn is when our certs expired and I was the closest person to get onsite that night.
I spent about an hour trying to read up on the right way to do configuration changes, no dice (I think we have an older or non-standard install).
Did some filesystem exploring, here's what worked for me:
[script]/usr/local/openvpn_as/bin/sqlite3 /usr/local/openvpn_as/etc/db/config.db
UPDATE config SET value='' WHERE key='';
/etc/init.d/openvpnas restart[/script]
Also, why would I use OpenVPN instead of Wireguard or IPSec or SoftEther or even fucking OpenVPN-NL?

I had more trouble with ejabber. I really didn't understand shit there.
but yeah, openvpn also isn't very straightforward. I have a few running instances. maybe I can help?

you use sqlite3 with this? how does that work?
so you changed the pem in the database? didn't you need to replace certs on clients also?

sqlite just gives a SQL prompt, it's a breeze to use.
There's a separate cert.db with certificates for each user - I didn't fuck with that.
I was changing the certs used by the global SSL PKI. We should be using Let's Encrypt here but instead we let stuff break every year.

I know about sqlite3, I just didn't know you can use it with openvpn. I just did a quick google and found a github page with a conf parameter:
[script]auth-user-pass-verify /etc/openvpn/openvpn-sqlite-auth/user-auth.py via-env[/script]
so yeah, great. theoretically you can get this stuff to auth with anything.

just out of curiosity. so you replaced the main cert you got from your PKI shit, and you didn't need to update client certs?

I don't know what I'm supposed to do, but I didn't and it works right now.

apparently auth can be based on un/pw and not give that much of a shit about certs. just quick read the manpages. didn't know this. seems better if you can't reach the remote clients.

I'm setting up OpenVPN on my server (not a VPS, it's in my apartment). I followed this guide on a clean install of debian: cyberciti.biz/faq/how-to-install-and-configure-an-openvpn-server-on-debian-9-in-5-minutes/
I can connect to it from the client but once connected I can't access the internet or anything on my LAN

it's probably a NAT thing. when you connect the client, on the server side, check if it's actually connected. run ifconfig or check the logs to see if it's there.
if it is, then this
>once connected I can't access the internet or anything on my LAN
is probably a NAT/forwarding issue. since you're using ufw, I can't really help

The logs show the client is connected. And I can ping the local address of the server, but if I try to ping the address of another device on my network it won't work.
I tried disabling ufw (I only used it because the guide said so) and I still have the same issue.

ok great, so it's not a vpn issue.

for networking to work with (other) remote hosts, you need to set up forwarding and a NAT on the server side. at least that's how I did it with iptables. I made a post about it on the sticky if it helps

oh, and when you say
do you mean any other vpn connected client, or like public internet stuff?

I added those rules to ufw. Pic related is my iptables, I removed my public IP.
By other devices on my network, I mean things on my private LAN, such as my media server which isn't publicly visible but I can access while at home (and I'd like a VPN to access it remotely)

Jesus man, I can't read that.
just paste the config (iptables-save)

and I just compared to my setup, and all I have is this
[script]$ iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 224K packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 82871 packets, 4972K bytes)
 pkts bytes target     prot opt in     out     source               destination
 101K 6387K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 184K packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination[/script]
and for forwarding I have this
[script]$ iptables -L FORWARD -n -v
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0[/script]

I've no idea what all that stuff is on your end

sorry, I'm pretty new to messing with iptables
[script]# Generated by iptables-save v1.6.0 on Tue Aug 22 15:30:38 2017
*nat
:PREROUTING ACCEPT [143:10394]
:INPUT ACCEPT [6:694]
:OUTPUT ACCEPT [2:146]
:POSTROUTING ACCEPT [2:146]
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 24.29.244.9
-A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 24.29.244.9
-A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE
COMMIT
# Completed on Tue Aug 22 15:30:38 2017
# Generated by iptables-save v1.6.0 on Tue Aug 22 15:30:38 2017
*filter
:INPUT DROP [94:3008]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o enp0s3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o enp0s3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -i tun+ -j ACCEPT
-A ufw-before-forward -i tap+ -j ACCEPT
-A ufw-before-forward -i tun+ -o enp0s3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -i enp0s3 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A ufw-before-input -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A ufw-before-input -s 10.8.0.0/24 -m state --state NEW -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 1194 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 1194 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Tue Aug 22 15:30:38 2017[/script]

yooo nigga what the fuck is all that shit
you really just need this
[script]*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
-A INPUT -m state --state NEW -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
COMMIT[/script]
fucking ubuntu man, I swear to god. this shit is worse than firewalld

Using Debian, but yeah
What OS are you using?

centos 6
you using Jessie? I thought debian was still on iptables as default

9.1 stretch
I'll give centos a try

debian is a good os. there is nothing wrong with it.
just check your ufw config or whatever. from the looks of it, you have duplicate statements. try cleaning that up first
good luck
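Added example, not code from anyone in this thread: a small Python linter for an iptables-save dump that catches the two problems visible in the posted config, duplicated rules and rules that name an interface the box does not have (the guide's eth0 pasted onto a host whose uplink is enp0s3), and checks that the MASQUERADE plus FORWARD-from-tun+ pair is present. The sample dump is constructed from rules quoted above; the known interface set and the checks are my assumptions, not OpenVPN's or ufw's.

```python
from collections import Counter
import re

# Constructed sample: a cut-down iptables-save dump with the duplicate
# MASQUERADE rule and the stray eth0 rule from the thread.
SAMPLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o enp0s3 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o enp0s3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_rules(dump):
    """Return (table, rule) pairs for every -A line, tracking the *table header."""
    table, rules = None, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            rules.append((table, line))
    return rules

def duplicates(rules):
    """Rules that appear more than once in the same table (each reported once)."""
    return sorted(r for r, n in Counter(rules).items() if n > 1)

def unknown_interfaces(rules, known):
    """(iface, rule) for every -i/-o naming an interface not in `known`; tun+ wildcards pass."""
    bad = []
    for _, rule in rules:
        for iface in re.findall(r"-[io] (\S+)", rule):
            if not iface.endswith("+") and iface not in known:
                bad.append((iface, rule))
    return bad

def has_vpn_gateway_rules(rules, vpn_net, uplink):
    """True if vpn_net is masqueraded out `uplink` and FORWARD accepts traffic from tun+."""
    nat = [r for t, r in rules if t == "nat"]
    flt = [r for t, r in rules if t == "filter"]
    masq = any(f"-s {vpn_net}" in r and f"-o {uplink}" in r and "MASQUERADE" in r for r in nat)
    fwd = any(r.startswith("-A FORWARD -i tun+") and r.endswith("-j ACCEPT") for r in flt)
    return masq and fwd
```

Feed it the real output of `iptables-save` and the interface list from `ip link` to get the same report for a live host.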

After installing CentOS, I finally got it working

Thank you user. The world needs more people like you

glad you got it working. happy vpn-ing!

OP, make sure your DNS and IPv6 aren't leaking:
dnsleaktest.com/ (click on extended test)
test-ipv6.com/

I had to disable my IPv6 because my VPN provider doesn't support it yet, and add some code to the .ovpn files to control what DNS my traffic goes through.

So now I have a new problem. While connected to my VPN I can connect to things on my local LAN, but I can't see my UPnP server. Is there a way to route UPnP traffic through the VPN?

Is openvpn intended for personal use or just server use? I was thinking if I would actually use this on my laptop but I tried reading the man page and I'm honestly completely lost and have no idea what I'm doing.

It gets used everywhere for everything but it's incredibly shit. Think of it like the PHP of VPN.

so what should I use for a VPN for myself? PIA?

To configure it, I would suggest you follow the guide this user posted
then it can be used by running [script]openvpn --config /path/to/file[/script]