OpenVPN: internal network

Personally, I use OpenVPN to connect my server (on the public internet, which is also the OpenVPN server), my home server and my laptop (when travelling).

There were a few main things I needed to sort out.

For example, access through proxies. I use two connections: TCP port 443 (reachable through an HTTP proxy, and it looks like ordinary HTTPS) and UDP port 443. UDP is the better carrier when no proxy is in the way, because it avoids stacking TCP retransmissions and acknowledgments on top of the TCP connections inside the tunnel (the TCP-over-TCP problem).

My main (TCP) server config file looks like this:

port 443
proto tcp
dev tun1
ca aws-keys/ca.crt
cert aws-keys/aws.enigma14.eu.crt
key aws-keys/aws.enigma14.eu.key
dh aws-keys/dh1024.pem
comp-lzo
log /var/log/openvpn.aws.log
keepalive 10 120
server 192.168.10.0 255.255.255.0
topology subnet
client-config-dir ccd
learn-address /etc/openvpn/tcp-route.sh

As you can see, I use a small static script, tcp-route.sh, as the learn-address hook. OpenVPN runs it with three arguments (add, update or delete; the learned address; the client's Common Name) every time a client address is learned or forgotten, so it adds a host route for each connecting client. Two settings in this config are worth revisiting on a current OpenVPN: dh1024.pem is a 1024-bit Diffie-Hellman group (2048-bit is the usual minimum today), and comp-lzo enables compression, which OpenVPN has deprecated because compressing traffic before encryption leaks information (the VORACLE attack).

#!/bin/bash
# learn-address hook: $1 = add|update|delete, $2 = client address, $3 = common name
# "replace" is idempotent, so an update (address re-learned) or a repeated add
# does not fail with "File exists" the way "ip route add" would.
if [[ $1 = 'add' || $1 = 'update' ]]; then
    ip route replace "$2" dev tun1 src 192.168.10.1
fi
if [[ $1 = 'delete' ]]; then
    ip route del "$2" dev tun1
fi

I also have a similar script, udp-route.sh:

#!/bin/bash
# learn-address hook for the UDP server; identical except for the interface
if [[ $1 = 'add' || $1 = 'update' ]]; then
    ip route replace "$2" dev tun2 src 192.168.10.1
fi
if [[ $1 = 'delete' ]]; then
    ip route del "$2" dev tun2
fi

As you can see, the only difference between the scripts is the interface. That is because I run two OpenVPN servers, one for TCP and one for UDP, and both hand out addresses from the same 192.168.10.0/24. The kernel therefore has two overlapping routes for that subnet (one via tun1, one via tun2), so a per-client host route is needed to steer each client's traffic to the interface its tunnel is actually on. Below is the config file for the UDP server.

port 443
proto udp
dev tun2
ca aws-keys/ca.crt
cert aws-keys/aws.enigma14.eu.crt
key aws-keys/aws.enigma14.eu.key
dh aws-keys/dh1024.pem
comp-lzo
log /var/log/openvpn.aws-udp.log
keepalive 10 120
server 192.168.10.0 255.255.255.0
topology subnet
client-config-dir ccd
learn-address /etc/openvpn/udp-route.sh

As you can see, it uses udp-route.sh, so when a client connects to the UDP side of the server, its host route is added via tun2 rather than tun1.
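Since the two route scripts differ only in the interface name, they can be folded into one hook. The version below is an added example, not the script from the original post: it reads the tunnel device from the `dev` environment variable that OpenVPN exports to every script, handles the `update` operation the original scripts ignore, and validates the learned address before it is placed on an `ip` command line. The `script_type` guard is also OpenVPN's own environment variable; the server-side address 192.168.10.1 is taken from the configs above and is the only assumed value.

```bash
#!/bin/bash
# Added example (not the original post's script): one learn-address hook
# that serves both the TCP and the UDP server. OpenVPN runs it as
#   <script> <add|update|delete> <address> [common_name]
# and exports the tunnel device as $dev and the hook type as $script_type,
# so the interface no longer has to be hard-coded into two copies.
# Assumed, as in the post's configs: the server side of the tunnel is
# 192.168.10.1. Override SRC_ADDR if yours differs.
SRC_ADDR=${SRC_ADDR:-192.168.10.1}

# route_args OP ADDR [DEV]
# Prints the "ip" argument list for OP; returns non-zero if OP is unknown
# or ADDR is not a plain IPv4 address or prefix. The address is derived
# from the peer's configuration, so it is checked before it reaches a
# command line.
route_args() {
    local op=$1 addr=$2 iface=${3:-${dev:-tun1}}
    case "$addr" in
        ''|*[!0-9./]*)
            echo "learn-address: refusing address '$addr'" >&2
            return 2 ;;
    esac
    case "$op" in
        # "replace" is idempotent: a re-learned (update) or repeated add does
        # not fail with "RTNETLINK answers: File exists" as "ip route add" would.
        add|update) echo "route replace $addr dev $iface src $SRC_ADDR" ;;
        delete)     echo "route del $addr dev $iface" ;;
        *)
            echo "learn-address: unknown operation '$op'" >&2
            return 1 ;;
    esac
}

# Apply the route for one hook invocation. A non-zero exit makes OpenVPN
# reject the address on add/update, which is the right outcome for bad input.
apply_route() {
    local args
    args=$(route_args "$@") || return $?
    # shellcheck disable=SC2086  # args is a validated, space-separated list
    ip $args
}

# Only touch the routing table when OpenVPN itself invoked us as a hook.
if [ "${script_type:-}" = "learn-address" ]; then
    apply_route "$@"
fi
```

Install it once (for example as /etc/openvpn/learn-address.sh), point both configs at it with `learn-address /etc/openvpn/learn-address.sh`, and remember that OpenVPN only runs external hooks when `script-security 2` (or higher) is set in the server config.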

The last thing I do is use static addresses. I have a directory ccd/, and inside it are files named after each client certificate's Common Name, e.g. key1, with this content:

ifconfig-push 192.168.10.100 255.255.255.0

So that's basically how I use OpenVPN. Of course, OpenVPN is not the only solution, but it is highly multiplatform thanks to the wide availability of clients for all platforms.