OpenVPN for n00bs guide?

Predki (n3wb, joined Oct 14, 2019, Canada)
Hi all,

I've tried and failed (twice) to set up an OpenVPN server on my Windows 10 machine, along with the corresponding OpenVPN client (using the OpenVPN Connect app) on my iPhone.

I have followed online guides that I found on Google, but they are all either outdated or incomplete. I will get as far as uploading the certificates onto the iPhone, but then I get a 'failed to connect to server' message which leads me nowhere.

Most of the guides online are for PC-to-PC connections, or Mac-to-PC. Since I am essentially a noob, I'm looking for a guide that breaks down the steps so that they are foolproof to follow. I understand there can be some incompatibilities when translating a text file from Windows to Unix machines (some recommend using dos2unix to translate it; however, I don't know how to use this app). There is also a GPG key on the latest versions of OpenVPN -> I haven't found a guide that mentions how to work with this.

Can anyone lead me to an up-to-date guide that breaks down the instructions for noobs?

thanks

Matt
 

alastairstevenson (Staff member, joined Oct 28, 2014, Scotland)
can anyone lead me to an up to date guide that breaks down the instructions for noobs?
This one has proven pretty useful:

And a forum search will yield quite a few more how-tos.
 
Joined Jul 12, 2018, Oregon
@Predki, I just redid some OpenVPN <=> iDevice stuff last week, so it's fresh in my mind.

I won't attempt to rehash all the guides that are out there, from people who know more than me about this topic. Instead, I'll give you a grab bag of stuff that would have helped me along with what's currently working for us. I don't claim it's optimal, but it's doing what we want.

First off, just knowing that it can/will ultimately work and be great is good to keep yourself going. There are a lot of potential blind alleys so knowing it ultimately will work might be one of the most helpful things! Now that ours is set up, it's working great... connecting quickly, stable, etc.

Some of the config I'm including is exact and some has been redacted/replaced with fake stuff. You can always compare to what you have and consider whether any differences might be relevant. This is pretty randomly "organized" but here we go.

The iPhone/iPad app is this one:

Our setup allows us to connect with e.g. an iPhone and access our home network which includes 192.168.34.* and 192.168.200.*

The latter corresponds to a new VLAN 200 that we've recently set up for our IP cameras. This VLAN is L3 routed by a pfsense device. You might or might not have something like that, but the parts of config that correspond to it are probably pretty obvious so if you don't have it, those can be cut out.

Background info for you to substitute against your setup:
Router to Comcast (our ISP)'s internal interface: 192.168.34.1
OpenVPN server: 192.168.34.47 # I'll pretend this machine's host name is OpenVpnServer1
pfsense firewall: 192.168.34.3 (not our main router/firewall at this time but it does L3 routing between 192.168.34.* and 192.168.200.*)
Cameras: 192.168.200.*
OpenVPN IP space: 10.* (yeah, that's a huge range; could be tightened)
On external router (192.168.34.1):
Add static routes
192.168.200.0/24 => 192.168.34.3 # not needed unless separately routed subnet; you can probably ignore
10.0.0.0/8 => 192.168.34.47 # send OpenVPN stuff to OpenVpnServer1
Forward UDP on some random port; for example 33333, so
Map UDP/33333 => 192.168.34.47

Open Windows firewall on OpenVpnServer1... allow UDP port 33333 from any host, any port.

Be sure IP routing on OpenVpnServer1 (192.168.34.47) is enabled.
Go through certificate generation for each iPhone/iPad/client. Follow other guides for this. I have nothing to add at this time.

The way we did it, for each client there are 3 files that differ {x.crt, x.key, x.ovpn} and one that stays the same OpenVpnServer1-ca.crt.

Keep these named consistently and organized.

For example:

Scott's iPhone8, the physical device, gets these 4 files:
OpenVpnServer1-ca.crt
Scott-iPhone8.crt
Scott-iPhone8.key
Scott-iPhone8.ovpn

Scott's iPad Air 2 gets:
OpenVpnServer1-ca.crt
Scott-iPadAir2.crt
Scott-iPadAir2.key
Scott-iPadAir2.ovpn
etc.

Here are the contents of Scott-iPhone8.ovpn; the others are almost identical, with some obvious substitutions.

client
dev tun
proto udp
remote yourhome-external-ip.whatever.com 33333 # you need some kind of stable name to access your home's external IP; dyndns or static IP
ca OpenVpnServer1-ca.crt
cert Scott-iPhone8.crt # generate this pair for each iDevice or other client
key Scott-iPhone8.key # generate this pair for each iDevice or other client
ns-cert-type server # I think this is officially obsolete but we didn't change yet
keepalive 10 70 # might not be needed


Here is the server config; it lives in the config subfolder of the OpenVPN installation.

\\openvpnserver\path\to\openvpn\config\OpenVpnServer1.ovpn:

port 33333
proto udp
dev tun
ca OpenVpnServer1-ca.crt # this same file goes onto the clients
cert 20190303.crt # name unimportant.. was generated March 3
key 20190303.key # name unimportant.. was generated March 3
dh dh2048.pem
server 10.18.34.0 255.255.255.0 # could be anything in 10...*
client-to-client
keepalive 5 25
persist-key
persist-tun
push "route 192.168.34.0 255.255.255.0"
push "route 192.168.200.0 255.255.255.0"
# leave these next two out if you don't have an internal DNS server for your home network
push "dhcp-option DNS 192.168.34.32" # our internal DNS server for ourdomain1234.com
push "dhcp-option DOMAIN ourdomain1234.com"


Another thing that's helpful is the iPhone log and the following debug cycle.

On iPhone, disable wifi to take that out of the mix. Use LTE or 4G or whatever cellular option you have going.

Be sure you can ping the actual IP 8.8.8.8 (google DNS) to be sure your ping tool is working. (I used Fing; more on this elsewhere)
Be sure you can ping yourhome-external-ip.whatever.com or otherwise access your router's external address; do this by name to be sure resolution is working ok.

Repeat the following within the iPhone's OpenVPN app as you alter config:
  • disconnect (if connection was successful)
  • clear the log
  • connect (or try to connect)
  • read the log (Really read this carefully and try to understand it. Pay special attention to "ignored options" if you see them there)
There are lots of places for the process to break down... certificate issues, routing, DNS, etc. We also had some ping tools on our iPhones that didn't appear to work correctly (seriously! ping didn't work with a ping application), so we lost lots of time there.

We ended up using Fing, which I didn't love in terms of UI, but it did work.

Start very simple with one stable and constant goal and don't move on until that's achieved.

First try to get connectivity and rule out any certificate issues. Next, e.g., move on to IP based pinging to establish that routing is working. Be sure ping is enabled and not firewalled on the target. Watch out for Windows firewall's detestable (IMO) profiles and be sure any rules apply to the current profile, or just "All".

Use Windows "route print" on OpenVpnServer1 to see if OpenVPN is successfully updating routes that "make sense".

At one point, years ago, we had two lines at the top of our ovpn configs:
route-method exe
route-delay 40


These used to be necessary, but we found out that now they were making things slow and/or being ignored. At least for us, these are not needed anymore; they might have been from pre-Windows-7 days.

Watch out for the fact that OpenVPN reads every .ovpn file in its config directory. If you like to make a copy of your ovpn file within the config directory, like Old20200217-OpenVpnServer1.ovpn, you can end up with OpenVPN reading that config in addition to the "real one". Even moving it into a subfolder doesn't solve the problem, so move it into a sibling of config, like config-obsolete. (Or, use git or other version control or find another way to record changes over time... or just don't)

Some options can be set in either the server ovpn config file or the client ovpn config file. "push" generally corresponds to something in the server ovpn file that could have been set without the "push" statement in the client. In the case of iPhone configs, updating them is more work than changing it on the client, so we keep the client config minimal and modify the server config more than the client.

If you're running OpenVPN as a service, which you probably ultimately want to be doing, it can be handy to have a cmd window open as administrator and to frequently do the following to restart the service as you make config changes:
net stop openvpnservice
net start openvpnservice


I like to see a connection go down after the net stop before attempting to revive it with net start. Basically, I like to see evidence of each step having its expected effect.
It can be critical to run OpenVPN Gui as administrator, if you're running OpenVPN as a service.

It can be helpful to have a ping monitor going somewhere to see changes quickly. I use this PingInfoView - Ping to multiple host names/IP addresses on the Windows. This probably helps more with site-to-site vs. iPhone. For the iPhone ping tool, we used Fing. It's ok... free with ads. I'm sure there are better options, but it's one that worked and another one we used did not work correctly.

There is a client config directory option (often conventionally called 'ccd') that we actually use, but is not included in the examples above, for simplicity. This is really nice for testing options with multiple clients (e.g. multiple phones) if they either need different options or you just want to test something without breaking a working config. If you're starting with just one phone and one Windows machine, you may or may not find this worthwhile. It does let you test changes without restarting the server side, which is nice.

So... lots to digest there but perhaps some of it will help. I wanted to document some of this for myself anyway, so I thought I'd share.
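An added example, not part of this thread and not OpenVPN's own code: a small Python checker that reads .ovpn files the way OpenVPN does (comments after '#' or ';', quoted arguments such as push "route ...") and cross-checks a client config against its server config for the things the post above names as places the process breaks down: port, proto and dev mismatches, the obsolete ns-cert-type line, pushed routes that collide with the VPN address pool, and a backup copy of the server .ovpn left in the config folder. The embedded configs are constructed to match the shapes posted above; the host name and file names are placeholders. It reports client-to-client as informational, and treats a client with neither ns-cert-type nor remote-cert-tls as a warning, because without either the client accepts any certificate signed by the same CA (another client's, for instance) as the server.

```python
"""Added example: parse OpenVPN .ovpn text and cross-check client vs. server.
The sample configs below are constructed placeholders, not real infrastructure."""
import ipaddress
import shlex
from typing import List, Optional, Tuple

Option = Tuple[str, List[str]]


def strip_comment(line: str) -> str:
    """Drop a trailing '#' or ';' comment, but not one inside a quoted string."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch in "#;":
            return line[:i]
    return line


def parse_ovpn(text: str) -> List[Option]:
    """Return (option, args) pairs in file order; a quoted argument stays one arg."""
    options: List[Option] = []
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if line:
            parts = shlex.split(line)
            options.append((parts[0], parts[1:]))
    return options


def first(options: List[Option], name: str) -> Optional[List[str]]:
    """Arguments of the first occurrence of an option, or None if absent."""
    for opt, args in options:
        if opt == name:
            return args
    return None


def check_configs(client_text: str, server_text: str) -> List[str]:
    """Cross-check a client .ovpn against the server .ovpn; return ERROR/WARN/INFO lines."""
    client, server = parse_ovpn(client_text), parse_ovpn(server_text)
    findings: List[str] = []

    # Transport: proto and the port named in the client's 'remote' must match the server.
    c_proto = (first(client, "proto") or ["udp"])[0]
    s_proto = (first(server, "proto") or ["udp"])[0]
    if c_proto != s_proto:
        findings.append(f"ERROR proto mismatch: client {c_proto}, server {s_proto}")
    remote = first(client, "remote") or []
    c_port = remote[1] if len(remote) > 1 else "1194"   # OpenVPN default port
    s_port = (first(server, "port") or ["1194"])[0]
    if c_port != s_port:
        findings.append(f"ERROR port mismatch: client remote port {c_port}, server port {s_port}")

    # dev tun on one side and dev tap on the other will not interoperate.
    c_dev = (first(client, "dev") or ["?"])[0]
    s_dev = (first(server, "dev") or ["?"])[0]
    if c_dev != s_dev:
        findings.append(f"ERROR dev mismatch: client {c_dev}, server {s_dev}")

    # Server-certificate purpose check on the client: ns-cert-type was removed in
    # OpenVPN 2.5; 'remote-cert-tls server' is its replacement.
    if first(client, "ns-cert-type") is not None:
        findings.append("WARN ns-cert-type is obsolete (removed in 2.5); use 'remote-cert-tls server'")
    elif first(client, "remote-cert-tls") is None:
        findings.append("WARN client does not verify the server certificate's purpose; add 'remote-cert-tls server'")

    # A pushed route that overlaps the pool handed out by 'server' breaks routing.
    srv = first(server, "server")
    if srv and len(srv) >= 2:
        pool = ipaddress.ip_network(f"{srv[0]}/{srv[1]}", strict=False)
        for opt, args in server:
            parts = args[0].split() if opt == "push" and args else []
            if len(parts) >= 3 and parts[0] == "route":
                route = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
                if route.overlaps(pool):
                    findings.append(f"ERROR pushed route {route} overlaps VPN pool {pool}")

    if first(server, "client-to-client") is not None:
        findings.append("INFO client-to-client: every connected device can reach every other one")
    return findings


def config_dir_check(filenames: List[str]) -> List[str]:
    """The Windows service starts one instance per *.ovpn in the config folder,
    so a backup copy left there becomes a second live server."""
    loaded = sorted(f for f in filenames if f.lower().endswith(".ovpn"))
    if len(loaded) > 1:
        return [f"WARN {len(loaded)} configs would all be started: {', '.join(loaded)}"]
    return []


# Constructed sample configs in the shape of the ones posted above (placeholder names).
CLIENT_OVPN = """
client
dev tun
proto udp
remote yourhome-external-ip.whatever.com 33333  # placeholder host name
ca OpenVpnServer1-ca.crt
cert Scott-iPhone8.crt
key Scott-iPhone8.key
ns-cert-type server
keepalive 10 70
"""

SERVER_OVPN = """
port 33333
proto udp
dev tun
ca OpenVpnServer1-ca.crt
cert 20190303.crt
key 20190303.key
dh dh2048.pem
server 10.18.34.0 255.255.255.0
client-to-client
keepalive 5 25
persist-key
persist-tun
push "route 192.168.34.0 255.255.255.0"
push "route 192.168.200.0 255.255.255.0"
push "dhcp-option DNS 192.168.34.32"  ; trailing comment in the other comment style
"""

if __name__ == "__main__":
    for line in check_configs(CLIENT_OVPN, SERVER_OVPN):
        print(line)
    for line in config_dir_check(["OpenVpnServer1.ovpn", "Old20200217-OpenVpnServer1.ovpn"]):
        print(line)
```

Run it against your own pair of files by reading them into the two strings; an ERROR line is something the iPhone log will usually also show, a WARN line is worth fixing before hunting for routing problems.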
 

Predki (n3wb, joined Oct 14, 2019, Canada)
@ScottOregon you have certainly given me more than enough information to hash through. I will follow your advice to take away small wins in order to keep motivated because, as you know, it can get frustrating to say the least.

I really appreciate all the effort you put into this post, and I will try some of it over the weekend.

All the best!!

Matt
 