OpenVPN

Links of value:

Container Configuration Considerations

If your OpenVPN server or client is failing with errors like:

ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory

You are probably missing the /dev/net/tun device node, which OpenVPN needs in order to create the tun0 interface for your encrypted tunnel. Try these steps to see if you are able to start your VPN service:

service openvpn stop
mkdir /dev/net
mknod /dev/net/tun c 10 200
chmod 666 /dev/net/tun
service openvpn start

If your OpenVPN server starts successfully, you can add a startup script that creates the device node at boot time. Save the following script as /etc/init.d/tun:

#! /bin/sh
# Script originally developed by Wolfgang
### BEGIN INIT INFO
# Provides:          tun
# Required-Start:    $network
# Required-Stop:     $openvpn
# Default-Start:     S 1 2
# Default-Stop:      0 6
# Short-Description: Make a tun device.
# Description:       Create a tundev for openvpn
### END INIT INFO

# Actions
case "$1" in
    start)
        mkdir -p /dev/net
        # Only create the node when it is missing; mknod fails on an existing path
        [ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200
        chmod 666 /dev/net/tun
        ;;
    stop)
        # Nothing to undo: the device node can stay in place
        ;;
    *)
        echo "Usage: $0 {start|stop}" >&2
        exit 1
        ;;
esac

exit 0

Then activate the script at boot time:

chmod 755 /etc/init.d/tun
update-rc.d tun defaults

Be sure to reboot your container to make sure that your VPN service starts properly.

OpenVPN Client as a Router

You may want your Turnkey Linux OpenVPN appliance to connect to an OpenVPN Server or Gateway in order to route network traffic. Example uses might be a Site-to-Site VPN where the remote site (client) connects to the central office (server), or when securing the traffic of another host, such as a Turnkey Linux Torrent Server.

In either case, you will need to first set up your client.ovpn file as your OpenVPN default configuration file. You do this by copying the client.ovpn file to a .conf file in /etc/openvpn:

cp /root/client.ovpn /etc/openvpn/client.conf

Then check that the client connects successfully by running it in the foreground:

openvpn --config /etc/openvpn/client.conf

Now you need to make sure that OpenVPN starts your client connection when the appliance boots, by editing the OpenVPN defaults file and uncommenting the "client" autostart entry:

nano /etc/default/openvpn
AUTOSTART="client"

Note that the "AUTOSTART" value must match the name of the .conf file in /etc/openvpn, without the ".conf" at the end. If you gave the file a different name, such as "user1.conf", you will have to change the value to AUTOSTART="user1".

Finally, you need to enable routing between the eth0 and the tun0 interface using IPTables:

iptables -A FORWARD -o tun0 -i eth0 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE

Note that you will need to replace "192.168.1.0/24" with the IP and subnet of your local network.

At this point, you should be able to test your routing with another computer. Give it an IP address on your local network and set its default gateway to the static IP address of your Turnkey Linux OpenVPN appliance. You can then visit a website that displays your public IP address and confirm that it matches the VPN server's address rather than your ISP's.

Once your IPTables rules are working and your traffic is routing, you need to save the rules to a specific file:

iptables-save | tee /etc/iptables.up.rules

The file name and path are important: /etc/iptables.up.rules already exists and is loaded from /etc/network/interfaces when networking starts, so don't change the name.
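The three iptables commands above are typed in by hand, which makes it easy to get the subnet wrong or to forget that Debian ships with IP forwarding disabled. The following script is an added example (not part of the TurnKey page or the OpenVPN project) that validates the LAN subnet, checks whether forwarding is on, and prints the same routing rules in iptables-restore format so they can be reviewed before loading. It goes slightly beyond the page's rules by setting the FORWARD policy to DROP, so only the listed flows are forwarded, and by masquerading only on the tunnel interface. The interface names eth0 and tun0 and the function names are assumptions for the example.

```sh
#!/bin/sh
# Added example for the routing setup described above (not the page's own code).

# Accept only a dotted-quad IPv4 network with a /prefix, e.g. 192.168.1.0/24.
# Rejecting anything else keeps a typo (or shell metacharacters) out of the ruleset.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*) return 1 ;;
    esac
    oldIFS=$IFS
    IFS=./
    set -- $1          # split on '.' and '/'; only the function's own args change
    IFS=$oldIFS
    [ $# -eq 5 ] || return 1
    for n in "$1" "$2" "$3" "$4"; do
        [ -n "$n" ] && [ "$n" -le 255 ] || return 1
    done
    [ -n "$5" ] && [ "$5" -le 32 ]
}

# Forwarding is off by default on Debian; the page's rules do nothing until
# net.ipv4.ip_forward is 1. Reads the given file (default: the live sysctl value).
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print a complete iptables-restore fragment for LAN -> VPN forwarding.
# $1 = LAN subnet, $2 = LAN interface (eth0), $3 = tunnel interface (tun0).
build_rules() {
    lan=$1; wan=${2:-eth0}; vpn=${3:-tun0}
    valid_cidr "$lan" || { echo "build_rules: bad LAN CIDR '$lan'" >&2; return 1; }
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $wan -o $vpn -s $lan -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $vpn -s $lan -j MASQUERADE
COMMIT
EOF
}

# Typical use on the appliance (requires root):
#   forwarding_enabled || sysctl -w net.ipv4.ip_forward=1
#   build_rules 192.168.1.0/24 > /tmp/routing.rules
#   iptables-restore --test < /tmp/routing.rules   # parse only, commit nothing
```

Loading the fragment with plain iptables-restore flushes the filter and nat tables first, so on an appliance that already has rules in /etc/iptables.up.rules, either use iptables-restore --noflush to add these chains to the existing set, or merge the lines into that file and then save the result with iptables-save as the page describes.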

Other places to get (non TKL specific) OpenVPN info: