====== Ubuntu - VPN - OpenVPN - L3 Tunneling ======

L3 tunneling will route the traffic at the OpenVPN server to the destination.

A L3 tunnel is easier to implement as there is no need to change something in the infrastructure.

----

===== Create the server config =====

<file bash /etc/openvpn/server_l3.conf>
# Port.
port 1194

# TCP or UDP.
proto tcp-server
mode server
tls-server

# tun or tap device.
# tun is an IP tunnel.
# tap an ethernet tunnel.
dev tun

# Our Server IP.
server 10.0.0.0 255.255.255.0

# Paths to the certs.
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/test.domain.local.crt
key /etc/openvpn/easy-rsa/keys/test.domain.local.key

# Diffie-Hellmann Parameters.
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

# Ciphers.
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
remote-cert-tls client

# Tests the connection with a ping like packet.
# Wait=120sec.
keepalive 10 120

# Authentication.
auth SHA512

# Compression.
comp-lzo

# Sets new rights after the connection.
user nobody
group nogroup

# This is needed because of user nobody/group nobody.
persist-key
persist-tun

# Logging 0.
# Testing 5.
verb 0
</file>

<WRAP info>
**NOTE:**  Ensure the file does end with **.conf**.

  * A not used IP subnet is needed.
  * This IP subnet will be used by the server and the client to communicate with each other.
  * The clients will also get IP address from this subnet from the OpenVPN server.
</WRAP>

----

===== Create the client config =====

<file>
client

float

dev tun

# tcp or udp.
proto tcp-client

remote test.domain.local 1194

ca ca.crt
cert client.domain.local.crt
key client.domain.local.key

cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2

verify-x509-name test.domain.local name

remote-cert-tls server

route 123.123.123.123 255.255.255.255
route 234.234.234.234 255.255.255.255
route 192.168.2.0 255.255.255.0

auth SHA512

nobind 
comp-lzo 
persist-key 
persist-tun 
verb 1
</file>

<WRAP info>
**NOTE:**  The client config contains the necessary certificate entries and some individual routing entries.

  * The individual routing entries will make sure, that traffic to those destinations will be routed through the tunnel.
  * All other traffic will use the normal default gateway configured on the client.

</WRAP>

<WRAP info>
**NOTE:**  To use the tunnel to redirect all traffic through the tunnel the individual routing entries can be removed and this entry needs to be added:

<code>
redirect-gateway
</code>

If everything is working correctly, the client can connect to the server.

Unfortunately, communication with other destinations then the server itself will fail, as the OpenVPN server is not able to route traffic.

</WRAP>

----

===== Enable Routing =====

Uncomment this line in /etc/sysctl.conf:

<file bash /etc/sysctl.conf>
net.ipv4.ip_forward = 1
</file>

<WRAP info>
**NOTE:**  This will make sure, that routing is enabled after the next system restart.
</WRAP>

<WRAP info>
**NOTE:**  To temporarily allow routing without a reboot:

<code bash>
echo 1 > /proc/sys/net/ipv4/ip_forward
</code>

</WRAP>

----

===== NAT the clients to the IP of the OpenVPN server =====

<code bash>
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
</code>

<WRAP info>
**NOTE:**  This will instruct the system to map every packet from the 10.0.0.0/24 subnet to the IP address of the eth0 interface.
</WRAP>


To make this permanent save the iptables rule to a file:

<code bash>
iptables-save > /etc/iptables.up.rules
</code>

To load the rules on startup use put it into this file:

<file bash /etc/network/if-pre-up.d/iptables>
iptables-restore < /etc/iptables.up.rules
</file>

This will make sure, that the NAT instruction is loaded after a system reboot.