L3 tunneling routes the traffic at the OpenVPN server to its destination.
An L3 tunnel is easier to implement because nothing in the existing infrastructure needs to change.
# Port.
port 1194
# TCP or UDP.
proto tcp-server
mode server
tls-server
# tun or tap device.
# tun is an IP tunnel.
# tap is an ethernet tunnel.
dev tun
# Our server subnet; the server takes the first address.
server 10.0.0.0 255.255.255.0
# Paths to the certs.
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/test.domain.local.crt
key /etc/openvpn/easy-rsa/keys/test.domain.local.key
# Diffie-Hellman parameters.
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# Ciphers.
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
# Only accept peers whose certificate is marked as a client certificate.
remote-cert-tls client
# Tests the connection with a ping-like packet every 10 seconds.
# Restart if nothing is received for 120 seconds.
keepalive 10 120
# Authentication (HMAC digest for the data channel).
auth SHA512
# Compression (deprecated in newer OpenVPN releases).
comp-lzo
# Drop privileges after the connection is established.
user nobody
group nogroup
# Needed because of user nobody/group nogroup: keys and the tun device
# cannot be re-opened after dropping privileges.
persist-key
persist-tun
# Logging 0.
# Testing 5.
verb 0
NOTE: Ensure the file name ends with .conf.
client
# Accept packets from the server even if its address changes.
float
dev tun
# tcp or udp.
proto tcp-client
remote test.domain.local 1194
ca ca.crt
cert client.domain.local.crt
key client.domain.local.key
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
# Pin the expected common name of the server certificate.
verify-x509-name test.domain.local name
# Only accept a peer whose certificate is marked as a server certificate.
remote-cert-tls server
# Individual routes that should go through the tunnel.
route 123.123.123.123 255.255.255.255
route 234.234.234.234 255.255.255.255
route 192.168.2.0 255.255.255.0
auth SHA512
# Do not bind to a fixed local port.
nobind
comp-lzo
persist-key
persist-tun
verb 1
NOTE: The client config contains the necessary certificate entries and some individual routing entries.
NOTE: To redirect all client traffic through the tunnel, remove the individual route entries and add this entry instead:
redirect-gateway
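As an added example (not part of the original page), a small checker for the server and client configs above: it parses OpenVPN directives and reports the settings a reviewer looks at first, such as the minimum TLS version, the `remote-cert-tls` role, server-name pinning on the client, privilege dropping, and compression. The embedded configs are abbreviated copies of the page's two configs.

```python
SERVER_CONF = """\
mode server
tls-version-min 1.2
remote-cert-tls client
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
"""
CLIENT_CONF = """\
client
remote test.domain.local 1194
tls-version-min 1.2
verify-x509-name test.domain.local name
remote-cert-tls server
comp-lzo
"""

def parse_ovpn(text):
    """Map each directive to its argument list (first occurrence wins)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        parts = line.split()
        conf.setdefault(parts[0], parts[1:])
    return conf

def check_ovpn(text):
    """Return hardening findings for one config; an empty list means clean."""
    c = parse_ovpn(text)
    # A config is a server if it uses 'server' or 'mode server'.
    is_server = "server" in c or (c.get("mode") or [None])[0] == "server"
    findings = []
    if float((c.get("tls-version-min") or ["0"])[0]) < 1.2:
        findings.append("tls-version-min missing or below 1.2")
    if (c.get("remote-cert-tls") or [None])[0] != ("client" if is_server else "server"):
        findings.append("remote-cert-tls missing or does not match this config's role")
    if not is_server and "verify-x509-name" not in c:
        findings.append("client does not pin the server name (verify-x509-name)")
    if "comp-lzo" in c or "compress" in c:
        findings.append("compression enabled: deprecated and can leak tunnel contents")
    if is_server and not ("user" in c and "group" in c):
        findings.append("server keeps root privileges after startup (user/group)")
    if "user" in c and not ("persist-key" in c and "persist-tun" in c):
        findings.append("user set without persist-key/persist-tun: restarts break")
    return findings
```

Run `check_ovpn(open("/etc/openvpn/server.conf").read())` against a real file to get the same list of findings.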
If everything is working correctly, the client can connect to the server.
Unfortunately, communication with any destination other than the server itself will fail, because the OpenVPN server does not yet forward IP traffic.
Uncomment this line in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
NOTE: This makes sure that routing is enabled after the next system restart.
NOTE: To temporarily allow routing without a reboot:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
NOTE: This instructs the system to source-NAT every packet from the 10.0.0.0/24 subnet to the IP address of the eth0 interface.
To make this permanent save the iptables rule to a file:
iptables-save > /etc/iptables.up.rules
To load the rules on startup, put this command into a startup script:
iptables-restore < /etc/iptables.up.rules
This makes sure that the NAT rule is loaded again after a system reboot.