[Guide] OpenVPN for Security, Privacy and Gaming. How to setup a private VPN and a VLAN on a single machine

Opening Personal Notes:

Hello everyone. I want to start off by saying that I am by no means an expert on this and I might have made some errors; I’d be more than happy to receive constructive criticism and improve this guide with your feedback. I spent quite a lot of time figuring this stuff out, recently had to redo it, and recorded my steps.

I originally set it up on my home server so that when I traveled to Turkey, I could use my VPN and access various, forbidden (in Turkey) websites, such as Wikipedia, GitHub and others.

After some time, however, I realized I could also use it for gaming, especially with old PC games that don’t always work with direct IP connections or don’t have live online matchmaking services any more. Even some modern games (such as Dying Light) only support LAN; in the case of Dying Light, the online portion is not cross-platform compatible between Steam and GOG, which was the tipping point for me.

Introduction:

OpenVPN is a VPN (Virtual Private Networking) software package that is used for various reasons; security, gaming and privacy are the main ones I know of.

In this guide I will try to explain and show the steps I took to install OpenVPN and configure it on my (X)Ubuntu 18.04 home server.

So, here is what you’ll need:

  • OpenVPN-Install Script by Nyr is the one I used for my setup:
  • However, someone forked it and created an enhanced version of the script, which you can also try out if you want to:
    https://github.com/angristan/openvpn-install

  • This part is important: your local network needs to use an uncommon IP range.
    What I mean by this is, if your local network is under something like 192.168.0.XXX, move it to something like 192.168.41.XXX. Clients’ own home networks commonly use the default ranges, and overlapping addresses will give clients connected to the VLAN trouble connecting to games and such. Since this will be different for each router, I suggest you look it up on the internet.

  • A Linux machine to run the software (I used Xubuntu 18.04, so if you use a different flavor/distro/version, you might have to look up some networking configurations specific for your flavor/distro/version).

Part One, VPN (tun):

In this first part, we will set up the privacy/security oriented service, which will work on both Mobile and Desktop machines.

  1. Start by downloading the script of your choice; I suggest you make an OpenVPN folder in your home folder and put it there.

  2. Now, make it executable with this command: chmod +x script.sh

  3. Run your script: sudo ./openvpn-install.sh.
    The script will install OpenVPN as a service, create a server configuration

  4. Follow the on-screen instructions and create a client configuration file.
    Since this is the VPN part, not the VLAN part, you will need to generate a new config file for each client, so that each VPN config can only be connected from one machine at a time. I use this for my phone and laptop, so I have one for each. If you need more, just run the script again and follow the instructions to generate another one.

  5. Intermission: The default config the script generated should suffice for now, but for the sake of completeness, here is how my configuration looks. It can be found at /etc/openvpn/ under the name server.conf; I suggest you rename it to tun-server.conf or vpn-server.conf. However, the script will likely look for server.conf when you add a new client, so at that point you will either have to edit the script or, to be safe, temporarily rename your tun-server.conf back to server.conf:

tun-server.conf
port 1194
proto udp

dev tun

sndbuf 0
rcvbuf 0

ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
ifconfig-pool-persist ipp.txt

topology subnet

server 10.8.0.0 255.255.255.0

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"

keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem

# The line below allows us to run scripts.
script-security 2

  6. Check if IP forwarding is enabled with: sysctl net.ipv4.ip_forward.
    If it returns net.ipv4.ip_forward = 1 then it’s good; if not, you will have to turn it on like so:
    sudo nano /etc/sysctl.conf
    And set (uncommenting the line if needed): net.ipv4.ip_forward=1
    Then apply it without a reboot with: sudo sysctl -p

  7. Change the default forwarding policy of UFW to ACCEPT by:
    sudo nano /etc/default/ufw
    And change: DEFAULT_FORWARD_POLICY="ACCEPT"

  8. Allow connections to port 1194 (UDP) with: sudo ufw allow 1194/udp. Don’t forget to set up port forwarding on your router. (Under TP-Link routers, it’s called virtual servers.)

  9. Now, this step is where you have to do a bit of work to make the VPN work with the VLAN: we need to connect the OpenVPN virtual network adapter to the bridge adapter we will set up in Part Two. It’s a good idea to try out your VPN now and see if it works before this step.

Anyways, if you’re done testing or just want to continue, here are two ways to make sure the tun adapter is “connected” with the bridge adapter:

Option 1
Edit the UFW before.rules configuration file:
sudo nano /etc/ufw/before.rules
Near the top of the file, above the existing *filter section, add:

# START OPENVPN RULES

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Masquerade VPN client traffic leaving through the bridge interface
# (use your ethernet interface, e.g. enp3s0, for -o if you have no bridge)
# The /24 matches the "server 10.8.0.0 255.255.255.0" line; a wider mask
# such as /8 would masquerade all of 10.0.0.0/8, not just the VPN pool

-A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
COMMIT

# END OPENVPN RULES

Then reload the firewall so the new rules take effect: sudo ufw reload

Option 2:
Add a custom script to the /etc/openvpn/ folder, name it tun-to-bridge.sh and make it executable (chmod +x tun-to-bridge.sh). OpenVPN runs "up" scripts as root before it drops to the nobody user, so no sudo is needed inside the script.
Here is what the script should contain:

#!/bin/bash
# Runs when the tun server starts: allow new connections from VPN clients
# out to the bridge, and masquerade them so LAN hosts reply via the server.
# The -C checks keep the rules from being duplicated on every restart.
iptables -C FORWARD -i tun0 -o br0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT 2>/dev/null \
  || iptables -I FORWARD -i tun0 -o br0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

iptables -t nat -C POSTROUTING -o br0 -s 10.8.0.0/24 -j MASQUERADE 2>/dev/null \
  || iptables -t nat -I POSTROUTING -o br0 -s 10.8.0.0/24 -j MASQUERADE

And then, at the end of your tun-server.conf, add this (script-security 2 is already in the config above; it only needs to appear once):

script-security 2

up tun-to-bridge.sh
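Whichever option you pick, the source network of the MASQUERADE rule should be exactly the VPN pool from the server line. The following POSIX shell functions are an added check (example code, not from this guide or from the Nyr/angristan scripts): they read a tun server config and a rules file in the before.rules style and flag any MASQUERADE rule whose -s network is wider than, or different from, that pool. The file names and the sample contents at the bottom are constructed; the sample deliberately uses a /8 rule so you can see what gets flagged.

```shell
#!/bin/sh
# Added example, not from the guide: check that the MASQUERADE rule's "-s"
# network equals the "server" subnet of the tun config, so NAT covers exactly
# the VPN pool. File names and the sample contents below are constructed.

mask2prefix() {   # 255.255.255.0 -> 24, by counting the set bits of each octet
    echo "$1" | awk -F. '{ p = 0
        for (i = 1; i <= 4; i++) { o = $i; while (o > 0) { p += o % 2; o = int(o / 2) } }
        print p }'
}

# Print the VPN pool as network/prefix from the "server <net> <mask>" line.
vpn_cidr() {
    line=$(awk '$1 == "server" { print $2, $3; exit }' "$1")
    [ -n "$line" ] || return 1
    set -- $line
    echo "$1/$(mask2prefix "$2")"
}

# Print the "-s" source network of every MASQUERADE rule in a rules file.
nat_sources() {
    awk '/-j MASQUERADE/ { for (i = 1; i < NF; i++) if ($i == "-s") print $(i + 1) }' "$1"
}

# Return 0 when every MASQUERADE source equals the VPN pool exactly,
# 1 when a rule is wider or different, 2 when a file lacks the directive.
check_nat_scope() {   # $1 = server conf, $2 = rules file
    want=$(vpn_cidr "$1") || { echo "no 'server' line in $1"; return 2; }
    srcs=$(nat_sources "$2")
    [ -n "$srcs" ] || { echo "no MASQUERADE rule with -s in $2"; return 2; }
    rc=0
    for src in $srcs; do
        [ "$src" = "$want" ] || { echo "MASQUERADE source $src does not match VPN pool $want"; rc=1; }
    done
    return $rc
}

# Constructed sample: the pool is 10.8.0.0/24 but the NAT rule says /8, which
# would masquerade the whole 10.0.0.0/8 range instead of only the VPN clients.
demo() {
    d=$(mktemp -d)
    printf 'port 1194\ndev tun\nserver 10.8.0.0 255.255.255.0\n' > "$d/tun-server.conf"
    printf '*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.8.0.0/8 -o br0 -j MASQUERADE\nCOMMIT\n' > "$d/before.rules"
    check_nat_scope "$d/tun-server.conf" "$d/before.rules"; rc=$?
    rm -rf "$d"
    return $rc
}

if demo; then echo "NAT scope matches the VPN pool"; fi
```

On the real server, run check_nat_scope against /etc/openvpn/tun-server.conf and /etc/ufw/before.rules (or the output of iptables-save -t nat for Option 2).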

This concludes Part 1.


Part Two, VLAN (tap):

Now that we have our tun VPN network, we can move on and set up the Virtual LAN network so we can game on!

  1. Start by heading over to /etc/openvpn/ and make a copy of tun-server.conf and name it something like tap-server.conf or vlan-server.conf.

  2. We need to change a bunch of things here, so I will save you some time and post my config file, but for the most part, we need to change the port, network type, client connection policy and run a short script to ensure things run smoothly, so here is the config:

tap-server.conf
port 1294
proto udp

dev tap

sndbuf 0
rcvbuf 0

ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
ifconfig-pool-persist tap-ipp.txt

server-bridge 192.168.41.0 255.255.255.0 192.168.41.200 192.168.41.250

client-to-client

duplicate-cn

keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status status-tap.log
verb 3
crl-verify crl.pem

# The line below allows us to run scripts.
script-security 2

up tap-to-bridge.sh
  3. Now, run the script we downloaded in Part One and generate a new client; this one will be used by multiple people at the same time. After you’ve generated the config file, we will have to make some changes to it, but it should look like this:
client
dev tap
proto udp
sndbuf 0
rcvbuf 0
remote YOUR_EXTERNAL_IP_ADDRESS 1294
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
key-direction 1
verb 3

...
certificate stuff below

So for the remote line, just change the port, leave your own external IP address / hostname as is.

  4. In the config file for the tap server, we reference a script we want it to run called tap-to-bridge.sh. Create this script in the /etc/openvpn/ folder with that name and make it executable (chmod +x tap-to-bridge.sh). As the name suggests, it “connects” the tap adapter with the bridge adapter we will set up shortly. Here is how the script looks:
#!/bin/bash
# OpenVPN runs this as root when the tap server starts and passes the
# device name as the first argument (tap0 on this setup).
DEV="${1:-tap0}"

# Attach the tap device to the bridge and bring it up
brctl addif br0 "$DEV"
ip link set dev "$DEV" up

I also suggest adding the following line to the end of tap-to-bridge.sh; if you have trouble playing games, it can help solve some issues on some distros. [more info needed]

sudo iptables -t nat -A POSTROUTING -s 192.168.41.0/24 -o br0 -j MASQUERADE

  5. Allow connections over port 1294 (UDP) with sudo ufw allow 1294/udp. Don’t forget to set up port forwarding on your router. (Under TP-Link routers, it’s called virtual servers.)

  6. Now, we need to install the common utility package for creating a bridge interface, so run:
    sudo apt-get install bridge-utils

  7. IMPORTANT NOTICE!
    You may lose connection during this step, depending on your setup (SSH, local IP binding/assignment, etc.), so if you don’t have physical access, be careful and make sure you get it right the first time.
    I highly suggest you read the notes at the end before you begin this process.

Now we need to tell the system’s network manager to set up a bridge interface and attach our default ethernet interface to it. This will be different for each distro and even each computer, but I will try to explain it as best as I can. In my case the ethernet adapter is called enp3s0; this is the physical interface through which the computer connects to the local network and, through it, the internet.
Physically speaking, that is still where the data goes in and out, but the bridge will act as a virtual hub for all network traffic and as such it will be our de facto networking interface.

So, for those using NetPlan (Ubuntu and flavors?), here is what you do:

Head over to /etc/netplan/ and edit the network-manager-all.yaml file there, it might have prefix number there too, keep that in mind.

We want to add a bridge interface and tell it to “connect” with our physical interface (in my case, enp3s0).

Here is how it looks for me:

# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager

  ethernets:
    # declare the interface used by the bridge device
    enp3s0:
      dhcp4: no
      dhcp6: no

  # Create the bridge device
  bridges:
    br0:
      interfaces: [enp3s0]
      dhcp4: true
      dhcp6: no

Optionally you can set a mac address for the bridge by adding macaddress: 00:11:22:33:44:55 right above interfaces: [enp3s0].

Reminder to read the notes below before this!
And now, the grand finale, apply the netplan configuration with: sudo netplan apply.
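Once netplan has applied and a client has connected to the tap server, the thing to confirm is that br0 is up and that both the physical interface and tap0 are enslaved to it; that is exactly what goes wrong when the bridge silently drops a member. The script below is an added verification helper (example code, not from this guide) that parses the output of ip -o link show. The sample output embedded in it is constructed, and the names br0, enp3s0 and tap0 follow this guide’s setup.

```shell
#!/bin/sh
# Added example, not from the guide: after "netplan apply" and a client
# connecting to the tap server, confirm that br0 is up and carries both the
# physical interface and tap0. Parses "ip -o link show" output (one interface
# per line); the sample below is constructed, interface names are assumptions.

# Print the interfaces whose "master" is the given bridge, one per line.
bridge_members() {   # $1 = bridge name; stdin = "ip -o link show" output
    awk -v br="$1" '{
        for (i = 1; i < NF; i++)
            if ($i == "master" && $(i + 1) == br) { sub(/:$/, "", $2); print $2 }
    }'
}

# Print the operstate (UP, DOWN, UNKNOWN) of one interface.
link_state() {       # $1 = interface; stdin = "ip -o link show" output
    awk -v ifc="$1:" '$2 == ifc { for (i = 1; i < NF; i++) if ($i == "state") print $(i + 1) }'
}

# Return 0 when bridge $1 is UP and every remaining argument is enslaved
# to it; report each missing piece and return 1 otherwise.
check_bridge() {     # $1 = bridge, $2.. = expected members; stdin = link output
    br="$1"; shift
    out=$(cat)
    rc=0
    [ "$(printf '%s\n' "$out" | link_state "$br")" = "UP" ] || { echo "$br is not up"; rc=1; }
    members=$(printf '%s\n' "$out" | bridge_members "$br")
    for want in "$@"; do
        printf '%s\n' "$members" | grep -qx "$want" || { echo "$want is not attached to $br"; rc=1; }
    done
    return $rc
}

# Constructed "ip -o link show" output for a working setup: enp3s0 and tap0
# both have "master br0" and the bridge itself is UP (tap0 reports UNKNOWN,
# which is normal for a tap device).
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether 02:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff'

# Check the constructed sample; on the real server run:
#   ip -o link show | check_bridge br0 enp3s0 tap0
demo() { printf '%s\n' "$SAMPLE" | check_bridge br0 enp3s0 tap0; }

if demo; then echo "bridge br0 looks good"; fi
```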

Important Notes:

  • Adding a bridge network and using that as your virtual hub for network traffic can result in a change of your MAC address and as such could change your assigned IP address if you’re using DHCP.
  • The last step will likely disconnect you from the network if you’re using SSH, this can make it tricky.
  • YAML files are very picky about formatting, so verify the file with an online validator or similar to make sure it’s OK before saving and applying it.
  • From my limited understanding of netplan and its yaml configuration files, you can opt to create a new file and make your changes there, but I had trouble getting netplan to cooperate and had to resort to editing the default file.
  • To ensure smooth operation especially for old windows games, make the OpenVPN Network Adapter the top priority one on all connected clients, this usually isn’t required but for some games, it might be needed.
    Here is a guide on how to change priorities (Lower numbers = Higher priority): Guide Link

And that’s it. I hope you manage to get it working; I spent a lot of time trying different things, giving up and trying again until I found out how to do it, and I really hope this can save you time, effort and headaches.

If you have any suggestions or ideas, please feel free to write it, I will try to update this as often as it’s needed and I can.


Closing Personal Notes:
I usually do this only for open source and free projects of mine, but I am going through some really tough times, so if you found this guide useful enough and you can spare a penny or two, I would greatly appreciate it: PayPal

8 Likes

Hey, great guide! I feel like I almost have everything working, except I think I’m a little confused on one part. Does every client need to connect to both the tun and tap servers in order to join the vlan? And to make it clear, each client gets their own separate tun configuration, but share a single tap configuration? I’ve been connecting all clients to only the tap server, and I can’t get a ping from any of the assigned IP addresses.

Yes, every client gets their own VPN client config for added security, but with the VLAN, security is not a concern (it’s for gaming and such), so we enable multiple connections from same client configs in tap-server.conf with the line duplicate-cn.

In the past, I have had an issue with this set up that I don’t think has anything to do with using 1 client config for users, but it has to do with the network manager under windows or possibly some routers.


Try the following, under windows, let’s call the real LAN machine MA and the VLAN machine MB

Step One: On MA open cmd and run ping 192.168.41.200 -t (replace the local IP in the command with that of MB)

Step Two: On MB open cmd and run ping 192.168.41.100 -t (replace the local IP in the command with that of MA)

Step Three: On MB open cmd and run ping 192.168.41.1 -t (replace the local IP in the command with that of MA's gateway/router)

For Linux just use alternative commands.


So I do this, because in the past, we had an issue where people would connect but won’t be able to ping from A to B or from B to A, and pinging from both sides had some effect sometimes, but pinging the router 192.168.41.1 would do the trick most of the time.

This issue hasn’t popped up on my set up for quite a while now, I even tested before replying to you, and my friend had no trouble pinging my local machine, neither did I have trouble pinging him.

I will update the guide with a section about adapter priority for windows, while during testing you shouldn’t need to change adapter priority, some older games only check the first adapter’s IP range.

EDIT: I forgot to add that if you try to connect to the VLAN while you are already on the same local network as the VLAN itself, it will mess things up!

I can’t seem to even ping any of the clients from the server. To clarify, I’ve solely been connecting to the tap server, because when I try to connect to both tun and tap servers at the same time, I get an error message (client side) saying all TAP-Windows adapters on this system are currently in use.

Hey Dustin,
The way the OpenVPN Client usually works is you have a single virtual Network Adapter for it, and that adapter can have only one connection at a time, so if you are outside on an unsecured network, you’d want to use the VPN (tun) server/service, for a private and secure connection.

But if you want to have a Virtual LAN party, you’d want to give your friends the VLAN (tap) adapter client config (Assuming you are already on the same local network as the server).

As per this guide, our tap VLAN setup is for gaming and not very strict on security, and it doesn’t care if multiple clients use the same profile to “log in”.

But our VPN is secured and will allow only one connection per profile, at any given time.

You basically pick either the VPN or the VLAN at any given time, and since they both cover different use cases, you don’t need both at the same time. So it’s not a problem that you can’t have both types of connections active at the same time, that’s for the most part, the intended use for it.

As for your issues with pinging and establishing a working VLAN connection, I can help you better if you provide a bit more information.

Can you please provide the following information:

  • Are your server and your client on different networks?
  • Information from running ipconfig on your Client (Windows CMD / Command Line).
  • Information from running ip a on your server (Terminal).
  • Does the VPN connection work? (You can verify this by googling what your IP is on the server and on a connected client from outside of your network; if they match, that means your client is connecting to the internet through the VPN).

I will PM you with my Discord information as well, in case you prefer to use that for troubleshooting, I will be posting our findings in a trouble shooting section later on.

Hi there,

A bit late to the party perhaps, but I’ve been attempting to follow your guide to set up a “public” VLAN.
Specifically I’m trying to play a game with a friend that uses UDP broadcasts to discover clients on the network.

I’ve tried following your guide interspersed with guides directly from OpenVPN on setting up a bridged network, but I’ve had very little luck.
I can send all kinds of diagnostics, logs and results from ipconfig on Windows and ifconfig/ip a on Ubuntu, just let me know if you need more information.

Cheers, Henrik

Hello Henrik,
Welcome to Level1,
I am more than happy to help you, I will send you my Discord Information on a message, do add me when you see fit.

Cheers!

Hey, I was trying to set this up but had no luck, can you help me out?

I would love to, PM with your problem or Discord tag!

1 Like

For some reason I can’t find the message option, please add me “EPIC#0001” on Discord

It seems @aitezaz’s issue was configuration, with some testing we pinned down the problem.

For future reference, if anybody needs help, feel free to PM me directly here or via discord (redacted).

1 Like