Opening Personal Notes:
Hello everyone, I want to start off by saying that I am by no means an expert on this and I might have made some errors; I’d be more than happy to receive constructive criticism and improve this guide with your feedback. I spent quite a lot of time figuring this stuff out and recently had to redo it, so I recorded my steps.
I originally set it up on my home server so that when I traveled to Turkey, I could use my VPN and access various websites that are forbidden in Turkey, such as Wikipedia, GitHub and others.
After some time, however, I realized I could also use it for gaming, especially with old PC games that don’t always work with direct IP connections or don’t have live online matchmaking services. Even some modern games (such as Dying Light) only support LAN; in the case of Dying Light, the online portion is not cross-platform compatible between Steam and GoG, hence why that was the tipping point.
OpenVPN is Virtual Private Networking (VPN) software that is used for various purposes; security, privacy and gaming are the main ones I know of.
In this guide I will try to explain and show the steps I took to install OpenVPN and configure it on my (X)Ubuntu 18.04 home server.
So, here is what you’ll need:
- The OpenVPN-Install script by Nyr is the one I used for my setup:
However, someone forked it and created an enhanced version of the script, which you can also try out if you want to:
- A local network IP range that is not a common one. This part is important: if your local network is under something like 192.168.0.XXX (or 192.168.1.XXX, the defaults on most home routers), you need to move it to something like 192.168.41.XXX. The reason is that in Part Two your clients join your LAN over the bridged tap network; if a client’s own home network uses the same range as yours, its machine cannot tell the two apart, traffic for your LAN never leaves its local network and games that rely on LAN discovery will not see each other. Since this will be different for each router, I suggest you look up how to change the LAN subnet on yours.
- A Linux machine to run the software (I used Xubuntu 18.04; if you use a different flavor/distro/version, you might have to look up the networking configuration specific to it).
Part One, VPN (tun):
In this first part, we will set up the privacy/security oriented service, which will work on both mobile and desktop machines.
Start by downloading the script of your choice; I suggest you make an OpenVPN folder in your home folder and put it there.
Now, make it executable with this command:
chmod +x script.sh
Run your script (as root, since it installs packages and writes to /etc/openvpn/):
sudo ./script.sh
The script will install OpenVPN as a service and create a server configuration.
Follow the on-screen instructions and create a client configuration file.
Since this is the VPN part, not the VLAN part, you need to generate a separate client config file for each device: each file carries its own client certificate, and the server only allows one active connection per certificate at a time (unless duplicate-cn is set, which we will only do for the tap network in Part Two). Per-device certificates also let you revoke a single lost phone or laptop (the script has a revoke option, which is what the crl-verify line in the server config is for) without cutting off everyone else. I use this for my phone and laptop, so I have one for each. If you need more, just run the script again and follow the instructions to generate another one.
Intermission: the default config generated should suffice for now, but for the sake of completeness, here is what my configuration looks like. It lives in /etc/openvpn/ under the name server.conf. I suggest you rename it to tun-server.conf or vpn-server.conf so it is clearly distinguished from the tap config in Part Two, with two caveats. First, on Ubuntu 18.04 the systemd template unit openvpn@.service loads /etc/openvpn/<name>.conf, so the service name follows the file name: openvpn@server becomes openvpn@tun-server, and you will need to enable and start the new instance (both the tun and tap configs can then run side by side as separate instances). Second, the install script will likely be looking for a server.conf, so when you have to add a new client you will either have to edit the script or, to be safe, rename your tun-server.conf back to server.conf temporarily. Two settings in the config are worth knowing about: comp-lzo enables compression, which OpenVPN has since deprecated because compressing traffic before encrypting it leaks information about its contents (the VORACLE attack); if your clients are recent, drop it on both sides. And the 10.8.0.0/24 subnet set by the server line is the range every firewall rule further down must refer to.
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
ifconfig-pool-persist ipp.txt
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 184.108.40.206"
push "dhcp-option DNS 220.127.116.11"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
# The line below allows us to run scripts.
script-security 2
- Check if IP forwarding is enabled with:
sysctl net.ipv4.ip_forward
If it returns net.ipv4.ip_forward = 1 then it’s good; if not, you will have to turn it on by editing
sudo nano /etc/sysctl.conf
and uncommenting (or adding) the line net.ipv4.ip_forward=1, then applying it with sudo sysctl -p.
- Change the default forwarding policy of UFW to ACCEPT by editing
sudo nano /etc/default/ufw
and setting DEFAULT_FORWARD_POLICY="ACCEPT". Note that this lets the server forward traffic between any of its interfaces, not only from the VPN; if you want it tighter, leave the policy at DROP and rely on an explicit FORWARD rule for 10.8.0.0/24 instead (the tun-to-bridge script further down adds exactly such a rule).
- Allow connections to port 1194 (UDP) with:
sudo ufw allow 1194/udp
Don’t forget to set up port forwarding on your router (under TP-Link routers, it’s called Virtual Servers).
Now, this step is where you have to do a bit of work to make the VPN work with the VLAN: traffic from the OpenVPN virtual network adapter (tun0) has to be let out through, and masqueraded behind, the bridge adapter we will set up in Part Two, so it’s a good idea to try out your VPN now and confirm it works before this step.
Anyway, if you’re done testing or just want to continue, here are two ways to make sure the tun adapter is “connected” to the bridge adapter (pick one; in both, the source range must be the VPN subnet 10.8.0.0/24 and nothing wider):
Option 1: edit the UFW before.rules configuration file:
sudo nano /etc/ufw/before.rules
Near the top, before the *filter section, add:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN to ethernet
# Use your bridge interface (br0) here; without a bridge, use the ethernet interface instead
-A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
Note the /24: it has to match the server 10.8.0.0 255.255.255.0 line of the config; a /8 here would masquerade the whole 10.0.0.0/8 range, including any 10.x LAN, rather than just the VPN.
Option 2: add a custom script to the /etc/openvpn/ folder, name it tun-to-bridge.sh and make it executable (chmod +x). Here is what the script should contain:
#!/bin/bash
# OpenVPN runs "up" scripts as root before it drops to user nobody, so no sudo is needed.
# $1 is the interface OpenVPN just brought up (tun0 for this config).
dev="${1:-tun0}"
# Allow connections initiated from the VPN subnet out through the bridge
iptables -I FORWARD -i "$dev" -o br0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
# Masquerade VPN traffic leaving the bridge so the LAN sees the server's address
iptables -t nat -I POSTROUTING -o br0 -s 10.8.0.0/24 -j MASQUERADE
And then, at the end of your tun-server.conf, add this (script-security 2 is already in the config shown above and only needs to appear once; the relative path works because the service runs from /etc/openvpn/, use the full path /etc/openvpn/tun-to-bridge.sh if in doubt):
script-security 2
up tun-to-bridge.sh
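Both options above depend on one detail: the source range in the MASQUERADE rule must be exactly the subnet that the server line in the config hands out. As an added example (not code from the original guide or from the install script), here is a small POSIX shell lint that pulls the subnet out of a server config, reads the -s argument of a rule line and refuses a mismatch. The config text in it is constructed to mirror the config shown earlier; the two rule lines are the wrong (/8) and right (/24) versions of the rule used in this guide.

```shell
#!/bin/sh
# Added example, not part of the original guide: a lint for the NAT step.
# It derives the VPN subnet from the "server a.b.c.d netmask" line of
# server.conf and checks that a MASQUERADE rule's -s range is exactly that
# subnet, so a typo such as 10.8.0.0/8 (the whole 10.0.0.0/8 block) is caught
# before it lands in before.rules or an up script.

# Convert a dotted netmask (255.255.255.0) to a prefix length (24).
mask_to_prefix() {
  local IFS=. octet bits=0
  for octet in $1; do
    while [ "$octet" -gt 0 ]; do
      bits=$((bits + (octet & 1)))
      octet=$((octet >> 1))
    done
  done
  printf '%s\n' "$bits"
}

# Read an OpenVPN server config on stdin and print the tun subnet as CIDR,
# e.g. "10.8.0.0/24" for "server 10.8.0.0 255.255.255.0". Returns 1 if absent.
vpn_subnet_cidr() {
  local directive net mask rest
  while read -r directive net mask rest; do
    case "$directive" in
      server) printf '%s/%s\n' "$net" "$(mask_to_prefix "$mask")"; return 0 ;;
    esac
  done
  return 1
}

# Print the -s argument of an iptables command or before.rules rule line.
nat_source_cidr() {
  local prev='' tok
  for tok in $1; do
    if [ "$prev" = "-s" ]; then printf '%s\n' "$tok"; return 0; fi
    prev=$tok
  done
  return 1
}

# Return 0 when the rule's source range equals the config's VPN subnet,
# 1 on a mismatch, 2 when either value cannot be found.
# $1: server config text, $2: the MASQUERADE rule line.
check_nat_scope() {
  local want got
  want=$(printf '%s\n' "$1" | vpn_subnet_cidr) || return 2
  got=$(nat_source_cidr "$2") || return 2
  if [ "$want" = "$got" ]; then
    return 0
  fi
  printf 'NAT source %s does not match VPN subnet %s\n' "$got" "$want" >&2
  return 1
}

# Constructed sample input mirroring the guide's server.conf (trimmed).
SAMPLE_CONF='port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"'

# A too-wide rule (/8) is reported; the corrected rule (/24) passes.
check_nat_scope "$SAMPLE_CONF" "-A POSTROUTING -s 10.8.0.0/8 -o br0 -j MASQUERADE" || true
check_nat_scope "$SAMPLE_CONF" "-A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE" && echo "NAT rule scoped correctly"
```

To check your real files, feed the config with check_nat_scope "$(cat /etc/openvpn/tun-server.conf)" and the rule line with the one you pasted into before.rules or the up script; the same function works for the tap config if you give it the 192.168.41.0/24 rule, because it only keys on the server directive.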
This concludes Part 1.
Part Two, VLAN (tap):
Now that we have our tun VPN network, we can move on and set up the virtual LAN network so we can game on! Keep in mind what this does from a security point of view: a tap client is bridged straight onto your home LAN, as if it had plugged a cable into your switch, so only hand the shared profile from this part to people you would let onto your network.
Start by heading over to /etc/openvpn/ and make a copy of tun-server.conf, naming it something like tap-server.conf.
We need to change a bunch of things here, so I will save you some time and post my config file; for the most part, we need to change the port, the device type, the client connection policy and run a short script to ensure things run smoothly. Two lines deserve a closer look. The server-bridge arguments are gateway, netmask, pool-start and pool-end: the gateway is pushed to clients as their route gateway, so it should be a real host on the bridged subnet (normally your router), not the .0 network address, and the pool (192.168.41.200 to 192.168.41.250 here) must lie outside your router’s DHCP range so a VPN client never gets an address a LAN machine already holds. And duplicate-cn lets several people connect with the same client certificate at once, which is convenient, but it means you cannot revoke a single player; revoking the shared profile cuts everyone off. Here is the config:
port 1294
proto udp
dev tap
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
ifconfig-pool-persist tap-ipp.txt
# server-bridge <gateway> <netmask> <pool-start> <pool-end>
# The gateway must be a host on your LAN (normally your router's address on the 192.168.41.x subnet),
# and the pool must not overlap your router's DHCP range.
server-bridge YOUR_LAN_GATEWAY_IP 255.255.255.0 192.168.41.200 192.168.41.250
client-to-client
duplicate-cn
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status status-tap.log
verb 3
crl-verify crl.pem
# The line below allows us to run scripts.
script-security 2
up tap-to-bridge.sh
- Now, run the script we downloaded in Part One and generate a new client; this one will be used by multiple people at the same time. After you’ve generated the config file, we will have to make some changes to it, but it should end up looking like this:
client
dev tap
proto udp
sndbuf 0
rcvbuf 0
remote YOUR_EXTERNAL_IP_ADDRESS 1294
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
key-direction 1
verb 3
... certificate stuff below
So for the remote line, just change the port to 1294 and leave your own external IP address / hostname as is; the other change is dev tun to dev tap, so that the client matches the tap server.
- In the config file for the tap-server, we reference a script we want it to run called tap-to-bridge.sh. Create this script in the /etc/openvpn/ folder with the same name and make it executable (chmod +x); as the name suggests, it “connects” the tap adapter to the bridge adapter we will set up shortly. Here is how the script looks:
#!/bin/bash
# Runs as root before OpenVPN drops privileges, so no sudo is needed.
# $1 is the tap device OpenVPN just created (tap0 for this config).
dev="${1:-tap0}"
# Attach the tap interface to the bridge so VPN clients sit on the LAN segment
brctl addif br0 "$dev"
ip link set dev "$dev" up
I also suggest adding the following line to the end of tap-to-bridge.sh; if you have trouble playing games, it can help solve some issues with some distros. [more info needed]
iptables -t nat -A POSTROUTING -s 192.168.41.0/24 -o br0 -j MASQUERADE
- Allow connections over port 1294 (UDP) with:
sudo ufw allow 1294/udp
Don’t forget to set up port forwarding on your router (under TP-Link routers, it’s called Virtual Servers).
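The server-bridge line is where address clashes come from: its arguments are gateway, netmask, pool-start and pool-end, the gateway is pushed to clients as their route gateway, and the pool competes with the router’s DHCP scope for the same 192.168.41.x range. As an added example (not code from the original guide), here is a POSIX shell check for that line. The router DHCP range used in it (192.168.41.100 to 192.168.41.199) and the gateway address 192.168.41.1 are assumptions made for the demonstration; use the values from your own router.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity checks for the
# "server-bridge GATEWAY NETMASK POOL-START POOL-END" line of tap-server.conf.
# The router DHCP range (192.168.41.100-199) and the gateway 192.168.41.1 used
# below are assumptions for the demo; substitute your own router's settings.

# Dotted IPv4 -> integer (192.168.41.1 -> 3232246017).
ip_to_int() {
  local IFS=. octet n=0
  for octet in $1; do
    n=$(( (n << 8) + octet ))
  done
  printf '%s\n' "$n"
}

# Check one server-bridge line against the router's DHCP range. Prints each
# problem found and returns 1 if there were any, 0 when the line is clean.
# $1: the server-bridge line, $2: router DHCP start, $3: router DHCP end
check_server_bridge() {
  local dhcp_start="$2" dhcp_end="$3" rc=0
  local gw mask net bcast start end ds de
  set -- $1
  [ "$1" = "server-bridge" ] && [ $# -eq 5 ] || { echo "not a 4-argument server-bridge line"; return 1; }
  gw=$(ip_to_int "$2"); mask=$(ip_to_int "$3")
  start=$(ip_to_int "$4"); end=$(ip_to_int "$5")
  net=$(( gw & mask ))
  bcast=$(( net | (4294967295 - mask) ))

  # The gateway is pushed to clients as route-gateway: it must be a host on
  # the subnet, not the network or broadcast address.
  if [ "$gw" -eq "$net" ] || [ "$gw" -eq "$bcast" ]; then
    echo "gateway $2 is the network/broadcast address; use a real host (normally your router)"
    rc=1
  fi
  # The pool must be ordered and lie inside the bridged subnet.
  if [ "$start" -gt "$end" ] || [ $(( start & mask )) -ne "$net" ] || [ $(( end & mask )) -ne "$net" ]; then
    echo "pool $4-$5 is not inside the bridged subnet"
    rc=1
  fi
  # The pool must not overlap the router's DHCP range, or a VPN client can
  # be handed an address that a LAN machine already holds.
  ds=$(ip_to_int "$dhcp_start"); de=$(ip_to_int "$dhcp_end")
  if [ "$start" -le "$de" ] && [ "$ds" -le "$end" ]; then
    echo "pool $4-$5 overlaps router DHCP range $dhcp_start-$dhcp_end"
    rc=1
  fi
  return "$rc"
}

# Constructed examples: the guide's pool with a host gateway, and the same
# pool with the .0 network address as gateway.
for line in \
  "server-bridge 192.168.41.1 255.255.255.0 192.168.41.200 192.168.41.250" \
  "server-bridge 192.168.41.0 255.255.255.0 192.168.41.200 192.168.41.250"; do
  if check_server_bridge "$line" 192.168.41.100 192.168.41.199; then
    echo "OK: $line"
  fi
done
```

Run it against your own file with check_server_bridge "$(grep '^server-bridge' /etc/openvpn/tap-server.conf)" followed by the start and end of your router’s DHCP scope; anything it prints is a configuration you want to fix before handing out the shared profile.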
Now, we need to install the common utility package for creating a bridge interface, so run:
sudo apt-get install bridge-utils
You may lose your connection during the bridge step, depending on your setup (SSH, local IP binding/assignment, etc.), so if you don’t have physical access, be careful and make sure you get it right the first time.
I highly suggest you read the notes at the end before you begin this process.
Now, we need to tell our system’s network manager to set up a bridge interface and attach our default ethernet interface to it. This will be different for each distro and even each computer, but I will try to explain it as best as I can. In my case the ethernet adapter is called enp3s0; this is the physical interface with which the computer connects to the local network and, subsequently, the internet.
While physically speaking that’s where the data goes in and out, the bridge will act as a virtual hub for all network traffic and as such it will be our de-facto networking interface.
So, for those using Netplan (Ubuntu and its flavors), here is what you do: head over to /etc/netplan/ and edit the network-manager-all.yaml file there (it will likely have a number prefix, keep that in mind).
We want to add a bridge interface and tell it to “connect” with our physical interface (in my case, enp3s0).
Here is how it looks for me:
# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    # declare the interface used by the bridge device
    enp3s0:
      dhcp4: no
      dhcp6: no
  # Create the bridge device
  bridges:
    br0:
      interfaces: [enp3s0]
      dhcp4: true
      dhcp6: no
Optionally you can pin the bridge’s MAC address by adding macaddress: 00:11:22:33:44:55 inside the br0 block (next to interfaces:), which keeps the DHCP lease, and therefore the server’s LAN address, stable across reboots.
Reminder to read the notes below before this!
And now, the grand finale: apply the netplan configuration with
sudo netplan apply
If you are working over SSH, sudo netplan try is the safer command: it applies the configuration and reverts it automatically after a timeout unless you confirm it, so a mistake will not lock you out of the machine.
- Adding a bridge interface and using it as your virtual hub for network traffic can change your MAC address and, as such, could change your assigned IP address if you’re using DHCP.
- The last step will likely disconnect you from the network if you’re using SSH, which can make it tricky.
- YAML files are very picky about formatting; verify yours with an online validator or similar before saving the file and applying it.
- From my limited understanding of netplan and its YAML configuration files, you can opt to create a new file and make your changes there, but I had trouble getting netplan to cooperate and had to resort to editing the default file.
- To ensure smooth operation, especially for old Windows games, make the OpenVPN network adapter the top-priority one on all connected clients; this usually isn’t required, but some games might need it.
Here is a guide on how to change priorities (lower number = higher priority): Guide Link
And that’s it; I hope you manage to get it working. I spent a lot of time trying different things, giving up and trying again until I found out how to do it, and I really hope this can save you time, effort and headaches.
If you have any suggestions or ideas, please feel free to write them; I will try to update this as often as it’s needed and I can.
Closing Personal Notes:
I usually do this only for open source and free projects of mine, but I am going through some really tough times, so if you found this guide useful enough and you can spare a penny or two, I would greatly appreciate it: PayPal