You need a VPN when you are connected to unsecured WiFi, and also when that public WiFi or your ISP restricts what you can do. One example of such a restriction is blocking P2P programs and the like.
A good way to get around those problems is OpenVPN. It can be quite complicated to set up, but a simple configuration is actually simple.
First you need a server. The server can be your home router or a small server in a datacentre that has some bandwidth left over. Your laptop is the client: it sends all (or some) of your traffic through one TCP connection to the server, and the server forwards it onward, so the traffic looks like it originates from the server. Note that only the leg between client and server is encrypted; whatever leaves the server towards the internet is as visible to the server's network as it would normally be.
Let's use the internal IPs 10.66.77.1 for the server and 10.66.77.2 for the client. The subnet 10.66.77.0/24 is picked from the middle of the private 10.0.0.0/8 range because it is less likely to collide with an existing network (home routers tend to use 10.0.0.0/24 or 192.168.x.0/24).
The server needs IP forwarding and NAT enabled. You achieve this with the following commands; change 10.66.77.0/24 and eth0 to your actual values (eth0 is the interface that faces the internet). Both settings are lost on reboot: make forwarding permanent with net.ipv4.ip_forward=1 in /etc/sysctl.conf, and save the NAT rule with iptables-save (or your distribution's firewall tool).
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.66.77.0/24 -o eth0 -j MASQUERADE
Next we need a static key. Bear in mind that this must be kept secret: it is a symmetric pre-shared key, so anyone who obtains it can both connect to your server and decrypt captured traffic (static-key mode has no forward secrecy). Generate it on the server and copy it to the client over a secure channel such as scp, never by e-mail. Key generation looks like:
openvpn --genkey --secret static.key
chmod 600 static.key
Now the preparation is done and you can write the OpenVPN configuration files. By default OpenVPN uses UDP on port 1194. UDP is the better transport for a VPN when it gets through (TCP inside TCP retransmits twice and performs poorly on lossy links), but restrictive networks often block UDP altogether, and port 1194 is an obvious target. The ports that are usually open from everywhere are 21 (ftp), 22 (ssh), 80 (http) and 443 (https), plus a few more. If you host websites on your server, 80 and 443 are taken by the webserver and not usable. FTP is rarely used any more since there are better alternatives like ssh, so I chose 21 as my VPN port.
Server configuration file server.ovpn:
dev tun                            # routed (layer 3) tunnel
proto tcp-server                   # listen for one TCP client
port 21                            # see port discussion above
ifconfig 10.66.77.1 10.66.77.2     # local tunnel IP, remote tunnel IP
secret static.key                  # pre-shared key generated above
Client configuration file client.ovpn (the copy of static.key must sit next to it):
remote yourserver.com 21 tcp-client   # server host, port, protocol
dev tun
ifconfig 10.66.77.2 10.66.77.1        # mirror of the server's ifconfig line
secret static.key
redirect-gateway def1                 # route all traffic through the tunnel
"redirect-gateway def1" changes the client's routing table so that all traffic goes via the server. Without it only traffic addressed to the server's tunnel IP 10.66.77.1 is sent through the tunnel. Most material on the web recommends adding push "redirect-gateway def1" to the server config, but push only works in TLS server mode (--mode server); in a static-key point-to-point setup like this one it has no effect, so put the directive directly in the client config. Note that redirect-gateway changes routes, not DNS: the client keeps using whatever resolver the WiFi's DHCP handed out, and if that resolver is on the local subnet the queries bypass the tunnel. Point the client at a resolver reachable through the tunnel if that matters to you.
Now it is almost ready; just start the VPN and enjoy. OpenVPN needs root (or CAP_NET_ADMIN) on both ends to create the tun device. Start the server first:
Server:
openvpn --config server.ovpn
Client:
openvpn --config client.ovpn
Test from the client machine:
ping 10.66.77.1
If the ping is answered, it works. This solution works on Linux machines such as Ubuntu or Fedora. On Windows the configuration is the same, but starting the client differs a bit depending on the client implementation.
Possible problems:
- a firewall is blocking the port
- IP forwarding and NAT are not set up on the server
- redirect-gateway def1 is missing from the client conf
- OpenVPN was not started as root, so the tun device could not be created
- the ifconfig lines of server and client are not mirror images of each other
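The whole procedure above, gathered into one script, as an added example that is not part of the original tutorial: it writes the two config files from the article's values and runs a preflight check for the items in the "Possible problems" list. yourserver.com, eth0 and the relative path static.key are placeholder assumptions; the preflight must run as root on the server to see the real kernel and iptables state.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate server.ovpn and
# client.ovpn for the static-key setup above and check the usual mistakes.
set -eu

SERVER_IP=10.66.77.1
CLIENT_IP=10.66.77.2
VPN_NET=10.66.77.0/24
VPN_PORT=21
WAN_IF=eth0                 # assumed: the server's internet-facing interface
REMOTE_HOST=yourserver.com  # assumed: the server's public name

# Print the server config: static key, TCP server on $VPN_PORT.
gen_server_conf() {
    cat <<EOF
dev tun
proto tcp-server
port $VPN_PORT
ifconfig $SERVER_IP $CLIENT_IP
secret static.key
EOF
}

# Print the client config; redirect-gateway lives here, not in a server push.
gen_client_conf() {
    cat <<EOF
remote $REMOTE_HOST $VPN_PORT tcp-client
dev tun
ifconfig $CLIENT_IP $SERVER_IP
secret static.key
redirect-gateway def1
EOF
}

# Returns 0 when the client config carries "redirect-gateway def1", else 1.
client_conf_ok() {
    grep -qx 'redirect-gateway def1' "$1"
}

# Returns 0 when the server's "ifconfig A B" is mirrored by the client's
# "ifconfig B A"; a mismatch here gives a tunnel that comes up but cannot ping.
ifconfig_mirrored() {
    s=$(awk '$1 == "ifconfig" { print $2, $3 }' "$1")
    c=$(awk '$1 == "ifconfig" { print $3, $2 }' "$2")
    [ -n "$s" ] && [ "$s" = "$c" ]
}

# Server-side preflight against live kernel/iptables state (needs root).
# Prints each problem with the command that fixes it; returns the problem count.
server_preflight() {
    problems=0
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" != "1" ]; then
        echo "ip forwarding is off: echo 1 > /proc/sys/net/ipv4/ip_forward"
        problems=$((problems + 1))
    fi
    if ! iptables -t nat -C POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null; then
        echo "NAT rule missing: iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE"
        problems=$((problems + 1))
    fi
    if [ ! -s static.key ]; then
        echo "static.key missing: openvpn --genkey --secret static.key && chmod 600 static.key"
        problems=$((problems + 1))
    fi
    if [ "$(id -u)" != "0" ]; then
        echo "not root: openvpn needs root to create the tun device"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: ./vpn-setup.sh server > server.ovpn
#        ./vpn-setup.sh client > client.ovpn
#        sudo ./vpn-setup.sh preflight
case "${1:-}" in
    server)    gen_server_conf ;;
    client)    gen_client_conf ;;
    preflight) server_preflight ;;
esac
```

Run the preflight on the server before starting openvpn; a non-zero exit means at least one of the listed problems is present. The two generator functions only print text, so you can diff their output against configs you already have.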
Thanks a zillion, this is the best tutorial on the net
stephen
It took me FOREVER to find a tutorial that mentioned the fact that:
redirect-gateway def1
has problems for some when imposed by the server, but works when stated in the client configuration. I thought that I was doing something wrong!
Thank you for that gem, you have saved me so much time and effort.
Andras
Big thanks for the tutorial
q23p
I am very grateful for the tutorial.
Thank you.
Quick question
will this help if public access block RDP connection?
Quick question
will this help in case public WIFI block RDP connections and other client applications?
smartman
Sure it will help. Everything will be invisible to the public wifi manager.
major Tomski
Big thanks for the write-up.
I got my VPN going with a simple static key setup; connection was happening but no routing. The answer is right here in the first set of commands – I just tweaked it a little:
# iptables -t nat -A POSTROUTING -s single_client_ip/32 -o eth0 -j SNAT --to-source server_static_ip
On Debian, afterwards, I run ‘iptables-save > iptables.rules’ and load this from a script in /etc/network/if-pre-up.d/
Numerous hours of head scratching were had until I stumbled upon your page and experienced my epiphany.
Dharmesh
Great Tutorial