
I have been a Linux user for some years, although I'm very new to the networking aspects. This is the first time I will use OpenVPN and I have been struggling to make it work for a few days. I need to connect my home and work PCs (just two computers, each in a different location and on a different network) to use ssh in a way that I can access either computer. Then I could synchronize my files using commands such as sync, unison, etc. Both computers are using Debian 12. In case this info could be relevant, one computer has the default Debian kernel: 6.1.0-30-amd64, arch: x86_64. The other computer is using a newer kernel to achieve wifi compatibility: kernel 6.10.11+bpo-amd64, arch: x86_64. I would like to set both up as server and client so I can access them from either location.

The router at home and work provides different types of subnets: 192.168.home.255 and 192.168.work.255 (home and work are different values).

I installed the default OpenVPN in Debian 12:

OpenVPN 2.6.3 x86_64-pc-linux-gnu
library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2023 OpenVPN Inc

First I followed the Debian wiki page: https://wiki.debian.org/OpenVPN. On that page they first cover how to install and run openvpn over a raw, unsecured connection just for testing. But the test didn't go well for me. Later they continue to configure openvpn, which I also did, but it still seems not to work. Then I went through more complex guides on the net, configuring certificates, etc.... no luck. I think I should focus on that first step on the Debian wiki page and find out why the raw test doesn't work.

So here are the steps I followed from the Debian wiki:

sudo apt-get install openvpn
sudo apt-get install network-manager-openvpn-gnome

On the server's firewall, open up UDP 1194 (default port).

I accomplished this using firewalld (which is the recommended program for managing nftables in Debian).

sudo apt install firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo firewall-cmd --add-port=1194/udp

I also checked that the openvpn service was active and enabled:

sudo systemctl start openvpn.service
sudo systemctl enable openvpn.service

And I included OpenVPN in the firewall too:

sudo firewall-cmd --add-service=openvpn

Here is the output of my firewalld configuration with the command:

> sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp7s0
  sources:
  services: dhcpv6-client openvpn ssh
  ports: 1194/udp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Since I want to use both computers as servers, I did all those steps in both computers.

From one computer (let's call it the server now) I run an openvpn instance:

sudo openvpn --remote CLIENT_IP --dev tun1 --ifconfig 10.9.8.1 10.9.8.2 

If I understood it correctly, I have to replace CLIENT_IP with the public IP of the other computer (let's call it the client). I opted to get the IP using the command:

curl https://api.ipify.org 

and copy/paste the IP, replacing the CLIENT_IP part in the command above.

So here is the final command and output:

> sudo openvpn --remote xxx.xxx.xxx.xxx --dev tun1 --ifconfig 10.9.8.1 10.9.8.2
2025-01-23 19:42:08 DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.
2025-01-23 19:42:08 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2025-01-23 19:42:08 library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
2025-01-23 19:42:08 DCO version: N/A
2025-01-23 19:42:08 ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
2025-01-23 19:42:08 ******* WARNING *******: '--auth none' was specified. This means no authentication will be performed on received packets, meaning you CANNOT trust that the data received by the remote side have NOT been manipulated. PLEASE DO RECONSIDER THIS SETTING!
2025-01-23 19:42:08 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION!
2025-01-23 19:42:08 TUN/TAP device tun1 opened
2025-01-23 19:42:08 net_iface_mtu_set: mtu 1500 for tun1
2025-01-23 19:42:08 net_iface_up: set tun1 up
2025-01-23 19:42:08 net_addr_ptp_v4_add: 10.9.8.1 peer 10.9.8.2 dev tun1
2025-01-23 19:42:08 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
2025-01-23 19:42:08 UDPv4 link local (bound): [AF_INET][undef]:1194
2025-01-23 19:42:08 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194

So I got this "good" line saying: TUN/TAP device tun1 opened

While openvpn is running, I execute from another terminal the command "ip a" and get this output:

tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.9.8.1 peer 10.9.8.2/32 scope global tun1
       valid_lft forever preferred_lft forever

I then continue with the Debian wiki page, go to the client and run:

> sudo openvpn --remote SERVER_IP --dev tun1 --ifconfig 10.9.8.2 10.9.8.1 

now replacing SERVER_IP with the public IP of the "server" computer. I get very similar output to before, just with 10.9.8.1 and 10.9.8.2 exchanged.

I am also supposed to be able to ping the server, but it doesn't work:

> ping 10.9.8.1
PING 10.9.8.1 (10.9.8.1) 56(84) bytes of data.

--- 10.9.8.1 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10312ms

So please, could anyone help me with how and where I could start searching for the issue in my openvpn setup or my computers? What commands could I run for debugging? Could it be something with my router instead? In that case, how can I configure my router to let openvpn connections through?

1 Answer

The two subnets 192.168.x.0/24 are from private IP address space, so they cannot be directly reached from the public Internet. Your router at home and the firewall at work will be performing NAT, and so you need to port forward 1194/udp through one of them to the corresponding client or server.

  • Thank you very much @Chris Davies. I will try port forwarding in my router, which for now I hadn't touched much and comes with the factory settings. I checked that in the security tab the firewall level can be set to disable/standard. It is set to standard by default. Commented Jan 25 at 6:48
  • This will be my first time forwarding ports. Please assist me in checking that I got the idea right. I found in the "Forward" tab (my router is a Huawei EG8145X6-10) the "IPv4 Port Mapping" tab. Then what I should do is click on "new" to create a new rule and select the internal host, which is the internal (private) IP of my computer (192.168.....), then select protocol UDP, and in the internal port number and in the external port number write 1194 (there are four fields, to specify ranges, so I will write 1194 in all four). Commented Jan 25 at 6:51
  • At the computer level, as I said in my post, I already allowed port 1194/UDP via firewalld. Will all these steps be enough? Commented Jan 25 at 6:51
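The log in the question already says why the raw `--ifconfig` test is a dead end for anything beyond a one-off connectivity check: with no TLS, OpenVPN runs with `--cipher none` and `--auth none`, so ssh traffic and rsync/unison data would cross the Internet unencrypted and unauthenticated, and 2.7 drops that mode. The replacement the warning points at is a TLS point-to-point tunnel where each side pins the other's self-signed certificate with `peer-fingerprint`, so no CA is needed. The script below is an added example, not code from the question, the answer or the Debian wiki. It assumes the home PC plays `tls-server` (that is the side whose router needs the 1194/udp forward from the answer), the work PC plays `tls-client` and only dials out (no forward needed there), both keep the `tun1` / `10.9.8.1` / `10.9.8.2` addressing from the question, and `HOME_PUBLIC_IP` (a documentation address by default) is replaced with the real public address. `openssl` must be installed on the machine that runs it.

```shell
#!/bin/sh
# Added example: generate one self-signed EC certificate per side and write
# two OpenVPN point-to-point configs that pin each other via peer-fingerprint.
# Assumptions: "home" is tls-server (port-forwarded), "work" is tls-client;
# HOME_PUBLIC_IP is a placeholder documentation address.
set -eu

HOME_PUBLIC_IP="${HOME_PUBLIC_IP:-203.0.113.10}"   # placeholder (assumption)

# Self-signed P-384 certificate and key for one side, valid 10 years.
gen_cert() {   # gen_cert <name> <dir>
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
        -nodes -sha256 -days 3650 -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
    chmod 600 "$2/$1.key"   # the key is the only secret in this setup
}

# SHA-256 fingerprint, colon separated, in the form --peer-fingerprint expects.
fingerprint() {   # fingerprint <cert-file>
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Emit one side's config. Both sides share tun1 and the 10.9.8.x pair from
# the question; only the TLS role, the pinned peer and the remote differ.
write_config() {   # write_config <file> <tls-server|tls-client> <own> <peer-fp> <local-ip> <peer-ip> [remote-ip]
    {
        printf 'dev tun1\nproto udp\nport 1194\n%s\n' "$2"
        if [ "$2" = tls-server ]; then
            printf 'dh none\n'                       # ECDHE key exchange, no DH params
        else
            printf 'remote %s 1194\nnobind\n' "$7"   # dials out only; no inbound port needed
        fi
        printf 'ifconfig %s %s\n' "$5" "$6"
        printf 'cert %s.crt\nkey %s.key\n' "$3" "$3"
        printf 'peer-fingerprint %s\n' "$4"         # any other certificate is rejected
        printf 'keepalive 10 60\npersist-key\npersist-tun\nverb 3\n'
    } > "$1"
}

# Generate both certificates and both configs into <dir>.
build_p2p_configs() {   # build_p2p_configs <dir>
    mkdir -p "$1"
    gen_cert home "$1"
    gen_cert work "$1"
    write_config "$1/home.conf" tls-server home "$(fingerprint "$1/work.crt")" 10.9.8.1 10.9.8.2
    write_config "$1/work.conf" tls-client work "$(fingerprint "$1/home.crt")" 10.9.8.2 10.9.8.1 "$HOME_PUBLIC_IP"
    echo "wrote $1/home.conf and $1/work.conf"
}

# Usage: sh this.sh <output-dir>
# Copy home.conf/home.crt/home.key to the home PC and work.* to the work PC,
# then run `sudo openvpn --config home.conf` and `sudo openvpn --config work.conf`.
if [ -n "${1:-}" ]; then
    build_p2p_configs "$1"
fi
```

Only the home side needs the firewalld port opening and the router forward described in the answer; the work side binds no port. Once `ping 10.9.8.1` works from the work PC, ssh works in both directions over the tunnel addresses, and the OpenVPN log will show the TLS handshake instead of the three cleartext warnings. Keep each `.key` on its own machine; the `.crt` files and the fingerprints are not secret.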
