You shouldn't ask people for the .ovpn file for security reasons. The .ovpn file is like a key. Would you share your key with strangers? If you are using a VPN service provider, the service provider will provide you the .ovpn file. If you are using your own OpenVPN server, you should generate your own .ovpn file. Anyway, .ovpn files are not for sharing!
It all depends on how the user has setup their .ovpn file.
If the keys/certs are in separate files linked to the .ovpn it is relatively benign to share, though you may want to X out your server ip/host and port.
If you have your keys/certs in the .ovpn file itself then you should surely not share the full contents of the file.
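As an added example (not code from this thread), a small POSIX shell script that tells you which of the two cases above a client .ovpn falls into before you post it, and writes a copy with the inline private blocks dropped and the remote host/port X-ed out; the sample config and its PEM bodies are constructed dummies.

```shell
#!/bin/sh
# Added example: decide whether a client .ovpn is safe to post, and produce a redacted copy.
# Inline <key>/<tls-auth>/<tls-crypt>/<secret> blocks are private material; <ca> and <cert>
# are public and are left in place; the remote host/port is X-ed out as suggested above.

# Constructed sample client config; the PEM bodies are dummies, not real key material.
SAMPLE_OVPN="${TMPDIR:-/tmp}/sample_client.ovpn"
cat > "$SAMPLE_OVPN" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
auth-nocache
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedNotARealCertificate
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
MIIEconstructedNotARealPrivateKey
-----END PRIVATE KEY-----
</key>
EOF

# Exit 0 when the file embeds private key material inline (never share it as-is), else 1.
ovpn_has_inline_secrets() {
    grep -Eq '^<(key|tls-auth|tls-crypt|secret)>' "$1"
}

# Print the external files the config points at (ca/cert/key/... directives); empty if none.
ovpn_external_files() {
    awk '$1 ~ /^(ca|cert|key|tls-auth|tls-crypt|secret|pkcs12)$/ { print $2 }' "$1"
}

# Write a shareable copy to stdout: private blocks replaced by a marker, remote X-ed out.
ovpn_redact() {
    awk '
        /^<(key|tls-auth|tls-crypt|secret)>/   { skip = 1; print "# [" $0 " block removed]"; next }
        /^<\/(key|tls-auth|tls-crypt|secret)>/ { skip = 0; next }
        skip                                   { next }
        $1 == "remote"                         { print "remote xxxx.xxx xxxx"; next }
        { print }
    ' "$1"
}

ovpn_has_inline_secrets "$SAMPLE_OVPN" && echo "inline secrets found: share only the redacted copy" >&2
ovpn_redact "$SAMPLE_OVPN" > "${SAMPLE_OVPN%.ovpn}.redacted.ovpn"
```

A config that only references external files (ovpn_external_files prints their paths) is the "relatively benign" case; the files it names are the part you keep to yourself.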
This is the config I ended up with after about a week of fussing with openvpn and giving up several times to come back with a fresh mind.
This is running on
DD-WRT v3.0-r31722 std (03/21/17) on a WRT1200AC
To explain some of it:
10.10.10.x is my local lan ip range
10.10.11.x is a guest wifi network
10.10.12.x as my vpn ip range
Under additional config, this is my understanding of the options I have put in:
push "dhcp-option DNS 10.10.10.1" /////forces the VPN clients to use my router's DNS server
push "redirect-gateway def1" /////forces the VPN clients to route all traffic over the VPN
reneg-bytes 64000000 ///// forces the client/server to renegotiate the encryption keys after every 64MB of data transfer for extra security
For the firewall commands:
iptables -I FORWARD 1 -s 10.10.12.0/24 -j ACCEPT /////allows the VPN clients to communicate with the LAN clients
iptables -t nat -A POSTROUTING -s 10.10.12.0/24 -j MASQUERADE ///// allows the VPN clients to obtain an internet connection through the router.
I know for a fact that these firewall rules are required, without the 1st one I was unable to connect to local LAN clients and without the 2nd one I could not get internet connectivity once I was on the VPN.
For my .ovpn file I have the following:
remote xxxx.com 1194
This is working great on my phone running Android 7.1.2 with the latest OpenVPN client from the play store
I see that some people in here have chosen to go with AES-128-CBC. You might as well bump it up to 256-bit for some extra security; I cannot find any performance differences between 128 and 256 on my WRT1200AC, which is in the lower end of this hardware series.
Posted: Wed May 03, 2017 21:47 Post subject: HappyDaddy, you are AMAZING
Thank you thank you thank you!
I've been trying to get this working for days (getting just close enough that I couldn't give up completely) and you got me up and running in less than 5 minutes. Is it possible to add your guide to the Wiki? If we ever meet in the wild, drinks are on me. Thanks again!
After years trying to get OpenVPN to work, after following HappyDaddy's (Thank you!) guide, I finally got it to work with a few modifications to get it working on Android.
I kept start type at System
For Network, it's the subnet that you want your OpenVPN clients to be in. For example, if you use the 192.168.1.0 subnet for your LAN, then you might choose something like 192.168.10.0. This should be different from your LAN subnet. The last octet should be a 0.
All other settings according to HappyDaddy's post. It worked for me with either the Additional Config filled in or empty.
At this point, I could connect, but have no internet access. I had to add the following under the Administration -> Command Tab and save it to the firewall. The IP should be the same as the subnet you entered for the Network setting.
Posting the same question in two forums fragments the replies and causes confusion.
Copy that. I just deleted the post in this thread, and asked an additional question over in my thread.
In response to this thread, I did everything according to the quasi-guide listed here, and I can in fact now connect to the router through the tunnel, but I cannot connect to the internet from my client.
I have these exact settings in my Administration/Commands section:
Posted: Sun Oct 29, 2017 3:23 Post subject: MAJOR UPDATE
I finally succeeded in making this work by following this guide and reading every post in it to find the tidbits necessary for a successful set up.
After many failed attempts, what I learned was that I needed to hard reset my router and set it back to DD-WRT defaults and start from zero. That was the best thing I did in this whole process.
I also deleted my entire OpenVPN folder and every .ovpn file I had created in previous attempts so that I could start fresh all across the board. That was the second best thing I did.
Next, I followed the process outlined by HappyDaddy (thank you) and used the firewall code supplied by StanleyCup (thank you) and started out to get one client up and running with internet and lan access.
The fresh start approach was the key and it worked like a charm.
My set up:
(1) Linksys WRT-1900AC (v2) running build r33555 10/20/17 (std).
Behind a FIOS router with 150/150 speed.
(2) Windows 7 client (same machine I built the certs/keys on).
The system has been up and running stable for the last 8 hours now, with zero issues.
My WRT-1900ACv2 has the same processor speed as a 1900ACS (1600 MHz). Speed test results indicate I am losing right around 40 Mbps through the VPN with 2048 level encryption set up. I am getting anywhere between 113 and 108 Mbps results, which is totally acceptable to me, considering that the PiVPN I was using could only chug out between 20-30 Mbps... The speed hit was enormous through the Pi.
I went back in and generated 5 more keys for the various devices in my LAN successfully, and as of this post, I have 5 devices connected to and routing traffic through the VPN. To say that I am ecstatic is the understatement of the year indeed.
I am using a slightly different process in my .ovpn files, in that I have the certs and key within each .ovpn file.
I also put the "auth-nocache" line in my client files because I have always hated the RED WARNING message that flashes by during connection, so I just added it, even though I know it is probably not an issue. Now the red warning message is no longer there...
Again, I did NOT have to put ANY additional "code" in the "Additional Config" section at all. My set up works perfectly without it.
I did however, use the following firewall settings provided by StanleyCup (modified the port # I am actually using):
Prior to starting fresh with clean everything, I was able to connect via lan only. I could not get internet access until I placed StanleyCup's code in the firewall and saved the firewall. I did not have to reboot the router for that setting to take, although it did take a minute or 2 of refreshing web pages to finally get a connection, but it happened and it was a beautiful thing.
Not sure what else I can share with everyone that may be helpful, but if you can think of anything let me know and I will post it up.
P.S. 3 of the devices I have connected using this set up are Android.
Last edited by Boogalooz on Tue Oct 31, 2017 3:22; edited 1 time in total
# $WAN_IF, $OVPN_PROTO, $OVPN_PORT, $OVPN_DEV and $OVPN_SERVER stand for your own WAN interface, protocol, port, tunnel device and VPN subnet
# open the OpenVPN server port
iptables -I INPUT -i $WAN_IF -p $OVPN_PROTO --dport $OVPN_PORT -j ACCEPT
# allow OpenVPN clients to access the OpenVPN server
iptables -I INPUT -i $OVPN_DEV -m state --state NEW -j ACCEPT
# allow OpenVPN clients to access ALL other devices on the LAN (and onward to the internet via the NAT rule below)
iptables -I FORWARD -i $OVPN_DEV -m state --state NEW -j ACCEPT
# nat OpenVPN clients over the local internet gateway
iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $WAN_IF -j MASQUERADE
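Added example, not from the thread or from DD-WRT: a POSIX shell script that fills the rule set above in from your LAN and VPN subnets, after checking that the VPN subnet is a /24 ending in .0 that does not overlap the LAN (the two conditions the posts above keep tripping over), and prints the rules rather than applying them. The tun+ interface wildcard and the sample subnets are assumptions.

```shell
#!/bin/sh
# Added example: generate DD-WRT OpenVPN firewall rules from the chosen subnets.
# Assumes the server's tunnel interface matches tun+ and that the VPN network is a /24.
# The rules are printed, not applied; paste them under Administration -> Commands.

# Dotted quad -> integer, POSIX arithmetic only.
ip_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Exit 0 if the two CIDR ranges overlap, 1 if they are disjoint.
cidr_overlap() {
    n1=$(ip_to_int "${1%/*}"); p1=${1#*/}
    n2=$(ip_to_int "${2%/*}"); p2=${2#*/}
    p=$p1; [ "$p2" -lt "$p" ] && p=$p2        # compare under the shorter prefix
    m=$(( 4294967296 - (1 << (32 - p)) ))     # network mask for prefix length p
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# gen_rules LAN_CIDR VPN_CIDR PORT PROTO: prints the rule set, or returns 2 on a bad VPN subnet.
gen_rules() {
    lan=$1; vpn=$2; port=$3; proto=$4
    case "$vpn" in */24) ;; *) echo "VPN subnet must be a /24" >&2; return 2 ;; esac
    case "${vpn%/*}" in *.0) ;; *) echo "last octet of the VPN subnet must be 0" >&2; return 2 ;; esac
    if cidr_overlap "$lan" "$vpn"; then
        echo "VPN subnet $vpn overlaps LAN subnet $lan" >&2; return 2
    fi
    cat <<EOF
# open the OpenVPN server port
iptables -I INPUT -p $proto --dport $port -j ACCEPT
# let VPN clients reach the router itself and, via FORWARD, the LAN and the internet
iptables -I INPUT -i tun+ -m state --state NEW -j ACCEPT
iptables -I FORWARD 1 -i tun+ -s $vpn -m state --state NEW -j ACCEPT
# NAT VPN clients out through the router's internet connection
iptables -t nat -A POSTROUTING -s $vpn -j MASQUERADE
EOF
}

# Constructed sample values matching the layout earlier in the thread: LAN 10.10.10.x, VPN 10.10.12.x.
gen_rules 10.10.10.0/24 10.10.12.0/24 1194 udp
```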