Network – A connection to openvpn outside of the LAN cannot be established

I am trying to host an OpenVPN server on my Jetson Nano board (arm64). I followed the tutorial from a DigitalOcean site, but I can't connect to my VPN server from outside the network. However, I can connect when I'm inside, even if I use the noips DDNS name. I also forwarded the port on my router.

Even if I run tcpdump -i eth0 -vv -s 1500 port 1194 I don't see any connection either.

This is my client.ovpn (of course I removed the certificate and key details):

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

;dev tap
dev tun

;dev-node MyTap

;proto tcp
proto udp

remote example.ddns.net 1194
;remote my-server-2 1194

;remote-random

resolv-retry infinite

nobind

user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy (proxy server) (proxy port #)

#ca ca.crt
#cert client.crt
#key client.key

remote-cert-tls server

#tls-auth ta.key 1

cipher AES-256-CBC
auth SHA256
key-direction 1

#comp-lzo

verb 3

;mute 20

# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

Any help is appreciated. Thank you very much.

Network – Does OpenVPN encrypt my traffic between my computer and the VPN server?

I set up my own VPN by installing OpenVPN on an Ubuntu server and then downloading the client.ovpn file from the Ubuntu server to my Windows laptop. Then I import that client.ovpn into the OpenVPN GUI app on Windows, and finally I connect to my Ubuntu VPN server and everything works fine.

I installed OpenVPN on the Ubuntu server using these instructions: https://github.com/angristan/openvpn-install

So I think the flow of traffic will look like this:

My computer (browser,...) --> Ubuntu OpenVPN server --> Internet.

Does the OpenVPN GUI encrypt the traffic between my computer and the Ubuntu OpenVPN server?

OpenVPN asks for a client certificate, where it shouldn't be

I imported the client configuration file into the official OpenVPN client for Android.

The configuration file contains a CA certificate, but no client certificate or key. That's fine because I have the auth-user-pass directive in it.

But when I try to connect, a window appears saying:

Select certificate

This profile does not contain a client certificate. Continue the connection
without a certificate or choose from the Android keychain?

If I want to continue, the connection will be made, but this window will appear every time I want to connect.

The same profile also works under Windows (official OpenVPN GUI) and VPN Client Pro (unofficial client from the Play Store).

Why is a client certificate looked for when the authentication method is user + password?

Thank you very much.

DEBIAN VPS – OpenVPN (All users viewing the IP of the VPS server)

I have just successfully installed a VPS server with OpenVPN (Debian 9.7).

OpenVPN is installed on both my Android phone and my Windows PC.

I want to access my phone's 4G network IP on my computer.

I created a proxy on my phone that I can connect to from my computer. The only problem is that the IP address of the VPS data center is displayed.

Is there an easy way to do this so my Android phone shows the real 4G IP while I connect to my computer (instead of showing the VPS data center IP)?

This is how the client is set up:

client
dev tun
proto udp
remote 167.172.40.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3

and this is the server config:

local 167.172.40.xxx
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify

Install OpenVPN version 2.4 on Ubuntu 16.04 xenial arm64

What is the easiest way to install OpenVPN version 2.4 on Ubuntu 16.04 xenial arm64?

Executing these commands:

echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt-get update && apt-get install openvpn

Results in:

N: Skipping acquire of configured file 'main/binary-arm64/Packages' as repository 'http://build.openvpn.net/debian/openvpn/release/2.4 xenial InRelease' doesn't support architecture 'arm64'

vpn – OPENVPN 2.4 in small businesses

I need to set up external access to our LAN (mainly access to the SMB file server).
I'm looking at a firewall that integrates OPNsense with an OpenVPN server, but how can I prevent users from editing the configuration or adding another OVPN file?

Our users are not administrators for security reasons, but I'm afraid that if we deploy OpenVPN with a configuration file via GPO (I'm looking into this because we don't have an MSI from OpenVPN), they could add their own private VPN.

I need a solution other than taking the source and doing it myself!

Thank you in advance!

vpn – Can't determine if the OpenVPN server I've set up is encrypted with Wireshark?

That may sound silly, but I set up an OpenVPN server on a Synology NAS. When I connect to the server at home through the client, everything works.

I know you can read packets in Wireshark. When I start sniffing the WiFi I am connected to at home, packets for the OpenVPN protocol are shown, and there are only a few lines that say Synology (I think this is a handshake), but everything else, every line of data, is gibberish. I assume that it is encrypted?

I also notice that when I connect to the VPN, a different LAN connection appears in Wireshark as an adapter for sniffing. When I sniff that new local network, it is NOT encrypted, but isn't that normal?

Basically, is the new adapter you sniff locally as soon as you connect via the client supposed to look like this? Or is it NOT normal? Why does it show gibberish, as if it were encrypted, on WiFi in Wireshark, but not on the new connection called Ethernet 2 that was established when connecting to the VPN?

Network – How do I connect my home network to my OpenVPN server? (No port forwarding)

Let me preface this question by saying that my network knowledge is at least as good, but I've managed to set up routing tables and troubleshoot problems with OpenVPN servers before.

Here is my scenario:

I have a gigabit connection at home, which is fantastic, and I want to use it to host things. However, my provider (Vodafone cable) gave me a cable modem that does not support port forwarding. It allows me to reach the local IPv6 addresses from the Internet when the firewall is disabled, but it automatically re-enables the firewall after 24 hours (MEH). I don't know if my IP address is static, but I don't think so. I can handle this with a dynamic DNS setup.

I also have a dedicated VPS with an OpenVPN server and a static IP. I currently use this mainly when I need to connect to untrusted networks. At the moment it is only a tun server that I use to tunnel all the traffic from my clients into my own local network in order to access the Internet from there.

My current layout:

                 Home                  +          Cloud Provider
                                       |
        +--------------------+         |      +---------------------+
        |                    |         |      |                     |
        |    Cable Modem     |         |      |    VPS - OpenVPN    |
        | (home.example.com) |         |      | (cloud.example.com) |
        |                    |         |      |                     |
        +--+-------------+---+         |      +---+-------------+---+
           ^             ^             |          ^             ^
           |             |             |          |             |
           v             v             |          v             v
+----------+-----+    +--+--------+    |     +----+---+    +----+----+
|                |    |           |    |     |        |    |         |
|  Raspberry Pi  |    |    NAS    |    |     | iPhone |    | MacBook |
| OpenVPN Server |    | NextCloud |    |     |        |    |         |
|                |    |           |    |     +--------+    +---------+
+----------------+    +-----------+    |
                                       |
                                       +

I want to accomplish the following:

My cable modem is the least configurable device on this list, so I want to use it as the DHCP server for the entire network. Since the Raspberry Pi in my home network is not accessible via the Internet, it should establish a connection to my VPS and make the home network accessible to the VPS. In this way, when devices like my iPhone connect to the VPS, they communicate directly with my modem to get an IP address.

If the setup is correct, the VPS OpenVPN server (cloud.example.com) simply forwards all traffic to the Raspberry Pi OpenVPN server and routes the traffic back. Should I use a dev tap configuration for this? But on which server, the VPS or the Raspberry Pi? Which OpenVPN server receives which client / server configuration files?

In other words, is this a "standard" pattern that I could look up anywhere? I don't think this is an unorthodox configuration, but I don't know what to look up to find a better explanation for the setup.

Thank you for your help!

vpn – Can certain OpenVPN users have an IP from a certain range?

Is it possible to configure OpenVPN (or, more precisely, its DHCP) to select the IP for a specific identity (or set of identities) from a range that I have already defined, while every other identity gets its IP from another range?

Or even to block network communication for that identity if the user uses it and manually sets an IP address outside the range?

An identity can be a user authenticated by a certificate or a username / password.

The goal is to be able to set some iptables rules that prevent some users from accessing certain resources (based on those users' IPs).
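As an added example, not code from the post above: OpenVPN's client-config-dir with ifconfig-push ties each identity (the client certificate's CN, or the username with auth-user-pass) to a fixed address, and the helper below assigns per-role addresses from separate pools, emits the ccd entries, and derives the matching iptables rules. The subnet, pool split, role names and identities are assumptions constructed for this example.

```python
import ipaddress

# Constructed layout (an assumption, not from the post): "server 10.8.0.0 255.255.255.0"
# with "topology subnet", split into one address pool per role. Identities are
# OpenVPN common names: the client certificate CN, or the username with auth-user-pass.
SERVER_NET = ipaddress.ip_network("10.8.0.0/24")
POOLS = {
    "staff": ipaddress.ip_network("10.8.0.0/25"),         # hosts .1 - .126
    "restricted": ipaddress.ip_network("10.8.0.128/25"),  # hosts .129 - .254
}
RESERVED = {ipaddress.ip_address("10.8.0.1")}  # the server's own tun address

def assign_addresses(role_of_identity):
    """Give every identity a fixed address from its role's pool, in a stable order."""
    free = {role: pool.hosts() for role, pool in POOLS.items()}
    assigned = {}
    for cn in sorted(role_of_identity):
        for candidate in free[role_of_identity[cn]]:
            if candidate not in RESERVED:
                assigned[cn] = str(candidate)
                break
        else:
            raise ValueError(f"pool exhausted for {cn}")
    return assigned

def ccd_file(addr):
    """Body of client-config-dir/<cn>: the server pushes this fixed address to the client.
    With ccd-exclusive in server.conf, a client that has no such file is refused."""
    return f"ifconfig-push {addr} {SERVER_NET.netmask}\n"

def iptables_rules(role, protected_net, tun="tun0"):
    """Block one pool from a protected network and let the rest of the VPN through.
    The OpenVPN server drops tunnelled packets whose inner source address is not the
    one it assigned to that client (logged as "MULTI: bad source address"), so a client
    cannot evade these rules by hand-picking an address from another pool."""
    return [
        f"iptables -A FORWARD -i {tun} -s {POOLS[role]} -d {protected_net} -j DROP",
        f"iptables -A FORWARD -i {tun} -s {SERVER_NET} -j ACCEPT",
    ]

if __name__ == "__main__":
    identities = {"alice": "staff", "contractor1": "restricted"}  # constructed sample
    for cn, addr in assign_addresses(identities).items():
        print(f"ccd/{cn}: {ccd_file(addr).strip()}")
    print("\n".join(iptables_rules("restricted", "192.168.1.0/24")))
```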