Mini-HOWTO for OpenVPN with FLI4L

Please note: Since May 2014 I no longer use FLI4L. The following information is only kept for archival purposes.

The OpenVPN package is the replacement for the former VPN solutions in FLI4L, such as OPT_VPND or OPT_CIPE.

The biggest advantages of OpenVPN are its availability for nearly all important platforms (Linux and Windows, but also MacOS) and its extensive configuration options. To download the client software, see http://openvpn.net/.

OpenVPN as a “road warrior” (tunnel)

With a “road warrior” configuration the router provides LAN access for one or more clients using OpenVPN. This is similar to OPT_VPND in FLI4L 2.0.8. The differences from OPT_VPND are that the clients do not get an IP address from the LAN, and that not all internet traffic is automatically forwarded to the router, but only the packets addressed to the LAN behind the router. Furthermore, additional software is needed on the client, which is only available for Windows 2000 or XP and later. If you used Windows 98 with PPTP, you have to upgrade to a newer version of Windows (which makes sense anyway for other reasons as well).

In this setup the clients do not see each other. If you need this, e.g. for games, have a look at the bridge configuration by Andreas Winkler below.

I’ve tested the following configuration successfully with FLI4L 2.1.9 including patch 6 and OpenVPN 2.0 rc18 and OpenVPN 2.0 rc21 including GUI 1.0 rc5 under Windows 2000 and Windows XP. It also works with FLI4L 3.0.0 and FLI4L 3.2.0 (see remarks at the end).

Configuring OpenVPN on the router

The configuration of the router is done in the file openvpn.txt. There you need the following entries:

OPT_OPENVPN='yes'
OPENVPN_FEATURES='std'

OPENVPN_N='2'                            # Number of clients - two here

# Configuration of the first client

OPENVPN_1_NAME='client1'                 # Name of the client
OPENVPN_1_LOCAL_PORT='10020'             # Incoming port for the connection
OPENVPN_1_SECRET='client1.secret'        # key file of the client
OPENVPN_1_TYPE='tunnel'
OPENVPN_1_REMOTE_VPN_IP='10.0.0.2'       # IP address of the client
OPENVPN_1_LOCAL_VPN_IP='10.0.0.1'        # IP address of the server
OPENVPN_1_ROUTE_N='0'
OPENVPN_1_INPUT_LIST_N='1'
OPENVPN_1_INPUT_LIST_1='ACCEPT'
OPENVPN_1_FORWARD_LIST_N='1'
OPENVPN_1_FORWARD_LIST_1='IP_NET_1 ACCEPT BIDIRECTIONAL'

# Configuration of the second client

OPENVPN_2_NAME='client2'                 # Name of the client
OPENVPN_2_LOCAL_PORT='10021'             # Incoming port for the connection
OPENVPN_2_SECRET='client2.secret'        # key file of the client
OPENVPN_2_TYPE='tunnel'
OPENVPN_2_REMOTE_VPN_IP='10.0.0.6'       # IP address of the client
OPENVPN_2_LOCAL_VPN_IP='10.0.0.5'        # IP address of the server
OPENVPN_2_ROUTE_N='0'
OPENVPN_2_INPUT_LIST_N='1'
OPENVPN_2_INPUT_LIST_1='ACCEPT'
OPENVPN_2_FORWARD_LIST_N='1'
OPENVPN_2_FORWARD_LIST_1='IP_NET_1 ACCEPT BIDIRECTIONAL'

Important: Every client needs its own section in the configuration and its own “dial-in port”. Instead of the port numbers 10020 or 10021 you can use any other port numbers you like, but be careful to use only ports that are not already in use by existing services; it is therefore recommended to use port numbers above 10000, as all services of FLI4L use port numbers below 10000.

The IP addresses for server and client (10.0.0.1, 10.0.0.2 and 10.0.0.5, 10.0.0.6) must meet a number of requirements:

  1. They must not exist in the LAN, neither on the side of FLI4L nor within the LAN of the clients.
  2. They must be “private” addresses (192.168.*.* or 10.*.*.*).
  3. Under Windows, they must be in a 255.255.255.252 subnet, so that only the following combinations are valid:
[  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]

This list can be obtained with the following command line after installing OpenVPN under Windows:

openvpn --show-valid-subnets
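As an added example (not part of this HOWTO, FLI4L or OpenVPN), the following Python script reproduces the pair table above and checks a planned server/client address pair against the three requirements, and also against the “different network addresses” rule from the troubleshooting section further down; the LAN networks it is fed are constructed sample values.

```python
# Added example, not code from the HOWTO, FLI4L or OpenVPN: checks the tunnel
# addresses against the three requirements above and against the "different
# network addresses" rule from the troubleshooting section further down.
import ipaddress

# The HOWTO names 192.168.*.* and 10.*.*.*; 172.16.0.0/12 is the third RFC 1918 range.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def valid_windows_pairs():
    """Reproduce the table printed by 'openvpn --show-valid-subnets': the two
    usable hosts of every 255.255.255.252 (/30) block within the last octet."""
    return [(base + 1, base + 2) for base in range(0, 256, 4)]


def check_tunnel_addresses(server_ip, client_ip, router_lan, client_lan):
    """Return a list of problems; an empty list means the addresses are usable.

    server_ip / client_ip: OPENVPN_n_LOCAL_VPN_IP / OPENVPN_n_REMOTE_VPN_IP on
    the router (the 'ifconfig' arguments in client.ovpn, in reverse order).
    router_lan: the LAN behind FLI4L (the 'route' network in client.ovpn).
    client_lan: the LAN the road warrior is currently connected to.
    """
    server = ipaddress.ip_address(server_ip)
    client = ipaddress.ip_address(client_ip)
    lans = {"FLI4L LAN": ipaddress.ip_network(router_lan, strict=False),
            "client LAN": ipaddress.ip_network(client_lan, strict=False)}
    problems = []

    for role, addr in (("server", server), ("client", client)):
        # Requirement 1: the tunnel endpoints must not exist in either LAN.
        for lan_name, lan in lans.items():
            if addr in lan:
                problems.append(f"{role} address {addr} lies inside the {lan_name} {lan}")
        # Requirement 2: the tunnel endpoints must be private addresses.
        if not any(addr in net for net in PRIVATE_RANGES):
            problems.append(f"{role} address {addr} is not a private address")

    # Requirement 3 (TAP-Win32): both endpoints must be the two hosts of one /30
    # block, i.e. exactly one of the pairs listed by 'openvpn --show-valid-subnets'.
    block = ipaddress.ip_network(f"{server}/30", strict=False)
    if {server, client} != set(block.hosts()):
        problems.append(f"{server} and {client} are not a valid 255.255.255.252 pair")

    # Troubleshooting rule: the client LAN and the FLI4L LAN must be different
    # networks, otherwise the client cannot tell local traffic from tunnel traffic.
    if lans["FLI4L LAN"].overlaps(lans["client LAN"]):
        problems.append(f"client LAN {lans['client LAN']} overlaps the FLI4L LAN {lans['FLI4L LAN']}")
    return problems
```

Running the check with the HOWTO's pairs (10.0.0.1/10.0.0.2 or 10.0.0.5/10.0.0.6) and two distinct LANs returns an empty list; 10.0.0.2/10.0.0.3 is rejected because both addresses are not the two hosts of the same /30.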

Instead of “client1” and “client2” you can of course use meaningful names, so that you can later still tell which connection is used by whom.

The files client1.secret and client2.secret contain the keys for the connections and have to be created before updating the FLI4L installation – see also “Creating the key file” below.

Configuring the clients

On the client, OpenVPN has to be installed separately; the client software is not part of FLI4L. I’ve successfully tested the shown examples with OpenVPN 2.0 rc21 and OpenVPN 2.0 rc18 with GUI 1.0 rc5. See also http://www.openvpn.org or http://openvpn.se. Furthermore, I assume a Windows installation.

“Disconnected” network connection in the sys tray?

After installing OpenVPN an additional icon is shown in the sys tray indicating a “disconnected” network connection. This is no problem; it is just the virtual network connection, which is later used by the OpenVPN client. Do not delete this connection, since without it no VPN connection can be established.

To avoid showing the network connection, you can install the driver as “invisible” (the version with GUI from http://openvpn.se offers this as an option when installing the software). To do so, edit the text file OemWin2k.inf in the drivers directory of OpenVPN as follows: change the entry for “Characteristics” in the section [tap0801.ndi] from 0x81 to 0x89:

[tap0801.ndi]
CopyFiles       = tap0801.driver, tap0801.files
AddReg          = tap0801.reg
AddReg          = tap0801.params.reg
Characteristics = 0x89

Note: The value for “Characteristics” is usually 0x81. Setting the additional flag 0x08 (NCF_HIDDEN) makes the driver invisible both in the Device Manager and in the network connections. This also means you can only remove the driver with the appropriate OpenVPN tool and not via the Windows Device Manager.

If you want to “hide” the virtual network connection, you have to delete the existing driver first (“Delete ALL TAP-Win32 virtual ethernet adapters” in the Windows start menu), apply the changes above and then install the driver again (“Add a new TAP-Win32 virtual ethernet adapter” in the Windows start menu).

Creating the key file

After installing OpenVPN you will find a new menu “OpenVPN” in the Windows start menu. There is also a menu command “Generate a static OpenVPN key”.

With this menu command you can generate a static key for the client. After selecting the menu command, a new console window opens and displays the following message:

Randomly generated 2048 bit key written to C:\Programme\OpenVPN\config\key.txt

This file should be renamed (according to the example this would be client1.secret or client2.secret), so it will not be overwritten when selecting the menu command by accident. A copy of this file is also needed by FLI4L and has to be copied to /config/etc/openvpn, where you have to create the directory openvpn if necessary; e.g. when FLI4L is stored at C:\fli4l, the directory should be C:\fli4l\config\etc\openvpn.

On the client, the file stays in the config directory of OpenVPN.

Configuring the connection

For the connection you need a text file with the extension .ovpn (e.g. client.ovpn) and the following entries in the config directory of OpenVPN. In this example, only the first client is described. The second client is configured similarly; you just have to change the IP addresses, the port for the connection and the name of the “secret” file.

remote my.dyndns.domain
rport 10020
secret client1.secret
dev tun
ifconfig 10.0.0.2 10.0.0.1
route 192.168.1.0 255.255.255.0
comp-lzo
persist-tun
persist-key
ping-timer-rem
ping-restart 60
proto udp
tun-mtu 1500
fragment 1300
mssfix

At remote you have to specify the address of the router. Therefore it makes sense to use a service like DynDNS or similar to make the router available under a domain name.

rport is the port number used on the router (OPENVPN_1_LOCAL_PORT).

At ifconfig you have to specify the same addresses as in the OpenVPN configuration on the router (client first, then server), and at route the LAN network of the router.

Additionally you can provide other options here as needed. For details see the OpenVPN documentation.

Finally you have to make sure that the key file (client1.secret in this example) exists on the client and on the router.

Opening the ports on the router for incoming connections

Usually it is not necessary to open the ports of the OpenVPN server manually, since this is done automatically (if you don’t want this, you can add OPENVPN_DEFAULT_OPEN_OVPNPORT='no' to the OpenVPN configuration).

If you have OPENVPN_DEFAULT_OPEN_OVPNPORT='no' in your OpenVPN configuration, you have to open the ports for the incoming connections with appropriate rules in the base configuration of FLI4L:

INPUT_LIST_N='2'

INPUT_LIST_1='10020 ACCEPT'
INPUT_LIST_2='10021 ACCEPT'

If you already have other INPUT rules defined, you have to adapt the numbers of course.

Establishing a connection on the client

To establish an OpenVPN connection, you have several options:

Variant 1: Using the context menu of the Windows explorer

Right-click the configuration file in Windows Explorer and select “Start OpenVPN on this config file”. A new console window will be opened, showing the status messages of OpenVPN.

To close the connection, press F4 in the console window (not Alt+F4, just F4 alone!).

Variant 2: Using a script

Create a CMD script (e.g. vpnconnect.cmd) with the following commands:

c:
cd \Programme\OpenVPN\config
c:\Programme\OpenVPN\bin\openvpn.exe --pause-exit --config client.ovpn

The names of directories and files have to be adapted to your own installation. When starting the script, the connection is established in the same way as with the context menu.

Variant 3: OpenVPN-GUI

If you don’t want the console window of OpenVPN, you can optionally use an additional tool for Windows, the OpenVPN-GUI (see also http://openvpn.se). This tool is now also part of the Windows version of OpenVPN. If you downloaded only the GUI, just copy it to the bin directory of OpenVPN.

The GUI provides an icon in the sys tray, from which you can establish or close connections with a mouse click.

Connection will be established, but data transfer is not possible?

An important prerequisite for a working VPN connection is that the client and FLI4L use different network addresses!

Example: FLI4L is configured to use the network 192.168.0.0-192.168.0.255. When a client connects using OpenVPN, its network must not use any address in the range 192.168.0.0-192.168.0.255, since then the client cannot decide which packets stay in its own network and which packets have to be forwarded through the OpenVPN connection. I am not talking about the “VPN sub network” (client address 10.0.0.2, server address 10.0.0.1), but about the local networks of the client and FLI4L.

Connection will be established, but accessing Windows shares is not possible?

In general: The “Windows network neighborhood” does not work over an OpenVPN tunnel; you have to access the shares using UNC paths or connect them as network drives.

Did you try to access the shares using the computer names (\\pcname\data)? This will not work, because the name resolution uses broadcasts, which are not transmitted through the tunnel. You either have to use the IP address, e.g. \\192.168.3.1\data, or use a bridge instead of a tunnel.

Is the Windows firewall active on the target computers? Then either turn it off or add an exception for access from outside.

Bridge configuration

Andreas Winkler suggests the following configuration for using a bridge. This configuration is also very suitable for games. For anything not mentioned below (creating the secret file, selecting the IP addresses, etc.), see above.

Configuring the router

It is necessary to install the package advanced_networking with the following configuration in the file advanced_networking.txt:

OPT_BRIDGE_DEV='yes'
BRIDGE_DEV_N='1'
BRIDGE_DEV_BOOTDELAY='no'

BRIDGE_DEV_1_NAME='root_bridge' # Any name is ok
BRIDGE_DEV_1_DEVNAME='br0'
BRIDGE_DEV_1_DEV_N='1'
BRIDGE_DEV_1_DEV_1_DEV='eth0' # the device, which connects to the internet

Furthermore, the following extensions have to be added to the file base.txt:

IP_NET_1_DEV='br0' # name has to be changed to br0 for the first bridge

DHCP should be configured as well, since it provides the pool for the VPN clients. You can also use fixed IP addresses.

The configuration on the router is done in the file openvpn.txt. There you have to use the following entries, here for three clients (if you need more clients, just add a section for each client with its own incoming port):

OPT_OPENVPN='yes'
OPENVPN_FEATURES='std'
OPENVPN_WEBGUI='yes'

OPENVPN_N='3'                      # Number of clients

OPENVPN_1_NAME='client1'           # Name of the first client
OPENVPN_1_LOCAL_PORT='10020'       # Incoming port for the connection
OPENVPN_1_SECRET='client1.secret'  # Name of the key file for the client
OPENVPN_1_TYPE='bridge'            # Mode: bridge
OPENVPN_1_BRIDGE='root_bridge'     # Bridge name, as in BRIDGE_DEV_1_NAME
OPENVPN_1_COMPRESS='yes'           # Compress data transfer

OPENVPN_2_NAME='client2'
OPENVPN_2_LOCAL_PORT='10021'
OPENVPN_2_SECRET='client2.secret'
OPENVPN_2_TYPE='bridge'
OPENVPN_2_BRIDGE='root_bridge'
OPENVPN_2_COMPRESS='yes'

OPENVPN_3_NAME='client3'
OPENVPN_3_LOCAL_PORT='10023'
OPENVPN_3_SECRET='client3.secret'
OPENVPN_3_TYPE='bridge'
OPENVPN_3_BRIDGE='root_bridge'
OPENVPN_3_COMPRESS='yes'

Configuring the client

For the connection you need a text file with the extension .ovpn (e.g. client.ovpn) and the following entries in the config directory of OpenVPN, where the port number has to be specified according to the router configuration:

remote my.dyndns.domain
port 10021
secret client1.secret
dev tap
ping 60
ping-restart 180
proto udp
fragment 1300
mssfix
mute 50
verb 4
nobind
comp-lzo
float

Changes since FLI4L 3.2.0

In FLI4L 3.2.0 the naming of the packet filter rules was changed. Therefore, the INPUT and FORWARD rules have to be specified differently: instead of INPUT_LIST you have to use PF_INPUT, and instead of FORWARD_LIST use PF_FORWARD:

OPENVPN_1_PF_INPUT_N='1'
OPENVPN_1_PF_INPUT_1='ACCEPT'
OPENVPN_1_PF_FORWARD_N='1'
OPENVPN_1_PF_FORWARD_1='IP_NET_1 ACCEPT BIDIRECTIONAL'

OPENVPN_2_PF_INPUT_N='1'
OPENVPN_2_PF_INPUT_1='ACCEPT'
OPENVPN_2_PF_FORWARD_N='1'
OPENVPN_2_PF_FORWARD_1='IP_NET_1 ACCEPT BIDIRECTIONAL'

PF_INPUT_N='2'

PF_INPUT_1='10020 ACCEPT'
PF_INPUT_2='10021 ACCEPT'

Further information

Android and OpenVPN