Please note: Since May 2014 I don’t use FLI4L any longer. The following information is only kept for archival purposes.
The OpenVPN package replaces the former VPN solutions in FLI4L, OPT_VPND and OPT_CIPE.
The biggest advantages of OpenVPN are its availability for nearly all important platforms (Linux and Windows, but also MacOS) and its extensive configuration options. To download the client software, see http://openvpn.net/.
OpenVPN as a “road warrior” (tunnel)
With a “road warrior” configuration the router provides LAN access for one or more clients using OpenVPN. This is similar to OPT_VPND in FLI4L 2.0.8. The difference to OPT_VPND is that the clients do not get an IP address from the LAN, and that not the whole internet traffic is automatically forwarded to the router, but only the packets addressed to the LAN behind the router. Furthermore, additional software is needed on the client, which is only available from Windows 2000 or XP onwards. If you used Windows 98 with PPTP, you have to upgrade to a newer version of Windows (which makes sense anyway for other reasons as well).
In this constellation the clients do not see each other. If you need this, e.g. for games, have a look at the bridge configuration by Andreas Winkler below.
I’ve tested the following configuration successfully with FLI4L 2.1.9 including patch 6 and OpenVPN 2.0 rc18 and OpenVPN 2.0 rc21 including GUI 1.0 rc5 under Windows 2000 and Windows XP. It also works with FLI4L 3.0.0 and FLI4L 3.2.0 (see remarks at the end).
Configuring OpenVPN on the router
The configuration of the router is done in the file openvpn.txt. There you need the following entries:
OPT_OPENVPN='yes'
OPENVPN_FEATURES='std'
OPENVPN_N='2'                                   # Number of clients - two here

# Configuration of the first client
OPENVPN_1_NAME='client1'                        # Name of the client
OPENVPN_1_LOCAL_PORT='10020'                    # Incoming port for the connection
OPENVPN_1_SECRET='client1.secret'               # key file of the client
OPENVPN_1_TYPE='tunnel'
OPENVPN_1_REMOTE_VPN_IP='10.0.0.2'              # IP address of the client
OPENVPN_1_LOCAL_VPN_IP='10.0.0.1'               # IP address of the server
OPENVPN_1_ROUTE_N='0'
OPENVPN_1_INPUT_LIST_N='1'
OPENVPN_1_INPUT_LIST_1='ACCEPT'
OPENVPN_1_FORWARD_LIST_N='1'
OPENVPN_1_FORWARD_LIST_1='IP_NET_1 ACCEPT BIDIRECTIONAL'

# Configuration of the second client
OPENVPN_2_NAME='client2'                        # Name of the client
OPENVPN_2_LOCAL_PORT='10021'                    # Incoming port for the connection
OPENVPN_2_SECRET='client2.secret'               # key file of the client
OPENVPN_2_TYPE='tunnel'
OPENVPN_2_REMOTE_VPN_IP='10.0.0.6'              # IP address of the client
OPENVPN_2_LOCAL_VPN_IP='10.0.0.5'               # IP address of the server
OPENVPN_2_ROUTE_N='0'
OPENVPN_2_INPUT_LIST_N='1'
OPENVPN_2_INPUT_LIST_1='ACCEPT'
OPENVPN_2_FORWARD_LIST_N='1'
OPENVPN_2_FORWARD_LIST_1='IP_NET_1 ACCEPT BIDIRECTIONAL'
Important: Every client needs its own section in the configuration and its own “dial-in port”. Instead of the port numbers 10020 or 10021 you can use any other port number you like, but be careful to use only ports that are not already in use by existing services – it is therefore recommended to use port numbers above 10000, as all services of FLI4L use port numbers below 10000.
The IP addresses for server and client (10.0.0.1, 10.0.0.2 and 10.0.0.5, 10.0.0.6) must meet a number of requirements:
- They must not exist in the LAN – neither on the FLI4L side nor within the LAN of the clients.
- They must be “private” addresses (192.168.*.* or 10.*.*.*)
- Under Windows, they must form a 255.255.255.252 subnet, so that only the following combinations (last octet of the two addresses) are valid:
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18] [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38] [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58] [ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78] [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98] [101,102] [105,106] [109,110] [113,114] [117,118] [121,122] [125,126] [129,130] [133,134] [137,138] [141,142] [145,146] [149,150] [153,154] [157,158] [161,162] [165,166] [169,170] [173,174] [177,178] [181,182] [185,186] [189,190] [193,194] [197,198] [201,202] [205,206] [209,210] [213,214] [217,218] [221,222] [225,226] [229,230] [233,234] [237,238] [241,242] [245,246] [249,250] [253,254]
This list can be obtained, after installing OpenVPN under Windows, with the following command line:
openvpn --show-valid-subnets
Instead of “client1” and “client2” you can of course use meaningful names, so that you can later still tell which connection is used by whom.
The files client1.secret and client2.secret contain the keys for the connections and have to be created before updating the FLI4L installation – see also “Creating the key file” below.
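A small checker for the per-client rules above (own dial-in port per client, ports above 10000, and a valid 255.255.255.252 address pair), written for this page as an added example and not part of FLI4L; the openvpn.txt content it parses is a constructed sample that contains two deliberate mistakes in the second client.

```python
import re
import ipaddress

# Constructed sample of a road-warrior openvpn.txt in FLI4L's KEY='value' # comment style.
# Client 2 contains two deliberate mistakes that the checks below should report.
SAMPLE_OPENVPN_TXT = """\
OPT_OPENVPN='yes'
OPENVPN_N='2'                          # Number of clients
OPENVPN_1_NAME='client1'
OPENVPN_1_LOCAL_PORT='10020'           # Incoming port for the connection
OPENVPN_1_REMOTE_VPN_IP='10.0.0.2'     # IP address of the client
OPENVPN_1_LOCAL_VPN_IP='10.0.0.1'      # IP address of the server
OPENVPN_2_NAME='client2'
OPENVPN_2_LOCAL_PORT='10020'           # mistake: same port as client1
OPENVPN_2_REMOTE_VPN_IP='10.0.0.4'     # mistake: .4 is the network address, valid pair is [5,6]
OPENVPN_2_LOCAL_VPN_IP='10.0.0.5'
"""

LINE_RE = re.compile(r"^\s*([A-Z0-9_]+)='([^']*)'")

def parse_fli4l(text):
    """Return {KEY: value}; anything after the closing quote (comments) and blank lines are ignored."""
    return {m.group(1): m.group(2) for m in map(LINE_RE.match, text.splitlines()) if m}

def valid_pair(server_ip, client_ip):
    """True if both addresses are private and are the two hosts of one /30 (the Windows TAP rule)."""
    s, c = ipaddress.ip_address(server_ip), ipaddress.ip_address(client_ip)
    net = ipaddress.ip_network(f"{s}/30", strict=False)
    return s.is_private and c.is_private and {s, c} == {net[1], net[2]}

def check_clients(conf):
    """Return a list of problems in the per-client sections (an empty list means all checks passed)."""
    problems, ports = [], {}
    for i in range(1, int(conf.get("OPENVPN_N", "0")) + 1):
        p = f"OPENVPN_{i}_"
        port = int(conf.get(p + "LOCAL_PORT", "0"))
        if port <= 10000:          # FLI4L's own services use ports below 10000
            problems.append(f"client {i}: port {port} should be above 10000")
        if port in ports:          # every client needs its own dial-in port
            problems.append(f"client {i}: port {port} already used by client {ports[port]}")
        ports[port] = i
        srv, cli = conf.get(p + "LOCAL_VPN_IP", ""), conf.get(p + "REMOTE_VPN_IP", "")
        if not valid_pair(srv, cli):
            problems.append(f"client {i}: {srv}/{cli} is not a valid 255.255.255.252 pair")
    return problems

if __name__ == "__main__":
    for problem in check_clients(parse_fli4l(SAMPLE_OPENVPN_TXT)):
        print(problem)
```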
Configuring the clients
On the client, OpenVPN has to be installed separately – the client software is not part of FLI4L. I’ve successfully tested the examples shown with OpenVPN 2.0 rc21 and OpenVPN 2.0 rc18 with GUI 1.0 rc5. See also http://www.openvpn.org or http://openvpn.se. Furthermore, I assume a Windows installation.
“Disconnected” network connection in the sys tray?
After installing OpenVPN an additional icon is shown in the sys tray, indicating a “disconnected” network connection. This is no problem – it’s just the virtual network connection, which is later used by the OpenVPN client. You must not delete this connection, since otherwise no VPN connection can be established.
A solution to avoid showing the network connection is to install the driver as “invisible” (the version with GUI from http://openvpn.se offers this as an option when installing the software). To do so, you have to edit the text file OemWin2k.inf in the directory drivers of OpenVPN as follows – change the entry for “Characteristics” in the section [tap0801.ndi] from 0x81 to 0x89:
[tap0801.ndi]
CopyFiles = tap0801.driver, tap0801.files
AddReg = tap0801.reg
AddReg = tap0801.params.reg
Characteristics = 0x89
Note: The value for “Characteristics” is usually 0x81. By additionally setting the flag 0x08 (NCF_HIDDEN), the driver is visible neither in the device manager nor in the network connections. This also means that you can only remove the driver using the appropriate OpenVPN tool and not via the Windows device manager.
If you want to “hide” the virtual network connection, you have to delete the existing driver first (“Delete ALL TAP-Win32 virtual ethernet adapters” in the Windows start menu), apply the changes above and then install the driver again (“Add a new TAP-Win32 virtual ethernet adapter” in the Windows start menu).
Creating the key file
After installing OpenVPN you will find a new menu “OpenVPN” in the Windows start menu. It contains the menu command “Generate a static OpenVPN key”.
With this menu command you can generate a static key for the client. After selecting the menu command, a new console window should open and display the following message:
Randomly generated 2048 bit key written to C:\Programme\OpenVPN\config\key.txt
This file should be renamed (in this example to client1.secret or client2.secret), so that it will not be overwritten if the menu command is selected by accident. A copy of this file is also needed by FLI4L and has to be copied to /config/etc/openvpn, where you have to create the directory openvpn if necessary – e.g. when FLI4L is stored at C:\fli4l, the directory should be C:\fli4l\config\etc\openvpn.
On the client, the file stays in the config directory of OpenVPN.
Configuring the connection
For the connection you need a text file with the extension .ovpn (e.g. client.ovpn) with the following entries in the config directory of OpenVPN. In this example, only the first client is described. The second client is configured in the same way – you just have to change the IP addresses, the port for the connection and the name of the “secret” file.
remote my.dyndns.domain
rport 10020
secret client1.secret
dev tun
ifconfig 10.0.0.2 10.0.0.1
route 192.168.1.0 255.255.255.0
comp-lzo
persist-tun
persist-key
ping-timer-rem
ping-restart 60
proto udp
tun-mtu 1500
fragment 1300
mssfix
At remote you have to specify the address of the router. It therefore makes sense to use a service like DynDNS or similar, so that the router is reachable under a domain name.
rport is the port number used on the router.
At ifconfig you have to specify the same addresses that are used in the OpenVPN configuration on the router (in the order client, then server), and at route the LAN address of the router.
Additionally you can provide other options here as needed; for details see the OpenVPN documentation.
Finally you have to make sure that the key file client1.secret exists on the client and on the router.
Opening the ports on the router for incoming connections
Usually it is not necessary to open the ports of the OpenVPN server manually, since this is done automatically (if you don’t want this, you can add OPENVPN_DEFAULT_OPEN_OVPNPORT='no' to the OpenVPN configuration).
If you have OPENVPN_DEFAULT_OPEN_OVPNPORT='no' in your OpenVPN configuration, you have to open the ports for the incoming connections with appropriate rules in the base configuration of FLI4L:
INPUT_LIST_N='2'
INPUT_LIST_1='10020 ACCEPT'
INPUT_LIST_2='10021 ACCEPT'
If you already have other INPUT rules defined, you have to adapt the numbers of course.
Establishing a connection on the client
For establishing an OpenVPN connection you have several possibilities:
Variant 1: Using the context menu of the Windows explorer
Click the configuration file in the Windows explorer with the right mouse button and select “Start OpenVPN on this config file”. A new console window will open, showing the status messages of OpenVPN.
To close the connection, press F4 in the console window (not Alt+F4, just F4 alone!).
Variant 2: Using a script
Create a CMD script (e.g. vpnconnect.cmd) with the following commands:
c:
cd \Programme\OpenVPN\config
c:\Programme\OpenVPN\bin\openvpn.exe --pause-exit --config client.ovpn
The names of directories and files have to be adapted to your own installation. When the script is started, the connection is established in the same way as via the context menu.
Variant 3: OpenVPN-GUI
If you don’t want the console window of OpenVPN, you can optionally use an additional tool for Windows – the OpenVPN-GUI (see also http://openvpn.se). This tool is by now also part of the Windows version of OpenVPN. If you downloaded only the GUI, just copy it to the bin directory of OpenVPN.
The GUI provides an icon in the sys tray, where you can establish or shut down connections by a mouse click.
Connection will be established, but data transfer is not possible?
An important prerequisite for a working VPN connection is that the client and FLI4L use different network addresses!
Example: FLI4L is configured to use the network 192.168.0.0-192.168.0.255. When a client connects using OpenVPN, its own network must not use any address in the range 192.168.0.0-192.168.0.255, since then the client cannot decide which packets stay in its own network and which packets have to be forwarded into the OpenVPN connection. I am not talking about the “VPN sub network” (client address 10.0.0.2, server address 10.0.0.1), but about the local networks of the client and of FLI4L.
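To make the failure mode concrete, the following added example (written for this page, not part of FLI4L or OpenVPN) checks the address requirements from the text and models the client's routing decision with a simplified longest-prefix match: when both LANs use 192.168.0.0/24, a packet for 192.168.0.10 matches the local NIC and the tunnel equally well. The route table is a constructed model, not a real Windows dump.

```python
import ipaddress

def addressing_problems(router_lan, client_lan, server_vpn_ip, client_vpn_ip):
    """Check the requirements from the text: the two LANs must not overlap and the
    VPN pair must lie outside both LANs. Returns a list of problems (empty = ok)."""
    r = ipaddress.ip_network(router_lan, strict=False)
    c = ipaddress.ip_network(client_lan, strict=False)
    problems = []
    if r.overlaps(c):
        problems.append(f"client LAN {c} overlaps FLI4L LAN {r}")
    for label, ip in (("server", server_vpn_ip), ("client", client_vpn_ip)):
        ip = ipaddress.ip_address(ip)
        for name, lan in (("FLI4L LAN", r), ("client LAN", c)):
            if ip in lan:
                problems.append(f"{label} VPN address {ip} lies inside {name} {lan}")
    return problems

def route_lookup(table, dst):
    """Simplified longest-prefix match over [(network, interface), ...].
    Returns the interface, 'default' if nothing matches, or 'ambiguous' when two
    different interfaces tie on the longest prefix (the situation the text warns about)."""
    dst = ipaddress.ip_address(dst)
    best, winners = -1, []
    for net, iface in table:
        net = ipaddress.ip_network(net, strict=False)
        if dst in net:
            if net.prefixlen > best:
                best, winners = net.prefixlen, [iface]
            elif net.prefixlen == best:
                winners.append(iface)
    if not winners:
        return "default"
    return winners[0] if len(set(winners)) == 1 else "ambiguous"

def client_route_table(client_lan, router_lan):
    """Constructed model of the client's table: its own LAN via the NIC ('lan') and the
    router's LAN via the tunnel ('tun'), as the 'route' line in client.ovpn adds it."""
    return [(client_lan, "lan"), (router_lan, "tun")]

if __name__ == "__main__":
    # Constructed scenario from the text: FLI4L uses 192.168.0.0/24 and the client
    # sits in a LAN with the same range, so a packet for 192.168.0.10 cannot be classified.
    bad = client_route_table("192.168.0.0/24", "192.168.0.0/24")
    good = client_route_table("192.168.2.0/24", "192.168.0.0/24")
    print(route_lookup(bad, "192.168.0.10"))    # ambiguous
    print(route_lookup(good, "192.168.0.10"))   # tun
    print(addressing_problems("192.168.0.0/24", "192.168.0.0/24", "10.0.0.1", "10.0.0.2"))
```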
Connection will be established, but accessing Windows shares is not possible?
In general: the Windows “network neighborhood” does not work over OpenVPN – you have to access computers via UNC paths or map the shares as network drives.
Did you try to access using computer names (\\pcname\data)? This will not work, because name resolution uses broadcasts, which are not transmitted through the tunnel. You either have to use the IP address, e.g. \\192.168.3.1\data, or use a bridge instead of a tunnel.
Is the Windows firewall active on the target computers? Then either turn it off or add an exception for access from outside.
Bridge configuration
Andreas Winkler suggests the following configuration for using a bridge. This configuration is also very suitable for games. For anything not mentioned below (creating the secret file, selecting the IP addresses etc.) – see above.
Configuring the router
It is necessary to install advanced_networking with the following configuration in the file advanced_networking.txt:
OPT_BRIDGE_DEV='yes'
BRIDGE_DEV_N='1'
BRIDGE_DEV_BOOTDELAY='no'
BRIDGE_DEV_1_NAME='root_bridge'                 # Any name is ok
BRIDGE_DEV_1_DEVNAME='br0'
BRIDGE_DEV_1_DEV_N='1'
BRIDGE_DEV_1_DEV_1_DEV='eth0'                   # the device, which connects to the internet
Furthermore, the following extension has to be added to the file base.txt:
IP_NET_1_DEV='br0'                              # name has to be changed to br0 for the first bridge
DHCP should be configured as well, since it provides the pool for the VPN clients. You can also use fixed IP addresses.
The configuration on the router is done in the file openvpn.txt. There you have to use the following entries – here for three clients (if you need more clients, just add a section for each client with its own incoming port):
OPT_OPENVPN='yes'
OPENVPN_FEATURES='std'
OPENVPN_WEBGUI='yes'
OPENVPN_N='3'                                   # Number of clients

OPENVPN_1_NAME='client1'                        # Name of the first client
OPENVPN_1_LOCAL_PORT='10020'                    # Incoming port for the connection
OPENVPN_1_SECRET='client1.secret'               # Name of the key file for the client
OPENVPN_1_TYPE='bridge'                         # Mode: bridge
OPENVPN_1_BRIDGE='root_bridge'                  # Bridge name, as in BRIDGE_DEV_1_NAME
OPENVPN_1_COMPRESS='yes'                        # Compress data transfer

OPENVPN_2_NAME='client2'
OPENVPN_2_LOCAL_PORT='10021'
OPENVPN_2_SECRET='client2.secret'
OPENVPN_2_TYPE='bridge'
OPENVPN_2_BRIDGE='root_bridge'
OPENVPN_2_COMPRESS='yes'

OPENVPN_3_NAME='client3'
OPENVPN_3_LOCAL_PORT='10023'
OPENVPN_3_SECRET='client3.secret'
OPENVPN_3_TYPE='bridge'
OPENVPN_3_BRIDGE='root_bridge'
OPENVPN_3_COMPRESS='yes'
Configuring the client
For the connection you need a text file with the extension .ovpn (e.g. client.ovpn) with the following entries in the config directory of OpenVPN, where the port number has to be specified according to the router configuration:
remote my.dyndns.domain
port 10021
secret client1.secret
dev tap
ping 60
ping-restart 180
proto udp
fragment 1300
mssfix
mute 50
verb 4
nobind
comp-lzo
float
Changes since FLI4L 3.2.0
In FLI4L 3.2.0 the naming of the packet filter rules was changed. Therefore, the INPUT and FORWARD rules have to be specified differently. Instead of INPUT_LIST you have to use PF_INPUT, and instead of FORWARD_LIST use PF_FORWARD:
OPENVPN_1_PF_INPUT_N='1'
OPENVPN_1_PF_INPUT_1='ACCEPT'
OPENVPN_1_PF_FORWARD_N='1'
OPENVPN_1_PF_FORWARD_1='IP_NET_1 ACCEPT BIDIRECTIONAL'
OPENVPN_2_PF_INPUT_N='1'
OPENVPN_2_PF_INPUT_1='ACCEPT'
OPENVPN_2_PF_FORWARD_N='1'
OPENVPN_2_PF_FORWARD_1='IP_NET_1 ACCEPT BIDIRECTIONAL'
PF_INPUT_N='2'
PF_INPUT_1='10020 ACCEPT'
PF_INPUT_2='10021 ACCEPT'