#StackBounty: #pi-3 #pi-4 #vpn How to use Raspberry PI 3 or Raspberry PI 4 as VPN Router?

Bounty: 50

I would like to use either Raspberry PI 3B 1GB or Raspberry PI 4 8GB version as VPN Router.

I have the following:

  1. 4G Router
  2. Either Raspberry PI 3B 1GB or Raspberry PI 4B 8GB
  3. TP Link Router

My plan is to connect the Raspberry PI to the 4G Router via Ethernet and then with USB to Ethernet Adapter to the TP Link Router, where all my devices will be connected and have access to the Internet through the VPN configured on the Raspberry PI.

After I configure OpenVPN on the Raspberry PI, how should I proceed so that the traffic from the TP Link router will go through the VPN configured on the Raspberry PI? Can this be done using only ufw on the Raspberry PI and then setting the default gateway on the TP Link router to be the Raspberry PI?

Will I get a decent speed if I use the Raspberry PI 3B with 1GB RAM, or is it better with the Raspberry PI 4B with 8GB RAM? Using the VPN my internet speed is 50 Mbps download and 30 Mbps upload.

Can you please give me more information and a recommendation on how to proceed? Thanks for your help.


Get this bounty!!!
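One way to wire up the forwarding the question describes, as an added example that is not part of the original post: the Pi forwards LAN traffic only into the OpenVPN tunnel and explicitly refuses to forward it straight to the 4G uplink, so a tunnel that drops fails closed instead of leaking the real address. The interface names (eth0 to the 4G router, eth1 for the USB adapter towards the TP-Link, tun0 for OpenVPN) and the LAN subnet are assumptions; whether the TP-Link runs as a router with its WAN port on eth1 or as an access point whose DHCP hands out the Pi's eth1 address as gateway, the Pi has to be the next hop for the LAN. The script prints the commands by default and applies them as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout:
#   eth0     on-board Ethernet, uplink to the 4G router (WAN)
#   eth1     USB Ethernet adapter, towards the TP-Link router (LAN)
#   tun0     OpenVPN client interface
#   LAN_NET  the subnet behind the TP-Link (assumed 192.168.2.0/24)
# Commands are printed by default; run with DRY_RUN=0 as root to apply.
DRY_RUN="${DRY_RUN:-1}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
VPN="${VPN:-tun0}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. The kernel must forward between interfaces at all.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# 2. Source-NAT LAN traffic only when it leaves through the tunnel. There is
#    deliberately no MASQUERADE on the WAN interface.
nat_rules() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN" -j MASQUERADE
}

# 3. Forwarding policy. LAN -> tunnel is allowed, replies come back, and
#    LAN -> WAN is rejected explicitly. That last rule is the kill switch:
#    when tun0 disappears, the LAN loses Internet access instead of silently
#    falling back to the 4G uplink with the real source address.
forward_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN" -o "$VPN" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$VPN" -o "$LAN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -j REJECT --reject-with icmp-net-unreachable
}

setup_vpn_router() {
    enable_forwarding
    nat_rules
    forward_rules
}

# Leak check: succeeds (exit 0) if the rules on stdin contain a FORWARD rule
# that would let LAN traffic reach the WAN directly. Feed it either the
# dry-run output or `iptables -S FORWARD` on a running box.
has_leak_path() {
    grep -E -- "-i $LAN .*-o $WAN .*-j ACCEPT" >/dev/null
}

setup_vpn_router
```

The same rules can be expressed through ufw instead of raw iptables: keep DEFAULT_FORWARD_POLICY="DROP" in /etc/default/ufw, enable net/ipv4/ip_forward in /etc/ufw/sysctl.conf, put the MASQUERADE rule in a *nat section at the top of /etc/ufw/before.rules, and add the forwarding rules with `ufw route allow in on eth1 out on tun0` and `ufw route reject in on eth1 out on eth0`. Either way, the point to verify after a reboot is that `iptables -S FORWARD` contains no LAN-to-WAN ACCEPT, which is what `has_leak_path` checks.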

#StackBounty: #networking #wireless-networking #vpn #port-forwarding #gaming Italics issue while trying to host/join a room in Gameranger

Bounty: 100

Okay so I use this software called Gameranger to play my game Age of Empires (Conqueror’s expansion) and usually, there is this issue that happens. If your name appears in italic while you’re in a room which you’ve hosted or joined, you will basically be kicked off because an italic player is never able to actually enter a game and play it. The situation is something like this:


A thing to notice here is that although I’m the non-italic one (FateDontExist), it’s the other way around for everyone else. As it’s a common Gameranger issue, I’ve done a fair bit of googling and tried various “fixes” but nothing works.

I have been playing on Gameranger for over 3 months, and I have faced this problem in the past, but I was usually able to solve it using a VPN (that’s the fix that no longer works).

A common fix on the internet is port forwarding on your router, but I never used a router in the first place; I only use my mobile hotspot to connect to the internet on my PC. I tried disabling and re-enabling the firewall, changing the DNS server manually, resetting my network adapter, I even reset the PC. But nothing worked. I am still italic in all the rooms I join. I was able to become non-italic by simply using a VPN client but it doesn’t help me anymore. I have no clue what to do anymore. I have run out of ideas. Can someone help me come up with a fix? And please understand that I can’t afford to get a new connection altogether or switch to wired internet.

Also, I tried this with two SIM cards, i.e. 2 ISPs, and had the same problem. I want to add that this problem went away on both these ISPs when using a VPN client, but not anymore. What can be done?

Also, if you need any more details, I’ll be happy to give them to you. Also this is my first question on here so apologies for any noob mistakes. Thank you.

EDIT: To the one downvoter, care to mention why you downvoted? All I’m trying is to fix my problem. If you needed more details you could’ve asked for them. Or if there’s anything wrong with the way I have posted this, just tell me before blatantly downvoting like that. I have already said I can improve the question or provide more details.


Get this bounty!!!

#StackBounty: #ios #swift #vpn Can't setup a personal VPN from the app on versions prior to iOS 14

Bounty: 50

I have a Strongswan VPN server, and I’ve used the code from this project to set up a VPN connection from within my app. It works on iOS 14, but not on any older version (it can’t even connect to the VPN server).

Swift code looks like:

public func connectIKEv2(config: Configuration, onError: @escaping (String)->Void) {
    let p = NEVPNProtocolIKEv2()
    p.authenticationMethod = NEVPNIKEAuthenticationMethod.none
    p.serverAddress = config.server
    p.disconnectOnSleep = false
    p.deadPeerDetectionRate = NEVPNIKEv2DeadPeerDetectionRate.medium
    p.username = config.account
    p.passwordReference = config.getPasswordRef()
    p.sharedSecretReference = config.getPSKRef()
    p.disableMOBIKE = false
    p.disableRedirect = false
    p.enableRevocationCheck = false
    p.enablePFS = false
    p.useExtendedAuthentication = true
    p.useConfigurationAttributeInternalIPSubnet = false
    p.remoteIdentifier = config.server
    p.localIdentifier = config.account
    loadProfile { _ in
        self.manager.protocolConfiguration = p
        self.manager.isEnabled = true
        self.saveProfile { success in
            if !success {
                print("Unable to save vpn profile")
                return
            }
            self.loadProfile { success in
                if !success {
                    print("Unable to load profile")
                    return
                }
                let result = self.startVPNTunnel()
                if !result {
                    print("Can't connect")
                }
            }
        }
    }
}
// Additional code
private func loadProfile(callback: ((Bool)->Void)?) {
    manager.protocolConfiguration = nil
    manager.loadFromPreferences { error in
        if let error = error {
            print("Failed to load preferences: \(error.localizedDescription)")
            callback?(false)
        } else {
            callback?(self.manager.protocolConfiguration != nil)
        }
    }
}
private func saveProfile(callback: ((Bool)->Void)?) {
    manager.saveToPreferences { error in
        if let error = error {
            print("Failed to save profile: \(error.localizedDescription)")
            callback?(false)
        } else {
            callback?(true)
        }
    }
}
private func startVPNTunnel() -> Bool {
    do {
        try self.manager.connection.startVPNTunnel()
        return true
    } catch NEVPNError.configurationInvalid {
        print("Failed to start tunnel (configuration invalid)")
    } catch NEVPNError.configurationDisabled {
        print("Failed to start tunnel (configuration disabled)")
    } catch {
        print("Failed to start tunnel (other error)")
    }
    return false
}

Configuration:

class Configuration {
    public let server: String
    public let account: String
    public let password: String
    /* ... init code */
   
    func getPasswordRef() -> Data? {
        KeychainWrapper.standard.set(password, forKey: Configuration.KEYCHAIN_PASSWORD_KEY)
        return KeychainWrapper.standard.dataRef(forKey: Configuration.KEYCHAIN_PASSWORD_KEY)
    }
}

My VPN config in /etc/ipsec.conf looks like this:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=MY_SERVER_IP_ADDRESS
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

If necessary, I can provide more detailed information.


Get this bounty!!!

#StackBounty: #networking #vpn #routing #iptables #wireguard Using Wireguard to essentially give a machine in local network a public ad…

Bounty: 100

I am working on a home project and would like to give my machine, essentially, the public IP address that is assigned to my VPS in the cloud.

At home I have a public IP address and I have set up a WireGuard server; external port 1194 is forwarded to that machine, so WG clients on the internet can connect to it.

Now, I have a VPS in the cloud with a static public IP address (let’s say 44.44.44.44) and also a machine in the local network (let’s say 192.168.1.3), and I want the machine in the local network to handle traffic as if it actually had the public IP (44.44.44.44) of the VPS in the cloud. That means all incoming traffic arriving at the VPS is routed to the machine (192.168.1.3) in the local network.

I had no issues connecting the WG server and the VPS using WireGuard, or even redirecting all the traffic from the VPS through the WG server (using iptables NAT rules), but I am stuck at the part of routing incoming traffic from the VPS to the machine in the local network while preserving the original IP addresses.

My client(VPS) WG config:

[Interface]
PrivateKey = dGhpcyBpcyBub3QgdGhlIGtleSA7KQ==
Address = 10.66.66.2/24
#This was part of the test usin
#PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
#PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = dGhpcyBpcyBub3QgdGhlIGtleSBlYXRoZXIgOyk=
Endpoint = 33.33.33.123:1194
AllowedIPs = 10.66.66.1/32

My server(WG) config:

[Interface]
Address = 10.66.66.1/24
ListenPort = 1194
PrivateKey = dGhpcyBpcyBub3QgdGhlIGtleSA7KQ==
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = dGhpcyBpcyBub3QgdGhlIGtleSBlYXRoZXIgOyk=
AllowedIPs = 10.66.66.2/32

Is my understanding correct that the best course of action would be to connect the machine (192.168.1.3) to the WG server (let’s say using IP 10.66.66.3) and then on the VPS create a static route for eth0 to 10.66.66.3?

This is a simple drawing of the network and what I am trying to achieve:


Get this bounty!!!
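One way to deliver the VPS's inbound traffic to the LAN machine with the clients' original source addresses intact, as an added example rather than anything from the original post. It follows the idea of joining the LAN machine to the home hub as a third peer (10.66.66.3) and having the VPS DNAT to that tunnel address. The part that is easy to miss is the return path: the replies must travel back through the tunnel to the VPS, where conntrack reverses the DNAT, rather than out through the home router, and that is what the policy-routing lines on the hub and on the LAN machine are for. The public IP 44.44.44.44, the SSH exception on port 22, the interface names eth0/wg0 and routing table 100 are assumptions; each box prints its commands by default and applies them as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original post. Three roles, one script:
#   vps     cloud VPS, eth0 = 44.44.44.44 (assumed), wg0 = 10.66.66.2
#   hub     the home WireGuard server, wg0 = 10.66.66.1
#   target  the LAN machine (192.168.1.3) joined to the hub as a third peer,
#           wg0 = 10.66.66.3
# Commands are printed by default; ROLE=vps DRY_RUN=0 ./wg-public-ip.sh (as
# root on each box) applies them.
DRY_RUN="${DRY_RUN:-1}"
PUBLIC_IP="${PUBLIC_IP:-44.44.44.44}"
TARGET_WG="${TARGET_WG:-10.66.66.3}"
WG_NET="${WG_NET:-10.66.66.0/24}"
ADMIN_PORT="${ADMIN_PORT:-22}"   # keep SSH to the VPS itself working
RT_TABLE="${RT_TABLE:-100}"      # assumed spare policy-routing table

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# VPS: rewrite the destination of everything that arrives for the public IP
# (except the admin port) to the target's tunnel address and forward it.
# conntrack reverses the rewrite on the replies, so the remote client talks
# to 44.44.44.44 while the target sees the client's real source address.
# Peer config on the VPS: AllowedIPs for the hub must be $WG_NET, not only
# 10.66.66.1/32, or WireGuard drops packets to and from $TARGET_WG.
vps_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i eth0 -d "$PUBLIC_IP" -p tcp --dport "$ADMIN_PORT" -j RETURN
    run iptables -t nat -A PREROUTING -i eth0 -d "$PUBLIC_IP" -j DNAT --to-destination "$TARGET_WG"
    run iptables -A FORWARD -i eth0 -o wg0 -d "$TARGET_WG" -j ACCEPT
    run iptables -A FORWARD -i wg0 -o eth0 -s "$TARGET_WG" -j ACCEPT
}

# Hub: forward between its two peers, and send whatever the target emits
# from its tunnel address back out through wg0 (i.e. to the VPS) instead of
# through the home uplink. Peer config on the hub: the VPS entry needs
# AllowedIPs = 0.0.0.0/0 so replies to arbitrary Internet hosts pass
# WireGuard's cryptokey routing, together with "Table = off" under
# [Interface] so wg-quick does not install that as the hub's default route.
hub_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
    run ip rule add from "$TARGET_WG" lookup "$RT_TABLE"
    run ip route add default dev wg0 table "$RT_TABLE"
}

# Target: the service answers from 10.66.66.3, so source-based policy
# routing steers those replies into the tunnel; the machine's ordinary
# default route (the home router) is left alone. Same AllowedIPs = 0.0.0.0/0
# plus "Table = off" for its hub peer. If strict rp_filter drops the inbound
# packets, set net.ipv4.conf.wg0.rp_filter=2 on this box.
target_rules() {
    run ip rule add from "$TARGET_WG" lookup "$RT_TABLE"
    run ip route add default dev wg0 table "$RT_TABLE"
}

case "${ROLE:-}" in
    vps)    vps_rules ;;
    hub)    hub_rules ;;
    target) target_rules ;;
    "")     ;;
    *)      echo "ROLE must be vps, hub or target" >&2; exit 2 ;;
esac
```

The service on the LAN machine has to listen on 10.66.66.3 (or on all addresses), because that is the destination the DNATed packets carry. A quick end-to-end check is `tcpdump -ni wg0` on the target while a remote host connects to 44.44.44.44: the captured packets should show the remote host's own address as source, and the replies should leave on wg0, not on the LAN interface.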

#StackBounty: #vpn #openvpn How to setup a split tunnel with OpenVPN's server.conf

Bounty: 50

I’m trying to create a split tunnel with OpenVPN community edition.

I want to do this on the server instead of the client so I can easily add and remove routes as needed.
This is on Ubuntu 20.04.

My current (non-split tunnel config) works fine:

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_sdafasdf.crt
key server_sdafasdf.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
log-append /var/log/openvpn/auth.log
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
verify-client-cert optional
verb 3

Here’s my split tunnel config that doesn’t work.
EDIT: I can ping 8.8.8.8 but it seems like DNS doesn’t work with this config.

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
#push "redirect-gateway def1 bypass-dhcp"
push "route XX.XX.XX.0 255.255.255.0" #anonymized
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_sdafasdf.crt
key server_sdafasdf.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
log-append /var/log/openvpn/auth.log
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
verify-client-cert optional
verb 3

Client config:

client
proto udp
explicit-exit-notify
remote XX.XX.XX.XX 1194 #anonymized
dev tun
resolv-retry infinite
pull
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_sdafasdf name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
register-dns
auth-user-pass


Get this bounty!!!
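A check that goes with the split-tunnel configuration above, as an added example that is not from the original post. Without `redirect-gateway` the client keeps its normal default route, so a pushed `dhcp-option DNS 8.8.8.8` only reaches the tunnel if a pushed `route` covers 8.8.8.8 as well; otherwise the query leaves via the physical interface, and on a Windows client with `block-outside-dns` it is then blocked outright, which is the usual reason for "ping 8.8.8.8 works but DNS does not". The script below is a small lint for server.conf: it lists every pushed DNS server and reports any that no pushed route covers. The fragments fed to it are constructed, and the `push "route 8.8.8.8 255.255.255.255"` host routes are the assumed fix.

```shell
#!/bin/sh
# Added example, not from the original post: lint an OpenVPN server.conf for
# pushed DNS servers that the pushed routes do not cover. Reads the file
# named as $1, or stdin. Exit status 0 = every pushed DNS server is routed
# through the tunnel (or redirect-gateway is pushed), 1 = at least one leaks.
dns_route_check() {
    awk '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    # True when ip falls inside pushed route i. awk has no bitwise AND, so
    # compare network-block indexes instead: for a prefix mask, dividing by
    # the block size (2^32 - mask) is the same as masking.
    function covered(ip,  i) {
        for (i = 1; i <= nroutes; i++)
            if (int(ip2n(ip) / rsize[i]) == int(ip2n(rnet[i]) / rsize[i])) return 1
        return 0
    }
    /^[[:space:]]*#/ { next }                 # commented-out directives
    $1 == "push" {
        line = $0; gsub(/"/, "", line); n = split(line, f, " ")
        if (f[2] == "redirect-gateway") redirect = 1
        if (f[2] == "dhcp-option" && f[3] == "DNS") dns[++ndns] = f[4]
        if (f[2] == "route") {
            # OpenVPN treats a route without a netmask as a host route
            mask = (n >= 4 && f[4] !~ /^#/) ? f[4] : "255.255.255.255"
            nroutes++; rnet[nroutes] = f[3]; rsize[nroutes] = 4294967296 - ip2n(mask)
        }
    }
    END {
        bad = 0
        for (i = 1; i <= ndns; i++) {
            if (redirect || covered(dns[i])) printf "ok    DNS %s is reachable through the tunnel\n", dns[i]
            else { printf "LEAK  DNS %s is pushed but no pushed route covers it\n", dns[i]; bad = 1 }
        }
        exit bad
    }' "${1:--}"
}

# Demonstration on constructed fragments (not the poster's real files).
echo "--- split tunnel with resolvers pushed but no route to them:"
dns_route_check <<'EOF' || true
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
#push "redirect-gateway def1 bypass-dhcp"
push "route 203.0.113.0 255.255.255.0"
EOF
echo "--- same fragment with host routes for the resolvers added:"
dns_route_check <<'EOF'
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
#push "redirect-gateway def1 bypass-dhcp"
push "route 203.0.113.0 255.255.255.0"
push "route 8.8.8.8 255.255.255.255"
push "route 8.8.4.4 255.255.255.255"
EOF
```

Run it as `dns_route_check /etc/openvpn/server.conf` after every edit to the pushed routes; a non-zero exit means at least one resolver will be queried outside the tunnel. The two host routes are the smallest change that keeps the split tunnel split while sending only DNS through it; pushing an internal resolver inside the already-routed subnet is the alternative when one exists.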
