Aus VivaLV
Wechseln zu: Navigation, Suche

Setup for an OpenVPN server which handles ALL traffic

First install and configure OpenVPN:

Do not forget to first setup the key infrastructure:

Add these lines to /etc/openvpn/openvpn.conf for routing all traffic:

push "dhcp-option DNS"
push "redirect-gateway def1"

Add these lines for user/password authentication in addition to the certificate:

plugin /etc/pam.d/login

Add this line for TLS Authentication (the client then also has to import ta.key and use direction 1):

tls-auth ta.key 0

Check the necessary kernel options (can be set as Modul):


Allow IP forwarding in /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Check that it is allowed:

cat /proc/sys/net/ipv4/ip_forward

Allow on the fly:

echo 1 > /proc/sys/net/ipv4/ip_forward

Activate IP forwarding/routing (necessary after each reboot, so put it for example in /etc/local.d/baselayout1.start):

modprobe iptable_nat # if compiled as module
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

For verifying, list nat rules:

iptables -t nat -v -L -n --line-number

Open port 12112 UDP on your router.

Start OpenVPN:

/etc/init.d/openvpn start

If everything works, add OpenVPN to the default runlevel, so that it starts during boot:

rc-update add openvpn



Import client openvpn.conf. Enable User/PW + Certificates and Use default route.

Disable LZO Compression, if you disabled it on the server because of simple ChromeOS clients.

If you want to use TLA Authentication then import also ta.key.



Restrictions of simple method:

  • no compression
  • no tlsauth
  • only UDP

On the Linux server:

openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12
  • import ca.crt and client1.p12 at chrome://settings/certificates and then use the OpenVPN connection wizard of ChromeOS.
  • disable comp-lzo and tlsauth and use proto udp in /etc/openvpn/openvpn.conf and restart OpenVPN
  • use servername:12112 in ChromeOS OpenVPN connection settings



For advanced configuration, you also have to import the certificates and then you have to create a .onc config file and import it at chrome://net-internals/#chromeos.

Advanced configuration is necessary for LZO compression or TLS Authentication or TCP protocol.

More info: or

Note: If you want to import multiple config files for multiple connections, the UUIDs in the files must be unique.

Alternative method (did not work for me):

WiFi Hotspots

Some Hotspots (for example Telekom Germany) do not allow UDP packets. In that case, configure OpenVPN to use TCP.

Multiple OpenVPN servers on one machine (Gentoo)

Create 2 config files server1.conf and server2.conf in /etc/openvpn with the content from above. Then change the following lines:


port 12112
proto udp
dev tun0
ifconfig-pool-persist ipp.txt


port 3389
proto tcp
dev tun1
ifconfig-pool-persist ipp2.txt

Open both ports on your router.

Link to OpenRC config:

ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server1
ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server2

Create 2 routes:

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

Start both servers:

/etc/init.d/openvpn.server1 start
/etc/init.d/openvpn.server2 start

Configure autostart:

rc-update add openvpn.server1
rc-update add openvpn.server2