Linux/OpenVPN: Difference between revisions

From VivaLV

Revision as of 18 April 2018, 06:20

Setup of an OpenVPN server that routes all client traffic through the VPN ("road-warrior" configuration)

First install and configure OpenVPN: https://wiki.gentoo.org/wiki/OpenVPN

Do not forget to set up the key infrastructure first: https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts

Add these lines to /etc/openvpn/openvpn.conf so that clients route all traffic (and DNS) through the VPN:

push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"

Add these lines for user/password authentication (via PAM) in addition to the client certificate:

plugin openvpn-plugin-auth-pam.so /etc/pam.d/login
username-as-common-name

Check the necessary kernel options (they can also be built as modules, M):

CONFIG_TUN
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_NAT

Enable IP forwarding permanently in /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Check that it is enabled (the output must be 1):

cat /proc/sys/net/ipv4/ip_forward

Enable it on the fly, without a reboot:

echo 1 > /proc/sys/net/ipv4/ip_forward

Set up NAT (masquerading) for the VPN subnet. The iptables rule is not persistent, so it has to be added again after each reboot:

modprobe iptable_nat # if compiled as module
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE

Open port 12112/UDP (the port OpenVPN listens on) on your router and forward it to the server.

Start OpenVPN:

/etc/init.d/openvpn restart

If everything works, add OpenVPN to the default runlevel so that it starts at boot:

rc-update add openvpn

Android

Use OpenVPN for Android: https://play.google.com/store/apps/details?id=de.blinkt.openvpn.

Import the client openvpn.conf. Enable "User/PW + Certificates" and "Use default route". Disable "LZO Compression" if you disabled it on the server because of ChromeOS clients.

ChromeOS

Source: https://www.errietta.me/blog/openvpn-chromebook/

Bundle the client certificate, key and CA certificate into a PKCS#12 file for import into ChromeOS:

openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12

When using the simple (UI) configuration for ChromeOS:

  • disable comp-lzo in /etc/openvpn/openvpn.conf and restart OpenVPN
  • use servername:12112 in ChromeOS OpenVPN connection settings
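As an added check for the server checklist above and the ChromeOS comp-lzo note (example code written for this page, not part of the wiki or of OpenVPN itself), a small Python linter that parses an openvpn.conf and reports which of the directives this page adds are missing, whether the listening port matches the router port 12112, and, when ChromeOS clients are expected, whether comp-lzo is still set. The two sample configs are constructed; the subnet 10.100.0.0/24 and port 12112 are taken from this page.

```python
import re

def parse_openvpn_conf(text):
    """Return (directive, arguments) pairs in file order; comments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = re.split(r"\s[#;]|^[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, _, args = line.partition(" ")
            entries.append((name.lower(), args.strip()))
    return entries

def check_road_warrior_conf(text, router_port="12112", chromeos_clients=False):
    """Findings for this page's checklist; an empty list means nothing is missing."""
    entries = parse_openvpn_conf(text)
    names = {n for n, _ in entries}
    pushes = [a.strip('"') for n, a in entries if n == "push"]
    plugins = [a for n, a in entries if n == "plugin"]
    port = next((a for n, a in entries if n == "port"), "1194")  # OpenVPN default port
    findings = []
    if not any(p.startswith("redirect-gateway") for p in pushes):
        findings.append("no push redirect-gateway: client traffic is not routed through the VPN")
    if not any(p.startswith("dhcp-option DNS") for p in pushes):
        findings.append("no push dhcp-option DNS: clients keep their local resolver")
    if not any("openvpn-plugin-auth-pam.so" in p for p in plugins):
        findings.append("no PAM plugin: only the certificate is checked, no user/password")
    elif "username-as-common-name" not in names:
        findings.append("PAM plugin set but username-as-common-name is missing")
    if port != router_port:
        findings.append(f"server listens on port {port} but the router forwards {router_port}")
    if chromeos_clients and "comp-lzo" in names:
        findings.append("comp-lzo is enabled: the ChromeOS UI client will not connect")
    return findings

# Constructed samples (not from the page): the server config described above
# and a default-style config that still uses comp-lzo and has no PAM plugin.
GOOD_CONF = """port 12112
proto udp
dev tun
server 10.100.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
plugin openvpn-plugin-auth-pam.so /etc/pam.d/login
username-as-common-name
"""
WEAK_CONF = """proto udp
server 10.100.0.0 255.255.255.0
comp-lzo   ; compression still on
"""
```

Running check_road_warrior_conf(WEAK_CONF, chromeos_clients=True) lists five findings, while GOOD_CONF passes cleanly.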

WiFi Hotspots

Some hotspots (for example Telekom Germany) do not allow UDP packets. In that case, configure OpenVPN to use TCP instead.