You've already bought it so I'd try it and see if you're happy with the result.

Try downloading virtualbox in Windows, and then downloading 237MB VM image from turnkey linux here. Turnkey setup is pretty simple, so once you configure your router and everything it should work. This isn't a permanent solution, but it'll give you a great starting point to test out speeds and functionality.

OpenVPN is software, and not a "complete" VPN service provider in the sense of e.g. Private Internet Access or NordVPN. It is excellent and Free software for establishing a VPN tunnel, but it is up to the user of the software to provide endpoints on which to install it. This is where a VPN service provider comes in.

As an example: you can buy VPS's in different countries and install it there, but that is costly and you likely would not do as good a job at setting up the technical and security details as an experienced VPN service provider would. You could also, say, set it up on your home router and use it to get past your work or school network's Internet filters as a simple no-frills stopgap.

Many VPN services of course use OpenVPN as the software platform on which they are built. OpenVPN works with a lot of different operating systems and is very robust, so it is a good platform on which to build a service. However, those service providers are providing endpoints and configuration. The OpenVPN software is simply a tool they use to provide that service.

I think a lot of people assume since we're running/using a VPN, it must be something for masking IP's like NordVPN, ExpressVPN or others. A lot of people think that's the only thing VPN's are good for, and don't understand why VPN's were initially created.

So at the recommendation of my counterpart, we built a new vpn server and configured it according to https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-an-openvpn-server-on-centos-6

And the thing works. The page left a few things out related to the easy-rsa stuff. I can share if anyone cares.

On my RT-N66U I went from merlinwrt to tomato. Still can't get this done. It is possible. I have found this tutorial, but haven't tried it yet. http://serverfault.com/questions/382498/howto-only-tunnel-specific-hosts-route-through-openvpn-client-on-tomato Also I don't think you can do this with the asuswrt. What is your model and firmware?

>a window shows up telling me what the assigned IP address is.

>Is this the address i need to put into the Firewall rule to be allowed in

Correct

>what IP address do I put when i launch Remote Desktop Connection to that server

The SoftEther VPN's IP, from https://www.softether.org/index.php?title=4-docs/1-manual/3._SoftEther_VPN_Server_Manual/3.7_Virtual_NAT_%26_Virtual_DHCP_Servers see the Virtual Host Network Interface's IP address. It should be in the same subnet as the assigned IP to the client.

Alright, you do not need to brag :). If you can find something easier than PiVPN let me know. I set mine up in less than 5 minutes with it. You can also use it to set it up at home. Once you finally get your VPN setup, think about adding Pi-Hole to it. That takes a few minutes to setup. It is a ad-blocker. Anytime you connect to your VPN, you will see no ads. I do not even see ads in any app I use as well. Well worth it.

You ought to use a monitoring solution, such as Nagios (demo). But this should be part of a larger deployment.

Look into the script or cmd mentions in the man page (there are a lot).

You could also parse the log file as it is being written, and upon Successful connection from John Doe, run an external command.

It's a long time since last time I downloaded a profile from PrivateTunnel (those I have already works well enough). But I don't think you can enable username/password auth in PrivateTunnel. The authentication is still rock solid though, as the identity used for logging in is based on the certificate found in the downloaded PrivateTunnel profile.

This is possible via OpenVPN Cloud where you can decide better how you want to authenticate your user account. But OpenVPN Cloud is targeting a different user segment than Private Tunnel.

What can work, as a workaround, to at least require some password to start your PrivateTunnel connection is to extract the private key from the PrivateTunnel profile and encrypt it using some OpenSSL commands and then put this encrypted private key back into the PrivateTunnel profile. For the OpenVPN clients to be able to use this private key, it needs to decrypt it first and will then ask for a password. But this happens completely locally on your device and will be not be resistant against bruteforce password attcks

This. Never ever ever ever ever run a free VPN. Ok, maybe if you want free protection on public WIFI for basic browsing...MAYBE, but for your use, pay for it. I like ExpressVPN after 3 years with them. Good speed, Good audits (so far as I have seen), and Netflix regions work great.

I wouldnt trust a free one with that kind of data. PIA or NordVPN or ExpressVPN are very cheap if you go for the yearly or 2-yearly plan.

Also OpenVPN is a specific VPN Protocol, so it only partly has something to do with that kind of VPN provider.

What? Your question doesn’t make sense. Do you want to run a VPN server on your home network, or do you want to connect your devices to a commercial VPN service like ProtonVPN? If it’s the latter, you will not need to change router/firewall settings.

And unless I’ve missed something, how does this relate to OpenVPN?

My preferred openvpn app for android is https://play.google.com/store/apps/details?id=de.blinkt.openvpn which is open source. I have only tried it with open source versions of the openvpn program.

Same here so I might make some mistakes. But IIRC OpenVPN is a protocol for a VPN, not its own VPN (unless you're paying), You're using another VPN that's compatible with OpenVPN (for example NordVPN) at a lower networking level.

I see, it's not hard to build a openvpn server, many run theirs on raspberry pi's or freenas/freebsd. Personally I run a VM instead. It's not that hard.

But keep in mind that vpn is simple a network tunnel with options to encrypt data.

By running a local vpn server all you're doing is connecting to your home network, which doesn't protect you from nosy ISP's.

The difference between NordVPN (or any other provider) is that you use their internet connections, which in most cases isn't limited or monitored in any way due to very large contracts and almost 99% private corporate ISP's which wouldn't try to monetize on its customers data etc.

I only trust a few select local ISP's which are still recent standups and will happily take anyone one and offer them great benefits that many monopoly giants won't.

Hello!

So there's some confusing issues here that we need to sort out.

What exactly is your use case? Are you connecting to a VPN provider? If so, they should provide you with a config file that you import into Tunnelblick.

PrivateTunnel is a VPN provider that is ran by the main developers of the OpenVPN open source project called OpenVPN Technologies. You do not need anything private tunnel related to use another provider or to set up your own VPN client/server.

As for simple sign-ins, the version of OpenVPN you were using is ancient. The protocol and the apps have significantly changed since then. There's substantially more features, less bugs, and much stronger cryptography. Are you absolutely sure that the VPN was OpenVPN based and not PPTP, IPsec/L2TP or something else? Signing on with just a user/pass is not how OpenVPN generally works, even in old versions.

If you're using Linux or anything with rudimentary package management, you should get updates.

[2016-08-02 20:49] [ALPM] installed openvpn (2.3.11-2) [2016-08-17 23:31] [ALPM] upgraded openvpn (2.3.11-2 -> 2.3.11-3) [2016-08-29 07:50] [ALPM] upgraded openvpn (2.3.11-3 -> 2.3.12-1) [2016-11-06 18:06] [ALPM] upgraded openvpn (2.3.12-1 -> 2.3.13-1) [2016-12-12 23:19] [ALPM] upgraded openvpn (2.3.13-1 -> 2.3.14-1) [2017-01-02 23:16] [ALPM] upgraded openvpn (2.3.14-1 -> 2.4.0-2) [2017-03-26 23:38] [ALPM] upgraded openvpn (2.4.0-2 -> 2.4.1-1) [2017-04-24 23:48] [ALPM] upgraded openvpn (2.4.1-1 -> 2.4.1-2) [2017-05-15 07:56] [ALPM] upgraded openvpn (2.4.1-2 -> 2.4.2-1) [2017-06-22 18:36] [ALPM] upgraded openvpn (2.4.2-1 -> 2.4.3-1) [2017-08-01 00:04] [ALPM] upgraded openvpn (2.4.3-1 -> 2.4.3-3) [2017-09-28 23:04] [ALPM] upgraded openvpn (2.4.3-3 -> 2.4.4-1)

Even Android has updates: https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en (updated June 26, 2017)

On Windows and macOS, still in the dark ages of manual installation, you will need to download updates from the official site: https://openvpn.net/index.php/open-source/downloads.html

Device, version(s) and most importantly what VPN service and what settings... check that the server isn't down.

Try foce stopping OpenVPN Connect and try rebooting device.

ps. Not really a fix, but I prefer this client: https://play.google.com/store/apps/details?id=de.blinkt.openvpn

Nope. The OpenVPN protocol is not natively supported on Android. You'll have to get https://play.google.com/store/apps/details?id=de.blinkt.openvpn , which is the de facto standard, open-source Android client. It seems to be somewhat compatible with the "always-on" feature as well.

It is in the settings of Android 7.0+, settings > wireless & networks > more > VPN > little cog wheel > always on.

This works with the unofficial client "OpenVPN for Android" https://play.google.com/store/apps/details?id=de.blinkt.openvpn

Hi,

There are 2 applications that we can recommend:

• https://play.google.com/store/apps/details?id=net.openvpn.openvpn which is the official closed-source client. It has some caveats though (doesn't do tap even with root...)
• https://play.google.com/store/apps/details?id=de.blinkt.openvpn which is the free and open-source client (it's somewhere on GitHub) that has all the features you could wish for. The dev is also very reactive.

I don't know which app you use but I use this one: https://play.google.com/store/apps/details?id=de.blinkt.openvpn (it's open source and the devs are on #openvpn@freenode). No such thing (popup) on my side.

maybe check out this guide. Underneath section 10 there is a part that goes over linux specific client config configuration. But the content basically says:

>If your client is running Linux and has an /etc/openvpn/update-resolv-conf file, you should uncomment these lines from the generated OpenVPN client configuration file.

>; script-security 2

>; up /etc/openvpn/update-resolv-conf

>; down /etc/openvpn/update-resolv-conf

When I was learning to build OpenVPN servers I found this guide by Digital Ocean helpful (granted that one is for Ubuntu). I just looked and it appears they have a guide for CentOS 7 as well here.

Need to remember to flush all iptable rules:
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules

>(I'm assuming these come with windows)

No they dont normally come with an OS. I'm talking about something like this. It is a fanless mini pc with 4 ports. https://www.amazon.com/dp/B0BCKSMCV7?psc=1&ref=ppx_yo2ov_dt_b_product_details you just installed PFSense directly onto the storage drive that comes with the system.

And not quite because you dont remote into the mini PC. It just runs PFSense natively. I personally use EERO WiFi Access Points on the same network as my main network. (however you could use VLANs or Optional networks if you want) and then I access the EERO via any computer or the app. If you config the WiFi to be on the same as your main LAN network. If you configure it on another LAN or VLAN you can config it so any wireless devices can access it (like an app from your phone) to access Nest. Although this might required a more advanced setup.

You don't need to complicate the setup. Just install PFSense on the mini PC. Get a small unmanaged switch and plug the LAN from the PFSense LAN to the switch LAN and plug any of your devices you have on the switch (like wifi access points, then nest connected to that wifi) etc... you will be able to access those devices from any system on the same network.

Yes it can be done.

Work may detect you connecting to their VPN after you having connected to some other VPN though. I can say I have seen first hand, people caught out using NordVPN and ExpressVPN on work computers.

Personally, I have a VPN gateway at home. I could direct my work laptop to use that. My laptop wouldn't be running the VPN directly but all traffic from laptop would go via that gateway.

Are you using your Raspberry as the VPN server or the VPN client? If it's the client have you checked with your VPN server to ensure that torrent traffic is allowed to pass through?

This particular link could help you out a little.

Egypt uses DPI - really, the only option is XOR/scramble patch on the work VPN.

Although XOR/Scramble rules out OpenVPN Connect - you would need to use a 3rd party/patched client and server, to use just the work VPN.

tls-crypt sometimes sort of works, for a bit.

For your 2 VPN setup, the problem you might also have, is that maybe both VPNs are trying to change the default route - would need to see logs and configs. If that is the case, to stand any chance of using 2 VPNs at once, you would need to:

• On the AirVPN connection, set 'route-nopull'
• On the AirVPN connection, set a manual route for your work VPN:

route 255.255.255.255

• On the inner work VPN connection, set a route to the AirVPN connection via the regular net_gateway:

route 255.255.255.255 net_gateway

This way, when AirVPN connects to start with, it doesn't insert any routes into the routing table other than for your work VPN endpoint through the Air VPN tunnel (so when you try to connect to the work VPN IP, it sends it through the AirVPN tunnel).

When the work VPN then connects, after AirVPN is established, it adds a route so that the AirVPN connection can still reach the net_gateway, everything else then goes via the work VPN.

... I think this is about right.

Or, using a VPN router for the AirVPN connection, then connect your laptop to the VPN router and use the work VPN on the local computer.

But you do still have the DPI problem, potentially also an MTU/MSS if these are fixed/set on any of the VPN profiles.

No, ExpressVPN decides which IP is assigned, so even if your router always connects it still can get changed from the server side, which they explicitly say would regularly rotate as a feature.

Consider whitelisting Instagram and Google, it's not like they can't track you just because your IP changes, or just don't use Google in the first place, DDG is more friendly with random IPs.

If you don't torrent or stream and merely don't want your ISP from tracking your web activity, consider hosting your own OpenVPN server on a VPS, that should get you static IP for a much cheaper cost than an ExpressVPN subscription.

Though that is what I am wanting to achieve. I'd like for PiHole to route to the DNS servers set in ExpressVPN. Do you reckon it could be made to work or is this definitely a non-starter?

I may be best going back to the Pi-hole community on it but had wondered if the machine could be set to take in account the DNS requests being sent to it and send them through Australia for this case.

Nothing you can suggest I add to OpenVPN config that may influence how this works?

For all you VPN experts out there, perhaps the question I should be asking is:

What’s the best way to change my IP without paying for a 3rd party to do it for me (i.e CyberGhost etc). Is there any servers I can spin up locally on my NAS (running Linux) which is hidden on my local network at home?

To make it much simpler.

What I want to achieve is.. for my phone able to connect to my own OpenVPN Server (which is hosted on my home asus router). This allows my phone to access local files and resources on my home network. Going even further, my phone could also access the internet using the routing table of connections to IVACY VPN (which my same, home, asus router is also connected (as client) to the IVACY VPN. This allows my phone to use Ivacy's Public IP.

My home router handles the traffic both sides.. as a server for local resource and also as client to ivacy for privacy and security.

I hope this makes sense to you.

Ok. That makes sense if the DNS provided by the wifi provider was active even after the tunnel was setup. I am pretty sure I never tried the link until after the tunnel was established so caching should not of been present. Iam pretty sure I assign my DNS to my home preferences once the tunnel is established. (I will double check that). Thanks for the hints. I know I am not %100 secure, even with IPVanish (which use frequently), the OpenVPN is only for access to my home network without having to open up other less secure ports and to block local sniffers.

>router CPU aren’t all that capable of encrypting/decrypting all the network traffic efficiently when compared to something like a laptop

It just depends on what your router is. It's no different than asking if your computer can handle playing some particular game. The NordVPN rep is probably assuming you are talking more off the shelf gear like you get at Best Buy. It might be a lot iffier there. If you have higher end gear, or something a little more enthusiast friendly(i.e. you have what amounts to a PC running OpnSense or pfSense) then you stand a much better chance of being able to manage it. I'd almost say you can judge it by how much your router cost. If it was in the 100$ range, it's probably gonna struggle with VPN at high speeds. If it was 300$+, it's more reasonable to have high expectations of what it can do.

​

>why you'd want to game over a VPN though is beyond me

The two reasons I know of: you're a streamer or otherwise worried someone will DDOS you...a lot of games do regional matchmaking for certain things, using a VPN can make you look like you are in a particular region, which you might be trying to do so you can match with your friends.

Cheap store bought routers don't have fast cpu's, that can encrypt every packet for openvpn or wireguard.

That's why many people here buy a mini-pc like (this) for $300 and install router software, like pfsense, vyos, untangle or if you are adventurous, build your own custom linux router like I do.

I bought that box and tested it. pfsense can sustain about 100mb/s for openvpn, but drops 30% of packets. vyos and linux do about 200mb/s openvpn, no packets dropped, and less cpu used.

I get 400mb/s wireguard using linux on that box. Works great.

Looks like your not using the official android client, so it might be an issue with that. This is the official one and works fine for me on my phone. https://play.google.com/store/apps/details?id=net.openvpn.openvpn

I don't think there is a way for me to verify for sure either way if I can connect from the VPS to the Jellyfin server directly.

However, I cannot ssh in from the VPS since that port isn't forwarded. I also can't ping my public IP address, but many residential routers come configured by default to not respond to pings from the internet, so I would assume that my ISP's (WhiteSky's) is the same.

On paper, I feel that this should work since I have been able to get ports forwarded properly with AirVPN (which is based on OpenVPN) in the past even when my router didn't allow it. Though that was before I moved here to the situation I'm in now. Weirdly, though, I can't get it to work now; I'll try to see if I can make it work or if something else is screwing with it.

I had set up this OpenVPN Server in March 2020, when covid has started.

Everything works well from home Wifi & Mobile HotSpots.

This is the first time I have had the opportunity to use my OpenVPN server from a hotel Wifi. Its the hotel's Wifi that is creating an issue. As soon as I switch to my Mobile hotspot, it works fine.

I spoke to the IT guys at the hotel. They said they are not blocking VPNs as most of their clients are business visitors and they all use VPNs.

ExpressVPN works fine via hotel's Wifi.
But my openVPN server does not.

ExpressVPN works fine via the hotel's Wifi.
But my OpenVPN server does not. may not work in other hotels too. Now that's a cause of concern.

It would be a shame if I had to stop using my sweet like OpenVPN and switch to ExpressVPN or Nord VPN.

Can the OpenVPN not be configured to work like ExpressVPN etc?

The hotel's ISP is detecting OpenVPN traffic and blocking them. Switching to a non-standard port, or TCP/443 might work if their filter is laughably simple, but OpenVPN isn't really designed to avoid detection. If you can set up Outline in your server it might work, if not, just give up and stick with ExpressVPN, they use Lightway Core, a custom open source protocol with built-in obfuscation.

Just use one of the more popular services like NordVPN. Can't beat it.

I used to create my own private VPN to a linux server running in the cloud, but then do you really trust the cloud service to not log you? They make no guarantees, and most likely do. It's been independently verified that NordVPN runs diskless servers in RAM only mode, so no chance of logs. The vpn client they install on your windows computer is much more advanced than the openvpn connect client. I still use both.

Like I've mentioned, I don't have a lot of experience with Ubuntu, so I honestly couldn't make heads or tails of their instructions, sorry.

If it helps you understand where I'm at ,in any way, I followed these instructions to the letter.

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04

I don't really have access to another platform/device to try it on.

I followed this guide for the setup: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04

Not necessarily. Many VPN providers have legacy crypto did dependencies. For example, Fedora is moving faster forward and deploys additional hardening to the TLS defaults. It may simply be that NordVPN is not capable of establishing a functional tunnel due to not supporting the same cipher settings Fedora now requires, while Ubuntu is not as strict.

Of course, you can blame Fedora of breaking stuff, but that would be to be ignorant to security and privacy.

This situation isn't a new thing. I've seen consumer VPN services claiming the best privacy protection and using client and server certificates with MD5 signatures, which were deprecated a decade earlier - and it has exited proofs for even a longer time how such certificates setups can be faked. The solution from this VPN provider was to instruct users how to lower the security on their own equipment to be able to connect. Of course, I hope NordVPN is better. But I don't expect it, based on experience with several other providers. It's a dark and murky service segment.

But to be sure, someone needs to inspect the server logs. That needs to go via NordVPN.

And it may be something very different as well. Have you tried other VPN service providers? Try signing up for a free OpenVPN Cloud account and try connecting to that service.

If it was from NordVPN, I would have this issue on my Ubuntu-Mate as well.

the problem stands that fedora 35 simply can't work with the installed OpenVPN.

if I try to add the .ovpn in Network Manager using GUI and enter the correct password and username it won't matter because the millisecond i click connect, it gets disconnected.

It's obviously the operating system's fault

You're using NordVPN. They should be able to provide support in this case. From what I see in the logs here, everything is working as expected. If you can ping 10.8.3.1 as well, the link is up and running. And it needs to be investigated on the server side as well, which is nordvpn in this case.

It eventually returned to normal this morning. Some of the config scripts took longer than others, but they all were operational eventually.

I’m usually not Chicken Little about this sort of thing, but BTGuard has been so consistently reliable over the years I’ve used it that I was immediately concerned. Hope all is OK with them.

Hi man, thanks for replying to my rant, got some time so I'll answer everything I can to the best of my abilities.

Okay so a bit of clarification on my setup, I'm running Windows 10 as my host machine, using VMWare for the linux machines, both using a bridged connection so they're legitimate machines on the network.

I used this tutorial for the linux stuff: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04 on both Ubuntu 14 and 15.

And then I used https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide for the Windows 10 stuff, that was ran on my host. Neither worked.

Onto router and ports, for whatever reason my ISP blocks 1194 and my university only allows certain ports through, I use 119, I've used canoyouseeme.org to check if the port is open, always returns yes. The only times I've ever had issues or the program hasn't just executed perfectly is when I've not set the port to something that's already being used by something else, as it happens 119 is free on everything I use.

I've never had any reason to check the logs which sounds quite stupid looking back on it, but the Windows 10 client has a GUI with a live log, there were no errors in there and I assumed the Linux stuff ran all good. As for TCP over my network, I do web programming and I've got a series of websites running from off a VM that everything else on my network can access perfectly fine.

And as for UDP, I'm assuming it's 100% a-okay as I can use my laptop to connect to a VMWare Workstation server running on my desktop, so UDP is good as well. Anything else, I've got everything here and ready, so ask away, thanks again man for dealing with my rant.

Should be possible if you install OpenWRT, I’m not sure if that router can handle it natively. Details for OpenVPN on OpenWRT here: https://openwrt.org/docs/guide-user/services/vpn/openvpn/server

A quick Google search for OpenWRT with your router’s model number should give you firmware and instructions on OpenWRT for your device.

This is a normal “problem” for any VPN Connection (not just Orbi) when the Local and remote network is on the same subnet.

There easiest solution is to change your home network IP/subnet to something uncommon i.e. it is very unlikely to match local and remote subnet when connecting, e.g.172.17.204.0/24. Thus avoiding the problem altogether.

If you are determined to get it working on the same subnet you can create advanced 1:1 NAT rules in both ends to force the traffic through the VPN tunnel. I am not sure the Orbi support this. http://serverfault.com/questions/548888/ddg#835400

It sounds like you need to change the NAT rule in your iptables configuration.

Example from netfilter NAT HOWTO:

## Change source addresses to 1.2.3.4. # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html

Use the https://nordvpn.com/servers/tools/ to get the recommended server for P2P, then pick the corresponding config https://nordvpn.com/ovpn/. UDP is more performant and reliable, assuming your ISP/network doesn't block it.

> With that setup I downloaded and installed OpenVPN onto my desktop and setup a config file through my NordVPN account to set my VPN to connect to Seattle, WA.

If you want all your devices to use OpenVPN, the installation and configuration should be on your router, not on your desktop.

I may have found what I'm looking for.... This includes a script that uses a flat file username/password file. Luckily I have a Safari Books Online login/pass so I can read the whole thing. Here's the auth script:

#!/bin/bash # the username+password is stored in a temporary file# pointed to by $1 username=head -1 $1 password=tail -1 $1

if grep "$username:$password" $0.passwd > /dev/null 2>&1 then exit 0 else if grep "$username" $0.passwd > /dev/null 2>&1 then echo "auth-user-pass-verify: Wrong password entered for user '$username'" else echo "auth-user-pass-verify: Unknown user '$username'" fi exit 1 fi

[root@vpn ~]# cat /etc/openvpn/server/server.conf port 1194 proto udp dev tun ca /etc/openvpn/server/ca.crt cert /etc/openvpn/server/VPNServer.crt key /etc/openvpn/server/VPNServer.key dh /etc/openvpn/server/dh.pem server 10.0.0.0 255.255.255.0

ifconfig-pool-persist /etc/openvpn/server/ipp.txt 0

duplicate-cn cipher AES-256-CBC tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 auth SHA512 auth-nocache keepalive 20 60 persist-key persist-tun compress lz4 remote-cert-tls client daemon user nobody group nobody status /var/log/openvpn-status.log 60 status-version 2 log-append /var/log/openvpn.log

ccd-exclusive

client-config-dir /etc/openvpn/ccd verb 3 management localhost 7000

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login

Push routes for clients. Use https://www.robtex.com/ to find IPs for domain

push "redirect-gateway def1"

push "route-gateway 1XX.1X5.XX.XX"

push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4"

push "route 0.0.0.0 255.255.255.255"

If you want to do it right I would consider separating clients and servers the same way as in Whonix https://www.whonix.org/wiki/Documentation

Your client would be creating a local AP which your iOS device connects to and routes everything through the VPN tunnel. iOS itself would have no idea about any VPN.

It all seems pretty basic to me. Maybe try changing your port to 443 just in case there is any MITM stuff scanning for OpenVPN ports. I've been running mine over 443 and never had any issues. This might also help - https://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/

Ah, I first need to make a clarification. I'm just running the standard openvpn package, but I didn't realize that there are separate access server packages (even though I'm using openvpn as an access server). So my bad on that.

This is my current config. So it seems my route toward the end is not correct?

Hey I don’t want to disappoint you or anything but something like this already exists.

https://ngrok.com

This doesn’t stop you from making your own service though and letting customers/friends use.

It’s a nice way to get around having a dynamic IP address if you want to host a public server.

I followed this howto and It works well,

https://www.linode.com/docs/tools-reference/custom-kernels-distros/install-freebsd-on-linode/

I have other VPNs on other ISPs, on Debian, CentOS6 and CentOS7. theres no difference for openvpn

if you want a free open source web UI to control it, and only plan to use it on like your phones and computers, Pritunl is perfect. I use it for my vpn and hacked together a way to get the chromeos vpn to work.

https://pritunl.com

All you have to do is install some open VPN client software. I assume you already have a server to connect too. If its a paid VPN, then they should have some client software.

Just adapt these instruction for whatever you openvpn server is https://nordvpn.com/tutorials/linux/openvpn/

You need to enter it to the "remote". From the firewall's PoV your SoftEther interface is a "remote" (despite actually being a virtual adapter in your server)

See https://www.softether.org/index.php?title=4-docs/1-manual/3._SoftEther_VPN_Server_Manual/3.7_Virtual_NAT_%26_Virtual_DHCP_Servers for the configs.

https://www.softether.org/@api/deki/files/4/=1.2.jpg

• L2TP is built into all devices, no software client installation required.

• Works with Linksys L2TP mode, no need DDWRT or OpenWRT or any router flashing

I am actually using "# openvpn /path/to/client.ovpn". I don't do it through networkmanager. I do however use that to connect to wifi/eth0. Here is the output from when i execute openvpn if this helps: https://ghostbin.com/paste/35zbh

So u/AutoModerator has asked me to include more details...

1. The Problem I am experiencing. When using the VPN access point I have set up, my traffic is detected as being from a VPN, when connecting through NordVPN app the traffic is not detected. Even when using the same NordVPN server number.
2. The desired outcome. That my traffic is not detected as traffic from a VPN, and I can view geo-blocked content from a foreign country for the purpose of learning a foreign language.
3. ...
4. Follow the guide in the original post to recreate the Raspberry Pi VPN Access Point, connect to a Norwegian NordVPN server, try to view NRK TV programme.
5. Raspberry Pi 4 4GB, Current stable and fully updated RaspbianOS, current openVPN from repository.

OpenVPN and WireGuard can have many users as you want.

You have installed “OpenVPN Access Server” that is a product over OpenVPN that give you a website admin feature. Is not the open source one!

If you want to be like NordVPN you can rent host VPS all over the world and configure VPN on the servers you want to go out with

For the configuration you can google it “how configure OpenVPN on [OS name]” depends if you are using Linux vs Windows and you are good to go

I’m not on a pc to check you but you will find good info to make it

How about VPN with Wireguard? Is there that 2 user limit for the "free" open source install on say AWS or GCP VPS? Can one setup a service similar to NordVPN where you can have access to servers in multiple countries using a single provisioning?

Depending on how messed up the router is, you could get a physical remote reboot device such as this. Basically using an app on your phone, you'd be telling this box to power cycle whatever is plugged into it.

If your router is totally hosed, there are dialup versions of this box, but you'd need to spend money on a land line and hope it doesn't get robocalled.

You don't need OpenVPN Cloud or to pay anything to OpenVPN themselves. They seem to have their own VPN service which by looks of it isn't so cheap.

Your VPN provider should be able to provide you with a OpenVPN profile or provide you connection details. If it is Panda Security however, I don't know if they'll support OpenVPN protocol as not all do.

Maybe have a look at VPN Unlimited, IPVanish, ExpressVPN or SurfShark. I think all of them support OpenVPN.

Alternatively, you can host a VPN server in the cloud. It can become expensive though depending on use. Maybe check out Azure, Amazon AWS, or DigitalOcean. I've tried and tested DigitalOcean and was easiest one to get set up with.

Yes, I have OpenVPN and ProtonVPN (either will be fine to get working) on my Mac, and I want to use the VPN on a Nintendo Switch. The link you shared got me excited because it looked as though I could just share my Wifi without setting up a VPN interface like I had been trying. But, on those options, I can't share Wifi over Wifi. There is options for Bluetooth and Ethernet, but the Switch needs to be paired by Wifi only.
My router doesn't have settings to be used with VPN, so I was hoping there was another way.

Openvpn needs a client and a server. Your gaming PC will be the client and will connect to a server. The software for client and server is the same, role is defined by the config.

Most people will sign up with a VPN provider like NordVPN or PIA. These services run the server and provide you with a config to put in your client. You can also get your own server in a data centre somewhere and configure it yourself.

The regular internet is not about privacy anymore. So privacy today means choosing who gets to read all your traffic.

A VPS provider makes money by selling their service and is not in the user data business. I might be wrong though. A subscription VPN service (NordVPN et al) is in the privacy buiseness so you'd think they're not selling your data. But what's stopping them? Or maybe they serve ads themselves? Your ISP might not track you, but they just as well might.

DNS querys are transmitted in plaintext. You can encrypt them using DNS-crypt (or other means) and choose your upstream DNS resolver to be hosted by a pro-privacy group for example. You only need to trust said group to not be tracking you or meddling with the DNS records. I consider my setup pretty secure/private in this regard.

On top of that ad blocking/tracking plugins for your browsers and stay away from native apps and you're already pretty good on privacy. Better than 99.9% I'd wager.

> what is the difference between OpenVPN and services like NordVPN

OpenVPN is a VPN protocol + implementation. NordVPN is a public VPN provider which uses OpenVPN in the background.

> Will my ISP see what i am doing

Most websites use TLS (HTTPS) which is end to end ecrypted. A secure, encrypted tunnel is built between your browser and the webserver. Website content, cookies, URLs, fom data etc is transported over that tunnel. Nobody in between (for example your ISP) can see the content. Due to the nature of TLS 1.2, the hostname of the site (, , ) is tansmitten in clear text. Nothing else and this probably changes with TLS 1.3.

With a VPN it's the same. You just send all your traffic to the VPN provides server and from there to the internet.

> in terms of what websites i visit and what searches i look for and what i download.

As explained above: no

> Can i somehow mask my IP from my ISP with OpenVPN

No. You IP belongs to the ISP and it's technically not possible to hide it. Why the fear of your ISP btw?

Well I dont know those articles and YouTube videos so I can not judge them.

"VPN on raspberry pi good" can be true, depending on what you want it to do.

But very importantly, PiVPN is not a replacement for the likes of NordVPN or PIA or what theyre all called.

So the question still stands: what do you want to achieve with a VPN?

• Do you want to access your home network resources? Then PiVPN is the right choice. You can then also use PiVPN to encrypt traffic between your laptop and your home network, if you dont trust the network youre currently in (like a Starbucks).
• If you only want to encrypt traffic, you can use a VPN company (like Nord or PIA, etc). But very important to note is, that the encryption is only between you and the server by the company. So on the way between the company's server and the destination (like youtube or whatever youre browsing) is not encrypted. It can only partly "protect your privacy", like some of these companies claim. But thats getting to long to discuss in a small comment like this.

The underlying thechnology (VPN - Virtual Private Network) is the same, but there are very different reasons to use them. The encryption is only part of this.

Not sure if there is an iOS version, but here's an easy way to send encrypted email via Android:

"FlowCrypt: Encrypted Email with PGP" https://play.google.com/store/apps/details?id=com.flowcrypt.email

> are you saying that OpenVPN shows that it's connected directly to my home connection

Yes, that is the case. Your IP address may be different from when you are physically at home, but you are indeed connected to your home network, and any website you visit will log your visit as coming from your home. You can prove this by visiting e.g. when physically at home. Note the public IP address shown there. Then, when you are somewhere else and NOT connected to your home VPN, visit the same site. Note it shows a different public IP address. Now connect to your home VPN, and reload . It should now show the same IP address it showed when you were physically at home.

> I make my OpenVPN server look like I'm connected to somewhere else in the world

That is something you can only achieve by having multiple OpenVPN servers scattered around the world. The easiest way to do this is by using a third-party VPN service, like NordVPN.

What is going on here lol? OpenVPN is not a service and does not offer services. (Except for OVPN connect?)

You are not “connecting” to OpenVPN. You are using OpenVPN software to connect to a remote server also running OpenVPN software. The internet connection between your remote server and YouTube are likely the issue.

Don’t say “I’m connecting to OpenVPN”. Say “I’m connecting to my VPN service, i.e. NordVPN using OpenVPN for my network protocol”

OpenVPN is a technology. Not a consumer offered service. Companies, networks, and end users like yourself use OpenVPN software to connect to a remote server.

You didn’t mention who you are using for your VPN service. (Don’t say OpenVPN 😉)

I did just that and it still wouldn’t work. It works really slow for a couple seconds then stops receiving packets. I think OpenVPN wouldn’t work here because I tried numerous NordVPN servers to no avail

It is. I setup the t2.xlarge thinking the issue was with the micro’s low to moderate performance. Yet I’m getting similar performance to the micro.

I literally just thought of it. The country I reside in (UAE) has restrictions on VPN access, so NordVPN doesn’t work here. Perhaps they’ve restricted OpenVPN as well. I will try to setup WireGuard in hopes that works.

Do you own or maintain the server you connect to?

If so, then you need to check the validity of your CA and server certificate yourself using the openssl command.

If you are not the admin to the server, if it is a VPN provider like NordVPN or your employer. Then you need to ask them to check the server certificates and ask for assistance.

You can check your own certificates by using this command:

openssl x509 -noout -text -in

Check that the dates are still correct, they should not have expired If you use client certificates to authenticate to the server you can use the same command again to verify those.

openssl x509 -noout -text -in

Again check the dates.

When server is running, RAM and physical server can be accessible to corrupted Datacenter technicians as well as Server Service-provider whom have admin access to servers. Both can do this potentially. Unless we can find a solution to encrypt the data in RAM with a protocol like ZRTP or similar realtime encryption protocols, also unencrypted drive/server should be a way to keep it encrypted from Datacenter technician and admin user of Server Service provider and hosting company.

You defined the threat model, now is there any solution for this to prevent it in personal/private OpenVPN deployment on a rented VPS/Server abroad?

​

> 'NordVPN colocates their server infrastructure which a third-party data center, a very common practice.'

Is there any more secure option based on these threat model? How shall I secure a private/personal VPS based OpenVPN server against this physical datacenter technician or remote server service provider's attack then?

Tnx

Might be a better question to ask NordVPN support.

Otherwise, if NordVPN does use an OpenVPN backend. Please answer the following questions.

5) Specifications:

OpenVPN Server Version Server Operating System, Number of CPU Cores, Memory etc.

OpenVPN Client Version Client Operating System, Number of Cores, Memory etc.

6) Add a sanitized version of the following files:

OpenVPN Server Configuration

OpenVPN Client Configuration

Server Firewall Rules

Server NAT/Routing Rules

Any additional applicable information.

Well the video doesn’t show this exact thing, the video shows you an option for hosting your own VPN server on a VPS. How is this related to OpenVPN and how is this related to ProtonVPN? It isn’t.

If this is what you want to achieve that’s great but this does not match anything that you described so far.

Good luck!

I’m not sure that you can connect two OpenVPN servers together via ProtonVPN, I’m sure that would involve changes to config with ProtonVPN and/or its network. Even if you could, why would you want to do this? If your end goal is to connect two LANs together without touching routers on either LAN, my recommendation would be to run OpenVPN on a Virtual Private Server and connect both LANs to that.

If that still doesn’t work, maybe try and explain what you’re actually trying to achieve and I or others might be able to assist.

Yes, I believe it might even be six like PIA. I was starting to have the same problems with Express but not as bad as PIA's servers so I had to keep looking. I really wanted to try out OpenVPN but their # of machines was too few. They have a great policy since they're in Portugal I think or was it Panama and away from the 14 nations. Even then no VPN provider can promise anything. Some of them even can be under gag rules and no one even knows - especially in the US. I'm not a covert or sophisticated user so AirVPN was too much for me that I couldn't even get it started. I'm pleased to have found Mullvad. It's not sexy, it's simple and it just works and that's all I need.

This thread is a little old so maybe you've figured it out already.

You're thinking along the right lines but perhaps a little cheaper and easier than a raspberry pi is an open VPN router like this one:

https://www.amazon.com/GL-iNET-GL-MT300N-V2-Repeater-300Mbps-Performance/dp/B073TSK26W

You can attach this to your current router; it broadcasts it's own SSID so you can connect your Chromecast to this, along with the casting device. Then any other device you don't want VPN'd just stays connected to your original SSID.

It's a bit of a pain to switch Chromecast WiFi networks so just disable/ enable open VPN in the router. You can also change the VPN region as required.

Setup can be a bit finicky - here's a guide from one VPN provider. Good luck!

https://torguard.net/knowledgebase.php?action=displayarticle&id=256

No worries!

There are a bunch of ping apps for Android, here's one I chose at random:

https://play.google.com/store/apps/details?id=ua.com.streamsoft.pingtools

Grab that, hit the hamburger menu top left, 4th option is ping. Choose that, type in the name of your Windows machine you want to RDP to, it'll either say Unknown Host or it'll give your a round-trip time in ms of how long it takes.

Try that and report back. :)

(edit: spelling)

Hi, the only Android App you should use is that one: https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en

As to why connection could (not) work on some networks: https://en.wikipedia.org/wiki/Deep_packet_inspection, etc.

The "local" statement is derived from the interface you set in the web GUI. You use 10.116.0.34. Is that IP configured on that ExpressVPN interface? Why did you even create a new interface? I'd just use LAN there.

@FengoVolkov I would like to ask if you are using any Anti-virus software, as this will cause an issue sometimes with installing the Tap adapter? If you have Anti-virus software, please add the following files as exceptions/exclusions to your Anti-virus software: C:\Program Files<a rel="nofollow" href="http://www.privateinternetaccess.com/pages/buy-vpn/redditfaves">Private Internet Access C:\Program Files\Private Internet Access\tap\win10 C:\Program Files\Private Internet Access\tap\win7 C:\Program Files\Private Internet Access\ C:\Program Files\Private Internet Access\ C:\Program Files\Private Internet Access\ C:\Program Files\Private Internet Access\

Once you have added these exceptions, please try reinstalling the PIA app once more from :

If you run into any other issues while doing this, please submit a support request ticket on the PIA website at

There's currently a deal for NordVPN: 3 year plan for $100. From what I can tell, it seems all the VPNs are pretty much always on sale, so is this a good deal? You convinced me to pull the trigger on buying one.

EDIT: I went ahead and made the purchase. Seems to be a good deal at $2.99 a month. Thanks for the advice!

Have you gone step by step on an actual NordVPN tutorial? Does your /etc/config/firewall contain the strings listed on "config forwarding"? Might be the issue for not going through the tunnel.

Can you elaborate that, I am new to all this stuff? I haven't bought a VPN plan yet, however I plan to buy Torguard VPN + Streaming IP as described in /r/NetflixViaVPN. Should I buy a proxy plan too? Is this available on router level? Would it work with https? What do you suggest? Thanks in advance.

Edit: I just checked squid is available on Entware. I think you meant this. Can you provide a basic code snippet for my purpose? How do I enter domains and route the request to VPN or WAN?

ok so ive got some good news!

it seems our edit with the "remote-cert-tls server" is a necessary step, so keep that in all your future config files. Not sure why its not just included already.

I could not get the "vpnbook-euro1-udp53" to work sadly... tried messing around with some config parameters but to no avail. but a quick search online for port 53 shows that it is used by a number of applications already, so it's pretty likely that's just not a good port to use because it may just be too congested. (?port=53)

So I tried the "vpnbook-euro1-udp25000" configuration, figuring port 25000 is going to be a bit more obscure than port 53. Keeping our edit to the config file, I was able to get the VPN active under this configuration. So give that a try and let me know if it works for you.

Also, I do use 2 VPN services. Tho I will say, I'm a firm believer in the adage - if somethings free, you're the product! But I didn't vet vpnbook, so I don't know in their particular case. I do like how no sign-up is required, but are they looking at/logging your internet traffick? Who knows. Your ISP won't know what you're doing tho, if that's what you're trying to achieve.

I personally use PIA VPN (Private Internet Access) for downloads and streaming. It's cheap (like $4/month) and they get a lot of good press over not keeping logs and supporting net neutrality.

My second VPN is essentially free after setup costs. I host my own with a Raspberry Pi that I use for accessing password sensitive accounts on public wifi. It's a pretty easy setup if you want to give it a try, but if you're trying to stream/download/torrent it's best to use a VPN that's not connected to your home network. So the Pi VPN is more of a special use case.

Not sure what platform you are on, but when I did this same thing on a Raspberry Pi3 there was a bash script called in /etc/openvpn/easy-rsa/keys. That will make the OVPN config file you need for the IOS app. Make sure you use the same client name you used earlier when you created the key. You could also do it by hand though.

Sorry, I know it's been a while but I hope I can still get your help. I got my raspberry pi and pihole setup, and have been following the guide on to set up the two with openVPN.

I'm not quite clear how it will work, though. Currently I use OpenVPN on my android to connect to my account on the servers. It sounds like I will need to use OpenVPN to connect instead to my home DNS pi-hole server once it's set up, thereby losing the use of the IVPN service. The alternative is to port-forward the DNS server, use open VPN to get to IVPN but override the server provided DNS settings, but port forwarding introduces a lot of security risks, no?

Anyways, any thoughts you have would be greatly appreciated. Thanks again.

It worked just two weeks ago. I thought maybe something had happened with the OS so I reinstalled that, but the problem persists. I had no problems two weeks ago, and the client config is the same as two weeks ago, and same as on my windows machines, and they work perfectly connected to the same server with openvpn. On my windows machines I get 85/85 Mbps on http and torrents, and I used to get about half of that on torrents on pi two weeks ago, but now it just kills internet as soon as any torrent client is opened, except transmission......

"customer success team" at PureVPN is no help, keep going around in circles about DNS even though I cannot ping anything. The millisecond the UI opens on deluge or qbittorrent the pings to internet stops.

Other then having an extension for the browser that is from a company like TunnelBear, and you are not on linux, I don't think there would be a way to just have one application go through VPN with OpenVPN. I would suggest checking out r/VPN, they might have something.

Transmission works here too, but if I have to use that I'd rather not use it for torrenting at all. Deluge and qbittorrent doesn't work anymore, even thought it worked just two weeks ago. I thought maybe something had happened with the OS so I reinstalled that, but the problem persists. I had no problems two weeks ago, and the client config is the same as two weeks ago, and same as on my windows machines, and they work perfectly connected to the same server with openvpn "customer success team" at PureVPN is no help, keep going around in circles about DNS even though I cannot ping anything. The millisecond the UI opens on deluge or qbittorrent the pings to internet stops.