Some essential steps to get OpenVPN road-warrior clients to use the OpenVPN server as their default gateway for internet access (on CentOS):
set ip_forward to 1 on the server to enable traffic forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
(this is lost at reboot; to make it permanent also put net.ipv4.ip_forward = 1 into /etc/sysctl.conf)
open the necessary forwarding and NAT paths in iptables:
(assuming your OpenVPN server uses 10.8.0.0/24 for the tunnel and eth0 is the server's internet-facing interface)
(make sure your tunnel uses addresses nobody else uses; otherwise you get routing problems as soon as a client sits in a WLAN that uses the same range as your tunnel)
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
(the order matters: the rules are appended, so the REJECT must come last. Note that the second rule forwards client traffic to any destination, including a LAN behind the server; add -o eth0 to it if clients should only reach the internet)
make those iptables rules survive a reboot: put the rules in
/etc/rc.local
(or, on CentOS, run "service iptables save" once the rules are in place, which writes them to /etc/sysconfig/iptables and reloads them at boot)
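The forwarding and NAT setup above as one script that can be called from rc.local, added here as an example and not part of the original notes. It makes the same rules as above but deliberately tightens them: client traffic is only forwarded out of the uplink (-o eth0), the rules live in their own chains (assumed names VPN_FWD and VPN_NAT) that are flushed and refilled on each run so rerunning never duplicates them, ip_forward is persisted in /etc/sysctl.conf, and the script refuses to run if the VPN subnet overlaps an address already configured on the host, the same clash the notes warn about for clients in a WLAN. Subnet 10.8.0.0/24 and interface eth0 are taken from the notes; iproute2's "ip" is assumed to be present and the script needs root to apply anything.

```shell
#!/bin/sh
# Added example, not part of the original notes: forwarding + NAT for the
# road-warrior server, safe to rerun from rc.local.
# Assumed names: 10.8.0.0/24, eth0, chains VPN_FWD / VPN_NAT. Needs root.
set -eu

VPN_NET=${VPN_NET:-10.8.0.0/24}
WAN_IF=${WAN_IF:-eth0}

# ip4_to_int 10.8.0.1 -> 168296449, pure POSIX arithmetic
ip4_to_int() {
  oldifs=$IFS; IFS=.
  set -- $1            # split the dotted quad into $1..$4
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A/n B/m -> exit 0 if the two blocks share at least one address.
# Two CIDR blocks overlap exactly when one contains the other, so comparing both
# network addresses under the shorter of the two prefixes is sufficient.
cidr_overlap() {
  a_ip=${1%/*}; a_len=${1#*/}
  b_ip=${2%/*}; b_len=${2#*/}
  len=$a_len
  [ "$b_len" -lt "$len" ] && len=$b_len
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "$a_ip") & mask )) -eq $(( $(ip4_to_int "$b_ip") & mask )) ]
}

# check_no_clash: compare VPN_NET with every IPv4 address configured here,
# ignoring the tunnel interface itself (it carries 10.8.0.1/24 once openvpn is up)
check_no_clash() {
  for cidr in $(ip -o -4 addr show | awk '$2 !~ /^(tun|tap)/ { print $4 }'); do
    if cidr_overlap "$VPN_NET" "$cidr"; then
      echo "VPN subnet $VPN_NET overlaps local $cidr, pick another subnet" >&2
      return 1
    fi
  done
}

apply_rules() {
  # the echo in the notes is lost at reboot; sysctl.conf is not
  grep -q '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf \
    || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
  sysctl -w net.ipv4.ip_forward=1 >/dev/null

  # filter: only tunnel clients may be forwarded, and only out of the uplink;
  # the chain ends in REJECT like the FORWARD chain in the notes
  iptables -N VPN_FWD 2>/dev/null || true
  iptables -F VPN_FWD
  iptables -A VPN_FWD -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A VPN_FWD -s "$VPN_NET" -o "$WAN_IF" -j ACCEPT
  iptables -A VPN_FWD -j REJECT
  iptables -L FORWARD -n | grep -q '^VPN_FWD ' || iptables -I FORWARD 1 -j VPN_FWD

  # nat: hide clients behind the uplink address
  iptables -t nat -N VPN_NAT 2>/dev/null || true
  iptables -t nat -F VPN_NAT
  iptables -t nat -A VPN_NAT -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
  iptables -t nat -L POSTROUTING -n | grep -q '^VPN_NAT ' \
    || iptables -t nat -A POSTROUTING -j VPN_NAT
}

# Only touch the system when explicitly asked (VPN_APPLY=1 sh vpn-gw.sh);
# sourcing or syntax-checking the file stays side-effect free.
if [ "${VPN_APPLY:-0}" = 1 ]; then
  check_no_clash
  apply_rules
fi
```

Call it from rc.local as "VPN_APPLY=1 /path/to/vpn-gw.sh"; because the chains are rebuilt from scratch on every run, calling it a second time by hand after changing VPN_NET or WAN_IF leaves exactly one copy of each rule.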
make DNS requests from the clients be answered by your server: install dnsmasq
and put the server's OpenVPN IP into the dnsmasq config as listening address (listen-address=10.8.0.1, together with bind-interfaces so dnsmasq does not also answer on eth0 and become an open resolver for the whole internet)
modify openvpn.conf (rather than server.conf) on the server and add the following if not yet present:
(this assumes you already have a working server config with certificates; the push directives modify the clients' routing tables)
# assign address range and port to the server
server 10.8.0.0 255.255.255.0
port 1234
# dev must be the same on both ends; the client config below uses tap
# ping clients to keep the tunnel up; if the tunnel silently drops, client traffic
# suddenly leaves with the client's own IP instead of the server's
keepalive 10 120
# def1 adds 0.0.0.0/1 and 128.0.0.0/1 routes via the tunnel instead of replacing the
# default route; bypass-dhcp adds a direct route to the client's DHCP server so lease
# renewals stay outside the tunnel. The second form is contained in the first, so
# one line is enough:
push "redirect-gateway def1 bypass-dhcp"
#push "redirect-gateway def1"
# make clients use dnsmasq on the server
push "dhcp-option DNS 10.8.0.1"
# route for the tunnel network itself; redundant in practice, since the server
# directive already takes care of it, kept as a fallback in case redirect-gateway
# did not do what it should
push "route 10.8.0.0 255.255.255.0"
# add the following if your clients should be able to reach each other
client-to-client
# the following are disabled; many guides suggest some of them, unclear whether they help
#tun-mtu 1492
#fragment 1300
#mssfix
# adjust to your needs: status writes a table of connected clients, the actual log
# goes to /var/log/messages (a lot is logged there at verb 4)
status /var/log/openvpn.log
verb 4
a simple client config for OpenVPN (Windows) or Tunnelblick (Mac) suffices:
# never tcp: tunnelling TCP inside TCP stacks two retransmission timers and stalls badly
proto udp
# must match the dev on the server
dev tap
# only accept a server certificate issued for server use, so another client's
# certificate cannot impersonate the server (newer releases call this remote-cert-tls server)
ns-cert-type server
tls-client
client
mssfix
remote <ip of server> <port of server>
ca <path/file>
cert <path/file>
key <path/file>
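After connecting, the two things worth verifying on a Linux client are that the default route really goes through the tunnel and that DNS does too; the following checks are an added example and not part of the original notes. They matter because "redirect-gateway def1" does not replace the default route: it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which win over 0.0.0.0/0 by being more specific, so simply looking for "default via" would miss a working setup, and a WLAN resolver still listed first in resolv.conf means DNS leaves the tunnel in the clear. Assumed: iproute2 "ip route show" output, a tun*/tap* interface name, and 10.8.0.1 as the pushed resolver from the server config above.

```shell
#!/bin/sh
# Added example, not part of the original notes: client-side checks that the
# pushed redirect-gateway and DNS settings took effect.

# tunnel_is_default: read "ip route show" on stdin; exit 0 when both /1 halves
# (or a full default route) point at a tun/tap device
tunnel_is_default() {
  awk '
    $1 == "0.0.0.0/1"   && /dev (tun|tap)[0-9]/ { lo = 1 }
    $1 == "128.0.0.0/1" && /dev (tun|tap)[0-9]/ { hi = 1 }
    $1 == "default"     && /dev (tun|tap)[0-9]/ { def = 1 }
    END { exit !((lo && hi) || def) }
  '
}

# dns_is_tunnel RESOLVER: read /etc/resolv.conf on stdin; exit 0 when the first
# nameserver is the VPN resolver. Only the first entry counts, because that is
# the one the resolver library asks first.
dns_is_tunnel() {
  awk -v want="$1" '
    $1 == "nameserver" && !seen { seen = 1; ok = ($2 == want) }
    END { exit !ok }
  '
}

# check_client [RESOLVER]: run both checks against the live system
check_client() {
  ip route show | tunnel_is_default \
    || { echo "traffic is NOT routed via the tunnel" >&2; return 1; }
  dns_is_tunnel "${1:-10.8.0.1}" < /etc/resolv.conf \
    || { echo "DNS does NOT go via the tunnel" >&2; return 1; }
  echo "default route and DNS both go through the VPN"
}
```

Run "check_client" while connected; if only the DNS check fails, the client's resolver was not updated from the pushed dhcp-option (on Linux this needs an up/down script such as update-resolv-conf, which the plain config above does not include).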
if using Android as a client (CyanogenMod has OpenVPN built in), be sure to bundle your client certificate and key into a PKCS#12 (.p12) file. On Windows:
(first import the certificate into certmgr, then export it together with the private key, then rename the result to .p12)
http://www.abtevrythng.com/2010/06/adding-cer-certificates-on-your-android.html
or on Linux (you will be asked for an export password; set one, since the file contains the private key):
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name client -out certs.p12
http://forum.xda-developers.com/showthread.php?t=1061946&page=1173
my CyanogenMod 7.1 needs a "modprobe tun" for OpenVPN to work (even when using tap), so be sure to run that on boot:
http://wiki.cyanogenmod.com/wiki/OpenVPN