VPN: ultimate configuration guide

  • Hello guys

    I would like to add a OpenVPN Server to my NAS, but I'm not able to find a complete and updated guide on internet.

    My need is to connect to the devices in my home from anywhere.


    Somebody says OperVPN plugin (via OMV Extras) is better than Docker... but somebody, as opposite, says Docker is the only way to obtain a stable VPN.

    Somebody says OpenVPN plugin has some bugs in gateway and routing options, preventing it to works as expected. Is it true? Are there really plugins that handle such a delicate service with bugs?


    If I search for a guide in order to use OpenVPN plugin, I find only obsolete guides, with obsolete screenshots and unclear explanations.

    Some guides even say to configure "like this" without explaining the reason for each single option, but VPN is a serious topic, why should I configure "like this"?.


    If I look for a guide in order to use Docker, I find uncomplete documentation and difficult guides, and if I try to follow them, I get a VPN with a very basic configurations and difficult to debug. I love command line, but in year 2021 is there not a user interface for the milions of VPNs active on the whole world?

    I'm sorry but after some hours on internet I'm not able to find an easy and ultimate guide to configure an OpenVPN server for OMV, via plugin or alternatively via docker.

    Can you help me to find one?


    Thankyou in advance.

  • Thank you for your answer, chente.


    Wireguard seems interesting and I will evaluate it.


    The sentence:

    "Note:Do not change the default port, it only worked for me with that port. 51820 udp"

    seems to me like:

    "use it as you find, or something that I don't know will no works".


    So I ask: why you didn't understand the issue? And do you trust something that you don't understand?

  • Here is the official documentation of openVPN.

    It might be better you use it as a reference: https://openvpn.net/vpn-server…he-openvpn-access-server/



    So I ask: why you didn't understand the issue? And do you trust something that you don't understand?

    Why don't you search for yourself??????

  • I usually try to change the default ports always. In this case it did not work. I assume that the package prepared by linuxserver needs that specific port to be able to work. Maybe if you get into docker once installed you could change it in the internal configuration, I have not investigated it. If you do please post it, I would like to know. If it can be done I will include it in the guide.

    In any case I trust linuxserver. If it were another author, maybe I would see it differently. I have not given more importance to this matter. I have only written the note to avoid headaches to someone who does like me and changes it without trying anything.

  • Thankyou chente for your explanation: I'm always corious to know what people think about the "trusting" and the "security" and you has been honest.
    As I said, I will try this solution.

    macom, I perceive from your answer that my last post came to you as arrogant. Probably it was: I'm sorry but my english is less than scholastic so I explain myself with the words and the ways I know. Sorry (also for chente, if he felt the same sensation).
    I only want to know, with open mind, how can I trust a docker image that seems have a bug in configuration side.

    (for those who will read in the future, I'm not saying that the image we talked about is buggy, but I'm dealing with a more generic discourse)

    Quote

    Here is the official documentation of openVPN.

    It might be better you use it as a reference: https://openvpn.net/vpn-server…he-openvpn-access-server/

    I'm afraid to install openVPN or other software from CLI, in a OMV machine.
    My fear is that an OMV update/upgrade/dist-upgrade broke the configuration of the manually installed software.

    For example, if I modify SMB configuration from CLI, the configuration itself will be overwritten by OMV, sooner or later.

    Please, correct me if I'm wrong.


    Quote

    Why don't you search for yourself??????

    Because I'm not able to do it.
    This is why I'm looking for a TRUSTED software, WELL mantained, and with CLEAR documentation and FLEXIBLE configuration. Probably, If I was a linux genius, I was not using OMV but I started every single service I need from a basic installation of Debian, Centos or other ultra-stable distros. One of the strong points of OMV is that is pretty easy to use and powerful on its functionalities. VPN should be too, like SMB, FTP, SSH or the most used softwares in the world. But this is only my point of view.


    macom, anyway thank you for your interest, for your answer and for the link to the official openvpn documentation.

  • Just clarify that I am not an expert in Linux or OMV. I am just an average user and I try to help OMV and the developers to the best of my ability. This is the help that I can provide with my knowledge, I would like to help more and I know that more help is needed here.

    Of course there are things that I do not understand, I am not a Linux genius. BUT you can trust the published guides regardless of who they are. All are approved by the moderators before being published, they pass a filter before reaching users.

  • I usually try to change the default ports always. In this case it did not work. I assume that the package prepared by linuxserver needs that specific port to be able to work.

    I made some tests today. Your solution, wireguard, is good.
    For me changing port is perfectly working: it is necessary to change two lines in configuration (Line 14, and Line 23) as follow...

    If you want you can do your test and modify the guide,


    TheFax

  • For me changing port is perfectly working: it is necessary to change two lines in configuration (Line 14, and Line 23) as follow...

    Thank you very much for your input!!

    Sadly that setup is the first thing I tried and it didn't work for me.

    I could comment in the guide saying that it will work for some and not for others, but it would be confusing.

    Clear your browser's cache.

  • I made some tests today. Your solution, wireguard, is good.

    Sorry to ask, do you have an extra server (besides where wireguard runs) on your LAN?


    If you do, can you access it via outside network?

    I mean, when you're wireguarded to the home, do you manage to access the other computers/services on the rest of your LAN?

  • Hello Soma,

    short answer is: yes.


    I have more than one server in the same LAN (with different IP) and I can access them from everywhere when I'm connected via Wireguard.

    Example: it is possible manage my router, connect via SMB to another server or any other operation that you do when you are connected in home LAN.

    Also the internet traffic of the smarphone is redirected inside the Wireguard connection.

    From what I've seen, broadcast packets are not redirected into the tunnel, so SMB discovery (and other discovery tools) has some difficulty to work, but I can be wrong because I made only few tests with a basic configuration.


    This is the default behaviour, and I think this can be changed modifying the configuration.

  • Hello Soma,

    short answer is: yes.

    Since there was an other thread, with docker-wireguard that the OP wasn't able to "see" any services other than the one's running on the wireguard server, perhaps you can post one output?


    Hide any sensible/private DATA, of course, ;)


    On the CLI:

    ip addr # Just to see if your wired ethernet has a normal eth0 name or not. Assuming you're with wired. If WiFi also good.

  • On the CLI:

    ip addr # Just to see if your wired ethernet has a normal eth0 name or not.

    In my case, for what it's worth, the name is enp4s0. I can access any of my services and servers from the WAN using wireguard.

    Darkopi's case is rare. His ethernet name is not normal.

    Clear your browser's cache.

  • Voilà...

    (underscore for hide sensitive data)

    192.168.0.53 is the static IP I use to connect to this machine.

    172.18.0.2 is the IP of the Wireguard container (read from Portainer).

  • Ok, according to both chente and TheFax , both ethernet connections also have a different name from the "default" one.

    I was hoping the reason for the docker-wireguard fail, was due to that but it seems it won't matter the name.


    Well, I need to forget about this, since the situation with darkopi was sorted.


    Thank you all.

  • For me changing port is perfectly working

    I rectify. I have tried this configuration again and the port change works for me.

    The first time I tried it a long time ago it did not work. A container update may have resolved it. Or maybe I had weird in my setup.

    In any case now it has the expected operation, I will correct the guide. Thank you.

  • Ok, according to both chente and TheFax , both ethernet connections also have a different name from the "default" one.

    I was hoping the reason for the docker-wireguard fail, was due to that but it seems it won't matter the name.

    The reason the network names are not eth0, eth1 ... is systemd. They are renamed so as not to lose the origin after a reboot. It is a case like the discs by uuid.

    https://juncotic.com/eth0-enp0…res-interfaces-red-linux/

    Clear your browser's cache.

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!