VPN: ultimate configuration guide

Hello guys

I would like to add a OpenVPN Server to my NAS, but I'm not able to find a complete and updated guide on internet.

My need is to connect to the devices in my home from anywhere.

Somebody says OperVPN plugin (via OMV Extras) is better than Docker... but somebody, as opposite, says Docker is the only way to obtain a stable VPN.

Somebody says OpenVPN plugin has some bugs in gateway and routing options, preventing it to works as expected. Is it true? Are there really plugins that handle such a delicate service with bugs?

If I search for a guide in order to use OpenVPN plugin, I find only obsolete guides, with obsolete screenshots and unclear explanations.

Some guides even say to configure "like this" without explaining the reason for each single option, but VPN is a serious topic, why should I configure "like this"?.

If I look for a guide in order to use Docker, I find uncomplete documentation and difficult guides, and if I try to follow them, I get a VPN with a very basic configurations and difficult to debug. I love command line, but in year 2021 is there not a user interface for the milions of VPNs active on the whole world?

I'm sorry but after some hours on internet I'm not able to find an easy and ultimate guide to configure an OpenVPN server for OMV, via plugin or alternatively via docker.

Can you help me to find one?

Thankyou in advance.

Thank you for your answer, chente.

Wireguard seems interesting and I will evaluate it.

The sentence:

"Note:Do not change the default port, it only worked for me with that port. 51820 udp"

seems to me like:

"use it as you find, or something that I don't know will no works".

So I ask: why you didn't understand the issue? And do you trust something that you don't understand?

Thankyou chente for your explanation: I'm always corious to know what people think about the "trusting" and the "security" and you has been honest.
As I said, I will try this solution.

macom, I perceive from your answer that my last post came to you as arrogant. Probably it was: I'm sorry but my english is less than scholastic so I explain myself with the words and the ways I know. Sorry (also for chente, if he felt the same sensation).
I only want to know, with open mind, how can I trust a docker image that seems have a bug in configuration side.

(for those who will read in the future, I'm not saying that the image we talked about is buggy, but I'm dealing with a more generic discourse)

Quote

Here is the official documentation of openVPN.

It might be better you use it as a reference: https://openvpn.net/vpn-server…he-openvpn-access-server/

I'm afraid to install openVPN or other software from CLI, in a OMV machine.
My fear is that an OMV update/upgrade/dist-upgrade broke the configuration of the manually installed software.

For example, if I modify SMB configuration from CLI, the configuration itself will be overwritten by OMV, sooner or later.

Please, correct me if I'm wrong.

Quote

Why don't you search for yourself??????

Because I'm not able to do it.
This is why I'm looking for a TRUSTED software, WELL mantained, and with CLEAR documentation and FLEXIBLE configuration. Probably, If I was a linux genius, I was not using OMV but I started every single service I need from a basic installation of Debian, Centos or other ultra-stable distros. One of the strong points of OMV is that is pretty easy to use and powerful on its functionalities. VPN should be too, like SMB, FTP, SSH or the most used softwares in the world. But this is only my point of view.

macom, anyway thank you for your interest, for your answer and for the link to the official openvpn documentation.

Quote from chente

I usually try to change the default ports always. In this case it did not work. I assume that the package prepared by linuxserver needs that specific port to be able to work.

I made some tests today. Your solution, wireguard, is good.
For me changing port is perfectly working: it is necessary to change two lines in configuration (Line 14, and Line 23) as follow...

version: "2.1"
services:
  wireguard:
    image: ghcr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000                     #See point 1.
      - PGID=100                      #See point 1.
      - TZ=Europe/Rome                #Should be adjusted according to your location
      - SERVERURL=your.domain.com     #See point 2. Your domain, or your public IP
      - SERVERPORT=31001              #Put here your public port
      - PEERS=2                       #See point 2. Number of clients you want to configure
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0    #Only change if it conflicts
      - ALLOWEDIPS=0.0.0.0/0
    volumes:
      - /SSD/config:/config           #See point 1.
      - /lib/modules:/lib/modules
    ports:
      - 31001:51820/udp               #Redirect your public port to server's container port
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

If you want you can do your test and modify the guide,

TheFax

Hello Soma,

short answer is: yes.

I have more than one server in the same LAN (with different IP) and I can access them from everywhere when I'm connected via Wireguard.

Example: it is possible manage my router, connect via SMB to another server or any other operation that you do when you are connected in home LAN.

Also the internet traffic of the smarphone is redirected inside the Wireguard connection.

From what I've seen, broadcast packets are not redirected into the tunnel, so SMB discovery (and other discovery tools) has some difficulty to work, but I can be wrong because I made only few tests with a basic configuration.

This is the default behaviour, and I think this can be changed modifying the configuration.

Voilà...

(underscore for hide sensitive data)

192.168.0.53 is the static IP I use to connect to this machine.

172.18.0.2 is the IP of the Wireguard container (read from Portainer).

# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether _________________ brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.53/24 brd 192.168.0.255 scope global enp0s25
       valid_lft forever preferred_lft forever
3: br-439005c319a3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether _________________ brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-439005c319a3
       valid_lft forever preferred_lft forever
    inet6 _______________________/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether _________________ brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 _______________________/64 scope link
       valid_lft forever preferred_lft forever
6: vethe981129@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether _________________ brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 ________________________/64 scope link
       valid_lft forever preferred_lft forever
8: veth717b8f9@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-439005c319a3 state UP group default
    link/ether _________________ brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 _________________________/64 scope link
       valid_lft forever preferred_lft fore
ver