Phoning Home with OpenVPN

31st July 2019

I wanted to be able to get to my home LAN, but my ISP didn't fancy giving out a static address, so I moved the VPN endpoint to the cloud. The goal was to access my home NAS securely, ideally using OpenVPN (so ssh tunnelling shenanigans were off the table).

After some consultation with friends, I reached the conclusion that since my home address was not static, and I wanted to avoid using dynamic DNS due to cost, the simplest option would be to leverage a Digital Ocean instance, hosting the OpenVPN server there. Within my LAN I would place an OpenVPN client, with a connection set to start on boot.

Installing the OpenVPN server was finicky, but relatively straightforward. I used the Digital Ocean walkthrough; I've found their guides to be very helpful, and didn't encounter any hiccups, aside from a near-miss: in my first test I didn't separate the CA and the OpenVPN server onto different machines.

The main issue that was bothering me was this: after following the guide, I had a functioning OpenVPN client and server, but each client could only see the server, not the other connected clients. This was easily solved by reading server.conf, deleting a single character (the comment marker in front of the directive below), and restarting:

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

I could now see my other connected hosts:

$ get-connected-hosts.sh
Virtual Address  Common Name
10.8.0.6         prosthetic-conscience
10.8.0.10        argonath

One problem remained, however: I could now prod and ssh into my client within my LAN, but I could go no further. It had to be a routing issue, since I was essentially trapped in the VPN's subnet, even though once logged into the LAN client I could still ping local machines. After a little while of not reading the documentation within the configuration file, I read the documentation within the configuration file and added the following to /etc/openvpn/server.conf:

# Suppose that you actually spent 30 minutes
# reading the documentation
# Per-client files, named after the certificate CN, live in /etc/openvpn/ccd
client-config-dir ccd
# Give the server's kernel a route to the LAN behind the client via the tunnel
route 192.168.0.0 255.255.255.0

"client-config-dir ccd" is relative to OpenVPN's working directory, so here it means /etc/openvpn/ccd; I simply created that folder. When a client connects, OpenVPN looks in it for a file named after the Common Name of the client's certificate. Since my home LAN's client connects with the argonath certificate, I created a file called "argonath" containing:

iroute 192.168.0.0 255.255.255.0

Super simple stuff. Note what each piece does: "route" gives the server's kernel a route to 192.168.0.0/24 through the tunnel, and "iroute" tells OpenVPN itself which connected client that subnet sits behind; nothing is pushed to the other clients. They can only reach the LAN if they already send all their traffic through the tunnel (redirect-gateway) or are handed the route with push "route 192.168.0.0 255.255.255.0". All that was left to do was restart OpenVPN (the clients reconnect, and also autostart on boot thanks to AUTOSTART="all" in /etc/default/openvpn) and enjoy! It goes without saying that one should be careful which subnets you choose to share with the wider world, no matter your access controls.

To confirm, the routing table in the OpenVPN status output should now list each attached subnet against the client that exports it:

Virtual Address  Common Name
10.8.0.6         prosthetic-conscience
10.8.0.10        argonath
192.168.0.0/24   argonath
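As an added example (not code from the original post, and not the author's get-connected-hosts.sh), the two halves of the procedure above in one script: writing the ccd file for a client, and reading the server's status file to confirm which subnet is routed to which Common Name. The function names, the scratch directory and the sample status file are my own; the status file is constructed data laid out in the default version-1 "status" format, using documentation address ranges and the CNs from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers around the ccd/iroute
# setup: write the per-client file, then confirm the export from the status
# file. Paths and the sample status contents are assumptions/constructed data.
set -eu

# Write the per-client config that tells the server which LAN sits behind a
# certificate. $1 = ccd directory, $2 = certificate Common Name, $3 = network,
# $4 = netmask. Overwrites any existing file for that CN.
write_ccd_entry() {
    ccd_dir=$1; cn=$2; net=$3; mask=$4
    # OpenVPN uses the CN verbatim as the filename, so only accept names that
    # cannot leave the directory or hide as dotfiles.
    case $cn in
        ''|*/*|.*|*[!A-Za-z0-9._-]*)
            echo "refusing to use common name '$cn' as a filename" >&2
            return 1 ;;
    esac
    mkdir -p "$ccd_dir"
    printf 'iroute %s %s\n' "$net" "$mask" > "$ccd_dir/$cn"
}

# Print "virtual-address common-name" for each line of the ROUTING TABLE
# section of a version-1 status file (the default "status" format).
# Attached subnets show up here as CIDR entries next to the owning CN.
routing_table() {
    awk -F, '
        /^ROUTING TABLE/ { rt = 1; next }
        /^GLOBAL STATS/  { rt = 0 }
        rt && $1 != "Virtual Address" { print $1, $2 }
    ' "$1"
}

# Succeed only if status file $1 shows $3 (address or CIDR) routed to CN $2.
has_route() {
    routing_table "$1" | grep -qxF "$3 $2"
}

# Constructed sample status file in the version-1 layout; real addresses are
# documentation ranges, the CNs are the ones from the post.
make_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Wed Jul 31 12:00:00 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
prosthetic-conscience,198.51.100.7:41194,4096,8192,Wed Jul 31 11:40:00 2019
argonath,203.0.113.5:1194,12345,67890,Wed Jul 31 11:02:00 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,prosthetic-conscience,198.51.100.7:41194,Wed Jul 31 12:00:00 2019
10.8.0.10,argonath,203.0.113.5:1194,Wed Jul 31 12:00:00 2019
192.168.0.0/24,argonath,203.0.113.5:1194,Wed Jul 31 12:00:00 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Demo: write the ccd entry into a scratch directory (use /etc/openvpn/ccd for
# real), then read the sample status the way a status-parsing script would.
work=$(mktemp -d)
write_ccd_entry "$work/ccd" argonath 192.168.0.0 255.255.255.0
cat "$work/ccd/argonath"

make_sample_status "$work/status.log"
printf '%-16s %s\n' 'Virtual Address' 'Common Name'
routing_table "$work/status.log" | while read -r addr cn; do
    printf '%-16s %s\n' "$addr" "$cn"
done

if has_route "$work/status.log" argonath 192.168.0.0/24; then
    echo "argonath is exporting 192.168.0.0/24"
fi
rm -rf "$work"
```

Point routing_table at the file named by the "status" directive in server.conf to use it for real. If the subnet shows up in the routing table but LAN hosts still don't answer, the remaining checks are on the home side: the LAN client must have IP forwarding enabled (net.ipv4.ip_forward=1), and the LAN hosts or their router need a return route to the VPN subnet (10.8.0.0/24 here) via that client, or the client must masquerade the VPN traffic.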