🛡️ OpenVPN Implementation - Office Network Access

Edit Page New Page Revisions

📋 Overview

This document outlines the steps taken to implement a secure OpenVPN solution for accessing internal resources (like VMs and web servers) from an external location via a public IP.

🌐 Network Overview

  • TP-Link Gateway (VPN Traffic): 192.168.1.1

  • Jio Gateway (VMs & Internal Sites): 192.168.0.1

  • OpenVPN Server Public IP: 49.249.34.138

  • OpenVPN Server NICs:

    • ens18 (TP-Link): 192.168.1.126

    • ens19 (Jio): 192.168.0.7

🖥️ Server-Side Configuration

🔧 Netplan Configuration

File: /etc/netplan/01-netcfg.yaml

yaml

network:
  version: 2
  ethernets:
    ens18:
      dhcp4: no
      addresses:
        - 192.168.1.126/24
      routes:
        - to: default
          via: 192.168.1.1
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4
    ens19:
      dhcp4: no
      addresses:
        - 192.168.0.7/24

🔐 OpenVPN Server Configuration

File: /etc/openvpn/server.conf

conf

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# DNS and Routing
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.0.0 255.255.255.0"

# Crypto
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM

# TLS Settings
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3🔁 Enable IP Forwarding
bash
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Make it permanent:

bash
sudo nano /etc/sysctl.conf # Uncomment or add: 
net.ipv4.ip_forward=1 
sudo sysctl -p

🔥 IPTables NAT Rule

bash
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d 192.168.0.0/24 -j MASQUERADE sudo iptables-save | sudo tee /etc/iptables/rules.v4

💻 Client Configuration (Windows)

  • Use OpenVPN GUI to import .ovpn file.

  • Ensure route is added automatically.

  • If not, add manually via Admin Command Prompt:

cmd
route add 192.168.0.0 mask 255.255.255.0 10.8.0.1 -p

✅ Result

  • VPN clients can connect via 49.249.34.138.

  • SSH and web access is now possible to internal VMs/sites in the 192.168.0.x network.

  • VPN traffic is routed via ens18 (TP-Link), while internal resources are accessed via ens19 (Jio).

🧠 Notes

  • The public IP (49.249.34.138) must forward port 1194/UDP to 192.168.1.126.

  • Make sure the OpenVPN subnet (10.8.0.0/24) is allowed in all internal firewalls.

  • Check and restart services if necessary:

    bash
sudo systemctl restart openvpn@server

Previous Page

Left

Next Page

Right
On this page