matt-horton

Hi, I have installed the Torrent Server appliance on a physical machine. However, I need it to connect to a VPN.

Can I install OpenVPN on to the Torrent Server machine or would you recommend installing the OpenVPN appliance on a separate machine and connecting to my VPN provider through that?

Also, would the machine running OpenVPN need two network cards? (one going to the torrent server and the other going to my router?)

Many thanks

Jeremy Davis

(At least in theory) assuming that you only need to connect to an existing OpenVPN server/gateway, then you should only need to install the Debian 'openvpn' package and then upload the config. FWIW most of the complexity of our OpenVPN appliance is the fact that it can be configured as a client, server or gateway. Client is the simplest config AFAIK.

Having said that, I don't have a ton of experience doing that myself. I have worked a bit on our OpenVPN appliance, but it's mostly been minor updates here and there with basic testing to confirm it still works! :)

You can install the OpenVPN Debian package like this:

apt update
apt install openvpn

Then the Debian wiki has some info on it. TBH, it's not completely clear and it does contain info for servers, clients and gateways, but hopefully it might help?

Assuming that all traffic will be via the VPN, AFAIK there is no need for additional physical interfaces, that should all be handled at a software level. Although as I say, I haven't had tons of experience, so hopefully I'm not leading you astray.

It's also worth explicitly noting that TurnKey is based on (and binary compatible with) Debian (v15.x = Debian 9/Stretch). Almost everything that applies to Debian in a general sense, should apply to TurnKey also. Ubuntu is also based on Debian so more often than not, Ubuntu instructions will also often apply to TurnKey. However, be somewhat careful as Ubuntu and TurnKey/Debian are NOT binary compatible. So avoid installing software from Ubuntu PPAs!

Good luck with it and please feel free to post back if you hit specific issues that you need a hand with. Also please share any progress you have as I'm sure it will be useful for other users.

matt-horton

Thanks for the help. I ended up getting another machine and installing the OpenVPN appliance to connect through to get to my VPN provider. I'm having a bit of trouble with setting up IP tables. I'm following the documentation at https://www.turnkeylinux.org/docs/openvpn

My details are:


IP of appliance: 192.168.1.4
IP of router: 192.168.1.1
Subnet mask: 255.255.255.0

However, this is what my IPTable file looks like:


# Generated by iptables-save v1.6.0 on Sat May  4 01:22:34 2019
*filter
:INPUT DROP [1:198]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:680]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12320 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12321 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -s 192.0.0.0/4 -i eth0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -i eth0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 192.0.0.0/4 -i eth0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -i eth0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 192.0.0.0/4 -i eth0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A f2b-sshd -j RETURN
COMMIT
# Completed on Sat May  4 01:22:34 2019
# Generated by iptables-save v1.6.0 on Sat May  4 01:22:34 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Sat May  4 01:22:34 2019
# Generated by iptables-save v1.6.0 on Sat May  4 01:22:34 2019
*mangle
:PREROUTING ACCEPT [690:57622]
:INPUT ACCEPT [690:57622]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [434:59908]
:POSTROUTING ACCEPT [434:59908]
COMMIT
# Completed on Sat May  4 01:22:34 2019

I don't think this looks right? I don't think the commands to edit this have worked for me. Can I make the changes manually?

Jeremy Davis

You don't explicitly say, but I'm assuming that it's still not working?! I can probably safely assume that seeing as you've posted back here...! :)

As I've perhaps mentioned already, unfortunately, neither OpenVPN nor Firewall config are my strong points. Also I'm not sure how good that documentation is. It's quite old, last edited early 2018 so would have been directly relevant to the previous major version release I expect, or possibly earlier. FWIW it looks like the bit that you are using was actually added from this thread so that might also be worth a read?!

From a glance, the thing that jumps out at me from your firewall conf is the usage of the 192.0.0.0/4 subnet. Perhaps that's part of your network setup, but it seems like a particularly large subnet to me. According to an IP/netmask calculator I just checked, it includes IPs from 192.0.0.1 to 207.255.255.254; a total of over a quarter of a million IPs (268,435,454 to be precise)!
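
A check along the lines discussed above, as an added example that is not part of the original posts: it reads `iptables-save` output and flags source networks wider than the LAN, repeated rules, and MASQUERADE rules with no `-o` interface. The `audit` function, the `SAMPLE` text and the 192.168.1.0/24 default (taken from the poster's stated subnet mask) are assumptions for illustration.

```python
import ipaddress
import shlex
from collections import Counter

# Constructed sample: a trimmed copy of the FORWARD and POSTROUTING rules
# from the iptables-save output posted earlier in this thread.
SAMPLE = """\
*filter
-A FORWARD -s 192.0.0.0/4 -i eth0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -i eth0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 192.0.0.0/4 -i eth0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
"""

def audit(rules_text, lan="192.168.1.0/24"):
    """Return (table, rule, finding) tuples for an iptables-save dump."""
    lan_net = ipaddress.ip_network(lan)
    findings, seen, table = [], Counter(), None
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
            continue
        if not line.startswith("-A "):    # skip comments, policies, COMMIT
            continue
        seen[(table, line)] += 1
        if seen[(table, line)] > 1:       # report a repeated rule once
            if seen[(table, line)] == 2:
                findings.append((table, line, "duplicate rule"))
            continue
        args = shlex.split(line)
        if "-s" in args:
            src = ipaddress.ip_network(args[args.index("-s") + 1], strict=False)
            if not src.subnet_of(lan_net):
                findings.append((table, line,
                    f"source {src} = {src.num_addresses} addresses "
                    f"({src[0]} to {src[-1]}), wider than LAN {lan_net}"))
        if args[1] == "POSTROUTING" and "MASQUERADE" in args and "-o" not in args:
            findings.append((table, line, "MASQUERADE not limited to one interface"))
    return findings

if __name__ == "__main__":
    for table, rule, finding in audit(SAMPLE):
        print(f"[{table}] {finding}\n    {rule}")
```

To check a live ruleset instead of the sample, pass the text of `iptables-save` to `audit()` with the LAN subnet of the machine being checked.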

matt-horton

Haha, I definitely don't have or need 250k IPs! I was a bit confused about the number after the '/'. I've changed it to /24 now! My IPTables file is all messed up though, and for some reason even if I manually make changes to it, it adds a load of incorrect lines back into it when I run "iptables-save | tee /etc/iptables.up.rules". I'm going to format and reinstall and try again.

matt-horton

The documentation is correct - I also made a credentials.txt to go along with my vpn .conf file so it would automatically log me in upon rebooting the OpenVPN appliance. I also found that uncommenting AUTOSTART="client" in /etc/default/openvpn was unnecessary because of moving and renaming the .ovpn file to a .conf file. The original .ovpn file does not need to remain in the original location.

Jeremy Davis

Really glad to hear that you got it working. Plus extra bonus to have confirmation that the existing docs are ok! :)

Thanks for posting back.
