@GlitchWitch
Last active May 3, 2024 09:24
OpenVPN Server for LAN Access only (no internet forwarding)

How to setup an OpenVPN server for LAN Access only

Install OpenVPN

```bash
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
```

Edit server.conf

/etc/openvpn/server/server.conf

Change the OpenVPN client subnet so it does not collide with other OpenVPN connections: replace `server 10.8.0.0 255.255.255.0` with `server 10.5.0.0 255.255.255.0`.

Comment out the following so that Internet traffic (and DNS) is not routed through the VPN:

```
#push "redirect-gateway def1 bypass-dhcp"
#push "dhcp-option DNS 1.1.1.1"
#push "dhcp-option DNS 1.0.0.1"
```

Add the following so that VPN clients receive a route to the LAN:

```
# 10.13.37.254 is the OpenVPN server's LAN IP
push "route 10.13.37.254 255.255.255.0"
push "route 10.13.37.0 255.255.255.0"
```

Edit client.conf

Comment out the following in client.conf and in /etc/openvpn/server/client-common.txt (the template new client configs are generated from):

```
#ignore-unknown-option block-outside-dns
#block-outside-dns
```

Add LAN Routes

Add a static route on DD-WRT (Routing.asp) so LAN hosts can send replies back to VPN clients:

```
Destination LAN NET 10.5.0.0
Subnet Mask 255.255.0.0
Gateway 10.13.37.254
```

Add a static route in the pfSense VM (system_routes.php):

```
Destination network
10.5.0.0 / 32
Gateway
10.13.37.1
```
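The steps above boil down to three properties that are easy to get wrong by hand: nothing that sends Internet or DNS traffic through the tunnel may remain active in server.conf, `block-outside-dns` must be gone from the client config, and the LAN router's return route must cover the whole VPN client pool. The following checker is an added example, not part of the gist; it embeds the gist's server and client configs as constructed strings, lints them for those properties, and derives the return route (VPN pool as destination, the OpenVPN server's LAN IP from `local` as gateway) so the DD-WRT and pfSense entries above can be compared against it. It uses only the Python standard library.

```python
import ipaddress
import shlex

# Server config as shown in the gist above, embedded as a constructed string so
# the checks run offline (assumption: this matches the live server.conf).
SERVER_CONF = """\
local 10.13.37.254
port 1337
proto tcp
dev tun
topology subnet
server 10.5.0.0 255.255.255.0
#push "redirect-gateway def1 bypass-dhcp"
push "route 10.13.37.254 255.255.255.0"
push "route 10.13.37.0 255.255.255.0"
#push "dhcp-option DNS 1.1.1.1"
#push "dhcp-option DNS 1.0.0.1"
client-to-client
"""

# Client config with the two lines the gist says to comment out (constructed).
CLIENT_CONF = """\
client
dev tun
proto tcp
remote X.X.X.X 1337
#ignore-unknown-option block-outside-dns
#block-outside-dns
"""

OPENVPN_DEFAULT_POOL = ipaddress.ip_network("10.8.0.0/24")


def parse_conf(text):
    """Return (directive, args) pairs for every active line; '#'/';' lines are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)  # keeps a quoted push payload as one token
        entries.append((parts[0], parts[1:]))
    return entries


def pushed_options(entries):
    """Split each push "..." payload into its own directive tokens."""
    return [args[0].split() for name, args in entries if name == "push" and args]


def vpn_pool(entries):
    """Client address pool from the 'server' directive, or None if absent."""
    for name, args in entries:
        if name == "server" and len(args) >= 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    return None


def server_findings(text):
    """Problems that defeat a LAN-only setup; an empty list means server.conf is clean."""
    entries = parse_conf(text)
    findings = []
    pool = vpn_pool(entries)
    if pool is None:
        findings.append("missing 'server' directive")
    elif pool.overlaps(OPENVPN_DEFAULT_POOL):
        findings.append(f"pool {pool} overlaps OpenVPN's default {OPENVPN_DEFAULT_POOL}")
    for opt in pushed_options(entries):
        if opt[0] == "redirect-gateway":
            findings.append("redirect-gateway is pushed: client Internet traffic would use the tunnel")
        elif opt[0] == "dhcp-option" and len(opt) > 1 and opt[1].upper() == "DNS":
            findings.append(f"DNS server {opt[2] if len(opt) > 2 else '?'} is pushed to clients")
        elif opt[0] == "route" and len(opt) >= 3 and pool is not None:
            net = ipaddress.ip_network(f"{opt[1]}/{opt[2]}", strict=False)
            if net.overlaps(pool):
                findings.append(f"pushed route {net} overlaps the VPN pool {pool}")
    return findings


def client_findings(text):
    """An active block-outside-dns forces Windows clients to resolve DNS only via the tunnel."""
    return [f"'{name}' is still active" for name, _ in parse_conf(text)
            if name == "block-outside-dns"]


def return_route(text):
    """Static route the LAN router needs so LAN hosts can answer VPN clients:
    (destination = VPN pool, gateway = OpenVPN server's LAN address from 'local').
    A router not on that segment points at its next hop toward that address instead."""
    entries = parse_conf(text)
    pool = vpn_pool(entries)
    local = next(args[0] for name, args in entries if name == "local")
    return str(pool), local


def check_router_route(text, destination, mask_or_prefix):
    """Compare a router's static-route destination with the VPN pool; returns problems."""
    want = ipaddress.ip_network(return_route(text)[0])
    got = ipaddress.ip_network(f"{destination}/{mask_or_prefix}", strict=False)
    if not got.supernet_of(want):
        return [f"route {got} does not cover the VPN pool {want}; replies to most clients would not return"]
    if got != want:
        return [f"route {got} is wider than the VPN pool {want}"]
    return []


if __name__ == "__main__":
    print("server.conf:", server_findings(SERVER_CONF) or "LAN-only OK")
    print("client.conf:", client_findings(CLIENT_CONF) or "OK")
    print("router needs route:", return_route(SERVER_CONF))
    print("DD-WRT entry :", check_router_route(SERVER_CONF, "10.5.0.0", "255.255.0.0"))
    print("pfSense entry:", check_router_route(SERVER_CONF, "10.5.0.0", "32"))
```

Run against the gist's own values, the server and client configs pass, and the derived return route is 10.5.0.0/24 via 10.13.37.254. The router checks report the DD-WRT mask 255.255.0.0 as wider than the /24 pool and the pfSense /32 as not covering it; a /32 matches only the single address 10.5.0.0, so if LAN hosts cannot reach VPN clients that entry is the first thing to compare with the pool mask.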
Client configuration file

```
client
dev tun
proto tcp
remote X.X.X.X 1337
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
verb 3
```
Server configuration file (/etc/openvpn/server/server.conf)

```
local 10.13.37.254
port 1337
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.5.0.0 255.255.255.0
#push "redirect-gateway def1 bypass-dhcp"
push "route 10.13.37.254 255.255.255.0"
push "route 10.13.37.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
#push "dhcp-option DNS 1.1.1.1"
#push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
client-to-client
persist-key
persist-tun
verb 3
crl-verify crl.pem
```