Building OpenVPN for gaming

October 13th, 2009 by raspi

This is an OpenVPN setup for gaming in which the VPN's own internal network is not connected to any physical LAN. The topology is star shaped: the OpenVPN server runs on a high-bandwidth connection, on a virtual machine or dedicated server in some ISP's server room, so that latency is minimal for all connected gamers (failing that, the guy with the most upload bandwidth should host it). Every player and game-server host connects to this server and OpenVPN handles the rest of the networking. It is also layer 2 (TAP), so everyone sees MAC addresses, UDP broadcasts work, and so on.

Install OpenVPN

aptitude install openvpn

Setting up OpenVPN server

/etc/openvpn/server.conf:

mode server
tls-server
port 1194
proto udp
dev tap
client-to-client
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/servername.crt
key /etc/openvpn/easy-rsa/keys/servername.key
# build-dh (below) writes dh<KEY_SIZE>.pem; OpenSSL 1.1.0 and later reject DH and RSA
# keys this small by default, so on a current system use KEY_SIZE=2048 and dh2048.pem
dh /etc/openvpn/easy-rsa/keys/dh384.pem
ifconfig-pool-persist ipp.txt
# nothing is bridged here, so assign 10.10.10.1 to the server's tap0 yourself (up script),
# or use "server 10.10.10.0 255.255.255.0", which also works with dev tap and does it for you
server-bridge 10.10.10.1 255.255.255.0 10.10.10.128 10.10.10.250
# the pushed option must be quoted and names the network, not the gateway host
push "route 10.10.10.0 255.255.255.0"
keepalive 5 60
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
user nobody
group nogroup
# this allows more than one connection at a time from the same key;
# good if you just want to give one "gaming" certificate to everybody
#duplicate-cn

Set up easy-rsa and build the certificates:

mkdir /etc/openvpn/easy-rsa
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa

Modify the “vars” file with your favorite editor.

Change export KEY_SIZE=1024 to export KEY_SIZE=384. We don’t need much encryption for gaming.

Modify export KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL to your liking.

Save the file.

source ./vars
./clean-all
./build-ca
./build-key-server servername
./build-dh

Use one of

/etc/init.d/openvpn restart
/etc/init.d/openvpn start
/etc/init.d/openvpn stop

to restart, start or stop the OpenVPN server.
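The server.conf above writes a status file (status /var/log/openvpn-status.log) that lists who is connected and, because this is a TAP setup, which MAC address each client has been seen with. The parser below is an added example, not code from the original post; the status text it reads is a constructed sample in OpenVPN's default status-version-1 layout, and the client names and addresses in it are made up.

```python
"""Parse the OpenVPN status file named by 'status' in server.conf.

Added example, not code from the original post. It reads the default
status-version-1 layout; with 'dev tap' the ROUTING TABLE column
"Virtual Address" holds each client's MAC address rather than an IP.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of /var/log/openvpn-status.log (not a real capture).
SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Tue Oct 13 20:15:02 2009
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,198.51.100.7:51234,1048576,2097152,Tue Oct 13 19:01:11 2009
bob,203.0.113.9:1194,4096,8192,Tue Oct 13 20:10:45 2009
carol,192.0.2.44:40001,512,0,Tue Oct 13 20:14:58 2009
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:12:34:56:78,alice,198.51.100.7:51234,Tue Oct 13 20:14:59 2009
00:ff:9a:bc:de:f0,bob,203.0.113.9:1194,Tue Oct 13 20:15:00 2009
GLOBAL STATS
Max bcast/mcast queue length,3
END
"""


@dataclass
class Session:
    common_name: str
    real_address: str
    bytes_received: int
    bytes_sent: int
    connected_since: str
    virtual_addresses: List[str] = field(default_factory=list)


def parse_status(text: str) -> List[Session]:
    """Return one Session per connected client, in file order.

    Sessions are keyed internally by real address (client IP:port), which stays
    unique even when 'duplicate-cn' lets several players share one certificate.
    """
    by_real: Dict[str, Session] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "END":
            continue
        if line in ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS"):
            section = line
            continue
        fields = line.split(",")
        if section == "OpenVPN CLIENT LIST":
            # skip the "Updated,<time>" line and the column header
            if fields[0] in ("Updated", "Common Name") or len(fields) < 5:
                continue
            cn, real, rx, tx, since = fields[:5]
            by_real[real] = Session(cn, real, int(rx), int(tx), since)
        elif section == "ROUTING TABLE":
            if fields[0] == "Virtual Address" or len(fields) < 4:
                continue
            vaddr, real = fields[0], fields[2]
            if real in by_real:
                by_real[real].virtual_addresses.append(vaddr)
    return list(by_real.values())


def traffic_totals(sessions: List[Session]) -> Tuple[int, int]:
    """Sum (bytes received, bytes sent) over all sessions, from the server's point of view."""
    return (sum(s.bytes_received for s in sessions), sum(s.bytes_sent for s in sessions))


def sessions_without_mac(sessions: List[Session]) -> List[str]:
    """Clients that are connected but for which no MAC has been learned yet, i.e. the
    TAP side has not sent a single frame; a good first check when someone "can't see" the game."""
    return [s.common_name for s in sessions if not s.virtual_addresses]


if __name__ == "__main__":
    for s in parse_status(SAMPLE_STATUS):
        print(f"{s.common_name:8} {s.real_address:22} macs={s.virtual_addresses} "
              f"rx={s.bytes_received} tx={s.bytes_sent}")
    print("no MAC yet:", sessions_without_mac(parse_status(SAMPLE_STATUS)))
```

Point parse_status at the contents of the real status file to see the same information for your own server; a client that appears in the client list but never gets a MAC in the routing table is usually one whose TAP adapter on Windows is not the one the game (or the OS) is actually using.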

Adding clients

Replace clientX with the actual username wanted.

cd /etc/openvpn/easy-rsa
source ./vars
./build-key-pkcs12 clientX

Copy the clientX.p12 file from the “keys” directory to some directory.

Create the following clientX.ovpn file:

client
dev tap
proto udp
#replace this with your OpenVPN server hostname/IP
remote 192.168.0.123 1194
resolv-retry infinite
nobind
# OpenVPN 2.5 and later dropped ns-cert-type; use "remote-cert-tls server" there
ns-cert-type server
comp-lzo
verb 3
pull
# Replace this with your own .p12 certificate file
pkcs12 clientX.p12

Send the certificate (.p12) and the .ovpn file to your buddy.

Windows client configurations / troubleshooting

We used OpenVPN GUI as the Windows client. Download the .ovpn and .p12 files to the C:\Program Files\OpenVPN\config directory. Click Connect on OpenVPN GUI’s taskbar icon and you should be connected.

To minimize problems, set the OpenVPN TAP Adapter as the first interface in the network configuration (adapter binding order). This required a reboot for me before Windows XP acknowledged it. Remove unnecessary protocols from the TAP interface (such as QoS).

Wireshark is your friend. Use it to find out whether games are shouting their packets at the wrong network instead of the VPN IP network. 99.9% of LAN games use UDP broadcast to announce themselves, so use “udp” as the filter.

Ping and arp -a are also good for basic connectivity testing. Some firewalls block ping (ICMP), so be aware of that too. Other good tools are netstat and TCPView for finding out which port the game is listening on.

If you’re running some old games through a virtual machine, set the virtual machine’s network adapter to OpenVPN’s TAP Adapter. IPX packets should go through too because TAP is layer 2 (but I didn’t test this).

I also found the ForceBindIP application, which forces a specified application onto a certain network card or network card IP. It might come in handy if a game keeps picking the wrong NIC or IP network.
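The troubleshooting above comes down to one question: does a UDP broadcast sent from the TAP adapter's IP reach the other players, or is the game sending it out of the wrong NIC? The script below is an added example, not from the original post or from ForceBindIP. It is a tiny made-up discovery protocol (a "DISCOVER?" datagram answered with "GAME <name>"), an announcer that plays the game server, and a probe that binds to a chosen local IP before broadcasting, which is the same effect ForceBindIP has on a game. The 10.10.10.255 broadcast address is derived from the subnet in server.conf; the self-test uses loopback so it runs without a VPN.

```python
"""Check whether LAN-game style UDP discovery works from a chosen local IP.

Added example, not code from the original post. The DISCOVER?/GAME protocol
is constructed for this demo; real games use their own announcement formats.
"""
import socket
import threading
import time
from typing import List, Tuple

DISCOVER = b"DISCOVER?"
ANNOUNCE_PREFIX = b"GAME "


class Announcer(threading.Thread):
    """Stand-in for a game server: answers every DISCOVER? datagram with its name.

    On a real VPN member bind to "" (all interfaces) so that broadcasts sent to
    10.10.10.255 are received; the self-test binds to loopback instead.
    """

    def __init__(self, listen_ip: str, port: int, game_name: str):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((listen_ip, port))
        self.sock.settimeout(0.2)            # wake up regularly to check the stop flag
        self.port = self.sock.getsockname()[1]
        self.game_name = game_name.encode()
        self.stop = threading.Event()

    def run(self) -> None:
        while not self.stop.is_set():
            try:
                data, peer = self.sock.recvfrom(1500)
            except socket.timeout:
                continue
            if data == DISCOVER:
                self.sock.sendto(ANNOUNCE_PREFIX + self.game_name, peer)
        self.sock.close()


def probe(bind_ip: str, dest_ip: str, port: int, wait: float = 1.0) -> List[Tuple[str, str]]:
    """Send one discovery datagram from bind_ip to dest_ip:port and collect (peer, game) replies.

    Binding to bind_ip pins the datagram to that NIC, which is what you want to
    verify for the TAP adapter (bind_ip=<your 10.10.10.x>, dest_ip="10.10.10.255").
    """
    found: List[Tuple[str, str]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind((bind_ip, 0))
        s.sendto(DISCOVER, (dest_ip, port))
        deadline = time.monotonic() + wait
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            s.settimeout(remaining)
            try:
                data, peer = s.recvfrom(1500)
            except socket.timeout:
                break
            if data.startswith(ANNOUNCE_PREFIX):
                found.append((peer[0], data[len(ANNOUNCE_PREFIX):].decode("utf-8", "replace")))
    return found


def loopback_selftest(wait: float = 0.5) -> List[Tuple[str, str]]:
    """Run announcer and probe on 127.0.0.1 (no VPN needed) and return what the probe saw."""
    ann = Announcer("127.0.0.1", 0, "quake2-dm")
    ann.start()
    try:
        return probe("127.0.0.1", "127.0.0.1", ann.port, wait)
    finally:
        ann.stop.set()
        ann.join()


if __name__ == "__main__":
    print("loopback:", loopback_selftest())
```

To test a real link, run Announcer("", 27999, "mygame").start() on the box hosting the game and probe("<your TAP IP>", "10.10.10.255", 27999) on another player's machine; an empty result while Wireshark on the announcer side shows no "udp" traffic from the prober means the broadcast left the wrong interface or was dropped by a firewall on the way.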

Sources
