OpenVPN

Overview

OpenVPN may be optionally installed by the Quick Installer. Once this is done, you can create a client configuration and manage the openvpn-client service with RaspAP.

Enabling OpenVPN

To configure an OpenVPN client, upload a valid .ovpn file from your provider and, optionally, specify your login credentials. For clarity, these steps are described below:

  1. Enter your credentials, if needed, into the Username and Password fields.
  2. Browse to your provider's .ovpn file and choose Save settings.
  3. Confirm that the OpenVPN client.conf uploaded successfully.
  4. Choose Start OpenVPN.

The video walkthrough below illustrates the steps of configuring an OpenVPN client from start to finish.

Tunneling traffic

RaspAP will store your client configuration and add firewall rules to forward traffic from OpenVPN's tun0 interface to your configured wireless interface. In the example below, the default AP interface wlan0 is used:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT

Public IP address

After a page reload, your new public IPv4 address will be indicated. Click or tap the icon to open a new window with details about your public IP.

Multiple client configs

RaspAP lets you manage multiple OpenVPN client configurations. This includes the ability to upload, activate and delete any number of valid .ovpn files and associated login credentials. Thereafter, switching between them is done by simply activating the desired profile. Traffic is automatically routed to clients connected on the AP interface.

Activating a profile will restart the openvpn-client service automatically. Additionally, openvpn-service activity may be tracked in the Logging tab.

Certificate authentication

You may also authenticate with a certificate issued by a signing certificate authority (CA). This is an alternative to the default username and password authentication, and is often used with a private or self-hosted OpenVPN server.

To use this method, upload an OpenVPN configuration file (.ovpn) with the certificate authority (CA) certificate, client certificate and client private key enclosed in tags as described above.
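
A profile prepared for certificate authentication can be checked before upload. The script below is an added example, not RaspAP's own code: it looks for OpenVPN's inline <ca>, <cert> and <key> blocks and reports whether each is present, closed and holds a PEM BEGIN/END pair. The function names and the sample profile (hostname and PEM bodies) are constructed for illustration.

```shell
# Added example (not RaspAP code): pre-upload check that an .ovpn profile
# carries inline <ca>, <cert> and <key> blocks, each closed and holding PEM.
# check_inline_block FILE TAG -> prints: ok | missing | unclosed | no-pem
check_inline_block() {
    awk -v tag="$2" '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # tolerate CRLF and indentation
        $0 == ("<" tag ">")  { seen = 1; inside = 1; next }
        $0 == ("</" tag ">") { if (inside) closed = 1; inside = 0; next }
        inside && /^-----BEGIN [A-Z ]+-----$/         { opened = 1 }
        inside && opened && /^-----END [A-Z ]+-----$/ { pem = 1 }
        END { print (!seen ? "missing" : !closed ? "unclosed" : !pem ? "no-pem" : "ok") }
    ' "$1"
}

# check_ovpn FILE -> one status line per block; returns 0 only if all three are ok
check_ovpn() {
    rc=0
    for tag in ca cert key; do
        st=$(check_inline_block "$1" "$tag")
        printf '%-5s %s\n' "$tag" "$st"
        [ "$st" = ok ] || rc=1
    done
    return "$rc"
}

# Constructed sample profile: the hostname and PEM bodies are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
client
remote vpn.example.net 1194
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
EOF
}

sample=$(mktemp) && write_sample "$sample" && check_ovpn "$sample"; rm -f "$sample"
```

A "missing" result for all three blocks usually means the profile points at separate certificate and key files instead of embedding them.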

Mitigating DNS leaks

Remote hosts use a variety of methods to defeat VPNs, some more aggressively than others. Many VPN providers will advise you to configure custom DNS servers to mitigate DNS leaks, which you can do from RaspAP's DHCP > Advanced tab. You can also test for this with https://dnsleaktest.com/.

Other providers have specific VPN nodes to use with popular streaming services. It's recommended to check with your provider and follow their suggestions.

When an OpenVPN client is configured, RaspAP adds NAT rules with iptables to forward all packets from the AP interface to tun0. If you suspect network traffic is not being routed through tun0 (or any other interface) for some reason, you can monitor this directly from your RPi with iftop:

sudo apt install iftop
sudo iftop -i [interface]

Browser considerations

The Mozilla Foundation recently added a DNS over HTTPS (DoH) proprietary service to its Firefox browser. As of this writing, this "feature" is enabled by default for users in the United States. A consequence of DoH is that DNS requests will be resolved by Mozilla's DNS servers, instead of your VPN provider's. Instructions for disabling this DoH may be found here.

Troubleshooting

See the FAQ section for OpenVPN.

Discussions

Questions or comments about using OpenVPN? Join the discussion here.