Wherein I set up OpenVPN on my VPS so that I can access my home network (which is behind forced NAT and can't accept inbound connections of any kind) while I'm away from home.


I live in student accommodation where I receive 'free Internet' (indirectly paid for through exorbitant rent fees) provided by KeySurf/KeyCom. This is accessible in two different ways:

  • Building-wide open WiFi (no security at all)
  • An Ethernet port in my room

Connecting to either of these gets you a captive portal where you must log in with your KeySurf account. You can also use the web interface to add specific devices by MAC address, which is necessary for stuff like the Nintendo 3DS.

I'm 99% sure that everybody in the building shares the same external IP address, though I haven't confirmed this for sure -- I know that my devices definitely do. Regardless, there is no way to set up port forwarding of any kind... so good luck getting remote access!

A friend gave me a TP-Link TL-WR710N router running OpenWRT (which I've since upgraded to LEDE 17.01.4). This has allowed me to set up a miniature home network, which is quite useful as it means that my laptop and desktop (plus VMs running on the latter) can communicate with each other reliably.

Of course, this only works when I'm actually physically there. Can I remotely access the network so that I can work on my desktop and access files when I'm not at home? The answer is yes -- but it took me the better part of a day to figure out the correct series of magical incantations (and a couple of experiments with magical "it just works" software packages that didn't end up actually working, like ZeroTier One and SoftEther VPN).

I'll spare you the details of how I actually got there and just describe the setup I ended up with, and how it works...

Network Setup

The router is running LEDE 17.01.4 and is accessing the Internet through the WAN interface. I've configured IP addressing as follows:

  • Router:
  • Laptop:
  • Desktop:
  • Subnet Mask:

I assigned static leases to my machines to make working with them easier, but this isn't strictly necessary for the OpenVPN setup to function.

Note: I've got the subnet mask set to rather than the somewhat more obvious as a leftover from one of my failed experiments (following somebody else's guide to set up ZeroTier One). The latter would probably work as well, but I'm hesitant to change now that I have things working.

OpenVPN Setup: Server

My VPS is currently running OpenVPN 2.4 on Arch Linux.

I used easy-rsa to create a certificate infrastructure with keys for the server, router and laptop. This is a fairly standard setup; there are plenty of guides for this.

The following files from the process are in /etc/openvpn/server: ca.crt, server.crt, server.key, ta.key, dh.pem, as well as the following configuration in server.conf:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-crypt ta.key
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
status openvpn-status.log
verb 3

Note about the setup -- the OpenVPN network is on with subnet mask The OpenVPN server automatically assigns itself IP

Additionally, you need to create a client configuration directory at /etc/openvpn/server/ccd, containing the following files. Note that the name of the file needs to match the 'common name' specified when you created the certificate for that device. No extension!


push "route"

The ifconfig-push command assigns the router to on the OpenVPN network.

The iroute command tells the OpenVPN server to route all packets on the subnet (my home network) towards this device.

The push route command tells the router to route all OpenVPN network packets towards the OpenVPN server.


push "route"

The ifconfig-push command assigns the laptop to on the OpenVPN network.

The push route command tells the laptop to route all home network packets through the OpenVPN server.

No iroute is needed because the only packets going to the laptop are destined for the laptop itself -- this is in contrast to the router, where packets going to the home network need to be explicitly directed towards it.

OpenVPN Setup: Client 1 (Laptop)

This is a modified and pruned version of the template client configuration. I'm using it with Tunnelblick on macOS, but I see no reason it wouldn't work on other platforms as well.

The following files are included alongside the configuration: ca.crt, laptop.crt, laptop.key, ta.key

dev tun
proto udp
remote tres.wuffs.org 1194
resolv-retry infinite
ca ca.crt
cert laptop.crt
key laptop.key
tls-crypt ta.key
verb 3

OpenVPN Setup: Client 2 (Router)

Getting OpenVPN to work on the router is pretty straightforward, thankfully. Install openvpn-openssl using opkg.

The following files should be in /etc/openvpn: ca.crt, router.crt, router.key, ta.key, along with the following configuration in vpn.conf:

dev tun
proto udp
remote tres.wuffs.org 1194
resolv-retry infinite
ca ca.crt
cert router.crt
key router.key
tls-crypt ta.key
verb 3

Run /etc/init.d/openvpn start and with any luck, OpenVPN will start.

You may find it helpful when debugging to simply run OpenVPN in the foreground using openvpn /etc/openvpn/vpn.conf and view the log messages - this goes for the setup on the other devices too, not just the router.

Router Setup

Once all of this has been set up, you should have both devices connected to the VPN and you should be able to ping across the OpenVPN network: the router should be able to ping the laptop at, and the laptop should be able to ping the router at

However, to make the home network accessible, you'll need to set up forwarding on the firewall. Thankfully this is pretty straightforward via the firewall settings in LEDE's LuCI.

From Network > Interfaces, select Add new interface, and enter the following:

  • Name: tun0
  • Protocol: Unmanaged
  • Create a bridge: [unchecked]
  • Cover the following interface: tun0

Now go to Network > Firewall. Create a new Zone, with the following settings:

  • Name: tun
  • Input: accept
  • Output: accept
  • Forward: reject
  • Masquerading: [unchecked]
  • MSS clamping: [unchecked]
  • Covered networks: tun0
  • Allow forward to destination zones: lan only
  • Allow forward from source zones: lan only

Save and apply everything.

If all has gone well you should now be able to access devices on the home network (the 10.99.4.x subnet) while connected to the VPN, no matter where you are.

Caveats / Room for Improvement?

There are a couple of issues I didn't bother trying to troubleshoot and fix because I was already tired of OpenVPN/firewall configuration and I'm not particularly bothered by them.

SMB (Windows file sharing) appears to work fine over the network, but names are not resolved automatically so you must for example access \\ rather than \\TRASH.

OpenVPN client 1 (the laptop) can access the 10.99.4.x subnet, but the server itself can't. This is probably pretty straightforward to fix by adding extra routing rules but I didn't want the hassle.

Let me know on Twitter (@_Ninji) or through some other means if you found this useful!