Gentoo Wiki


This article is part of the HOWTO series.



There are as many advantages to VPN tunnels as there are different VPN scenarios. One easy implementation is the "OpenVPN via tun-device" solution.

An example: you'd like to connect your laptop to your LAN at home so that you can use your mail client without reconfiguring it anytime you switch from home to internet and back. Let's say your mail-server is in your LAN ( at home, and you have got a router/firewall providing access to the Internet. You connect from work or school and want to read mail. OpenVPN can create two virtual devices for you when connecting two computers through an encrypted tunnel. Naturally you then have the possibility of forwarding traffic into the networks behind them, and thus would be "virtually connected" to your LAN behind the firewall. To enable this, either your firewall or a server behind it should run OpenVPN (if you choose a server in your LAN, you'll have to forward the destination port to the OpenVPN server).

Kernel Configuration

Linux Kernel Configuration: Enable the tun module in your kernel
Device Drivers --->
   Network device support --->
[*]Network device support
<M>   Universal TUN/TAP device driver support  // This option must be enabled

Install Software

Make sure the tun module exists and can be loaded using modprobe tun. Next, install OpenVPN and its dependencies on both the server and the client.

emerge openvpn

Now on both server and client, create a directory for your configuration:

mkdir -p /etc/openvpn/myhomelan

Inside that directory, create a shared key for your VPN session:

cd /etc/openvpn/myhomelan
openvpn --genkey --secret myhomelan-key.txt

Copy that key to the client's directory, /etc/openvpn/myhomelan, using for example scp or rsync.


Now for the tricky part, the routing. It is important that the two tun devices on the client and server use IP addresses from the same subnet. The configuration files shown below list the type of device, the two end-points of the tunnel, the compression method and the UDP port on which the tunnel is established. Finally, privileges are dropped to the user and group listed:

File: Server-side configuration file /etc/openvpn/myhomelan/local.conf
dev tun
ifconfig  // IP of the local tun device and its peer
secret /etc/openvpn/myhomelan/myhomelan-key.txt
port 5000
user nobody
group nobody

The client's configuration needs the tunnel's destination address. This is often a dynamic DNS address, sometimes a fixed IP, depending on your ISP. You also need to route to your home LAN ( in our example).

File: Client-side configuration file /etc/openvpn/myhomelan/local.conf
remote <servers.dynamic.dns.address> 5000  // or your VPN server's external IP if you have a fixed one
dev tun
ifconfig        // IP of the local tun device and its peer
secret /etc/openvpn/myhomelan/myhomelan-key.txt
user nobody
group nobody
route        // sets up the route to the network behind the VPN server

Note: remove the // comments from both examples before use. OpenVPN does not treat // as a comment marker (it recognises # and ;), yet it prints no error message when it meets one.
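Because OpenVPN accepts the // remarks silently, and because anyone who can read the shared key file can use the tunnel, it is worth linting both configuration files before starting the daemon. The following is an added example, not part of the original article; the function names are hypothetical and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Sample addresses are
# constructed, taken from the 192.0.2.0/24 documentation range.

# List lines carrying a "//" remark; return 1 if any exist.
# OpenVPN only treats "#" and ";" as comment markers.
find_slash_comments() {
    if grep -nE '(^|[[:space:]])//' "$1"; then return 1; fi
    return 0
}

# Print the config with "//" remarks and the blanks before them removed.
strip_slash_comments() {
    sed -E 's@(^|[[:space:]]+)//.*$@@' "$1"
}

# Return 0 only if the file named by "secret" exists and grants no
# permission bits to group or others.
check_secret_perms() {
    key=$(awk '$1 == "secret" { print $2; exit }' "$1")
    [ -n "$key" ] || { echo "no secret directive in $1"; return 1; }
    [ -f "$key" ] || { echo "key file missing: $key"; return 1; }
    mode=$(ls -ld "$key" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "key readable beyond owner: $key"; return 1; }
}

# Demo on a constructed config and a dummy key in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/key.txt"; chmod 644 "$d/key.txt"
    cat > "$d/local.conf" <<EOF
dev tun
ifconfig 192.0.2.1 192.0.2.2  // IP of the local tun device and its peer
secret $d/key.txt
port 5000
EOF
    find_slash_comments "$d/local.conf" || echo "-> remove the // remarks"
    strip_slash_comments "$d/local.conf" > "$d/clean.conf"
    check_secret_perms "$d/clean.conf" || chmod 600 "$d/key.txt"
    check_secret_perms "$d/clean.conf" && echo "key permissions ok"
    rm -rf "$d"
}
demo
```

Run the three functions against /etc/openvpn/myhomelan/local.conf on both the server and the client after copying the key.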

Also, if the VPN server is not your default gateway, you'll need to enable packet forwarding on the VPN server:

echo 1 > /proc/sys/net/ipv4/ip_forward

Or, to make this permanent (so it does not change back on reboot), change the following line:

File: Kernel settings /etc/sysctl.conf
net.ipv4.ip_forward = 1

and run the following to apply this setting now:

sysctl -p

and set the back route on the default gateway to your VPN server (let's assume

route add -net netmask gw

That's it. Start OpenVPN on the server and the client, and check the devices with ifconfig and the routes with route -n. Success!

From: Gentoo Weekly Newsletter: October 11, 2004, reprinted with permission.

--SmokesLikeaPoet 23:50, 13 Nov 2004 (GMT)



Last modified: Thu, 02 Oct 2008 23:33:00 +0000 Hits: 56,140