I wanted to use Steam’s in-home streaming feature outside of my home. It turns out that you can do this via VPN. OpenVPN is relatively simple to setup in TUN mode, but TAP mode is more complicated due to bridging.
It took gathering information from a few different sources (referenced at the end of this article) to produce an up-to-date tutorial for a TAP-based VPN configuration.
This is our basic network topology, or rather, the topology we hope to configure towards:
Router & DHCP Server
DHCP Range: 192.168.1.10 to 192.168.1.237
IP: 192.168.1.206 (DHCP Reservation)
VPN Clients IP Range: 192.168.1.238 - 192.168.1.254
Install OpenVPN, bridge tools, and Easy-RSA
Although you will see examples of bridge configurations with static addresses defined, this did not work for me. I would not be able to access the outside internet. I looked into the ubuntu wiki on bridging (see references) and discovered a configuration for a simple, dhcp based bridge. This worked best for me. Everything after
bridge_ports is from a different TAP tutorial – I don’t know what they do!
The simplest way to check this is to reboot
shutdown -r now and then test if the outside internet is still accessible
ping google.com and to look at the output of
Extract the example VPN server configuration into
Open the server config, e.g.
Configure the following, yours may be different depending on your topology:
Create the scripts that will execute when the OpenVPN service starts and stops. These scripts add and remove the OpenVPN interface to the servers br0 interface.
Make these scripts executable
Generate the keys
Copy over the easy-rsa variables file and make the keys directory
/etc/openvpn/easy-rsa/vars and configure your defaults, e.g.
You must also set the
KEY_NAME="server", the value is referenced by the openvpn config.
Generate the Diffie-Hellman parameters
Now move to the easy-rsa dir, source the variables, clean the working directory and build everything:
Make sure that you responded positively to the prompts, otherwise the defaults are
no and the key creation will not complete.
Next, move the key files over to the openvpn directory
You’re ready to start the server
If the server is not running, look in
/var/log/syslog for errors
So far we’ve installed and configured the OpenVPN server, created a Certificate Authority, and created the server’s own certificate and key. In this step, we use the server’s CA to generate certificates and keys for each client device which will be connecting to the VPN. These files will later be installed onto the client devices such as a laptop or smartphone.
To create separate authentication credentials for each device you intend to connect to the VPN, you should complete this step for each device, but change the name client1 below to something different such as client2 or iphone2. With separate credentials per device, they can later be deactivated at the server individually, if need be. The remaining examples in this tutorial will use client1 as our example client device’s name.
As we did with the server’s key, now we build one for our client1 example. You should still be working out of
Again you need to respond positively when presented with yes or no prompts. You should not enter a challenge password.
You can repeat this section again for each client, replacing client1 with the appropriate client name throughout.
The example client configuration file should be copied to the Easy-RSA key directory too. We’ll use it as a template which will be downloaded to client devices for editing. In the copy process, we are changing the name of the example file from client.conf to client.ovpn because the .ovpn file extension is what the clients will expect to use.
Edit the client profile to reflect your server’s IP address and configure it for tap. Also be sure to replace my-server-1 with your VPN server’s IP or domain name.
Finally, you can transfer client1.crt, client1.key, client.ovpn, and ca.crt over to your client.
Now you can
scp that over to your Mac, double-click to extract, and then double-click the
.tblk file to allow Tunnelblick to install the profile.
Are you running on VMWare VSphere or ESXi? If so you need to configure your switch in promiscuous mode.
If you manually configure a DNS (e.g. 126.96.36.199), does it work? Then you can configure your openvpn server to
push DNS configuration to the clients.
Add a line like this to the openvpn server config: