My last post showed how to set up OpenVPN in TAP mode. Unfortunately, TAP is not supported on iOS (I’m using the official OpenVPN app from the App Store).
This post is a continuation of that one. We already have a bridge (br0) configured and OpenVPN running on it in TAP mode. Now we want to add a second listener in TUN mode for iOS. We will reuse the same key, hence the duplicate-cn option in both server configs.
The OpenVPN side is easy. OpenVPN will scan for .conf files in /etc/openvpn, so just:
Rename /etc/openvpn/server.conf to /etc/openvpn/server-tap.conf
Create /etc/openvpn/server-tun.conf with contents like so:
```
port 1190
```
Now you just need to configure the Linux side.
We want to configure sysctl so that the kernel forwards traffic out to the internet.
```
echo 1 > /proc/sys/net/ipv4/ip_forward
```
Persist this setting by editing /etc/sysctl.conf to uncomment this line:
```
net.ipv4.ip_forward=1
```
Next, you need to configure the firewall to perform NAT. Typically:
```
ufw allow ssh
```
The ufw forwarding policy needs to be set as well. We’ll do this in ufw’s primary configuration file.
```
vim /etc/default/ufw
```
Look for DEFAULT_FORWARD_POLICY="DROP". This must be changed from DROP to ACCEPT. It should look like this when done:
```
DEFAULT_FORWARD_POLICY="ACCEPT"
```
Next we will add additional ufw rules for network address translation and IP masquerading of connected clients.
```
vim /etc/ufw/before.rules
```
Add the following to the top of your before.rules file:
```
*nat
```
This allows traffic from the OpenVPN clients out through br0, the bridge interface configured previously.
Finally, enable the firewall:
```
ufw enable
```
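As an added example (not from the original post), here is a small POSIX shell audit of the Linux-side settings above, meant to be run before `ufw enable`; the file paths and check names are assumptions, with defaults matching the post:

```shell
#!/bin/sh
# Added example, not from the original post: audit the settings changed above
# before running `ufw enable`. Paths are parameters (defaults match the post)
# so the checks can also be run against copies of the files.

# Both listeners need duplicate-cn because one client certificate serves the TAP
# and the TUN profile (so one leaked key also works from several devices at once),
# and they must not claim the same port (OpenVPN's default is 1194).
check_server_confs() {
    grep -q '^duplicate-cn' "$1" || return 1
    grep -q '^duplicate-cn' "$2" || return 1
    tap_port=$(awk '$1 == "port" { print $2; exit }' "$1")
    tun_port=$(awk '$1 == "port" { print $2; exit }' "$2")
    [ -n "$tun_port" ] && [ "${tap_port:-1194}" != "$tun_port" ]
}

# Forwarding must be enabled persistently (an uncommented sysctl.conf line) ...
check_sysctl_forward() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# ... and live in the kernel ($1 is normally /proc/sys/net/ipv4/ip_forward).
check_live_forward() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# ufw must not drop forwarded packets.
check_ufw_policy() {
    grep -Eq '^DEFAULT_FORWARD_POLICY="ACCEPT"[[:space:]]*$' "$1"
}

# before.rules needs a *nat table that masquerades and is closed by COMMIT.
check_nat_table() {
    awk '/^\*nat/                 { nat = 1; next }
         nat && /-j MASQUERADE/   { masq = 1 }
         nat && /^COMMIT/         { if (masq) good = 1; nat = 0 }
         END                      { exit good ? 0 : 1 }' "$1"
}

# Print one line per check; return non-zero if any check failed.
report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; return 1; fi; }
audit_forwarding() {
    rc=0
    report check_server_confs   "${1:-/etc/openvpn/server-tap.conf}" "${2:-/etc/openvpn/server-tun.conf}" || rc=1
    report check_sysctl_forward "${3:-/etc/sysctl.conf}"               || rc=1
    report check_live_forward   "${4:-/proc/sys/net/ipv4/ip_forward}" || rc=1
    report check_ufw_policy     "${5:-/etc/default/ufw}"              || rc=1
    report check_nat_table      "${6:-/etc/ufw/before.rules}"         || rc=1
    return $rc
}
```

Run `audit_forwarding` with no arguments on the server itself, or pass the six paths explicitly to check copies of the files.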
Your client profile will be pretty much identical to the TAP version. Here’s what it should look like:
```
client
```
Install this on your device. You can now connect over TUN or TAP to a single OpenVPN server with the same keys and identities.