Home Server Point-to-Point VPN Network


06-Jul-2011: initial release.
23-Aug-2012: configuration changed to netcfg.
06-Jan-2013: adjusted for Slackware.
29-Aug-2013: changed port from 1195 to 1196.



This article is about creating a Point-to-Point network between two home networks. This could be used to connect two family homes or two small business networks, everyone has his own reasons for a Point-to-Point network. The Point-to-Point network is created using OpenVPN, with that you can create a virtual ethernet connection as if the two networks are connected via a network card and a very long cross cable. The connection is encrypted and secured.

Currently in OpenVPN 2.2.x there is no support to configure IPv6 on the Point-to-Point connection. But because we are using tap devices on the endpoints, any ethernet frame can be transferred over the link, so IPv4 and IPv6 will work both. The problem is in the configuration. In the .conf script only IPv4 parameters can be set, to use IPv6 you must do all the interface configuring with scripts. It sounds more complicated then it really is. (It seems that the future 2.3 series can do IPv6 configuration).


Update network plan.

First, update the network plan, here we have added the subnet with it’s corresponding IPv6 subnet. We use and 2001:1af8:fecf:7ea3::1 for our local address. For the remote side we use and 2001:1af8:fecf:7ea3::2. You can use a totally different range if you like, but then routing will be a little more complicated. Just picking a address from our total space still leaves us 4 address blocks free.


Home Server network plan.
IPv4 IPv6 Remark 2001:1af8:fecf:7ea0::/64 Workstations LAN 2001:1af8:fecf:7ea1::/64 Server/Gateway LAN 2001:1af8:fecf:7ea2::/64 DMZ Network 2001:1af8:fecf:7ea3::/64 VPN trunk 2001:1af8:fecf:7ea4::/64 Spare 2001:1af8:fecf:7ea5::/64 Spare 2001:1af8:fecf:7ea6::/64 Spare 2001:1af8:fecf:7ea7::/64 Spare


Install OpenVPN.

Install OpenVPN on our local machine, create a working directory for the configuration, and generate a static key.

root@gateway:~# mkdir -p /etc/openvpn/wpl_mbse
root@gateway:/etc/openvpn/wpl_mbse# cd /etc/openvpn/wpl_mbse/
root@gateway:/etc/openvpn/wpl_mbse# openvpn --genkey --secret static.key
root@gateway:/etc/openvpn/wpl_mbse# chmod 400 static.key


Then in /etc/openvpn/wpl_mbse create wpl_mbse.up:


/sbin/ifconfig $1 netmask broadcast \
         add 2001:1af8:fecf:7ea3::1/64
/sbin/route add -net 10.xxx.xxx.x netmask gw
/sbin/route -A inet6 add 2001:1af8:feb8::/48 gw 2001:1af8:fecf:7ea3::2 $1


Then in /etc/openvpn/wpl_mbse create wpl_mbse.down:


/sbin/route -A inet6 del 2001:1af8:feb8::/48 gw 2001:1af8:fecf:7ea3::2 $1
/sbin/route del -net 10.xxx.xxx.x netmask gw
/sbin/ifconfig $1 del 2001:1af8:fecf:7ea3::1/64
/sbin/ifconfig $1 down


Make these both scripts mode 0755 and create /etc/openvpn/wpl_mbse.conf:

cd /etc/openvpn/wpl_mbse
remote 192.168.xxx.xxx
port 1196
dev tap0
keepalive 10 120
proto udp
verb 1
cipher DES-EDE3-CBC  # Triple-DES
script-security 3
up wpl_mbse.up
down wpl_mbse.down
secret static.key


A few remarks:

  • the remote address should be a fqdn (Full Qualified Domain Name) if possible, if the remote is on a dynamic IP and the IP changes, and everything is configured using some dynamic DNS updater, you have more chance to reconnect.
  • We use UDP port 1196 instead of 1194, leave 1194 (standard) and 1195 for ad-hoc road warriors to connect to the LAN. This is a different story to tell.
  • The directory and scripts are named after the from and to second level domain names. Do what you think fits best, but keep in mind that you can have more then one point-to-point connection.
  • The persists  and keepalive parameters make sure that the connection automatic reconnects if there was a problem on the Internet or with the other side of the link.
  • This setup makes us a client and server, both sides try to (re)start the connection at regular intervals.
  • So the firewall need to allow UDP port 1196 out and in.

On the remote you need the opposite configuration, but you don’t need to create the file static.key. Instead you must install our local generated key on the remote. This key file is the weak point, if you ever think it is stolen, generate a new key and use that.


Starting the link.

I have written an sysv init script /etc/rc.d/init.d/openvpn that with the following contents:

# sysv init script to start and stop openvpn connections on Slackware.
# Copyright 2012 Michiel Broek, The Netherlands.


case "$1" in
    echo -n "Starting openvpn connections: "
    mkdir -p "${STATEDIR}"
    for cfg in "${CFGDIR}"/*.conf; do
      echo -n "$(basename "${cfg}" .conf) "
      /usr/sbin/openvpn --daemon --writepid "${STATEDIR}"/"$(basename "${cfg}" .
conf)".pid --cd "${CFGDIR}" --config "${cfg}" || success=$?
    echo ""
    echo -n "Stopping openvpn connections: "
    for pidfile in "${STATEDIR}"/*.pid; do
      echo -n "$(basename "${pidfile}" .pid) "
      kill $(cat "${pidfile}" 2>/dev/null) 2>/dev/null
      rm -f "${pidfile}"
    echo ""
    $0 stop
    sleep 1
    $0 start
    echo -n "Openvpn connections: "
    mkdir -p "${STATEDIR}"
    for cfg in "${CFGDIR}"/*.conf; do
      if [ -f "${STATEDIR}"/"$(basename "${cfg}" .conf)".pid ]; then
        echo -n "$(basename "${cfg}" .conf)=up "
        echo -n "$(basename "${cfg}" .conf)=down "
    echo ""
    echo "usage: $0 {start|stop|restart|status}"


Now create symlinks for runlevel 3 and 4 to start openvpn and start openvpn:

root@gateway:/etc/rc.d/rc3.d# ln -s ../init.d/openvpn S01openvpn
root@gateway:/etc/rc.d/rc3.d# ln -s ../init.d/openvpn K99openvpn
root@gateway:/etc/rc.d/rc3.d# cd ../rc4.d
root@gateway:/etc/rc.d/rc4.d# ln -s ../init.d/openvpn S01openvpn
root@gateway:/etc/rc.d/rc4.d# ln -s ../init.d/openvpn K99openvpn
root@gateway:/etc/rc.d/rc4.d# /etc/rc.d/init.d/openvpn start
Starting openvpn connections: wpl_mbse


In your firewall you need to add this new network interface including the IPv4 and IPv6 addresses. Then, add a policy rule to allow all traffic on that interface. You can check the link with some ping commands:

mbroek@mgmtws:~$ ping -c1
PING ( 56(84) bytes of data.
64 bytes from icmp_req=1 ttl=62 time=4.83 ms

--- ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.831/4.831/4.831/0.000 ms
mbroek@mgmtws:~$ ping6 -c1 2001:1af8:fecf:7ea3::2
PING 2001:1af8:fecf:7ea3::2(2001:1af8:fecf:7ea3::2) 56 data bytes
64 bytes from 2001:1af8:fecf:7ea3::2: icmp_seq=1 ttl=62 time=5.40 ms

--- 2001:1af8:fecf:7ea3::2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 5.404/5.404/5.404/0.000 ms



See the download page for the script and configuration files.