Using OpenVPN to play old games with your friends

There are many great games from the past that we could play with our friends. Unfortunately, many of these games don't support internet properly anymore as they rely on an online service that has been shut down. While we could use a service like Hamachi or Tunggle to create a virtual network, it is much more sensible to set up our own VPN, as we then have control over our own virtual network. In this guide we will be setting up OpenVPN with a focus on playing games on Microsoft Windows.

OpenVPN on the server

First, we will install OpenVPN together with easy-rsa for certificate management:

emerge -a openvpn easy-rsa

OpenVPN uses TSL/SSL to encrypt the traffic between the server and clients. Therefore we have to set up our own certificate authority (CA) to hand out certificates to the users of our VPN. First copy the template directory from easy-rsa to our home directory:

cp -a /usr/share/easy-rsa ~/certs
cd ~/certs

We have to modify some variables inside the certs folder we have just created. First rename the example file vars.example to vars:

mv vars.example vars

Next, we will have to edit the default settings for new certificates, including properties like the country, the province, the city, the organisation name and the e-mail address. Those can be found at the bottom of the vars file. Once you have edited the variables, you want to source the file:

source vars

We want to ensure that we start in a clean environment:


Build the CA as follows and press ENTER for each field that is being prompted, as the tool will use the variables from vars:


Now we will build a server certificate and key pair:

./build-key-server games

Once again, the prompts will use the values in vars. Therefore you can simply press ENTER again. Make sure to not enter a challenge password when prompted. When asked to sign and commit the certificate, enter y.

Next, we generate strong Diffie-Hellman keys to use during the key exchange:


Finally, we generate an HMAC signature:

openvpn --genkey --secret keys/ta.key

Now that the keys have been generated, copy them to the OpenVPN directory:

cp ca.crt games.crt games.key ta.key dh2048.pem /etc/openvpn

Add the following to /etc/openvpn/games.conf to tell OpenVPN where to find the certificate and keys to use:

ca certs/keys/ca.crt
cert certs/keys/games.crt
key certs/keys/games.key
dh certs/keys/dh2048.pem

We will also be using the default port, UDP over both IPv4 and IPv6 and the TAP interface:

port 1194
proto udp
proto udp6
dev tap

user nobody
group nobody

We will set up OpenVPN to allocate IPs from for our clients and allow client-to-client communication over the network:

push "route"
push "route-metric 512"
push "route"
topology subnet

To make sure that we can configure static IPs for our clients, we tell OpenVPN where to find the list of persistent IPs:

ifconfig pool-persist games-ips.txt

We also enable compression and connection keepalive:

keepalive 10 120

Finally, we tell OpenVPN where to store the log files:

status /var/log/openvpn/games-status.log
log /var/log/openvpn/games.log
verb 4

After OpenVPN has been configured we set up the service and start it:

ln -s /etc/init.d/openvpn /etc/init.d/
/etc/init.d/ start
rc-update add default

Generating client certificates

While it is recommended to generate a client certificate and key pair on the client itself and then to sign the certificate by the server/CA, it is also possible to generate a client certificate and key pair on the server for simplicity. Browse to the directory that we previously created to generate the server certificate and key pair and source the vars file:

cd ~/certs
source vars

Using the build-key shell script we can generate client certificate and key pairs for as many clients as we like. For instance, to create one for a client named client1, run the following command:

./build-key client1

We can also create a certificate and key pair that is password-protected using:

./build-key-pass client1

Make sure that the client has the client1.key and client1.crt files.

Signing client certificates

To sign a certificate request, client1.csr for example, run the following command:

./sign-req --sign client1.csr

This should result in a client certificate client1.crt to send to the client.

Adding static IPs

We can assign static IPs to our clients by adding them to the /etc/openvpn/games-ips.txt file. For instance, to always assign IP to client1, we have to add the following entry:


Setting up the client

Download and install the OpenVPN client from the OpenVPN website. Then browse to where OpenVPN is installed and create a config directory. Download the server certificate ca.crt to this directory.

Using easy-rsa, we can generate the client certificates as mentioned before:

cd easy-rsa
source vars
./build-key client1

This should generate a private key client1.key and a certificate request client1.csr. We have to send the client1.csr to the server to sign it. Once it is signed, we can get the actual certificate client1.crt to store in our config directory. Alternatively, the server can also generate a certificate and private key pair.

Finally, we create a client config in the config directory to connect with the OpenVPN server. Add the following to games.ovpn:

dev tap
proto udp
remote 1194
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.crt
verb 3

Now connect with the server.

Game discovery

One of the problems that many games have is that when you try to find LAN games, that they will end up using the wrong network interface by default. To fix this, the VPN network interface has to be priortised over the default one. Go to Network Connections from Networking and Sharing Center. There you should see a VPN Network TAN-Windows Adapter V9 interface. Right-click it and select "Properties", you should be presented with the following window:


Select "Internet Protocol Version 4 (TCP/IPv4)" and click on "Properties":


Click on "Advanced":


Set the interface metric from automatic to manual and input 5 as its value and close the windows. Now you should be able to find your friend's hosted game using LAN discovery.