Published on December 29, 2020

Installation

Install OpenVPN:

apk add openvpn

Public Key Infrastructure

Install EasyRSA:

apk add easy-rsa

Copy the template at /usr/share/easy-rsa to its own directory:

cp -a /usr/share/easy-rsa ~/certs
cd ~/certs
mv vars.example vars

Edit ~/certs/vars:

set_var EASYRSA_DN              "org"
set_var EASYRSA_REQ_COUNTRY     "US"
set_var EASYRSA_REQ_PROVINCE    "CA"
set_var EASYRSA_REQ_CITY        "SanFrancisco"
set_var EASYRSA_REQ_ORG         "YourOrganization"
set_var EASYRSA_REQ_EMAIL       "mail@example.com"

Set up the Public Key Infrastructure:

./easyrsa init-pki

Create the CA certificate:

./easyrsa build-ca

Generate the server certificate request and key:

./easyrsa gen-req games nopass

Sign the server certificate request:

./easyrsa sign-req server games

Generate the Diffie-Hellman parameters:

./easyrsa gen-dh

Generate the scret Hash-based message Authentication Code (HMAC):

./easyrsa --genkey --secret pki/ta.key

Upload the following files:

• ~/certs/pki/ca.crt => /etc/openvpn/games/ca.crt
• ~/certs/pki/dh.pem => /etc/openvpn/games/dh.crt
• ~/certs/pki/ta.key => /etc/openvpn/games/ta.key
• ~/certs/pki/issued/games.crt => /etc/openvpn/games/games.crt
• ~/certs/pki/private/games.key => /etc/openvpn/games/games.key

Configuration

Edit /etc/openvpn/games.conf:

port 1194
proto udp
proto udp6
dev tap

user nobody
group nobody

ca /etc/openvpn/games/ca.crt
cert /etc/openvpn/games/games.crt
key /etc/openvpn/games/games.key
dh /etc/openvpn/games/dh.pem
tls-auth /etc/openvpn/games/ta.key 0

server 10.42.42.0 255.255.255.0
client-to-client
push "route 10.42.42.0 255.255.255.0"
push "route-metric 512"
push "route 0.0.0.0 0.0.0.0"
topology subnet

persist-key
ifconfig-pool-persist games-ips.txt

keepalive 10 120
comp-lzo

status /var/log/openvpn/games-status.log
log /var/log/openvpn/games.log
verb 4

mkdir -p /var/log/openvpn
chown -hR openvpn: /var/log/openvpn

Create the symlink for a game-specific service:

ln -s /etc/init.d/openvpn /etc/init.d/openvpn.games

Allow TCP traffic on port 1194:

ufw allow 1194

Start the service:

/etc/init.d/openvpn.games start
rc-update add openvpn.games

Issuing Client Certificates

Create a private key, create a certificate request and sign it for the client (replace client with a unique identifier for the client):

./easyrsa build-client-full client nopass

Edit games.ovpn:

client
dev tap
proto udp

remote example.com 1194

resolv-retry 30
nobind

persist-key

ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1

comp-lzo
status /var/log/openvpn/games-status.log
log /var/log/openvpn/games.log
verb 3

Provide the user with the following files:

• ~/certs/psk/ca.crt
• ~/certs/psk/ta.key
• ~/certs/psk/private/client.key
• ~/certs/psk/issued/client.crt

You can then use OpenVPN to open the games.ovpn directly.

On Linux, it should also be possible to use the games.ovpn as /etc/openvpn/games.conf. Adjust the paths to the keys accordingly (e.g. by storing them in /etc/openvpn/games/). Then create symlink and run the OpenVPN service:

ln -s /etc/init.d/openvpn /etc/init.d/openvpn.games
/etc/init.d/openvpn.games start
rc-update add openvpn.games

Game Discovery

One of the problems that many games have is that when you try to find LAN games, that they will end up using the wrong network interface by default. To fix this, the VPN network interface has to be priortised over the default one. Go to Network Connections from Networking and Sharing Center. There you should see a VPN Network TAN-Windows Adapter V9 interface. Right-click it and select "Properties", you should be presented with the following window:

Select "Internet Protocol Version 4 (TCP/IPv4)" and click on "Properties":

Click on "Advanced":

Set the interface metric from automatic to manual and input 5 as its value and close the windows. Now you should be able to find your friend's hosted game using LAN discovery.

---

If you like my work or if my work has been useful to you in any way, then feel free to donate me a cup of coffee. Any donation is much appreciated!