My last post showed how to set up OpenVPN in TAP mode. Unfortunately, TAP is not supported on iOS (I'm using the official OpenVPN app from the App Store).
This post is a continuation of that one. So we already have a bridge (br0) configured and OpenVPN running in TAP mode. Now we want to add a second listener in TUN mode for iOS. We will reuse the same keys (hence the duplicate-cn option in both server configs).
The OpenVPN side is easy. OpenVPN will scan for .conf files in /etc/openvpn, so just create /etc/openvpn/server-tun.conf with contents like so:
Now you just need to configure the Linux side.
We want to configure sysctl to make the kernel forward traffic out to the internet.
Persist this setting by editing /etc/sysctl.conf to uncomment this line:
Next up you need to configure the firewall to perform NAT. Typically:
The ufw forwarding policy needs to be set as well. We'll do this in ufw's primary configuration file, which contains the line DEFAULT_FORWARD_POLICY="DROP". This must be changed from DROP to ACCEPT. It should look like this when done:
Next we will add additional ufw rules for network address translation and IP masquerading of connected clients.
Add the following to the top of your before.rules file:
We are allowing traffic from the OpenVPN clients out via br0, our bridge interface configured previously.
Finally, enable the firewall:
Your client profile will be pretty much identical to the TAP version. Here's what it should look like:
Install this on your device. You’re now able to connect using TUN and TAP using a single openvpn server, using the same keys/identities.
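The steps above, collected into one script as an added example (this is not the post's own code). It generates the second server config, the sysctl line, the NAT block for before.rules and the forward-policy change, and can write them under a scratch directory first so you can review the result before touching the real host. Assumptions, since the post does not state them: the TUN listener uses UDP port 1195 and the 10.8.0.0/24 pool, the key files are named ca.crt, server.crt, server.key and dh2048.pem under /etc/openvpn, ufw's primary configuration file is /etc/default/ufw, and the client profile points at the placeholder hostname vpn.example.com.

```shell
#!/bin/sh
# Added example, not from the original post. Port, pool, key file names and
# the server hostname are assumptions; adjust them to match your TAP setup.
set -eu

TUN_PORT="${TUN_PORT:-1195}"             # assumed: separate port from the TAP listener
TUN_NET="${TUN_NET:-10.8.0.0}"           # assumed: address pool for TUN clients
TUN_MASK="${TUN_MASK:-255.255.255.0}"    # must agree with TUN_CIDR below
TUN_CIDR="${TUN_CIDR:-10.8.0.0/24}"
BRIDGE_IF="${BRIDGE_IF:-br0}"            # bridge interface from the previous post
SERVER_HOST="${SERVER_HOST:-vpn.example.com}"  # placeholder, replace with your host

# Second OpenVPN listener in TUN mode, reusing the TAP server's keys.
# duplicate-cn lets the same client identity be connected over TUN and TAP.
gen_server_tun_conf() {
  cat <<EOF
port $TUN_PORT
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server $TUN_NET $TUN_MASK
push "redirect-gateway def1"
duplicate-cn
keepalive 10 120
persist-key
persist-tun
EOF
}

# The line to keep uncommented in /etc/sysctl.conf.
gen_sysctl_line() { printf 'net.ipv4.ip_forward=1\n'; }

# nat table block for the top of /etc/ufw/before.rules: masquerade the TUN
# pool out through the bridge, as the post describes.
gen_nat_rules() {
  cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $TUN_CIDR -o $BRIDGE_IF -j MASQUERADE
COMMIT
EOF
}

# Client profile for the iOS app. The OpenVPN Connect app expects the ca,
# cert and key inline (<ca>...</ca> etc.), exactly as in your TAP profile.
gen_client_ovpn() {
  cat <<EOF
client
dev tun
proto udp
remote $SERVER_HOST $TUN_PORT
resolv-retry infinite
nobind
persist-key
persist-tun
EOF
}

# Flip DEFAULT_FORWARD_POLICY from DROP to ACCEPT in the given file
# (portable sed, no -i so it also behaves on non-GNU systems).
set_forward_policy() {
  f="$1"
  sed 's/^DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$f" > "$f.new"
  mv "$f.new" "$f"
}

# Write everything under $1 (empty string = the real root filesystem).
# Safe to re-run: each fragment is only added once.
install_tun_listener() {
  root="${1:-}"
  mkdir -p "$root/etc/openvpn" "$root/etc/ufw" "$root/etc/default"
  gen_server_tun_conf > "$root/etc/openvpn/server-tun.conf"
  gen_client_ovpn > "$root/etc/openvpn/client-tun.ovpn"
  grep -qx 'net.ipv4.ip_forward=1' "$root/etc/sysctl.conf" 2>/dev/null \
    || gen_sysctl_line >> "$root/etc/sysctl.conf"
  rules="$root/etc/ufw/before.rules"
  touch "$rules"
  if ! grep -q '^\*nat' "$rules"; then
    { gen_nat_rules; cat "$rules"; } > "$rules.new" && mv "$rules.new" "$rules"
  fi
  [ -f "$root/etc/default/ufw" ] && set_forward_policy "$root/etc/default/ufw"
  if [ -z "$root" ]; then
    sysctl -w net.ipv4.ip_forward=1   # apply immediately on the live host
  fi
}

# `sh tun-listener.sh install` on the host (as root), or
# `sh tun-listener.sh install /tmp/rehearsal` to inspect the output first.
if [ "${1:-}" = "install" ]; then
  install_tun_listener "${2:-}"
fi
```

After a real install, open the new port and enable the firewall (`ufw allow 1195/udp`, then `ufw enable`), restart OpenVPN so it picks up server-tun.conf, and copy client-tun.ovpn with your inline certificates to the device.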