Ubuntu – Use Steam’s In-Home Streaming across VPN (OpenVPN)


Like the question says, I would like to set up an OpenVPN server using TAP mode to facilitate the game-streaming capabilities built into Steam to stream from a Windows 7 gaming machine to an externally located Ubuntu 14.04 laptop at work or school. This would allow an Ubuntu user to connect to their steam account on their Windows machines and stream non-linux games to their Ubuntu hardware!

Here is the general idea of what I want to accomplish:


*********************internet*******************internet**********************

Ubuntu Laptop (Steam) <—> Ubuntu OpenVPN server <—> Windows Machine (Steam)

We will want to use OpenVPN to create a VPN network on the server that both our Ubuntu Laptop and Windows client can connect to. We must use TAP to forward the full Ethernet frame data as Steam's in-home streaming service does not play well with IP tunnels (TUN). Once both machines are connected to the VPN they will begin broadcasting that their libraries are available for streaming.

Current Network Topography:


School/work Ubuntu 14.04 laptop

  • hostname chimaera-linux
  • dynamic internet ip (ipv4)
  • dynamic local ip (10.1.10.x)
  • hardwired connection to eth0

Ubuntu 14.04 KVM virtual machine running OpenVPN

  • hostname cerberus-vm
  • public static internet ip (x.y.145.133) on eth0 (ipv4, hardwired)
  • no local ip or local network

Windows 7 Pro desktop

  • hostname windoze
  • dynamic internet ip (ipv4)
  • dynamic local ip (192.168.0.x)
  • hardwired connection to eth0

Requirements:


  • The clients connected to the VPN must be able to use TAP adapters to send traffic to/from the VPN network. TUN WILL NOT WORK!
  • The VPN network should also be able to forward traffic from the clients to the internet and back (so that we can connect to the VPN and use it as a secure method of browsing).
  • Connection settings should be as secure as possible to prevent MITM attacks or other shenanigannary.
  • The internal VPN network should be stand-alone meaning that it does not allow or interface with either client's or server's respective local networks. I'm not looking to set up a VPN network that allows me to ping other local devices on the server's network – only to be able to connect to other VPN clients using their internal VPN IPs.

Steps towards success!


  1. Found and used https://help.ubuntu.com/lts/serverguide/openvpn.html as a guide to install OpenVPN on the server and set up certificates. No issues!
  2. Found and adapted http://www.slsmk.com/getting-started-with-openvpn/installing-openvpn-on-ubuntu-server-12-04-or-14-04-using-tap/ because the server docs talk about setting up a TUN instead of a TAP. At this point, clients CAN connect and authenticate with the VPN server but traffic does not flow between clients and clients cannot access the internet through the VPN!

Relevant configs/system info


  1. The Ubuntu VPN client is configured through network-manager according to the LTS server docs.

  2. The Windows 7 client is using the OpenVPN-gui package from openvpn.net

  3. Can provide any config files at request. I can't seem to figure out how to paste them in here without them getting royally screwed on formatting even in the code tickmarks.

Problem Areas and Mysteries


  1. I just cannot seem to wrap my head around the vpn routes or "push" commands in server.conf for openvpn. I suspect that this is the main reason why I can connect but can't seem to get traffic in or out of the vpn to other clients or to the internet.

  2. I have played with iptables and masquerading and all that to no avail. At this point I don't think that's the problem. Right now iptables is completely unconfigured and accepts all traffic.

  3. I have not configured (and don't need?) any bridging or special network settings on any of the clients.

Best Answer

I got it working with OpenVPN (using TAP) after a lot of work. No luck with TUN, I believe it cannot work with TUN since there is no UDP broadcast possible with it (which apparently Steam In-home Streaming uses to detect peers).

I run the OpenVPN server on my router, an Archer C7 V2 running OpenWRT (Barrier Breaker).

Below is the server config file I use. Modification is necessary, where should be clear:

client-to-client
persist-key
persist-tun
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/erb-router-c7.crt
# Device name must match the bridge member listed in /etc/config/network
dev tap_myvpn
dh /etc/openvpn/dh2048.pem
keepalive 10 120
key /etc/openvpn/erb-router-c7.key
log /tmp/openvpn.log
mode server
port 1194
proto udp
route-gateway dhcp
server 10.8.0.0 255.255.255.0
status /var/log/openvpn_status.log
topology subnet
verb 3
# Each pushed option is passed to push as a single quoted argument
push "topology subnet"
push "route-gateway dhcp"
push "persist-key"
push "persist-tun"

Here is my client config (The host machine running Windows, a similar config is used on the client machine running Ubuntu):

client
float

dev tap
proto udp
remote YOUR_HOSTNAME_OR_IP_HERE 1194

log "C:/Program Files/OpenVPN/config/log.txt"
verb 3

resolv-retry infinite
nobind

persist-key
persist-tun

remote-cert-tls server    
ca "C:/Program Files/OpenVPN/config/ca.crt"
cert "C:/Program Files/OpenVPN/config/erb-main-7.crt"
key "C:/Program Files/OpenVPN/config/erb-main-7.key"

I've done so much with the OpenWRT config that I'm not sure if this is all that is required for someone to replicate my success. But the short version is: Use TAP and not TUN, make sure your VPN clients can talk to each other by specifying the client-to-client parameter in the server config. In OpenWRT I've also set up the network interface and the firewall as specified in the OpenWRT wiki for OpenVPN.

If you have any questions, I'll do my best to answer them.

Edit, on request:

/etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd0f:252f:ed29::/48'

config interface 'lan'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option _orig_ifname 'eth1 wlan0 wlan1'
    option _orig_bridge 'true'
    option ifname 'eth1 tap_myvpn'

config interface 'wan'
    option ifname 'eth0'
    option proto 'dhcp'

config interface 'wan6'
    option ifname '@wan'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 2 3 4 5'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '1 6'

config interface 'vpn0'
    option ifname 'tun0'
    option proto 'none'
    option auto '1'

Selected part from /etc/config/firewall, may not provide entire context but I don't want my entire firewall file to be known. Please inform me of eventual redundancy and mistakes:

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'udp'
        option dest_port '1194'

config zone
        option name 'vpn'
        option masq '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'vpn0'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'wan'
        option src 'vpn'

config forwarding
        option dest 'vpn'
        option src 'lan'
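
An added example, not part of the original answer: a small Python check that a TAP server config, a client config and the OpenWRT `/etc/config/network` bridge are consistent with each other, including the `remote-cert-tls server` setting the client relies on against a man-in-the-middle. The function names and the sample strings are constructed for illustration.

```python
import shlex

def parse_openvpn(text):
    """Map each OpenVPN directive to the list of argument lists it appears with."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        name, *args = shlex.split(line)
        conf.setdefault(name, []).append(args)
    return conf

def bridge_members(uci_text, iface):
    """Return the ifname members of one `config interface` section (UCI syntax)."""
    current, members = None, set()
    for line in uci_text.splitlines():
        parts = shlex.split(line)
        if parts[:1] == ["config"]:
            current = parts[2] if len(parts) > 2 else None
        elif parts[:2] == ["option", "ifname"] and current == iface:
            members.update(parts[2].split())
    return members

def audit(server_text, client_text, uci_text, bridge="lan"):
    """Return a list of findings; an empty list means every check passed."""
    srv, cli = parse_openvpn(server_text), parse_openvpn(client_text)
    findings = []
    dev = next((a[0] for a in srv.get("dev", []) if a), "")
    if not dev.startswith("tap"):
        findings.append("server: dev is not a TAP device")
    elif dev not in bridge_members(uci_text, bridge):
        findings.append(f"server: {dev} is not a member of bridge '{bridge}'")
    if "client-to-client" not in srv:
        findings.append("server: client-to-client missing")
    for args in srv.get("push", []):
        if len(args) != 1:                   # push takes one quoted string
            findings.append(f"server: push needs one quoted argument: {' '.join(args)}")
    if ["server"] not in cli.get("remote-cert-tls", []):
        findings.append("client: remote-cert-tls server missing")
    return findings

# Constructed samples in the style of the configs above; the misspelled
# device name and the unquoted push are deliberate so that the checks fire.
SERVER = 'client-to-client\ndev tap_mypvn\nproto udp\npush topology subnet\npush "route-gateway dhcp"\n'
CLIENT = 'client\ndev tap\nproto udp\nremote-cert-tls server\n'
NETWORK = "config interface 'lan'\n    option type 'bridge'\n    option ifname 'eth1 tap_myvpn'\n"

if __name__ == "__main__":
    for finding in audit(SERVER, CLIENT, NETWORK):
        print(finding)
```
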