OpenVPN for DotA again, once and for all

Posted on: Wed, 02/28/2007 - 00:01 By: dae
Tags
howto

-- updated 08 March 07 --

From the stat at mybloglog, many ppl come to my web from the Google search about OpenVPN and DotA. I will summarize the howto again because my previous two entries do not give enough information.

First, let us define the problem. My particular problem is that we have several players sitting on different subnets and each subnet has a very strong firewall rules, i.e., the firewall block most of the ports and doesn't allow UDP package.

If this is not the case of you, e.g., your subnet is an open subnet then the solution is simple, just logon to any existing PvPGN server!!! (the battle.net emulator). That should solve all the problem.

However, in our case, we don't enjoy such luxury. Our network administrator are much more paranoid. UDP port is blocked, so that it is not possible for the gaming data to be sent between the player. The straightforward approach is to create some virtual privacy network (VPN). My solution uses OpenVPN. However, configuring OpenVPN is not a simple task for non-tech-savvy user. Besides, having everyone install OpenVPN seems like a bit over cost. The requirement is that the solution should be done in a minimum of fuzz.

I have to add a remark here that, if UDP is allow in your network, you might give Hamachi a try. Hamachi is a zero-configuration VPN. It is surprisingly easy to use and if every body can use Hamachi, that should be OK. But again, my situation does not sport such luxury.

In contrast, OpenVPN allows you to config various thing, you can pick protocol, port number, etc., at the cost of configuration complexity.

Now back to my solution. I am lucky enough to have a machine with a public fixed IP in one particular subnet. So, that machine is used as a central server for OpenVPN and PvPGN.

My solution is like this:

  1. Install PvPGN on that server.
  2. Install OpenVPN on that server also, and configure the server to forward the package from the VPN interface (Let that machine do NAT for its OpenVPN interface).
  3. Let the ppl on the different subnet (not the same subnet of the server) connect to the server, using OpenVPN.
  4. Let the ppl on the same subnet as the server create the game and let the others join.

This solution is possible because I configure OpenVPN to route every package from VPN client to the server subnet. Hence, gaming data using UDP port will be packed and sent to the game server via VPN, while other ppl on the same subnet of the server could directly use their network, without using OpenVPN.

Here are the detailed description of the solution.

Step 1 is really simple, just go to the PvPGN website, download the latest version and install, that should be OK.

Step 2 requires some manpower. I won't describe the detail here. My earlier post already gives some detail and the Official OpenVPN HOWTO provides a very detailed step-by-step explanation. In general, what you have to do is to set up OpenVPN server normally as described in the official how-to. Then, you have to re-configure your server to accept multiple client using the same client key (this is not recommended by the OpenVPN standard since all client would be able to decrypt other clients data, but we just want to play DotA, no secret is required to be protected. So, this should be fine).

Step 3 is to generate one client key and configuration and let the ppl on the other subnet use them. What you have to do is to configure the client configuration file such that all data that is bounded for the server subnet should go through VPN. However, this must not include the traffic from the client to the VPN server, this particular traffic has to go via the normal network, otherwise, OpenVPN will not work. This could be done in the routing setting of the client configuration file. Adding the following line should do the job.

route a.a.a.a b.b.b.b
route s.s.s.s 255.255.255.255 net_gateway 1

where a.a.a.a and b.b.b.b is the network and the subnet mask of the server while s.s.s.s is the IP of the server. Consider this example,

route 11.22.33.0 255.255.255.0
route 11.22.33.29 255.255.255.255 net_gateway 1

In this case, the network is 11.22.33.* and the server is located at 11.22.33.29.

That is all, let everybody login to the PvPGN and let someone in 11.22.33.* create a game. Everybody should be able to join and play.

Step 4 requires no explanation, I believe that you know how to create the game.

Some might ask, why we have to do step 3? The point is that, when a Warcraft III client from different subnet join the game, gaming data (UDP) must be transmit to the machine of the creator that resides on the server subnet. That is not possible, so we have to route the traffic from the client on different subnet via OpenVPN and let the OpenVPN server do NAT for us. And since we don't generally know the IP of the game creator beforehand, we simply route everything bounded for server subnet to the OpenVPN server. However, this also include the "data-for-VPN" packet to be routed in the same way, and it won't reach the server, so we have to add the exception that, if data is to be routed to the openvpn server, we simply use the normal routing.