
# Step 7 : Connect, test, fix glitches

## Connecting your OpenVPN client

You now know the Public IP for your server : you will use it to connect your OpenVPN client.

Right-click your OpenVPN GUI, and "Edit Config" on your connection menu :

![Edit Config to write the public IP](/files/-LjCqMVFjcxFrvV_9WRo)

Remember the **`<OpenVPN Server Public IP or FQDN>`** placeholder at line 6 ? Replace it with your server's public IP that you copied previously in the EC2 Console :

![](/files/-LjCrSzCK24VT768AV--)

Now **close+save**, right-click again and "**Connect**" !

![](/files/-LjCs2MDqTMVsEE6MvgO)

You'll see a log flowing in a window\....:drum::drum: *...aaaannnnndddd...* :drum::drum:

![Yeah !](/files/-LjCsa2MBjSEogv7lPZ2)

### <img src="/files/-LiyFw54lDxzKA13Rtxr" alt="" data-size="line"> :clap: :fireworks::firecracker::dancer: :man\_dancing: **Bravo ! Cheers ! CongratZ !**  :man\_dancing: :dancer: :firecracker: :fireworks: :clap: <img src="/files/-LiyFw54lDxzKA13Rtxr" alt="" data-size="line">

***You are now officially a geek : you're both a VPN client AND a VPN operator, all in 1 person !***

*So bookmark this and come back after you have properly celebrated this major event in your life...*

## Several tests

Ok, now let's note and test a few things...

### Your VPN client Private IP

We'll take a note of our VPN Private IP address, that you see in the OpenVPN balloon tooltip.

**For this demo**, we **specified VPN network in our UserData** as **10.10.10.0/24**, so we are **10.10.10.6**

{% hint style="warning" %}
Being the only client for your VPN server, **you should always get the .6 VPN Private IP address in the network you specify in your UserData**
{% endhint %}

{% hint style="danger" %}
**Important : the server does Fantasy Grounds port forwarding for the .6 IP ONLY**
{% endhint %}

### Some pings

Let's open a new command prompt window and try a few commands :

**`ping 10.10.10.1`** : pings the server's **VPN private IP**

Let's have a quick look at our server's various IPs :

![](/files/-LjF2auwpQq8r2WnvoF7)

**`ping 172.31.10.45`** : pings the server's ethernet LAN adapter **private IP in AWS**

**`ping 13.53.45.99`** : pings the server's **Public IP**

![First ping tests](/files/-LjF4RWVHPngMMxaFB_E)

Hummm...The server does not reply to our ping on its Public IP. Why ? :thinking:

Because we [don't have a rule in our Security Group](/transparent-openvpn-for-fantasy-grounds/transfer-first-test/step-6-launch-time.md#your-own-firewall-rules-security-groups) for that.

Let's add a rule to our Security Group : you can **click its name in the left column** of the EC2 instance ***Description*** tab, then go to the **Inbound rules** tab of the **Security Group** and click **Edit**, then **Add Rule** :

![](/files/-LjF60TX_BiUCWeTAuPS)

We want to authorize **inbound** *ping requests*, which are in reality *ICMP echo requests*, so our new rule will be typed "***Custom ICMP rule - IPv4***", with protocol "***Echo Request***", from source "***0.0.0.0/0***" :

![](/files/-LjF80pMi7xH1wPi4VGc)

Let's **Save**, then go back to our EC2 instance details to check it applies :

![Yep ! Now pingable from anywhere](/files/-LjF8dx_GSowZU17WMpe)

Let's retry our ping on the public IP to check we have the replies...ok :white\_check\_mark:

![ping to public IP is now ok](/files/-LjF987juiqWnIRhvNaz)

### Fantasy Grounds

Now let's start Fantasy Grounds and **create a test campaign** with any ruleset and **Start** it.

{% hint style="warning" %}
Let's **not** play with the ***server alias*** : the ***Connection test*** will keep failing, **that's expected !**
{% endhint %}

![](/files/-LjFFLTWKU6WTeLH4fTP)

{% hint style="info" %}
I had to switch to **my own FG machine** for that, so I :

* disconnected the test machine (W2012) I have used to show the latest OpenVPN (2.4.7, 64-bit) until now
* "distributed" the ***my-fg-ovpn-dm01*** set of VPN client files to my own machine
* connected my own machine to the server, **once again getting VPN IP = 10.10.10.6**

This is a **Windows 7 (FR)** with an **older OpenVPN (2.2.2, 32-bit)**, but I'm connecting fine :
{% endhint %}

![An older OpenVPN (2.2.2)](/files/-LjFHThCwIxpEPlkOpj8)

![ping results still ok on my Windows 7](/files/-LjFHeb9ZmBLUQt4wsSF)

So here I am, connected to the VPN server and with Fantasy Grounds eagerly waiting for players to connect :

![A "blank" D\&D5e virtual table](/files/-LjFJW3gpCZyWhQmhxp-)

Let's try this command in our command prompt :

```
netstat -ano | find "1802"
```

![FG process 16100 listening on ALL my connections](/files/-LjFK6Itj339J8_TlJGD)

We can see above that our "**GM FG**" has the Windows Process ID 16100, and is **listening on TCP 1802 on ALL IPs from ALL connected network adapters (the 0.0.0.0 on the left)**, ***including our VPN Private IP***.

### Anatomy of a local connection

Now let's open a ***second Fantasy Grounds as a player on the same machine***, and ***Join Game*** on ***localhost*** as Host address (**localhost means "myself" and is the special private IPv4 address 127.0.0.1**)

![Player connection to localhost](/files/-LjFLdqyUmgV0wFhT6h-)

![](/files/-LjFMOwIDxv1d_9cNqYM)

That works as expected : nothing fancy here, but if we retry our last command, we see how FG networking works :

![FG : GM + 1 player](/files/-LjFMgFNHcNrjKA_PFOJ)

* the GM FG is still LISTENING on 0.0.0.0:1802 (Process ID 16100, **line 1**)
* the player FG (**line 3**) :
  * has Windows Process ID 15428
  * It connected from 127.0.0.1 (using dynamic port 55536) to localhost=127.0.0.1 on port 1802, and the connection is still active (ESTABLISHED)
* the GM FG has accepted the inbound connection (**line 2**) and "maintains the dialog" (ESTABLISHED) between his own 127.0.0.1:1802 and the "not-so-remote" player at 127.0.0.1:55536

The **Player and GM FGs** see each other **both on the localhost 127.0.0.1** IP address, so they agree to work that way (otherwise we would have a ***license key conflict***, as we'll soon witness).

Now let's **disconnect our player FG** and re-check :

![After player leaves the virtual table](/files/-LjFRTOSdCx52GMGRgmL)

We still see our GM FG listening, and the dynamic port that was used by our player FG (TCP 55536) is now in TIME\_WAIT state, belongs to no process ID, and will be completely free to re-use by Windows within 4 minutes.

### Connecting a player FG to the server public IP

This is all well and good, but what you want is **players connecting to your server** (its public IP, currently 13.53.45.99 in this demo) so that they **auto-magically appear in your GM FG virtual table**...

**Let's try !**

![Connecting to the server as a player from the Internet](/files/-LjFTyP7zuP0Ovnf_maw)

<img src="/files/-LiyFw54lDxzKA13Rtxr" alt="" data-size="line"> ***Aarrgghh !!!...Well, actually : Yeah !!!*** :fireworks::people\_with\_bunny\_ears\_partying::dancer::firecracker: ***It works !!!** (though it looks disappointing...)*

![It looks like a Fail but it is a Pass !](/files/-LjFUg1gZoTxsAsynNZt)

## Houston, we have liftoff !

{% hint style="success" %}
**YES !** Our **GM FG and Player FG were actually able to talk to each other...**

*...but they have **DIFFERENT IPs** and the **SAME license key** => **LICENSE KEY CONFLICT**.*

**Your "REAL" players CAN now connect to your GM FG, using the server Public IP**
{% endhint %}

And if you then retry our netstat command, you'll see all these connections arriving on your VPN Private IP on port 1802, all coming in from the server Private IP / various ports.

**EDIT :** After some trial and error, I was finally able to install the *Demo version of Fantasy Grounds on my temporary Windows 2012R2 machine*, even though I had some errors because it has no support for DirectX.

So here is an example of 2 connections, **from 2 players with a Demo version of FG** to my GM FG virtual table **through the OpenVPN port-forwarding server** :

![](/files/-LjFw398jH7vInhhg5vL)

The player connections seen on my GM FG machine :

![](/files/-LjFwKxsfGFghJN2vyY3)

{% hint style="info" %}
Our GM FG sees **ALL the "port-forwarded" player connections** coming in :

* **from the server Private IPv4 address** (172.31.10.45 in this demo) from various TCP ports
* **to our own VPN Private IP** (10.10.10.6 in this demo) always on our TCP 1802 port
{% endhint %}

*Note : I have FG Ultimate license so I can host any combination of licensed/demo players; if you have FG Standard then you can host 1 demo **or** N licensed players.  This is the FG licensing scheme.*
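
As an added example (not part of the original guide), this Python script reads the output of the `netstat -ano | find "1802"` command used above and sorts the rows the way the two walkthroughs describe them: the listener, inbound connections, and outbound connections. It also flags any inbound peer that is neither loopback nor the server Private IP, since every port-forwarded player should appear as coming from that address. The sample rows are constructed; the port, IPs and PID reuse this demo's values and the function names are hypothetical.

```python
import ipaddress
from collections import namedtuple

# Demo values taken from the page; replace them with your own.
FG_PORT = 1802
SERVER_PRIVATE_IP = "172.31.10.45"

Conn = namedtuple("Conn", "local_ip local_port remote_ip remote_port state pid")

# Constructed sample of `netstat -ano | find "1802"` output. The 192.168.1.x row
# is a made-up peer that reaches the GM FG directly, without using the VPN.
SAMPLE = """\
  TCP    0.0.0.0:1802           0.0.0.0:0              LISTENING       16100
  TCP    10.10.10.6:1802        172.31.10.45:49812     ESTABLISHED     16100
  TCP    10.10.10.6:1802        172.31.10.45:49977     ESTABLISHED     16100
  TCP    192.168.1.20:1802      192.168.1.57:51022     ESTABLISHED     16100
  TCP    127.0.0.1:55536        127.0.0.1:1802         TIME_WAIT       0
"""

def parse_netstat(text):
    """Turn the TCP rows of `netstat -ano` into Conn tuples (other rows are skipped)."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue
        lip, lport = f[1].rsplit(":", 1)
        rip, rport = f[2].rsplit(":", 1)
        conns.append(Conn(lip.strip("[]"), int(lport), rip.strip("[]"),
                          int(rport), f[3], int(f[4])))
    return conns

def classify(conns, port=FG_PORT, forwarder=SERVER_PRIVATE_IP):
    """Split rows into listener / inbound / outbound, and flag unexpected peers."""
    out = {"listeners": [], "inbound": [], "outbound": [], "unexpected": []}
    for c in conns:
        if c.state == "LISTENING" and c.local_port == port:
            out["listeners"].append(c)
        elif c.state == "ESTABLISHED" and c.local_port == port:
            out["inbound"].append(c)
            # Through the port-forwarding server, every player shows up as `forwarder`.
            if c.remote_ip != forwarder and not ipaddress.ip_address(c.remote_ip).is_loopback:
                out["unexpected"].append(c)
        elif c.state == "ESTABLISHED" and c.remote_port == port:
            out["outbound"].append(c)
    return out

if __name__ == "__main__":
    for kind, rows in classify(parse_netstat(SAMPLE)).items():
        print(kind, [f"{c.remote_ip}:{c.remote_port} (pid {c.pid})" for c in rows])
```

To use it on a real machine, redirect the netstat output to a text file and pass its contents to `parse_netstat` instead of `SAMPLE`.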

## What if it fails ?

<img src="/files/-LiyFw54lDxzKA13Rtxr" alt="" data-size="line"> ***What ? How ? When ? Where ? You have a real failure ? Like this one with a "player" FG ? Or worse, you can't even connect with your OpenVPN client to your shiny new server ?***

![](/files/-LjFYJegqPLFWNrbxG6g)

### <img src="/files/-LiyFw54lDxzKA13Rtxr" alt="" data-size="line"> FG : ***Maybe you forgot*** [***what you should always remember***](/transparent-openvpn-for-fantasy-grounds/general/vpn-solutions.md#always-remember) ***?***

***Ok, 10 seconds to*** :sob:***...***

{% hint style="info" %}
...Now **recheck everything for your GM machine's Barriers 1-3**, remembering that FG inbound connections will come to your GM FG through **the VPN connection**, which Windows (rightfully) considers to be a **DIFFERENT network than your usual home network.**

\=> for Windows 10, you have to mark the **VPN connection as PRIVATE !**

\=> don't forget to open some doors in all your **firewall-like thingies**...you'll probably need to do so for **both :**

* your **VPN private IP network** (10.10.10.0/24 in this demo)
* **AND** the server **Private IPv4** in your AWS VPC (172.31.10.45 in this demo)
{% endhint %}

### **OpenVPN :** CRLF ? Check the startup log of your OpenVPN server instance

In the **Instances** section of the **EC2 Console**, use this right-click contextual menu :

![Getting the system log, including the startup log](/files/-LkEu5o9lXMBUkmmutNI)

That should give you (**several minutes after** the instance is launched) something like this...

![Beginning of the system log](/files/-LkEw0OsH2DfLBS_8wEs)

After 450 to 500 lines, if you encounter the following error message, it means your **`fgovpn001-init.sh`** ***was saved with the CRLF mode*** for End-Of-Line control characters ***instead of LF*** :

![Error example : init script saved with CRLF mode](/files/-LkExDXLCC0dMyNVKBpp)

In this example, because of a rogue **CR** character (^M) at the end of the very first line, **the init script did NOT execute AT ALL**, so OpenVPN is not even installed on your (useless) virtual server !

> In the above example, don't be confused by the following line 502 ("*UserData script finished*").
>
> The very last thing that the UserData script tried to do was running fgovpn001-init.sh (line 499), so the error actually comes from that file, not from the UserData script (it has been cleansed of any CRs by importing it in the *web editor* in the AWS Console).

\=> [**Correct the error**](/transparent-openvpn-for-fantasy-grounds/aws-setup-step-by-step/4.7-filling-the-bucket.md#important-save-files-in-lf-unix-format) by saving **fgovpn001-init.sh in LF mode** in your **`my-fg-ovpn-s3`** local sub-folder, re-transfer the file to S3 to overwrite the one you previously stored, **Terminate** (=destroy) your current instance (right-click / ***Instance State*** / ***Terminate***) as shown in [Step 8](/transparent-openvpn-for-fantasy-grounds/transfer-first-test/step-8-destroy-terminate-after-use.md#we-break-our-new-toy), and then **launch** a brand new one !
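
To catch this before the upload rather than 500 lines into the system log, here is an added example (not part of the original guide) that scans the local `my-fg-ovpn-s3` folder for CR bytes and can rewrite the affected files with LF line endings. The `*.sh` pattern and the function names are assumptions; only `fgovpn001-init.sh` and the folder name come from this page.

```python
import sys
from pathlib import Path

def cr_lines(data: bytes) -> list:
    """1-based numbers of the lines that contain a CR byte (shown as ^M in logs)."""
    return [n for n, line in enumerate(data.split(b"\n"), 1) if b"\r" in line]

def to_lf(data: bytes) -> bytes:
    """Convert CRLF (and any stray lone CR) line endings to LF."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")

def check_folder(folder, pattern="*.sh", fix=False):
    """Return {file name: [line numbers with CR]} for matching files in `folder`.

    With fix=True the affected files are rewritten in place with LF endings.
    Files are read and written as bytes so nothing else in them is altered.
    """
    findings = {}
    for path in sorted(Path(folder).glob(pattern)):
        data = path.read_bytes()
        bad = cr_lines(data)
        if bad:
            findings[path.name] = bad
            if fix:
                path.write_bytes(to_lf(data))
    return findings

if __name__ == "__main__":
    # Usage: python check_crlf.py [folder] [--fix]
    args = [a for a in sys.argv[1:] if a != "--fix"]
    folder = args[0] if args else "my-fg-ovpn-s3"
    found = check_folder(folder, fix="--fix" in sys.argv)
    for name, lines in found.items():
        # A CR on line 1 is the case described above: the script never runs.
        note = " (line 1 affected)" if lines[0] == 1 else ""
        print(f"{name}: {len(lines)} line(s) with CR{note}")
    sys.exit(1 if found and "--fix" not in sys.argv else 0)
```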

*...finally, if you still can't make this work, then **ask for help** with the links at the beginning of this document...*


## A little fix to our AWS Launch Template

A little glitch caught my :eyes: when we launched our server, that you'll find just below the pink highlight for Source/dest. check on the screenshots of the EC2 console :

T2/T3 Unlimited mode : ***Enabled***

**This is not a setting we want for our use case**, as it may introduce costs (though that is very unlikely, OpenVPN using a very low percentage of CPU).

Anyway, this came out because in the AWS region we used, we did not have the usual "free tier eligible" t2.micro instance type but the t3.micro instead, and I found this note in AWS EC2 documentation which explains this unexpected (at least for me) setting :

![](/files/-LjCIZAoJ5twmpDP5jKb)

Just to be sure, we'll disable this setting and that will give us an opportunity to experiment with creating a new version of our Launch Template.

### The Launch Template v2

We go to the Launch Templates section of the EC2 Console and click "**Create launch template**" again, but this time we :

* select ***Create a new template version***
* select our existing template
* enter a version description
* select the existing version as source

![New template version, select our template...](/files/-LjG72DoM8V_0ODsajga)

![...enter a version description and select original version as source](/files/-LjG7yD8zVXHqNN8y-1E)

Then we go to the bottom, expand **Advanced details** and switch the **T2/T3 Unlimited** setting to ***Disable*** :

![Disable T2/T3 Unlimited](/files/-LjG8gcpk-TcWNkS-ICt)

And now we can click the final "***Create launch template***" button :

![](/files/-LjG9kcWMMSgTccud19u)

Here we are :

![](/files/-LjGA9TZjSHmZEzuEj0S)

Now let's **make this new version the default** version of our Launch Template, because ***the original one is currently still the default one*** :

![](/files/-LjGB7BkyjQ9tUqHaxhO)

So we check the line is selected (blue square on the left) and use the **Actions** button :

![](/files/-LjG_RdQCEMYmvNlAT2s)

Nothing mysterious there...

![](/files/-LkIQUZC4MLGIHrgzRVp)

Finally we're done :

![](/files/-LjG_v6PpdSDa92XuuLA)

