October 29th, 2006, 09:14 AM #1
HOWTO: Openvpn and Ubuntu (Dapper)
This is for Dapper ubuntu and openvpn
(Once again thanks to my old boss for the help!)
Okay so the wonderful world of VPNs used by many business to add remote access to the network for those who travel. I will be using the latest Ubuntu version (dapper) and openvpn. (http://openvpn.net/) I really only made this as a reference for me if I ever needed to set it up again but ill post on it here if others want to play around with.
Okay first you will need to edit the source.list for apt-get (located in /etc/apt/sources.list) uncomment all the repositories. Do an apt-get update and then apt-get upgrade to download and install the latest updates for the os. Next you will want to install the openvpn software.
Apt-get install openvpn (it should download and install itself.)
Apt-get install openssl
*note* I would recommend installing ssh
Apt-get install ssh
Now im not going to go into all the details of VPN (the difference between bridging and routing as you can read about that on the openvpn site). Iím going to go with the routing as it seems a lot simpler to set up and if you look at the opensite, and it does everything I want it to do.
From here we are going to setup the server.conf file for the server (/etc/openvpn)
Now there are a lot of options when it comes to setting up the server. Iím only doing the basic to get it up and running and allow you to connect to the server. (There are more advance things you can do with this software). Before we start I just want to add something. I created a folder in the openvpn directory called keys for the certificates.
If you would like to do this, then type mkdir keys in /etc/openvpn
October 29th, 2006, 09:14 AM #2
CONFIGURE THE SERVER
So from here we type vi which will give you a visual prompt. Press the insert key to start typing.
First we will start off with the vpn port. The default port Openvpn runs on is 1194 using UDP. You can change this to something else and also use TCP instead of UDP if you choose.
*note* (the # means this is a comment, I put the comments in for reference for myself if I ever need to go back)
#Local address (this is the address of the network card from your subnet, I suggest you make this machine have a static ip address)
#Protocol for the VPN (remember you can use UDP or TCP, I use TCP)
#Ethernet routing (like I stated above I picked routing over bridging)
Key keys/server.key #secret file
# Diffie hellman parameters. (This is the cryptography)
#VPN DHCP Pool
Server 10.8.1.0 255.255.255.0
*note 10.8.1.0 is the address range for my VPN clients. Please note like most of the home routers out there. They use the 192.168.1.x range. If you go to a friends house or on a network that uses the 192.168.1.x the vpn will not work. So to combat this, you should change your network address range to something that isnít used very often. (Please review the private addresses to get some ideas). I have changed my ip address subnet on my homework to 192.168.2.x/24*
#Gateway Push (this tells the server to push my subnet to any vpn client connecting, make sure you donít forget the quotes)
Push ďroute 192.168.2.0 255.255.255.0Ē
#VPN static ip address pool. It makes sure that a given PKI certificate ALWAYS GETS THE SAME IP on the VPN tunnel
(inside this file I just have name,ip I want to use. So in my case it would have
#Allow vpn clients to communicate with each other (this is an optional option, for a work environment I was informed its not good to enabled this option)
Keepalive 10 120
#more cryptographic cipher options
#openvpn priv after init.
#This is the status log file for openvpn
To save the file press escape the type :wq server.conf
Thatís pretty much it. Remember the stuff in parentheses are just explaining the comment areas so they are not needed in the config file.
October 29th, 2006, 09:15 AM #3
CREATE KEYS FOR THE SERVER AND THE CLIENTS
Change to the directory /usr/share/doc/openvpn/examples/easy-rsa/2.0
Vi vars and change
export KEY_COUNTRY=" "
export KEY_CITY=" "
To whatever you want
gzip -d pkitool.gz
type the command ./vars
You will be asked to answer the questions you filled up top.
You will have to answer the same questions above. It will ask you for a password, I suggest you donít put a password when it ask.
Click yes to sign the certificate.
Now to build the client files.
Type ./build-key client1
And once again you will need to answer the questions above. I still donít recommend you putting a password as it can cause problems when I have tried.
Next you will want to type ./build-dh
All the files you just generated are located in /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys
If you do a list command in the keys folder you should have something like:
01.pem ca.key client1.key index.txt.attr serial server.csr
02.pem client1.crt dh1024.pem index.txt.attr.old serial.old server.key
ca.crt client1.csr index.txt index.txt.old server.crt
Now you have to be careful with these files. Files such as the ca.key (THIS IS THE MOST IMPORTANT FILE TO PROTECT), server.key and the client1.key files are the ones that really need to be protected. Saying that all files should be protected but those I just listed are the ones you donít want to be leaving laying around.
Copy the files ca.crt, ca.key, dh1024.pem, server.crt, and server.key to the /etc/openvpn/keys
cp ca.key ca.crt dh1024.pem server.key server.crt /etc/openvpn/keys/
We will worry about the client files after we configure the client config file.
October 29th, 2006, 09:15 AM #4
CONFIGURE THE CLIENTS
The configuration file is pretty straight forward as you set it up almost like the server.conf file above.
You can create this using notepad in windows or use VI again.
#Tell this is a client
#Name of the VPN network connection. (in network neighborhood, i changed the name from the defualt vpn network card to HomeVPN so i can tell the difference between the different network adapters on the computer)
dev-node HomeVPN* *the name is whatever your vpn network adapter shows up in network neighborhood
#Protocol the VPN uses
#Type of VPN connection (you will notice you have tun0 on the server, and tun on the clients)
#ip address of the VPN Server. This is your WAN ip address is
#Something dealing with the keys
#The keys for the clients (see below for more info)
#The server is using aes-128-cbc so we need to tell the client to use that
#Compression as the same on the server
If you are using vi save it :wq clients.ovpn
Now download the OpenVPN gui
Install program (I used all the default settings) You will get prompt with this notice
Click continue anyway
If you right click network neighborhood and click properties you will see the new network interface. Now when you were configuring the client.ovpn file you had a line in there ďDev-node mytapĒ. Now I usually rename the vpn interface to homevpn so itís easier to distinguish the difference of the interefaces. Whatever you name the interface (if you rename it, make sure you change the name of mytap and itís case sensitive).
So in my config file I have dev-node homevpn. Itís very important to remember if you rename it to change that line or the vpn config file will fail.
copy the file client1.crt and client1.key and ca.crt from the folder where the other keys are located to your home directory. The .key file is the one you want to keep to yourself!
Now you will need to get winscp to download the files from a Linux environment to a windows environment. (if you get a permission error from winscp type chown sudo name then client1.*) The sudo name is the root login name you made for the machine.
Before you copy my boss noted that sometimes coping over from Linux to windows can cause some issues with the files, when you drag the file over you will get a prompt to press copy. Before you do click more then click binary then you can press copy
Copy these files into
C:\Program Files\openvpn\config also place your client.ovpn into this folder too
Right click on the client.ovpn and click start openvp on this config file. A dos box should pop up and when its done connecting to the VPN you should see ďInitialization Sequence CompletedĒ If you close this DOS box you will disconnect from the VPN
Now the VPN is connected you need to setup up a route to the vpn subnet so 192.168.x.x or whatever can communicate with vpn clients. Log into the router (for this im gonna go through a linksys router, you must bear with me as im using the DD-WRT firmware) . If you are running the default firmware you would click the first tab and see the advance routing tab. Click it then for the destination LAN address type in your VPN subnet. In my case it would be 10.8.1.0, gateway 255.255.255.0 and the gateway will be the address of the VPN server. So if your vpn server internal address is 192.168.1.50 you would but that as the gateway.
Now if you are a vpn client on the road and want to access a server recourse you can type in run
\\192.168.1.100\music. You have to use the ip address of the server, name resolution for a routed vpn does not work. I have tried to stream music over a vpn, its a hit or miss depending on your connection and the speed of the vpn server.
Also note i am running the vpn server in a vmware and it works great
October 29th, 2006, 09:26 AM #5
DHCP- You can push DHCP address to vpn clients but most home routers have a very basic DHCP server that you cant do with this. If you are running something like DHCPD or Windows Server DHCP, im sure there is a way to push them.
Im gonna test this with edgy later on, im sure you will be able to do the exact stuff and have it work
If you are a vpn client and want to use the vpn for your internet, you will need to set a proxy up at your office and point your web browser to it. If not you will continue to browse the internet with whatever connection you have.
There are ALOT more options for openvpn, if you would like to review them check out the site!
November 1st, 2006, 12:40 PM #6
Nice write-up! Very few quality howto's on the net for this. Most are broken and/or incomplete. What makes matters worse is that openvpn doesn't come with sample config files, at least not for slackware/debian.
Thank you, I have been cheating with a openvpn plugin for ipcop. I will give your walkthrough a go this weekend.
Oh one question: does liblzo come with ubuntu? I don't think it does with other distro's.
danIf you believe it is important for future generations to learn about computers. Please help--- http://computer4kids.us
November 1st, 2006, 01:33 PM #7
flashing, openvpn has a sample server/client config here
im sure sure if liblzo is on an install by default.
Im sure a simple apt-get will install it if it isnt.
November 8th, 2006, 11:50 AM #8
Just a heads up, for those running DD-wrt v23 SP2 there seems to be some issues with the advance routing portion. ( I even tried the latest v24 beta) I went back to the latest version of HyperWRT Thibor and its working like a champ!
Also i noticed i had to do the command to enable routing
echo 1 > /proc/sys/net/ipv4/ip_forward
seems this is the fix
echo "net.ipv4.ip_forward=1" > /etc/sysctl.conf
November 16th, 2006, 02:56 PM #9
- Join Date
- Nov 2006
Minor but crucial correction.
Thanks for the howto. However first letters of each config parameter must NOT be capitalized. otherwise it causes errors. This affects both server and client configs.
November 16th, 2006, 05:20 PM #10
aw i didn't catch that, i guess i can thank MS word for that
December 1st, 2006, 11:02 AM #11
- Join Date
- Dec 2006
Thanks so much for the how to, not sure I even qualify as a Noobie, but I do have a problem and I suspect it is related to the fact that I am an idiot but I can get so far theough the how to but in the section around CREATE KEYS FOR THE SERVER AND THE CLIENTS... when I type in gzip -d pkitool.gz I get the error "gzip: pkitool.gz: No such file or directory" and of course after that the subsequent permission denied when I try to build-ca. Help, thoughts appreciated
December 1st, 2006, 11:10 AM #12
are you in the correct directory when you try to do gzip command for pkitool?
Do you see the pkitool file when you do the list command on the directory?
Are you sudo in when trying it?
December 1st, 2006, 11:26 AM #13
- Join Date
- Dec 2006
wow, thanks for the quick response yes i am in the right directory "/usr/share/doc/openvpn/examples/easy-rsa/2.0", yes i see the pkitool file and no I am not sudo as I am logged in as root.
December 1st, 2006, 11:58 AM #14
can you copy and paste when you do the ls command and when you try the gzip command with the error. Just so i can see what you are doing.
I just tried out the gzip -d pkitool.gz on my vmware image and worked fine.
December 1st, 2006, 12:06 PM #15
- Join Date
- Dec 2006
here is the ls..
build-ca build-key-pass build-req-pass list-crl revoke-full
build-dh build-key-pkcs12 clean-all openssl.cnf sign-req
build-inter build-key-server inherit-inter pkitool vars
build-key build-req keys README.gz
here is what gets returned..
root@ubuntu:/usr/share/doc/openvpn/examples/easy-rsa/2.0# gzip -d pkitool.gz
gzip: pkitool.gz: No such file or directory
and also here is what I get when id o the clean-all and build-ca..
root@ubuntu:/usr/share/doc/openvpn/examples/easy-rsa/2.0# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys
./build-ca: line 8: /usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool: Permission denied
any help gratefully appreciated!
December 1st, 2006, 12:22 PM #16
You don't have the pkitool.gz file. You already have the pkitool folder so you can skip that
what shows up when you do ls -l build-ca
December 1st, 2006, 12:30 PM #17
- Join Date
- Dec 2006
root@ubuntu:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ls -l build-ca
-rwxr-xr-x 1 root root 121 2005-11-02 13:42 build-ca
December 1st, 2006, 12:35 PM #18
try chmod +x pkitool and see if that corrects it
January 16th, 2007, 09:59 PM #19
- Join Date
- Jan 2007
I have several questions. You mention "Now when you were configuring the client.conf file you had a line in there ďDev-node mytapĒ." but never did this in the conf files. Is there something missing? When I finish doing all of this and try to run /etc/init.d/openvpn start I get a Starting virtual private network daemon: server(FAILED). Am I supposed to start the "server" vpn? I think this might be related to the previous problem with not setting the vpn name?
Also, you refer to client.conf (in the problem I just stated). May I assume you are talking about the clients.ovpn you made?
Thanks for your help!
January 17th, 2007, 11:31 AM #20
That client config has nothing to do with starting the server. If you are getting a server (failed) it means something in your config file on the server is not set up right.
As for the client.conf and my tap, i have updated that part of the post. You are correct i left out the mytap portion. Thanks for the heads up.
Please post your server.conf file so i/others can review it.
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
By gberz3 in forum Linux and UnixReplies: 9Last Post: August 4th, 2006, 11:52 PM
By HOlmes101 in forum Linux and UnixReplies: 28Last Post: July 9th, 2006, 05:13 PM
By GroundZero3 in forum Linux and UnixReplies: 8Last Post: June 5th, 2006, 10:10 PM
By GroundZero3 in forum Linux and UnixReplies: 2Last Post: June 1st, 2006, 01:50 PM
By athlonxpguy in forum Linux and UnixReplies: 8Last Post: September 18th, 2003, 08:46 PM