-
October 29th, 2006, 09:14 AM #1
HOWTO: Openvpn and Ubuntu (Dapper)
Starting Off
This is for Dapper Ubuntu and OpenVPN.
http://www.ubuntu.com/
http://openvpn.net/
(Once again thanks to my old boss for the help!)
Okay, so the wonderful world of VPNs: used by many businesses to add remote access to the network for those who travel. I will be using the latest Ubuntu version (Dapper) and OpenVPN (http://openvpn.net/). I really only made this as a reference for me if I ever needed to set it up again, but I'll post it here if others want to play around with it.
Okay, first you will need to edit the sources.list for apt-get (located in /etc/apt/sources.list) and uncomment all the repositories. Do an apt-get update and then an apt-get upgrade to download and install the latest updates for the OS. Next you will want to install the OpenVPN software.
Type:
apt-get install openvpn (it should download and install itself.)
apt-get install openssl
*note* I would recommend installing ssh:
apt-get install ssh
Now I'm not going to go into all the details of VPNs (the difference between bridging and routing, as you can read about that on the OpenVPN site). I'm going to go with routing, as it seems a lot simpler to set up if you look at the OpenVPN site, and it does everything I want it to do.
From here we are going to set up the server.conf file for the server (/etc/openvpn).
Now there are a lot of options when it comes to setting up the server. I'm only doing the basics to get it up and running and allow you to connect to the server. (There are more advanced things you can do with this software.) Before we start I just want to add something: I created a folder in the openvpn directory called keys for the certificates.
If you would like to do this, then type mkdir keys in /etc/openvpn
-
October 29th, 2006, 09:14 AM #2
CONFIGURE THE SERVER
So from here we type vi, which will give you a visual prompt. Press the Insert key to start typing.
First we will start off with the VPN port. The default port OpenVPN runs on is 1194 using UDP. You can change this to something else and also use TCP instead of UDP if you choose.
*note* (the # means this is a comment; I put the comments in for reference for myself if I ever need to go back)
#VPN port
port 1194
#Local address (this is the address of the network card on your subnet; I suggest you give this machine a static IP address)
local 192.168.x.x
#Protocol for the VPN (remember you can use UDP or TCP; I use TCP)
proto tcp
#Ethernet routing (as I stated above, I picked routing over bridging)
dev tun0
#Key locations
ca keys/ca.crt
cert keys/server.crt
#secret file
key keys/server.key
#Diffie-Hellman parameters (this is the cryptography)
dh keys/dh1024.pem
#VPN DHCP pool
server 10.8.1.0 255.255.255.0
*note: 10.8.1.0 is the address range for my VPN clients. Please note that most home routers out there use the 192.168.1.x range. If you go to a friend's house or onto a network that uses 192.168.1.x, the VPN will not work. So to combat this, you should change your network address range to something that isn't used very often (please review the private address ranges to get some ideas). I have changed my IP address subnet on my home network to 192.168.2.x/24.*
#Gateway push (this tells the server to push my subnet to any VPN client connecting; make sure you don't forget the quotes)
push "route 192.168.2.0 255.255.255.0"
#VPN static IP address pool. It makes sure that a given PKI certificate ALWAYS GETS THE SAME IP on the VPN tunnel
ifconfig-pool-persist client-addresses.txt
(inside this file I just have the name and IP I want to use, so in my case it would contain:
Groundzero3,10.8.1.6
#Allow VPN clients to communicate with each other (this is optional; for a work environment I was informed it's not good to enable this option)
client-to-client
#keepalive
keepalive 10 120
#more cryptographic cipher options
cipher AES-128-CBC
#compression
comp-lzo
#drop OpenVPN privileges after init
user nobody
group nogroup
persist-key
persist-tun
#This is the status log file for OpenVPN
status openvpn-status.log
log openvpn
verb 3
mute 20
To save the file, press Escape, then type :wq server.conf
That's pretty much it. Remember, the stuff in parentheses is just explaining the comment areas, so it is not needed in the config file.
-
October 29th, 2006, 09:15 AM #3
CREATE KEYS FOR THE SERVER AND THE CLIENTS
Change to the directory /usr/share/doc/openvpn/examples/easy-rsa/2.0
vi vars and change
export KEY_COUNTRY=" "
export KEY_PROVINCE=""
export KEY_CITY=" "
export KEY_ORG=""
export KEY_EMAIL=""
to whatever you want.
gzip -d pkitool.gz
Type the command source ./vars (the file only exports variables, so it has to be sourced into your shell rather than run)
./clean-all
./build-ca
You will be asked to answer the questions you filled in up top.
./build-key-server server
You will have to answer the same questions as above. It will ask you for a password; I suggest you don't put a password when it asks.
Answer yes to sign the certificate.
Now to build the client files.
Type ./build-key client1
And once again you will need to answer the questions above. I still don't recommend putting a password on it, as it has caused problems when I have tried.
Next you will want to type ./build-dh
All the files you just generated are located in /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys
If you do a list command in the keys folder you should have something like:
01.pem ca.key client1.key index.txt.attr serial server.csr
02.pem client1.crt dh1024.pem index.txt.attr.old serial.old server.key
ca.crt client1.csr index.txt index.txt.old server.crt
Now you have to be careful with these files. Files such as ca.key (THIS IS THE MOST IMPORTANT FILE TO PROTECT), server.key and client1.key are the ones that really need to be protected. That said, all files should be protected, but those I just listed are the ones you don't want to leave lying around.
Copy the files ca.crt, ca.key, dh1024.pem, server.crt, and server.key to the /etc/openvpn/keys
cp ca.key ca.crt dh1024.pem server.key server.crt /etc/openvpn/keys/
We will worry about the client files after we configure the client config file.
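The post above stresses that ca.key, server.key and client1.key must not be left lying around. The shell script below is an added example, not part of the thread or of easy-rsa: it lists every private key in a keys directory whose group or other permission bits are set, tightens them to owner-only, and (when openssl is installed) checks that each certificate chains to ca.crt. It assumes the easy-rsa 2.0 keys layout listed in the post and needs only ls, cut, chmod and optionally openssl.

```shell
#!/bin/sh
# Added example (not from the thread): audit and tighten easy-rsa key files.

# Print "<perm> <path>" for every *.key in $1 whose group/other bits are not empty.
find_loose_keys() {
    dir=$1
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        perm=$(ls -ld "$f" | cut -c2-10)             # e.g. rw-r--r--
        go=$(printf '%s\n' "$perm" | cut -c4-9)      # group and other bits only
        if [ "$go" != "------" ]; then
            printf '%s %s\n' "$perm" "$f"
        fi
    done
    return 0
}

# Owner-only read/write (0600) for every private key, which is what
# ca.key, server.key and client1.key need.
tighten_keys() {
    dir=$1
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        chmod 0600 "$f"
    done
}

# Verify that each certificate in $1 was signed by $1/ca.crt.
# Skipped (with a message) when openssl is not installed.
verify_certs() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, skipping chain check"; return 0; }
    for f in "$dir"/*.crt; do
        [ -e "$f" ] || continue
        [ "$f" = "$dir/ca.crt" ] && continue
        openssl verify -CAfile "$dir/ca.crt" "$f"
    done
}

# usage, after the build steps in the post:
#   find_loose_keys /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys
#   tighten_keys    /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys
#   verify_certs    /etc/openvpn/keys
```

Run find_loose_keys before copying anything to /etc/openvpn/keys; a key that shows up there is readable by every local account, and the post's cp command copies the loose permissions along with the file.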
-
October 29th, 2006, 09:15 AM #4
CONFIGURE THE CLIENTS
The configuration file is pretty straightforward, as you set it up almost like the server.conf file above.
You can create this using Notepad in Windows or use vi again.
#Tell it this is a client
client
#Name of the VPN network connection (in Network Neighborhood I changed the name from the default VPN network card to HomeVPN so I can tell the difference between the different network adapters on the computer; the name is whatever your VPN network adapter shows up as in Network Neighborhood)
dev-node HomeVPN
#Protocol the VPN uses
proto tcp
#Type of VPN connection (you will notice you have tun0 on the server and tun on the clients)
dev tun
#IP address of the VPN server. This is your WAN IP address
remote 192.168.2.110
#Something dealing with the keys
persist-key
persist-tun
#The keys for the clients (see below for more info)
ca ca.crt
cert client1.crt
key client1.key
#The server is using aes-128-cbc so we need to tell the client to use that
cipher aes-128-cbc
#Compression, the same as on the server
comp-lzo
verb 3
mute 20
If you are using vi, save it with :wq clients.ovpn
Now download the OpenVPN GUI
http://openvpn.se/ (openvpn-2.0.9-gui-1.0.3-install.exe)
Install the program (I used all the default settings). You will get prompted with this notice:
Click Continue Anyway.
If you right-click Network Neighborhood and click Properties you will see the new network interface. Now when you were configuring the client.ovpn file you had a line in there "dev-node mytap". I usually rename the VPN interface to homevpn so it's easier to distinguish between the interfaces. Whatever you name the interface (if you rename it, make sure you change the name of mytap; it's case sensitive).
So in my config file I have dev-node homevpn. It's very important to remember, if you rename it, to change that line, or the VPN config file will fail.
Copy the files client1.crt, client1.key and ca.crt from the folder where the other keys are located to your home directory. The .key file is the one you want to keep to yourself!
Now you will need to get WinSCP to download the files from the Linux environment to the Windows environment. (If you get a permission error from WinSCP, type chown <sudo name> client1.* ; the sudo name is the login name you made for the machine.)
Before you copy, my boss noted that sometimes copying over from Linux to Windows can cause some issues with the files. When you drag the file over you will get a prompt to press Copy. Before you do, click More, then click Binary, then you can press Copy.
Copy these files into
C:\Program Files\openvpn\config and also place your client.ovpn into this folder.
Right-click on the client.ovpn and click "Start OpenVPN on this config file". A DOS box should pop up, and when it's done connecting to the VPN you should see "Initialization Sequence Completed". If you close this DOS box you will disconnect from the VPN.
Now that the VPN is connected you need to set up a route to the VPN subnet so 192.168.x.x or whatever can communicate with VPN clients. Log into the router (for this I'm gonna go through a Linksys router; you must bear with me as I'm using the DD-WRT firmware). If you are running the default firmware you would click the first tab and see the Advanced Routing tab. Click it, then for the destination LAN address type in your VPN subnet. In my case it would be 10.8.1.0, subnet mask 255.255.255.0, and the gateway will be the address of the VPN server. So if your VPN server's internal address is 192.168.1.50 you would put that as the gateway.
Now if you are a VPN client on the road and want to access a server resource, you can type in Run:
\\192.168.1.100\music. You have to use the IP address of the server; name resolution for a routed VPN does not work. I have tried to stream music over a VPN; it's hit or miss depending on your connection and the speed of the VPN server.
Also note I am running the VPN server in VMware and it works great.
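A check for the server.conf in post #2 and the client.ovpn above, added here as an example and not part of the thread or of OpenVPN: a shell function that reads a config file and reports every directive whose first letter is capitalised (the error Stephen points out further down the thread; OpenVPN's directives are lowercase), and, for a server config, prints an advisory note when client-to-client is enabled (the OP notes it is unwanted at work) or when no tls-auth line is present. It assumes only sh, awk and tr; the file names in the usage comment are the thread's own.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenVPN config for
# capitalised directives and a couple of settings worth a second look.

# Print one "ERROR ..." line per capitalised directive to stdout and
# advisory "WARN ..." lines to stderr. Returns 1 if any ERROR was found.
lint_openvpn_conf() {
    conf=$1; rc=0; lineno=0
    has_server=0; has_c2c=0; has_tls_auth=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # first word of the line with any "#" comment removed; empty on blank/comment lines
        directive=$(printf '%s\n' "$line" | awk '{ sub(/#.*/, ""); print $1 }')
        [ -z "$directive" ] && continue
        case $directive in
            [[:upper:]]*)
                printf 'ERROR line %d: "%s" is capitalised; OpenVPN directives are lowercase\n' \
                    "$lineno" "$directive"
                rc=1 ;;
        esac
        # track a few directives regardless of case so the advice below still applies
        case $(printf '%s\n' "$directive" | tr 'A-Z' 'a-z') in
            server)           has_server=1 ;;
            client-to-client) has_c2c=1 ;;
            tls-auth)         has_tls_auth=1 ;;
        esac
    done < "$conf"
    if [ "$has_server" -eq 1 ]; then
        [ "$has_c2c" -eq 1 ] && echo "WARN client-to-client lets every VPN client reach every other one; the post notes this is unwanted in a work setup" >&2
        [ "$has_tls_auth" -eq 0 ] && echo "WARN no tls-auth: without an HMAC key the server answers every unauthenticated packet with a TLS handshake" >&2
    fi
    return $rc
}

# usage:
#   lint_openvpn_conf /etc/openvpn/server.conf
#   lint_openvpn_conf clients.ovpn
```

Run it on the server before /etc/init.d/openvpn start; a non-zero exit means the daemon would refuse the file, which is the "server (FAILED)" symptom reported later in the thread.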
-
October 29th, 2006, 09:26 AM #5
MISC
DHCP: You can push DHCP addresses to VPN clients, but most home routers have a very basic DHCP server that you can't do this with. If you are running something like dhcpd or Windows Server DHCP, I'm sure there is a way to push them.
I'm gonna test this with Edgy later on; I'm sure you will be able to do the exact same stuff and have it work.
If you are a VPN client and want to use the VPN for your internet, you will need to set a proxy up at your office and point your web browser to it. If not, you will continue to browse the internet with whatever connection you have.
There are A LOT more options for OpenVPN; if you would like to review them, check out the site!
-
November 1st, 2006, 12:40 PM #6
Nice write-up! Very few quality howtos on the net for this. Most are broken and/or incomplete. What makes matters worse is that OpenVPN doesn't come with sample config files, at least not for Slackware/Debian.
Thank you, I have been cheating with an OpenVPN plugin for IPCop. I will give your walkthrough a go this weekend.
Oh, one question: does liblzo come with Ubuntu? I don't think it does with other distros.
Thanks,
dan
If you believe it is important for future generations to learn about computers, please help: http://computer4kids.us
-
November 1st, 2006, 01:33 PM #7
flashing, OpenVPN has a sample server/client config here:
http://openvpn.net/howto.html#server
I'm not sure if liblzo is on an install by default.
http://packages.ubuntulinux.org/hoar...vel/liblzo-dev
I'm sure a simple apt-get will install it if it isn't.
-
November 8th, 2006, 11:50 AM #8
Just a heads up, for those running DD-WRT v23 SP2 there seem to be some issues with the advanced routing portion (I even tried the latest v24 beta). I went back to the latest version of HyperWRT Thibor and it's working like a champ!
Also I noticed I had to run this command to enable routing when I restart the server:
echo 1 > /proc/sys/net/ipv4/ip_forward
I'm trying to figure out how to make this start on its own.
Seems this is the fix (appending, so the rest of the file is kept):
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
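The fix above works, but a second run appends a duplicate line, and the single-> form it replaced would have wiped everything else in /etc/sysctl.conf. The script below is an added example (not from the thread): it sets a key in a sysctl-style file idempotently, replacing an existing or commented-out line for that key and appending only when none exists, and applies the value at runtime the same way the post does via /proc. The file path is a parameter so it can be tried on a copy first; only sh, grep, awk and mktemp are needed.

```shell
#!/bin/sh
# Added example (not from the thread): persist a sysctl setting without
# clobbering the file or piling up duplicate lines.

# set_sysctl_key FILE KEY VALUE
# Rewrites an existing "KEY = ..." line (commented out or not) to KEY = VALUE,
# otherwise appends one. Other lines are kept verbatim; file permissions are kept.
set_sysctl_key() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp)
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]*=" "$file"; then
        awk -v k="$key" -v v="$value" '
            $0 ~ "^[# \t]*" k "[ \t]*=" { print k " = " v; next }
            { print }' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_sysctl_key KEY FILE
# Prints the value the file assigns to KEY (last uncommented line wins,
# which is the order sysctl applies them); prints an empty line if unset.
get_sysctl_key() {
    awk -F= -v k="$1" '
        $1 ~ "^[ \t]*" k "[ \t]*$" { gsub(/[ \t]/, "", $2); v = $2 }
        END { print v }' "$2"
}

# enable_ip_forward [FILE]   (FILE defaults to /etc/sysctl.conf)
# Persists net.ipv4.ip_forward=1 and turns it on now, like the post's echo.
enable_ip_forward() {
    set_sysctl_key "${1:-/etc/sysctl.conf}" net.ipv4.ip_forward 1
    if [ -w /proc/sys/net/ipv4/ip_forward ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}
```

Check the result with get_sysctl_key net.ipv4.ip_forward /etc/sysctl.conf; the value must read 1 or the VPN clients' packets will not be routed to the home subnet after a reboot.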
-
November 16th, 2006, 02:56 PM #9
Minor but crucial correction.
Thanks for the howto. However, the first letter of each config parameter must NOT be capitalized; otherwise it causes errors. This affects both server and client configs.
Stephen.
-
November 16th, 2006, 05:20 PM #10
Aw, I didn't catch that; I guess I can thank MS Word for that.
-
December 1st, 2006, 11:02 AM #11
Thanks so much for the howto. Not sure I even qualify as a noobie, but I do have a problem, and I suspect it is related to the fact that I am an idiot. I can get so far through the howto, but in the section around CREATE KEYS FOR THE SERVER AND THE CLIENTS, when I type in gzip -d pkitool.gz I get the error "gzip: pkitool.gz: No such file or directory", and of course after that the subsequent permission denied when I try to build-ca. Help, thoughts appreciated.
-
December 1st, 2006, 11:10 AM #12
Are you in the correct directory when you try to do the gzip command for pkitool?
Do you see the pkitool file when you do the list command on the directory?
Are you sudo'd in when trying it?
-
December 1st, 2006, 11:26 AM #13
Wow, thanks for the quick response. Yes, I am in the right directory "/usr/share/doc/openvpn/examples/easy-rsa/2.0", yes I see the pkitool file, and no, I am not sudo as I am logged in as root.
-
December 1st, 2006, 11:58 AM #14
Can you copy and paste what you get when you do the ls command and when you try the gzip command with the error? Just so I can see what you are doing.
I just tried out gzip -d pkitool.gz on my VMware image and it worked fine.
-
December 1st, 2006, 12:06 PM #15
Here is the ls:
build-ca build-key-pass build-req-pass list-crl revoke-full
build-dh build-key-pkcs12 clean-all openssl.cnf sign-req
build-inter build-key-server inherit-inter pkitool vars
build-key build-req keys README.gz
Here is what gets returned:
root@ubuntu:/usr/share/doc/openvpn/examples/easy-rsa/2.0# gzip -d pkitool.gz
gzip: pkitool.gz: No such file or directory
And also here is what I get when I do the clean-all and build-ca:
root@ubuntu:/usr/share/doc/openvpn/examples/easy-rsa/2.0# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys
root@ubuntu:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./clean-all
root@ubuntu:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-ca
./build-ca: line 8: /usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool: Permission denied
root@ubuntu:/usr/share/doc/openvpn/examples/easy-rsa/2.0#
Any help gratefully appreciated!
-
December 1st, 2006, 12:22 PM #16
You don't have the pkitool.gz file. You already have the pkitool folder, so you can skip that.
What shows up when you do ls -l build-ca?
-
December 1st, 2006, 12:30 PM #17
root@ubuntu:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ls -l build-ca
-rwxr-xr-x 1 root root 121 2005-11-02 13:42 build-ca
THX
-
December 1st, 2006, 12:35 PM #18
try chmod +x pkitool and see if that corrects it
-
January 16th, 2007, 09:59 PM #19
I have several questions. You mention "Now when you were configuring the client.conf file you had a line in there 'dev-node mytap'", but never did this in the conf files. Is there something missing? When I finish doing all of this and try to run /etc/init.d/openvpn start I get "Starting virtual private network daemon: server (FAILED)". Am I supposed to start the "server" VPN? I think this might be related to the previous problem with not setting the VPN name?
Also, you refer to client.conf (in the problem I just stated). May I assume you are talking about the clients.ovpn you made?
Thanks for your help!
Zach
aim: zachhale
gtalk: zachhale()gmail.com
-
January 17th, 2007, 11:31 AM #20
That client config has nothing to do with starting the server. If you are getting "server (FAILED)" it means something in the config file on the server is not set up right.
As for the client.conf and mytap, I have updated that part of the post. You are correct, I left out the mytap portion. Thanks for the heads up.
Please post your server.conf file so I/others can review it.