+ Reply to Thread
Page 1 of 3 1 2 3 LastLast
Results 1 to 20 of 48
  1. #1
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    34,953
    Blog Entries
    62

    HOWTO: Openvpn and Ubuntu (Dapper)

    Starting Off

    This is for Dapper ubuntu and openvpn

    http://www.ubuntu.com/

    http://openvpn.net/

    (Once again thanks to my old boss for the help!)

    Okay so the wonderful world of VPNs used by many business to add remote access to the network for those who travel. I will be using the latest Ubuntu version (dapper) and openvpn. (http://openvpn.net/) I really only made this as a reference for me if I ever needed to set it up again but ill post on it here if others want to play around with.

    Okay first you will need to edit the source.list for apt-get (located in /etc/apt/sources.list) uncomment all the repositories. Do an apt-get update and then apt-get upgrade to download and install the latest updates for the os. Next you will want to install the openvpn software.

    Type:
    Apt-get install openvpn (it should download and install itself.)
    Apt-get install openssl

    *note* I would recommend installing ssh

    Apt-get install ssh

    Now im not going to go into all the details of VPN (the difference between bridging and routing as you can read about that on the openvpn site). Iím going to go with the routing as it seems a lot simpler to set up and if you look at the opensite, and it does everything I want it to do.

    From here we are going to setup the server.conf file for the server (/etc/openvpn)

    Now there are a lot of options when it comes to setting up the server. Iím only doing the basic to get it up and running and allow you to connect to the server. (There are more advance things you can do with this software). Before we start I just want to add something. I created a folder in the openvpn directory called keys for the certificates.

    If you would like to do this, then type mkdir keys in /etc/openvpn

  2. #2
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    34,953
    Blog Entries
    62
    CONFIGURE THE SERVER

    So from here we type vi which will give you a visual prompt. Press the insert key to start typing.



    First we will start off with the vpn port. The default port Openvpn runs on is 1194 using UDP. You can change this to something else and also use TCP instead of UDP if you choose.

    *note* (the # means this is a comment, I put the comments in for reference for myself if I ever need to go back)


    #VPN Port
    Port 1194

    #Local address (this is the address of the network card from your subnet, I suggest you make this machine have a static ip address)
    Local 192.168.x.x

    #Protocol for the VPN (remember you can use UDP or TCP, I use TCP)
    Proto tcp

    #Ethernet routing (like I stated above I picked routing over bridging)
    Dev tun0

    #Key location
    Ca keys/ca.crt
    Cert keys/server.crt
    Key keys/server.key #secret file

    # Diffie hellman parameters. (This is the cryptography)
    Dh keys/dh1024.pem

    #VPN DHCP Pool
    Server 10.8.1.0 255.255.255.0

    *note 10.8.1.0 is the address range for my VPN clients. Please note like most of the home routers out there. They use the 192.168.1.x range. If you go to a friends house or on a network that uses the 192.168.1.x the vpn will not work. So to combat this, you should change your network address range to something that isnít used very often. (Please review the private addresses to get some ideas). I have changed my ip address subnet on my homework to 192.168.2.x/24*

    #Gateway Push (this tells the server to push my subnet to any vpn client connecting, make sure you donít forget the quotes)
    Push ďroute 192.168.2.0 255.255.255.0Ē

    #VPN static ip address pool. It makes sure that a given PKI certificate ALWAYS GETS THE SAME IP on the VPN tunnel
    Ifconfig-pool-persist client-addresses.txt

    (inside this file I just have name,ip I want to use. So in my case it would have

    Groundzero3,10.8.1.6
    #Allow vpn clients to communicate with each other (this is an optional option, for a work environment I was informed its not good to enabled this option)
    Client-to-client

    #keepalive
    Keepalive 10 120

    #more cryptographic cipher options
    Cipher AES-128-CBC

    #compression
    Comp-lzo

    #openvpn priv after init.
    User nobody
    Group nogroup

    Persist-key
    Persist-tun

    #This is the status log file for openvpn
    Status openvpn-status.log

    Log openvpn

    Verb 3

    Mute 20

    To save the file press escape the type :wq server.conf

    Thatís pretty much it. Remember the stuff in parentheses are just explaining the comment areas so they are not needed in the config file.

  3. #3
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    34,953
    Blog Entries
    62
    CREATE KEYS FOR THE SERVER AND THE CLIENTS

    Change to the directory /usr/share/doc/openvpn/examples/easy-rsa/2.0

    Vi vars and change
    export KEY_COUNTRY=" "
    export KEY_PROVINCE=""
    export KEY_CITY=" "
    export KEY_ORG=""
    export KEY_EMAIL=""

    To whatever you want
    gzip -d pkitool.gz

    type the command ./vars
    ./clean-all
    ./build-ca

    You will be asked to answer the questions you filled up top.

    ./build-key-server server

    You will have to answer the same questions above. It will ask you for a password, I suggest you donít put a password when it ask.

    Click yes to sign the certificate.

    Now to build the client files.

    Type ./build-key client1
    And once again you will need to answer the questions above. I still donít recommend you putting a password as it can cause problems when I have tried.

    Next you will want to type ./build-dh

    All the files you just generated are located in /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys

    If you do a list command in the keys folder you should have something like:

    01.pem ca.key client1.key index.txt.attr serial server.csr
    02.pem client1.crt dh1024.pem index.txt.attr.old serial.old server.key
    ca.crt client1.csr index.txt index.txt.old server.crt

    Now you have to be careful with these files. Files such as the ca.key (THIS IS THE MOST IMPORTANT FILE TO PROTECT), server.key and the client1.key files are the ones that really need to be protected. Saying that all files should be protected but those I just listed are the ones you donít want to be leaving laying around.

    Copy the files ca.crt, ca.key, dh1024.pem, server.crt, and server.key to the /etc/openvpn/keys

    cp ca.key ca.crt dh1024.pem server.key server.crt /etc/openvpn/keys/

    We will worry about the client files after we configure the client config file.

  4. #4
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    34,953
    Blog Entries
    62
    CONFIGURE THE CLIENTS

    The configuration file is pretty straight forward as you set it up almost like the server.conf file above.

    You can create this using notepad in windows or use VI again.

    #Tell this is a client
    Client

    #Name of the VPN network connection. (in network neighborhood, i changed the name from the defualt vpn network card to HomeVPN so i can tell the difference between the different network adapters on the computer)
    dev-node HomeVPN* *the name is whatever your vpn network adapter shows up in network neighborhood

    #Protocol the VPN uses
    Proto tcp

    #Type of VPN connection (you will notice you have tun0 on the server, and tun on the clients)
    dev tun

    #ip address of the VPN Server. This is your WAN ip address is
    Remote 192.168.2.110

    #Something dealing with the keys
    persist-key
    persist-tun

    #The keys for the clients (see below for more info)
    ca ca.crt
    cert client.crt
    key client.key

    #The server is using aes-128-cbc so we need to tell the client to use that
    cipher aes-128-cbc

    #Compression as the same on the server
    comp-lzo

    verb 3


    mute 20


    If you are using vi save it :wq clients.ovpn

    Now download the OpenVPN gui

    http://openvpn.se/ (openvpn-2.0.9-gui-1.0.3-install.exe)

    Install program (I used all the default settings) You will get prompt with this notice



    Click continue anyway

    If you right click network neighborhood and click properties you will see the new network interface. Now when you were configuring the client.ovpn file you had a line in there ďDev-node mytapĒ. Now I usually rename the vpn interface to homevpn so itís easier to distinguish the difference of the interefaces. Whatever you name the interface (if you rename it, make sure you change the name of mytap and itís case sensitive).

    So in my config file I have dev-node homevpn. Itís very important to remember if you rename it to change that line or the vpn config file will fail.


    copy the file client1.crt and client1.key and ca.crt from the folder where the other keys are located to your home directory. The .key file is the one you want to keep to yourself!

    Now you will need to get winscp to download the files from a Linux environment to a windows environment. (if you get a permission error from winscp type chown sudo name then client1.*) The sudo name is the root login name you made for the machine.

    Before you copy my boss noted that sometimes coping over from Linux to windows can cause some issues with the files, when you drag the file over you will get a prompt to press copy. Before you do click more then click binary then you can press copy


    Copy these files into

    C:\Program Files\openvpn\config also place your client.ovpn into this folder too

    Right click on the client.ovpn and click start openvp on this config file. A dos box should pop up and when its done connecting to the VPN you should see ďInitialization Sequence CompletedĒ If you close this DOS box you will disconnect from the VPN

    Now the VPN is connected you need to setup up a route to the vpn subnet so 192.168.x.x or whatever can communicate with vpn clients. Log into the router (for this im gonna go through a linksys router, you must bear with me as im using the DD-WRT firmware) . If you are running the default firmware you would click the first tab and see the advance routing tab. Click it then for the destination LAN address type in your VPN subnet. In my case it would be 10.8.1.0, gateway 255.255.255.0 and the gateway will be the address of the VPN server. So if your vpn server internal address is 192.168.1.50 you would but that as the gateway.

    Now if you are a vpn client on the road and want to access a server recourse you can type in run

    \\192.168.1.100\music. You have to use the ip address of the server, name resolution for a routed vpn does not work. I have tried to stream music over a vpn, its a hit or miss depending on your connection and the speed of the vpn server.

    Also note i am running the vpn server in a vmware and it works great

  5. #5
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    34,953
    Blog Entries
    62
    MISC

    DHCP- You can push DHCP address to vpn clients but most home routers have a very basic DHCP server that you cant do with this. If you are running something like DHCPD or Windows Server DHCP, im sure there is a way to push them.

    Im gonna test this with edgy later on, im sure you will be able to do the exact stuff and have it work

    If you are a vpn client and want to use the vpn for your internet, you will need to set a proxy up at your office and point your web browser to it. If not you will continue to browse the internet with whatever connection you have.

    There are ALOT more options for openvpn, if you would like to review them check out the site!

  6. #6
    Senior Member flashingcurser's Avatar
    Join Date
    Jan 2002
    Location
    ThirdWorld- Montana
    Posts
    607
    Nice write-up! Very few quality howto's on the net for this. Most are broken and/or incomplete. What makes matters worse is that openvpn doesn't come with sample config files, at least not for slackware/debian.

    Thank you, I have been cheating with a openvpn plugin for ipcop. I will give your walkthrough a go this weekend.

    Oh one question: does liblzo come with ubuntu? I don't think it does with other distro's.


    Thanks,


    dan
    If you believe it is important for future generations to learn about computers. Please help--- http://computer4kids.us

  7. #7
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    34,953
    Blog Entries
    62
    flashing, openvpn has a sample server/client config here

    http://openvpn.net/howto.html#server

    im sure sure if liblzo is on an install by default.

    http://packages.ubuntulinux.org/hoar...vel/liblzo-dev

    Im sure a simple apt-get will install it if it isnt.

  8. #8
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    34,953
    Blog Entries
    62
    Just a heads up, for those running DD-wrt v23 SP2 there seems to be some issues with the advance routing portion. ( I even tried the latest v24 beta) I went back to the latest version of HyperWRT Thibor and its working like a champ!


    Also i noticed i had to do the command to enable routing

    echo 1 > /proc/sys/net/ipv4/ip_forward
    when i restart the server. I'm trying to figure out how to make this start on its own.


    seems this is the fix

    echo "net.ipv4.ip_forward=1" > /etc/sysctl.conf

  9. #9
    Junior Member
    Join Date
    Nov 2006
    Posts
    1

    Minor but crucial correction.

    Thanks for the howto. However first letters of each config parameter must NOT be capitalized. otherwise it causes errors. This affects both server and client configs.

    Stephen.

  10. #10
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    34,953
    Blog Entries
    62
    aw i didn't catch that, i guess i can thank MS word for that

  11. #11
    Junior Member
    Join Date
    Dec 2006
    Posts
    4
    Thanks so much for the how to, not sure I even qualify as a Noobie, but I do have a problem and I suspect it is related to the fact that I am an idiot but I can get so far theough the how to but in the section around CREATE KEYS FOR THE SERVER AND THE CLIENTS... when I type in gzip -d pkitool.gz I get the error "gzip: pkitool.gz: No such file or directory" and of course after that the subsequent permission denied when I try to build-ca. Help, thoughts appreciated

  12. #12
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    34,953
    Blog Entries
    62
    are you in the correct directory when you try to do gzip command for pkitool?

    Do you see the pkitool file when you do the list command on the directory?

    Are you sudo in when trying it?

  13. #13
    Junior Member
    Join Date
    Dec 2006
    Posts
    4
    wow, thanks for the quick response yes i am in the right directory "/usr/share/doc/openvpn/examples/easy-rsa/2.0", yes i see the pkitool file and no I am not sudo as I am logged in as root.

  14. #14
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    34,953
    Blog Entries
    62
    can you copy and paste when you do the ls command and when you try the gzip command with the error. Just so i can see what you are doing.

    I just tried out the gzip -d pkitool.gz on my vmware image and worked fine.

  15. #15
    Junior Member
    Join Date
    Dec 2006
    Posts
    4
    here is the ls..
    build-ca build-key-pass build-req-pass list-crl revoke-full
    build-dh build-key-pkcs12 clean-all openssl.cnf sign-req
    build-inter build-key-server inherit-inter pkitool vars
    build-key build-req keys README.gz

    here is what gets returned..


    root@ubuntu:/usr/share/doc/openvpn/examples/easy-rsa/2.0# gzip -d pkitool.gz
    gzip: pkitool.gz: No such file or directory

    and also here is what I get when id o the clean-all and build-ca..

    root@ubuntu:/usr/share/doc/openvpn/examples/easy-rsa/2.0# source ./vars
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys
    root@ubuntu:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./clean-all
    root@ubuntu:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ./build-ca
    ./build-ca: line 8: /usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool: Permission denied
    root@ubuntu:/usr/share/doc/openvpn/examples/easy-rsa/2.0#

    any help gratefully appreciated!

  16. #16
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    34,953
    Blog Entries
    62
    You don't have the pkitool.gz file. You already have the pkitool folder so you can skip that

    what shows up when you do ls -l build-ca

  17. #17
    Junior Member
    Join Date
    Dec 2006
    Posts
    4
    root@ubuntu:/usr/share/doc/openvpn/examples/easy-rsa/2.0# ls -l build-ca
    -rwxr-xr-x 1 root root 121 2005-11-02 13:42 build-ca

    THX

  18. #18
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    34,953
    Blog Entries
    62
    try chmod +x pkitool and see if that corrects it

  19. #19
    Junior Member
    Join Date
    Jan 2007
    Posts
    1
    I have several questions. You mention "Now when you were configuring the client.conf file you had a line in there ďDev-node mytapĒ." but never did this in the conf files. Is there something missing? When I finish doing all of this and try to run /etc/init.d/openvpn start I get a Starting virtual private network daemon: server(FAILED). Am I supposed to start the "server" vpn? I think this might be related to the previous problem with not setting the vpn name?

    Also, you refer to client.conf (in the problem I just stated). May I assume you are talking about the clients.ovpn you made?

    Thanks for your help!
    Zach
    aim:zachhale
    gtalk:zachhale()gmail.com

  20. #20
    Goverment property now GroundZero3's Avatar
    Join Date
    Oct 2001
    Location
    NOVA
    Posts
    34,953
    Blog Entries
    62
    That client config has nothing to do with starting the server. If you are getting a server (failed) it means something in your config file on the server is not set up right.

    As for the client.conf and my tap, i have updated that part of the post. You are correct i left out the mytap portion. Thanks for the heads up.

    Please post your server.conf file so i/others can review it.

Quick Reply Quick Reply

If you are already a member, please login above.

What is the color of the sky?

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Ubuntu Dapper (can't be pinged by host name)
    By gberz3 in forum Linux and Unix
    Replies: 9
    Last Post: August 4th, 2006, 11:52 PM
  2. Ubuntu Dapper Wireless Configuration
    By HOlmes101 in forum Linux and Unix
    Replies: 28
    Last Post: July 9th, 2006, 05:13 PM
  3. HOWTO: Install vmware server on Ubuntu 5.10
    By GroundZero3 in forum Linux and Unix
    Replies: 8
    Last Post: June 5th, 2006, 10:10 PM
  4. Ubuntu Dapper 6.06
    By GroundZero3 in forum Linux and Unix
    Replies: 2
    Last Post: June 1st, 2006, 01:50 PM
  5. Howto
    By athlonxpguy in forum Linux and Unix
    Replies: 8
    Last Post: September 18th, 2003, 08:46 PM

Posting Permissions

  • You may post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Copyright 2014 All Enthusiast, Inc