Hi Folks, there are a lot of VPN howtos out there, and here I am making one more. Well, if the format I'm putting it in helps some of you install your VPN, great. That is all I'm wishing for. Besides, because I have a very short memory, every time I discover something I make a note of it, and this blog post is one of those notes, a reminder for myself as well.

Note: I will not explain much of what I list here. Sometimes I add comments, but only the minimum.

Installing OpenVPN

Installing the packages

apt-get update
apt-get upgrade --show-upgraded
apt-get install openvpn udev

For Debian Squeeze/Wheezy
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
For Debian Jessie, follow the instructions in the following HowTo:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8

To make the service start properly at boot time:
Edit the file /etc/init.d/openvpn and change the file headers:
DELETE the lines:
# Should-Start: network-manager
# Should-Stop: network-manager

Adapt the values at the bottom of the FILE:
mcedit /etc/openvpn/easy-rsa/2.0/vars
eg.
export KEY_COUNTRY="DE"
export KEY_PROVINCE="Berlin"
export KEY_CITY="Berlin"
export KEY_ORG="MyORG"
export KEY_EMAIL="myname@myorg.com"

Initialize the Public Key Infrastructure (PKI)
Issue the following commands to create the CA and Public Key infrastructure:
cd /etc/openvpn/easy-rsa/2.0/
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/clean-all
. /etc/openvpn/easy-rsa/2.0/build-ca

Generate Certificates and Private Keys
. /etc/openvpn/easy-rsa/2.0/build-key-server server
(Answer all questions as appropriate)

Generate Diffie-Hellman parameters (used for the key exchange)
. /etc/openvpn/easy-rsa/2.0/build-dh

The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them.
The commands are:
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/2.0/keys/ca.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/
cp /etc/openvpn/easy-rsa/2.0/keys/server.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/2.0/keys/server.key /etc/openvpn/
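Since the listing above copies private keys next to the server config, it is worth checking afterwards that nobody but their owner can read them. The following is an added example, not part of the original howto: a POSIX sh check that reports any *.key file in a directory that is group- or world-readable, plus a helper that tightens them to mode 600. The demo directory it creates is constructed; on the server you would point it at /etc/openvpn and at the easy-rsa keys/ directory. (The server process itself only reads ca.crt, not ca.key, so a stricter setup keeps ca.key off the server entirely; the check below does not enforce that.)

```shell
#!/bin/sh
# Added example, not part of the original howto: verify that OpenVPN private
# keys are readable by their owner only. Uses only POSIX sh, ls and cut, so it
# behaves the same on Debian and on macOS.

# insecure_keys DIR -> print every *.key file under DIR whose permissions grant
# anything to group or others; exit 1 if one was found, 0 if all are private.
insecure_keys() {
    dir="$1"
    found=0
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue                 # no *.key present: glob stays literal
        perms=$(ls -ld "$f" | cut -c2-10)       # e.g. rw-r--r--
        case "$perms" in
            ???------) ;;                       # group and other bits all clear
            *) echo "$f: $perms, expected rw-------"; found=1 ;;
        esac
    done
    return "$found"
}

# secure_keys DIR -> chmod 600 every *.key under DIR (owner read/write only).
secure_keys() {
    for f in "$1"/*.key; do
        [ -f "$f" ] || continue
        chmod 600 "$f"
    done
}

# Usage on a constructed demo directory (use /etc/openvpn on a real server).
demo=$(mktemp -d)
: > "$demo/server.key"; chmod 644 "$demo/server.key"   # deliberately too open
: > "$demo/ca.key";     chmod 600 "$demo/ca.key"
if insecure_keys "$demo"; then
    echo "all keys in $demo are private"
else
    secure_keys "$demo"
    insecure_keys "$demo" && echo "permissions fixed in $demo"
fi
rm -rf "$demo"
```

Run it once after the cp commands above and again after any key rotation; a non-zero exit status from insecure_keys is the signal to act.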

OPTIONAL:
Note: If you need to remove a user's access to the VPN server, issue the following command sequence.
This will prevent 'client1' from connecting to your VPN server any further.
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/revoke-full client1

Configure the Virtual Private Network (using the example files as a start)
cd /usr/share/doc/openvpn/examples/sample-config-files
gunzip -d server.conf.gz
cp server.conf /etc/openvpn/
cp client.conf ~/
cd ~/

Edit the config file: /etc/openvpn/server.conf and make sure only the following parameters are active.
(modify the parameters as suited for your environment, eg. ca,cert,key,server)
To verify afterwards just run the command:
egrep -v '^#|^;|^$' /etc/openvpn/server.conf
and you should get the following (except for the environment dependent values)

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key            <............ This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client          <............ Allows VPN clients to communicate with each other
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
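The egrep command above shows which directives are active, but it is easy to miss one when comparing by eye. The following is an added example, not part of the original howto: a small POSIX sh audit that extracts the active directives the same way, checks that the ones this howto relies on are present, and warns when crl-verify is missing, because without that directive the server keeps accepting certificates that were revoked with revoke-full (easy-rsa 2.0 writes the CRL to keys/crl.pem). The sample config it writes is constructed to match the listing above; the same functions work on the client.conf listings further down.

```shell
#!/bin/sh
# Added example, not part of the original howto: audit an OpenVPN server.conf.
# Requires only POSIX sh, grep, sed and awk.

# active_directives CONFIG -> print the active directives: comment lines
# (# or ;) and blank lines are dropped, trailing # / ; annotations and leading
# blanks are removed. This is the egrep from the howto, made a little stricter.
active_directives() {
    grep -v -E '^[[:space:]]*(#|;|$)' "$1" \
        | sed -e 's/[[:space:]]*[#;].*$//' -e 's/^[[:space:]]*//'
}

# has_directive CONFIG NAME -> exit 0 if NAME is active, 1 otherwise.
has_directive() {
    active_directives "$1" | awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# directive_value CONFIG NAME -> print the arguments of the first active NAME
# line ("1194" for port, "10.8.0.0 255.255.255.0" for server); prints nothing
# when the directive is absent or takes no arguments.
directive_value() {
    active_directives "$1" \
        | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }'
}

# audit_server_conf CONFIG -> exit 0 when every directive the howto expects is
# set; otherwise list the missing ones on stderr and exit 1. The crl-verify
# warning is a reminder only and does not change the exit status.
audit_server_conf() {
    cfg="$1"
    missing=""
    for d in port proto dev ca cert key dh server persist-key persist-tun; do
        has_directive "$cfg" "$d" || missing="$missing $d"
    done
    has_directive "$cfg" crl-verify \
        || echo "warning: $cfg has no crl-verify; revoked client certificates are still accepted" >&2
    if [ -n "$missing" ]; then
        echo "$cfg: missing directives:$missing" >&2
        return 1
    fi
    return 0
}

# write_sample_conf PATH -> constructed sample matching the listing above,
# plus two commented-out lines that the audit must ignore.
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
;tls-server
# crl-verify crl.pem
EOF
}

# Usage: audit the constructed sample (use /etc/openvpn/server.conf on a real host).
sample=$(mktemp)
write_sample_conf "$sample"
audit_server_conf "$sample" && echo "$sample: required directives present"
rm -f "$sample"
```

On a real server the warning is the part to act on: after a revoke-full, add "crl-verify crl.pem" to server.conf, copy keys/crl.pem next to the other files in /etc/openvpn, and restart the service.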

Start the VPN server
service openvpn restart
Verify that the VPN network interface has been created:
ifconfig tun0
Important Note:
Make sure your firewall doesn't block UDP port 1194 for access from the Internet.

Creating new Client Certificates:

Note:
The following steps will need to be done for each VPN client machine:

ON VPN SERVER

Using the CA key generated above, generate the client certificate:
(replace 'client1' with the name of your client, without spaces)
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
. /etc/openvpn/easy-rsa/2.0/build-key client1

Transfer the keys/certificates from the server to the client machines (if they are Linux with SSH running):
(Commands done on the server)
Copy the certificate, CA certificate and key to the client machine:
ssh root@remote_client mkdir -p /etc/openvpn
scp /etc/openvpn/easy-rsa/2.0/keys/ca.crt root@remote_client:/etc/openvpn/
scp /etc/openvpn/easy-rsa/2.0/keys/client1.crt root@remote_client:/etc/openvpn/
scp /etc/openvpn/easy-rsa/2.0/keys/client1.key root@remote_client:/etc/openvpn/

Note: To allow multiple clients to connect to the server at the same time with the same client certificate, add the following server start argument in:
File: /etc/default/openvpn
OPTARGS=" --duplicate-cn "

ON LINUX VPN CLIENTS:

Client configuration on Ubuntu 11.10

apt-get install openvpn network-manager-openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
Edit the file /etc/openvpn/client.conf and make sure only the following parameters are active.
(modify the parameters as suited for your environment, eg. ca,cert,key,remote)
To verify afterwards just run the command:
egrep -v '^#|^;|^$' /etc/openvpn/client.conf
and you should get the following (except for the environment dependent values)
client
dev tun
proto udp
remote www.itmatrix.eu 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/ubuntu1110.crt
key /etc/openvpn/ubuntu1110.key
ns-cert-type server
comp-lzo
verb 3

- Open a terminal/console; we need to create a new key and certificate for this new VPN client
- Connect to the VPN server as 'root' using the ssh command, e.g. ssh root@host.myvpn.com
- Run the following commands:
cd /etc/openvpn/easy-rsa/2.0/
source ./vars
. /etc/openvpn/easy-rsa/2.0/build-key ubuntu1110

- Answer the questions; skip the optional questions (just press Enter)
and type 'yes' when asked to sign the certificate.
Now we have created a new certificate for this ubuntu1110 client
- Log off ssh ('exit' command)

- (back into our desktop terminal) run the following commands:
sudo su -
mkdir -p /etc/openvpn/
scp root@host.myvpn.com:/etc/openvpn/easy-rsa/2.0/keys/ubuntu1110.* /etc/openvpn/
scp root@host.myvpn.com:/etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/

Temporarily making the private key readable by the Ubuntu user for configuration
cd /etc/openvpn/
chmod 644 ubuntu1110.key
chown user:group ubuntu1110.* ca.crt

(user:group = user and group of the graphic interface)
- Now we should have 3 files (CA certificate, client certificate and client key) transferred into the OpenVPN config directory on the client machine

Connecting to the VPN server from client

Using the Linux command line

Start the VPN tunnel:
openvpn --config /etc/openvpn/client.conf & disown %1
Check the interface of the VPN tunnel:
ifconfig tun0

Finding out the IP of the Remote VPN Server (using the normal Internet way):
ssh root@vpnserver.vpn ifconfig tun0 | grep inet | awk '{print $2}' | cut -d: -f2

Connecting to the VPN server via the newly created VPN Tunnel: eg.
ssh root@10.8.0.1

Stopping the VPN on the client
killall openvpn

Using the Ubuntu Network Manager

Client OpenVPN for Ubuntu 11.10

- Start Ubuntu Software Center
- Click on 'All Software' Button (left top)
- Enter the word 'VPN' in the search field (Right top)
- Double Click on 'Network' (Network manager Gnome)
- In 'Add-ons' List Select 'Open VPN Plugin Gnome GUI' and leave the others unselected.
- Click on 'Apply Changes' button (middle right)
- Enter your password to allow the installation
- Once fully installed, close 'Ubuntu Software Center' window.
- Click on 'Systems Settings' Icon (left middle)
- Click on 'Network' Icon
- Click on '+' (bottom left of window)
- Select 'VPN' and click on 'Create' button
- Select 'OpenVPN' (middle dropdown menu) and click on 'Create' button
- Enter the connection name in the field 'Connection Name' (e.g. MyVPNServer or VPN Server 1)
- Select the Option 'Connect Automatically'
- In the 'Gateway' Field enter the address or FQDN of the VPN server
- In Authentication section:
- select 'Certificates(TLS)' in Type Drop down Menu.
- Click in User Certificate field and select the file /etc/openvpn/ubuntu1110.crt
- Click in Ca Certificate field and select the file /etc/openvpn/ca.crt
- Click in Private Key field and select the file /etc/openvpn/ubuntu1110.key
- Enter a password to protect the use of your private key
- Click on Advanced Button (right down of window)
- Select 'Use UDP connection' and 'Use LZO Data Compression'
- Click on 'OK', then 'Save' and finally 'Close'
- Go back to your terminal and protect your VPN key (stored in /etc/openvpn/) run the command:
chmod 600 /etc/openvpn/ubuntu1110.key

Making the VPN connection
- On upper right Ubuntu system Control Bar, Click on the Icon which has 2 Arrows
(one pointing up and one pointing down)
- Select 'VPN Connection'
- Click on your VPN connection name eg. MyServer
- The connection should start after a few seconds.

- Check the interface of the VPN tunnel from your terminal:
/sbin/ifconfig tun0

- Connect to the VPN server through the VPN tunnel:
Find out the IP of the Remote VPN Server (using the normal Internet way):
ssh root@vpnserver.vpn ifconfig tun0 | grep inet | awk '{print $2}' | cut -d: -f2
eg. Answer: 10.8.0.1
Connect to the VPN server via the Tunnel:
eg.
ssh root@10.8.0.1
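The "ifconfig tun0 | grep inet | awk '{print $2}' | cut -d: -f2" pipeline used here and in the command-line section above only works with the old net-tools output format ("inet addr:10.8.0.1"); on newer net-tools, on macOS and with iproute2 the address has no "addr:" prefix and the cut returns nothing. The following is an added example, not part of the original howto: a POSIX sh function that extracts the tunnel IPv4 address from any of those formats and fails cleanly when the tunnel is not up. The three sample outputs are constructed, not captured from the author's server.

```shell
#!/bin/sh
# Added example, not part of the original howto: extract the first IPv4 address
# from ifconfig or `ip addr` output read on stdin. Exits 1 if none is present
# (e.g. the tunnel is down), so it can be used in conditions.
tun_ipv4() {
    awk '
        $1 == "inet" {
            v = $2
            sub(/^addr:/, "", v)     # old net-tools: inet addr:10.8.0.1
            sub(/\/.*$/, "", v)      # iproute2:      inet 10.8.0.1/24
            print v
            found = 1
            exit
        }
        END { exit !found }
    '
}

# Constructed sample outputs for the three formats (not real captures):
SAMPLE_OLD='tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'
SAMPLE_NEW='tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2'
SAMPLE_IP='5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN
    link/none
    inet 10.8.0.1/24 scope global tun0'

# Usage: on a live host replace the printf with `ifconfig tun0`, `ip addr show tun0`,
# or the ssh command above to query the server's tunnel address.
printf '%s\n' "$SAMPLE_OLD" | tun_ipv4
printf '%s\n' "$SAMPLE_NEW" | tun_ipv4
printf '%s\n' "$SAMPLE_IP"  | tun_ipv4
```

A typical use on the client is "server_ip=$(ssh root@vpnserver.vpn ifconfig tun0 | tun_ipv4) || echo 'tunnel not up'", which replaces the grep/awk/cut chain regardless of which ifconfig the server ships.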

Extra Note:

To allow a user to log in with SSH without having to type a password, run the following commands while logged in as that user (this works for root as well):

On the client machine

Create an RSA key pair for the user
ssh-keygen
(just press Enter for all questions)
Send the user's new public key to ~/.ssh/authorized_keys on the remote server:
ssh-copy-id 10.8.0.1
(type the password)
Now you can log in to 10.8.0.1 without a password:
ssh 10.8.0.1

OSX OpenVPN Clients

- Install Tunnelblick Application from:
http://code.google.com/p/tunnelblick/wiki/DownloadsEntry?tm=2

- Edit the client config file (/etc/openvpn/client.conf)
and replace the parameters appropriately, just as above for Linux.

- Start Tunnelblick application
- When asked 'Do you have any configuration file?' select 'I have configuration files'
- When asked 'Which type of Configuration do you have?' select 'OpenVPN Configuration(s)'
- When asked 'Which type of configuration do you wish to create?' select 'Open Private Configurations Folder'
Tunnelblick will open a Finder window where its OpenVPN files should be copied;
wait here before answering anything and proceed to the next step.

- Copy the configuration file, CA certificate, key and certificate into the Tunnelblick config directory
Open a terminal and issue the command:
sudo cp /etc/openvpn/*.conf /etc/openvpn/*.crt /etc/openvpn/*.key /Users/$USER/Library/Application\ Support/Tunnelblick/Configurations/
sudo chown michelbisson:michelbisson /Users/$USER/Library/Application\ Support/Tunnelblick/Configurations/*

- Click on 'Done' button of Tunnelblick application

Making the VPN connection

- Click the Tunnelblick icon (top right of the screen)
- Click on 'Connect Client'
- Once you see a light at the end of the tunnel, you're connected.
- To check out your own Tunnel Interface IP:
- Start a bash terminal
- Issue the command:
ifconfig tun0

- Finding out the VPN server's Tunnel Interface IP:
- Start a bash terminal
- Issue the command:
netstat -nr | grep 'UGSc.*tun0' | awk '{print $1}' | cut -d/ -f1

Open VPN Client on Windows

- Login as root on the VPN server and create new client certificates as done for Linux OpenVPN clients.

- Download the OpenVPN program from the following URL and install it:
http://swupdate.openvpn.org/community/releases/openvpn-2.2.2-install.exe
(Read the following note, which will appear at the end of the installation)

GENERAL QUICKSTART FOR WINDOWS

The OpenVPN Client requires a configuration file and key/certificate files.
You should obtain these and save them to \Program Files\OpenVPN\config.
To start OpenVPN, first run the OpenVPN GUI by double clicking on the desktop icon or start menu icon.
The OpenVPN GUI is a system-tray applet, so an icon for the GUI will appear in the lower-right corner of the screen.
Right click on the system tray icon, and a menu should appear showing the names of your OpenVPN configuration files, and giving you the option to connect.

- Download PuTTY and WinSCP (for Windows) from the following URLs and install them:
http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.62-installer.exe
http://download.winscp.net/download/files/201201251938f0fd4d4756d7bce59a6207776b36c42b/winscp436setup.exe

On the VPN server:
- Log in as root on the VPN server and issue the following commands:

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.ovpn
cd /etc/openvpn/

- Edit the file /etc/openvpn/client.ovpn and make sure only the following parameters are active.
(modify the parameters as suited for your environment, eg. ca,cert,key,remote)
To verify afterwards just run the command:
egrep -v '^#|^;|^$' /etc/openvpn/client.ovpn
and you should get the following (except for the environment dependent values)
client
dev tun
proto udp
remote www.myvpnserver.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/windows.crt
key /etc/openvpn/windows.key
ns-cert-type server
comp-lzo
verb 3

Prepare the transfer to Windows computer by running the following commands:
apt-get install dos2unix
unix2dos client.ovpn
cd /etc/openvpn/easy-rsa/2.0/
. /etc/openvpn/easy-rsa/2.0/build-key windows

- Answer the questions; skip the optional questions (just press Enter)
- type 'yes' when asked to sign the certificate.
Now we have created a new certificate for this windows client.

In Windows host
- start WinSCP, login as root in VPN server and copy the following files as indicated:
(VPN Server) (Windows host Directory)
=========================================== ============================================
/etc/openvpn/easy-rsa/2.0/keys/ca.crt ..............Copy to directory.. \Program Files\OpenVPN\config\
/etc/openvpn/easy-rsa/2.0/keys/windows.key .........Copy to directory.. \Program Files\OpenVPN\config\
/etc/openvpn/easy-rsa/2.0/keys/windows.crt .........Copy to directory.. \Program Files\OpenVPN\config\
/etc/openvpn/client.ovpn ...........................Copy to directory.. \Program Files\OpenVPN\config\

- Start the OpenVPN GUI: Start button == All Programs == OpenVPN == OpenVPN GUI
An icon (2 very tiny red monitors) will appear in the QuickStart bar (bottom right) of the screen

- Right click on the icon and select 'Connect'

- You should get a log screen, and if everything goes well you will hear a short 'blip' from Windows indicating that a new interface has been created.

- Verify the IP of the new interface:
Start ==>> Run Command ==>> Enter: cmd.exe ==>> In DOS window run the command 'ipconfig'

Here is an example of the result you should get:
(This was done on a German Windows XP)
Windows-IP-Konfiguration
Ethernetadapter LAN-Verbindung 3:
Verbindungsspezifisches DNS-Suffix: localdomain
IP-Adresse. . . . . . . . . . . . : 192.168.47.129
Subnetzmaske. . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . : 192.168.47.2
Ethernetadapter LAN-Verbindung 4:
Verbindungsspezifisches DNS-Suffix:
IP-Adresse. . . . . . . . . . . . : 10.8.0.18
Subnetzmaske. . . . . . . . . . . : 255.255.255.252
Standardgateway . . . . . . . . . :

Notice the IP: 10.8.0.18 of the second interface.
This is the IP of this machine seen through the VPN.

A ping to the VPN server should also work:
ping 10.8.0.1
Ping wird ausgefuehrt fuer 10.8.0.1 mit 32 Bytes Daten:
Antwort von 10.8.0.1: Bytes=32 Zeit=60ms TTL=64
Antwort von 10.8.0.1: Bytes=32 Zeit=81ms TTL=64
Antwort von 10.8.0.1: Bytes=32 Zeit=195ms TTL=64
Antwort von 10.8.0.1: Bytes=32 Zeit=204ms TTL=64
Ping-Statistik fuer 10.8.0.1:
Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
Minimum = 60ms, Maximum = 204ms, Mittelwert = 135ms

IMPORTANT for Windows 7:

I could not get it to work on Windows 7 yet ....:-(
- Now the client.ovpn file has been configured properly but so far is not readable by OpenVPN for Windows.

Some extra notes for Windows 7:

(Although I could not get it to work on Windows 7 yet)
In Windows 7, the file 'windows.crt', because of its 'crt' (certificate) extension,
cannot be copied to Windows via WinSCP. So the trick is to change the file's extension from .crt to .cert.
We will use this new name in Windows for OpenVPN.