Tony's ramblings on Open Source Software, Life and Photography

Configuring OpenVPN on Ubuntu 8.04 LTS

For me, setting up an OpenVPN server on Ubuntu Server was orders of magnitude easier than trying to use a commercial IPsec utility. Here are the steps to take to set up an Ubuntu 8.04 (Hardy) server.

Be aware that this setup makes a few assumptions. First, no bridging of networks is done, which means no broadcast and no multicast traffic across the VPN. Most people won't need those, so I'm not going to explain how to make that work - I'm going for a quick and easy routed setup. Second, the server is on the Internet with a static IP address, or at least has a DNS entry somewhere so that computers on the outside can locate it. Your typical home network won't have a static IP, but with one of the "dynamic DNS" websites / utilities you can get around that restriction.

I'm also not going to deal with firewall issues in this HOWTO. If you can disable your firewall and everything works, get your firewall working afterwards. The best advice I can give there is to allow all traffic to/from the "tun0" (or tun1, tun2... whatever) device that the VPN creates, and to allow incoming traffic on the Internet-facing adapter (eth0?) only to the single TCP or UDP port you configure the server to listen on. Everything else arriving from the Internet can stay blocked; the VPN port is the only hole you need. It's really not that complicated for a basic setup.

First, become root (sudo su -) and then install the following:

apt-get install openvpn dnsmasq openssl

Unlike most software you'll install, this will not drop working configuration files in place for you. You'll want a quick barebones setup, so do the following (easy-rsa is the set of scripts that builds your own certificate authority and signs the server and client certificates):

mkdir /etc/openvpn
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/
cd /etc/openvpn/
mkdir keys
nano vars

Insert the appropriate settings at the end of this file for your locality and organization name (the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL lines). The same file sets KEY_SIZE=1024; if you change that to 2048 now, before building anything, every key and the DH parameters come out at 2048 bits, and the DH file will be named dh2048.pem instead of dh1024.pem, which matters for the server.conf below. Afterwards:

./clean-all
source ./vars
./build-ca

The build-ca will ask some questions. This part is for the "Certificate Authority" you are creating, so make sure you enter things accurately. It's mostly for documentation purposes, however, and a wrong answer here is unlikely to break anything. What does matter is the file it produces: keys/ca.key is the root of trust for the whole VPN. Anyone who gets a copy of it can sign a certificate your server will accept, so never copy it to a client and keep it readable by root only.

./build-key-server server

This generates a private key and a certificate for your server, signed by the CA you just built. If you are positive you will only ever have one server, you can name it "server". Otherwise, name it something meaningful so you know what the key goes to. This does not have to be the DNS name, but it may help to use that as a standard. When asked for the common name in the certificate you're generating, use the same thing there. build-key-server writes the key without a passphrase, which is what you want so the service can start at boot unattended; the "challenge password" it prompts for is an optional request attribute and can be left blank. Because the key file is unencrypted, its file permissions are the only thing protecting it. Answer "y" when it asks whether to sign the certificate, and again when it asks whether to commit.

./build-key client-name

This generates the client's private key and a certificate signed by your CA. The private key only ever needs to exist on the client; the server does not need any client's key or certificate, it only needs ca.crt to verify that a client's certificate was signed by your CA. Replace "client-name" with something you'll use to remember whose key this is. Make one per user or per laptop rather than sharing a key: if one laptop is lost you can revoke just that certificate with ./revoke-full client-name (and point the server at the resulting keys/crl.pem with a crl-verify line) without re-issuing everyone else's. NOTE: if you close the console and come back later to generate more keys, you'll need to run "source ./vars" before running build-key again.

Now you'll need to build the Diffie-Hellman parameters. This is not a key, just a large prime the server uses in every key exchange, and generating it might take some time:

./build-dh

Once completed, copy the "client-name.key", "client-name.crt" and "ca.crt" files securely to the workstation that will be using them, and only those three: ca.key and server.key stay on the server. I don't recommend emailing them; an SSH connection (scp) is the best way, or a USB drive you keep hold of. Once the client has its copy there is no reason to leave client-name.key lying around on the server.
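The key-building steps above, together with the checks worth running before anything is copied to a client, as an added example that is not part of this post or of easy-rsa: it builds a throwaway CA, server certificate and client certificate with the plain openssl command line (what build-ca, build-key-server and build-key do under the hood). It assumes the openssl tool is installed; the directory, the names home-vpn-ca, server and laptop1, and the file layout are made up.

```shell
#!/bin/sh
# Added example (not from the post): a throwaway PKI built with plain openssl,
# mirroring easy-rsa's build-ca / build-key-server / build-key, plus the checks
# to run before shipping files to a client. Assumes openssl is on PATH; all
# names are made up.
set -eu

issue() {                          # $1 = dir, $2 = common name, $3 = extension file
  d=$1; cn=$2
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$d/$cn.key" -out "$d/$cn.csr" 2>/dev/null
  openssl x509 -req -days 3650 -sha256 -in "$d/$cn.csr" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -extfile "$3" -out "$d/$cn.crt" 2>/dev/null
}

make_pki() {                       # $1 = directory to create the PKI in
  d=$1; mkdir -p "$d"
  # The CA key is the root of trust for the whole VPN; it never leaves this box.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=home-vpn-ca" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Server cert: build-key-server adds these extensions; they are what lets a
  # client insist on "remote-cert-tls server" and refuse any other cert.
  printf 'extendedKeyUsage=serverAuth\nnsCertType=server\n' > "$d/server.ext"
  issue "$d" server "$d/server.ext"
  # Client cert: one per person or device, so a lost laptop can be revoked alone.
  printf 'extendedKeyUsage=clientAuth\nnsCertType=client\n' > "$d/client.ext"
  issue "$d" laptop1 "$d/client.ext"
  chmod 600 "$d"/*.key
}

# Does the certificate chain to our CA? This is all the server checks about a
# client, which is why it needs ca.crt and nothing else from the client.
cert_chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Does the private key belong to the certificate we are about to ship with it?
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Is the cert marked as a server cert? A client cert must fail this test,
# otherwise any client could pose as the server to the other clients.
cert_is_server() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Is the (unencrypted) key file unreadable by group and others?
key_is_private() { [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]; }
```

Run make_pki /tmp/pki and then the four check functions on the files it produced. cert_is_server is the check a client relies on when it adds remote-cert-tls server to its configuration; without it, any holder of a valid client certificate could impersonate the VPN server to another client.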

Next we want to setup the server.conf file. We're going to start with the example provided:

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz

Now edit the server.conf file with your favorite editor.

If your server has multiple interfaces - most firewall machines will because one will face the Internet and one face the LAN, you'll want to add the internet facing IP to this file (Obviously replace 1.2.3.4 with your IP address):

local 1.2.3.4

You may or may not want to change the port that OpenVPN listens on.

port 1194

Personally I found the TCP protocol to work much better for me. Apparently I'm getting packet loss, and using UDP was causing extraordinary delays, since UDP doesn't detect lost packets and packet order like TCP. Be aware that UDP is OpenVPN's default for a reason: with TCP, the tunnel's own retransmissions stack on top of those of the TCP traffic inside it, which can make a lossy link worse rather than better. Try UDP first, and switch only if TCP genuinely behaves better for you or you have to get out through a network that only allows TCP. Whichever you pick has to match on the client. So, I changed it to:

proto tcp

Use the TUN device unless you want to figure out how to do bridging, and make sure the dev-node line is commented out:

dev tun
;dev-node MyTap

Now we need to tell it where the server key files are located. The sample config expects them in the current directory; give full paths so it works no matter where the daemon is started from:

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem   # dh2048.pem if you raised KEY_SIZE in vars

Pick a subnet that the VPN server will assign clients to. This should be a different subnet from anything else you use, including the LANs your clients are likely to be sitting on when they connect, otherwise the client's own routing table fights with the tunnel:

server 10.8.0.0 255.255.255.0

If you want your clients to be able to access your LAN network, you'll need to push a route out to them. The server also has to forward packets between tun0 and the LAN interface (net.ipv4.ip_forward=1 in /etc/sysctl.conf), and the LAN hosts need a way back to 10.8.0.0/24, either via a route on your LAN router pointing at the OpenVPN server or by NATing the VPN traffic on the server:

push "route 192.168.1.0 255.255.255.0"

Make sure this matches your LAN route. However, if your LAN has the same subnet as the network a client might be connecting from - like the above one, based on the overly common "192.168.1.x" - you can choose to only route certain servers or subgroups of it. In this example, 192.168.1.5 and 192.168.1.128-255 will be reachable through the VPN, but the remainder will not. This keeps the common Internet router address of 192.168.1.1 from conflicting:

push "route 192.168.1.5 255.255.255.255"
push "route 192.168.1.128 255.255.255.128"

To add to security just a bit, we want to make sure that the server drops to a non-privileged user after it starts. This only works cleanly together with the persist-key and persist-tun lines, which the sample config already has uncommented: once privileges are gone the daemon can no longer re-read server.key or re-open the tun device, so those two options make it hold on to both across restarts:

user nobody
group nogroup

The rest of the settings in this file should be able to be left at default without any trouble.
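The settings above pulled together, as an added example that is not from this post: a small shell lint that reads a server.conf and reports the things a reviewer would send it back for. It writes two constructed configs, the one you end up with after following the steps above and a tightened copy with 2048-bit DH parameters (KEY_SIZE=2048 in vars before ./build-dh), a tls-auth HMAC key on the control channel (generated with openvpn --genkey --secret /etc/openvpn/keys/ta.key and copied to each client, which uses it with direction 1), and compression turned off. The 1.2.3.4 address and all paths are the illustrative ones used in this HOWTO.

```shell
#!/bin/sh
# Added example (not from the post): lint a server.conf for the settings this
# HOWTO touches. Two constructed configs are written to a scratch directory:
# the bare result of the steps above, and a tightened version. Paths, IPs and
# the ta.key file are illustrative.
set -eu

write_sample_confs() {          # $1 = directory to write into
  d=$1; mkdir -p "$d"
  cat > "$d/server-basic.conf" <<'EOF'
local 1.2.3.4
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
  # Same file with 2048-bit DH, no compression, and an HMAC key that every
  # packet must carry before the TLS code even looks at it.
  { sed -e 's/dh1024/dh2048/' -e '/^comp-lzo/d' "$d/server-basic.conf"
    echo 'tls-auth /etc/openvpn/keys/ta.key 0'; } > "$d/server-hardened.conf"
}

# Prints one finding per line and returns 1 if there were any. Options are
# matched at the start of a line, so commented-out (# or ;) lines don't count.
lint_server_conf() {            # $1 = path to server.conf
  f=$1; n=0
  opt() { grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$f"; }
  opt user  || { echo "no 'user': the daemon keeps root for its whole life"; n=$((n+1)); }
  opt group || { echo "no 'group'"; n=$((n+1)); }
  if opt user && ! opt persist-key; then
    echo "'user' without 'persist-key': keys cannot be re-read after the privilege drop"; n=$((n+1)); fi
  if opt user && ! opt persist-tun; then
    echo "'user' without 'persist-tun': tun device cannot be re-opened on restart"; n=$((n+1)); fi
  grep -Eq '^[[:space:]]*dh[[:space:]].*dh1024' "$f" && { echo "1024-bit DH parameters; rebuild with KEY_SIZE=2048"; n=$((n+1)); }
  opt tls-auth || opt tls-crypt || { echo "no tls-auth: every packet from the Internet reaches the TLS stack"; n=$((n+1)); }
  opt comp-lzo && { echo "comp-lzo: compressing before encrypting leaks plaintext length (VORACLE)"; n=$((n+1)); }
  opt dev-node && { echo "dev-node is a Windows-only option; comment it out"; n=$((n+1)); }
  [ "$n" -eq 0 ]
}
```

tls-auth is worth adding even on a home server: without it every packet that reaches the port is handed to the TLS code, with it anything not carrying the right HMAC is dropped first. The Network Manager OpenVPN client's Advanced dialog has a place for the ta.key file and its direction.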

Start up your new VPN server manually at least once, as root, using:

openvpn /etc/openvpn/server.conf

With this you can watch the messages in the terminal and see if something goes wrong (Ctrl-C stops it). The line you are waiting for is "Initialization Sequence Completed".

Next, on an Ubuntu client you install:

sudo apt-get install openvpn dnsmasq openssl network-manager-openvpn

(network-manager-openvpn is the piece that matters here; dnsmasq is not needed on the client, but it does no harm.)

Left click on the network manager icon in the panel and choose "VPN Connections", then "Configure VPN". Create a new OpenVPN connection.

For "Gateway" use the external IP address or DNS name of the OpenVPN server. The type is "Certificates (TLS)".

Attach your client .key, .crt and the ca.crt file in the appropriate places. Make sure the .key file is readable only by your user (chmod 600), since it is stored unencrypted.

If you changed to TCP like I did, click the Advanced button and check "Use a TCP connection". If you changed the port that OpenVPN listens on, you'll want to add that here as well. The "Use LZO data compression" box must match the server: the sample server.conf has comp-lzo enabled, so tick it if you left that line in and untick it if you removed it, otherwise the tunnel comes up but traffic is dropped. If you don't need it, leave it off on both ends; compressing data before encrypting it has since been shown to leak information about the plaintext (the VORACLE attack), so current OpenVPN advice is to avoid it. There's also an option to make the VPN always start when you log in.

Save the changes and your client is configured. Left click on the network manager icon again and click on the new VPN entry to open the VPN connection.

Here's a screenshot of the client setup: (image not reproduced in this copy)

Once you're sure everything is working fine, you can configure openvpn to automatically start. Edit the /etc/default/openvpn file and uncomment the following line, which starts every *.conf found in /etc/openvpn:

AUTOSTART="all"

Then just do:

/etc/init.d/openvpn start

And there you have it - a fully functional VPN solution. There's also a Windows client version available, so you can use it in a mixed environment.


Comment from Dave Rhol

One slight tweak necessary

I've been trying to figure out a simple config for OpenVPN for ages - and your HOWTO did the trick! Yes!

One thing I had to do in order to get ./build-key-server server to work was to create three files in the "keys" directory (the first two can be blank, the file called "serial" has to have "01" in it):

cd /etc/openvpn/keys
touch index.txt database
echo 01 > serial

build-key-server was complaining it couldn't find these files otherwise.

Comment from tony


Glad I could help! I definitely didn't need to do what you did with those three files, but thanks for sharing your experience too!

Comment from bpg

Works Great! Advice for samba shares?

Tony,

Thanks a million! I was able to get the openvpn server on my Hardy machine up and running without much trouble. I've got Vista and XP laptops both connecting, without any hiccups.

I'm trying to connect to the samba share on the same machine through the openvpn server, so that I can eventually access the public directory remotely, using a static dns service such as dyndns.org. For the life of me, I can't make the tunnel connection. I followed the instruction from the openvpn HOWTO:
http://openvpn.net/index.php/open-source/documentation/howto.html#samba
but they don't work for me. I can connect to the samba share on the ubuntu server without openvpn running, so I think it's a problem with my smb.conf file (which I thought I setup according to the HOWTO). Otherwise, maybe it's a firewall issue?

Any thoughts?

Thanks again for the user-friendly openvpn guide.

Brian

Comment from tony


My guess is it's firewall related, but check out my new post that adds in how to do dual-routing:

http://www.ossramblings.com/openvpn_route_both_ways

It might make a difference for you.

Comment from Adam

Server.conf

Thanks for the great tutorial.

Just one quick note: if you are setting this up on an Ubuntu or Debian server, there is no "nobody" group.

When editing the server.conf so that openvpn will run in a lower privileged account change it to "nogroup" instead of "nobody". Leave the user as nobody though.

Comment from tony


Right - that's what it says in the tutorial. You must have misread unless I'm missing something.

Comment from Anonymous n00b

routing issue

Hello there,

I have recently gone through these steps to set up an OpenVPN server virtually under ESXi. Authentication worked seamlessly but I'm running into an issue. Here are the details:

Private Network: 10.50.25.0 /24
VPN network : 10.50.1.0 /24

I have setup the server.conf to reflect the above and also pushed out a route as follows:

push "route 10.50.25.0 255.255.255.0"

OpenVPN starts and accepts connections with no issues. The only problem is that the device connecting to the VPN cannot ping or access hosts on the private network. I have added a route on my local gateway for 10.50.1.0/24 pointing to my OpenVPN server. The private network can ping 10.50.1.1 but not anything else on the VPN network. The VPN network can also ping 10.50.1.1 but nothing on the private network.

I thought it might have been because of the virtual machine, so I tried to create a physical one, but had the same results. Is there something I am missing?

Thanks,
DJ

Comment from tony

Did you check my other post?

Check my other post on the subject and see if this solves your issue:

http://www.ossramblings.com/openvpn_route_both_ways

Comment from Anonymous n00b


Hello,

Yes, I had taken a look at the other page, and even though the scenario was not the same, I tried adding the commands. The server would not let me use iroute as listed there. Attempting to add iroute 10.50.25.0 255.255.255.0 and then starting it with openvpn /etc/openvpn/server.conf reported an error that "option iroute cannot be used in this way."

Below is the current state of the server.conf file. Can you see anything blatantly wrong with it?

#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################

########### CUT BY TONY TO SHORTEN THE POST ################

Comment from tony


That's correct - you cannot use iroute in the server.conf. It must be in the client side config file - stored on the server.

All of your client-config-dir entries above are commented.

Create a directory on the server at /etc/openvpn/ccd

Then add the following line to your server.conf file

client-config-dir /etc/openvpn/ccd

Inside the client config directory, create a file that matches the name of the client. For instance, if the client's key is called "remoteuser" then create a text file called /etc/openvpn/ccd/remoteuser and place the iroute (and a push and ifconfig-push if necessary) command in that file.

Then, restart both the server and then the client.
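The client-config-dir mechanics described in the reply above, as an added example that is not part of the thread: a shell check that the ccd directory is wired up consistently. An iroute in a client's ccd file tells OpenVPN which client owns a subnet behind that client, and it only works when server.conf also carries a matching route line, because the kernel route is what hands packets for that subnet to OpenVPN in the first place. The server.conf and ccd files are constructed here; the name remoteuser and the 10.50.x.x ranges are taken from the thread, laptop2 and 10.50.30.0/24 are made up.

```shell
#!/bin/sh
# Added example (not part of the thread): verify that every iroute in the
# client-config-dir has a matching "route" in server.conf. The files below are
# constructed; remoteuser and 10.50.x.x come from the thread, laptop2 is made up.
set -eu

write_ccd_example() {            # $1 = scratch directory
  d=$1; mkdir -p "$d/ccd"
  cat > "$d/server.conf" <<EOF
server 10.50.1.0 255.255.255.0
client-config-dir $d/ccd
route 10.50.25.0 255.255.255.0
EOF
  # Per-client file: its name must equal the Common Name in the client's cert.
  cat > "$d/ccd/remoteuser" <<'EOF'
iroute 10.50.25.0 255.255.255.0
EOF
  # A second client claiming a subnet the server has no kernel route for.
  cat > "$d/ccd/laptop2" <<'EOF'
iroute 10.50.30.0 255.255.255.0
EOF
}

# Prints one line per iroute that has no matching route; returns 1 if any,
# or if client-config-dir is not set at all (the case in the thread above).
check_ccd() {                    # $1 = path to server.conf
  conf=$1
  ccd=$(sed -n 's/^[[:space:]]*client-config-dir[[:space:]]*//p' "$conf")
  [ -n "$ccd" ] || { echo "client-config-dir not set in $conf"; return 1; }
  problems=$(for f in "$ccd"/*; do
    [ -f "$f" ] || continue
    sed -n 's/^[[:space:]]*iroute[[:space:]]*//p' "$f" | while read -r net mask; do
      grep -Eq "^[[:space:]]*route[[:space:]]+$net[[:space:]]+$mask" "$conf" ||
        echo "$(basename "$f"): iroute $net $mask has no matching 'route' line in $conf"
    done
  done)
  [ -z "$problems" ] || { echo "$problems"; return 1; }
}
```

iroute only matters for a subnet that sits behind a client. For a LAN behind the server, which is what the question above describes, the pieces needed are the pushed route, IP forwarding on the server, and a return route for the VPN subnet on the LAN gateway (or NAT on the server), plus a firewall that lets tun0 traffic through.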

Comment from OneMixDJ

Great post!

Great post Tony!

I have a headless server running Ubuntu 8.04 (Hardy) server with nothing to do...till now. :)

This might be a neat solution to set up VPN for family members in simplifying the means for me to remote into their machines whenever they have problems.

I'll be sure to put it through its paces.

Thanks for posting!

Comment from Pablo

Thanks it works perfectly

just wanted to say thank you. your post was really helpful and I got my VPN working now.

thanks a lot!

Comment from Avari

Troubles with UDP

First time I tried to set up OpenVPN through UDP (the default). Spent 2 days and many variants of the server config. OpenVPN on the server writes to the log "TLS key negotiation failed". I thought I had made something wrong when I made the keys.
Keys were OK.
When I add one line, "proto tcp", to the server config and tell the client to also use TCP - the link magically appears 8)
But I could not understand WHY it doesn't work with UDP :(

Comment from simon

Seems to connect but cannot see anything

I think that I must be missing something really obvious here because doing as per this article + opening up port 1194 on my router/forwarding to the server machine appears to enable a connection but I cannot see anything on the server. Network Manager in 10.04 shows the active connection and Admin/Network Tools shows IPv4 settings of 10.8.0.6, 255.255.255.255 for the tun device.

There is no firewall on the server itself, which is a test machine. I'm sure that I had this working on a previous machine but can't find my notes anywhere.

Any ideas?
