OpenVPN 2.1.0 Testing on Ubuntu 10.04 LTS

  1. Installation
  2. Bridge Configuration
  3. Server/Client Certificates
  4. Server Configuration
  5. Client Configuration
  6. Adding Username / Password Auth
  7. NAT/Routed Configuration
  8. Links
  9. Woes

Server Installation

apt-get install openvpn openssl bridge-utils

Bridge Configuration

Edit /etc/network/interfaces to create the bridge, updating the example below with values for your network: auto lo
iface lo inet loopback
auto br0 iface br0 inet static address 192.168.75.130 network 192.168.75.0 netmask 255.255.255.0 broadcast 192.168.75.255 gateway 192.168.75.1 bridge_ports eth0 bridge_fd 9 bridge_hello 2 bridge_maxage 12 bridge_stp off Note: For my inital testing on a virtual machine, I used dhcp instead of static and eliminated the 5 definition lines immediately below

Restart networking to enable the bridge interface:sudo /etc/init.d/networking restart

The new bridge interface should now be up and running. The brctl command provides useful information about the state of the bridge, controls which interfaces are part of the bridge, etc.

Create Certificates

sudo mkdir /etc/openvpn/easy-rsa/ sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ sudo chown -R $USER /etc/openvpn/easy-rsa/ Edit /etc/openvpn/easy-rsa/vars and adjust the following: export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="Example City" export KEY_ORG="Example Company" export KEY_EMAIL="admin@example.com"

Create server certificates

cd /etc/openvpn/easy-rsa/ source vars ./clean-all ./build-dh ./pkitool --initca ./pkitool --server server cd keys openvpn --genkey --secret ta.key sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

Create client certificates

cd /etc/openvpn/easy-rsa/
source vars
./pkitool client_hostname

The following files will need to be copied (scp) to the client:

For example: scp root@openvpn_server:/etc/openvpn/easy-rsa/keys/\{client_hostname*,ca.crt,ta.key\} /Users/admin/Library/openvpn/

Key Files

Here is a brief explanation of the newly generated key files:
FilenameNeeded ByPurposeSecret
ca.crt server + all clientsRoot CA certificateNO
ca.key key signing machine onlyRoot CA key YES
dh{n}.pemserver onlyDiffie Hellman parameters NO
server.crtserver onlyServer Certificate NO
server.keyserver onlyServer Key YES
client_hostname.crtclient only (unique for each)Client CertificateNO
client_hostname.keyclient only (unique for each)Client Key YES

Files endinge in .key need to be kept secret and those ending in .crt may be shared.

Server Configuration

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ sudo gzip -d /etc/openvpn/server.conf.gz Edit /etc/openvpn/server.conf: local 192.168.75.130 dev tap0 up "/etc/openvpn/up.sh br0" down "/etc/openvpn/down.sh br0" ;server 10.8.0.0 255.255.255.0 server-bridge 192.168.75.130 255.255.255.0 192.168.75.101 192.168.75.105 push "route 192.168.75.1 255.255.255.0" push "dhcp-option DNS 192.168.75.2" push "dhcp-option DOMAIN example.com" tls-auth ta.key 0 # This file is secret user nobody group nogroup

You may also have to enable IP forwarding in /etc/sysctl.conf by uncommenting the net.ipv4.ip_forward=1 line.

Next, create the /etc/openvpn/up.sh and /etc/openvpn/down.sh helper scripts with the content shown below:

/etc/openvpn/up.sh /etc/openvpn/down.sh
#!/bin/sh

BR=$1
DEV=$2
MTU=$3

/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV		 #!/bin/sh

BR=$1
DEV=$2

/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down
Then make them executeable: chmod 755 /etc/openvpn/up.sh /etc/openvpn/down.sh Restart OpenVPN: /etc/init.d/openvpn restart Check /var/log/syslog for ovpn-server messages.

Client Installation and Configuration

Ubuntu

Install the openvpn client:apt-get install openvpn Copy the client certificates you created above to /etc/openvpn/ and create a client configuration file using the example in /usr/share/doc/openvpn/examples/sample-config-files/client.conf: cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/ Edit /etc/openvpn/client.conf dev tap remote vpn.example.com 1194 cert client_hostname.crt key client_hostname.key tls-auth ta.key 1 restart the openvpn client:/etc/init.d/openvpn restart You should now be able to connect to the remote LAN through the VPN.

OSX

Download and install Tunnelblick. It will guide you through most of these steps and give you an opportunity to edit config.ovpn (similar to client.conf) as described above.

Notes

Checking VPN Connection

Edit /etc/openvpn/server.conf and restart openvpn: status status.log 5
status-version 2 This will write the current status of the OpenVPN server to /etc/openvpn/openvpn-status.log every 5 seconds (default is one minute). Lines starting with CLIENT_LIST describe the connected users. This could be parsed by a script for mrtg/cacti graphs.

If the telnet interface is installed...

Links

OSX Links

Woes

Date 4/13/2011
Problem Openvpn 2.1.0 will not start on Ubuntu 10.04.1 LTS. # /etc/init.d/openvpn start
* Starting virtual private network daemon(s)...
* Autostarting VPN 'server'
...fail!
Resolution /var/log/syslog showed the following: ovpn-server[pid]: TCP/UDP: Socket bind failed on local address [AF_INET]ipaddress:port: Cannot assign requested address It appears that openvpn starts before ip-binding does. The easy fix is to comment out or remove the line "local xxx.xxx.xxx.xxx" from /etc/openvpn/server.conf and restart openvpn.
Links [karmic] openvpn service starts before dhclient
wiki.archlinux.org - OpenVPN Bridge Troubleshooting
 
Date 4/13/2011
Problem Tunnelblick on OSX 10.6.7 not connecting to Ubuntu openvpn server. Tunnelblick "Details..." shows the following:

  WARNING: No server certificate verification method has been enabled.
  Cannot load private key file host-127-69.key: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
  Error: private key password verification failed

Resolution Corrected type-o in /Users/admin/Library/openvpn/config.ovpn for cert and key definitions.
Links Possible "Man-in-the-Middle" attack if clients do not verify the certificate of the server they are connecting to

OpenVPN with NAT Setup Notes (In Progress)

Where:

OpenVPN Server   OpenVPN Client
eth0192.168.75.130 eth0whatever
tap010.10.10.1 tap010.10.10.10-20


  1. Update the following in /etc/openvpn/server.conf: server-bridge 10.10.10.1 255.255.255.0 10.10.10.10 10.10.10.20
    push "route 10.10.10.0 255.255.0.0 10.10.10.1"
  2. Configure the TAP interface: ip addr add 10.10.10.1/24 dev tap0
    ip link set tap0 up     ifconfig tap0 10.10.10.1
    route add -net 10.10.10.0 netmask 255.255.255.0 gw 10.10.10.1 dev tap0
    netcfg tap0 up
  3. Set up the NAT: iptables -v -t nat -A PREROUTING -d 192.168.75.0/24 -j NETMAP --to 10.10.10.0/24 iptables -v -t nat -A PREROUTING -i tap0 -d 10.10.10.0/24 -j NETMAP --to 192.168.75.0/24 iptables -v -t nat -A POSTROUTING -o tap0 -s 192.168.75.0/24 -j NETMAP --to 10.10.10.0/24 iptables -v -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j NETMAP --to 192.168.75.0/24 echo 1 > /proc/sys/net/ipv4/ip_forward
  4. Setup Proxy ARP: ip addr add 192.168.75.130/24 dev tap0 echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

Links: