Fri 6 Mar 2009
Setting up OpenVPN in debian/ubuntu
Posted by Kris under Tech
This is a little later than I originally intended, but I finally got around to setting up OpenVPN, and here's how I did it.
This guide is pretty simple to follow and should have an OpenVPN server on debian or ubuntu working within half an hour. I’ll also explain how to connect to the VPN from a windows PC.
First, install OpenVPN on the server (you’ll need to be root for all of this guide)
apt-get install openvpn
Next, we need to configure the server. You need to decide here whether you want tun (routed) or tap (bridged) connections. With tap the server bridges the tunnel onto its own LAN at layer 2: the client gets an address on the server's network and sees that network's broadcast traffic, as if it were plugged into the same switch. With tun the clients get a separate private subnet and the server routes between it and the LAN. tun is usually the simpler and more contained choice (no broadcast traffic through the tunnel, and clients only reach what you route to them); in this guide I use tap because I find that it works better with Windows clients.
Now you need to create certificates for the server and for each client, which is how they authenticate to each other (certificate authentication is much stronger than the password-based MS-CHAP authentication PPTP uses). This is done in a number of steps:
Preparing to generate the keys
mkdir /etc/openvpn/easy-rsa
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
Now edit /etc/openvpn/easy-rsa/vars with your settings. You only really need to change the last section, which sets the default values for the fields in the certificates (KEY_COUNTRY, KEY_ORG and so on). It is also worth raising KEY_SIZE from its default of 1024 to 2048 while you are there; the Diffie-Hellman file is then written as dh2048.pem rather than dh1024.pem, so the dh line in server.conf below must match.
Generate the certificate authority (CA) which will be used to sign the server and client certificates.
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
Next, we need to create the server keys
./build-key-server servername
Answer 'yes' when asked to sign the certificate and commit to the database. Then generate the Diffie-Hellman parameters, which are used for the key exchange between client and server (they are not secret, but they take a while to generate):
./build-dh
And finally, create the client keys, which the clients use to authenticate to the server. I prefer the PKCS#12 format, which bundles the client's private key, its certificate and the CA certificate in a single password-protected file:
./build-key-pkcs12 client1
As before, sign the certificate and commit to the database. You will be asked for an export password: this encrypts the private key inside the .p12 file, and the client will prompt for it when it loads the file. It is never sent to the server; the server authenticates the client by its certificate, so treat the .p12 file and its password as the credential and give each client its own.
Now all the keys are created, we need to configure the server.
vim /etc/openvpn/server.conf
(the file does not exist yet; create it with the following lines)
port 443
proto tcp
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/servername.crt
key /etc/openvpn/easy-rsa/keys/servername.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.1.0.1 255.255.255.0 10.1.0.236 10.1.0.245
push "route 10.0.0.0 255.0.0.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
The only lines you will normally need to change are server-bridge and the push route. server-bridge takes four values: the address of the server's bridge interface (which the clients will use as their gateway), the subnet mask, and the first and last addresses of a range on your LAN to hand out to VPN clients; make sure nothing else on the LAN, your DHCP server included, uses that range. The push line pushes specific routes to all clients; here it sends 10.0.0.0/8 through the VPN, so change it to whatever your clients need to reach. Three lines deserve a second look before exposing this to the internet. port 443 with proto tcp gets through restrictive firewalls, but TCP over TCP performs badly, so use proto udp wherever it is allowed. dh1024.pem is 1024-bit Diffie-Hellman, which is no longer considered adequate; set KEY_SIZE=2048 in vars before running ./build-dh and point the dh line at dh2048.pem. And comp-lzo compresses the plaintext before encrypting it, which has since been shown to leak information about that plaintext (the VORACLE compression-oracle attack), so leave it out unless you need it, and drop it from the client config too.
Now we need to create an ethernet bridge. First, we need to install bridge-utils:
apt-get install bridge-utils
Rather than explain how to set up a network bridge, I found a shell script which will do it for you. This can be found here. Edit the variables at the top (the interface to bridge, its IP address, netmask, broadcast address and gateway) to match your network, save it as /etc/init.d/bridge, make it executable with chmod +x, and run it once with /etc/init.d/bridge start. If you get the addresses wrong the server will drop off the network, so do this from the console rather than over SSH. (On Debian you can instead declare the bridge in /etc/network/interfaces with bridge_ports; see the comments below.) You will also need to set it to create the bridge at boot time:
update-rc.d bridge defaults
Now you can start the openvpn server
/etc/init.d/openvpn start
Now we need to set up the Windows client. First, download the OpenVPN client from here (at the time of writing, select 2.1 RC15). Install it, and create a file client.ovpn in the config directory (C:\Program Files\OpenVPN\config; the Windows GUI only picks up files with the .ovpn extension) with the following parameters:
client
dev tap
proto tcp
remote x.x.x.x 443 # (replace with your server IP)
resolv-retry infinite
nobind
pkcs12 client1.p12 # (replace with the client name)
ns-cert-type server
comp-lzo
verb 3
You can also add redirect-gateway def1 to the client configuration to send all traffic down the VPN tunnel rather than just traffic for the VPN network (def1 overrides the default route without deleting it, so the client reverts cleanly when it disconnects).
Now copy client1.p12 to the config directory on the client, start the GUI, and connect. Keep the ns-cert-type server line (remote-cert-tls server on newer clients): it makes the client refuse a peer whose certificate was not issued with build-key-server, so another holder of a client certificate cannot impersonate the server. Everything should now work.
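As an added example, not the original post's files, here is the same setup with the hardening a practitioner would want before exposing it to the internet: a server.conf with per-packet HMAC (tls-auth), CRL checking, privilege dropping, 2048-bit DH, a sane cipher and no compression, beside the matching client.ovpn. The paths, the hostname vpn.example.org and the ta.key location are assumptions; ta.key is generated once on the server with openvpn --genkey --secret /etc/openvpn/ta.key and copied to every client next to its .p12.

```conf
# /etc/openvpn/server.conf, hardened variant of the one above
# (added example, not the original post's file; paths are assumptions)
port 1194
proto udp            # TCP over TCP stalls badly; use "port 443" + "proto tcp" only where UDP is blocked
dev tap
ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/servername.crt
key  /etc/openvpn/easy-rsa/keys/servername.key
dh   /etc/openvpn/easy-rsa/keys/dh2048.pem     # built with KEY_SIZE=2048 in vars
tls-auth /etc/openvpn/ta.key 0                 # HMAC on every packet: hosts without ta.key cannot even start a TLS handshake
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem  # written by ./revoke-full; without this line revoked clients still get in
cipher AES-256-CBC                             # instead of the 64-bit-block BF-CBC default
user nobody
group nogroup                                  # drop root once the keys and the tap device are open
persist-key
persist-tun
ifconfig-pool-persist ipp.txt
server-bridge 10.1.0.1 255.255.255.0 10.1.0.236 10.1.0.245
push "route 10.0.0.0 255.0.0.0"
keepalive 10 120
# no comp-lzo: compression inside the tunnel leaks information about the plaintext (VORACLE)
status /var/log/openvpn-status.log
verb 3

# client.ovpn in the Windows config directory, next to client1.p12 and ta.key
client
dev tap
proto udp
remote vpn.example.org 1194
resolv-retry infinite
nobind
pkcs12 client1.p12
tls-auth ta.key 1
remote-cert-tls server   # newer spelling of ns-cert-type server: refuse a peer whose cert was not built with build-key-server
cipher AES-256-CBC
verb 3
```

The tls-auth key and the .p12 must travel to the client over a channel you trust (USB stick, SSH, not e-mail); once a client has both, anyone who copies them can connect until you revoke that certificate.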
If you need to create any clients in the future, do the following:
cd /etc/openvpn/easy-rsa
source ./vars
./build-key-pkcs12 clientx
If one of your certificates is compromised, you can revoke it using the guide here. In short: ./revoke-full clientx in the easy-rsa directory marks the certificate revoked and writes keys/crl.pem, and the server only enforces that list once server.conf contains crl-verify /etc/openvpn/easy-rsa/keys/crl.pem; without that line a revoked client can still connect.
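The certificate steps above (build-ca, build-key-server, build-key-pkcs12) and the revocation step are thin wrappers around openssl. The following is an added example, not part of the original post or of easy-rsa, that does the same work with openssl directly in a throwaway directory, so you can see what each step produces and check the two things the setup relies on: that the server certificate is actually marked for server use (which is what the client's ns-cert-type server / remote-cert-tls server check needs) and that a revoked client certificate really fails verification against the CRL. The directory layout, the CN values and the export password are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from easy-rsa: a minimal
# OpenSSL-only CA doing what build-ca, build-key-server, build-key-pkcs12 and
# revoke-full do, plus the checks worth running afterwards. Directory layout,
# CN values and the export password are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PKI="$WORK/pki"
CNF="$WORK/openssl.cnf"

# Minimal "openssl ca" config. [server] carries the nsCertType/extendedKeyUsage
# markers that a client's 'ns-cert-type server' / 'remote-cert-tls server'
# check looks for; [client] deliberately does not, so a client cert cannot
# pose as the server.
write_cnf() {
    mkdir -p "$PKI/newcerts"
    : > "$PKI/index.txt"
    echo 01 > "$PKI/serial"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
database = $PKI/index.txt
new_certs_dir = $PKI/newcerts
serial = $PKI/serial
certificate = $PKI/ca.crt
private_key = $PKI/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
nsCertType = server
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
[ client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
}

# ca.crt plus the current CRL in one file, the form 'openssl verify -crl_check' wants.
gen_crl() {
    openssl ca -config "$CNF" -gencrl -out "$PKI/crl.pem" 2>/dev/null
    cat "$PKI/ca.crt" "$PKI/crl.pem" > "$PKI/ca_with_crl.pem"
}

build_ca() {   # like ./build-ca: self-signed CA key and certificate, plus an empty CRL
    openssl req -config "$CNF" -new -x509 -days 3650 -newkey rsa:2048 -nodes \
        -subj "/CN=Example VPN CA" -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
    gen_crl
}

# Key + CSR for name $1, signed by the CA with extension section $2.
issue() {
    openssl req -config "$CNF" -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
    openssl ca -config "$CNF" -batch -notext -extensions "$2" \
        -in "$PKI/$1.csr" -out "$PKI/$1.crt" 2>/dev/null
}

build_key_server() { issue "$1" server; }   # like ./build-key-server NAME

# Like ./build-key-pkcs12 NAME: client key, cert and ca.crt in one .p12 file.
# $2 is the export password; it only protects the file, nothing is sent to the server.
build_key_pkcs12() {
    issue "$1" client
    openssl pkcs12 -export -in "$PKI/$1.crt" -inkey "$PKI/$1.key" \
        -certfile "$PKI/ca.crt" -name "$1" -out "$PKI/$1.p12" -passout "pass:$2"
}

# Like ./revoke-full NAME: mark the cert revoked and reissue crl.pem. The
# server only acts on it once 'crl-verify crl.pem' is in server.conf.
revoke_full() {
    openssl ca -config "$CNF" -revoke "$PKI/$1.crt" 2>/dev/null
    gen_crl
}

# 0 if the cert is marked for server use, i.e. would pass the client's server check.
cert_is_server() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# 0 if the cert chains to ca.crt and is not on the current CRL.
cert_still_valid() {
    openssl verify -crl_check -CAfile "$PKI/ca_with_crl.pem" "$1" 2>&1 | grep -q ': OK$'
}

if [ "${1:-}" = demo ]; then
    write_cnf; build_ca; build_key_server servername; build_key_pkcs12 client1 changeme
    cert_is_server "$PKI/servername.crt" && echo "servername.crt is marked as a server cert"
    revoke_full client1
    cert_still_valid "$PKI/client1.crt" || echo "client1.crt is revoked (see $PKI/crl.pem)"
    echo "files left in $PKI"
fi
```

Run it as sh ca-demo.sh demo; it leaves everything in a fresh mktemp directory. The final check is the same test OpenVPN applies when server.conf contains crl-verify, so a revocation that does not make cert_still_valid fail will not keep the client out either.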
This guide has been written from my notes and what I remember, so there may be a couple of things which aren’t 100% right. If anything goes wrong then post a comment or contact me and I’ll update the guide.
23 Responses to “ Setting up OpenVPN in debian/ubuntu ”
An alternative guide which explains how to set up a Windows server and client, and also goes into more detail about how OpenVPN works can be found here:
http://www.theregister.co.uk/2008/09/01/openvpn_primer/
It’s definitely worth a read, as most of the commands are the same for windows and linux servers.
Excellent bro, I can connect
I did it, thanks, God bless you
The shell script is no good. I ran it and my server went down. I would rather you take the time to explain how to setup the Ethernet bridge. I knew I should not have trusted that script. Everything up to that part went well, but now I am dead in the water until I can get to the server and figure out what went wrong.
It definitely does work, I’ve used it on a couple of servers.
You do need to edit the first section to be correct for your ethernet port and ip addresses:
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="10.1.0.4"
eth_netmask="255.255.255.0"
eth_broadcast="10.1.0.255"
gw="10.1.0.1"
If you’re still having problems, I’d recommend having a read of the OpenVPN bridging docs:
http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
And these might help:
http://www.linode.com/wiki/index.php/OpenVPN#Ethernet_to_Tunnel_Bridging
http://ubuntuforums.org/showthread.php?t=482138
Good luck!
OK, I’ve looked into this a bit more and I think I’ve found the problem.
If you’re getting the error:
brctl: command not found
Then you need to install the ‘bridge-utils’ package to make the bridge script work correctly:
apt-get install bridge-utils
I’ll add this to the howto now.
Hi,
I followed these instructions for the most part, but my connection drops immediately and it keeps retrying. I found that when I uncomment the ‘duplicate-cn’ parameter from the server.conf file, that the connection works fine.
Why would I need this 'duplicate-cn' parameter enabled? I am going to be the only "client" and I don't see how it is detecting duplicates.
Thanks
Scott
duplicate-cn is only really needed if you want many users sharing the same certificate and want to auth using something different such as authpam. I left it out of the example server.conf I posted because I don’t think many people will use it.
Yes, I agree. But there is something in my setup that is requiring it. I don’t want multiple users, and I’ve followed your instructions as outlined here. However, I get a cycle of connect/disconnect if that parameter isn’t enabled.
My question is what is causing me to need it?
To be honest, I’m not sure.
If you don’t have duplicate-cn enabled, and a client tries to connect using an already connected certificate then they will be disconnected.
Have you checked /var/log/openvpn-status.log to make sure there isn’t anything using your certificate, and that you’re not using the server certificate to connect as a client.
Other than that, I’ve never used duplicate-cn before, so hopefully someone who knows more about it will read this and give some better information.
I don’t know if this has anything to do with it, but when I run /etc/init.d/openvpn start, it starts a ‘client’ and a ‘server’. I don’t understand why a ‘client’ is being started and maybe this is why it is detecting duplicates.
My installation is now a complete mess, so who knows…It would seem that there would be some set of instructions out there that you can follow and this works, without having to be some sort of networking genius.
Do you have a client.conf in your /etc/openvpn directory? If so, I’d try deleting it (or moving it somewhere) and restarting. I haven’t tried a client in ubuntu but I think it will start a client if it finds a valid client config file in /etc/openvpn
Thanks Kris…that got past my wonky connection issues.
However now I’ve noticed that I can’t connect to anything on my network. When I ping it, it says “route not found” and the ping simply times out. I’m sure it is a routing issue and I may have something incorrect for the push statement in server.conf, or I haven’t done something on my server that is necessary for the bridge to operate correctly.
Are there any experts that check in here that know the networking side of this?
root@deb-4:/etc/openvpn/easy-rsa# ./clean-all
-bash: ./clean-all: Permission denied
root@deb-4:/etc/openvpn/easy-rsa#
I’m always getting this error.
Please help me to solve.
@ dugger
as root, try ‘chmod 700 *’ in /etc/openvpn/easy-rsa
“You will also need to set it to create the bridge at boot time:
update-rc.d bridge defaults”
I don’t get this part. Trying to run that as a command doesn’t work. I can’t see where I would set up the interface at boot. Should I just put the script you linked in rc.local?
Excellent tutorial. It worked on a debian lenny box and the only thing that I had to change is the line in server.conf:
dev tap
to
dev tap0
because we are using an already defined tap interface (see more about Ethernet Bridging in the OpenVPN documentation).
Otherwise, I was wondering about one thing:
How can I remove pkcs12 client from server’s database?
Regards, Vlado
I was ok until I came to the server.conf file. It wasn’t there but i assume this needs to be created from scratch? I’m stuck on the server bridging and the push route lines.
How do I know what to put for the start and end ips? No idea what to put for the push route either. I’m using a vps.
Cliff,
The command "update-rc.d bridge defaults" will make the bridging work again if the computer reboots. If you don't do it, every time the computer reboots eth0 returns to its IP again without being bridged with tap0.
So what you need to do is copy the script that he linked into a file called "bridge" and save it into /etc/init.d/
Once you've done that, do a chmod +x /etc/init.d/bridge so that it's executable
Then do the update-rc.d bridge defaults and it'll work. Make sure you edit the top portion of the script to cater to your network before running the script.
You can run the bridging right away without a reboot by doing "/etc/init.d/bridge start"
Hi,
I followed your guide and all seemed to go well until I ran ./bridge start. At this point my server dropped off the network. I can get it on again by running ./bridge stop.
What have I configured wrong in the server.conf file?
server-bridge 255.255.255.0 10.1.0.236 10.1.0.245.
is this what it should be or should it be the ISP’s gateway.
Also what should the push .route be?
Thanks for your help.
Dec
The server bridge line should use the following format:
server-bridge [netmask] [first ip to assign] [last ip to assign]
The final 2 parameters should match addresses on your local network which the openvpn server can assign to clients when they connect. It’s likely that you’ll need to change this in your setup if your local network isn’t using the 10.1.0.x range.
Just a quick note about the bridging script — completely unnecessary on a Debian (or Debian-like) system, and seems to be causing people a lot of confusion. Just put something like the following in /etc/network/interfaces:
——————————————
iface eth0 inet manual
auto br0
iface br0 inet static
pre-up /usr/sbin/openvpn --mktun --dev tap0
bridge_ports eth0 tap0
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
——————————————
If you receive an error to the effect of “Cannot ioctl TUNSETIFF tap0,” try tap1 instead.
That’s all there is to it — no silly scripts.
Hello
What Ubuntu version does this work with?
Is it 8.10 and 9.04?
I must test this. Thanks