Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
OpenVPN 2.x TAP mini-HOWTO (linux 2 wifi-linux, wifi-xp)
View unanswered posts
View posts from last 24 hours

Goto page 1, 2, 3, 4, 5  Next  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
cchee
Apprentice
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Wed Oct 06, 2004 1:44 am    Post subject: OpenVPN 2.x TAP mini-HOWTO (linux 2 wifi-linux, wifi-xp) Reply with quote

Background
In my attempt to setup OpenVPN for my network, I search through the forum and can't find much information on setting OpenVPN 2.0 using TAP, especially sample configuration file. Most of the HOWTO I found are related to TUN settings. The HOWTO from http://openvpn.sourceforge.net/ was helpful but since I am a newbie to openvpn. It took me a while to figure out how to get thing setup right. In the light of hoping to speed up the adoption of openvpn 2.0 ebuild into gentoo distribution (I love this distribution!!) and also hoping to help out newbie for OpenVPN (like I am) to save time. I have created this mini-HOWTO. Your constructive criticism/suggestion/feedback are most welcome, especially in the light of network security related configuration.

Simplified Server/Client Environment
The system I used for setup OpenVPN server is Gentoo Linux with kernel 2.6.8-r3 (which is gentoo-dev-sources-2.6.8-r3). Later kernel can also be used, the newest one I have used is gentoo-sources-2.6.11-r11. Make sure kernel has TAP/TUN compiled as module or build-in. If compiled as module, make sure you have tun in your /etc/module.autoload.d/kernel-2.6. Linux server/client OpenSSL version is 0.9.7d-r1 or newer version. For windows client, I used Windows XP with SP2 installed. This setup works regardless you are using wireless or not. In my case, Linux client is wired, and Windows XP client is wireless tablet pc.
OpenVPN server has external static IP in this setup.
Protected network: 10.2.0.0
Protected network DNS: 10.2.0.1 10.2.0.2
Protected network VPN server: 10.2.0.3
Protected network domain: homenetwork.local
Protected network is behind a separate hardware based firewall, e.g. Netscreen or Linksys Cable/DSL Wireless Router
OpenVPN server is resided inside the protected network with UDP port 5000 forwarded from outside (Internet) to the OpenVPN server at the firewall.
OpenVPN virtual network: 10.1.0.0
OpenVPN virtual network server IP: 10.1.0.1 (in this example, I named it gateway)
OpenVPN virtual network client IP range: 10.1.0.2 - 10.1.0.10
OpenVPN client can be anywhere in the Internet or other remote LAN (via wireless or wired) with access to the Internet.

Unlike the typical TUN setup, with this setup, you won't need to manually assign virtual IP address to server/client. All client virtual IP are assigned by the server using the virtual IP range specified in the server configuration (parameter ifconfig-pool). Route table entries for virtual client can be managed from the OpenVPN server configuration (under the parameter push "xxxx"). In addition, no ethernet bridging setup is needed in this setup. IMHO, this really makes the system/network administrator life a lot easier.

Downloads
Update: You can use 2.0 rc6 or newer (latest is the official version 2.0) instead. The differences are in some of the parameter values in the configuration file (sectioned out for you in later instruction.)
VPN Server/Client (Gentoo Linux, of course) - OpenVPN 2.0 ebuild [already in latest portage as stable].
Windows XP Client: http://openvpn.net/download.html
Mac OSX installation, please goto http://openvpn2.darwinports.com, http://www-user.rhrk.uni-kl.de/~nissler/tuntap/

There are a few OpenVPN GUI available, depends on which one you like and you can just google them. Here are a few links I found.
Windows XP OpenVPN GUI: http://www.ipact.com/~huttinger/bb/download.php?id=7, http://www.nilings.se/openvpn/download.html, http://openvpn.se/
Mac OS X OpenVPN GUI: http://mac.softpedia.com/get/Network-Admin/OpenVPN-GUI.shtml
Linux OpenVPN GUI: http://sourceforge.net/projects/openvpnadmin/, http://govpn.clubnix.net/

Installation

Linux VPN Server/Client
These steps are only needed if openvpn 2.0 is not yet official in the portage.
Code:
vi /etc/make.conf # to uncomment PORTDIR_OVERLAY
mkdir -p /usr/local/portage/net-misc/openvpn
cp ~/openvpn-2.0.ebuild /usr/local/portage/net-misc/openvpn # assuming you downloaded the ebuild in your current user (root) directory
cd /usr/local/portage/net-misc/openvpn
ebuild openvpn-2.0.ebuild digest

Before openvpn 2.0 become official in portage
Code:

ACCEPT_KEYWORDS="~x86" USE="pthreads ssl" emerge -v openvpn # You want to enable pthread for speed

After openvpn 2.0 become official in portage
Code:

USE="examples threads ssl" emerge -v openvpn # You want to enable threads for speed

Before openvpn 2.0 become official in portage
Code:

mkdir -p /etc/openvpn/gateway # you can replace gateway with whatever directory name you want to use
cd # go back to your root home directory
gzip -d < /usr/portage/distfiles/openvpn-2.0.tar.gz | ( cd /root; tar xvfo - )
cd /root/openvpn-2.0
mv easy-rsa ~/
rm -rf /root/openvpn-2.0
rc-update add openvpn default
vi /etc/conf.d/local.start # to add echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/conf.d/local.stop # to add echo 0 > /proc/sys/net/ipv4/ip_forward
rc-update add local default

After openvpn 2.0 become official in portage
Code:

mkdir -p /etc/openvpn/gateway
cd # go back to your root home directory
# easy-rsa is available under /usr/share/openvpn/easy-rsa
rc-update add openvpn default
vi /etc/conf.d/local.start # to add echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/conf.d/local.stop # to add echo 0 > /proc/sys/net/ipv4/ip_forward
rc-update add local default

Windows XP Client
I have the latest SP from Microsoft installed before I start.

    Install openvpn-2.0-install.exe
    Install OpenVPN GUI [optional]


Configuration
OpenVPN server configuration file (/etc/openvpn/gateway/local.conf)
Code:
port 1194 # or any other port you want to use
dev tap
tls-server
cd /etc/openvpn/gateway
ca ca.crt
cert gateway.crt
key gateway.key
dh dh2048.pem
tls-auth ta.key 0
mode server
duplicate-cn
ifconfig 10.1.0.1 255.255.255.0 # openvpn gateway
ifconfig-pool 10.1.0.2 10.1.0.11 255.255.255.0 # ip range for openvpn client
push "dhcp-option DNS 10.2.0.1" # push DNS entries to openvpn client
push "dhcp-option DNS 10.2.0.2"
push "route-gateway 10.1.0.1" # push default gateway
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 10.2.0.0 255.255.255.0 10.1.0.1" # add route to to protected network
push "route 10.1.0.0 255.255.255.0 10.1.0.1"
comp-lzo
status openvpn-status.log
verb 4

NOTE: If you are using openvpn 2.1 (not yet in the official portage, hopefully soon) You can added the following line to do port sharing. The following line basically tells openvpn to listen to port 443, if the traffic is openvpn traffic, process it. Otherwise forward it to ssl_webserver.mycompany.com to process as https traffic. One great thing about this is you have one less hole in your firewall.
Code:

port-share ssl_webserver.mycompany.com 443


OpenVPN Linux client configuration (/etc/openvpn/client/local.conf)
Code:
port 1194 # or any other port you want to use
dev tap
remote w.x.y.z # w.x.y.z is external IP of the OpenVPN server

tls-client
cd /etc/openvpn/client
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull

comp-lzo
verb 4


Symbolic linked the configuration files for Gentoo Linux (server/client) [NEW from official openvpn 2.0 ebuild]
Code:

cd /etc/openvpn
# foreach sub-directory, we create a symbolic link to the local.conf to the current directory since the new init script don't scan for sub-directory
# anymore instead it looks for .conf files. With the sample environment defined above, we have:
ln -s gateway/local.conf gateway.conf


Windows XP client configuration (My Document\client.ovpn)
Code:
port 1194 # or any other port you want to use
dev tap
remote w.x.y.z # w.x.y.z is external IP of the OpenVPN server

tls-client
ca ca.crt
cert client.crt
key client-key.txt
tls-auth ta-key.txt 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull

comp-lzo
verb 4


To generate the ta.key (or ta-key.txt), I use the following command (recommended by HOWTO from OpenVPN) to generate on Linux:
Code:
openvpn --genkey --secret ta.key
or
Code:
openvpn --genkey --secret ta-key.txt

Then I basically copy this file to server and all clients machines via secure channel.

To generate the server certificate and key file for /etc/openvpn/gateway, I basically follow the instruction provided by easy-rsa README file. Make sure you specify the purpose of the certificate is Web server when you submit your CSR for your server.
Code:
cd /root/easy-rsa
vi vars # update the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to appropriate value
. vars
./clean-all
./build-dh   # to generate the dh2048.pem needed by the server configuration
cp /root/openvpn/dh2048.pem /etc/openvpn/gateway

./clean-all
./build-req gateway
cp /root/openvpn/gateway.key /etc/openvpn/gateway
# Send the /root/openvpn/gateway.csr to your CA authority, once it is
# signed by CA authority, they will send you the certificate. Save this
# certificate as gateway.crt under /etc/openvpn/gateway.


To generate the client certificate and key file for /etc/openvpn/client, it will be similar to the server, except the purpose for your client CSR is User instead of Web Server. Otherwise, you may run into "unroutable" problem. Well, at least that is the case for me.
Code:

# repeat these steps for each OpenVPN client
# BEGIN
./clean-all
./build-req client
# Copy /root/openvpn/client.key to /etc/openvpn/client on your OpenVPN
# Linux client via SECURE channel
# For Windows XP, I just save the configuration, certificate and key files
# under My Document folder
# Send the certificate sign request to your CA authority.
# END
# Your CA authority should have a CA certificate which you will save it
# under /etc/openvpn/gateway (for server), /etc/openvpn/client (for
# Linux client) and My Document folder for Windows XP client as ca.crt
# in our example. Make sure you use SECURE channel to transfer these
# files.


To verify the server certificate is valid, you can use the following:
Code:
openssl verify -CAfile ca.crt -purpose sslserver gateway.crt


To verify the client certiciate(s) is(are) valid, you can use the following:
Code:
openssl verify -CAfile ca.crt -purpose sslclient client.crt


**You also need to make sure your firewall have udp port 1194 (or whatever port you have specified in your server configuration) opened for your OpenVPN server. In addition, depends on what firewall you are using, you may need to make sure network traffic is allowed into your protected network for your OpenVPN client IP range. Since we are not using ethernet bridge, you will need to add route on your protected lan gateway to tell all machines in the protected lan to forward package to your VPN server when the requester IP belongs to the VPN lan.

Once you have all the configuration file in place, do the following on the server or Linux client.
Code:
/etc/init.d/openvpn start


For Windows XP, start OpenVPN GUI and then load the configuration file client.ovpn under My Document.

Testing
Start up the client side and then do a ping on one of the server in the protected network (10.2.0.0). If you can ping, then you are connected and your packet are routed correctly.

Finishing Touch
After you have verified the network connectivity is all well, if you are using Windows client, you will want to turn your openvpn into automatically start as service instead of starting it manually each time you login. To do that just follow the instruction under section Running OpenVPN as a Windows Service in the INSTALL-Win32 provided by http://openvpn.sourceforge.net/INSTALL-win32.html **Make sure you have all your config files, certificates and keys moved to <openvpn installed directory>/config directory if they are not already there.


Last edited by cchee on Tue Apr 03, 2007 3:22 pm; edited 27 times in total
Back to top
View user's profile Send private message
cchee
Apprentice
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Thu Oct 07, 2004 8:03 pm    Post subject: Reply with quote

Troubleshooting

Q: I am getting the following error when I start up openvpn (version 2.0.2)
Code:
 * Starting openvpn for server ... [ !! ]


A: The /etc/init.d/openvpn for version 2.0.2 uses -cd option in line 43
Code:
 --daemon --cd "${VPNDIR}"

replace that line with
Code:
 --daemon

and make sure your /etc/openvpn/gateway/local.conf (using above example) has
Code:
cd /etc/openvpn/gateway

should fix your problem. For details on how to modify the /etc/init.d/openvpn to accommodate multiple OpenVPN connection setup, check the bug attachment in http://bugs.gentoo.org/show_bug.cgi?id=109363

Q: I keep getting the following error on the server log when my client connected. What's wrong?
Code:
Oct  7 15:48:25 gateway openvpn[17954]: Administrator/www.xxx.yyy.zz:3510 Bad LZO decompression header byte: 40
Oct  7 15:48:27 gateway openvpn[17954]: Administrator/www.xxx.yyy.zzz:3510 Bad LZO decompression header byte: 255
Oct  7 15:48:28 gateway openvpn[17954]: Administrator/www.xxx.yyy.zzz:3510 Bad LZO decompression header byte: 255
Oct  7 15:48:29 gateway openvpn[17954]: Administrator/www.xxx.yyy.zzz:3510 Bad LZO decompression header byte: 255
Oct  7 15:48:29 gateway openvpn[17954]: Administrator/www.xxx.yyy.zzz:3510 Bad LZO decompression header byte: 40

where www.xxx.yyy.zzz is the IP address from the client

A: Check the comp-lzo setting on both server and client configuration. Most likely your client doesn't have comp-lzo while your server expected it.

Q: I keep getting the following error on the server log when my client connected. What's wrong?
Code:
Oct  7 15:56:24 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
Oct  7 15:56:26 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
Oct  7 15:56:29 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
Oct  7 15:56:31 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
Oct  7 15:56:33 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
Oct  7 15:56:35 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073

where www.xxx.yyy.zzz is the IP address from the client

A: Make sure both server and client configuration files have "tls-auth ta.key #" either enabled or disabled. Plus you want to make sure the server has 0 for # while the client has 1 for #. You can't have one enabled while the other disabled.

Q: I keep getting the following error on the server log when my client connected. What's wrong?
Code:
Oct  7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /emailAddress=cchee@xxxxxx.yyyyy.zzz/C=US/ST=NY/L=NOWHERE/O=NOORG/OU=NODEPT/CN=Nobody
Oct  7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Oct  7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS Error: TLS object -> incoming plaintext read error
Oct  7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS Error: TLS handshake failed
Oct  7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS Error: Unroutable control packet received from www.xxx.yyy.zzz:1042 (si=3 op=P_CONTROL_V1)
Oct  7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS Error: Unroutable control packet received from www.xxx.yyy.zzz:1042 (si=3 op=P_CONTROL_V1)
Oct  7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS Error: Unroutable control packet received from www.xxx.yyy.zzz:1042 (si=3 op=P_CONTROL_V1)

where www.xxx.yyy.zzz is the IP address from the client


A: Check your client side SSL/TLS certificate. If you are using the server type of the certificate for client, you will get this error. To verify your certificate, type:
Code:
openssl verify -CAfile ca.crt -purpose sslclient mycert.crt
It should returns OK status without any error at all.

Q:All clients connected with the same virtual IP even though I have specified ifconfig-pool in my OpenVPN server configuration. What do I do?

A: Check your client side certificate to make sure you have the correct setup. If the same client want to use the same certificate for multiple connections, then try to add the following in your server configuration if that fits your need.
Code:
duplicate-cn
And then restart your OpenVPN service on the server and try to connect to it again. In general, you are NOT recommended to do so since it makes session tracking harder to pin point particular client side certificate during security audit.

Q:VPN client connected to the VPN server ok, but it can't access any other nodes in the protected network. What do I do?

A: There are two options.
1) In your default gateway, you need to add the route to your protected lan with VPN server as the gateway. Using the sample environment above, you will need to add the following route.
Code:
route add -net 10.1.0.0 netmask 255.255.255.240 gw 10.2.0.3
Note: Why netmask is 255.255.255.240? Because our VPN client IP range is 0 - 10, netmask is given as 255.255.255.240 (which give us 16 entries [0-15]) Power of 2 is always more efficent for router.
2) Use ethernet bridge.

Q: How do I put an access control list to define who can gain access to my VPN?

A: Using the learn-address directive and a shell script. You can easily manage your access control list via a text file. With the sample environment defined above, your will add the following line in to your local.conf of OpenVPN:
Code:

learn-address /etc/openvpn/gateway/access-control.sh


And shell script /etc/openvpn/gateway/access-control.sh:
Code:
#!/bin/bash

case $1 in
        delete)
        exit 0
        ;;
        *)
        whologin=$(grep $3 /etc/openvpn/gateway/access-control.txt)
        if [ -z ${whologin}]; then
                exit 1
        else
                exit 0
        fi
        ;;
esac

The format of the access control list file (text) is simply CN for each line:
Code:
Good.Guy
Good.Girl

Note: With openvpn 2.0 rc6, your access control list file (text) will replace the dot with white space as below:
Code:
Good Guy
Good Girl

Note: With openvpn 2.0 rc17, your access control list file (text) will replace the dot with underscore as below:
Code:
Good_Guy
Good_Girl


Q: After I emerge from the official OpenVPN ebuild in gentoo, my setup broke, can't start openvpn server. What's up?

A: The issue lies within the /etc/init.d/openvpn. The official init script for openvpn in Gentoo has changed slightly. It is expecting the config file to be within the /etc/openvpn not /etc/openvpn/gateway (given the sample environment described in the first post of this topic). So to workaround this, you will need to do two things:
Code:

cd /etc/openvpn; ln -s /etc/openvpn/gateway/local.conf gateway.conf

And then if your local.conf doesn't have cd /etc/openvpn/gateway you will need to add that before any config file loading directive.
Code:

cd /etc/openvpn/gateway
ca ca.crt

Or, if you enjoy typing, you can use absolute path for all files reference in the config file. For example,
Code:

ca /etc/openvpn/gateway/ca.crt


Last edited by cchee on Sat Oct 15, 2005 2:26 pm; edited 15 times in total
Back to top
View user's profile Send private message
cchee
Apprentice
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Sat Oct 09, 2004 11:09 pm    Post subject: DNS lookup for OpenVPN client (Linux only) Reply with quote

For those who has Linux as their OpenVPN client, if they want to have the DNS lookup working properly, they will need to add the following into their Linux client configuration (using the above example environment):
Code:
up /etc/openvpn/client/client.up
down /etc/openvpn/client/client.down

where client.up is a shell script with the following content:
Code:
sed -i \
-e '1,1 i nameserver 10.2.0.1' \
-e '1,1 i nameserver 10.2.0.2' \
-e '1,1 i search homenetwork.local.' /etc/resolv.conf
and client.down is another shell script with the following content:
Code:
sed -i \
-e '/nameserver 10.2.0/d'
-e '/search homenetwork.local/d' /etc/resolv.conf

Make sure you have
Code:
chmod 755 client.up client.down
And have these scripts under the same directory as the configuration file. Note: Absolute path is needed for client.up in OpenVPN configuration file in order for the up command to work. At least that is the case for my environment.

Last edited by cchee on Sat Oct 16, 2004 2:04 am; edited 2 times in total
Back to top
View user's profile Send private message
cchee
Apprentice
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Mon Oct 11, 2004 1:16 pm    Post subject: Sign your own certificate with your own CA using EASY-RSA Reply with quote

Create your own CA
Easy-RSA comes with OpenVPN. To create your own CA is very easy, just update the vars file accordingly. Then do:
Code:
. vars
./clean-up
./build-ca

You will have the ca.crt and ca.key generated under the KEY_DIR defined in vars.

Create certificate request
Code:
./build-req laptop

You will have the laptop.csr and laptop.key generated under the KEY_DIR defined in vars.

Sign your CSR request(s)
After you have created your CSR for your OpenVPN client, for example, the name of the client is laptop, and you have already generated CA (as described above), and CSR for laptop is under KEY_DIR. Then you will do:
Code:
./sign-req laptop

You will have the laptop.crt generated under the KEY_DIR defined in vars.


Last edited by cchee on Sat Nov 06, 2004 7:14 pm; edited 1 time in total
Back to top
View user's profile Send private message
cchee
Apprentice
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Thu Oct 14, 2004 7:29 pm    Post subject: Security Configuration Enhancements Reply with quote

Thanks to Vlada Macek in the OpenVPN news group for this great suggestion. To have my openvpn server to check against the CRL on my CA server. I did the following:

Add
Code:
crl-verify /etc/openvpn/gateway/ca.crl
to my local.conf on my OpenVPN server (using the example environment above).

Create the following cronjob script, named crl-update.cron, under /etc/openvpn/gateway:
Code:
#!/bin/sh
/usr/bin/wget -q http://myca.mynetwork.local/CertEnroll/CA%20Root.crl -O /etc/openvpn/gateway/new-ca.crl
/usr/bin/openssl crl -inform DER -outform PEM -in /etc/openvpn/gateway/new-ca.crl -out /etc/openvpn/gateway/ca.crl
chmod 600 /etc/openvpn/gateway/ca.crl


This cronjob script basically retrieves the CA Root CRL from the CA server (MS Windows Server) in my network using wget. Then I use openssl crl to convert the CRL from DER format to PEM format. wget -q option mute any standard output stuff from wget.

Lastly, I create a symbolic link:
Code:
ln -s /etc/openvpn/gateway/crl-update.cron .
where . is /etc/cron.hourly to have this cronjob runs every hour.

Last edited by cchee on Sat Oct 16, 2004 2:04 am; edited 1 time in total
Back to top
View user's profile Send private message
cchee
Apprentice
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Sat Oct 16, 2004 2:04 am    Post subject: Re: DNS lookup for OpenVPN client (Linux only) Reply with quote

cchee wrote:
For those who has Linux as their OpenVPN client, if they want to have the DNS lookup working properly, they will need to add the following into their Linux client configuration (using the above example environment):
Code:
up /etc/openvpn/client/client.up
down /etc/openvpn/client/client.down

where client.up is a shell script with the following content:
Code:
sed -i \
-e '1,1 i nameserver 10.2.0.1' \
-e '1,1 i nameserver 10.2.0.2' \
-e '1,1 i search homenetwork.local.' /etc/resolv.conf
and client.down is another shell script with the following content:
Code:
sed -i \
-e '/nameserver 10.2.0/d'
-e '/search homenetwork.local/d' /etc/resolv.conf

Make sure you have
Code:
chmod 755 client.up client.down
And have these scripts under the same directory as the configuration file. Note: Absolute path is needed for client.up in OpenVPN configuration file in order for the up command to work. At least that is the case for my environment.

Thanks to James Yonan for the hints on environment variables being set by OpenVPN before the up/down command are being invoked. To make the above script even more system admin friendly, we replace the client.up.

With openvpn 2.0 beta11:
Code:
domain=`echo ${foreign_option_1} | sed -e 's/dhcp-option\.DOMAIN\.//g'`
dns1=`echo ${foreign_option_2} | sed -e 's/dhcp-option\.DNS\.//g'`
dns2=`echo ${foreign_option_3} | sed -e 's/dhcp-option\.DNS\.//g'`
sed -i \
-e "1,1 i nameserver ${dns1}" \
-e "1,1 i nameserver ${dns2}" \
-e "1,1 i search ${domain}." /etc/resolv.conf


With openvpn 2.0 rc6 to latest 2.0 stable:
Code:
domain=`echo ${foreign_option_1} | sed -e 's/dhcp-option DOMAIN //g'`
dns1=`echo ${foreign_option_2} | sed -e 's/dhcp-option DNS //g'`
dns2=`echo ${foreign_option_3} | sed -e 's/dhcp-option DNS //g'`
sed -i \
-e "1,1 i nameserver ${dns1}" \
-e "1,1 i nameserver ${dns2}" \
-e "1,1 i search ${domain}." /etc/resolv.conf


And then replace the client.down.

With openvpn 2.0 beta 11:
Code:
domain=`echo ${foreign_option_1} | sed -e 's/dhcp-option\.DOMAIN\.//g'`
dns1=`echo ${foreign_option_2} | sed -e 's/dhcp-option\.DNS\.//g'`
dns2=`echo ${foreign_option_3} | sed -e 's/dhcp-option\.DNS\.//g'`
sed -i \
-e "/nameserver ${dns1}/d" \
-e "/nameserver ${dns2}/d" \
-e "/search ${domain}./d" /etc/resolv.conf


With openvpn 2.0 rc6 to latest 2.0 stable:
Code:
domain=`echo ${foreign_option_1} | sed -e 's/dhcp-option DOMAIN //g'`
dns1=`echo ${foreign_option_2} | sed -e 's/dhcp-option DNS //g'`
dns2=`echo ${foreign_option_3} | sed -e 's/dhcp-option DNS //g'`
sed -i \
-e "/nameserver ${dns1}/d" \
-e "/nameserver ${dns2}/d" \
-e "/search ${domain}./d" /etc/resolv.conf


This way, when you (as being system admin) need to change domain, dns IPs. You don't need to change all the Linux clients' client.up and client.down script manually, all you need to do is update the domain and DNS IP in the server local.conf and it will automagically prepend the correct domain and DNS IPs into the clients' /etc/resolv.conf file.

If none of the above help, goto http://news.gmane.org/gmane.network.openvpn.user and browse through the mailing list archive. Great resource for information!


Last edited by cchee on Fri Apr 29, 2005 4:34 am; edited 2 times in total
Back to top
View user's profile Send private message
nyne
n00b
n00b


Joined: 07 Oct 2004
Posts: 8
Location: New York

PostPosted: Sat Oct 16, 2004 8:47 pm    Post subject: Reply with quote

if my ISP assigns a dynamic ip, should that cause any real problems with a setup like this (essentially for encryption/authentication of wireless nodes in a client/server type setup)

I basically have a gentoo box (2.6.8) with eth1 grabbing an IP from my ISP via DHCP, and eth0(192.168.0.0) being my private lan. hooked to a wireless access point && 5 port 100mbit switch (befw11s4 linksys)

I'm running iptables, have openvpn installed, and tun/tap compiled into the kernel.. should I be okay with a configuration like this?
_________________
Fortune Favours the Brave.
Back to top
View user's profile Send private message
cchee
Apprentice
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Sat Oct 16, 2004 10:00 pm    Post subject: Reply with quote

nyne wrote:
if my ISP assigns a dynamic ip, should that cause any real problems with a setup like this (essentially for encryption/authentication of wireless nodes in a client/server type setup)

I basically have a gentoo box (2.6.8) with eth1 grabbing an IP from my ISP via DHCP, and eth0(192.168.0.0) being my private lan. hooked to a wireless access point && 5 port 100mbit switch (befw11s4 linksys)

I'm running iptables, have openvpn installed, and tun/tap compiled into the kernel.. should I be okay with a configuration like this?
Are you trying to
a) access OpenVPN from your home network to external static IP openvpn server? or
b) setup your home OpenVPN server so can you access it from outside (Internet)? or
c) setup OpenVPN between all your wireless nodes and your LAN server so you can "safely" surf the web via your wireless LAN?
Back to top
View user's profile Send private message
nyne
n00b
n00b


Joined: 07 Oct 2004
Posts: 8
Location: New York

PostPosted: Sat Oct 16, 2004 11:09 pm    Post subject: Reply with quote

Essentially I am trying to (C) setup OpenVPN between all your wireless nodes and your LAN server so you can "safely" surf the web via your wireless LAN?
_________________
Fortune Favours the Brave.
Back to top
View user's profile Send private message
cchee
Apprentice
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Mon Oct 18, 2004 3:51 am    Post subject: Reply with quote

nyne wrote:
Essentially I am trying to (C) setup OpenVPN between all your wireless nodes and your LAN server so you can "safely" surf the web via your wireless LAN?
You need to "push" (from OpenVPN server) the changes of the default gateway for all your OpenVPN client wireless nodes to point to OpenVPN server on your LAN instead of your wireless broadband router (linksys befw11s4). I haven't tested this type of setup myself since my setup is more of (A), but I can't think any reason why you won't be able to do it.
Back to top
View user's profile Send private message
lokelo
Tux's lil' helper
Tux's lil' helper


Joined: 16 Dec 2002
Posts: 101
Location: Maryland, USA

PostPosted: Fri Oct 22, 2004 11:29 pm    Post subject: Reply with quote

I'm not too familiar with the whole concept of getting a my .csr signed. Who would I go to for that to be signed for my server? I see you have how to sign a clients csr file, but would that work for the main server? Is there a way that I can sign that csr myself?

Also, you mention to specify the purpose of the certificate. Does that get specified somewhere when you make the csr file? or done when you actually get it signed?
Back to top
View user's profile Send private message
cchee
Apprentice
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Sun Oct 24, 2004 1:17 am    Post subject: Reply with quote

lokelo wrote:
I'm not too familiar with the whole concept of getting a my .csr signed. Who would I go to for that to be signed for my server? I see you have how to sign a clients csr file, but would that work for the main server? Is there a way that I can sign that csr myself?

Also, you mention to specify the purpose of the certificate. Does that get specified somewhere when you make the csr file? or done when you actually get it signed?
Check the README that comes with easy-rsa (which comes with OpenVPN tarball). I used Certificate Server comes with MS Windows Server 2003. In there, when you request to sign a certificate request, they have User and Webserver (plus others) purpose. If you are doing self-sign using Easy RSA, you probably don't need to specify the purpose. Hope this help.
Back to top
View user's profile Send private message
voice0
n00b
n00b


Joined: 26 Oct 2004
Posts: 2

PostPosted: Tue Oct 26, 2004 8:37 pm    Post subject: Can't find other clients in VPN Reply with quote

Hi cchee!

Today, I have installed a VPN following your Mini-HOWTO. The VPN seems to work, now. However, after connecting client C0 to the server, the server client C0 had the ip address 10.1.0.2 in the subnet 255.255.255.0 which seems to be correct. A ping from the client C0 to the server or from the server to the client C0 works, too. Everything seems to be fine, so far.

After connecting client C1 to the server, the client C1 got the ip address 10.1.0.3 which seems to be fine, too. I tried to ping the server 10.1.0.1 and got a response. The server was able to ping 10.1.0.3, too. Seems to be fine.

The Problem:
Client C0 does not get a ping reply from client C1 nor does C1 get any response from C0, although both clients are able to connect and communicate with the server. The server does not report any errors in the log.

Any idea, why?

[edit]:
I have just added the client-to-client option to my server configuration file. Now, C1 can ping C0 but C0 is still not able to ping C1 O_o

Well, I guess it's a firewall problem, now.
[/edit]
[edit²]
It was a firewall problem and the client-to-client option really does make it work :-)
[/edit]

Here's my server-configuration:
Code:

port 5000
dev tap
tls-server
ca ca.crt
cert gateway.crt
key gateway.key
dh dh1024.pem
mode server
duplicate-cn
ifconfig 10.1.0.1 255.255.255.0
ifconfig-pool 10.1.0.2 10.1.0.11 255.255.255.0
push "dhcp-option DNS 10.2.0.1"
push "dhcp-option DNS 10.2.0.2"
push "route-gateway 10.1.0.1"
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 10.2.0.0 255.255.255.0 10.1.0.1"
push "route 10.1.0.0 255.255.255.0 10.1.0.1"
comp-lzo
status openvpn-status.log
verb 4


And this is my client configuration (both clients are using this configuration):
Code:

remote w.x.y.z    # I deleted the ip on purpose ;-)
port 5000
dev tap

tls-client
ca ca.crt
cert client.crt
key client.key
# tls-auth ta.key 1

mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull

comp-lzo

verb 4
Back to top
View user's profile Send private message
nyne
n00b
n00b


Joined: 07 Oct 2004
Posts: 8
Location: New York

PostPosted: Wed Oct 27, 2004 2:49 am    Post subject: Reply with quote

cchee wrote:
nyne wrote:
Essentially I am trying to (C) setup OpenVPN between all your wireless nodes and your LAN server so you can "safely" surf the web via your wireless LAN?
You need to "push" (from OpenVPN server) the changes of the default gateway for all your OpenVPN client wireless nodes to point to OpenVPN server on your LAN instead of your wireless broadband router (linksys befw11s4). I haven't tested this type of setup myself since my setup is more of (A), but I can't think any reason why you won't be able to do it.


the wireless router is only being used as a wireless access point/wired switch. the dhcp server, is sitting on my default gateway/iptables gentoo box.. (which is connected directly to the cable modem)
_________________
Fortune Favours the Brave.
Back to top
View user's profile Send private message
cchee
Apprentice
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Wed Oct 27, 2004 5:09 pm    Post subject: Reply with quote

lokelo wrote:
I'm not too familiar with the whole concept of getting a my .csr signed. Who would I go to for that to be signed for my server? I see you have how to sign a clients csr file, but would that work for the main server? Is there a way that I can sign that csr myself?

Also, you mention to specify the purpose of the certificate. Does that get specified somewhere when you make the csr file? or done when you actually get it signed?
Here is another link for good info related to certificate. http://www.oreillynet.com/pub/a/security/2004/10/21/vpns_and_pki.html
Back to top
View user's profile Send private message
lokelo
Tux's lil' helper
Tux's lil' helper


Joined: 16 Dec 2002
Posts: 101
Location: Maryland, USA

PostPosted: Sun Oct 31, 2004 5:39 pm    Post subject: can't get inside the remote network Reply with quote

Ok, I have my setup working fairly ok now, but I'm still having a little problem. My client can ping the virtual address of the server, and the server can ping the virtual address of the client, but I can't ping anything past that, including the actual IP or any computers on the remote network. I've got my setup exactly as the howto describes except that my protected network is 192.168.1.0 and my virtual network is 192.168.2.0. Any help on this would be appreciated.
Back to top
View user's profile Send private message
cchee
Apprentice
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Fri Nov 05, 2004 5:42 pm    Post subject: Re: can't get inside the remote network Reply with quote

lokelo wrote:
Ok, I have my setup working fairly ok now, but I'm still having a little problem. My client can ping the virtual address of the server, and the server can ping the virtual address of the client, but I can't ping anything past that, including the actual IP or any computers on the remote network. I've got my setup exactly as the howto describes except that my protected network is 192.168.1.0 and my virtual network is 192.168.2.0. Any help on this would be appreciated.
Check the updated Troubleshooting section of this topic.
Back to top
View user's profile Send private message
damed92
n00b
n00b


Joined: 10 Sep 2003
Posts: 11

PostPosted: Tue Nov 09, 2004 2:27 pm    Post subject: Reply with quote

Firstly, thank you VERY much for this howto. I have OpenVPN working well.

One question:

I have the server set up at Location 1 (L1). It accepts Windows client connections from the internet fine.

What I need to do now is set up Location 2 (L2) to connect to L1 and create a permanant VPN tunnel, so that clients at L1 can get to L2 and clients at L2 can get to L1. L2 currently has a Linux firewall set up. My plan is to set up this machine as a Linux client to the server at L1

Basically, what I want to know:

Do I need to create a new conf file on the server using a different port for this connection, or can it use 5000? Keep in mind that I still want Windows clients from the net to get into L1.

Please advise, and thank you again.
Back to top
View user's profile Send private message
cchee
Apprentice
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Tue Nov 09, 2004 2:57 pm    Post subject: Reply with quote

damed92 wrote:
Firstly, thank you VERY much for this howto. I have OpenVPN working well.

One question:

I have the server set up at Location 1 (L1). It accepts Windows client connections from the internet fine.

What I need to do now is set up Location 2 (L2) to connect to L1 and create a permanant VPN tunnel, so that clients at L1 can get to L2 and clients at L2 can get to L1. L2 currently has a Linux firewall set up. My plan is to set up this machine as a Linux client to the server at L1

Basically, what I want to know:

Do I need to create a new conf file on the server using a different port for this connection, or can it use 5000? Keep in mind that I still want Windows clients from the net to get into L1.

Please advise, and thank you again.
L2 VPN server will be one of the VPN client to L1 server at port 5000. L1 VPN server will be one of the VPN client to L2 server at port OTHER than 5000 (e.g. 6000). If you want L1 clients able to access L2. You may need to add
Code:
client-to-client
in your local.conf on L1 VPN server. In addition, you need to make sure you have proper route in your routing table on both L1 and L2.
Back to top
View user's profile Send private message
damed92
n00b
n00b


Joined: 10 Sep 2003
Posts: 11

PostPosted: Tue Nov 09, 2004 3:24 pm    Post subject: Reply with quote

cchee wrote:
L2 VPN server will be one of the VPN client to L1 server at port 5000. L1 VPN server will be one of the VPN client to L2 server at port OTHER than 5000 (e.g. 6000). If you want L1 clients able to access L2. You may need to add
Code:
client-to-client
in your local.conf on L1 VPN server. In addition, you need to make sure you have proper route in your routing table on both L1 and L2.


Ok, so let me see if I have this straight.

I have to add a second conf file to the directory on L1's server that makes a connection to L2's server (which I need to set up)

L2 needs to be installed in server mode as well, so it can accept a connection from L1 (at a different port than 5000). It will also be a client to the server at L1. So, basically we are creating 2 vpn connections for this (in essence)

If I put both the server configuration (local.conf, as specified above) and the new client.conf (local.conf for clients, as seen above) will the openvpn server at startup automatically read both conf files and create the appropriate connections?
Back to top
View user's profile Send private message
cchee
Apprentice
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Tue Nov 09, 2004 3:40 pm    Post subject: Reply with quote

damed92 wrote:
If I put both the server configuration (local.conf, as specified above) and the new client.conf (local.conf for clients, as seen above) will the openvpn server at startup automatically read both conf files and create the appropriate connections?

The openvpn startup script in Gentoo scan each sub-directory under /etc/openvpn and load the local.conf accordingly. So in your setup, you will have /etc/openvpn/L1 and /etc/openvpn/L2 sub-directories.
Back to top
View user's profile Send private message
damed92
n00b
n00b


Joined: 10 Sep 2003
Posts: 11

PostPosted: Tue Nov 09, 2004 3:49 pm    Post subject: Reply with quote

cchee wrote:
damed92 wrote:
If I put both the server configuration (local.conf, as specified above) and the new client.conf (local.conf for clients, as seen above) will the openvpn server at startup automatically read both conf files and create the appropriate connections?

The openvpn startup script in Gentoo scan each sub-directory under /etc/openvpn and load the local.conf accordingly. So in your setup, you will have /etc/openvpn/L1 and /etc/openvpn/L2 sub-directories.


Unfortunatley I am using Redhat on these boxes (not my choice). Can you possibly point me to the startup script so I can see if I can port it?
Back to top
View user's profile Send private message
cchee
Apprentice
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Tue Nov 09, 2004 3:54 pm    Post subject: Reply with quote

damed92 wrote:
Unfortunatley I am using Redhat on these boxes (not my choice). Can you possibly point me to the startup script so I can see if I can port it?

It could be more involved than you think but this should give you a general idea. You may want to switch to Gentoo. ;)
Code:
#!/sbin/runscript

VPNDIR="/etc/openvpn"

depend() {
        need net
}

checktundevice() {
        if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
                ebegin Detected broken /dev/net/tun symlink, fixing...
                        rm /dev/net/tun
                        ln -s /dev/misc/net/tun /dev/net/tun
                eend $?
        fi
}

start() {
        checktundevice || return 1

        cd $VPNDIR
        for VPN in *
        do
                if [ -d $VPN ] && [ -e $VPN/local.conf ]; then
                        ebegin "Starting openvpn for $VPN"
                                start-stop-daemon --start --pidfile /var/run/openv
pn-$VPN.pid --startas /usr/sbin/openvpn -- --config $VPN/local.conf --writepid /va
r/run/openvpn-$VPN.pid --daemon --cd $VPN
                        eend $?
                else
                        ewarn "Expected $VPNDIR/$VPN to be a directory containing
a local.conf."
                fi
        done
}

stop() {
        cd $VPNDIR
        for VPN in *
        do
                if [ -e /var/run/openvpn-$VPN.pid ]; then
                        ebegin "Stoping openvpn for $VPN"
                                start-stop-daemon --oknodo --stop --pidfile /var/run/openvpn-$VPN.pid
                                rm /var/run/openvpn-$VPN.pid
                        eend 0
                else
                        ewarn "$VPN has no pidfile!"
                fi
        done
        return 0
}
Back to top
View user's profile Send private message
damed92
n00b
n00b


Joined: 10 Sep 2003
Posts: 11

PostPosted: Tue Nov 09, 2004 4:04 pm    Post subject: Reply with quote

Ugh. This could be difficult. Would it be possible to have both these functions in one local.conf file? What about if there are 2 conf files in the same directory, but with different names? There is no way I can change it to gentoo, as these boxes are the internet gateways for 2 locations that work 12 hour shifts, and I'm not going to get a chance to take them offline that long.
Back to top
View user's profile Send private message
cchee
Apprentice
Apprentice


Joined: 29 Jul 2003
Posts: 214
Location: NYC

PostPosted: Tue Nov 09, 2004 4:36 pm    Post subject: Reply with quote

damed92 wrote:
Ugh. This could be difficult. Would it be possible to have both these functions in one local.conf file? What about if there are 2 conf files in the same directory, but with different names? There is no way I can change it to gentoo, as these boxes are the internet gateways for 2 locations that work 12 hour shifts, and I'm not going to get a chance to take them offline that long.
You also need to consider the certificate and key files for different VPN link. So separate directories help to prevent confusion. You can use the above "script" and put it as /etc/init.d/openvpn. You may need to replace some gentoo specific function with something similar in the RedHat.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page 1, 2, 3, 4, 5  Next
Page 1 of 5

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum