cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Wed Oct 06, 2004 1:44 am Post subject: OpenVPN 2.x TAP mini-HOWTO (linux 2 wifi-linux, wifi-xp)
Background
In my attempt to set up OpenVPN for my network, I searched through the forum and couldn't find much information on setting up OpenVPN 2.0 using TAP, especially sample configuration files. Most of the HOWTOs I found are related to TUN settings. The HOWTO from http://openvpn.sourceforge.net/ was helpful, but since I am a newbie to openvpn, it took me a while to figure out how to get things set up right. In the hope of speeding up the adoption of the openvpn 2.0 ebuild into the gentoo distribution (I love this distribution!!) and also of helping OpenVPN newbies (like me) save time, I have created this mini-HOWTO. Your constructive criticism/suggestions/feedback are most welcome, especially regarding network security related configuration.
Simplified Server/Client Environment
The system I used for setting up the OpenVPN server is Gentoo Linux with kernel 2.6.8-r3 (which is gentoo-dev-sources-2.6.8-r3). Later kernels can also be used; the newest one I have used is gentoo-sources-2.6.11-r11. Make sure the kernel has TAP/TUN compiled as a module or built in. If compiled as a module, make sure you have tun in your /etc/modules.autoload.d/kernel-2.6. The Linux server/client OpenSSL version is 0.9.7d-r1 or newer. For the Windows client, I used Windows XP with SP2 installed. This setup works regardless of whether you are using wireless or not. In my case, the Linux client is wired, and the Windows XP client is a wireless tablet PC.
OpenVPN server has external static IP in this setup.
Protected network: 10.2.0.0
Protected network DNS: 10.2.0.1 10.2.0.2
Protected network VPN server: 10.2.0.3
Protected network domain: homenetwork.local
Protected network is behind a separate hardware based firewall, e.g. Netscreen or Linksys Cable/DSL Wireless Router
The OpenVPN server resides inside the protected network, with UDP port 5000 forwarded at the firewall from outside (Internet) to the OpenVPN server.
OpenVPN virtual network: 10.1.0.0
OpenVPN virtual network server IP: 10.1.0.1 (in this example, I named it gateway)
OpenVPN virtual network client IP range: 10.1.0.2 - 10.1.0.10
OpenVPN client can be anywhere in the Internet or other remote LAN (via wireless or wired) with access to the Internet.
Unlike the typical TUN setup, with this setup you won't need to manually assign virtual IP addresses to server/client. All client virtual IPs are assigned by the server using the virtual IP range specified in the server configuration (parameter ifconfig-pool). Route table entries for virtual clients can be managed from the OpenVPN server configuration (under the parameter push "xxxx"). In addition, no ethernet bridging setup is needed in this setup. IMHO, this really makes the system/network administrator's life a lot easier.
Downloads
Update: You can use 2.0 rc6 or newer (the latest is the official version 2.0) instead. The differences are in some of the parameter values in the configuration file (sectioned out for you in the later instructions).
VPN Server/Client (Gentoo Linux, of course) - OpenVPN 2.0 ebuild [already in latest portage as stable].
Windows XP Client: http://openvpn.net/download.html
For Mac OS X installation, please go to http://openvpn2.darwinports.com, http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
There are a few OpenVPN GUIs available; depending on which one you like, you can just google them. Here are a few links I found.
Windows XP OpenVPN GUI: http://www.ipact.com/~huttinger/bb/download.php?id=7, http://www.nilings.se/openvpn/download.html, http://openvpn.se/
Mac OS X OpenVPN GUI: http://mac.softpedia.com/get/Network-Admin/OpenVPN-GUI.shtml
Linux OpenVPN GUI: http://sourceforge.net/projects/openvpnadmin/, http://govpn.clubnix.net/
Installation
Linux VPN Server/Client
These steps are only needed if openvpn 2.0 is not yet official in portage.
Code:
vi /etc/make.conf # to uncomment PORTDIR_OVERLAY
mkdir -p /usr/local/portage/net-misc/openvpn
cp ~/openvpn-2.0.ebuild /usr/local/portage/net-misc/openvpn # assuming you downloaded the ebuild into your current user (root) directory
cd /usr/local/portage/net-misc/openvpn
ebuild openvpn-2.0.ebuild digest
Before openvpn 2.0 becomes official in portage
Code:
ACCEPT_KEYWORDS="~x86" USE="pthreads ssl" emerge -v openvpn # You want to enable pthread for speed
After openvpn 2.0 becomes official in portage
Code:
USE="examples threads ssl" emerge -v openvpn # You want to enable threads for speed
Before openvpn 2.0 becomes official in portage
Code:
mkdir -p /etc/openvpn/gateway # you can replace gateway with whatever directory name you want to use
cd # go back to your root home directory
gzip -d < /usr/portage/distfiles/openvpn-2.0.tar.gz | ( cd /root; tar xvfo - )
cd /root/openvpn-2.0
mv easy-rsa ~/
rm -rf /root/openvpn-2.0
rc-update add openvpn default
vi /etc/conf.d/local.start # to add echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/conf.d/local.stop # to add echo 0 > /proc/sys/net/ipv4/ip_forward
rc-update add local default
After openvpn 2.0 becomes official in portage
Code:
mkdir -p /etc/openvpn/gateway
cd # go back to your root home directory
# easy-rsa is available under /usr/share/openvpn/easy-rsa
rc-update add openvpn default
vi /etc/conf.d/local.start # to add echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/conf.d/local.stop # to add echo 0 > /proc/sys/net/ipv4/ip_forward
rc-update add local default
Windows XP Client
I had the latest SP from Microsoft installed before I started.
Install openvpn-2.0-install.exe
Install OpenVPN GUI [optional]
Configuration
OpenVPN server configuration file (/etc/openvpn/gateway/local.conf)
Code:
port 1194 # or any other port you want to use
dev tap
tls-server
cd /etc/openvpn/gateway
ca ca.crt
cert gateway.crt
key gateway.key
dh dh2048.pem
tls-auth ta.key 0
mode server
duplicate-cn
ifconfig 10.1.0.1 255.255.255.0 # openvpn gateway
ifconfig-pool 10.1.0.2 10.1.0.11 255.255.255.0 # ip range for openvpn client
push "dhcp-option DNS 10.2.0.1" # push DNS entries to openvpn client
push "dhcp-option DNS 10.2.0.2"
push "route-gateway 10.1.0.1" # push default gateway
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 10.2.0.0 255.255.255.0 10.1.0.1" # add route to protected network
push "route 10.1.0.0 255.255.255.0 10.1.0.1"
comp-lzo
status openvpn-status.log
verb 4
NOTE: If you are using openvpn 2.1 (not yet in the official portage, hopefully soon), you can add the following line to do port sharing. It basically tells openvpn to listen on port 443; if the traffic is openvpn traffic, process it, otherwise forward it to ssl_webserver.mycompany.com to be processed as https traffic. One great thing about this is that you have one less hole in your firewall.
Code:
port-share ssl_webserver.mycompany.com 443
OpenVPN Linux client configuration (/etc/openvpn/client/local.conf)
Code:
port 1194 # or any other port you want to use
dev tap
remote w.x.y.z # w.x.y.z is external IP of the OpenVPN server
tls-client
cd /etc/openvpn/client
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
Symbolically link the configuration files for Gentoo Linux (server/client) [NEW with the official openvpn 2.0 ebuild]
Code:
cd /etc/openvpn
# For each sub-directory, create a symbolic link to its local.conf in the current directory, since the new init script
# no longer scans sub-directories; instead it looks for .conf files here. With the sample environment defined above, we have:
ln -s gateway/local.conf gateway.conf
Windows XP client configuration (My Document\client.ovpn)
Code:
port 1194 # or any other port you want to use
dev tap
remote w.x.y.z # w.x.y.z is external IP of the OpenVPN server
tls-client
ca ca.crt
cert client.crt
key client-key.txt
tls-auth ta-key.txt 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
To generate the ta.key (or ta-key.txt), I use the following command (recommended by the HOWTO from OpenVPN) on Linux:
Code:
openvpn --genkey --secret ta.key
or
Code:
openvpn --genkey --secret ta-key.txt
Then I basically copy this file to the server and all client machines via a secure channel.
To generate the server certificate and key file for /etc/openvpn/gateway, I basically follow the instructions provided by the easy-rsa README file. Make sure you specify that the purpose of the certificate is Web Server when you submit the CSR for your server.
Code:
cd /root/easy-rsa
vi vars # update the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to appropriate values
. vars
./clean-all
./build-dh # to generate the dh2048.pem needed by the server configuration
cp /root/openvpn/dh2048.pem /etc/openvpn/gateway
./clean-all
./build-req gateway
cp /root/openvpn/gateway.key /etc/openvpn/gateway
# Send the /root/openvpn/gateway.csr to your CA authority, once it is
# signed by CA authority, they will send you the certificate. Save this
# certificate as gateway.crt under /etc/openvpn/gateway.
To generate the client certificate and key file for /etc/openvpn/client, it will be similar to the server, except that the purpose for your client CSR is User instead of Web Server. Otherwise, you may run into an "unroutable" problem. Well, at least that was the case for me.
Code:
# repeat these steps for each OpenVPN client
# BEGIN
./clean-all
./build-req client
# Copy /root/openvpn/client.key to /etc/openvpn/client on your OpenVPN
# Linux client via SECURE channel
# For Windows XP, I just save the configuration, certificate and key files
# under My Document folder
# Send the certificate sign request to your CA authority.
# END
# Your CA authority should have a CA certificate which you will save
# under /etc/openvpn/gateway (for server), /etc/openvpn/client (for
# Linux client) and My Document folder for Windows XP client as ca.crt
# in our example. Make sure you use SECURE channel to transfer these
# files.
To verify the server certificate is valid, you can use the following:
Code:
openssl verify -CAfile ca.crt -purpose sslserver gateway.crt
To verify the client certificate(s) is (are) valid, you can use the following:
Code:
openssl verify -CAfile ca.crt -purpose sslclient client.crt
**You also need to make sure your firewall has UDP port 1194 (or whatever port you have specified in your server configuration) open for your OpenVPN server. In addition, depending on what firewall you are using, you may need to make sure network traffic is allowed into your protected network for your OpenVPN client IP range. Since we are not using an ethernet bridge, you will need to add a route on your protected LAN gateway to tell all machines in the protected LAN to forward packets to your VPN server when the requester IP belongs to the VPN LAN.
Once you have all the configuration files in place, do the following on the server or Linux client.
Code:
/etc/init.d/openvpn start
For Windows XP, start OpenVPN GUI and then load the configuration file client.ovpn under My Document.
Testing
Start up the client side and then ping one of the servers in the protected network (10.2.0.0). If you can ping, then you are connected and your packets are routed correctly.
Finishing Touch
After you have verified the network connectivity is all well, if you are using the Windows client, you will want to make OpenVPN start automatically as a service instead of starting it manually each time you log in. To do that, just follow the instructions under the section Running OpenVPN as a Windows Service in the INSTALL-Win32 provided at http://openvpn.sourceforge.net/INSTALL-win32.html **Make sure you have all your config files, certificates and keys moved to the <openvpn installed directory>/config directory if they are not already there.
Last edited by cchee on Tue Apr 03, 2007 3:22 pm; edited 27 times in total
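The following script is an added example, not part of cchee's HOWTO: given a server config and a client config like the two above, it reports the settings that must agree between them (dev, port, comp-lzo on both sides or neither, tls-auth on both sides with key direction 0 on the server and 1 on the client, which is the convention this HOWTO uses). The two file paths are its only input.

```shell
#!/bin/sh
# Added example, not part of cchee's HOWTO: compare an OpenVPN server config
# with a client config on the options that must agree between the two sides.
# A mismatch in any of them shows up on the server only as a cryptic log line
# (comp-lzo on one side: "Bad LZO decompression header byte"; tls-auth on one
# side or with equal key directions: "cannot locate HMAC in incoming packet").
# Usage: sh check-openvpn-pair.sh /etc/openvpn/gateway/local.conf client.ovpn

# has FILE OPTION: true when OPTION appears as a directive (comments ignored)
has() {
    sed 's/[[:space:]]*#.*//' "$1" | grep -qE "^[[:space:]]*$2([[:space:]]|\$)"
}

# val FILE OPTION: last argument of the first OPTION line, e.g. the key
# direction of "tls-auth ta.key 0" or the device of "dev tap"
val() {
    sed 's/[[:space:]]*#.*//' "$1" | awk -v n="$2" '$1 == n { print $NF; exit }'
}

problems=0
fail() {
    echo "MISMATCH: $1"
    problems=$((problems + 1))
}

# check_configs SERVER CLIENT: prints every mismatch, returns their number
check_configs() {
    s=$1; c=$2; problems=0

    sdev=$(val "$s" dev); cdev=$(val "$c" dev)
    [ "$sdev" = "$cdev" ] || fail "dev: server '$sdev', client '$cdev'"

    sport=$(val "$s" port); cport=$(val "$c" port)
    [ "$sport" = "$cport" ] || fail "port: server '$sport', client '$cport'"

    # comp-lzo is all-or-nothing: both sides or neither
    if has "$s" comp-lzo && ! has "$c" comp-lzo; then
        fail "comp-lzo on server only (client packets arrive uncompressed)"
    elif has "$c" comp-lzo && ! has "$s" comp-lzo; then
        fail "comp-lzo on client only"
    fi

    # tls-auth: both sides or neither, and this HOWTO's convention of key
    # direction 0 on the server and 1 on the client
    if has "$s" tls-auth || has "$c" tls-auth; then
        if ! has "$s" tls-auth || ! has "$c" tls-auth; then
            fail "tls-auth on one side only"
        else
            sdir=$(val "$s" tls-auth); cdir=$(val "$c" tls-auth)
            [ "$sdir" = 0 ] && [ "$cdir" = 1 ] ||
                fail "tls-auth key direction: expected server 0 / client 1, got $sdir / $cdir"
        fi
    fi
    return $problems
}

# Run as a command with two config files; without arguments this file only
# defines the functions above.
if [ $# -eq 2 ]; then
    if check_configs "$1" "$2"; then
        echo "OK: no mismatches"
    fi
    exit $problems
fi
```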
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Thu Oct 07, 2004 8:03 pm Post subject:
Troubleshooting
Q: I am getting the following error when I start up openvpn (version 2.0.2)
Code:
* Starting openvpn for server ... [ !! ]
A: The /etc/init.d/openvpn for version 2.0.2 uses the --cd option on line 43
Code:
--daemon --cd "${VPNDIR}"
replace that line with
and make sure your /etc/openvpn/gateway/local.conf (using the above example) has
Code:
cd /etc/openvpn/gateway
That should fix your problem. For details on how to modify /etc/init.d/openvpn to accommodate a multiple OpenVPN connection setup, check the bug attachment at https://bugs.gentoo.org/show_bug.cgi?id=109363
Q: I keep getting the following error on the server log when my client connects. What's wrong?
Code:
Oct 7 15:48:25 gateway openvpn[17954]: Administrator/www.xxx.yyy.zz:3510 Bad LZO decompression header byte: 40
Oct 7 15:48:27 gateway openvpn[17954]: Administrator/www.xxx.yyy.zzz:3510 Bad LZO decompression header byte: 255
Oct 7 15:48:28 gateway openvpn[17954]: Administrator/www.xxx.yyy.zzz:3510 Bad LZO decompression header byte: 255
Oct 7 15:48:29 gateway openvpn[17954]: Administrator/www.xxx.yyy.zzz:3510 Bad LZO decompression header byte: 255
Oct 7 15:48:29 gateway openvpn[17954]: Administrator/www.xxx.yyy.zzz:3510 Bad LZO decompression header byte: 40
where www.xxx.yyy.zzz is the IP address of the client
A: Check the comp-lzo setting on both server and client configuration. Most likely your client doesn't have comp-lzo while your server expected it.
Q: I keep getting the following error on the server log when my client connects. What's wrong?
Code:
Oct 7 15:56:24 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
Oct 7 15:56:26 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
Oct 7 15:56:29 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
Oct 7 15:56:31 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
Oct 7 15:56:33 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
Oct 7 15:56:35 gateway openvpn[17954]: TLS Error: cannot locate HMAC in incoming packet from www.xxx.yyy.zzz:1073
where www.xxx.yyy.zzz is the IP address of the client
A: Make sure both server and client configuration files have "tls-auth ta.key #" either enabled or disabled. Plus you want to make sure the server has 0 for # while the client has 1 for #. You can't have one enabled while the other disabled.
Q: I keep getting the following error on the server log when my client connects. What's wrong?
Code:
Oct 7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /emailAddress=cchee@xxxxxx.yyyyy.zzz/C=US/ST=NY/L=NOWHERE/O=NOORG/OU=NODEPT/CN=Nobody
Oct 7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Oct 7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS Error: TLS object -> incoming plaintext read error
Oct 7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS Error: TLS handshake failed
Oct 7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS Error: Unroutable control packet received from www.xxx.yyy.zzz:1042 (si=3 op=P_CONTROL_V1)
Oct 7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS Error: Unroutable control packet received from www.xxx.yyy.zzz:1042 (si=3 op=P_CONTROL_V1)
Oct 7 16:10:52 gateway openvpn[17954]: www.xxx.yyy.zzz:1042 TLS Error: Unroutable control packet received from www.xxx.yyy.zzz:1042 (si=3 op=P_CONTROL_V1)
where www.xxx.yyy.zzz is the IP address of the client
A: Check your client side SSL/TLS certificate. If you are using the server type of certificate for the client, you will get this error. To verify your certificate, type:
Code:
openssl verify -CAfile ca.crt -purpose sslclient mycert.crt
It should return OK status without any error at all.
Q: All clients connect with the same virtual IP even though I have specified ifconfig-pool in my OpenVPN server configuration. What do I do?
A: Check your client side certificates to make sure you have the correct setup. If the same client wants to use the same certificate for multiple connections, then try to add the following to your server configuration if that fits your need. Then restart your OpenVPN service on the server and try to connect to it again. In general, this is NOT recommended since it makes session tracking harder to pinpoint a particular client side certificate during a security audit.
Q:VPN client connected to the VPN server ok, but it can't access any other nodes in the protected network. What do I do?
A: There are two options.
1) In your default gateway, you need to add the route to your protected LAN with the VPN server as the gateway. Using the sample environment above, you will need to add the following route.
Code:
route add -net 10.1.0.0 netmask 255.255.255.240 gw 10.2.0.3
Note: Why is the netmask 255.255.255.240? Because our VPN client IP range is 0 - 10, the netmask is given as 255.255.255.240 (which gives us 16 entries [0-15]). A power of 2 is always more efficient for routers.
2) Use ethernet bridge.
Q: How do I put an access control list to define who can gain access to my VPN?
A: Using the learn-address directive and a shell script, you can easily manage your access control list via a text file. With the sample environment defined above, you will add the following line to your OpenVPN local.conf:
Code:
learn-address /etc/openvpn/gateway/access-control.sh
And the shell script /etc/openvpn/gateway/access-control.sh:
Code:
#!/bin/bash
# OpenVPN calls this with $1 = add|update|delete, $2 = address, $3 = common name
case $1 in
delete)
    exit 0
    ;;
*)
    # -x matches the whole line, -F takes the CN literally (no regex metacharacters)
    whologin=$(grep -xF -- "$3" /etc/openvpn/gateway/access-control.txt)
    if [ -z "${whologin}" ]; then
        exit 1
    else
        exit 0
    fi
    ;;
esac
The format of the access control list file (text) is simply one CN per line:
Note: With openvpn 2.0 rc6, your access control list file (text) will have the dots replaced with white space, as below:
Note: With openvpn 2.0 rc17, your access control list file (text) will have the dots replaced with underscores, as below:
Q: After I emerge from the official OpenVPN ebuild in gentoo, my setup broke, can't start openvpn server. What's up?
A: The issue lies within the /etc/init.d/openvpn. The official init script for openvpn in Gentoo has changed slightly. It is expecting the config file to be within the /etc/openvpn not /etc/openvpn/gateway (given the sample environment described in the first post of this topic). So to workaround this, you will need to do two things:
Code:
cd /etc/openvpn; ln -s /etc/openvpn/gateway/local.conf gateway.conf
And then, if your local.conf doesn't have cd /etc/openvpn/gateway, you will need to add that before any config file loading directive.
Code:
cd /etc/openvpn/gateway
ca ca.crt
Or, if you enjoy typing, you can use absolute paths for all file references in the config file. For example,
Code:
ca /etc/openvpn/gateway/ca.crt
Last edited by cchee on Sat Oct 15, 2005 2:26 pm; edited 15 times in total
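An added example, not cchee's access-control.sh, of a learn-address hook that fails closed: it matches the whole CN exactly (so lap does not match laptop), ignores comment and blank lines in the ACL file, logs every refusal, and applies the dot-to-underscore mapping the rc17 note above describes, so the ACL may be written either way. It assumes the ACL path from the post; OPENVPN_ACL_FILE is a made-up override so the functions can be exercised on a scratch copy.

```shell
#!/bin/sh
# Added example, not cchee's access-control.sh: a learn-address hook that
# permits a client only when its certificate CN is listed in the ACL file.
# OpenVPN 2.0 runs it as:   script add|update <address> <common name>
#                           script delete <address>
# and rejects the address when the script exits non-zero.
# Assumptions: the ACL path from the post (overridable through the made-up
# OPENVPN_ACL_FILE variable so the functions can be exercised on a copy), and
# the 2.0 rc17 behaviour noted above that dots in the CN arrive as underscores.

ACL_FILE="${OPENVPN_ACL_FILE:-/etc/openvpn/gateway/access-control.txt}"

# normalize_cn NAME: apply the same dot-to-underscore mapping OpenVPN applies,
# so the ACL file may list either "cchee.tablet" or "cchee_tablet"
normalize_cn() {
    printf '%s' "$1" | tr '.' '_'
}

# log_deny REASON ADDR CN: record the refusal where the admin will see it
# (syslog via logger when available, stderr otherwise)
log_deny() {
    msg="learn-address denied: $1 (addr=$2 cn='$3')"
    logger -t openvpn-acl "$msg" 2>/dev/null || echo "$msg" >&2
}

# acl_check OP ADDR [CN]: returns 0 to permit, 1 to deny
acl_check() {
    op=$1; addr=$2; cn=${3:-}
    case $op in
        delete) return 0 ;;          # forgetting an address needs no decision
        add|update) ;;
        *) log_deny "unknown operation '$op'" "$addr" "$cn"; return 1 ;;
    esac
    # fail closed: no readable ACL file, or no CN, means no access
    if [ ! -r "$ACL_FILE" ]; then
        log_deny "ACL file $ACL_FILE unreadable" "$addr" "$cn"; return 1
    fi
    if [ -z "$cn" ]; then
        log_deny "empty common name" "$addr" "$cn"; return 1
    fi
    want=$(normalize_cn "$cn")
    # Comments and blank lines are ignored; -x forces a whole-line match so
    # "lap" does not match "laptop", -F keeps CN characters literal.
    if grep -v '^[[:space:]]*#' "$ACL_FILE" | tr '.' '_' | grep -qxF -- "$want"; then
        return 0
    fi
    log_deny "CN not in ACL" "$addr" "$cn"
    return 1
}

# When OpenVPN invokes the script it passes arguments; without any, this file
# only defines the functions above.
if [ $# -ge 2 ]; then
    acl_check "$@"
    exit $?
fi
```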
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Sat Oct 09, 2004 11:09 pm Post subject: DNS lookup for OpenVPN client (Linux only)
For those who have Linux as their OpenVPN client, if they want to have the DNS lookup working properly, they will need to add the following to their Linux client configuration (using the above example environment):
Code:
up /etc/openvpn/client/client.up
down /etc/openvpn/client/client.down
where client.up is a shell script with the following content:
Code:
sed -i \
-e '1,1 i nameserver 10.2.0.1' \
-e '1,1 i nameserver 10.2.0.2' \
-e '1,1 i search homenetwork.local.' /etc/resolv.conf
and client.down is another shell script with the following content:
Code:
sed -i \
-e '/nameserver 10.2.0/d' \
-e '/search homenetwork.local/d' /etc/resolv.conf
Make sure you have
Code:
chmod 755 client.up client.down
and have these scripts under the same directory as the configuration file. Note: An absolute path is needed for client.up in the OpenVPN configuration file in order for the up command to work. At least that is the case for my environment.
Last edited by cchee on Sat Oct 16, 2004 2:04 am; edited 2 times in total
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Mon Oct 11, 2004 1:16 pm Post subject: Sign your own certificate with your own CA using EASY-RSA
Create your own CA
Easy-RSA comes with OpenVPN. Creating your own CA is very easy; just update the vars file accordingly. Then do:
Code:
. vars
./clean-all
./build-ca
You will have the ca.crt and ca.key generated under the KEY_DIR defined in vars.
Create certificate request
You will have the laptop.csr and laptop.key generated under the KEY_DIR defined in vars.
Sign your CSR request(s)
After you have created the CSR for your OpenVPN client (for example, a client named laptop), and you have already generated the CA (as described above) and the CSR for laptop is under KEY_DIR, you will do:
You will have the laptop.crt generated under the KEY_DIR defined in vars.
Last edited by cchee on Sat Nov 06, 2004 7:14 pm; edited 1 time in total
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Thu Oct 14, 2004 7:29 pm Post subject: Security Configuration Enhancements
Thanks to Vlada Macek in the OpenVPN newsgroup for this great suggestion. To have my openvpn server check against the CRL on my CA server, I did the following:
Add
Code:
crl-verify /etc/openvpn/gateway/ca.crl
to my local.conf on my OpenVPN server (using the example environment above).
Create the following cronjob script, named crl-update.cron, under /etc/openvpn/gateway:
Code:
#!/bin/sh
/usr/bin/wget -q http://myca.mynetwork.local/CertEnroll/CA%20Root.crl -O /etc/openvpn/gateway/new-ca.crl
/usr/bin/openssl crl -inform DER -outform PEM -in /etc/openvpn/gateway/new-ca.crl -out /etc/openvpn/gateway/ca.crl
chmod 600 /etc/openvpn/gateway/ca.crl
This cronjob script basically retrieves the CA Root CRL from the CA server (MS Windows Server) in my network using wget. Then I use openssl crl to convert the CRL from DER format to PEM format. The wget -q option mutes any standard output from wget.
Lastly, I create a symbolic link:
Code:
ln -s /etc/openvpn/gateway/crl-update.cron .
where . is /etc/cron.hourly, to have this cronjob run every hour.
Last edited by cchee on Sat Oct 16, 2004 2:04 am; edited 1 time in total
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Sat Oct 16, 2004 2:04 am Post subject: Re: DNS lookup for OpenVPN client (Linux only)
cchee wrote: | For those who have Linux as their OpenVPN client, if they want to have the DNS lookup working properly, they will need to add the following to their Linux client configuration (using the above example environment): Code: | up /etc/openvpn/client/client.up
down /etc/openvpn/client/client.down |
where client.up is a shell script with the following content: Code: | sed -i \
-e '1,1 i nameserver 10.2.0.1' \
-e '1,1 i nameserver 10.2.0.2' \
-e '1,1 i search homenetwork.local.' /etc/resolv.conf
| and client.down is another shell script with the following content: Code: | sed -i \
-e '/nameserver 10.2.0/d' \
-e '/search homenetwork.local/d' /etc/resolv.conf
|
Make sure you have Code: | chmod 755 client.up client.down | and have these scripts under the same directory as the configuration file. Note: An absolute path is needed for client.up in the OpenVPN configuration file in order for the up command to work. At least that is the case for my environment. |
Thanks to James Yonan for the hints on the environment variables set by OpenVPN before the up/down commands are invoked. To make the above scripts even more system admin friendly, we replace client.up.
With openvpn 2.0 beta11:
Code:
domain=`echo ${foreign_option_1} | sed -e 's/dhcp-option\.DOMAIN\.//g'`
dns1=`echo ${foreign_option_2} | sed -e 's/dhcp-option\.DNS\.//g'`
dns2=`echo ${foreign_option_3} | sed -e 's/dhcp-option\.DNS\.//g'`
sed -i \
-e "1,1 i nameserver ${dns1}" \
-e "1,1 i nameserver ${dns2}" \
-e "1,1 i search ${domain}." /etc/resolv.conf
With openvpn 2.0 rc6 to latest 2.0 stable:
Code:
domain=`echo ${foreign_option_1} | sed -e 's/dhcp-option DOMAIN //g'`
dns1=`echo ${foreign_option_2} | sed -e 's/dhcp-option DNS //g'`
dns2=`echo ${foreign_option_3} | sed -e 's/dhcp-option DNS //g'`
sed -i \
-e "1,1 i nameserver ${dns1}" \
-e "1,1 i nameserver ${dns2}" \
-e "1,1 i search ${domain}." /etc/resolv.conf
And then replace the client.down.
With openvpn 2.0 beta11:
Code:
domain=`echo ${foreign_option_1} | sed -e 's/dhcp-option\.DOMAIN\.//g'`
dns1=`echo ${foreign_option_2} | sed -e 's/dhcp-option\.DNS\.//g'`
dns2=`echo ${foreign_option_3} | sed -e 's/dhcp-option\.DNS\.//g'`
sed -i \
-e "/nameserver ${dns1}/d" \
-e "/nameserver ${dns2}/d" \
-e "/search ${domain}./d" /etc/resolv.conf
With openvpn 2.0 rc6 to latest 2.0 stable:
Code:
domain=`echo ${foreign_option_1} | sed -e 's/dhcp-option DOMAIN //g'`
dns1=`echo ${foreign_option_2} | sed -e 's/dhcp-option DNS //g'`
dns2=`echo ${foreign_option_3} | sed -e 's/dhcp-option DNS //g'`
sed -i \
-e "/nameserver ${dns1}/d" \
-e "/nameserver ${dns2}/d" \
-e "/search ${domain}./d" /etc/resolv.conf
This way, when you (as the system admin) need to change the domain or DNS IPs, you don't need to change all the Linux clients' client.up and client.down scripts manually; all you need to do is update the domain and DNS IPs in the server local.conf and it will automagically prepend the correct domain and DNS IPs to the clients' /etc/resolv.conf file.
If none of the above helps, go to http://news.gmane.org/gmane.network.openvpn.user and browse through the mailing list archive. A great resource for information!
Last edited by cchee on Fri Apr 29, 2005 4:34 am; edited 2 times in total
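As an added example (not cchee's client.up/client.down), one script serving both hooks that walks foreign_option_1, foreign_option_2, ... and handles any number of DNS and DOMAIN options in any order; this matters because the server config in the first post pushes two DNS options and no DOMAIN, so a script that assumes foreign_option_1 is the domain would mis-assign them. It accepts both the rc6-and-later and the beta11 spellings shown above; script_type (set by OpenVPN to up or down before the hook runs) selects the action, and RESOLV_CONF is a made-up override of /etc/resolv.conf for testing.

```shell
#!/bin/sh
# Added example, not cchee's client.up/client.down: one script for both the
# "up" and "down" hooks that reads every pushed dhcp-option, in any order and
# any number, instead of assuming foreign_option_1 is the domain and _2/_3
# the two nameservers. Configure it as:
#     up   /etc/openvpn/client/resolv-push.sh
#     down /etc/openvpn/client/resolv-push.sh
# Assumptions: script_type (set by OpenVPN to "up" or "down" before the hook
# runs) picks the action, and RESOLV_CONF is a made-up override of
# /etc/resolv.conf so the functions can be exercised on a scratch file.

BEGIN_MARK='# BEGIN openvpn-pushed'
END_MARK='# END openvpn-pushed'

# pushed_resolv_lines: one resolv.conf line per pushed DNS/DOMAIN option,
# walking foreign_option_1, foreign_option_2, ... until the first unset one.
pushed_resolv_lines() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        # 2.0 beta11 spelled it "dhcp-option.DNS.10.2.0.1"; turn that into the
        # rc6-and-later form "dhcp-option DNS 10.2.0.1" (only those two dots,
        # so the address itself is untouched)
        opt=$(printf '%s' "$opt" | sed 's/^dhcp-option\.\([A-Z]*\)\./dhcp-option \1 /')
        set -- $opt
        case "${1:-} ${2:-}" in
            "dhcp-option DNS")    echo "nameserver ${3:-}" ;;
            "dhcp-option DOMAIN") echo "search ${3:-}" ;;
        esac
        i=$((i + 1))
    done
}

# strip_pushed FILE: FILE's contents without a block this script added earlier
strip_pushed() {
    [ -f "$1" ] && sed "/^$BEGIN_MARK\$/,/^$END_MARK\$/d" "$1"
    return 0
}

# resolv_up FILE: prepend the pushed lines, fenced by marker comments so that
# "down" (or a second "up" after a reconnect) removes exactly what was added
resolv_up() {
    f=$1; tmp="$f.openvpn.$$"
    {
        echo "$BEGIN_MARK"
        pushed_resolv_lines
        echo "$END_MARK"
        strip_pushed "$f"
    } > "$tmp" && mv "$tmp" "$f"
}

# resolv_down FILE: remove the block, leaving the original resolver settings
resolv_down() {
    f=$1; tmp="$f.openvpn.$$"
    strip_pushed "$f" > "$tmp" && mv "$tmp" "$f"
}

case "${script_type:-}" in
    up)   resolv_up   "${RESOLV_CONF:-/etc/resolv.conf}" ;;
    down) resolv_down "${RESOLV_CONF:-/etc/resolv.conf}" ;;
esac
```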
nyne n00b
Joined: 07 Oct 2004 Posts: 8 Location: New York
Posted: Sat Oct 16, 2004 8:47 pm Post subject:
If my ISP assigns a dynamic IP, should that cause any real problems with a setup like this (essentially for encryption/authentication of wireless nodes in a client/server type setup)?
I basically have a gentoo box (2.6) with eth1 grabbing an IP from my ISP via DHCP, and eth0 (192.168.0.0) being my private LAN, hooked to a wireless access point && 5 port 100mbit switch (befw11s4 linksys).
I'm running iptables, have openvpn installed, and tun/tap compiled into the kernel.. should I be okay with a configuration like this?
_________________
Fortune Favours the Brave.
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Sat Oct 16, 2004 10:00 pm Post subject:
nyne wrote: | If my ISP assigns a dynamic IP, should that cause any real problems with a setup like this (essentially for encryption/authentication of wireless nodes in a client/server type setup)?
I basically have a gentoo box (2.6) with eth1 grabbing an IP from my ISP via DHCP, and eth0 (192.168.0.0) being my private LAN, hooked to a wireless access point && 5 port 100mbit switch (befw11s4 linksys).
I'm running iptables, have openvpn installed, and tun/tap compiled into the kernel.. should I be okay with a configuration like this? | Are you trying to
a) access OpenVPN from your home network to an external static IP openvpn server? or
b) set up your home OpenVPN server so you can access it from outside (Internet)? or
c) set up OpenVPN between all your wireless nodes and your LAN server so you can "safely" surf the web via your wireless LAN?
nyne n00b
Joined: 07 Oct 2004 Posts: 8 Location: New York
Posted: Sat Oct 16, 2004 11:09 pm Post subject:
Essentially I am trying to (C) setup OpenVPN between all your wireless nodes and your LAN server so you can "safely" surf the web via your wireless LAN?
_________________
Fortune Favours the Brave.
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Mon Oct 18, 2004 3:51 am Post subject:
nyne wrote: | Essentially I am trying to (C) setup OpenVPN between all your wireless nodes and your LAN server so you can "safely" surf the web via your wireless LAN? | You need to "push" (from the OpenVPN server) the change of the default gateway for all your OpenVPN client wireless nodes to point to the OpenVPN server on your LAN instead of your wireless broadband router (linksys befw11s4). I haven't tested this type of setup myself since my setup is more of (A), but I can't think of any reason why you won't be able to do it.
lokelo Tux's lil' helper
Joined: 16 Dec 2002 Posts: 101 Location: Maryland, USA
Posted: Fri Oct 22, 2004 11:29 pm Post subject:
I'm not too familiar with the whole concept of getting my .csr signed. Who would I go to for that to be signed for my server? I see you have how to sign a client's csr file, but would that work for the main server? Is there a way that I can sign that csr myself?
Also, you mention specifying the purpose of the certificate. Does that get specified somewhere when you make the csr file, or when you actually get it signed?
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Sun Oct 24, 2004 1:17 am Post subject:
lokelo wrote: | I'm not too familiar with the whole concept of getting my .csr signed. Who would I go to for that to be signed for my server? I see you have how to sign a client's csr file, but would that work for the main server? Is there a way that I can sign that csr myself?
Also, you mention specifying the purpose of the certificate. Does that get specified somewhere when you make the csr file, or when you actually get it signed? | Check the README that comes with easy-rsa (which comes with the OpenVPN tarball). I used the Certificate Server that comes with MS Windows Server 2003. In there, when you request to sign a certificate request, they have User and Webserver (plus other) purposes. If you are self-signing using Easy RSA, you probably don't need to specify the purpose. Hope this helps.
voice0 n00b
Joined: 26 Oct 2004 Posts: 2
Posted: Tue Oct 26, 2004 8:37 pm Post subject: Can't find other clients in VPN
Hi cchee!
Today, I installed a VPN following your Mini-HOWTO. The VPN seems to work now. However, after connecting client C0 to the server, client C0 had the IP address 10.1.0.2 in the subnet 255.255.255.0, which seems to be correct. A ping from the client C0 to the server or from the server to the client C0 works, too. Everything seems to be fine so far.
After connecting client C1 to the server, the client C1 got the ip address 10.1.0.3 which seems to be fine, too. I tried to ping the server 10.1.0.1 and got a response. The server was able to ping 10.1.0.3, too. Seems to be fine.
The Problem:
Client C0 does not get a ping reply from client C1 nor does C1 get any response from C0, although both clients are able to connect and communicate with the server. The server does not report any errors in the log.
Any idea, why?
[edit]:
I have just added the client-to-client option to my server configuration file. Now, C1 can ping C0 but C0 is still not able to ping C1 O_o
Well, I guess it's a firewall problem, now.
[/edit]
[edit²]
It was a firewall problem and the client-to-client option really does make it work
[/edit]
Here's my server-configuration:
Code: |
port 5000
dev tap
tls-server
ca ca.crt
cert gateway.crt
key gateway.key
dh dh1024.pem
mode server
duplicate-cn
ifconfig 10.1.0.1 255.255.255.0
ifconfig-pool 10.1.0.2 10.1.0.11 255.255.255.0
push "dhcp-option DNS 10.2.0.1"
push "dhcp-option DNS 10.2.0.2"
push "route-gateway 10.1.0.1"
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 10.2.0.0 255.255.255.0 10.1.0.1"
push "route 10.1.0.0 255.255.255.0 10.1.0.1"
comp-lzo
status openvpn-status.log
verb 4
|
And this is my client configuration (both clients are using this configuration):
Code: |
remote w.x.y.z # I deleted the ip on purpose ;-)
port 5000
dev tap
tls-client
ca ca.crt
cert client.crt
key client.key
# tls-auth ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
|
nyne n00b
Joined: 07 Oct 2004 Posts: 8 Location: New York
Posted: Wed Oct 27, 2004 2:49 am Post subject: |
cchee wrote: | nyne wrote: | Essentially I am trying to (C) set up OpenVPN between all your wireless nodes and your LAN server so you can "safely" surf the web via your wireless LAN? | You need to "push" (from the OpenVPN server) the change of the default gateway for all your OpenVPN client wireless nodes to point to the OpenVPN server on your LAN instead of your wireless broadband router (linksys befw11s4). I haven't tested this type of setup myself since my setup is more of (A), but I can't think of any reason why you won't be able to do it. |
The wireless router is only being used as a wireless access point/wired switch. The DHCP server is sitting on my default gateway/iptables Gentoo box (which is connected directly to the cable modem). _________________ Fortune Favours the Brave. |
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Wed Oct 27, 2004 5:09 pm Post subject: |
lokelo wrote: | I'm not too familiar with the whole concept of getting my .csr signed. Who would I go to for that to be signed for my server? I see you have how to sign a client's csr file, but would that work for the main server? Is there a way that I can sign that csr myself?
Also, you mention to specify the purpose of the certificate. Does that get specified somewhere when you make the csr file? Or is it done when you actually get it signed? | Here is another link with good info related to certificates. http://www.oreillynet.com/pub/a/security/2004/10/21/vpns_and_pki.html |
lokelo Tux's lil' helper
Joined: 16 Dec 2002 Posts: 101 Location: Maryland, USA
Posted: Sun Oct 31, 2004 5:39 pm Post subject: can't get inside the remote network |
Ok, I have my setup working fairly OK now, but I'm still having a little problem. My client can ping the virtual address of the server, and the server can ping the virtual address of the client, but I can't ping anything past that, including the actual IP or any computers on the remote network. I've got my setup exactly as the HOWTO describes, except that my protected network is 192.168.1.0 and my virtual network is 192.168.2.0. Any help on this would be appreciated. |
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Fri Nov 05, 2004 5:42 pm Post subject: Re: can't get inside the remote network |
lokelo wrote: | Ok, I have my setup working fairly OK now, but I'm still having a little problem. My client can ping the virtual address of the server, and the server can ping the virtual address of the client, but I can't ping anything past that, including the actual IP or any computers on the remote network. I've got my setup exactly as the HOWTO describes, except that my protected network is 192.168.1.0 and my virtual network is 192.168.2.0. Any help on this would be appreciated. | Check the updated Troubleshooting section of this topic. |
damed92 n00b
Joined: 10 Sep 2003 Posts: 11
Posted: Tue Nov 09, 2004 2:27 pm Post subject: |
Firstly, thank you VERY much for this HOWTO. I have OpenVPN working well.
One question:
I have the server set up at Location 1 (L1). It accepts Windows client connections from the internet fine.
What I need to do now is set up Location 2 (L2) to connect to L1 and create a permanent VPN tunnel, so that clients at L1 can get to L2 and clients at L2 can get to L1. L2 currently has a Linux firewall set up. My plan is to set up this machine as a Linux client to the server at L1.
Basically, what I want to know:
Do I need to create a new conf file on the server using a different port for this connection, or can it use 5000? Keep in mind that I still want Windows clients from the net to get into L1.
Please advise, and thank you again. |
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Tue Nov 09, 2004 2:57 pm Post subject: |
damed92 wrote: | Firstly, thank you VERY much for this HOWTO. I have OpenVPN working well.
One question:
I have the server set up at Location 1 (L1). It accepts Windows client connections from the internet fine.
What I need to do now is set up Location 2 (L2) to connect to L1 and create a permanent VPN tunnel, so that clients at L1 can get to L2 and clients at L2 can get to L1. L2 currently has a Linux firewall set up. My plan is to set up this machine as a Linux client to the server at L1.
Basically, what I want to know:
Do I need to create a new conf file on the server using a different port for this connection, or can it use 5000? Keep in mind that I still want Windows clients from the net to get into L1.
Please advise, and thank you again. | The L2 VPN server will be one of the VPN clients to the L1 server at port 5000. The L1 VPN server will be one of the VPN clients to the L2 server at a port OTHER than 5000 (e.g. 6000). If you want L1 clients to be able to access L2, you may need to add in your local.conf on the L1 VPN server. In addition, you need to make sure you have proper routes in your routing table on both L1 and L2. |
damed92 n00b
Joined: 10 Sep 2003 Posts: 11
Posted: Tue Nov 09, 2004 3:24 pm Post subject: |
cchee wrote: | The L2 VPN server will be one of the VPN clients to the L1 server at port 5000. The L1 VPN server will be one of the VPN clients to the L2 server at a port OTHER than 5000 (e.g. 6000). If you want L1 clients to be able to access L2, you may need to add in your local.conf on the L1 VPN server. In addition, you need to make sure you have proper routes in your routing table on both L1 and L2. |
Ok, so let me see if I have this straight.
I have to add a second conf file to the directory on L1's server that makes a connection to L2's server (which I need to set up).
L2 needs to be installed in server mode as well, so it can accept a connection from L1 (at a different port than 5000). It will also be a client to the server at L1. So, basically, we are creating 2 VPN connections for this (in essence).
If I put both the server configuration (local.conf, as specified above) and the new client.conf (local.conf for clients, as seen above) in place, will the openvpn server at startup automatically read both conf files and create the appropriate connections? |
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Tue Nov 09, 2004 3:40 pm Post subject: |
damed92 wrote: | If I put both the server configuration (local.conf, as specified above) and the new client.conf (local.conf for clients, as seen above) in place, will the openvpn server at startup automatically read both conf files and create the appropriate connections? |
The openvpn startup script in Gentoo scans each sub-directory under /etc/openvpn and loads the local.conf accordingly. So in your setup, you will have /etc/openvpn/L1 and /etc/openvpn/L2 sub-directories. |
damed92 n00b
Joined: 10 Sep 2003 Posts: 11
Posted: Tue Nov 09, 2004 3:49 pm Post subject: |
cchee wrote: | damed92 wrote: | If I put both the server configuration (local.conf, as specified above) and the new client.conf (local.conf for clients, as seen above) in place, will the openvpn server at startup automatically read both conf files and create the appropriate connections? |
The openvpn startup script in Gentoo scans each sub-directory under /etc/openvpn and loads the local.conf accordingly. So in your setup, you will have /etc/openvpn/L1 and /etc/openvpn/L2 sub-directories. |
Unfortunately I am using Redhat on these boxes (not my choice). Can you possibly point me to the startup script so I can see if I can port it? |
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Tue Nov 09, 2004 3:54 pm Post subject: |
damed92 wrote: | Unfortunately I am using Redhat on these boxes (not my choice). Can you possibly point me to the startup script so I can see if I can port it? |
It could be more involved than you think, but this should give you a general idea. You may want to switch to Gentoo. Code: |
#!/sbin/runscript
VPNDIR="/etc/openvpn"
depend() {
    need net
}
# Some kernels expose the TUN device as /dev/misc/net/tun; repair a dangling /dev/net/tun symlink
checktundevice() {
    if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
        ebegin "Detected broken /dev/net/tun symlink, fixing..."
        rm /dev/net/tun
        ln -s /dev/misc/net/tun /dev/net/tun
        eend $?
    fi
}
start() {
    checktundevice || return 1
    cd "$VPNDIR" || return 1
    # One openvpn instance per sub-directory that contains a local.conf
    for VPN in *
    do
        if [ -d "$VPN" ] && [ -e "$VPN/local.conf" ]; then
            ebegin "Starting openvpn for $VPN"
            start-stop-daemon --start --pidfile "/var/run/openvpn-$VPN.pid" --startas /usr/sbin/openvpn -- --config "$VPN/local.conf" --writepid "/var/run/openvpn-$VPN.pid" --daemon --cd "$VPN"
            eend $?
        else
            ewarn "Expected $VPNDIR/$VPN to be a directory containing a local.conf."
        fi
    done
}
stop() {
    cd "$VPNDIR" || return 1
    for VPN in *
    do
        if [ -e "/var/run/openvpn-$VPN.pid" ]; then
            ebegin "Stopping openvpn for $VPN"
            start-stop-daemon --oknodo --stop --pidfile "/var/run/openvpn-$VPN.pid"
            rm "/var/run/openvpn-$VPN.pid"
            eend 0
        else
            ewarn "$VPN has no pidfile!"
        fi
    done
    return 0
}
|
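Since the question is how to port the Gentoo script to a RedHat box, here is the same per-directory loop rewritten in plain POSIX sh, with the Gentoo-only ebegin/eend/ewarn helpers replaced by echo. This is an added example, not cchee's script or the Gentoo ebuild's; it assumes openvpn lives at /usr/sbin/openvpn, pid files go under /var/run, and VPNDIR and instance names contain no spaces (the original script assumes the same).

```shell
#!/bin/sh
# Added example, not the Gentoo init script: the per-directory scan of
# /etc/openvpn in plain POSIX sh, so it can be dropped into a RedHat-style
# /etc/init.d/openvpn. Assumed: openvpn at /usr/sbin/openvpn, pid files
# under /var/run, no spaces in VPNDIR or instance names (as in the original).
VPNDIR="${VPNDIR:-/etc/openvpn}"
OPENVPN="${OPENVPN:-/usr/sbin/openvpn}"

# Print the names of the sub-directories of $1 that hold a local.conf,
# one per line; directories without one are skipped, as in the original.
list_vpn_instances() {
    for vpn in "$1"/*; do
        [ -d "$vpn" ] && [ -e "$vpn/local.conf" ] || continue
        basename "$vpn"
    done
}

# Arguments for one instance ($1): absolute paths, so it does not matter
# whether openvpn applies --cd before or after it opens --config.
openvpn_args() {
    echo "--config $VPNDIR/$1/local.conf --writepid /var/run/openvpn-$1.pid --daemon --cd $VPNDIR/$1"
}

start_instance() {
    echo "Starting openvpn for $1"
    # unquoted on purpose: split the argument string into separate words
    "$OPENVPN" $(openvpn_args "$1")
}

stop_instance() {
    pidfile="/var/run/openvpn-$1.pid"
    if [ ! -e "$pidfile" ]; then
        echo "$1 has no pidfile!" >&2
        return 1
    fi
    echo "Stopping openvpn for $1"
    kill "$(cat "$pidfile")" && rm -f "$pidfile"
}

# Call these from the init script's start/stop cases.
start_all() {
    for name in $(list_vpn_instances "$VPNDIR"); do start_instance "$name"; done
}

stop_all() {
    for name in $(list_vpn_instances "$VPNDIR"); do stop_instance "$name" || true; done
}
```

With /etc/openvpn/L1/local.conf and /etc/openvpn/L2/local.conf in place, start_all launches one openvpn process per directory, which is what keeps the two links' certificates and keys apart.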
damed92 n00b
Joined: 10 Sep 2003 Posts: 11
Posted: Tue Nov 09, 2004 4:04 pm Post subject: |
Ugh. This could be difficult. Would it be possible to have both these functions in one local.conf file? What about if there are 2 conf files in the same directory, but with different names? There is no way I can change it to Gentoo, as these boxes are the internet gateways for 2 locations that work 12 hour shifts, and I'm not going to get a chance to take them offline that long. |
cchee Apprentice
Joined: 29 Jul 2003 Posts: 214 Location: NYC
Posted: Tue Nov 09, 2004 4:36 pm Post subject: |
damed92 wrote: | Ugh. This could be difficult. Would it be possible to have both these functions in one local.conf file? What about if there are 2 conf files in the same directory, but with different names? There is no way I can change it to Gentoo, as these boxes are the internet gateways for 2 locations that work 12 hour shifts, and I'm not going to get a chance to take them offline that long. | You also need to consider the certificate and key files for the different VPN links. So separate directories help to prevent confusion. You can use the above "script" and put it in as /etc/init.d/openvpn. You may need to replace some Gentoo-specific functions with something similar in RedHat. |