SOHO : Small Office Home Office
Freeware - Opensource software tips, tricks, tweaks & fixes for managing, securing, improving the performance of SOHO Desktop, Laptop, Networks

Thursday, May 3, 2012

Install openvpn on ubuntu VPS in less than 10 minutes

Overview

If all that you want is just a openvpn server without the hassle of compiling, I recommend a debian / ubuntu system with a minimum of 64mb RAM. The below instructions would let you connect to your own openvpn (openvz VPS) server in less than 10 minutes.


Prerequisite

Before we install openvpn, check if tun/tap is enable for your vps:
cat /dev/net/tun 
In the above image "File descriptor in bad state"  means  tun/tap enabled. If not, contact your vps provider to activate tun/tap. Without tun/tap vpn connection cannot be established.

Installation

To install openvpn in a terminal enter:
sudo apt-get install openvpn


Server Certificates

Now that the openvpn package is installed, the certificates for the VPN server need to be created. 
First, copy the easy-rsa directory to /etc/openvpn. This will ensure that any changes to the scripts will not be lost when the package is updated. You will also need to adjust permissions in the easy-rsa directory to allow the current user permission to create files. From a terminal enter:

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R $USER /etc/openvpn/easy-rsa/
Next, edit /etc/openvpn/easy-rsa/vars adjusting the following to your environment:

export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL="steve@example.com"
Enter the following to create the server certificates:

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/


Client Certificates

The VPN client will also need a certificate to authenticate itself to the server. To create the certificate, enter the following in a terminal:

cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname
Replace hostname with the actual hostname of the machine connecting to the VPN.
Copy the following files to the client:

/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/hostname.crt
/etc/openvpn/easy-rsa/keys/hostname.key
/etc/openvpn/ta.key
Remember to adjust the above file names for your client machine's hostname.
It is best to use a secure method to copy the certificate and key files. The scp utility is a good choice, but copying the files to removable media then to the client, also works well.


Configuration

Server Configuration

Now configure the openvpn server by creating /etc/openvpn/server.conf from the example file. In a terminal enter:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
Edit /etc/openvpn/server.conf changing the following options to:

push "redirect-gateway defi by-pass-dhcp" ; uncomment this line
push "dhcp-option DNS 10.8.0.1"; add this line
script-security 3 ; add this line
push: are directives to add networking options for clients.

After configuring the server, restart openvpn by entering:
sudo /etc/init.d/openvpn restart


Network Configuration

This network configuration is for openvz virtualization only, This guide is not related to dedicated or xen server.


Edit  /etc/sysctl.conf file and uncomment the following line:
net.ipv4.ip_forward=1
We want the ipv4 forward to be persistent even on reboot:
sudo echo 1 > /proc/sys/net/ipv4/ip_forward


Firewall / iptables Configuration


Setup iptables to allow vpn connection
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 1.1.1.1
Replace 1.1.1.1 with the actual ip address.


Saving iptables

You may want to have your iptables saved everytime you reboot. You could add a line like this one in /etc/network/interfaces

pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules
The line "post-down iptables-save > /etc/iptables.rules" will save the rules to be used on the next boot.


Manage users

You may want to add multiple users to your vpn server with the command:

useradd username -s /bin/false
passwd username
You may want to delete a user with the command
userdel username 
Finally, restart openvpn:
sudo /etc/init.d/openvpn restart 
You should now be able to connect to the remote LAN through the VPN..


Client Configuration 

First, install openvpn on the client:
sudo apt-get install openvpn
Then with the server configured and the client certificates copied to the /etc/openvpn/ directory, create a client configuration file by copying the example. In a terminal on the client machine enter:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
Now edit /etc/openvpn/client.conf changing the following options:

remote vpn.example.com 1194
cert hostname.crt
key hostname.key
ca ca.crt
tls-auth ta.key 1
script-security 3
Replace vpn.example.com with the hostname of your VPN server, and hostname.* with the actual certificate and key filenames.


Windows Client Configuration 

  • Download and install openvpn-gui stable
  • copy client.conf file to c:\program files\openvpn\config\ rename client.conf to client.ovpn
  • copy ca.crt, hostname.crt, hostname.key, ta.key to c:\program files\openvpn\config\
  • Right click openvpn tray icon and connect




Sample server configuration

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
script-security 3

Sample client configuration


client
dev tun
proto udp
remote vps4.tidydns.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 3
ca ca.crt
cert vps4.tidydns.net.crt
key vps4.tidydns.net.key
ns-cert-type server
comp-lzo
verb 3

3 comments:

  1. Thanks so much for this post it made setting up on my VPS very easy however I am still having trouble using the Internet when connected to OpenVPN. I am able to connect ok and I get assigned the correct IP address however I am unable to use the internet/ping/tracert from my windows machine using the OpenVPN client I think it has to do this line of code but I am unsure how to fix it.

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 1.1.1.1

    *Note I have replaced 1.1.1.1 with the actual IP address of the VPS

    ReplyDelete
    Replies
    1. Hello James,

      Two point to check
      1. check your iptables rules [code : iptables -L ], iptables serves rules first cum first if there is a rule clash then it will not work.
      2. copy my server.conf and client.conf from the examples above and edit the hostname.

      The above works flawless with my machine.

      Delete
    2. Hello James,

      Also check these without which openvpn will not work

      Edit /etc/sysctl.conf file and uncomment the following line:
      net.ipv4.ip_forward=1

      We want the ipv4 forward to be persistent even on reboot:
      sudo echo 1 > /proc/sys/net/ipv4/ip_forward

      Delete