Adding a machine to OpenVPN

From Seamonster


Overview

Installation

Get Packages

On a Debian-style Linux distribution you can install the OpenVPN packages with the following commands:

 sudo aptitude update
 sudo aptitude install openvpn

For an OpenWRT-style host you can use ipkg:

  ipkg update
  ipkg install openvpn

For a Windows machine, download the latest OpenVPN installer with GUI:

http://openvpn.net/index.php/downloads.html

Double-click to install.

For Macs, grab http://www.tunnelblick.net/

Configure the Client

For a Linux machine, create a directory called /etc/openvpn on the client if installing the package did not already create it. In this directory create a text file called client.conf.

For Windows, look in Program Files for an OpenVPN directory and create a text file called client.ovpn there.

For Macs, put the config file in ~/Library/openvpn/

Paste the example text below into the client config file. Note that a Windows client needs the dev-node directive; its value is the name of the OpenVPN network connection (the TAP adapter). It is commented out in the example.

You will also need to change SERVERNAME to the address of the OpenVPN server (we are currently using nsrl1 for this) and CLIENTNAME to a unique identifier string for the client, such as "nsrlwrt" or "seamonster2".

# Tell OpenVPN this is a client
client

# Protocol the VPN uses (must match the server)
proto tcp

# Port the server listens on
port 8084

# Type of VPN interface (you will see tun0 on the server and a tun device on the clients)
dev tun

# dev-node is needed for a Windows client. Look for the TAP adapter (TAP-Win32) in your
# Network Connections and use its name here.
#dev-node "Local Area Connection 3"

# Address of the VPN server (its WAN / public address)
remote SERVERNAME

# Keep the key material and the tun device across restarts (e.g. after SIGUSR1 or a
# ping-restart), so a restart does not need to re-read the key files or re-create the interface
persist-key
persist-tun

# Certificates and key for this client (see "Create Authentication Certificate" below)
ca /etc/openvpn/ca.crt
cert /etc/openvpn/CLIENTNAME.crt
key /etc/openvpn/CLIENTNAME.key

# The server uses aes-128-cbc, so the client must use it too
cipher aes-128-cbc

# Compression, same as on the server
comp-lzo

# Log verbosity
verb 3

# Log at most 20 consecutive messages of the same category
mute 20



Create Authentication Certificate

In order for the VPN client to authenticate with the server, we need to create a client certificate and key. On the development server execute the following commands:

 cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
 source ./vars
 ./build-key clientname

Clientname must be a unique identifier for the client. Leave the password blank. This will create several files in the 'keys' subdirectory.

Transfer clientname.crt, clientname.key and ca.crt to /etc/openvpn on a Linux client, or to the OpenVPN config directory under Windows (for example C:\Program Files\OpenVPN\config). Use an encrypted channel such as scp for the copy: clientname.key is the client's private key, and it should be readable only by root (or the account running OpenVPN) on the client.
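The following script is an added example for this page (it is not part of OpenVPN or of the Seamonster setup). It fills SERVERNAME and CLIENTNAME into the client template above and then checks the rendered config before the first start: that no placeholder was left behind, that the ca/cert/key files referenced by the config exist, and that the private key is not readable by group or other. The template is a comment-stripped copy of the page's config, the function names (render_client_conf, check_client_conf, stat_files) are hypothetical, and the file-mode map is passed in explicitly so the checks can also be run against a fake file listing.

```python
"""Render and sanity-check an OpenVPN client.conf built from the page's template.
Added example code, not part of OpenVPN or the Seamonster wiki; all helper names
are hypothetical."""
import os
import re
import stat

# Comment-stripped copy of the page's client template (constructed sample input).
CLIENT_TEMPLATE = """\
client
proto tcp
port 8084
dev tun
#dev-node "Local Area Connection 3"
remote SERVERNAME
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/CLIENTNAME.crt
key /etc/openvpn/CLIENTNAME.key
cipher aes-128-cbc
comp-lzo
verb 3
mute 20
"""

PLACEHOLDERS = ("SERVERNAME", "CLIENTNAME")


def render_client_conf(template, servername, clientname, dev_node=None):
    """Fill in SERVERNAME/CLIENTNAME; on Windows pass dev_node to enable that line."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", clientname):
        raise ValueError("clientname must be a plain identifier")
    text = template.replace("SERVERNAME", servername).replace("CLIENTNAME", clientname)
    if dev_node:
        # Uncomment the dev-node line and substitute the adapter name.
        text = re.sub(r"^#dev-node .*$", lambda m: 'dev-node "%s"' % dev_node,
                      text, count=1, flags=re.M)
    return text


def check_client_conf(conf_text, file_modes):
    """Return a list of problems found in a rendered config.

    file_modes maps an absolute path to its permission bits (e.g. 0o600),
    or None when the file is absent; build it with stat_files() on a real host.
    """
    problems = []
    for ph in PLACEHOLDERS:
        if ph in conf_text:
            problems.append("placeholder %s was not replaced" % ph)
    # Parse "directive value" lines, ignoring blanks and comments.
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    if "remote" not in directives:
        problems.append("missing remote directive")
    for name in ("ca", "cert", "key"):
        path = directives.get(name)
        if path is None:
            problems.append("missing %s directive" % name)
            continue
        mode = file_modes.get(path)
        if mode is None:
            problems.append("%s file not found: %s" % (name, path))
        elif name == "key" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("private key %s is readable by group/other (mode %o)" % (path, mode))
    return problems


def stat_files(paths):
    """Build the file_modes map from the local filesystem."""
    modes = {}
    for p in paths:
        try:
            modes[p] = stat.S_IMODE(os.stat(p).st_mode)
        except FileNotFoundError:
            modes[p] = None
    return modes


if __name__ == "__main__":
    conf = render_client_conf(CLIENT_TEMPLATE, "nsrl1", "seamonster2")
    paths = ["/etc/openvpn/ca.crt", "/etc/openvpn/seamonster2.crt",
             "/etc/openvpn/seamonster2.key"]
    for problem in check_client_conf(conf, stat_files(paths)):
        print("WARNING:", problem)
```

Run it on the client after copying the three files into /etc/openvpn; an empty warning list means the config is at least internally consistent before you start openvpn against it.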

Testing the Connection

For Linux: as root, execute the following command to start the VPN process:

 openvpn /etc/openvpn/client.conf

For Windows, right-click the .ovpn config file and choose "Start OpenVPN on this config file".

This brings up the OpenVPN interface and prints diagnostic information. If it works, it reports the IP address of the client's VPN interface, which will be in the 10.8.1.x range. You should then be able to ping 10.8.1.1, which corresponds to the VPN server.

Starting OpenVPN on Boot

Windows will automatically look in the OpenVPN config directory for .ovpn files and start the VPN client on system boot.

Installing OpenVPN from the package on a Debian/Ubuntu system automatically creates a startup script in /etc/init.d. You can start OpenVPN with the following command:

 sudo /etc/init.d/openvpn start

For the microservers, the "tun" kernel module isn't loaded automatically on reboot, so OpenVPN won't run. Add the line "tun" to /etc/modules.

For openwrt (from http://martybugs.net/wireless/openwrt/openvpn.cgi):

Configure OpenVPN to Auto-Start

To get OpenVPN to start each time the WRT is rebooted, create /etc/init.d/S65openvpn with the following contents:

 #!/bin/sh
 # start the VPN
 openvpn --daemon --config /etc/openvpn/client.conf --ifconfig-nowarn


and make the script executable:

 chmod 755 /etc/init.d/S65openvpn

For Windows (from the OpenVPN HOWTO):

The Windows installer will set up a Service Wrapper, but leave it turned off by default. To activate it, go to Control Panel / Administrative Tools / Services, select the OpenVPN service, right-click on properties, and set the Startup Type to Automatic. This will configure the service for automatic start on the next reboot.

When started, the OpenVPN Service Wrapper will scan the \Program Files\OpenVPN\config folder for .ovpn configuration files, starting a separate OpenVPN process on each file.

Microserver VPN installation recipe

root@brick57:brick# apt-get install openvpn
Would you like a TUN/TAP device to be created? y
Would you like to stop openvpn before it gets upgraded? y
cat > /etc/openvpn/client.conf

See "Configure the Client" above for what to paste into client.conf, then edit it:

SERVERNAME is 137.229.208.19

CLIENTNAME is whatever (Brick57 in my case).

ssh nsrl1.jun.alaska.edu
sudo bash
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
source ./vars
./build-key clientname
root@dev:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys# scp Brick57.key 137.229.208.157:/etc/openvpn/
The authenticity of host '137.229.208.157 (137.229.208.157)' can't be established.
RSA key fingerprint is 51:d2:74:29:3f:86:dc:c0:d9:d0:e8:0b:9b:1f:98:0c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '137.229.208.157' (RSA) to the list of known hosts.
Password: 
Brick57.key                                   100%  887     0.9KB/s   00:00    
root@dev:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys# scp Brick57.crt 137.229.208.157:/etc/openvpn/
Password: 
Brick57.crt                                   100% 3720     3.6KB/s   00:00    
root@dev:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys# scp ca.crt 137.229.208.157:/etc/openvpn/
Password: 
ca.crt                                        100% 1196     1.2KB/s   00:00    

Add the "tun" kernel module:

root@brick57:openvpn# modprobe tun

Add this so the "tun" kernel module is loaded automatically on reboot. Make sure to use >> so you append to the existing list of modules, and press CTRL-D to end your input to the file.

root@brick57:openvpn# cat >> /etc/modules
tun
CTRL-D

Ready to test:

root@brick57:openvpn# openvpn /etc/openvpn/client.conf 

Add the new IP to the VPN wiki page [Seamonster_VPN]. Look for the line that looks like:

Wed Jul  2 11:48:51 2008 ifconfig tun0 10.8.1.46 pointopoint 10.8.1.45 mtu 1500

which shows that the new IP is 10.8.1.46.
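As an added example (not from the wiki or from OpenVPN), the snippet below does the "look for the ifconfig line" step programmatically: it parses the startup log for the `ifconfig tunN <local> pointopoint <peer>` line shown above, reports the assigned client address, and flags the cases a person eyeballing the log would catch, namely no tunnel line at all, an address outside the 10.8.1.x range the page says clients land in, or a log that never reaches "Initialization Sequence Completed". The sample log is constructed from the page's line; tunnel_address and check_tunnel are hypothetical helper names.

```python
"""Extract and sanity-check the tunnel address from OpenVPN startup output.
Added example for this page, not OpenVPN or Seamonster code; helper names are
hypothetical and the sample log is constructed."""
import ipaddress
import re

VPN_NET = ipaddress.ip_network("10.8.1.0/24")   # range the page says clients get
VPN_SERVER = ipaddress.ip_address("10.8.1.1")   # server end of the tunnel, per the page

# Matches "ifconfig tun0 10.8.1.46 pointopoint 10.8.1.45 mtu 1500" after the timestamp.
IFCONFIG_RE = re.compile(
    r"ifconfig (?P<dev>tun\d+) (?P<local>\d+\.\d+\.\d+\.\d+) "
    r"pointopoint (?P<peer>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample built around the line quoted on the page.
SAMPLE_LOG = """\
Wed Jul  2 11:48:51 2008 TUN/TAP device tun0 opened
Wed Jul  2 11:48:51 2008 ifconfig tun0 10.8.1.46 pointopoint 10.8.1.45 mtu 1500
Wed Jul  2 11:48:51 2008 Initialization Sequence Completed
"""


def tunnel_address(log_text):
    """Return (device, local_ip, peer_ip) from the first ifconfig line, or None."""
    for line in log_text.splitlines():
        m = IFCONFIG_RE.search(line)
        if m:
            return (m.group("dev"),
                    ipaddress.ip_address(m.group("local")),
                    ipaddress.ip_address(m.group("peer")))
    return None


def check_tunnel(log_text):
    """Return (local_ip_str or None, problems); problems is empty when the tunnel looks right."""
    found = tunnel_address(log_text)
    if found is None:
        return None, ["no 'ifconfig tunN ... pointopoint ...' line: tunnel did not come up"]
    dev, local, peer = found
    problems = []
    if local not in VPN_NET:
        problems.append("%s on %s is outside %s" % (local, dev, VPN_NET))
    if local == VPN_SERVER:
        problems.append("client was assigned the server's address %s" % VPN_SERVER)
    if "Initialization Sequence Completed" not in log_text:
        problems.append("initialization did not complete")
    return str(local), problems


if __name__ == "__main__":
    ip, problems = check_tunnel(SAMPLE_LOG)
    print("client VPN address:", ip)
    for p in problems:
        print("WARNING:", p)
```

On a real client, feed it the output of `openvpn /etc/openvpn/client.conf` (for example via `openvpn ... 2>&1 | tee /tmp/vpn.log` and then reading the file); the address it prints is the one to record on the wiki page, and the server address 10.8.1.1 is the one to ping.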

Hit CTRL-C to stop the OpenVPN test, then start it up "for real" with:

root@brick57:openvpn# /etc/init.d/openvpn start