Adding a machine to OpenVPN
- Network, Terminology
- Implementation maps: Mendenhall Local Area Network
- Logistics: Communication, VuS, SLUGs, Routers, Motes, NetRS
- How To: Seamonster VPN, Adding a machine to OpenVPN
On a debian style linux distribution you can install the OpenVPN packages by using the following command.
sudo aptitude update sudo aptitude install openvpn
For a OpenWRT style host you can use ipkg:
ipkg update ipkg install openvpn
For a windows machine, download the latest openvpn installer with gui:
Double-click to install.
for macs, grab http://www.tunnelblick.net/
Configure the Client
For a linux machine create a directory called /etc/openvpn on the client, if it wasn't already created by installing the package. In this directory create a text file called client.conf.
For windows, look in your Program Files for an OpenVPN directory. Create a text file called client.ovpn.
For macs, put the config file in ~/Library/openvpn/
Paste the example text into the client config file. Notice that for the windows client you need to use the dev-node directive. The dev-node corresponds to the name of the openvpn network connection. This is commented out in the example.
You will also need to change SERVERNAME to the address of the openvpn server. We are currently using nsrl1 for this. And change CLIENTNAME to be a unique identifier string for the client. Something like "nsrlwrt" or "seamonster2" would work.
#Tell this is a client client #Protocol the VPN uses proto tcp port 8084 #Type of VPN connection (you will notice you have tun0 on the server, and tun on the clients) dev tun #dev-node is need for a windows client. Look for Win32-TAP adapter in your Network Connections. #dev-node "Local Area Connection 3" #ip address of the VPN Server. This is your WAN ip address is remote SERVERNAME #Something dealing with the keys persist-key persist-tun #The keys for the clients (see below for more info) ca /etc/openvpn/ca.crt cert /etc/openvpn/CLIENTNAME.crt key /etc/openvpn/CLIENTNAME.key #The server is using aes-128-cbc so we need to tell the client to use that cipher aes-128-cbc #Compression as the same on the server comp-lzo verb 3 mute 20
Create Authentication Certificate
In order for the vpn client to authenticate with the server, we need to create a key. On the development server execute the following commands:
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/ source ./vars ./build-key clientname
Clientname must be a unique identifier for the client. Leave the password blank. This will create several files in the 'keys' subdirectory.
Transfer clientname.crt, clientname.key and ca.crt to /etc/openvpn on a linux client, or in the OpenVPN config dir under windows (for ex: C:\Program Files\OpenVPN\config).
Testing the Connection
For linux: as root execute the following command to start the vpn process:
For windows right click on the .ovpn config file and click "Start OpenVPN on this config file".
This will bring up the openvpn interface and present diagnostic information. If it works, it will tell you the ip address of the client vpn interface. This will be an ip from 10.8.1.x range. You should be able to ping 10.8.1.1, which corresponds to the vpn server.
Starting OpenVPN on Boot
Windows will automatically look in the OpenVPN config directory for .ovpn files and start the vpn client automatically on system boot.
Installing openVPN via package on a debian/ubuntu system will automatically create a startup file in /etc/init.d. You can start openvpn by issuing the following command:
sudo /etc/init.d/openvpn start
For the microservers, the "tun" kernel module isn't automatically loaded on reboot, thus openvpn won't run. so add the line "tun" to /etc/modules.
For openwrt (from http://martybugs.net/wireless/openwrt/openvpn.cgi):
Configure OpenVPN to Auto-Start To get OpenVPN to start each time the WRT is rebooted, create /etc/init.d/S65openvpn with the following contents:
# start the VPN openvpn --daemon --config /etc/openvpn/client.conf --ifconfig-nowarn
and make the script executable:
chmod 755 /etc/init.d/S65openvpn
For windows (from the howto):
The Windows installer will set up a Service Wrapper, but leave it turned off by default. To activate it, go to Control Panel / Administrative Tools / Services, select the OpenVPN service, right-click on properties, and set the Startup Type to Automatic. This will configure the service for automatic start on the next reboot.
When started, the OpenVPN Service Wrapper will scan the \Program Files\OpenVPN\config folder for .ovpn configuration files, starting a separate OpenVPN process on each file.
Microserver VPN installation recipe
root@brick57:brick# apt-get install openvpn
Would you like a TUN/TAP device to be created? y
Would you like to stop openvpn before it gets upgraded? y
cat > /etc/openvpn/client.conf
see above "configuring the client" for details about what to cat and then edit in client.conf above
SERVERNAME is 18.104.22.168
CLIENTNAME is whatever (Brick57 in my case..)
ssh nsrl1.jun.alaska.edu sudo bash cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/ source ./vars ./build-key clientname root@dev:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys# scp Brick57.key 22.214.171.124:/etc/openvpn/ The authenticity of host '126.96.36.199 (188.8.131.52)' can't be established. RSA key fingerprint is 51:d2:74:29:3f:86:dc:c0:d9:d0:e8:0b:9b:1f:98:0c. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '184.108.40.206' (RSA) to the list of known hosts. Password: Brick57.key 100% 887 0.9KB/s 00:00 root@dev:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys# scp Brick57.crt 220.127.116.11:/etc/openvpn/ Password: Brick57.crt 100% 3720 3.6KB/s 00:00 root@dev:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys# scp ca.crt 18.104.22.168:/etc/openvpn/ Password: ca.crt 100% 1196 1.2KB/s 00:00
Add the "tun" kernel module:
root@brick57:openvpn# modprobe tun
Add this so the "tun" kernel module is loaded automatically on a reboot (make sure and use >> so you append to the existing list of modules! and use CTRL-D to end your input to the file)
root@brick57:openvpn# cat >> /etc/modules tun CTRL-D
Ready to test:
root@brick57:openvpn# openvpn /etc/openvpn/client.conf
add the new IP to the VPN wiki page [Seamonster_VPN] (look for the line that looks like:
Wed Jul 2 11:48:51 2008 ifconfig tun0 10.8.1.46 pointopoint 10.8.1.45 mtu 1500
to see that the new IP is 10.8.1.46
Hit CTRL-C to stop the openvpn test, and start it up "for real" by using
root@brick57:openvpn# /etc/init.d/openvpn start