Monday, March 8, 2010

Tutorial on how to Setup an Openvpn Server on Debian, with a Windows Client

Installation

First, we need to quickly install OpenVPN on our Debian server:
aptitude install openvpn
Next we need to locate our easy-rsa folder. On Debian it is located at /usr/share/doc/openvpn/examples/easy-rsa
If you are having trouble finding it, try the following:
updatedb
locate easy-rsa
Once we find the folder, we need to copy it to /etc/openvpn:
cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0

Editing the vars (variables) file

Now we need to edit some variables, to make things easier for us.
sudo nano vars
Once you open up the file vars, you should see something like the following at the bottom:

Change those values to reflect your own values.
Now we need to build the certificate authority (CA). In the /etc/openvpn/easy-rsa/2.0 directory run the following commands:
. ./vars
(dot space ./vars)
./clean-all
./build-ca
This should build the certificate authority (CA) certificate.
Many of the values should be autopopulated since we filled them out in vars. The one value you may need to fill in is the Common Name; enter the name of your server for this value.

Building the Server and Client Keys

Next we need to generate the server key (run this from the same /etc/openvpn/easy-rsa/2.0 directory):
./build-key-server server

Next, we need to set up some keys for the clients so that they can connect to the server. You have two choices for setting up clients: you can require the clients to enter a password to connect, or just generate the key files needed to connect. In this example we will be generating the files without a password. If you wish to use a password, replace ./build-key with ./build-key-pass.
./build-key client1
Again, it will ask you for a client name; enter the name of the client. When it asks for a challenge password, just leave it blank and press enter.

Next we need to generate Diffie-Hellman parameters.
./build-dh
This command may take a while to complete. Once the command completes, you should be able to navigate to /etc/openvpn/easy-rsa/keys/ and the files you generated should be located within.

Placing the Server Keys and Creating Server Config

Next, we need to copy the keys that are needed for the OpenVPN server into the correct folder:
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn

Obviously, the file names will reflect whatever you entered originally. Next, navigate to /etc/openvpn to edit the configuration file:
sudo nano openvpn.conf
This is a very basic example configuration. Change the names of the .crt and .key files to the ones you made, and you should be all set. I also added the client-to-client line because I want my clients to be able to talk to each other.
NOTE: You may want to change the "server" line from 172.17.0.0 to something that won't cause routing issues depending on your (and the remote) network setup. This won't happen in every use case, but it can come into play. Something like "172.17.2.0" may work.
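The configuration listing did not survive on this page, so the following is an added example server file (not the author's original) that uses the values from this post: the easy-rsa file names copied above, the 172.17.0.0/24 tunnel network, client-to-client, plus the push route and log-append lines described in the later sections. The crl-verify line is an assumed addition covering the key-revocation situation raised in the comments.

```conf
# /etc/openvpn/openvpn.conf  (added example; file names match the easy-rsa output above)
port 1194
proto udp
dev tun

# CA, server certificate/key and DH parameters produced by easy-rsa 2.0
ca ca.crt
cert server.crt
key server.key            # keep this file readable by root only
dh dh1024.pem

# Tunnel network handed out to clients; pick one that does not collide
# with the LAN on either end (see the NOTE above, e.g. 172.17.2.0)
server 172.17.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Let VPN clients reach each other (also needs ip_forward=1 on the server)
client-to-client

# Tell clients that the server-side LAN is reachable through the tunnel
# ("Server Setup for Internal Access" later in this post)
push "route 192.168.1.0 255.255.255.0"

keepalive 10 120
comp-lzo
persist-key
persist-tun

# Drop root privileges once the tunnel is up
user nobody
group nogroup

# Separate log instead of syslog ("Logging" later in this post);
# the status file shows which client names are connected from which address
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
verb 3

# Assumed addition: reject revoked client certificates. easy-rsa's
# ./revoke-full <client> writes keys/crl.pem; copy it next to ca.crt.
crl-verify crl.pem
```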

Next, let's start OpenVPN:
/etc/init.d/openvpn start
You can ping yourself as a quick test to see if you are up and running.

$ ping 172.17.0.1
PING 172.17.0.1 (172.17.0.1) 56(84) bytes of data.
64 bytes from 172.17.0.1: icmp_seq=1 ttl=64 time=0.041 ms
64 bytes from 172.17.0.1: icmp_seq=2 ttl=64 time=0.030 ms

Client Configuration

Next, we need to configure the clients. In this example, I am using two Windows clients to connect to the server.
I like the GUI for OpenVPN, available here: http://openvpn.se. (See below for the Windows 7 fix.) Once you install it, navigate to C:\Program Files\OpenVPN\config. Now you need to copy the following files from the server into that config folder:
client.crt
client.key
ca.crt

Next, we need to create a client configuration file to use. For Windows, the client configurations all end with .ovpn. So let's create a file called config.ovpn and use the following:

You will need to change the names of your .key and .crt files, and your remote IP address as well. Obviously, if you are connecting remotely, you can enter a domain name instead.
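As with the server file, the client listing is missing here, so this is an added example config.ovpn (not the author's original) for the Windows client. It assumes the client was built as "client1" with ./build-key, so the files are client1.crt and client1.key, and the remote address 203.0.113.10 is a placeholder for your server's public IP or DNS name.

```conf
# C:\Program Files\OpenVPN\config\config.ovpn  (added example, not the post's original)
client
dev tun
proto udp

# Public IP or DNS name of the server and the port you forwarded;
# 203.0.113.10 is a placeholder
remote 203.0.113.10 1194
resolv-retry infinite
nobind

persist-key
persist-tun

# Files copied from the server's easy-rsa keys directory into this folder
ca ca.crt
cert client1.crt
key client1.key

# Only trust a server whose certificate was made with build-key-server,
# so a leaked client certificate cannot be used to impersonate the server
ns-cert-type server

comp-lzo
verb 3
```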

Once you connect, you should be able to ping the OpenVPN server. If not, you may need to check your firewall to make sure everything is working. Don't forget to port forward the correct port to your OpenVPN server, or you will not be able to reach your server from outside of your network.

If you need clients to be able to talk to each other, you may need to execute the following command on your Linux box:
echo 1 > /proc/sys/net/ipv4/ip_forward

Windows Client Options

Currently, setup on Windows 7 requires a little more work than other versions of Windows. First, download the latest release client from http://openvpn.net/release/, and run the program in compatibility mode for Windows Vista Service Pack 1, and run it as administrator. This will give the program the permissions it needs.

Another option is the Securepoint client at http://sourceforge.net/projects/securepoint/. I have run it successfully on Windows 7 without any issues.

If you encounter problems, remember to turn off any firewalls that may be in the way.

Connecting to Internal Resources

This is a rather important point that should have been here from the beginning (my bad). The setup so far only lets you connect to the device that OpenVPN itself is running on. Look at the picture below:


If your OpenVPN client needs to connect to another server or desktop on your LAN, it has no way to do so! If you attempt to ping 192.168.1.105 from your remote OpenVPN client, you will not get a response, or if you do, it will be from a host on the local network, not the remote network. This requires further setup.

Server Setup for Internal Access

You will need to push a route to your client.  To do so add the following line to your server conf file:
push "route 192.168.1.0 255.255.255.0"
Now when the OpenVPN client connects, it will know that to access the 192.168.1.0 network it needs to forward the traffic through the VPN connection.

Router Setup for Internal Access

However, when you attempt to ping 192.168.1.105, you will still not be able to ping it (or RDP, or whatever protocol you want to test if ping is disabled). This is because the router (192.168.1.1) still does not know the route back to the 172.17.0.0 network. In DD-WRT it is simple to add the network route.


Now when you attempt to connect to an internal resource it should work correctly.

Logging

If you experience problems and need to troubleshoot the server: OpenVPN logging goes to syslog, but if you want the log file separate, you can add the following line to your server conf file: "log openvpn.log" or "log-append openvpn.log". This will write the OpenVPN log to its own file instead of adding it to syslog.

Web Management of OpenVPN

I need programmers :D. I am attempting to create a web interface to simplify OpenVPN installation and management at GitHub: https://github.com/deranjer/OpenVPN-PHP-Management-Gui. I am really busy with school and work, so I only have it working in beta (not to be run on production servers). But if you know PHP at all (I am barely able to code in PHP, so this won't be too complex) I would love to have help on this.

Conclusion

I will try and keep this blog post updated and post answers or solutions to common issues with OpenVPN configuration and management.

25 comments:

  1. What I don't get is that if I follow this tutorial you can simply connect without anything ever asking you for a password. What if the client.crt, client.key, client.ca and client.ovpn files are compromised? (laptop stolen or whatever) Someone could simply connect to your VPN, right?

    Is this tutorial missing something?

  2. Ron,

    In short, yes, if your laptop was stolen and no password was specified then you would have to revoke the key... see http://openvpn.net/index.php/open-source/documentation/howto.html#revoke

    And yes, it is mentioned in my tutorial:

    "You can require the clients to enter a password to connect, or just generate the key files needed to connect. In this example we will be generating the files without password. If you wish to use a password, replace ./build-key with ./build-key-pass."

  3. Congrats, a great tutorial. I've been searching out there and everything was too complicated until I came across your tutorial.

    Just two questions: 1) Is it ok if OpenVPN clients match the same name as LAN clients? (It will be the same people accessing from the LAN and also from their homes via VPN.)

    2) Which are the internal ports of OpenVPN I should open on the router?

  4. As for your first question, that can get complicated... first off, your VPN LAN cannot (as far as I know) occupy the same IP space as your local LAN... routing on your client PC would not work as it would not know how to send what traffic where. In the same vein, you cannot have two clients on your VPN with the same IP. OpenVPN assigns IP addresses by client name (in the file ipp.txt) so it may get confused if it is asked to assign different IPs to clients with the same name.. you may have to try this to see if it will be a problem though...

    As for the second question, you can assign whatever port number you choose, as well as define whether you would like to use UDP or TCP (I use UDP as you can see in the config (proto UDP)). I also assign port 1194, the default port OpenVPN uses.

  5. If you want to share the same subnet between LAN and VPN clients you just need to bridge the eth interface of the LAN with the tap interface of the VPN. Actually this is the typical setup for a VPN.
    Then, if you want a notebook to always have the same IP when it connects by VPN or LAN you have to configure the dhcp server to assign it a fixed address based on the ethernet address of its network card and the vpn server to assign it the same address based on the client key.

  6. There's missing

    ./build-key-server server

    which shall be invoked somewhere after ./build-ca and before you copy keys out

  7. Wouldn't hurt if you could update the tutorial with information on interfaces and network IPs used for clients/servers

  8. Hi, nice tutorial. Maybe it is also worth mentioning that in order to generate a second client, while keeping client one, you can start over the steps from './build-key client2', and then give
    /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    /etc/openvpn/easy-rsa/2.0/keys/client2.crt
    /etc/openvpn/easy-rsa/2.0/keys/client2.key
    to client2

  9. Thanks for the guide. I followed the steps described but got stuck when it came to editing the openvpn.conf file. There is no file like that under /etc/openvpn. The only file there is "update-resolv-conf". I also did a search after running updatedb. I am using Debian Lenny.

  10. Well I found the file, it's under /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz. You need to copy this to /etc/openvpn and unzip it using gunzip.

    But the file I got is called server.conf, not openvpn.conf as you described in your post. Is it possible that I can use any name?

  11. Did you do the following steps?

    locate easy-rsa
    Once we find the folder, we need to copy it to /etc/openvpn:
    cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
    cd /etc/openvpn/easy-rsa/2.0

    If you do not follow those steps you will not create the /etc/openvpn folder with the correct files...

  12. Thanks deranjer, I followed all the steps and it's up and running on the internal IP. I have 2 NICs, but I am unable to connect to it from outside. I have opened the UDP port in the firewall and also changed the line in the server.conf file to "local 192.168.0.104", which is the IP for the external NIC. The client side ovpn file is also changed accordingly. Could you please help to resolve this?

  13. Again, after changing UDP to TCP on both server and client, I am able to connect to the server from outside. Is there any disadvantage in using TCP over UDP?

  14. Not really, I believe TCP will have a slightly smaller overhead, but that shouldn't be much. As well, UDP traditionally does better against DoS attacks and port scanning.... but other than that it should be fine...

  15. This comment has been removed by the author.

  16. I am using Hotspot Shield Free VPN to hide my IP address and surf anonymously. It's free. Hotspot Shield VPN conceals your IP address and protects your personal data from hackers, including credit card information, online shopping data, passwords, downloads and instant messages.

    Check it out here: http://www.hotspotshield.com

  17. Hi. I am a very, very new newbie to Linux. I have installed Debian with 2.6.32-5-686 (no graphical desktop, just the command prompt). I have followed your instructions step-by-step up to creating the openvpn.conf file. When I attempt to start openvpn, it says failed. Any suggestions? I don't know where the error log is located. I searched the /var/log directory and it is not there. Thanks. Kevin. My mail address is hot_wireless@yahoo.com

  18. On Debian squeeze, I need to add "tls-server" in openvpn.conf.
    The only way I would know this is by enabling logging with "log-append /var/log/openvpn.log" in openvpn.conf.

  19. I have the same problem. When I do /etc/init.d/openvpn start I receive the message failed in red. Also openvpn.conf does not exist in /etc/openvpn; when I type nano openvpn.conf it creates a new file.

  20. great article, extremely helpful

  21. Why should a ping to 172.17.0.1 return a pong? there was never any IP configured to listen for vpn connections :-?

  22. Nice tutorial. Is there a way to control the bandwidth available to a tunnel?
    I have 4 clients (A, B, C, D) on a server. I would like to give only 2 Mbps to clients A and B; clients C and D will get 1 Mbps only.

  23. Nice installation guide for OpenVPN server.
    Cool tutorial. It works fine.
    Many thanks.
    10webhostingservice.com

  24. It was really nice to read the article written on this blog. I would also like to add a few techniques, to the best of my knowledge, which can help readers more and more.
    Sell server
