HowTo install OpenVPN server

[Tamadite]

thank you for your answer,

yes, a little help in configuring ubuntu will be appreciated

my network architecture is:

XP Laptop --- internet --- router(wl500g) --- Ubuntu Desktop

I want to access Ubuntu Desktop from XP Laptop over VPN

I do not understand why you need to establish a VPN between the Ubuntu desktop and the router. Please advice.

You wrote:

Now I have a functional vpn between my Xp laptop and wl500gp.

Please confirm you have understood FINAL NOTES point (ii). If I got it correctly, that should be the answer to your problem.

[mi5hu]

I succeeded!!!
I started all over again from zero.
I don't know where I did wrong
I kept the same firewall rules from this tutorial

server.conf is:


sdev tun0
proto udp
dh dh1024.pem
ifconfig-pool-persist ipp.txt
client-config-dir ccd
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
verb 3
ca ca.crt
cert asus.crt
key asus.key
push "route 192.168.99.0 255.255.255.0"



and in client:


client
dev tun0
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca "\\Program Files\\OpenVPN\\config\\ca.crt"
cert "\\Program Files\\OpenVPN\\config\\laptopxp.crt"
key "\\Program Files\\OpenVPN\\config\\laptopxp.key"
comp-lzo
verb 3

[rej]

Hi!
I am not sure what you are asking - do you want to know how to configure OpenVPN on Ubuntu? I can help you with that tomorrow if that is what you want.

Here is a short guide to installing and configuring ubuntu to VPN. It does require that you are knowledged in linux/ubuntu, and it does require you to read the above guide for windows (or the one over at wlhdd.co.uk).

First install the OpenVPN client (from command prompt):

Code:

sudo apt-get install network-manager-openvpn

This installs all the neccessary packages needed to use the VPN client

If you have already generated the client certificates e.g. on an XP machine, all you have to do is left click on your network icon in the notification area and go to VPN Connections -> Configure VPN... Then you click import. Select your client.ovpn (make sure the certificates is located as indicated in the client.ovpn file). Then you are pretty much set to go. To log on to your vpn network click the network icon in the notification area and choose network connctions -> whateveryoucalledyourconnection. A fireball should now fly around your notification area icon until it connects and shows a small lock.

If you also want to generate your keys and certificates on your linux machine, copy the example configuration directory to your home directory. Stand in your home directory, then:

Code:

cp -r /usr/share/doc/openvpn/examples/easy-rsa/ .

navigate to easy-rsa/2.0 directory. I this directory all the configuration files you find in the XP version is located and you more or less just follow the XP guide either in this thread or in the wlhdd.co.uk guide. I have only encountered one difference, init-config does not exist, so don't run this command :-)

BR,
René

[sarlacc]

I can access the samba server on my router, but not any of the other machines on the LAN.

I have the same problem. Do you succeed in it? Maybe it is necessary to configure smb.conf :

Code:

 interfaces = eth0 192.168.1.1
      hosts allow = 192.168.1.1 ... 127.0.0.1

[rej]

I have the same problem. Do you succeed in it? Maybe it is necessary to configure smb.conf :

Code:

 interfaces = eth0 192.168.1.1
      hosts allow = 192.168.1.1 ... 127.0.0.1

No I have not gotten it to work. I will take it up on a later time, first I got to get the router stable while running with a USB stick attached...

By the way, I don't think working on the samba server on the router will help you - in theory you don't even need samba running on your router to access samba on computers in your workgroup.

BR,
René

[Csali]

Hi,

I read the tutorial and installed OpenVpn via ipkg on my wl500gpv2.

My problem is that I cannot start openvpn:

[user@WL500gpv2 sbin]$ /opt/sbin/openvpn
-sh: /opt/sbin/openvpn: not found
[user@WL500gpv2 sbin]$ ls -l /opt/sbin/openvpn
-rwxr-xr-x 1 user root 769724 Feb 22 05:12 /opt/sbin/openvpn

What could be the problem???

[KpaH4iTo]

Hi,
thanks for this tutorial! but i have a problem with it. When i trying to connect from Xp client outside the router, the client do not connect to the router:

Code:

Wed Mar 31 14:41:00 2010 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Wed Mar 31 14:41:00 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Mar 31 14:41:00 2010 TAP-WIN32 device [tun0] opened: \\.\Global\{CEA93030-2985-4747-B3D3-4267FB40C32B}.tap
Wed Mar 31 14:41:00 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.2/255.255.255.252 on interface {CEA93030-2985-4747-B3D3-4267FB40C32B} [DHCP-serv: 10.8.0.1, lease-time: 31536000]
Wed Mar 31 14:41:00 2010 Successful ARP Flush on interface [196612] {CEA93030-2985-4747-B3D3-4267FB40C32B}
Wed Mar 31 14:41:00 2010 UDPv4 link local (bound): [undef]:1194
Wed Mar 31 14:41:00 2010 UDPv4 link remote: **.**.**.**:1194

I tryng to telnet **.**.**.** 1194 and there is no answer

Code:

C:\Documents and Settings\alexx>telnet **.**.**.** 1194
Подключение к **.**.**.**...Не удалось открыть подключение к этому узлу, на по
рт 1194: Сбой подключения

I think that may be a port 1194 is not opened...
Please help!)

[Tamadite]

No I have not gotten it to work. I will take it up on a later time, first I got to get the router stable while running with a USB stick attached...

By the way, I don't think working on the samba server on the router will help you - in theory you don't even need samba running on your router to access samba on computers in your workgroup.

BR,
René

You need to route the traffic between tun0 and eth0 interfaces. Use iptables.

[sarlacc]

1. Are the red lines necessary? There is nothing similar in other openvpn tutorials.

Code:

iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT

2. How can I reload firewall rules (on the fly) without rebooting correctly?

[sarlacc]

You need to route the traffic between tun0 and eth0 interfaces. Use iptables.

How? This way?

Code:

iptables -t nat -I PREROUTING -i vlan1 -p udp --dport 1194 -j DNAT --to-destination 192.168.1.1:1194

better -I or -A?

(WL-500gP)

[Kosmotaur]

Hi,

Tried to follow the tutorial exactly, didn't work. Then I tried to tweak the post-firewall rules, yet no matter what I'm doing, I keep getting:

Code:

xxx.dyndns.org isn't responding on port 1194 (openvpn)

when scanning the 1194 port
And yes, I am able to eg. ssh into my router with the given dyndns host.
Conclusion: I don't know how to open the 1194 port for the OpenVPN client to even start doing transactions. Please, help.

[Tamadite]

How? This way?

Code:

iptables -t nat -I PREROUTING -i vlan1 -p udp --dport 1194 -j DNAT --to-destination 192.168.1.1:1194

better -I or -A?

(WL-500gP)

"I" or "A"? It depends on the policy of the table. More on Google.

How to route between tun0 and eth0? What about Googling for a bit only?

http://ubuntuforums.org/showthread.php?t=607519

Just in case the link above gets broken:

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t filter -A FORWARD -i tun0 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.3.2 -j MASQUERADE

I have not tried it my self so I can not confirm if it works. I guess 192.168.3.2 should be replaced by the tun0 IP address.

[Tamadite]

Hi,

Tried to follow the tutorial exactly, didn't work. Then I tried to tweak the post-firewall rules, yet no matter what I'm doing, I keep getting:

Code:

xxx.dyndns.org isn't responding on port 1194 (openvpn)

when scanning the 1194 port
And yes, I am able to eg. ssh into my router with the given dyndns host.
Conclusion: I don't know how to open the 1194 port for the OpenVPN client to even start doing transactions. Please, help.

If firewall rules and the notes given and the end of the rules do not help to open the port, you should take a look at the policy you have on the INPUT and PREROUTING tables to see if it is "I" (insert) or "A" (append) the parameter to use on the rules.

On the other hand "isn't responding on port 1194" does not imply the port is not open. It implies there is no service responding to the request on port 1194; reasons can be multiple, e.g. no service behind the port, closed port, etc.

[dreamer69]

Adding --float to client.ovpn solved the problem.


I'm trying to connect to OpenVPN for days now and i keep getting this error

Code:

TCP/UDP: Incoming packet rejected from 192.168.18.254:1194[2], expected peer address: 79.112.107.146:1194 (allow this incoming source address/port by removing --remote or adding --float)

.
I would really appreciate if someone could help me out.

post-firewall looks like this

Code:

#!/bin/sh
# this opens the ssh port to internet! Be sure to have strong passwords!
iptables -I INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --sport 1194 --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1194 --dport 1194 -j ACCEPT

#OpenVPN access from WAN
iptables -D INPUT -j DROP
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -I PREROUTING -i eth1 -p udp --dport 1194 -j DNAT
--to-destination 192.168.18.254:1194
iptables -A INPUT -j DROP

iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT

ifconfig

Code:

ifconfig
br0       Link encap:Ethernet  HWaddr 00:1D:60:9F:1D:3C
          inet addr:192.168.18.254  Bcast:192.168.18.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2431 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1883 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:582528 (568.8 KiB)  TX bytes:826719 (807.3 KiB)

eth0      Link encap:Ethernet  HWaddr 00:1D:60:9F:1D:3C
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1112 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:306676 (299.4 KiB)
          Interrupt:4 Base address:0x1000

eth1      Link encap:Ethernet  HWaddr 00:1D:60:9F:1D:3C
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1824 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1263 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:680250 (664.3 KiB)  TX bytes:368687 (360.0 KiB)
          Interrupt:5 Base address:0x2000

eth2      Link encap:Ethernet  HWaddr 00:1D:60:9F:1D:3C
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2424 errors:0 dropped:0 overruns:0 frame:112907
          TX packets:2577 errors:31 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:615892 (601.4 KiB)  TX bytes:1004952 (981.3 KiB)
          Interrupt:12 Base address:0x4000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:xxx.xxx.107.146  P-t-P:10.0.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:1529 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1163 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:600547 (586.4 KiB)  TX bytes:340013 (332.0 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

server.conf

Code:

dev tun
proto udp
ifconfig 10.8.0.1 10.8.0.2
secret /opt/etc/openvpn/static.key
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
comp-lzo
keepalive 10 60
daemon

client.ovpn

Code:

remote xxx.xxx.xxx.xxx ;server IP address
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
comp-lzo
keepalive 10 60
redirect-gateway def1
route-method exe
route-delay 2
dhcp-option DNS 10.8.0.1

Works great connecting from LAN , but i can't connect from WAN.

[hodecp]

Hi,

I read the tutorial and installed OpenVpn via ipkg on my wl500gpv2.

My problem is that I cannot start openvpn:

[user@WL500gpv2 sbin]$ /opt/sbin/openvpn
-sh: /opt/sbin/openvpn: not found
[user@WL500gpv2 sbin]$ ls -l /opt/sbin/openvpn
-rwxr-xr-x 1 user root 769724 Feb 22 05:12 /opt/sbin/openvpn

What could be the problem???

Hi Csali, I had the same problem and could find reason for long time. By I found the solution. The problem is in uClib library, which is to be installed explicitly with IPKG http://wl500g.info/showthread.php?t=8205.

Petr