Background:
When I first decided to build my own server I ran down a list of things I wanted from it. The first were obvious: a web server and an e-mail server. I also realized that I have many older games I would enjoy playing with friends, games that only allow multiplayer over a local network. A secure and rather elegant solution is to use OpenVPN to make the remote computers appear as though they are on the same local network, so I set out to implement this on my second computer. I used the Ubuntu Dapper Drake server edition and then began the painstaking task of configuring all the components. When I tried to configure OpenVPN, however, the documentation on their web site was lacking (this was in March 2006; it has since been updated and is very good now), so I wrote this guide to installing and configuring OpenVPN on Ubuntu Dapper Drake. I hope you find it interesting and beneficial.
The purpose of this document is to describe how to install an OpenVPN server on an Ubuntu Linux system and have it use an Ethernet bridge to reach your local network. An Ethernet bridge lets the operating system treat multiple network interfaces as ports of one switch: frames arriving on one member interface are forwarded to the others at layer 2. Used with OpenVPN, a bridge connects external users to your internal network so that they receive all traffic, broadcast and multicast included, exactly as though they were plugged into the LAN. The alternative is to run OpenVPN in routed (tun) mode, but a routed VPN does not carry broadcast traffic and will not pass multicast without extra routing setup, and many games rely on broadcast or multicast to find other players.
This tutorial explains how to install and configure an OpenVPN server with internal network access via an Ethernet bridge. It does not explain how to install Linux and get the OS environment configured; there are many good tutorials for that. Once your Linux server is ready, simply follow this document.
If you are interested in a tutorial to configure your system I recommend this easy to follow guide:
http://www.howtoforge.com/perfect_setup_ubuntu_6.06
1. The first thing you should do when installing OpenVPN is to read some of the documentation on the OpenVPN web site. This seems like a simple step to skip, but if you do not know exactly how OpenVPN works you risk opening your internal network to security problems: a bridged VPN client is, for all purposes, a machine plugged into your LAN. The OpenVPN site also has good material explaining networking terms and methods, such as exactly what an Ethernet bridge is and how it differs from a route.
# Link to OpenVPN Homepage
http://openvpn.net/
# Link to Explanation of bridging
http://openvpn.net/bridge.html
2. Now that you have taken some time to understand OpenVPN and bridges, we can begin to implement these technologies on a server on your local network. The first step is to collect information about your network. This tutorial is written for a network that looks like the following (the server sits behind a NAT router, so the router will also have to forward UDP port 1194 to the server):
Linux Server Internal IP: 173.23.1.5
Internet Gateway: 173.23.1.1
Gateway's IP Address: 139.142.227.155
Network Layout: Internet ----- Router/Firewall ----- OpenVPN Server (eth0)
3. To simplify setup for users you should register your public IP address with a DNS service. If you are cheap like me simply use no-ip.com: create an account, download their dynamic DNS update tool and follow their installation instructions. This will give you a free dynamic domain name. Additionally, the internal IP address of your server needs to be static, because the bridge script below configures the address itself and will not follow a DHCP lease change. You can configure this in your /etc/network/interfaces file. My server has an entry for my network card that looks like this:
# The primary network interface
# connects to insecure router
auto eth0
iface eth0 inet static
address 173.23.1.5
netmask 255.255.255.0
network 173.23.1.0
broadcast 173.23.1.255
gateway 173.23.1.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 142.165.200.5
4. Now that the information is collected you can begin by installing OpenVPN and the utilities to manage a bridge, to do this simply type:
sudo apt-get install openvpn bridge-utils
5. With OpenVPN installed we can now begin to configure it. The first step is to copy the example files the package installed (including the easy-rsa certificate scripts) into /etc/openvpn for easy access; this also preserves the originals under /usr/share/doc in case you make a mistake and need to start over.
sudo cp -R /usr/share/doc/openvpn/examples/ /etc/openvpn/
6. Now we want to load the vars file with our own defaults. Open the file in your favorite editor and change KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL to match your information. (Newer packages put the scripts in an easy-rsa/2.0 subdirectory; if yours does, adjust the cd here and the key paths later in this guide accordingly.)
cd /etc/openvpn/examples/easy-rsa/
vi ./vars
My vars file looks like this: (key components only)
# this is to ensure secure data
export KEY_SIZE=2048
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=CA
export KEY_PROVINCE=SK
export KEY_CITY=Martensville
export KEY_ORG="TheBakershome"
export KEY_EMAIL="geoff@thebakershome.net"
7. Now we begin building the certificate authority (CA) that will sign the server and client certificates. Run these from the easy-rsa directory as root (sudo -s), because they write into its keys subdirectory:
. ./vars
./clean-all
./build-ca
The purpose of these commands is as follows. The first (note the space between the two dots) sources the vars file so its settings apply to the rest of the session; it must be repeated in every new shell before running any other easy-rsa script. The second clears any old keys or certificates out of the keys directory; there should not be any yet, but it does not hurt to be sure. The third creates the CA key (ca.key) and certificate (ca.crt); follow the prompts and make sure the values match your situation. Since we loaded the vars file with your settings before this step the defaults should be right for almost all fields, but the Common Name will need to be specified. ca.key is the most sensitive file this guide produces: anyone holding it can mint certificates your server will accept, so it never leaves this machine.
8. Now you need to create the server keys, these are private files that you should keep secure.
./build-key-server server
I found that if I did not use the same information that I used in the build-ca step above, the "Sign Certificate" and "commit" prompts did not work. If you experience this problem just repeat this step with the same values and it should work. This should not happen for you, as we have loaded the default values into the vars file, but be aware of the cause just in case. Use build-key-server, not build-key, for the server: it marks the certificate as a server certificate (nsCertType=server), which the client configuration later checks before trusting the peer.
9. Now you are ready to generate keys for users. First decide whether you wish to password protect the keys. A passphrase protects the private key at rest on the client machine; the PAM authentication configured later makes the server demand a system account password on every connection, so a stolen key alone is not enough to get in. I recommend building with passwords if you are not going to use authentication in OpenVPN; if you are, simply generate without. This tutorial assumes that you will use authentication in OpenVPN, since it means a client needs both a valid certificate and a valid password. Make sure that you specify the correct Common Name when prompted; the server identifies the client by it, so use one name per person or machine and never share a key between users.
# Generate with password
./build-key-pass username
# Generate without password
./build-key username
10. Now you need to build the Diffie-Hellman parameters; for details on what these are check the OpenVPN homepage. The short answer is that they let the two sides agree on a fresh session key over an insecure channel, so session traffic stays protected even if a certificate's private key is stolen later. This process takes a while (minutes for 2048 bits), so you may want to take a break; relax, we are almost there. While you are at it, also generate the tls-auth key: a shared secret, separate from the certificates, that the server and all clients use to sign every control packet.
./build-dh
# generate the tls-auth (HMAC) key shared by the server and all clients
openvpn --genkey --secret ta.key
11. As an aside I found a very interesting table on the OpenVPN web-page. It provides some information on what to do with the various files we just generated. For the purposes of this tutorial I have "borrowed" their table and pasted it here, to view the original visit the OpenVPN installation guide on their homepage.
| Filename | Needed By | Purpose | Secret |
| ca.crt | server + all clients | Root CA certificate | NO |
| ca.key | key signing machine only | Root CA key | YES |
| dh{n}.pem | server only | Diffie Hellman parameters | NO |
| server.crt | server only | Server Certificate | NO |
| server.key | server only | Server Key | YES |
| ta.key | server+ all clients | Server TLS Auth Key | YES |
| client1.crt | client1 only | Client1 Certificate | NO |
| client1.key | client1 only | Client1 Key | YES |
| client2.crt | client2 only | Client2 Certificate | NO |
| client2.key | client2 only | Client2 Key | YES |
| client3.crt | client3 only | Client3 Certificate | NO |
| client3.key | client3 only | Client3 Key | YES |
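Before copying the files around it is worth confirming that they fit together. The shell script below is an example added here; it is not part of the original tutorial, of OpenVPN or of easy-rsa. It assumes the openssl command-line tool is installed and uses the file names from the table above; the function names are its own.

```sh
#!/bin/sh
# Added example (not from the original tutorial): verify the files easy-rsa
# produced before distributing them. Assumes the openssl command-line tool is
# installed; the function names are this example's own.

# cert_signed_by CA_CRT CERT: does CA_CRT validate CERT?
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_is_server CERT: was CERT built with build-key-server? That script sets
# nsCertType=server, which the client's "ns-cert-type server" line checks, so a
# server certificate made with plain build-key is rejected by every client.
cert_is_server() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'SSL Server'
}

# key_matches_cert KEY CERT: compare the RSA modulus of both files
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn CERT: print the Common Name, the identity OpenVPN logs for a client
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's|.*CN *= *||; s|[,/].*||'
}

# tls_auth_key_ok TA_KEY: "openvpn --genkey --secret" writes a 2048-bit key as
# a fixed header plus 16 lines of 32 hex digits; anything else is not a ta.key
tls_auth_key_ok() {
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$1" 2>/dev/null &&
    [ "$(grep -c '^[0-9a-f]\{32\}$' "$1")" -eq 16 ]
}

# check_server_files DIR: run every check on the server-side set from the table
check_server_files() {
    d=$1; rc=0
    cert_signed_by "$d/ca.crt" "$d/server.crt" || { echo "server.crt is not signed by ca.crt"; rc=1; }
    cert_is_server "$d/server.crt" || { echo "server.crt lacks nsCertType=server"; rc=1; }
    key_matches_cert "$d/server.key" "$d/server.crt" || { echo "server.key does not belong to server.crt"; rc=1; }
    tls_auth_key_ok "$d/ta.key" || { echo "ta.key is missing or malformed"; rc=1; }
    [ "$rc" -eq 0 ] && echo "server files in $d look consistent"
    return "$rc"
}
```

Run check_server_files against the keys directory before step 12, and cert_signed_by plus key_matches_cert on each client's pair before handing it out; a client whose key and certificate do not match fails the TLS handshake with an error that looks like a network problem.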
12. Now we need to write the server.conf file (create it as /etc/openvpn/server.conf) to set up the operation. Here is my configuration file. The key file paths are absolute so the configuration works no matter which directory openvpn is started from:
# Which local IP address should OpenVPN
# listen on? (optional)
local 173.23.1.5
port 1194
# TCP or UDP server?
proto udp
# This is key to configuring our bridge
dev tap0
# direct these to your generated files; the paths follow the copy made in step 5
ca /etc/openvpn/examples/easy-rsa/keys/ca.crt
cert /etc/openvpn/examples/easy-rsa/keys/server.crt
key /etc/openvpn/examples/easy-rsa/keys/server.key
dh /etc/openvpn/examples/easy-rsa/keys/dh2048.pem
ifconfig-pool-persist ipp.txt
# ensure the range of ip addresses you use in the last two arguments
# of this statement are not in use by either the DHCP server or any other
# device on your internal network.
server-bridge 173.23.1.5 255.255.255.0 173.23.1.60 173.23.1.70
# lets VPN clients reach each other through the server
client-to-client
keepalive 10 120
# encryption - very important ;)
# AES encryption is backed by many security firms
# however if you are concerned about speed use blowfish: "BF-CBC"
cipher AES-128-CBC
# if you have another subnet you need to provide the route
push "route 173.23.2.0 255.255.255.0"
# tls-auth: packets without a valid HMAC made with ta.key are dropped before
# the TLS handshake, which hides the server from port scans and blunts DoS attempts
tls-auth /etc/openvpn/examples/easy-rsa/ta.key 0
# compression for network speed
comp-lzo
# if packets are too large fragment them (only really useful if you have an old router)
#fragment 1400
# limit the number of connections
max-clients 5
# some security settings
# do not use if running server on Windows
user nobody
group nogroup
persist-key
persist-tun
# log file settings
status openvpn-status.log
verb 3
# authentication plugin
# forces client to have a linux account in order to connect
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
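The server-bridge line is where mistakes are easiest to make: OpenVPN refuses to start if the pool addresses are not inside the netmask given, and a pool that overlaps your DHCP range causes address conflicts the daemon cannot detect. The script below, an example added here rather than code from the tutorial or from OpenVPN, performs both checks in plain POSIX shell; its function names are its own, and the optional DHCP range arguments are an assumed convention.

```sh
#!/bin/sh
# Added example (not from the original tutorial): check the arguments of a
# "server-bridge GATEWAY NETMASK POOL_START POOL_END" line the way OpenVPN does
# at startup, plus the overlap test against the LAN's DHCP pool that the
# tutorial asks for. Pure POSIX shell arithmetic; function names are this
# example's own.

# ip2int A.B.C.D: print the address as a 32-bit integer, fail on bad input
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$o" -le 255 ] || return 1 ;;
            *) return 1 ;;
        esac
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet A B MASK: succeed if A and B fall in the same MASK-sized network
same_subnet() {
    sa=$(ip2int "$1") && sb=$(ip2int "$2") && sm=$(ip2int "$3") || return 1
    [ $(( sa & sm )) -eq $(( sb & sm )) ]
}

# ranges_overlap A1 A2 B1 B2: succeed if inclusive ranges A1-A2 and B1-B2 share an address
ranges_overlap() {
    a1=$(ip2int "$1"); a2=$(ip2int "$2"); b1=$(ip2int "$3"); b2=$(ip2int "$4")
    [ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ]
}

# check_server_bridge GATEWAY NETMASK POOL_START POOL_END [DHCP_START DHCP_END]
# prints a diagnostic and fails on the first problem found
check_server_bridge() {
    gw=$1; mask=$2; first=$3; last=$4
    for addr in "$@"; do
        ip2int "$addr" >/dev/null || { echo "bad address: $addr"; return 1; }
    done
    for addr in "$first" "$last"; do
        same_subnet "$gw" "$addr" "$mask" ||
            { echo "$gw and $addr are not in the same $mask subnet"; return 1; }
    done
    f=$(ip2int "$first"); l=$(ip2int "$last"); g=$(ip2int "$gw")
    [ "$f" -le "$l" ] || { echo "pool start $first is above pool end $last"; return 1; }
    if [ "$g" -ge "$f" ] && [ "$g" -le "$l" ]; then
        echo "gateway $gw lies inside the client pool $first-$last"; return 1
    fi
    if [ $# -eq 6 ] && ranges_overlap "$first" "$last" "$5" "$6"; then
        echo "client pool $first-$last overlaps the DHCP pool $5-$6"; return 1
    fi
    echo "ok: $(( l - f + 1 )) addresses for VPN clients"
}
```

With the tutorial's values, check_server_bridge 173.23.1.5 255.255.255.0 173.23.1.60 173.23.1.70 reports eleven usable addresses; pass your router's DHCP range as the fifth and sixth arguments to catch the overlap the comment in server.conf warns about.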
13. Now that the server is configured we need to create the bridge interface. The bridge is managed by Linux but only used by OpenVPN, so the setup is a little different from a normal interface. I did it using a script to start and stop the interface. Place this script in /etc/init.d/bridge, make it executable (chmod +x /etc/init.d/bridge) and save it with Unix line endings: a copy edited on Windows fails with a bare ": No such file or directory" because of the carriage return after the interpreter path. Then register it so it runs before openvpn at boot:
update-rc.d bridge defaults 15
Here is the script, before using you will need to edit it for your network and server settings.
#!/bin/bash
# Create global variables
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="173.23.1.5"
eth_netmask="255.255.255.0"
eth_broadcast="173.23.1.255"
gw="173.23.1.1"
start_bridge () {
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
for t in $tap; do
openvpn --mktun --dev $t
done
for t in $tap; do
ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
brctl addif $br $t
done
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
route add default gw $gw $br
}
stop_bridge () {
####################################
# Tear Down Ethernet bridge on Linux
####################################
ifconfig $br down
brctl delbr $br
for t in $tap; do
openvpn --rmtun --dev $t
done
ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
route add default gw $gw $eth
}
case "$1" in
start)
echo -n "Starting Bridge"
start_bridge
;;
stop)
echo -n "Stopping Bridge"
stop_bridge
;;
restart)
stop_bridge
sleep 2
start_bridge
;;
*)
echo "Usage: $0 {start|stop|restart}" >&2
exit 1
;;
esac
14. Now edit the client configuration file, client.conf. This will be given to your clients, together with ca.crt, ta.key and their own certificate and key, and is the file they pass to openvpn to connect to your server. In the same way you modified server.conf, edit the network information to match your setup. Here is an example of one of mine. Keep the ns-cert-type server line: it stops another client's certificate, signed by the same CA, from being used to impersonate the server. On OpenVPN 2.1 and later the equivalent, and now preferred, option is remote-cert-tls server.
client
dev tap
proto udp
# change this to your server's address
remote thebakers.no-ip.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Point the key and crt files to
# the ones for this user
tls-client
ca ca.crt
cert geoff.crt
key geoff.key
# ensure that we are talking to a server certificate, not another client's
ns-cert-type server
# confirm we are talking to the correct server
tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC
# Enable compression on the VPN link.
comp-lzo
# fragment large packets
# I found I needed this for some games but it is
# not required
#fragment 1400
# enable user/pass authentication
auth-user-pass
15. Now you are ready to test your server. Bring up the bridge and start OpenVPN from the command line:
sudo /etc/init.d/bridge start
sudo openvpn /etc/openvpn/server.conf
Look for any errors reported while OpenVPN parses server.conf. Once it logs "Initialization Sequence Completed", switch to a PC on an external network (I used my PC at work) and open the OpenVPN connection. Remember that the router in front of the server must forward UDP port 1194 to 173.23.1.5, or the client will never reach it. If everything works, reboot the server and connect again to confirm that the bridge and OpenVPN come up correctly at boot.
Once the client is connected, test it by pinging devices on your internal network. Assuming everything is connected correctly you should be able to reach them.
16. If you have trouble with step 15, the first place to look is at firewalls: on the server, on the router, and on the machines you are pinging (Windows Firewall blocks ping by default). If your server has firewall restrictions they may be blocking the bridge from operating; check your configuration and adjust as necessary. Also confirm the bridge is really carrying traffic: brctl show should list both eth0 and tap0 under br0, and if the server is a virtual machine the hypervisor must allow promiscuous mode on its virtual NIC or frames for other hosts are silently dropped. At this point your server should be running; good luck and have fun.
Post-Install
I ended up having some difficulty configuring shorewall on my OpenVPN server. It is a little tricky since you have to tell shorewall to distinguish the physical input (eth0) from the virtual input (tap0) even though both sit behind the same bridge. To do this open /etc/shorewall/hosts and add:
net br0:eth0
vpn br0:tap0
This tells shorewall to differentiate between the VPN and the insecure traffic. Once you have this you need to add the following to your policy file. This tells shorewall that the traffic from the VPN is trusted, so just let it all through:
vpn all ACCEPT
Because the vpn zone is trusted this much, every VPN user has the same access as a machine plugged into your LAN; keep the client keys and the PAM accounts tightly controlled. You will also need to declare the vpn zone in the zones file by adding:
vpn ipv4
Lastly you will need to tell shorewall that a tunnel is coming through by opening the tunnels file and adding:
openvpn net 0.0.0.0/0 vpn
Conclusion:
I hope your server is working well and that you can now play your old classic games with friends. The other benefit of this setup is that you can reach the data on your home PC from anywhere, over a link that is encrypted and authenticated between your client and the server.
Comments
odd error
I would try regenerating the client keys and then ensure that you copy them to the client correctly. (Use an MD5 sum to confirm the data copies correctly)
Cannot ping anything but the server...
Thanks for the great tutorial Geoff! I have, however, stumbled onto a problem I would like to ask for your help on. To the best of my knowledge I have my OpenVPN server configured identically to your tutorial on a clean install of Fedora 6. From my WinXP clients (the only ones I have) I can establish a connection fine, and also ping the server, but I don't seem to be able to ping any other devices on the remote network. I have tried from two different clients at two different locations with the same results each time. Any idea what I've done wrong?
Thank you!
Route
Do you have the route tables configured correctly on the local machines? Essentially you need to add a route table entry to your local networked machines informing them where to contact the remote subnet. I do this using the DHCP server on my network.
RE: Route
Hi Geoff,
I'm having this problem too - I'm using the exact same config you have supplied. I can connect to the VPN server from the client OK, and ping the server (i.e. from the client... ping -I tap0) but cannot ping other hosts on the same subnet as the server (i.e. the server IP is 192.168.1.2, I can ping that from the client through the VPN, but cannot ping the router on the subnet of the server with the IP 192.168.1.254!)
Can you please suggest what I might do to add a route to get this working???
Thank you very much for the great tutorial :-)
Reaching other machines on the server subnet
Here's a tip to anyone who might struggle with reaching other machines on the server subnet:
The network interface (eth0) must be put in promiscuous mode for the bridge/tunnel to function properly. The /etc/init.d/bridge script from this tutorial already does this. However, as I soon came to realise, running "ifconfig" displayed eth0 as being in promiscuous mode when it in fact was not(!)
In my case, I'm using VMWare ESX Server with Ubuntu 8.04 server as a Guest OS on one of the virtual machines. To enable promiscuous mode on VMWare network interfaces, you need to enable this under network settings/properties on the Host machine (Host machine->configuration->networking->properties). Once this is done, the effect should be almost instantaneous, but to be on the safe side, rebooting the OpenVPN server doesn't hurt :)
Thanks for an excellent guide!
Promiscuous
Great TIP!!! We had the same problem and we would have hardly ever found a solution if it weren't for you.
Thanks a lot!!!
Routing?
The lacking ping could be the result of a couple of things:
1. Do the remote clients get provided a route for the remote network that points to the openvpn server internal ip address?
2. Do the machines you are trying to ping have a route to get back to the openvpn clients through the server?
3. Do the machines you are trying to ping have a firewall running that is blocking pings? (Windows Firewall does this by default, turn it off and retry)
Great tutorial. thx
No such file or directory error in ubuntu
Thanks for the tutorial!
I am running ubuntu Hardy 8.04 and when I try to execute the "sudo /etc/init.d/bridge start" command, I get this:
root@server:~# /etc/init.d/bridge start
: No such file or directory
I have made the bridge file executable and given the permissions for root. I also modified it for my network.
The "update-rc.d bridge defaults 15" command worked after I created the file and added the script.
If I try to login anyway, I get this over and over:
Fri May 23 13:14:18 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Any ideas?
Thanks
bridge
When you make the bridge file executable is it located in the /etc/init.d directory?
Likely the reset error you are getting is the result of the bridge not being initialized correctly within Openvpn. Openvpn needs to launch the bridge since it also configures itself to make use of it.
Also the reset connection could be the result of firewall settings not properly defined for the tap and bridge interfaces.
bridge
Yes, my file is located in the /etc/init.d directory.
Cannot start bridge script
Hello!
First off, thanks for writing this howto. I am trying this on ubuntu Hardy 8.04 and I am having a few issues.
I was able to complete the guide. However, when I try the bridge script I get the following:
root@server:~# /etc/init.d/bridge start
: No such file or directory
I created the script and modified it to my network settings. I also made the bridge file executable.
If I try to login with the client anyway, I get this error:
Sat May 24 09:29:47 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
I wonder if the errors are related. Any ideas?
Thanks
Great tutorial; I just have a quick question
Hi Geoff,
This is a great tutorial - everything worked great. I just wanted to confirm if it is normal for the openvpn startup to be successful, then seem to hang? I press CTRL-C, and apparently it was waiting in the plugin openvpn-auth-pam.so? This is without any clients connecting.
Thank you for any help you can provide,
Trevor
New One
This is a new error to me. I would try to run the openvpn server/client without the pam authentication option. This would allow you to verify your other configuration. Then following a successful test check your openvpn install to see if that plug-in is there (Linux: /usr/lib/openvpn/)
If you are running your server on Windows then pam authentication would not be valid. You would need to link into the windows authentication, I am not sure how to do that.
Hi Geoff, This is some nice
Hi Geoff,
This is some nice documentation, but openvpn still has me pulling my hair out.
Making the bridged connection between two hosts was successful, but the problem is that I can't ping any host.
My config is:
HOST A LAN<---->HOST A INT IF<---->HOST A EXT IF<---->INTERNET<---->HOST B EXT IF<---->HOST B INT IF<---->HOST B LAN
HOST A = Server
HOST B = Client
The LAN sides on both networks have the segment of 10.0.0.0 255.255.255.0
server.conf
Local (HOST A EXT IF)
port 1194
proto udp
dev tap0
cd /usr/local/etc/openvpn
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.0.0.246 255.255.255.0 10.0.0.247 10.0.0.248
client-to-client
keepalive 10 120
cipher AES-128-CBC
tls-auth keys/ta.key 0
comp-lzo
max-clients 5
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
client.conf
client
dev tap
proto udp
remote (HOST A EXT IF) 1194
resolv-retry infinite
ping 30
ping-restart 100
persist-key
persist-tun
cd /usr/local/etc/openvpn
tls-client
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
ns-cert-type server
tls-auth keys/ta.key 1
cipher AES-128-CBC
comp-lzo
status openvpn-status.log
verb 4
On the server side i create the tap0 and bridge0 interfaces:
ifconfig tap0 create
ifconfig bridge0 create
ifconfig tap 0 promisc
ifconfig (HOST A INT IF) promisc
ifconfig bridge0 addm (HOST A INT IF) addm tap0
ifconfig bridge0 10.0.0.246 netmask 255.255.255.0 broadcast 10.0.0.255 up
On the client side i create the tap0 interface:
ifconfig tap0 create
server
xl0: flags=28943 metric 0 mtu 1500
options=9
ether 00:01:02:30:43:28
media: Ethernet autoselect (100baseTX
status: active
fxp0: flags=8843
options=8
ether 00:02:a5:ea:51:4b
inet (HOST A EXT IF) netmask 0xfffffff0 broadcast (HOST A BROADCAST)
media: Ethernet autoselect (100baseTX
status: active
bge0: flags=8802
options=9b
ether 00:0a:5e:42:4b:66
media: Ethernet autoselect (none)
status: no carrier
plip0: flags=108810
lo0: flags=8049
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
tap0: flags=28942
ether 00:bd:1a:d8:d5:00
bridge0: flags=8843
ether 16:88:b6:84:db:90
inet 10.0.0.246 netmask 0xffffff00 broadcast 10.0.0.255
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: tap0 flags=143
member: xl0 flags=143
Client
bge0: flags=8843 metric 0 mtu 1500
options=9b
ether 00:1c:c4:fa:4e:44
inet 10.0.0.249 netmask 0xffffff00 broadcast 10.0.0.255
media: Ethernet autoselect (1000baseTX
status: active
bge1: flags=8843
options=9b
ether 00:1c:c4:fa:4e:45
inet (HOST B EXT IF) netmask 0xfffffff8 broadcast (HOST B BROADCAST)
media: Ethernet autoselect (100baseTX
status: active
lo0: flags=8049
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141
tap0: flags=28943
ether 00:bd:c3:a7:91:00
inet 10.0.0.247 netmask 0xffffff00 broadcast 10.0.0.255
Opened by PID 5221
Everything is configured now and the openvpn is started first at the server side and then the client side.
The output is much bigger but is think that this is enough to see that the connection is set up.
Server
Fri Jun 6 09:06:56 2008 us=559135 (HOST B EXT IF):1194 [PHGATEWAY01] Peer Connection Initiated with (HOST B EXT IF):1194
Fri Jun 6 09:06:57 2008 us=765929 PHGATEWAY01/(HOST B EXT IF):1194 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jun 6 09:06:57 2008 us=766030 PHGATEWAY01/(HOST B EXT IF):1194 SENT CONTROL [PHGATEWAY01]: 'PUSH_REPLY,route-gateway 10.0.0.246,ping 10,ping-restart 120,ifconfig 10.0.0.247 255.255.255.0' (status=1)
Fri Jun 6 09:06:57 2008 us=857524 PHGATEWAY01/(HOST B EXT IF):1194 MULTI: Learn: 00:bd:c3:a7:91:00 -> PHGATEWAY01/(HOST B EXT IF):1194
Client
Fri Jun 6 09:58:44 2008 us=195741 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.0.0.246,ping 10,ping-restart 120,ifconfig 10.0.0.247 255.255.255.0'
Fri Jun 6 09:58:44 2008 us=195774 OPTIONS IMPORT: timers and/or timeouts modified
Fri Jun 6 09:58:44 2008 us=195783 OPTIONS IMPORT: --ifconfig/up options modified
Fri Jun 6 09:58:44 2008 us=195791 OPTIONS IMPORT: route options modified
Fri Jun 6 09:58:44 2008 us=195857 TUN/TAP device /dev/tap0 opened
Fri Jun 6 09:58:44 2008 us=195877 /sbin/ifconfig tap0 10.0.0.247 netmask 255.255.255.0 mtu 1500 up
Fri Jun 6 09:58:44 2008 us=198960 Initialization Sequence Completed
The problem is:
HOST A Server
I can ping on HOST A the bridge0 10.0.0.246
I can't ping 10.0.0.247
I can't ping 10.0.0.249
I can't ping any host on HOST B LAN
HOST B Client
I can't ping 10.0.0.246
I can't ping 10.0.0.247
I can't ping any host on HOST A LAN
Any suggestions about what I am doing wrong?
If something is missing please post or mail so i can give the information.
volmer@graspol.nl
Volmer
Hardy?
If you are using a relatively new Linux OS (Ubuntu Hardy, or other) then the bridge creation I mention here will not work. I upgraded to Hardy over the weekend and had a lot of trouble. Seems that the Linux kernel has changed to not allow bridging in the way I describe, therefore the best way to create a bridge is a little more difficult.
Perhaps that is what is causing your troubles. Look up shorewall bridge in google. Good luck.
about DH issue
Hi!
Thanks for your great tutorial, almost everything works fine, but I have an issue with DH on a CentOS machine
[root@imss keys]# openvpn --config /etc/openvpn/server.conf --tls-server
Mon Jun 23 10:48:51 2008 OpenVPN 2.1_rc7 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 19 2008
Mon Jun 23 10:48:51 2008 Cannot open /etc/openvpn/easy.rsa/keys/dh1024.pem for DH parameters: error:02001002:system
library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Mon Jun 23 10:48:51 2008 Exiting
The file exists, and also verified with
[root@imss keys]# openssl dhparam -out dh1024.pem 1024
[root@imss keys]# openssl version
OpenSSL 0.9.8b 04 May 2006
Any comment or suggestion?
Regards
Alex Escalante
MEXICO
Not sure
If as you say the file exists then perhaps you should try regenerating it?
Also check in the previous comments on this tutorial. Others had troubles with the same file (dh2048) and it turned out that the file was in a different location than what they expected and than what they told openvpn (through the configuration file).
../vars
Hi! I have a little problem, it seems like I can't do the (../vars) action, my server won't recognize the command. Should I do a chmod command first? I'm using centos5. Thanks
There is a <space> between
There is a <space> between the 2 dots.
".<space>./vars"
Amazing tutorial! Needs to be saved!
Great writeup Geoff! This worked perfectly to get my OpenVPN working on my (Hardy) Ubuntu server and Vista client. The only change was that my easy-rsa directory had a 2.0 subdirectory that I had to insert.
Would it be possible to put this information in the Ubuntu Wiki?
Subnet Error
Geoff,
Nice howto, thanks for taking the time to put it together.
I get the following error in the last step:
Options error: --server-bridge IP addresses 68.238.80.157 and 68.238.80.60 are not in the same 255.255.255.192 subnet
Use --help for more information.
I am not behind any routers, direct from cable modem.
Here is my /etc/network/interface: (modified a little for privacy)
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
address 127.0.0.1
netmask 255.0.0.0
# The primary network interface
allow-hotplug eth1
iface eth1 inet static
address 68.238.80.157
netmask 255.255.255.192
gateway 68.238.80.193
bcast 68.238.80.255
iface eth0 inet dhcp
auto eth1
My bridge.sh:
#!/bin/bash
# Create global variables
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth1"
eth_ip="68.238.80.157"
eth_netmask="255.255.255.192"
eth_broadcast="68.238.80.157.255"
gw="68.238.80.157.193"
start_bridge () {
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
for t in $tap; do
openvpn --mktun --dev $t
done
for t in $tap; do
ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
brctl addif $br $t
done
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
route add default gw $gw $br
}
stop_bridge () {
####################################
# Tear Down Ethernet bridge on Linux
####################################
ifconfig $br down
brctl delbr $br
for t in $tap; do
openvpn --rmtun --dev $t
done
ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
route add default gw $gw $eth
}
case "$1" in
start)
echo -n "Starting Bridge"
start_bridge
;;
stop)
echo -n "Stopping Bridge"
stop_bridge
;;
restart)
stop_bridge
sleep 2
start_bridge
;;
*)
echo "Usage: $0 {start|stop|restart}" >&2
exit 1
;;
esac
And my server.config file:
# Which local IP address should OpenVPN
# listen on? (optional)
local 68.238.80.157
port 1194
# TCP or UDP server?
proto udp
#This is key to configuring our bridge
dev tap0
#direct these to your generated files
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
ifconfig-pool-persist ipp.txt
#ensure the range of ip addresses you use in the last two arguments
# of this statement are not in use by either the DHCP server or any other
# device on your internal network.
server-bridge 68.238.80.157 255.255.255.192 68.238.80.60 68.238.80.157.80
#needed to allow communication to internal network
client-to-client
keepalive 10 120
#encryption - very important ;)
#AES encryption is backed by many security firms
#however if you are concerned about speed use blowfish: "BF-CB"
cipher AES-128-CBC
#if you have another subnet you need to provide the route
#I Commented out
;push "route 173.23.2.0 255.255.255.0"
#server id protection
tls-auth ta.key 0
#compression for network speed
comp-lzo
# if packets are too large fragment them (only really useful if you have an old router)
#fragment 1400
#limit the number of connections
max-clients 100
#some secuurity settings
# do not use if running server on Windows
user nobody
group nogroup
persist-key
persist-tun
#log file settings
status openvpn-status.log
verb 3
# authentication plugin
#forces client to have a linux acount in order to connect
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
Any help you can give would be greatly appreciated.
Thanks,
Rick
same problem...
Solution to everyone who can't ping other hosts then server
The solution is quite simple:
You need to allow packet forwarding.
You can test this by doing this as root:
echo 1 > /proc/sys/net/ipv4/ip_forward
Then it should work.
To make this setting permanent you can do this:
1. Edit: /etc/sysctl.conf
2. Change net.ipv4.ip_forward=0 to net.ipv4.ip_forward=1
Hope this will help all of you guys!
Maybe add this to the original thread!
Openvpn Server runs on local Firewall. Netfilter, Iptables
Hi. I was implementing OpenVPN on an Internet gateway, running
pppd for dial-up via DSL and a custom netfilter script.
For anyone who wants to do so, here is a sample of how to make sure
all of your VPN traffic is allowed without allowing too much.
In short:
pppd, DSL with static IP, but dial-in
tun, not tap -> routed, not bridged
Firewall and openvpn run on the same machine
###### 8< cut ########
# IPTABLES is assumed to be set earlier in the script, e.g. IPTABLES=/sbin/iptables
############### allow incoming OPENVPN
# this one allows incoming traffic on the local openvpn port.
# if you have changed the listening port, apply it here as well
# valid, if you have a dial-in connection via dsl (ppp, pppoe)
$IPTABLES -A INPUT -i ppp0 -p udp --dport 1194 -j ACCEPT
# this one allows all inbound traffic from your external iface to your tun device.
# you could restrict ports here as well, but the external port has already been
# restricted above
$IPTABLES -A FORWARD -i ppp0 -o tun+ -j ACCEPT
# this one allows all inbound traffic from your vpn-device to your
# internal network, where eth0 should be your LAN-interface
$IPTABLES -A FORWARD -i tun+ -o eth0 -j ACCEPT
# now that all the way from WAN to LAN is done, the answers must be allowed
# this one allows all traffic from LAN to VPN, if the connection attempt is already made
$IPTABLES -A FORWARD -i eth0 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
# same, but now VPN to access WAN
$IPTABLES -A FORWARD -i tun+ -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# WAN port may send packets from the OpenVPN port; don't forget to change it
# in case you changed it in your server configuration
$IPTABLES -A OUTPUT -o ppp0 -p udp --sport 1194 -j ACCEPT
###### 8< cut ########
I could restrict a little more, e.g. the last one with "-m state --state ESTABLISHED,RELATED",
but I found this one worked. For any suggestions, feel free to add your comments here.
Greetings. Kay Urbach
Problem with openvpn-bridge in SME Server
Hi, I have this problem:
OpenVPN start failed, the daemon is not running, tap0 doesn't have an IP, but creating certificates works fine. What could be the problem?
I'm using CentOS, smeserver-openvpn-bridge-fws-1.0-3.noarch.rpm, openvpn-2.0.7-1.el4.rf.i386.rpm,
lzo-1.08-4.2.el4.rf.i386.rpm. Could anybody help me please?
br0 Link encap:Ethernet HWaddr 00:04:76:71:B6:C6
inet addr:192.168.3.21 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12646 errors:0 dropped:0 overruns:0 frame:0
TX packets:20593 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:935089 (913.1 KiB) TX bytes:5349057 (5.1 MiB)
eth0 Link encap:Ethernet HWaddr 00:04:76:71:B6:C6
UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:16909 errors:0 dropped:0 overruns:0 frame:0
TX packets:21705 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1532091 (1.4 MiB) TX bytes:5646562 (5.3 MiB)
Interrupt:11 Base address:0xd800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1316 errors:0 dropped:0 overruns:0 frame:0
TX packets:1316 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:180755 (176.5 KiB) TX bytes:180755 (176.5 KiB)
tap0 Link encap:Ethernet HWaddr 00:FF:43:19:09:63
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:10980 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:999561 (976.1 KiB)
need asp
Excellent Article
Geoff,
I have been trying to get my OpenVPN server working within Debian for a few days now. I could get it working internally within my network, but after trying from my brother's house I could not get connected. I checked all port forwarding and firewall settings and everything was routing OK; I knew this as I was getting error messages on the Debian VPN server side when trying to authenticate. (I did have OpenVPN working on my Linksys WRT54GS router with the MMC mod and I used similar settings, but the MMC mod failed, so I set up OpenVPN this time within Debian.)
Using the OpenVPN tutorial for bridging I just could not get it to work properly (an error message in the logs due to network unreachable). Then I stumbled across your article and looked at your bridge script. Voila! Problem solved. It was all down to the gateway setting. The original OpenVPN docs mention nothing about adding the gateway to the script! I now have a secure VPN tunnel connection with my Smoothwall acting as the DHCP server.
Thanks Again
Viper
TLS Error
I am experiencing the same TLS errors as others seem to. The logs are stating that the handshake failed due to a plain text packet. I'm not certain why this could be. I have tried your tutorial twice now, both times without success.
Thanks for the great tutorial, easiest one I have come across!
Myles
Key generation (Diffie Hellman parameters)
Geoff,
Thanks for the great guide, server is up and running and apart from some dynamic dns issues, everything is perfect.
I had a quick question, I created some keys, but say I wanted to add another one for a new client. Can I just create a new client key and regenerate the Diffie Hellman parameters? This would involve me sending out the new keys to the existing clients, right?
Cheers!
VERIFY ERROR: depth=0, error=self signed certificate
I keep getting a self-signed certificate error when trying to connect :(
"openvpn --config client.conf" gives me:
+++++start+++++
Tue Mar 31 14:51:02 2009 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar 9 2009
Tue Mar 31 14:51:02 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Mar 31 14:51:02 2009 /usr/bin/openssl-vulnkey -q -b 2048 -m
/usr/bin/openssl-vulnkey:24: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
import sha
Tue Mar 31 14:51:02 2009 Control Channel Authentication: using '/home/<my_username>/.vpn/ta.key' as a OpenVPN static key file
Tue Mar 31 14:51:02 2009 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 31 14:51:02 2009 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 31 14:51:02 2009 LZO compression initialized
Tue Mar 31 14:51:02 2009 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Mar 31 14:51:02 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 31 14:51:02 2009 Local Options hash (VER=V4): '504e774e'
Tue Mar 31 14:51:02 2009 Expected Remote Options hash (VER=V4): '14168603'
Tue Mar 31 14:51:02 2009 Socket Buffers: R=[124928->131072] S=[124928->131072]
Tue Mar 31 14:51:02 2009 UDPv4 link local: [undef]
Tue Mar 31 14:51:02 2009 UDPv4 link remote: <my_external_server_ip>:1194
Tue Mar 31 14:51:02 2009 TLS: Initial packet from <my_external_server_ip>:1194, sid=510daf36 d0b24bb7
Tue Mar 31 14:51:03 2009 VERIFY ERROR: depth=0, error=self signed certificate: /C=<my_country>;/ST=<my_state>/L=<my_city>/O=<my_server>/CN=<my_name>/emailAddress=<my_email>
Tue Mar 31 14:51:03 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Mar 31 14:51:03 2009 TLS Error: TLS object -> incoming plaintext read error
Tue Mar 31 14:51:03 2009 TLS Error: TLS handshake failed
Tue Mar 31 14:51:03 2009 TCP/UDP: Closing socket
Tue Mar 31 14:51:03 2009 SIGUSR1[soft,tls-error] received, process restarting
Tue Mar 31 14:51:03 2009 Restart pause, 2 second(s)
+++++end+++++
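Two different things are going wrong in that log, and both are worth seeing in code. The VERIFY ERROR at depth 0 says the certificate the server presented does not chain to the client's ca.crt: the leaf is self-signed, for example because ca.crt and server.crt came out of separate easy-rsa runs. The earlier WARNING, "No server certificate verification method has been enabled", is a separate weakness: without a check that the peer's certificate carries the server role (OpenVPN's remote-cert-tls server directive), any holder of a CA-issued client certificate could pose as the server. The Go program below is an added example, not part of this thread or of OpenVPN itself; it builds a throwaway CA and the three kinds of certificate in memory and runs both checks the way Go's x509 verifier expresses them. All names and key material are constructed, and the error types are Go's, not OpenVPN's log strings.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds the PEM material a client would have on disk in each situation (all constructed in memory).
type Scenario struct {
	CA          []byte // ca.crt: the only certificate the client trusts
	GoodServer  []byte // server.crt issued by that CA with the server role
	SelfSigned  []byte // a server.crt the CA never signed (the "depth=0, self signed" case)
	ClientAsSrv []byte // a client.crt issued by the CA but presented in the server role
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for cn, signed by parent, or by itself when parent is nil.
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func toPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// BuildScenario plays the role of easy-rsa: one CA, a server and a client certificate from it,
// plus a server certificate made on its own, as happens when ca.crt and server.crt come from different runs.
func BuildScenario() Scenario {
	ca, caKey := issue("Example VPN CA", true, nil, nil, nil)
	server, _ := issue("vpn-server", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	client, _ := issue("laptop-client", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	rogue, _ := issue("vpn-server", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, nil, nil)
	return Scenario{CA: toPEM(ca), GoodServer: toPEM(server), SelfSigned: toPEM(rogue), ClientAsSrv: toPEM(client)}
}

// VerifyServerCert is the check a client must apply to the certificate the server presents:
// it must chain to ca.crt, and it must carry the server role (what remote-cert-tls server enforces).
func VerifyServerCert(certPEM, caPEM []byte) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("ca.crt contains no usable certificate")
	}
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("no PEM certificate presented")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	s := BuildScenario()
	for name, c := range map[string][]byte{"CA-issued server": s.GoodServer, "self-signed server": s.SelfSigned, "client cert as server": s.ClientAsSrv} {
		fmt.Printf("%-22s -> %v\n", name, VerifyServerCert(c, s.CA))
	}
}
```

The CA-issued server certificate verifies; the self-signed one fails with an unknown-authority error, the analogue of the VERIFY ERROR in the log; and the CA-issued client certificate fails only because the server role was required, which is exactly the gap the WARNING points at when no such requirement is configured.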
Bridge Script
I'm getting the same errors when trying to run the bridge script. All I get is:
# Define list of TAP Interfaces to be bridged, : No such file or directory
How can I get this to execute? The file is owned by root, has 755 permission, and is in /etc/init.d.
This problem seems to be quite frequent... What is the solution?
Sounds to me like your
Sounds to me like your script does not have the #!/bin/bash statement at the top, or the comment "#" is not properly loaded in?
Some question about shorewall config
Thanks Geoff for your great Howto.
I tested OpenVPN with no firewall blocks and it works fine.
I have the same network configuration as yours. My scenario is the following:
roadwarrior (openvpn client) -------------> Internet ------------> (X.Y.Z.W) Firewall/Gateway (10.x.x.254) --------> Local Lan -------> OpenVPN Server (10.x.x.249)
I have Shorewall 4.06 installed as firewall on my Firewall/Gateway.
I tried to add your Shorewall configuration lines, but when I run the command 'shorewall check' I get this error:
Validating hosts file...
ERROR: Unknown interface (br0) in record "net br0:eth0 "
It seems that I have to define br0 in the /etc/shorewall/interfaces file. Which are the lines to add for bridge zones and interfaces?
Thanks in advance for your reply.
Regards, Gianni.
A quick question about this great post
Hello Geoff,
thanks very much for this great Howto.
I think I have the same configuration as yours. Mine is the following:
roadwarrior (openvpn client) -------------> Internet ------------> (X.Y.Z.W - eth0) Firewall/Gateway (10.x.x.254 - eth1) --------> Local Lan -------> OpenVPN Server (10.x.x.249 - br0)
and I have Shorewall 4.06 on my firewall/gateway.
If I test the OpenVPN connection without the firewall blocking, all works fine, but I cannot configure Shorewall as you suggested.
If I set your lines in my Shorewall config and run the command 'shorewall check', I get the following error:
Validating hosts file...
ERROR: Unknown interface (br0) in record "net br0:eth0 "
I also tried to add the line:
- br0 detect
in /etc/shorewall/interfaces
but after that the error was the following:
Validating hosts file...
ERROR: Unknown interface (eth0) in record "vpn eth0:<"ip subnet 1">/24,<"ip subnet 2">/30 "
I have to allow traffic to other, older IPsec VPN tunnels that are still in use, so I changed my Shorewall files as follows:
/etc/shorewall/zones
vpn ipv4 # ipsec vpn zone
vpn1 ipv4 # openvpn zone
net ipv4
loc ipv4
/etc/shorewall/interfaces
loc eth1 10.x.x.255 routeback
- br0 detect
vpn ipsec0
/etc/shorewall/hosts
vpn eth0:<"ip subnet 1">/24,<"ip subnet 2">/30 "
net br0:eth0
vpn1 br0:tap0
My question is the following:
if I change the line:
vpn eth0:<"ip subnet 1">/24,<"ip subnet 2">/30 "
to
vpn br0:eth0:<"ip subnet 1">/24,<"ip subnet 2">/30 "
will the IPsec tunnel continue to work correctly?
I think that I will also have to change all lines with eth0 in my /etc/shorewall/masq to br0:eth0. Do you think that is correct?
Consider that not all of my net traffic is bridged.
Thanks in advance for your precious reply.
Regards, Gianni
Remote desktop problem
I have a problem connecting to Microsoft client with remote desktop over OpenVPN tunnel. Connection is established for ~5 seconds and then it gets disconnected with error message "Your remote desktop connection was broken. This might be caused by network error."
I can ping and access shared directories on this machine.
Re: Remote desktop problem
Add these lines to the end of the server.conf and client.conf files:
tun-mtu 1400
fragment 1400
mssfix
You have to restart OpenVPN for these changes to take effect.
How to generate a new certificate after some days
Hi, I have a working OpenVPN. I generated the server and client keys the first time and it works nicely, but if I want to generate a new client certificate later, which steps do I need to do?