OpenVPN Server

Hi All

Do any of you have an OpenVPN server set up in your home networks? I'm trying to set one up and it's proving to be a right pain! I have tried it on Ubuntu but the config seems very complicated to get up and running. Also tried to install the server on Windows 7 with no luck. I'm kinda easy as to which Linux distro to use, but I have never really played around with it much before.

Would be really grateful for some advice if anyone has one of these up and running. Been looking at the openvpn access server instead as this appears to have some sort of gui which may make things a little easier.

Thanks guys
 
I've got two instances built and running on Debian 7, two factor with keys and Duo Security smart phone app auth.

Give me a yell if you need a hand with your server.conf and client settings. Oh we're using Viscosity as the client as it's cross platform, recommend checking out the demo.
 
Thanks so much for the advice guys, much appreciated. I will take a look at the access server for sure as I guess it's always handy to have a GUI. Do you still need to create certs and client config files for this though?

Will take a look at the script above as mentioned as well, so thanks for that. If I'm honest, no more than 2 clients will be connected anyway as it's only going to be used while abroad and maybe in public wifi areas for me.

Never tried it on Debian to be honest. Like I say, I'm pretty new when it comes to Linux and I have only really looked at Ubuntu, but I'm willing to try other distros to see what works for me. The one part I get a little confused with when setting up is the server.conf, as it wants to use the 10.0.0.1 network. Is there a reason for this? Would rather not have to go through setting up IP tables if that's what's needed in order to be able to connect to the server on my home network.

Thanks again guys
 
It's a doddle.

Fire up a terminal, switch to root and type: "apt-get install openvpn".

You will need keys/certs for each user; the scripts to create them live in /etc/openvpn/easy-rsa. You'll need to source the .vars script to set up the environment before running the various scripts.

Check out the server and keys section in this guide:

http://dev.shyd.de/2011/02/dockstar-howto-setup-openvpn-debian/

Give us a yell when you've got that sorted and we'll talk clients. :D
 
Thanks so much for your help Randal, I'll give this a whirl in a mo. Just need to download Debian. Am I right in thinking that easy-rsa doesn't come with the newest versions of OpenVPN? Think it may have to be installed separately.
 
Thanks again for those links, can I not just do a simple apt-get install openvpn easy-rsa? Would try myself now but not in front of my Linux PC :p
 
Seems that it's in the Ubuntu repos, so should be in Debian's too...

Code:
root@bob:~# apt-get install easy-rsa
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libccid opensc pcscd
Suggested packages:
  pcmciautils systemd
The following NEW packages will be installed:
  easy-rsa libccid opensc pcscd
0 upgraded, 4 newly installed, 0 to remove and 24 not upgraded.
Need to get 945 kB of archives.
After this operation, 3,302 kB of additional disk space will be used.
 
Use a Raspberry Pi, it works a treat see http://www.raspberrypi.org/forums/viewtopic.php?t=20916


The client.ovpn file should look like this:
client
dev tun
proto udp
remote {your IP address} 1194
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
cert somename.crt
tls-auth ta.key 1
key somename.key
cipher AES-128-CBC
comp-lzo
auth-nocache

and your Server.conf file should look similar to this:
local 192.168.2.0 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
proto udp #Some people prefer to use tcp (if going through a proxy then use tcp). Don't change it if you don't know.
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Server.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.2.0 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 192.168.2.1" # This should already match your router address and not need to be changed.
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
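
Added example, not part of the original post: a small Python check that reads OpenVPN config text and reports the settings in the two files above that a reviewer would question (1024-bit DH, duplicate-cn, comp-lzo, typographic quotes, no server certificate check on the client). The sample text is a trimmed, constructed copy of those files; the host name vpn.example.net and the finding names are made up, and the DH size is only guessed from the file name.

```python
import re

# Constructed samples: trimmed copies of the server.conf and client file in the post above.
SERVER_CONF = """\
dev tun
proto udp
dh /etc/openvpn/easy-rsa/keys/dh1024.pem  # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0
push “redirect-gateway def1”
duplicate-cn
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
"""
CLIENT_CONF = """\
client
remote vpn.example.net 1194
ca ca.crt
cert somename.crt
key somename.key
tls-auth ta.key 1
comp-lzo
"""

def parse(text):
    """Yield (line_number, directive, args), skipping comments and blank lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if words and not words[0].startswith(";"):
            yield n, words[0], words[1:]

def audit(text, role):
    """Return [(line_number, finding)]; line 0 marks a missing directive."""
    found, seen = [], set()
    for n, name, args in parse(text):
        seen.add(name)
        if re.search("[“”‘’]", " ".join(args)):  # OpenVPN only understands ASCII quotes
            found.append((n, "smart-quotes"))
        m = re.search(r"dh(\d+)\.pem$", args[0]) if name == "dh" and args else None
        if m and int(m.group(1)) < 2048:  # heuristic: easy-rsa names the file after the key size
            found.append((n, "weak-dh"))
        if name == "duplicate-cn":  # one copied cert can connect alongside its owner
            found.append((n, "duplicate-cn"))
        if name == "comp-lzo" and args[:1] != ["no"]:  # compression before encryption (VORACLE)
            found.append((n, "compression"))
    if role == "client" and not seen & {"remote-cert-tls", "verify-x509-name", "ns-cert-type"}:
        found.append((0, "no-server-cert-check"))  # any cert from the CA could pose as the server
    return found

if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for line, finding in audit(conf, label):
            print(f"{label}:{line}: {finding}")
```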
 
Excellent cheers for that Randal. Now to find the dir where they have decided to install the sample config files etc :p.

Once I have generated my keys etc., am I going to need to grant myself permission to the client keys in order to be able to extract them for my Windows laptop and iPhone?
 
If you're going through a proxy (let's say at work) then change the client.ovpn TCP/IP port to 443 and then do port forwarding on your router from 443 to 1194 and add the following lines to the client.ovpn file:
http-proxy ???.???.???.??? 80 authfile.txt ntlm
http-proxy-timeout 250
http-proxy-retry

???.???.???.??? = proxy server

authfile.ntlm is a simple text file with your username on line 1 and password on the second line.
 
Just another note, although the setup is for a Pi, it's still a Debian port so the config files should be similar?
 
liamcrane said:
Once I have generated my keys etc., am I going to need to grant myself permission to the client keys in order to be able to extract them for my Windows laptop and iPhone?

You need these files
ca.crt
somename.crt
ta.key
somename.key

Try this to copy your files from the Linux box to your client PC, but create a temporary Windows share with access granted to all. Once finished, kill the share.
cd /etc/openvpn/easy-rsa/2.0/keys
# cp cannot write to an smb:// URL; smbclient uploads the file to the share instead
smbclient -N //***.***.***.***/share -c 'put somename.key'


etc.
 
Or scp them up to it.

If you wanted to be super secure disable/uninstall sshd and only access the console. Depends if it's a VM/machine on desk/computer room etc I guess. Oh and how paranoid you are. :D
 
Generated all my keys and extracted them all ok, just need some advice on setting up the server.conf and client.conf as well as setting up the IP Tables.

Thanks for the above KIA much appreciated
 