OpenVPN
Introduction
OpenVPN is open source virtual private network software, capable of connecting computers securely across the internet.
Download
https://openvpn.net/community-downloads/
VPN Comparison
PPTP vs L2TP vs OpenVPN vs Chameleon
Overview
laptop --> openvpn --> firewall --> server --> openvpn --> files
Modem Settings
OpenVPN requires a port to be opened on the DSL/broadband modem.
Default Port: 1195 UDP
OpenVPN 2.0 HOWTO
This has nice notes and examples.
http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html
HOWTO: INSTALL:
AUTOMATED
sudo -i
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
bash openvpn-install.sh
MANUAL
Ubuntu & Debian Linux
Where <version> can be one of
- stable: stable releases only - no alphas, betas or RCs
- testing: latest releases, including alphas/betas/RCs
- release/2.3: OpenVPN 2.3 releases
- release/2.4: OpenVPN 2.4 releases, including alphas/betas/RCs
and <osrelease> depends on your distribution:
- wheezy (Debian 7.x)
- jessie (Debian 8.x)
- precise (Ubuntu 12.04)
- trusty (Ubuntu 14.04)
- xenial (Ubuntu 16.04)
- beaver (Ubuntu 18.04)
- focal (Ubuntu 20.04)
sudo -i
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/stable focal main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt-get update && apt-get install openvpn easy-rsa
https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
https://help.ubuntu.com/community/OpenVPN
Raspberry Pi
http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing
Gentoo Linux
Add the local portage file:
** UPDATE **
Version 2.1.3 is now in the Portage tree. Do not use the method below.
Skip to the section Installing the software.
The latest version available in the official Gentoo portage tree is 2.1.0; however, the latest community version of OpenVPN is 2.1.1.
Download the latest version custom ebuild and install it as follows:-
su - root
echo "PORTDIR_OVERLAY=\"/usr/local/portage\"" >> /etc/make.conf
mkdir -p /usr/local/portage/net-misc/openvpn
cd /usr/local/portage/net-misc/openvpn/
wget http://www.paully.co.uk/openvpn-2.1.1.ebuild
Download OpenVPN Community Version 2.1.1 custom Gentoo Linux ebuild by Paul Littlefield openvpn-2.1.1.ebuild 2010-05-12
Copy the important files directory:
cp -av /usr/portage/net-misc/openvpn/files /usr/local/portage/net-misc/openvpn/
Create the portage manifest file:
cd /usr/local/portage/net-misc/openvpn/
ebuild openvpn-2.1.1.ebuild digest
Update the EIX portage cache:
eix-update
Allow beta software:
echo "net-misc/openvpn ~amd64" >> /etc/portage/package.keywords
Install the software:
You will need to make sure that the minimal USE flag is not set, and that the examples and ssl USE flags are set.
echo "net-misc/openvpn -minimal examples ssl" >> /etc/portage/package.use
Then test the software.
emerge -pv openvpn
Then install the software.
emerge openvpn
SSL keys / certificates:
Change to the directory with the OpenVPN scripts to set up the keys.
cd /usr/share/openvpn/easy-rsa/
Or
cd /usr/share/easy-rsa/
Then, edit the basic parameters for the certificates. Edit the vars file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.
nano vars
export KEY_COUNTRY="UK"
export KEY_PROVINCE="Kent"
export KEY_CITY="Canterbury"
export KEY_ORG="My Company"
export KEY_EMAIL="me@mycompany.com"
Next, initialize the PKI.
source ./vars
./clean-all
./build-ca
The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:
Generating a 1024 bit RSA private key
...........................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:
State or Province Name (full name) [Kent]:
Locality Name (eg, city) [Folkestone]:
Organization Name (eg, company) [Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Company Ltd CA]:server1.company.com
Name []:
Email Address [myname@company.com]:
Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "server1.company.com".
Generate certificate & key for server
Next, we will generate a certificate and private key for the server.
./build-key-server server
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". When asked for a challenge password, leave it blank and hit Enter. Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".
Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:
./build-key-pass client1
For each client, make sure to type the appropriate Common Name when prompted, e.g. "client1", "client2" or "client3". Always use a unique Common Name for each client.
Generate Diffie Hellman parameters
Diffie Hellman parameters must be generated for the OpenVPN server.
./build-dh
Server Configuration:
This is for a Gentoo Linux server with 2 network interface cards, acting as a gateway / firewall / file share...
ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether e0:cb:4e:3a:da:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0
    inet6 fe80::e2cb:4eff:fe3a:daa4/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:50:bf:10:05:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::250:bfff:fe10:56e/64 scope link
4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/[65534]
    inet 192.168.1.1 peer 192.168.1.2/32 scope global tun0
12: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/[65534]
    inet 192.168.2.1 peer 192.168.2.2/32 scope global tun1
Create a directory for your 'named' VPN, e.g. 'vpn'...
mkdir /etc/openvpn/vpn
Copy the keys and certificates from the previous steps into the new directory...
rsync -av /usr/share/openvpn/easy-rsa/keys/* /etc/openvpn/vpn/
Routing:
Method A:
We will try the simpler method of a 'routed IP tunnel'.
OK, create the first VPN server configuration file...
nano /etc/openvpn/openvpn.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/vpn/ca.crt
cert /etc/openvpn/vpn/server.crt
key /etc/openvpn/vpn/server.key
dh /etc/openvpn/vpn/dh1024.pem
server 192.168.1.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/vpn/ipp.txt
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verb 3
log /var/log/openvpn.log
Now create the second VPN server configuration file...
nano /etc/openvpn/openvpn2.conf
port 1195
proto udp
dev tun
ca /etc/openvpn/vpn/ca.crt
cert /etc/openvpn/vpn/server.crt
key /etc/openvpn/vpn/server.key
dh /etc/openvpn/vpn/dh1024.pem
server 192.168.2.0 255.255.255.0
# Each server instance needs its own pool file; sharing ipp.txt with the
# first server would let the two daemons overwrite each other's leases.
ifconfig-pool-persist /etc/openvpn/vpn/ipp2.txt
push "route 172.20.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verb 3
log /var/log/openvpn2.log
Next, create the Gentoo Linux system start-up files...
cd /etc/init.d/
ln -s openvpn openvpn.openvpn2
rc-update add openvpn default
rc-update add openvpn.openvpn2 default
Finally, start the 2 OpenVPN servers...
/etc/init.d/openvpn start
/etc/init.d/openvpn.openvpn2 start
Check that you have both of the new VPN interfaces...
ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.1.1  P-t-P:192.168.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2294 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:247206 (241.4 KiB)

ifconfig tun1
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.2.1  P-t-P:192.168.2.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3216 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3214 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:433830 (423.6 KiB)  TX bytes:607390 (593.1 KiB)
Your log file should look like this...
tail /var/log/openvpn.log
Fri May 21 14:02:51 2010 OpenVPN 2.1.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on May 14 2010
Fri May 21 14:02:51 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri May 21 14:02:51 2010 Diffie-Hellman initialized with 1024 bit key
Fri May 21 14:02:51 2010 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri May 21 14:02:51 2010 ROUTE default_gateway=10.0.0.2
Fri May 21 14:02:51 2010 TUN/TAP device tun1 opened
Fri May 21 14:02:51 2010 TUN/TAP TX queue length set to 100
Fri May 21 14:02:51 2010 /sbin/ifconfig tun1 192.168.2.1 pointopoint 192.168.2.2 mtu 1500
Fri May 21 14:02:51 2010 /sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.2
Fri May 21 14:02:51 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri May 21 14:02:51 2010 GID set to nogroup
Fri May 21 14:02:51 2010 UID set to nobody
Fri May 21 14:02:51 2010 Socket Buffers: R=[112640->131072] S=[112640->131072]
Fri May 21 14:02:51 2010 UDPv4 link local (bound): [undef]:1195
Fri May 21 14:02:51 2010 UDPv4 link remote: [undef]
Fri May 21 14:02:51 2010 MULTI: multi_init called, r=256 v=256
Fri May 21 14:02:51 2010 IFCONFIG POOL: base=192.168.2.4 size=62
Fri May 21 14:02:51 2010 IFCONFIG POOL LIST
Fri May 21 14:02:51 2010 Initialization Sequence Completed
Method B: Bridged
to be done
Shoreline Firewall / Shorewall Configuration:
We would like to allow staff on the road (Roadwarriors :) access to the files on their server in the office. Our server acts as a gateway and firewall using 2 network interface cards (eth0 and eth1).
Internet <--> [123.456.789.0 Modem 10.0.0.2] <--> [10.0.0.1 Firewall | Server 192.168.0.1] <--> [Network]
http://www.shorewall.net/OPENVPN.html#RoadWarrior
IMPORTANT - If the roadwarrior uses a hotel WiFi, you have to allow for both ends of the tunnel being in the same IP address range. This ROUTING config will take care of that :-)
[192.168.0.x roadwarrior] <-- VPN --> [server 192.168.0.x]
Edit the Shorewall config files, adding the VPN-related lines shown below:-
/etc/shorewall/zones
###############################################################################
#ZONE   TYPE        OPTIONS         IN              OUT
#                                   OPTIONS         OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/interfaces
###############################################################################
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth0        detect          routefilter,tcpflags
loc     eth1        detect          dhcp,tcpflags
vpn     tun+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/tunnels
###############################################################################
#TYPE               ZONE    GATEWAY         GATEWAY
#                                           ZONE
openvpnserver:1194  net     0.0.0.0/0
openvpnserver:1195  net     0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/policy
###############################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:          CONNLIMIT:
#                       LEVEL   BURST           MASK
loc     net     ACCEPT
loc     fw      ACCEPT
fw      net     ACCEPT
fw      loc     ACCEPT
vpn     loc     ACCEPT
loc     vpn     ACCEPT
vpn     fw      ACCEPT
fw      vpn     ACCEPT
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/netmap
##############################################################################
#TYPE   NET1            INTERFACE   NET2
SNAT    192.168.0.0/24  tun+        172.20.0.0/24
DNAT    172.20.0.0/24   tun+        192.168.0.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Check your firewall configuration, and correct any errors.
shorewall check
Then restart.
/etc/init.d/shorewall restart
If the restart fails with the following error, the kernel lacks the NETMAP target that /etc/shorewall/netmap needs:
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Make sure CONFIG_IP_NF_TARGET_NETMAP is set in your kernel configuration.
Thanks to Gentoo Wiki.
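To see what the two netmap lines do, here is an added Python model (not part of the original page, Shorewall or OpenVPN) of the 1:1 address translation and of the route clash it avoids; the sample addresses are constructed from the page's 192.168.0.0/24 office LAN, the 172.20.0.0/24 alias and the second server's 192.168.2.0/24 pool.

```python
import ipaddress

OFFICE_LAN = ipaddress.ip_network("192.168.0.0/24")  # real office LAN on eth1
ALIAS_NET = ipaddress.ip_network("172.20.0.0/24")    # alias the roadwarrior is given
VPN_POOL = ipaddress.ip_network("192.168.2.0/24")    # second server's tunnel pool (constructed)


def netmap(addr, net1, net2):
    """1:1 NETMAP: keep the host bits of addr, swap the prefix net1 -> net2."""
    ip = ipaddress.ip_address(addr)
    if ip not in net1:
        raise ValueError(f"{addr} is not inside {net1}")
    if net1.prefixlen != net2.prefixlen:
        raise ValueError("NETMAP needs two networks of the same size")
    host_bits = int(ip) - int(net1.network_address)
    return str(net2.network_address + host_bits)


def from_vpn(src, dst):
    """Packet arriving on tun+ from the roadwarrior.
    netmap line 2: DNAT 172.20.0.0/24 -> 192.168.0.0/24 rewrites the destination."""
    return src, netmap(dst, ALIAS_NET, OFFICE_LAN)


def to_vpn(src, dst):
    """Reply from an office host leaving via tun+.
    netmap line 1: SNAT 192.168.0.0/24 -> 172.20.0.0/24 rewrites the source."""
    return netmap(src, OFFICE_LAN, ALIAS_NET), dst


def round_trip(client_tun_ip, alias_target):
    """Request to an alias address and the answer the client sees come back."""
    req_src, req_dst = from_vpn(client_tun_ip, alias_target)
    rep_src, rep_dst = to_vpn(req_dst, req_src)
    return {"lan_host_reached": req_dst, "reply_seen_from": rep_src, "reply_to": rep_dst}


def pushed_route_network(push_arg):
    """Turn the argument of push "route NET MASK" into an ip_network."""
    _, net, mask = push_arg.split()
    return ipaddress.ip_network(f"{net}/{mask}")


def route_conflicts(push_arg, client_local_lan):
    """True when a pushed route overlaps the client's own LAN, e.g. hotel WiFi on
    192.168.0.0/24 against the first server's push "route 192.168.0.0 255.255.255.0"."""
    return pushed_route_network(push_arg).overlaps(ipaddress.ip_network(client_local_lan))


if __name__ == "__main__":
    print(round_trip("192.168.2.6", "172.20.0.5"))
    print(route_conflicts("route 192.168.0.0 255.255.255.0", "192.168.0.0/24"))  # True
    print(route_conflicts("route 172.20.0.0 255.255.255.0", "192.168.0.0/24"))   # False
```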
Quick and Dirty Gentoo Linux Install
This will install OpenVPN for just 1 client, with a simple shared secret file instead of keys.
http://briancarper.net/blog/243/
Client Configuration
This will install OpenVPN so that the client can use it anywhere - even if both networks at each end of the VPN tunnel share the same IP address range.
Microsoft Windows
https://www.sparklabs.com/viscosity/download/
NOTE: The following examples are for Windows 7 64-bit; the file paths for 32-bit systems are slightly different - C:\Program Files (x86)\.
As Administrator
Install the latest OpenVPN Community Edition Microsoft Windows software from here, then reboot.
Copy the example config file (C:\Program Files\OpenVPN\config-samples\client.ovpn) into the actual config folder (C:\Program Files\OpenVPN\config) as something like 'office.ovpn' or 'server.ovpn'.
Edit the new .ovpn file, adding the following lines:
# Site details
remote server1.myoffice.com 1195
# Windows tweaks
route-method exe
route-delay 2
# Prevent caching of password in Windows
auth-nocache
The port 1195 is important, because you will be connecting to the second OpenVPN server, which then passes the requests for data through the firewall's network mapping (netmap) to the first OpenVPN server :-)
Copy the necessary client key files (ca.crt, client.crt, client.key) which have been generated from the server (as shown above) to the C:\Program Files\OpenVPN\config folder.
Follow this guide to have OpenVPN run as a privileged user; this saves following the steps in the As User section below.
As User
Right-click on the OpenVPN GUI shortcut icon, and choose Run as Administrator. Put in the Windows Administrator password and click OK.
Right-click on the little OpenVPN icon on the task bar near the clock, and choose Connect.
With any luck you will see the connection log whizz by and it will show Connected.
Then you can do a quick ping test...
ping 172.20.0.x (where x is the last number in the IP address of your server)
Then you can do a share test...
net view \\172.20.0.x
Then you can launch Windows Explorer and put the following in the address bar...
\\172.20.0.x\shared\ (or whatever your Samba share is called)
Thanks to Surfbouncer.
Linux
Install the package...
emerge openvpn
Create the directory for the VPN files...
mkdir -p /etc/openvpn/domain.co.uk
Copy the client and server files to that directory...
server1.ovpn client1.key client1.crt ca.crt
Load the tun module...
modprobe tun
Start the client...
cd /etc/openvpn/domain.co.uk
openvpn server1.ovpn
Android
OpenVPN Connect
https://play.google.com/store/apps/details?id=net.openvpn.openvpn
OpenVPN Connect does not like X509 certificates with the standard DSA encryption, so you have to change the private key to DES3 encryption before it will work and prompt you for the private key password...
cd /etc/openvpn/vpn/
openssl rsa -in client1.key -out client1_unencrypted.key            # strip the old passphrase (prompts for it)
openssl rsa -in client1_unencrypted.key -des3 -out client1_DES.key  # re-encrypt with a new passphrase
rm client1_unencrypted.key                                          # do not leave the unencrypted copy behind
mv client1_DES.key client1.key                                      # replace the original key
Then transfer the following 4 files to your MicroSD card / directory...
ca.crt client1.crt client1.key server.ovpn
Start OpenVPN Connect > Menu > Import > Import Profile from SD card > Choose server.ovpn
Type in your Private Key password but do not tick Save.
You will now connect to the VPN and Android will show a notification near the clock.
You can now use an app like X-Plore File Manager to connect to the LAN Samba server or email app.
FAQS
https://forums.openvpn.net/topic14432.html
HELP
http://wiki.hidemyass.com/Tutorials:OpenVPN_Connect_on_Android
TROUBLESHOOTING
If you receive an error saying "cannot acquire tun interface", then you need to install the TUN module into your kernel.
TUN.ko Installer
https://play.google.com/store/apps/details?id=com.aed.tun.installer
Apple
NEW
https://www.sparklabs.com/viscosity/download/
https://tunnelblick.net/cUsingTunnelblick.html#the-first-time-tunnelblick-is-run-on-a-computer
OLD
https://forums.openvpn.net/post30830.html#p30830
HOWTO: FIX:
TAP Driver Problems
Authenticate/Decrypt packet error: cipher final failed
You have to exactly match the ciphers used at both ends of the VPN tunnel because of new security rules.
Default...
cipher BF-CBC
New...
cipher AES-128-CBC
Thanks - http://matthewcasperson.blogspot.co.uk/2015/03/fixing-openvpn-authenticatedecrypt.html
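As an added example (not from the original page or from OpenVPN itself), a small Python parser for OpenVPN config files that reports the cipher each end will actually use, so a mismatch like the one above is caught before the tunnel fails with "cipher final failed". The two sample configs are constructed from the page's second server config and Windows client lines, and the BF-CBC default is the one the page states.

```python
import shlex

# The page's "Default..." value, applied when a config has no cipher line.
DEFAULT_CIPHER = "BF-CBC"

# Constructed sample: the page's second server config, which sets no cipher.
SERVER_CONF = """\
port 1195
proto udp
dev tun
server 192.168.2.0 255.255.255.0
push "route 172.20.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
"""

# Constructed sample: a client .ovpn with the page's "New..." cipher line added.
CLIENT_OVPN = """\
client
dev tun
# Site details
remote server1.myoffice.com 1195
cipher AES-128-CBC   ; from the HOWTO: FIX section
auth-nocache
"""


def parse_openvpn(text):
    """Map each directive to the list of argument lists it appears with.
    '#' and ';' start comments; quotes group arguments, e.g. push "route ...".
    """
    directives = {}
    for raw in text.splitlines():
        lexer = shlex.shlex(raw, posix=True)
        lexer.whitespace_split = True
        lexer.commenters = "#;"
        tokens = list(lexer)
        if tokens:
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def effective_cipher(directives):
    """The data-channel cipher OpenVPN will use: last 'cipher' line, else the default."""
    entries = directives.get("cipher")
    return entries[-1][0] if entries else DEFAULT_CIPHER


def cipher_mismatch(server_text, client_text):
    """Return (server_cipher, client_cipher) when the two ends differ, else None."""
    server = effective_cipher(parse_openvpn(server_text))
    client = effective_cipher(parse_openvpn(client_text))
    return None if server == client else (server, client)


if __name__ == "__main__":
    print(cipher_mismatch(SERVER_CONF, CLIENT_OVPN))  # ('BF-CBC', 'AES-128-CBC')
```

Run it against your own server.conf and client.ovpn text; a None result means both ends agree, and a tuple names the two ciphers to reconcile.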
FIX 1
If you are not running an 'Administrator' profile, then you need to ensure that the User Account Control (UAC) is enabled.
Thanks to PersonalVPN.
FIX 2 (POSSIBLE)
If you are running OpenVPN under Home Editions of Vista in a 'Standard User' profile, its permissions need to be set to allow it to run.
Log on in an administrator profile.
Open Windows Explorer and navigate to the Program Files folder, locate and right-click on the OpenVPN folder and select 'Properties' from the shell menu.
Select the 'Security' tab and click the 'Edit' button.
On the next window click the 'Add' button.
On the next window click the 'Advanced' button.
On the next window click the 'Find' button.
Under the search results click once on the user you want to add and then click the 'OK' buttons through to the window which reads 'Permissions for OpenVPN'.
In the top box click on the user just added and in the permissions box below select the check box next to 'Full Control' in the 'Allow' column.
Other possibles
http://www.surfbouncer.com/Windows_7.htm
http://forums.openvpn.net/topic9972.html
HOWTO: Change The Passphrase On An OpenVPN Key
OpenVPN keys are generated using openssl and can be edited using the openssl command.
To change the passphrase on the key use openssl to write out a new key and move it into place.
openssl rsa -des3 -in /etc/openvpn/vpn/client.key -out /etc/openvpn/vpn/client-new.key
mv /etc/openvpn/vpn/client-new.key /etc/openvpn/vpn/client.key
To remove the passphrase altogether, leave -des3 out of the openssl command.
openssl rsa -in /etc/openvpn/vpn/client.key -out /etc/openvpn/vpn/client-new.key
mv /etc/openvpn/vpn/client-new.key /etc/openvpn/vpn/client.key
Thanks - http://www.linuxsysadmintutorials.com/change-the-passphrase-on-an-openvpn-key/
HOWTO: Check the OpenVPN UDP Port Is Open
Use netcat to check the connection worked (for UDP, netcat can only report that no ICMP port-unreachable came back, so "succeeded" shows the port is not closed rather than that OpenVPN answered)...
netcat -z -v -u vpn.mydomain.com 1194
Connection to vpn.mydomain.com 1194 port [udp/openvpn] succeeded!
Check it is alive...
sudo nmap -sn server.domain.co.uk
Scan the port...
sudo nmap -sU -Pn server.domain.co.uk -p 1194
Check Server Certificate Date
openssl x509 -noout -text -in ca.crt
Check Client Certificate
openssl verify -CAfile ca.crt client.crt
client.crt: OK
If the certificate is no longer valid, the output reports the failure instead, e.g.:
error 10 at 1 depth lookup:certificate has expired
Start OpenVPN Automatically
https://www.ovpn.com/en/blog/windows-run-openvpn-automatically-on-computer-startup
Help and Troubleshooting
OpenVPN Forum - Scripts and Customisations (iptables)