Fri, 20 Jan 2012
/Admin/OpenVPN:
Basic OpenVPN as an Internet Gateway
Aka. How to bore through the Great Firewall if you do not want to use an SSH tunnel.
This[1] is the OpenVPN documentation, but it is not altogether straight-forward to read, and it is
missing some necessary detail.
This[2] will get OpenVPN basically working and connected for you. First create your keys:
<![CDATA[
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
. ./vars
./clean-all
./build-ca
./build-key server
./build-key <client>
./build-dh
]]>
Here I would add a warning from [1] that when creating your certificates above you must enter
something at the "Common Name" prompt. My first time I just accepted all the defaults and got a
connection error when I tried to start OpenVPN on my client. The second time, with a "Common Name" on
the server certificates, everything just worked.
Then distribute the keys to server and client(s) per the references.
This will get the VPN client to the VPN server. However, we want to route *all* network traffic on the
client through VPN and out to the internet. There are two components to this: some additional OpenVPN
configuration, and some routing configuration on the server.
On my VPN server, this is my /etc/openvpn/server.conf:
port 1348
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.10.10.0 255.255.255.0 # vpn subnet
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
; group nobody
persist-key
persist-tun
verb 10
mute 20
client-to-client
client-config-dir ccd "route 134.33.0.0 255.255.0.0"
; push "route 192.168.1.0 255.255.255.0" # home subnet
push "redirect-gateway def1"
push "dhcp-option DNS 10.10.10.1"
This should be the same as in [2] except that "group nobody" line did not work on my Ubuntu Lucid
server for some reason, and the last two "push" lines are what is needed on the server end to tell
connecting clients to redirect all network traffic to the VPN. (Though I am not convinced that last
dhcp line is having any effect on my Debian box at the moment....) Also, per [1], note that if your
network interface is DHCP, it may die periodically because it is unable to communicate with your DHCP
server.
On my VPN client, this is my /etc/openvpn/client.conf:
client
dev tap
proto udp
resolv-retry infinite # this is necessary for DynDNS
nobind
user nobody
; group nobody
persist-key
persist-tun
ca ca.crt
cert x60s.crt
key x60s.key
comp-lzo
verb 4
mute 20
which is the same as in [2], except for commenting out "group nobody", which did not work on my Debian
Testing client machine.
Now for routing on the server. What a PITA. I tried at some length to get raw iptables to do the job,
but in the end turned to my old faithful, firehol. Here is my /etc/firehol/firehol.conf on my server,
which enables the routing of traffic between tap0 (VPN) and eth0 (internet):
version 5
# interface eth0 internet
interface eth0 internet
protection strong 10/sec 10
server "https http icmp ssh" accept
server openvpn accept
server ident reject with tcp-reset
client all accept
interface tap0 vpn
server all accept
client all accept
router internet2vpn inface eth0 outface tap0
masquerade reverse
client all accept
server ident reject with tcp-reset
(After the fact, I ran into this[3] very interesting post....)
[1] http://www.openvpn.net/index.php/open-source/documentation/howto.html
[2] https://www.debian-administration.org/article/Connecting_to_office_network_using_OpenVPN_tunnel
[3] http://www.hermann-uwe.de/blog/howto-using-openvpn-on-debian-gnu-linux
posted at: 09:58 | path: /Admin/OpenVPN | permanent link to this entry
