[How to] Dynamic DNS and Openvpn server


by john564 » Tue Oct 30, 2012 7:29 am
################################################
#### Dynamic DNS from website http://www.no-ip.com/
################################################


# First, create an account over at http://www.no-ip.com/ then go to
# https://www.no-ip.com/members/dns/ and click "add a host".
# Then use this lazy command list for the Pi.

sudo bash
cd /usr/local/src/
wget http://www.no-ip.com/client/linux/noip-duc-linux.tar.gz
tar xf noip-duc-linux.tar.gz
cd noip-2.1.9-1/
make install

# Add a new text line /usr/local/bin/noip2 to the file /etc/rc.local
# just before its last line "exit 0" so no-ip starts automatically after reboot

nano /etc/rc.local

/usr/local/bin/noip2

#CTRL+o ENTER # write output, save in other words
#CTRL+x # exit nano editor

# start it with
sudo /usr/local/bin/noip2

# check status with
sudo /usr/local/bin/noip2 -S

# kill it
sudo /usr/local/bin/noip2 -K <pid>   # get the pid from the -S output

# If you need to recreate the default config file
sudo /usr/local/bin/noip2 -C

################################################
#### Openvpn server and client from website http://openvpn.net
################################################


# OpenVPN, based on these blogs
http://wingloon.com/2012/05/25/how-to-i ... ntication/

http://www.serverubuntu.it/openvpn-bridge-configuration

# Using an SD card with "2012-08-08-wheezy-armel"
# Remember you gotta do port forwarding, not covered in this post
# Let's get started, start with an updated installation

sudo apt-get update

# Now install openvpn
sudo apt-get install openvpn -y
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R $USER /etc/openvpn/easy-rsa/

# You can put whatever you like in the vars file, just don't leave these data fields blank
# I left everything as it was by default, even the "changeme" data

nano /etc/openvpn/easy-rsa/vars

# Now build certs and keys for server and client
# TIP: answer yes to sign and commit, leave everything else default

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
./build-key clientpi

cd /etc/openvpn/easy-rsa/keys
sudo cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
sudo mkdir $HOME/openvpn-client-files
sudo cp ca.crt clientpi.crt clientpi.key $HOME/openvpn-client-files
sudo mv $HOME/openvpn-client-files/ca.crt $HOME/openvpn-client-files/capi.crt
sudo chmod +r $HOME/openvpn-client-files/clientpi.key

# Now, copy the $HOME/openvpn-client-files directory using WinSCP to the client Windows system:
# tip: I had to copy the directory to C:\ first,
# then the directory contents (clientpi.key, capi.crt, clientpi.crt) to
# C:\Program Files (x86)\OpenVPN\config
# 32-bit Windows will have a different OpenVPN directory:
# C:\Program Files\OpenVPN\config

# in Windows, create a new text file called
# C:\Program Files (x86)\OpenVPN\config\raspberry.ovpn
# this is the OpenVPN client configuration

    client
    dev tun
    proto tcp
    remote change_this_to_your_to_own_address_from_no-ip.com 34567
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca capi.crt
    cert clientpi.crt
    key clientpi.key
    ns-cert-type server
    cipher AES-256-CBC
    comp-lzo
    verb 3


# Back to the Raspberry Pi, create a new file for the server config
# Below is my OpenVPN server configuration, saved as /etc/openvpn/server.conf

sudo nano /etc/openvpn/server.conf

    port 34567
    proto tcp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem
    server 10.8.0.0 255.255.255.0
    cipher AES-256-CBC
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    push "redirect-gateway def1"
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
    keepalive 5 30


# Nano editor TIP: CTRL+o writeout, in other words save the file
# CTRL+x exit

# uncomment to allow data redirect

sudo nano /etc/sysctl.conf

net.ipv4.ip_forward=1

# Make file for firewall setting
sudo nano /usr/local/bin/firewall.sh

    #!/bin/bash
    iptables -t filter -F
    iptables -t nat -F
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE


sudo chmod +x /usr/local/bin/firewall.sh

# run firewall
sudo /usr/local/bin/firewall.sh
# TIP: I got an error here
# /bin/bash^M: bad interpreter: No such file or directory
# it seems copying from WordPress adds hidden DOS control characters
# I had to do

sudo apt-get install dos2unix
# then
sudo dos2unix /usr/local/bin/firewall.sh
sudo /usr/local/bin/firewall.sh
# check firewall
sudo iptables --list


# put a line /usr/local/bin/firewall.sh into /etc/rc.local
# before 'exit 0' to ensure the iptables rules are created on every reboot or power up.

sudo nano /etc/rc.local

/usr/local/bin/firewall.sh

# reboot the pi
sudo reboot

# connect the VPN client from a remote location
# it did not work for me when client and server were connected
# to the same router
# check the VPN is working by checking that your IP address
# changes after you connect: http://ipchicken.com/
Last edited by john564 on Sat Jun 01, 2013 12:49 am, edited 8 times in total.
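An added post-install check for the tutorial above (my example, not john564's script): it verifies that server.conf carries the directives the tutorial uses, that server.key is owner-only, that ca.key was not left in /etc/openvpn (server.conf never reads it; the CA key is only needed to sign client certs and should be kept off the VPN host), and that the sysctl forwarding edit took effect. Paths are arguments so it can be run against a test directory; the defaults assume the tutorial's layout.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-checks the key handling and
# forwarding setup of the tutorial. Defaults match /etc/openvpn as set up above.

# 0 if FILE is readable only by its owner (mode 600 or 400).
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# 0 if the CA private key is NOT in the server directory. server.conf only
# needs ca.crt; ca.key signs client certs and belongs offline, not on the Pi.
ca_key_absent() {
    [ ! -e "$1/ca.key" ]
}

# 0 if every directive listed after the config path is present in it.
conf_has_all() {
    conf=$1; shift
    for d in "$@"; do
        grep -Eq "^[[:space:]]*$d([[:space:]]|$)" "$conf" || return 1
    done
    return 0
}

# 0 if the forwarding flag file (default: the live /proc value) reads 1.
ip_forward_on() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# Run all checks against DIR; prints one line per finding and returns the
# number of failed checks, so 0 means everything is as the tutorial intends.
check_server_dir() {
    dir=${1:-/etc/openvpn}; fwd=${2:-/proc/sys/net/ipv4/ip_forward}; fails=0
    conf_has_all "$dir/server.conf" port proto dev ca cert key dh server cipher \
        || { echo "server.conf: missing a required directive"; fails=$((fails+1)); }
    key_mode_ok "$dir/server.key" \
        || { echo "server.key: should be mode 600, owner root"; fails=$((fails+1)); }
    ca_key_absent "$dir" \
        || { echo "ca.key: remove it from $dir and keep the CA key offline"; fails=$((fails+1)); }
    ip_forward_on "$fwd" \
        || { echo "net.ipv4.ip_forward is 0; VPN clients will not reach the internet"; fails=$((fails+1)); }
    return "$fails"
}
```

Run as `sudo sh check.sh` on the Pi after the steps above; a non-zero exit lists what still needs fixing.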
by Danimal » Wed Nov 21, 2012 12:34 am
I followed this all the way through from start to finish without a hitch, until crunch time there at the end. When going to restart my openvpn

"sudo /etc/init.d/openvpn restart"

I get:

[b][ok] Stopping virtual private network daem[b][ok] Stopping virtual private network daem[b][ok] Stopping virtual private network daem[b][ok] Stopping virtual private network daem[b][ok] Stopping virtual private network daem[b][ok] Stopping virtual private network daem[b][ok] Stopping virtual private network daem[b][ok] Stopping virtual private network daemon:.
[....] Stopping virtual private network daemon: myvpnOptions error: Unknown key direction 'key' -- must be '0' [....] Stopping virtual private network daemon: myvpnOptions error: Unknown key direction [....] Stopping virtual private network daemon: myvpnOptions error: Unknown key direction 'key' -- must be '0' [....[....] Stopping virtual private network daemon: myvpnOptions error: Unknown key direction 'key' -- must be '0' [....] Stopping virtual priv
by leomoon » Sun Dec 30, 2012 8:09 am
Hello,

Very detailed tutorial. I followed everything but I keep getting error on the client side. The part I don't get is that even if I turn off the linux server, the client will give the same error. Shouldn't the client say connection failure or something like that?

Sat Dec 29 23:39:50 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Dec 29 23:39:50 2012 Re-using SSL/TLS context
Sat Dec 29 23:39:50 2012 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Dec 29 23:39:50 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Dec 29 23:39:51 2012 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Sat Dec 29 23:39:51 2012 Local Options hash (VER=V4): '3514370b'
Sat Dec 29 23:39:51 2012 Expected Remote Options hash (VER=V4): '239669a8'
Sat Dec 29 23:39:51 2012 UDPv4 link local: [undef]
Sat Dec 29 23:39:51 2012 UDPv4 link remote: 24.87.62.120:1194
Sat Dec 29 23:39:51 2012 TLS: Initial packet from 24.87.62.120:1194, sid=7c1856aa 16021aeb
Sat Dec 29 23:39:57 2012 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=CA/ST=BC/L=BBY/O=LeoMoon/OU=LMDEV/CN=LMDEV_CA/name=DEV/emailAddress=admin@leomoon.com
Sat Dec 29 23:39:57 2012 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Dec 29 23:39:57 2012 TLS Error: TLS object -> incoming plaintext read error
Sat Dec 29 23:39:57 2012 TLS Error: TLS handshake failed
Sat Dec 29 23:39:57 2012 TCP/UDP: Closing socket
Sat Dec 29 23:39:57 2012 SIGUSR1[soft,tls-error] received, process restarting
Sat Dec 29 23:39:57 2012 Restart pause, 2 second(s)

Here is the server.conf:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
#cipher none
#cipher AES-128-CBC
#cipher AES-256-CBC
cipher BF-CBC
#comp-lzo
client-to-client
persist-key
persist-tun
status openvpn-status.log
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.50.1"
keepalive 5 30
#crl-verify /etc/openvpn/easy-rsa/keys/crl.pem

And here is the client.ovpn:
client
dev tun0
proto udp
remote <ip.is.removed> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
#cipher none
#cipher AES-128-CBC
#cipher AES-256-CBC
cipher BF-CBC
#comp-lzo
verb 3
ca ca.crt
cert leomoon.crt
key leomoon.key

I checked multiple tutorials on how to setup OpenVPN on Debian/Ubuntu/Raspberry Pi. All of them are more or less the same but I get the same error on the client side on all of them.

Can someone please tell me what I'm doing wrong?
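The "VERIFY ERROR: depth=1, error=self signed certificate in certificate chain" line in the log above means the ca.crt the client trusts is not the CA that issued the certificate the server presented, so the TLS handshake fails regardless of which server answers. This added example (mine, not from the thread) uses only the openssl CLI to compare the CA copies on both sides and to check that each certificate actually chains to that CA before trying the tunnel again.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the
# "self signed certificate in certificate chain" VERIFY ERROR seen above.
# Requires the openssl command; file paths are whatever you copied around.

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...".
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//'
}

# 0 if two certificate files hold the same certificate. Compare the ca.crt
# shipped to the client against /etc/openvpn/ca.crt on the server; if they
# differ, the client was built against a different easy-rsa CA.
same_cert() {
    a=$(cert_fingerprint "$1") && b=$(cert_fingerprint "$2") \
        && [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 if CERT was issued by the CA in CAFILE. This is the verification OpenVPN
# performs during the handshake, run ahead of time on each side's files:
#   cert_signed_by ca.crt server.crt   (on the Pi)
#   cert_signed_by ca.crt leomoon.crt  (on the client)
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Issuer DN of a certificate; matches the /C=.../CN=... string that OpenVPN
# prints in the VERIFY ERROR line, so you can see which CA each side expects.
issuer_of() {
    openssl x509 -noout -issuer -in "$1" 2>/dev/null | sed 's/^issuer= *//'
}
```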
by tomw889 » Thu Jan 31, 2013 1:00 am
Here is a tutorial written for getting dynamic DNS running on Raspbian, more beginner spec:

http://www.administeria.com/raspberry-pi-dynamic-dns-on-raspbian/
by john564 » Tue Mar 19, 2013 5:32 pm
Found an error: could not copy the key file to the PC, it gives permission denied, need to change the permission
sudo chmod +r $HOME/openvpn-client-files/clientpi.key

Also, when you're finished, you should delete this temp directory $HOME/openvpn-client-files/

All I can say, for a start, just do everything the same as above, same script and names
and just get it up. Then play with your own tweaks and improvements and differences,
e.g. add tls-auth
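Adding tls-auth, as suggested above, puts an HMAC on every control-channel packet so unauthenticated hosts cannot even start a TLS handshake with the Pi. This added example (mine, not from the thread) generates the shared key with OpenVPN's own generator and appends the directive to the tutorial's server.conf and client .ovpn; it also refuses any key direction other than 0 or 1, which is exactly what OpenVPN rejects with the "Unknown key direction ... must be '0' or '1'" error Danimal hit earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the original post): add "tls-auth" to the tutorial's
# configs. Server side uses direction 0, client side direction 1, and the
# same ta.key must be copied to the client next to capi.crt/clientpi.*.

# 0 if the tls-auth direction argument is one OpenVPN accepts.
direction_ok() {
    case "$1" in 0|1) return 0 ;; *) return 1 ;; esac
}

# Generate the shared HMAC key with openvpn itself (needs the openvpn binary).
# Usage: gen_ta_key /etc/openvpn/ta.key
gen_ta_key() {
    command -v openvpn >/dev/null 2>&1 || { echo "openvpn not installed" >&2; return 2; }
    openvpn --genkey --secret "$1" && chmod 600 "$1"
}

# Append "tls-auth KEYNAME DIRECTION" to CONF unless a tls-auth line already
# exists. An invalid direction returns 1 and leaves the file untouched rather
# than writing a config the daemon will refuse to start with.
add_tls_auth() {
    conf=$1; keyname=$2; direction=$3
    direction_ok "$direction" \
        || { echo "bad key direction '$direction' (must be 0 or 1)" >&2; return 1; }
    if grep -Eq '^[[:space:]]*tls-auth[[:space:]]' "$conf"; then
        return 0   # already configured, leave it alone
    fi
    printf 'tls-auth %s %s\n' "$keyname" "$direction" >> "$conf"
}

# Print the direction configured in CONF (empty if tls-auth is absent).
tls_auth_direction() {
    awk '$1 == "tls-auth" { print $3; exit }' "$1"
}

# Typical use on the Pi from the tutorial (relative key names resolve under
# /etc/openvpn on the server, and under the config directory on the client):
#   gen_ta_key /etc/openvpn/ta.key
#   add_tls_auth /etc/openvpn/server.conf ta.key 0
#   cp /etc/openvpn/ta.key "$HOME/openvpn-client-files/"
#   add_tls_auth "$HOME/openvpn-client-files/raspberry.ovpn" ta.key 1
```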
by ludalex » Thu Apr 11, 2013 9:17 am
Great tutorial, thanks.
One problem though: I can connect just fine to my Pi and tunnel all traffic from my home Pi server to any location, but I can't access the Pi internal addresses like I normally do at home.

For example, I have sickbeard on 192.168.1.107:8080. At home, connected directly to the LAN I can access it just fine, when connected to the VPN (not under the same Internet connection, of course) I can't see anything.

Here's the server conf:
port 8080
proto udp
dev tun
ca ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30


Here's the client conf (#viscosity lines are parameters added automatically by the client I'm using):
#viscosity startonopen false
#viscosity dhcp true
#viscosity dnssupport true
#viscosity name Pi
remote ludalex.no-ip.org 8080 udp
pull
tls-client
persist-key
ca ca.crt
redirect-gateway def1
dev tun
persist-tun
cert cert.crt
comp-lzo no
nobind
key key.key
cipher AES-256-CBC


Here's a screenshot of the status of the VPN connection using Viscosity (OS X VPN client): [screenshot not reproduced]

Thanks in advance!
by ashbash » Thu Apr 11, 2013 11:40 am
Check "push route" config

Ash
by ludalex » Thu Apr 11, 2013 2:10 pm
It worked. Thanks.

Now I have another problem: where I work we have the same subnet pool (192.168.1.x) that I have at home. What's the best/easiest way to resolve this conflict? I'd like to avoid changing my home router DHCP pool addresses.
by ashbash » Thu Apr 11, 2013 2:23 pm
You know the answer, unfortunately, :cry:

Ash
by Ogoshi » Thu May 30, 2013 8:03 pm
Thank you for this guide. I could connect to my VPN, but couldn't access anything further from that (other devices on the LAN, internet). Borrowed a couple of bits from your guide and now it works perfectly :-) Cheers!
by Jamezina » Fri Aug 02, 2013 1:53 pm
First of all, thanks for the code!

ludalex wrote:It worked. Thanks.

Now I have another problem: where I work we have the same subnet pool (192.168.1.x) that I have at home. What's the best/easiest way to resolve this conflict? I'd like to avoid changing my home router DHCP pool addresses.


I was also having this problem, changed the DHCP pool addresses at home to fix it :\
EDIT: Obviously you could also change your DHCP pool addressing at work if that's easier...
by chrisjtaylor » Wed Aug 14, 2013 7:53 pm
ludalex: Where did you put the openvpn-client-files (capi.crt, clientpi.crt, clientpi.key) on your Mac? I'm not sure where they go as this tutorial assumes you're using Windows as a client.
by WV8VFD » Tue Jan 21, 2014 3:41 pm
I've done all this step by step, and I can get my client to connect, but the public IP does not change. Any suggestions? I'll post the logs when I get home.