john564
Posts: 84
Joined: Tue Oct 30, 2012 7:05 am

[howto] Install latest openvpn and easyrsa3

Tue Oct 14, 2014 12:33 pm

#
#
# Summary of Files that we will use
###############################################
# Script to start openvpn [ /etc/init.d/openvpn ]
# https://www.dropbox.com/s/nz4dyons6tlsbr4/etcinitdopenvpn.sh
#
# Script to merge Client keys and certs
# https://www.dropbox.com/s/v228zvccef9d10c/merge.sh
#
# Script to merge Server keys and certs
# https://www.dropbox.com/s/9wc3we8ezfucj1j/merge_server.sh
#
# Latest openvpn source code
# http://build.openvpn.net/downloads/releases/latest/openvpn-latest-stable.tar.gz
###############################################


cd $HOME
wget http://build.openvpn.net/downloads/releases/latest/openvpn-latest-stable.tar.gz
gzip -dc openvpn-latest-stable.tar.gz | tar xvf -

# at this time, the latest is openvpn-2.4.0
# you will see what revision it is when you unzip it

# We need to add a few components to be able to compile

sudo apt-get update
sudo apt-get build-dep openvpn -y
sudo apt-get install gcc make automake autoconf dh-autoreconf file patch perl dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev -y

# This is the bit where we make and install the new openvpn server
sudo mkdir /etc/openvpn/
cd $HOME/openvpn-2.4.0/
./configure --prefix=/usr
make
sudo make install
sudo wget --no-check-cert https://www.dropbox.com/s/nz4dyons6tlsbr4/etcinitdopenvpn.sh -O /etc/init.d/openvpn
sudo chmod +x /etc/init.d/openvpn
sudo update-rc.d openvpn defaults

# Now we create keys and certs
# easyrsa3 using batch with no prompts, no password protection


mkdir $HOME/clientside
mkdir $HOME/serverside
cd $HOME/serverside
wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
unzip master.zip
cd easy-rsa-master/easyrsa3
openvpn --genkey --secret ta.key
./easyrsa init-pki
./easyrsa --batch build-ca nopass
./easyrsa --batch build-server-full server nopass
./easyrsa --batch build-client-full client1 nopass
./easyrsa gen-dh

# we will merge certs and keys into config files
# one for server and one for client


cp $HOME/serverside/easy-rsa-master/easyrsa3/pki/ca.crt $HOME/serverside/
cp $HOME/serverside/easy-rsa-master/easyrsa3/pki/issued/server.crt $HOME/serverside/
cp $HOME/serverside/easy-rsa-master/easyrsa3/pki/dh.pem $HOME/serverside/dh2048.pem
cp $HOME/serverside/easy-rsa-master/easyrsa3/pki/private/server.key $HOME/serverside/
cp $HOME/serverside/easy-rsa-master/easyrsa3/ta.key $HOME/serverside/
cp $HOME/serverside/easy-rsa-master/easyrsa3/pki/issued/client1.crt $HOME/clientside/
cp $HOME/serverside/easy-rsa-master/easyrsa3/ta.key $HOME/clientside/
cp $HOME/serverside/easy-rsa-master/easyrsa3/pki/ca.crt $HOME/clientside/
cp $HOME/serverside/easy-rsa-master/easyrsa3/pki/private/client1.key $HOME/clientside/

# Client Script
nano $HOME/clientside/raspberrypi.ovpn

client
dev tun
proto udp
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

# Now merge certs and keys into client script, so we only have one file to handle
cd $HOME/clientside/
wget --no-check-cert https://www.dropbox.com/s/v228zvccef9d10c/merge.sh -O merge.sh
sudo chmod +x merge.sh
sudo ./merge.sh
sudo chown $USER $HOME/clientside/raspberrypi.ovpn

# Now transfer client script raspberrypi.ovpn
# in $HOME/clientside/ to your client PC
# Due to permissions, I had to transfer it to C:\
# Then in windows, copy the file
# to C:\Program Files (x86)\OpenVPN\config

# Server Script

nano $HOME/serverside/server.conf

port 34557
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
dh dh2048.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30

# Now merge certs and keys into server script, so we only have one file to handle
cd $HOME/serverside/
wget --no-check-cert https://www.dropbox.com/s/9wc3we8ezfucj1j/merge_server.sh -O merge_server.sh
sudo chmod +x merge_server.sh
sudo ./merge_server.sh

# Now copy the merged server script to /etc/openvpn/
sudo cp $HOME/serverside/server.conf /etc/openvpn/

# uncomment to allow data redirect
sudo nano /etc/sysctl.conf

net.ipv4.ip_forward=1

#
# The firewall settings can really screw everything up.
# There are a number of ways; it depends on how you're using the Pi.
# I am using it as a headless remote server, this means no desktop
# environment, and no other conflicting firewall data loaded.
# Here is alternative firewall data using a static IP address
# (check with ifconfig). Also this should be the firewall.sh file
#
# iptables -t nat -A POSTROUTING -s VPNIP -o interface -j SNAT --to-source LOCALIP
#
# e.g.
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.0.0.2
#
# And Start everything
# sudo sysctl -w net.ipv4.ip_forward=1
#
#
#

# Make file for firewall setting

sudo nano /usr/local/bin/firewall.sh

#!/bin/bash
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE

# Make firewall script executable, run it and check
sudo chmod +x /usr/local/bin/firewall.sh
sudo /usr/local/bin/firewall.sh
sudo iptables --list

# add new text line into file /etc/rc.local
# before 'exit 0' to ensure the firewall rules are run at reboot or power up.

sudo nano /etc/rc.local

/usr/local/bin/firewall.sh

# reboot the pi
sudo reboot

# Connect VPN client from remote location
# does not work when client and server are connected
# to same router and you try external IP address.
# If you want to do a local test at home
# connect to local IP address of server e.g. 192.168.1.4
# when you go to your remote location, connect to no-ip address or external static IP
Last edited by john564 on Sat Feb 18, 2017 10:45 am, edited 6 times in total.
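Added example, not john564's merge.sh or merge_server.sh (the post only links them from Dropbox and does not show them): a POSIX shell script that does the same merge step for either side, turning the `ca`, `cert`, `key`, `dh` and `tls-auth` directives in a base config into the inline `<ca>`...`</ca>` style blocks that OpenVPN accepts, and turning the direction argument of `tls-auth ta.key 1` (or `0` for the server) into a `key-direction` line. It refuses to inline a missing or truncated PEM file, and makes the merged profile owner-readable only, since it now carries the private key. The function names and the placeholder PEM files in `make_sample_pki` are mine and constructed for a dry run; they are not real keys.

```shell
#!/bin/sh
# Added example (not the thread's merge.sh): inline the files named by
# ca/cert/key/dh/tls-auth directives into one OpenVPN profile.

# pem_ok FILE MARKER: only inline a non-empty file with matching PEM
# BEGIN/END lines, so a missing or truncated key fails here rather than
# producing a profile that silently cannot complete the TLS handshake.
pem_ok() {
    [ -s "$1" ] && grep -q "^-----BEGIN .*$2-----" "$1" \
                && grep -q "^-----END .*$2-----" "$1"
}

# inline_block TAG FILE: print <TAG>, the file contents, </TAG>
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# merge_ovpn BASE_CONF OUT: file arguments in BASE_CONF are resolved
# relative to the directory BASE_CONF lives in.
merge_ovpn() {
    base=$1; out=$2; dir=$(dirname "$base")
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f   # split directive + args, no globbing
        case "$1" in
            ca|cert)  marker="CERTIFICATE" ;;
            key)      marker="PRIVATE KEY" ;;      # easyrsa3 writes PKCS#8 keys
            dh)       marker="DH PARAMETERS" ;;
            tls-auth) marker="OpenVPN Static key V1" ;;
            *) printf '%s\n' "$line" >> "$out"; continue ;;   # pass through
        esac
        file="$dir/$2"
        pem_ok "$file" "$marker" || { echo "bad or missing $1 file: $file" >&2; return 1; }
        # the direction argument (0 server / 1 client) must survive as key-direction
        [ "$1" = tls-auth ] && [ -n "$3" ] && printf 'key-direction %s\n' "$3" >> "$out"
        inline_block "$1" "$file" >> "$out"
    done < "$base"
    chmod 600 "$out"   # the profile now contains the private key
}

# make_sample_pki DIR: constructed placeholder files (NOT real keys) shaped
# like easyrsa3 output, plus the howto's client config, for a dry run.
make_sample_pki() {
    d=$1; mkdir -p "$d"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT' '-----END CERTIFICATE-----' > "$d/client1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$d/client1.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER-TA' '-----END OpenVPN Static key V1-----' > "$d/ta.key"
    cat > "$d/client.conf" <<'EOF'
client
dev tun
proto udp
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
verb 3
EOF
}

# demo: merge the constructed client config and show the result
demo_merge() {
    d=$(mktemp -d)
    make_sample_pki "$d"
    merge_ovpn "$d/client.conf" "$d/raspberrypi.ovpn" && cat "$d/raspberrypi.ovpn"
}
demo_merge
```

For the server side the same call works on server.conf in $HOME/serverside (`merge_ovpn server.conf server.merged.conf`): the `dh dh2048.pem` line becomes a `<dh>` block and `tls-auth ta.key 0` becomes `key-direction 0`, which is the layout sberniz's merged server.conf further down the thread shows.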

slate
Posts: 1
Joined: Mon Nov 03, 2014 3:48 am

Re: [howto] Install latest openvpn and easyrsa3

Mon Nov 03, 2014 11:12 pm

Thanks for this write-up. I had tried several other methods (L2TP and OpenPVN) without any luck. This was the first one that actually worked. Of course, it might have also been due to the fact that I upgraded my DSL router/firewall with slightly newer code just before trying this method. It's working, so I don't care to try the others again to verify!

slate

sberniz
Posts: 7
Joined: Tue Nov 04, 2014 3:38 am

Re: [howto] Install latest openvpn and easyrsa3

Tue Nov 04, 2014 3:49 am

Hello. I've followed everything here and on the server side it seems to work. However, my friend who is supposed to connect to the VPN gets an error with the config file I sent him. He is connecting from a Linux machine as well. He gets a tls-auth error, check network connectivity. Does anyone know why that is?
Thanks.

john564
Posts: 84
Joined: Tue Oct 30, 2012 7:05 am

Re: [howto] Install latest openvpn and easyrsa3

Tue Nov 04, 2014 5:43 pm

sberniz wrote:Hello. I've followed everything here and on the server side it seems to work. However, my friend who is supposed to connect to the VPN gets an error with the config file I sent him. He is connecting from a Linux machine as well. He gets a tls-auth error, check network connectivity. Does anyone know why that is?
Thanks.
does it work locally for you, for IP address, use the local address of PI , e.g. 192.168.1.3
not your external IP you give him.

if it works locally, then your problem is either
1) router port forwarding
2) router firewall
3) you give him wrong external IP address

sberniz
Posts: 7
Joined: Tue Nov 04, 2014 3:38 am

Re: [howto] Install latest openvpn and easyrsa3

Wed Nov 05, 2014 5:06 am

Thanks for the reply. It looks like it is working now; it looks like it was a conflict with the IP address, both being 192. However, how can I do route forwarding so that he can access my network printer and shared files, or share a folder on the network for him to access? He is using Ubuntu, I'm using Kubuntu. Below is my server configuration file.

port 34557
proto udp
dev tun
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun

user nobody
group nogroup
status openvpn-status.log
verb 3

push "redirect-gateway def1"
push "dhcp-option DNS 176.16.0.1"
push "dhcp-option DNS 172.16.0.1"
keepalive 5 30
key-direction 0
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----END CERTIFICATE-----
</cert>
<key>

-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>
<dh>
-----BEGIN DH PARAMETERS-----

-----END DH PARAMETERS-----
</dh>


random_comments
Posts: 2
Joined: Wed Nov 05, 2014 7:44 am

Re: [howto] Install latest openvpn and easyrsa3

Wed Nov 05, 2014 7:54 am

I'm very much a RPi noob, so I could use your expert guidance. If I'm using a dynamic dns service, would I install ddclient and then use my assigned URL in the client script? So...

remote change_this_to_server_address 34557
would become

remote http://example.dynamic.dns.url 34557
Thanks!

john564
Posts: 84
Joined: Tue Oct 30, 2012 7:05 am

Re: [howto] Install latest openvpn and easyrsa3

Wed Nov 05, 2014 9:38 am

sberniz wrote:Thanks for the reply. It looks like it is working now; it looks like it was a conflict with the IP address, both being 192. However, how can I do route forwarding so that he can access my network printer and shared files, or share a folder on the network for him to access? He is using Ubuntu, I'm using Kubuntu. Below is my server configuration file.
never tried it
But I know you need different iptables firewall rules.
and not sure what changes (if any) you might need to make to the server script

If you can figure it out, please share

john564
Posts: 84
Joined: Tue Oct 30, 2012 7:05 am

Re: [howto] Install latest openvpn and easyrsa3

Wed Nov 05, 2014 9:44 am

random_comments wrote:. If I'm using a dynamic dns service, would I install ddclient and then use my assigned URL in the client script? So...

remote change_this_to_server_address 34557
would become

remote http://example.dynamic.dns.url 34557
Thanks!
I use it as

remote example.dynamic.dns.url 34557
without the http://

random_comments
Posts: 2
Joined: Wed Nov 05, 2014 7:44 am

Re: [howto] Install latest openvpn and easyrsa3

Wed Nov 05, 2014 9:57 am

john564 wrote:
random_comments wrote:. If I'm using a dynamic dns service, would I install ddclient and then use my assigned URL in the client script? So...

remote change_this_to_server_address 34557
would become

remote http://example.dynamic.dns.url 34557
Thanks!
I use it as

remote example.dynamic.dns.url 34557
without the http://
Thanks for the clarification. I'm having a problem with one of your lines:

debhelper devscripts gnupg lintian quilt libtool pkg-config libssl-dev liblzo2-dev
My pi is returning "-bash: debhelper: command not found". It's probably something simple, but I'm not seeing it. Any suggestions? I'm running Raspbian from NOOBS.

john564
Posts: 84
Joined: Tue Oct 30, 2012 7:05 am

Re: [howto] Install latest openvpn and easyrsa3

Wed Nov 05, 2014 1:21 pm

sudo apt-get install gcc make automake autoconf dh-autoreconf file patch perl dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev chkconfig -y

all one line

sberniz
Posts: 7
Joined: Tue Nov 04, 2014 3:38 am

Re: [howto] Install latest openvpn and easyrsa3

Thu Nov 06, 2014 5:36 am

john564 wrote:never tried it
But I know you need different iptables firewall rules.
and not sure what changes (if any) you might need to make to the server script

If you can figure it out, please share
I found a tutorial the other day and for some reason I can't find it. However, I think the tutorial was for Windows clients. I'll try this one, editing for Linux maybe:
https://forums.openvpn.net/topic10565.html

Question about certificates. Does each computer need to have a separate certificate, or should I just transfer the certificate to all client PCs that I want to connect to the VPN server?

john564
Posts: 84
Joined: Tue Oct 30, 2012 7:05 am

Re: [howto] Install latest openvpn and easyrsa3

Thu Nov 06, 2014 6:56 am

sberniz wrote: Question about certificate. Does each computer need to have a separate certificate or should i just transfer the certificate to all client pc's that i want to connect to the vpn server??
Just use the one client script e.g. raspberrypi.ovpn with inline certs/keys on all devices,
the idea of different certs/keys is so you can revoke user rights later.

sberniz
Posts: 7
Joined: Tue Nov 04, 2014 3:38 am

Re: [howto] Install latest openvpn and easyrsa3

Thu Nov 06, 2014 7:18 am

Thanks John for the reply.
My friend looks like he can be connected to my VPN because I can ping his IP, but his internet connection is failing for the web browser. Also, he gets "Linux route add failed" when he tries to connect the OpenVPN. On Linux, how does the client.conf work? Do I have to run it manually or just put it in the /etc/openvpn folder
and restart openvpn? I'm really new with this so I'm learning by trial and error, but have already been trying for 5 days.
thanks again.

sberniz
Posts: 7
Joined: Tue Nov 04, 2014 3:38 am

Re: [howto] Install latest openvpn and easyrsa3

Thu Nov 06, 2014 7:23 am

Also, the same certificate configuration worked on windows client but not on linux?..

sberniz
Posts: 7
Joined: Tue Nov 04, 2014 3:38 am

Re: [howto] Install latest openvpn and easyrsa3

Sat Nov 08, 2014 6:07 am

Still can't connect. I followed all steps and redid a new certificate. Now still getting a TLS handshake error, check connectivity.
Any ideas? Shouldn't be a firewall problem, since I tried it before with a different configuration and was able to connect.
any help appreciated
thanks

plugh
Posts: 41
Joined: Sun Dec 02, 2012 6:58 pm

Re: [howto] Install latest openvpn and easyrsa3

Sun Jul 26, 2015 1:06 pm

Not trying to hijack an (oldish) thread, but it seemed a good place to post this for docu purposes...

I recently needed openvpn 2.3 on Raspbian wheezy to use a particular VPN provider. Build instructions similar to the base note were provided, but the end result using the current openvpn tarball had issues. Browsing around the net I came across this page. Further investigation revealed 'official' openvpn and easy-rsa Debian wheezy armhf backports existed, dated Dec 2014.

The general procedure on that page worked like a charm, with the following notes/caveats.

1) When you edit sources.list, uncomment the existing Raspbian deb-src line before adding the backports deb-src, and don't forget to 'apt-get update' afterwards.

2) Not sure how critical it is, but it seems there are now two keys needed to make apt happy. Do the gpg steps for both 8b48ad6246925553 and 7638d0442b90d010 key ids.

3) Prior to installing the resulting *.deb files on a virgin Raspbian wheezy system, add and/or update to the latest Raspbian versions of these packages:
apt-get install libssl1.0.0 liblzo2-2 libpam0g libpkcs11-helper1 openssl

plugh

edit: just in case that page disappears down the road...

The easiest way to build a package from Wheezy backports on the Pi is as follows. Add the source repository to /etc/apt/sources.list:

deb-src http://ftp.debian.org/debian/ wheezy-backports main

And add the backports public key:

gpg --keyserver pgpkeys.mit.edu --recv-key 8B48AD6246925553
gpg -a --export 8B48AD6246925553 | sudo apt-key add -

Let's say we need package $PACKAGE version $VERSION (an easy way to see what's available in which release is to go to http://packages.debian.org/$PACKAGE). First install the build dependencies:

apt-get build-dep "$PACKAGE=$VERSION"

Then get the package source and compile it:

apt-get source "$PACKAGE=$VERSION"
cd $PACKAGE*
dpkg-buildpackage

Install the package:

dpkg -i $PACKAGE*.deb

marmotte
Posts: 1
Joined: Tue Dec 27, 2016 4:59 pm

Re: [howto] Install latest openvpn and easyrsa3

Tue Dec 27, 2016 5:06 pm

Thanks to this nice tut', I migrated this morning my server from Windows to my newly acquired Rasp :)

I just have one question: what's the best way to update OpenVPN once a new version has been released without messing with the configuration?
