OpenVPN tutorial


75 posts, page 1 of 3
by Thijxx » Wed Oct 24, 2012 2:18 pm
This tutorial is based on the Raspberry Pi version B (thanks for the extra memory!) loaded with "2012-09-18-wheezy-raspbian". I've used this tutorial for Debian 6 and Debian 7 as well, on my VPS and in virtual machines; it seems to be kind of 'one size fits all'.
So if you use Jessie, you may want to use this tutorial here: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8

Updated: 15-02-2016
    Added some info about possibly changed path when using Jessie
    Added a single new bad joke about David
---------------------------------------

Installation

This installs the OpenVPN software:
Code:
sudo apt-get install openvpn

The Bridge Utility (not necessary):
Code:
sudo apt-get install bridge-utils

This is the 'locate' tool so you can find stuff (not necessary):
Code:
sudo apt-get install locate

---------------------------------------

Configuration
Now that we have all the software in place, we need to configure the server, the client, some certificates, keys, parameters, variables and more (yay, fun!)

Locate your easy-rsa folder; it is at /usr/share/doc/openvpn/examples/easy-rsa
Code:
cd /usr/share/doc/openvpn/examples/easy-rsa

If you are having trouble finding it, try the following:
Code:
sudo updatedb
locate easy-rsa


Once we find the folder, we need to copy it to /etc/openvpn.
As David (he he he) pointed out, in Jessie the files may be somewhere else, like
Code:
/usr/share/easy-rsa/
so make sure you check that.
Code:
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn


Get in there :)
Code:
cd /etc/openvpn/easy-rsa/2.0


Now we need to edit some variables, to make things easier for us.
Code:
sudo nano vars


Once you open up the file vars, you should see something like the following at the bottom:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanDiego"
export KEY_ORG="OpenVPN"
export KEY_EMAIL="myemail@mydomain.com"

Change those values to reflect your values.

Also change
Code:
export KEY_SIZE=1024
into
Code:
export KEY_SIZE=2048
for better encryption.

Watch out, this is: dot, space, dot, slash, "vars"
Code:
. ./vars


And then, to wipe the plate clean and create a fresh certificate authority:
Code:
sudo ./clean-all
sudo ./build-ca


You'll get a lot of questions, but you already set the default answers in the 'vars' file, so you can ENTER through this. You may want to give it a nice 'Common Name' when asked.

If you get this error:
Code:
Please edit the vars script to reflect your configuration,
  then source it with "source ./vars".
  Next, to start with a fresh PKI configuration and to delete any
  previous certificates and keys, run "./clean-all".
  Finally, you can run this tool (pkitool) to build certificates/keys.

Then please do this:
Code:
sudo /bin/bash
. ./vars
./clean-all
./build-ca


Now let's generate the 'server key':
Code:
./build-key-server server


And to create the 'client key' (just one for now):
Code:
./build-key client1

Again it asks for some information, ENTER it away and maybe give it a nice name like "client 1".

Extra clients
In case you want extra clients, you can re-run this command (now or later) like this:
Code:
sudo ./build-key client2

The ca.crt will be the same file, as it identifies the server; the client.key and client.crt will be different for every client, as they identify the specific client. With these 3 files you should be able to connect any client.

Now it's time for Diffie Hellman to do a trick. (Diffie must be some amazing person!)
Code:
./build-dh

http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

So now we have a lot of nice files, keys, certificates, the works. They must be copied to the directory where OpenVPN will look for them (from /etc/openvpn/easy-rsa/2.0/keys):
Code:
cd /etc/openvpn/easy-rsa/2.0/keys
sudo cp ca.crt ca.key dh2048.pem server.crt server.key /etc/openvpn


We need to edit the openvpn.conf file, but first we need to get one from the 'examples' directory and copy it to the /etc/openvpn directory.
Code:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
sudo gunzip /etc/openvpn/server.conf.gz
sudo nano /etc/openvpn/server.conf


Check that the .crt and .key files are pointing to the right files you've just created.
Change
Code:
dh dh1024.pem
into
Code:
dh dh2048.pem

CTRL-X, Y, ENTER to close NANO and save your changes.

Time to start the server:
Code:
sudo /etc/init.d/openvpn start


The server acts like a new network interface with a brand spanking new IP address you set up in the config file or left default. Either way, you can PING this IP to make sure it's working.

---------------------------------------

Client time!

I've used a Mac with the tool Tunnelblick and my iPhone and iPad with THE OpenVPN app. Tunnelblick is a bit crazy software; you should use it exactly the way you're supposed to or it will crash, burn, disappear or give you some pop-up loop with many questions.
You may need to download a Windows tool if you are unfortunate and run Windows: http://www.openvpn.se
And here is the iOS app: https://itunes.apple.com/uk/app/id590379981?mt=8
The Android people may want to use this: https://play.google.com/store/apps/details?id=de.blinkt.openvpn

The client connection is based on a couple of files, and those files are all named in the client.conf file. Getting these files off the Pi onto your client can be a real challenge if you do not run FTP or something similar. The trick is using SCP; find instructions here: http://www.garron.me/en/linux/scp-linux-mac-command-windows-copy-files-over-ssh.html
Copy the following files to your wannabe OpenVPN Client:
    client.crt
    client.key
    ca.crt

The fourth file is the config file, in that config file we will point to the client.crt, client.key and ca.crt files so if those files have a different name in your configuration (be creative!) make sure to edit the client.conf. Also, some clients need a .ovpn file, just rename the .conf file.
Looking for config file examples? http://openvpn.net/index.php/open-source/documentation/howto.html#examples

To configure iOS for OpenVPN using a Raspberry Pi:
    Download the iOS app
    Connect to iTunes - go to your device - click Apps - click OpenVPN. (hope I got this right, can't open iTunes anymore, worst software in the world, ever.)
    Copy Client.crt, Ca.crt and Client.conf to the iOS device.
    You cannot copy the .KEY file; you can open it on the Pi using the command line and then copy/paste the key off your screen into a local TEXT file. Save that file as client.key and then add it to iTunes. _there must be a better way to do this but I didn't find it out_
    Now your iOS client OpenVPN shows a profile and you can connect using it.

If you have this working on the local network, feel free to open it up to the internet for your remote access.

How? It depends on your local setup. These are the ports: TCP 443, UDP 1194.
It's kind of a choice between TCP 443 and UDP 1194: the UDP port runs more smoothly but is more likely to be blocked by 'the coffeeshop', 'library wifi' or the network in your 'mental institution', so you can also use the standard, not-blocked 443 port.
Last edited by Thijxx on Mon Feb 15, 2016 7:35 pm, edited 10 times in total.
Posts: 86
Joined: Mon Oct 22, 2012 1:25 pm
Location: The Netherlands
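As an added example (not part of Thijxx's post or the OpenVPN project), here is the single-file alternative to shipping client.crt, client.key and ca.crt separately: a short Python script that folds the three PEM files into client.conf as inline <ca>, <cert> and <key> blocks, which is the one-file .ovpn layout the iOS and Android apps import as a profile. The file names follow the tutorial; the remote host name and the PEM bodies are constructed placeholders, not real certificates or keys.

```python
"""Build one inline .ovpn profile from client.conf plus ca.crt, client.crt and client.key.

Added example, not from the original post. It assumes the easy-rsa 2.0 file
names used in the tutorial and a client.conf that names them with the
'ca', 'cert' and 'key' directives; vpn.example.org is a placeholder host.
All inputs are constructed so the script runs offline.
"""
import re

# One PEM object: the BEGIN/END labels must match each other.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.+?\r?\n-----END \1-----", re.S)


def check_pem(name, text):
    """Refuse to embed anything that is not exactly one PEM block; return its label."""
    labels = PEM_RE.findall(text)
    if len(labels) != 1:
        raise ValueError(f"{name}: expected one PEM block, found {len(labels)}")
    return labels[0]


def build_inline_ovpn(conf_text, files):
    """Return conf_text with each 'ca/cert/key <file>' line replaced by an inline block.

    files maps a directive name ('ca', 'cert', 'key') to the PEM text of that
    file. Every other line (remote, proto, port, comp-lzo, ...) is copied as-is,
    so the profile still matches what the server.conf from the tutorial expects.
    """
    out, inlined = [], set()
    for line in conf_text.splitlines():
        tokens = line.strip().split()
        if tokens and tokens[0] in files:
            directive = tokens[0]
            check_pem(directive, files[directive])
            out += [f"<{directive}>", files[directive].strip(), f"</{directive}>"]
            inlined.add(directive)
        else:
            out.append(line)
    missing = set(files) - inlined
    if missing:
        raise ValueError(f"client.conf never references: {sorted(missing)}")
    return "\n".join(out) + "\n"


# Constructed sample client.conf; the remote is a placeholder for the Pi's public name.
SAMPLE_CONF = """\
client
dev tun
proto udp
remote vpn.example.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
"""

# Constructed placeholder PEM bodies: not real certificates or keys.
SAMPLE_FILES = {
    "ca": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0E=\n-----END CERTIFICATE-----\n",
    "cert": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0xJRU5U\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQtS0VZ\n-----END PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    # The result embeds the private key: hand it to the device over SCP or a
    # cable, never by mail, and delete the copy once the client has imported it.
    print(build_inline_ovpn(SAMPLE_CONF, SAMPLE_FILES), end="")
```

Because the result carries the private key, it needs the same handling as client.key itself: move it over SCP or a cable and remove the intermediate copy once the app has imported it. check_pem only guards against embedding something that is not a PEM object, so still read what you hand over (ca.key never belongs on a client).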
by Thijxx » Sun Feb 17, 2013 4:22 pm
Apple went crazy and listened to its users; now there is an OpenVPN app available so you can connect your iOS devices to the Pi over OpenVPN and stay safe!

https://itunes.apple.com/uk/app/id590379981?mt=8
Mimi: Where'd you come from?
Doyle: My mom and the authorities are still trying to figure that out.
by Thijxx » Mon Mar 04, 2013 8:21 pm
Using my own tutorial, I ran into a problem :D

When trying to do ./build-ca I get this message:
Code:
Please edit the vars script to reflect your configuration,
  then source it with "source ./vars".
  Next, to start with a fresh PKI configuration and to delete any
  previous certificates and keys, run "./clean-all".
  Finally, you can run this tool (pkitool) to build certificates/keys.


I solve it with this:
Code:
sudo /bin/bash


Then I run the commands again, without sudo:
Code:
. ./vars
./clean-all
./build-ca
by mrgreenglue » Sun Mar 10, 2013 10:15 pm
Hello!
I was following this tutorial, along with others, and I seem to have difficulty setting up the routing for all traffic to the OpenVPN server on my Pi.
Right after the tutorial, I test it and it works, except I keep my public IP and it doesn't go to the public IP of the Pi server like I would want it to. So I know at least that OpenVPN can connect, since it shows connected and occasionally sends some data packets.

What I did in the OpenVPN SERVER config file on the Pi (CONNECTED VIA WI-FI) was the following:
    Code:
    push "redirect-gateway local def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"

When I do those above configurations and my other computer on another network with another public IP tries to connect to it, it connects and then suddenly disconnects. When I check the error logs on my CLIENT computer, it shows this message, which repeats itself many, many times before I force it to disconnect, as it doesn't even work:
"2013-03-10 18:08:33 write UDPv4: No buffer space available (code=55)"

Any idea on how I can fix this? I would really appreciate some help!
Thanks so much!
Michael

P.S. I put the version of the OpenVPN config that I have on the Raspberry Pi right now (causing these errors) on pastebin - http://pastebin.com/GQVYAWkj . Also, I know the issue is not in certificates or anything like that as it did connect before trying to do the traffic routing.
Posts: 5
Joined: Mon Nov 26, 2012 5:51 pm
by Thijxx » Mon Mar 11, 2013 12:41 am
mrgreenglue wrote:Hello!
I was following this tutorial, along with others, and I seem to have difficulty setting up the routing for all traffic to the OpenVPN server on my Pi.
Right after the tutorial, I test it and it works, except I keep my public IP and it doesn't go to the public IP of the Pi server like I would want it to. So I know at least that OpenVPN can connect, since it shows connected and occasionally sends some data packets.

What I did in the OpenVPN SERVER config file on the Pi (CONNECTED VIA WI-FI) was the following:
    Code:
    push "redirect-gateway local def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"

When I do those above configurations and my other computer on another network with another public IP tries to connect to it, it connects and then suddenly disconnects. When I check the error logs on my CLIENT computer, it shows this message, which repeats itself many, many times before I force it to disconnect, as it doesn't even work:
"2013-03-10 18:08:33 write UDPv4: No buffer space available (code=55)"

Any idea on how I can fix this? I would really appreciate some help!
Thanks so much!
Michael

P.S. I put the version of the OpenVPN config that I have on the Raspberry Pi right now (causing these errors) on pastebin - http://pastebin.com/GQVYAWkj . Also, I know the issue is not in certificates or anything like that as it did connect before trying to do the traffic routing.


Hi MrGreenGlue,

If I get this right, you want all your traffic to go through your OpenVPN connection, that's a setting you also need to set on the client side. I set 'Forward all traffic' in my iPhone or on my Mac.

I'm looking at your server.conf and you may want to set 'client-to-client' on, it's commented out at the moment. Also, aren't those DNS server addresses a bit weird? :roll:
:idea: You also may want to enable ip forwarding:
http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/

Also take a look on your OpenVPN log file and maybe set the verbose in the config file to a higher level for more information. It's picky. Last but not least you can test how far your connection is reaching, can you SSH the Pi over the VPN?

Cheers, Thijs
by mrgreenglue » Mon Mar 11, 2013 1:06 am
Thijxx wrote:Hi MrGreenGlue,

If I get this right, you want all your traffic to go through your OpenVPN connection, that's a setting you also need to set on the client side. I set 'Forward all traffic' in my iPhone or on my Mac.

I'm looking at your server.conf and you may want to set 'client-to-client' on, it's commented out at the moment. Also, aren't those DNS server addresses a bit weird? :roll:
:idea: You also may want to enable ip forwarding:
http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/

Also take a look on your OpenVPN log file and maybe set the verbose in the config file to a higher level for more information. It's picky. Last but not least you can test how far your connection is reaching, can you SSH the Pi over the VPN?

Cheers, Thijs


Hi Thijs!

Thanks for the quick reply!
Yea what I want is to send all the traffic through the OpenVPN from my Mac, and maybe eventually my iPhone. I am using Viscosity now for the OpenVPN connection to the Pi and when I check that option, it looks like it requires a default gateway and other information.

I enabled 'client-to-client' in the config and already had the ipv4 forwarding enabled.
Those IPs for the DNS are Google's public DNS servers (8.8.8.8 and 8.8.4.4) both of which I use on almost all computers I manage daily.

Yes, I can SSH to the Pi, as a matter of fact that's how I connect almost always to it. The Pi has full internet access and no problems with that.

So with that option enabled in the OpenVPN client on my Mac without setting those config options that it may or may not need and leaving the SERVER config with this untouched "push "redirect-gateway local def1 bypass-dhcp"" I am still experiencing the same issue. Could it be with that line push redirect-gateway.......?
Thanks,
Michael

EDIT: Also, when removing the parameter "local" from the push gateway line in the config, I can connect to the Pi with OpenVPN but get no internet access...things just load and load and load...
Attachment: Screen Shot 2013-03-10 at 9.00.52 PM.png (19.69 KiB)
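An added example, not from the thread: a small Python linter for the server-side half of the full-tunnel setup discussed in the three posts above. It parses server.conf the way OpenVPN reads it (a line starting with # or ; is a comment, push arguments are quoted), flags the 'local' flag on redirect-gateway (per the OpenVPN manual that flag is for a server on the client's own subnet; it omits the static route to the server's address via the old gateway, so a remote client routes the tunnel's own packets into the tunnel, which matches the observation that things connect once 'local' is removed), reports dh1024 and an unset client-to-client, and derives the tunnel subnet for the forwarding and NAT commands that the config alone cannot supply. The sample config is constructed from the pushes quoted in the post, not the pastebin file; eth0 is an assumed WAN interface name.

```python
"""Lint a server.conf for a 'route all client traffic through the Pi' setup.

Added example, not part of the thread. It checks the server-side pushes
discussed above, extracts the tunnel subnet from the 'server' line, and
prints the two host-side commands the config cannot express (IP forwarding
and NAT). The sample config is constructed after the pushes quoted in the
post, not the poster's real file; eth0 is an assumed WAN interface name.
"""
import ipaddress
import shlex


def parse_conf(text):
    """Return (directive, args) pairs; lines starting with # or ; are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        tokens = shlex.split(line, comments=True)   # keeps push "..." as one arg
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries


def tun_subnet(text):
    """Subnet handed out by the 'server <net> <mask>' line, e.g. '10.8.0.0/24'."""
    for directive, args in parse_conf(text):
        if directive == "server" and len(args) >= 2:
            return str(ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False))
    return None


def lint_full_tunnel(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    entries = parse_conf(text)
    pushes = [args[0] for d, args in entries if d == "push" and args]
    findings = []

    redirect = [p.split() for p in pushes if p.split()[0] == "redirect-gateway"]
    if not redirect:
        findings.append("no push \"redirect-gateway\": clients keep their own default route")
    else:
        flags = redirect[0][1:]
        if "local" in flags:
            findings.append("redirect-gateway 'local' flag: for clients on the same subnet as "
                            "the server; a remote client loses the route to the server's "
                            "address via its old gateway and the tunnel collapses on itself")
        if "def1" not in flags:
            findings.append("redirect-gateway without def1 replaces the client default route "
                            "instead of overriding it with 0.0.0.0/1 and 128.0.0.0/1")
    if not any(p.startswith("dhcp-option DNS") for p in pushes):
        findings.append("no DNS pushed: full-tunnel clients may not resolve names")
    for d, args in entries:
        if d == "dh" and args and "1024" in args[0]:
            findings.append("dh1024.pem: rebuild with KEY_SIZE=2048 and point 'dh' at dh2048.pem")
    if "client-to-client" not in {d for d, _ in entries}:
        findings.append("client-to-client not set (only needed if VPN clients must see each other)")
    return findings


def host_commands(vpn_subnet, wan_if="eth0"):
    """Forwarding and NAT for the tunnel subnet; run as root on the Pi."""
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -t nat -A POSTROUTING -s {vpn_subnet} -o {wan_if} -j MASQUERADE",
    ]


# Constructed server.conf modelled on the pushes quoted in the post.
POSTED_STYLE = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway local def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
;client-to-client
keepalive 10 120
comp-lzo
verb 3
"""

FIXED = (POSTED_STYLE.replace("redirect-gateway local def1", "redirect-gateway def1")
         .replace("dh dh1024.pem", "dh dh2048.pem")
         .replace(";client-to-client", "client-to-client"))

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_STYLE), ("fixed", FIXED)):
        print(name, lint_full_tunnel(conf) or ["ok"])
    for cmd in host_commands(tun_subnet(FIXED)):
        print(cmd)
```

The sysctl line is lost on reboot unless it also goes into /etc/sysctl.conf, and the iptables rule needs to be saved by whatever mechanism your Pi uses; both are the "enable ip forwarding" step the reply above links to, with the NAT rule that the link alone does not mention.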
by ashbash » Tue Mar 12, 2013 1:33 pm
Nice guide. Ditch bridge-utils and locate, not necessary. Set key to 2048 imho, 1024 minimum; otherwise why are you bothering with VPN in the first place.

Could add a bit about adding client setups:
1. Android Keychain using openssl to generate a p12 cert bundle
2. iPhone/iPad using inline config

Thats all for now .... :-)

Ash
Posts: 50
Joined: Fri Jun 01, 2012 9:20 am
by rblockmon » Tue Mar 19, 2013 12:40 am
Honestly, the tutorial needs to be cleaned up, because if someone was going to try and do this - they will only get confused because they are bouncing from tutorial to comment and back again. Just trying to help out.
Posts: 14
Joined: Wed Jan 23, 2013 2:56 pm
by Zagor64 » Tue Mar 19, 2013 3:23 am
Thanks for the guide. I have been trying to follow it and I am now stuck with OpenVPN. I have access to an OpenVPN server that provides a client.ovpn file with keys and certificates. I am not quite sure how to install that to make the VPN connection. Any help would be greatly appreciated.
Posts: 4
Joined: Tue Mar 19, 2013 3:18 am
by Thijxx » Tue Mar 19, 2013 9:51 am
rblockmon wrote:Honestly, the tutorial needs to be cleaned up, because if someone was going to try and do this - they will only get confused because they are bouncing from tutorial to comment and back again. Just trying to help out.


By now, I've learned this is not the place to post a tutorial.
They should be posted at: http://elinux.org/RPi_Tutorials

I'll post my tutorial there and then update it because I can't change anything here once it's posted.
by Thijxx » Tue Mar 19, 2013 9:55 am
Zagor64 wrote:Thanks for the guide. I have been trying to follow it and I am now stuck with the openvpn. I have access to an openvpn server that provides a client.ovpn file with keys and certificates. I am not quite sure I to install that to make the vpn connection. Any help would greatly be appreciated.


Hi Zagor64,

If you're looking for what to do with the client files, here are the client tools:
https://openvpn.net/index.php?option=com_content&id=357

Cheers, Thijs
by Thijxx » Tue Mar 19, 2013 9:57 am
ashbash wrote:Nice guide, ditch bridge-utils and locate - not necessary. Set key to 2048 imho, 1024 minimum otherwise why are you bothering with vpn in the first place.

Could add a bit about adding client setups:
1. Android Keychain using openssl to generate a p12 cert bundle
2. iPhone/iPad using inline config

Thats all for now .... :-)

Ash


Thanks Ash! When I post this at http://elinux.org/RPi_Tutorials I'll process your feedback.
by rblockmon » Wed Mar 20, 2013 12:24 am
Thijxx wrote:
rblockmon wrote:Honestly, the tutorial needs to be cleaned up, because if someone was going to try and do this - they will only get confused because they are bouncing from tutorial to comment and back again. Just trying to help out.


By now, I've learned this is not the place to post a tutorial.
They should be posted at: http://elinux.org/RPi_Tutorials

I'll post my tutorial there and then update it because I can't change anything here once it's posted.


Just for the record - I was not trying to sound like a jackass - just merely making a kind suggestion. If it sounded rude - I apologize, but it wasn't my intentions.

Ray
by jolan » Thu Mar 21, 2013 12:55 pm
It seems I got it running. However, it's local, and so I wonder how to access the admin,
that is, what IP (+port) to use?

With nmap it doesn't show any open port locally!
Posts: 4
Joined: Sat Mar 16, 2013 5:02 pm
by ashbash » Thu Mar 21, 2013 1:26 pm
What type of nmap scan are you doing, OpenVPN by default uses UDP 1194

Ash
by jolan » Fri Mar 22, 2013 10:21 am
ashbash wrote:What type of nmap scan are you doing, OpenVPN by default uses UDP 1194

Ash


nmap localhost
port 1194 is in the config file, yes.

I have no webserver running, but that shouldn't be a problem, I guess.
However, if I browse to my own http://ipaddress:1194 I should get access to my VPN admin, no?
by Thijxx » Fri Mar 22, 2013 10:29 am
jolan wrote:
ashbash wrote:What type of nmap scan are you doing, OpenVPN by default uses UDP 1194

Ash


nmap localhost
port 1194 is in the config file, yes.

I have no webserver running, but that shouldn't be a problem, I guess.
However, if I browse to my own http://ipaddress:1194 I should get access to my VPN admin, no?


I've never heard of an OpenVPN Admin console in a webservice behind port 1194. Port 1194 is the VPN communication port. The config I used is all command-line. I've never seen any Admin interface.
by ashbash » Fri Mar 22, 2013 10:31 am
VPN data port is 1194; I can only assume you are expecting to see an OpenVPN Access Server web-based interface .... some reading - http://openvpn.net/index.php/access-ser ... guide.html

Ash
by jolan » Fri Mar 22, 2013 1:53 pm
@ash, yes, that's the one. I still use this one on my CentOS machine.

@thijxx, with the Access Server in the back of my mind, I tried installing this thing.
However, I do have the server running with the tool from openvpn.se now.
So all good.

(although this is just a test case) running OpenVPN locally is like
digging a hole in Central Park on a sweet summer day hoping that
no one will notice that you are hiding a bag of money.. :ugeek:

In other words, it's kind of useless to run OpenVPN locally.
by jarrodr » Tue Apr 09, 2013 8:21 pm
Thanks for the tutorial.

What do you mean by 'enter my values':
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanDiego"
export KEY_ORG="OpenVPN"
export KEY_EMAIL="myemail@mydomain.com"


Where do I get these details from? Do I use my actual details?

How do I test if the VPN was successful (something like www.dnsleaktest.com) ?
Posts: 19
Joined: Tue Jun 19, 2012 4:55 pm
Location: South Africa
by xXAzazelXx » Thu Apr 25, 2013 8:04 am
any updates on the full updated guide? :) Including the client setup ? :D
Posts: 126
Joined: Tue Sep 18, 2012 8:32 am
Location: Australia
by xXAzazelXx » Thu Apr 25, 2013 9:10 pm
also.

I am trying to connect to the VPN from iPhone, but it keeps timing out.
Code:
Apr 26 06:59:10 raspberrypi ovpn-server[3105]: 112.213.162.94:62747 LZO compression initialized
Apr 26 06:59:10 raspberrypi ovpn-server[3105]: 112.213.162.94:62747 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Apr 26 06:59:10 raspberrypi ovpn-server[3105]: 112.213.162.94:62747 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Apr 26 06:59:10 raspberrypi ovpn-server[3105]: 112.213.162.94:62747 Local Options hash (VER=V4): '530fdded'
Apr 26 06:59:10 raspberrypi ovpn-server[3105]: 112.213.162.94:62747 Expected Remote Options hash (VER=V4): '41690919'
Apr 26 06:59:10 raspberrypi ovpn-server[3105]: 112.213.162.94:62747 TLS: Initial packet from [AF_INET]112.213.162.94:62747, sid=23a85533 9be332e3

Apr 26 07:00:10 raspberrypi ovpn-server[3105]: 112.213.162.94:62747 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 26 07:00:10 raspberrypi ovpn-server[3105]: 112.213.162.94:62747 TLS Error: TLS handshake failed
Apr 26 07:00:10 raspberrypi ovpn-server[3105]: 112.213.162.94:62747 SIGUSR1[soft,tls-error] received, client-instance restarting



The 1194 port is port forwarded and is open in the firewall. :(
by ashbash » Fri Apr 26, 2013 6:43 am
Post your server/client configs. I would also recommend you anonymise your data in future, external IPs etc.

Ash
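An added example, not from the thread: a Python triage of server log lines like the ones posted above, grouped per peer address, so the question "is it the port forward or something after it" is answered from the log instead of guessed. A "TLS: Initial packet from" line means the client's first packet reached the server; a "TLS key negotiation failed to occur within 60 seconds" line after it means nothing further got through in either direction. The sample lines are adapted from the post with the client address replaced by 203.0.113.7 (an RFC 5737 documentation range, following Ash's anonymisation advice) and a constructed second peer that completes its handshake for contrast; anonymize() is the function to run over a log before pasting it into a forum.

```python
"""Triage OpenVPN server log lines for TLS handshake failures per peer.

Added example, not from the thread. The sample lines are constructed after
the ones posted above, with the client address replaced by 203.0.113.7 and
203.0.113.9 (a documentation range); the second, successful peer is added
for contrast. anonymize() masks addresses before a log is shared.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ovpn-server\[\d+\]: "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse(lines):
    """Count handshake milestones per client address."""
    peers = defaultdict(lambda: {"initial": 0, "timeout": 0, "failed": 0, "established": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        st, msg = peers[m["peer"]], m["msg"]
        if msg.startswith("TLS: Initial packet"):
            st["initial"] += 1          # server saw the client's first packet
        elif "TLS key negotiation failed to occur" in msg:
            st["timeout"] += 1          # nothing more got through within 60 s
        elif msg.startswith("TLS Error: TLS handshake failed"):
            st["failed"] += 1
        elif "Peer Connection Initiated" in msg:
            st["established"] += 1      # handshake completed
    return dict(peers)


def diagnose(stats):
    """One verdict per peer, derived only from the counters above."""
    verdicts = {}
    for peer, st in stats.items():
        if st["established"]:
            verdicts[peer] = "ok: handshake completed"
        elif st["initial"] and st["timeout"]:
            verdicts[peer] = ("first packet arrived, so the inbound port forward works; "
                              "the handshake then stalled, so check the return path "
                              "(UDP replies, NAT) and that the client uses the same proto/port")
        elif st["failed"]:
            verdicts[peer] = "handshake failed without a timeout: read the lines just before it"
        else:
            verdicts[peer] = "no TLS activity seen"
    return verdicts


def unfinished_peers(stats):
    """Addresses that sent a first packet but never finished; many of these means scanning."""
    return sorted(p for p, st in stats.items() if st["initial"] and not st["established"])


def anonymize(line, keep=None):
    """Mask every IPv4 address except those in keep (for example your own LAN range)."""
    keep = set(keep or ())
    return IPV4_RE.sub(lambda m: m.group(0) if m.group(0) in keep else "x.x.x.x", line)


# Constructed log excerpt (see the docstring for how it was adapted).
SAMPLE_LOG = """\
Apr 26 06:59:10 raspberrypi ovpn-server[3105]: 203.0.113.7:62747 LZO compression initialized
Apr 26 06:59:10 raspberrypi ovpn-server[3105]: 203.0.113.7:62747 TLS: Initial packet from [AF_INET]203.0.113.7:62747, sid=23a85533 9be332e3
Apr 26 07:00:10 raspberrypi ovpn-server[3105]: 203.0.113.7:62747 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 26 07:00:10 raspberrypi ovpn-server[3105]: 203.0.113.7:62747 TLS Error: TLS handshake failed
Apr 26 07:00:10 raspberrypi ovpn-server[3105]: 203.0.113.7:62747 SIGUSR1[soft,tls-error] received, client-instance restarting
Apr 26 07:04:01 raspberrypi ovpn-server[3105]: 203.0.113.9:51000 TLS: Initial packet from [AF_INET]203.0.113.9:51000, sid=1a2b3c4d 5e6f7a8b
Apr 26 07:04:02 raspberrypi ovpn-server[3105]: 203.0.113.9:51000 [client1] Peer Connection Initiated with [AF_INET]203.0.113.9:51000
""".splitlines()

if __name__ == "__main__":
    stats = parse(SAMPLE_LOG)
    for peer, verdict in diagnose(stats).items():
        print(anonymize(peer), verdict)
    print("unfinished peers:", len(unfinished_peers(stats)))
```

Run it over /var/log/syslog (or wherever your server.conf sends its log) and look at unfinished_peers(): one address you recognise is a client-side or path problem, a long list of addresses you do not recognise is the internet probing your forwarded port.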
by Thijxx » Thu May 09, 2013 7:34 am
jarrodr wrote:Thanks for the tutorial.

What do mean enter my values:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanDiego"
export KEY_ORG="OpenVPN"
export KEY_EMAIL="myemail@mydomain.com"


Where do I get these details from? Do I use my actual details?

How do I test if the VPN was successful (something like http://www.dnsleaktest.com) ?


You may enter anything, but you should pick something. What do you want to test about your VPN?
by Thijxx » Thu May 09, 2013 7:35 am
xXAzazelXx wrote:any updates on the full updated guide? :) Including the client setup ? :D


Updating right now! :D
Hope I get to the client setup...