Virtual Private Networks are a useful tool: they let us securely reach an isolated computer or network over an untrusted one.
Yet it requires more tweaking than one would imagine. So here's a step by step guide on how I did it, with a LOT of help in understanding some of the key concepts provided by my friend Joe, and protocol explanations from Darren of hak5.
1. What’s the first thing we do? Why install openvpn of course!
sudo apt-get install openvpn
2. Now we need to generate our secret key. This is a pre-shared static key that both ends of the tunnel must hold, and it is what authenticates the remote peer trying to gain access. We will use openvpn itself to generate it. NOTE: Debian by default does NOT put /sbin and /usr/sbin in a normal user's PATH, so the shell will not find the openvpn binary. You have three options:
Fully qualify it: /usr/sbin/openvpn
Temporarily add it to the PATH variable: export PATH=$PATH:/sbin:/usr/sbin
Or add the line
export PATH=$PATH:/sbin:/usr/sbin
to .bashrc
If you add it to .bashrc, you will need to log out and back in again so the shell re-reads the file.
Let’s generate that key!
openvpn --genkey --secret vpn.key
Simple, huh?
3. Let's move some files, and create the configuration file for openvpn.
First, let's copy our secret key file into openvpn's configuration directory:
sudo cp vpn.key /etc/openvpn/.
The period at the end is significant: it means "copy the file into this directory, keeping its name".
4. Next is the configuration file. Using your favourite editor (nano in my case), create the /etc/openvpn/openvpn.conf file as follows. Most of the explanations of the parameters come from here.
# Sample openvpn configuration file
# jjs June 6, 2012 V1.0
#
# annotated by Wayno
#
# remote specifies the public address of the other end of the tunnel (the server)
remote 172.229.15.5
# dev tun: use a routed (layer 3) tunnel device
dev tun
# ifconfig sets the tunnel endpoint addresses: our own end first, the remote end second
ifconfig 192.168.224.253 192.168.224.254
# the pre-shared static key, relative to /etc/openvpn
secret vpn.key
# use UDP port 5001 (openvpn's own default is 1194). You may need to
# forward this port on your router.
port 5001
# if you want data compression
comp-lzo
# ping the peer every 10 seconds; if nothing arrives for 120 seconds,
# assume the other side is dead and restart
keepalive 10 120
# only run the ping timer once a remote peer address is known
ping-timer-rem
# don't close and reopen the TUN device after an automatic restart
persist-tun
# don't re-read the pre-shared static key after an automatic restart
# (required once privileges have been dropped to nobody, who cannot read it)
persist-key
# drop privileges to this user and group after initialization
user nobody
group nogroup
# after initialization, run in the background as a daemon
daemon
# add a route to the remote LAN through the tunnel, after ifconfig
route 192.168.111.0 255.255.255.0
# append log output to /etc/openvpn/openvpn.log
log-append openvpn.log
5. Restart openvpn
sudo service openvpn restart
If you check /etc/openvpn/openvpn.log you will get something like this:
sudo cat /etc/openvpn/openvpn.log
Tue Oct 2 01:22:07 2012 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 21 2012
Tue Oct 2 01:22:07 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Oct 2 01:22:07 2012 /usr/sbin/openvpn-vulnkey -q vpn.key
Tue Oct 2 01:22:07 2012 WARNING: file 'vpn.key' is group or others accessible
Tue Oct 2 01:22:07 2012 LZO compression initialized
Tue Oct 2 01:22:07 2012 TUN/TAP device tun0 opened
Tue Oct 2 01:22:07 2012 /sbin/ifconfig tun0 192.168.224.253 pointopoint 192.168.224.254 mtu 1500
Tue Oct 2 01:22:07 2012 GID set to nogroup
Tue Oct 2 01:22:07 2012 UID set to nobody
Tue Oct 2 01:22:07 2012 UDPv4 link local (bound): [undef]
Tue Oct 2 01:22:07 2012 UDPv4 link remote: [AF_INET]72.200.67.229:5001
Tue Oct 2 01:22:07 2012 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 21 2012
Tue Oct 2 01:22:07 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Oct 2 01:22:07 2012 /usr/sbin/openvpn-vulnkey -q vpn.key
Tue Oct 2 01:22:07 2012 WARNING: file 'vpn.key' is group or others accessible
Tue Oct 2 01:22:07 2012 LZO compression initialized
Tue Oct 2 01:22:07 2012 TCP/UDP: Socket bind failed on local address [undef]: Address already in use
Tue Oct 2 01:22:07 2012 Exiting
Tue Oct 2 01:22:10 2012 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Tue Oct 2 01:22:20 2012 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
Tue Oct 2 01:22:20 2012 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
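Two lines in that log deserve a fix rather than a shrug: the WARNING that vpn.key is group- or world-readable (the cp in step 3 kept the default file mode) and a second openvpn instance failing to bind the port. The script below is an added example, not part of the original post or of OpenVPN itself; it assumes GNU coreutils (stat -c, install) as shipped on Debian, the hypothetical file name fix_vpn_key.sh, and that you run it as root for the ownership change.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenVPN: install the static
# key with the mode openvpn expects and count the log lines that need action.
# Assumes GNU coreutils (stat -c, install), as shipped on Debian.

# install_vpn_key SRC DEST_DIR
# install(1) creates the copy with mode 0600 from the start, so the key is
# never briefly group/world-readable the way a plain cp followed by chmod is.
# openvpn reads the key as root before dropping to "user nobody"; with
# persist-key it keeps the key across restarts, so root-only access suffices.
install_vpn_key() {
    src=$1
    dest="$2/$(basename "$1")"
    mkdir -p "$2" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        install -m 0600 -o root -g root "$src" "$dest"
    else
        # Not root (a dry run): enforce the mode, skip the ownership change.
        install -m 0600 "$src" "$dest"
    fi
}

# key_mode_ok FILE
# Succeeds only if no group or other permission bits are set, which is the
# condition behind "WARNING: file 'vpn.key' is group or others accessible".
key_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;   # e.g. 600 or 400: owner-only
        *)   return 1 ;;   # e.g. 644: group/others can read the key
    esac
}

# log_problem_count LOGFILE
# Prints how many lines report an exposed key or a failed port bind (a second
# openvpn instance racing the first), the two problems visible in the log above.
log_problem_count() {
    grep -c -E 'group or others accessible|Address already in use' "$1" || :
}

# Usage: sh fix_vpn_key.sh vpn.key /etc/openvpn
if [ "$#" -eq 2 ]; then
    install_vpn_key "$1" "$2" && key_mode_ok "$2/$(basename "$1")" \
        && echo "key installed with mode 0600"
fi
```

After running it, a fresh restart should no longer print the WARNING line, and log_problem_count on the new log should print 0.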
6. Let's see if it works.
ping -c 5 192.168.224.253
PING 192.168.224.253 (192.168.224.253) 56(84) bytes of data.
64 bytes from 192.168.224.253: icmp_req=1 ttl=64 time=0.033 ms
64 bytes from 192.168.224.253: icmp_req=2 ttl=64 time=0.041 ms
64 bytes from 192.168.224.253: icmp_req=3 ttl=64 time=0.030 ms
64 bytes from 192.168.224.253: icmp_req=4 ttl=64 time=0.041 ms
64 bytes from 192.168.224.253: icmp_req=5 ttl=64 time=0.040 ms
--- 192.168.224.253 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.030/0.037/0.041/0.004 ms