How to install and configure OpenVPN in Ubuntu


    OpenVPN Package Installation

    Run the commands below in a terminal.

    Code:
    sudo apt-get update
    sudo apt-get upgrade 
    sudo apt-get install openvpn

    Certificate Authority Setup

    To set up your own Certificate Authority (CA) and generate certificates and keys for an OpenVPN server and multiple clients, first copy the easy-rsa directory to /etc/openvpn. This ensures that any changes to the scripts are not lost when the package is updated. From a terminal, change to user root and run:

    Code:
    mkdir /etc/openvpn/easy-rsa/
    cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
    Next, edit /etc/openvpn/easy-rsa/vars adjusting the following to your environment:

    Code:
    sudo vi /etc/openvpn/easy-rsa/vars
    The relevant lines should look as follows:

    Code:
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="NC"
    export KEY_CITY="Winston-Salem"
    export KEY_ORG="Example Company"
    export KEY_EMAIL="steve@example.com"
    Enter the following to generate the master Certificate Authority (CA) certificate and key:

    Code:
    cd /etc/openvpn/easy-rsa/
    source vars
    ./clean-all
    ./build-ca

    Server Certificates


    Next, we will generate a certificate and private key for the server:

    Code:
    ./build-key-server server
    As in the previous step, most parameters can be defaulted. Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

    Diffie Hellman parameters must be generated for the OpenVPN server:

    Code:
    ./build-dh
    All certificates and keys have been generated in the subdirectory keys/. Common practice is to copy them to /etc/openvpn/:

    Code:
    cd keys/
    cp server.crt server.key ca.crt dh1024.pem /etc/openvpn/

    Client Certificates

    The VPN client will also need a certificate to authenticate itself to the server. Usually you create a different certificate for each client. To create the certificate, enter the following in a terminal as user root:

    Code:
    cd /etc/openvpn/easy-rsa/
    source vars
    ./build-key client1
    Copy the following files to the client using a secure method:

    1. /etc/openvpn/ca.crt
    2. /etc/openvpn/easy-rsa/keys/client1.crt
    3. /etc/openvpn/easy-rsa/keys/client1.key


    As the client certificates and keys are only required on the client machine, you should remove them from the server.

    Transfer Method

    1. scp: you can transfer the client keys with scp (secure copy).
    2. sftp: another method, which is used to transfer keys on Windows.
    3. samba: you can share your keys through Samba as well.


    Simple Server Configuration

    Along with your OpenVPN installation you got these sample config files (and many more if you check):

    Code:
    root@server:/# ls -l /usr/share/doc/openvpn/examples/sample-config-files/
    total 68
    -rw-r--r-- 1 root root 3427 2011-07-04 15:09 client.conf
    -rw-r--r-- 1 root root 4141 2011-07-04 15:09 server.conf.gz

    Start by copying and unpacking server.conf.gz to /etc/openvpn/server.conf.
    Code:
    sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
    sudo gzip -d /etc/openvpn/server.conf.gz
    Edit /etc/openvpn/server.conf to make sure the following lines are pointing to the certificates and keys you created in the section above.

    Code:
    sudo vi /etc/openvpn/server.conf
    Change the following options to resemble the lines below, uncommenting any lines that are commented out:
    Code:
    port 1194
    proto udp
    ca ca.crt
    cert server.crt
    key server.key 
    dh dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    # Uncomment this line to redirect the clients' default network gateway through the VPN,
    # causing all IP traffic such as web browsing and DNS lookups to go through the VPN.
    push "redirect-gateway def1"
    # Add this line to resolve DNS for Windows clients.
    push "dhcp-option DNS 8.8.8.8"
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3

    Restart OpenVPN:

    Code:
    sudo /etc/init.d/openvpn start

    Now check if OpenVPN created a tun0 interface:

    Code:
    sudo ifconfig tun0

    Simple Client Configuration

    Copy the example client configuration file:

    Code:
    sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
    Edit the client configuration file:

    Code:
    sudo vi /etc/openvpn/client.conf
    Change it to resemble:
    Code:
    client
    remote vpnserver.example.com 1194
    ca ca.crt
    cert client1.crt
    key client1.key

    Note: Replace vpnserver.example.com with the hostname of your VPN server, and client1.* with the actual certificate and key filenames that correspond to the client.

    Now start the OpenVPN client:

    Code:
    /etc/init.d/openvpn start
    Check if it created a tun0 interface:
    Code:
    ifconfig tun0
    Check if you can ping the OpenVPN server:

    Code:
    ping 10.8.0.1
    PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
    64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=0.920 ms

    First troubleshooting

    If the above didn't work for you, check this:

    1. Check your syslog, e.g. grep -i vpn /var/log/syslog
    2. Can the client connect to the server machine? Maybe a firewall is blocking access? Check syslog on server.
    3. Client and server must use same protocol and port, e.g. UDP port 1194, see port and proto config option
    4. Client and server must use same config regarding compression, see comp-lzo config option
    5. Client and server must use same config regarding bridged vs routed mode, see server vs server-bridge config option


    Client software implementations

    Linux Network-Manager GUI for OpenVPN

    Many Linux distributions including Ubuntu desktop variants come with Network Manager, a nice GUI to configure your network settings. It also can manage your VPN connections. Make sure you have package network-manager-openvpn installed. Here you see that the installation installs all other required packages as well:

    Code:
    apt-get install network-manager-openvpn

    To inform network-manager about the newly installed packages you will have to restart it:
    Code:
    restart network-manager
    Open the Network Manager GUI, select the VPN tab and then the 'Add' button. Select OpenVPN as the VPN type in the opening requester and press 'Create'. In the next window add the OpenVPN's server name as the 'Gateway', set 'Type' to 'Certificates (TLS)', point 'User Certificate' to your user certificate, 'CA Certificate' to your CA certificate and 'Private Key' to your private key file. Use the advanced button to enable compression (e.g. comp-lzo), dev tap, or other special settings you set on the server. Now try to establish your VPN.


    OpenVPN with GUI for Win 7

    First download and install the latest OpenVPN Windows Installer. OpenVPN 2.3.4 was the latest when this was written. As of this writing, the management GUI is included with the Windows binary installer.

    You need to start the OpenVPN service. Go to Start > Computer > Manage > Services and Applications > Services. Find the OpenVPN service and start it. Set its startup type to automatic. When you start the OpenVPN MI GUI the first time you need to run it as an administrator. You have to right click on it and you will see that option.

    You will have to write your OpenVPN config in a text file and place it in C:\Program Files\OpenVPN\config\client.ovpn along with the CA certificate, Client.key and Client.crt like the following example.

    Code:
    client
    remote server.example.com # openvpn server's ip
    port 1194
    proto udp
    dev tun
    dev-type tun
    ns-cert-type server
    reneg-sec 86400
    auth-user-pass
    auth-retry interact
    comp-lzo yes
    verb 3
    ca ca.crt
    cert client1.crt
    key client1.key
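
Items 3 to 5 of the troubleshooting list above (same port and protocol, same compression, same routed/bridged device type) can be checked mechanically before starting the tunnel. The shell script below is an added example, not part of the original post; the helper names and the two sample configs are constructed for illustration, and it compares only `port`/`remote`, `proto`, `comp-lzo` and `dev`.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# Print the arguments of the first uncommented NAME directive in FILE.
directive() {
    awk -v name="$2" '{ sub(/[#;].*/, "") }
        $1 == name { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed if FILE contains an uncommented NAME directive.
has_directive() {
    awk -v name="$2" '{ sub(/[#;].*/, "") } $1 == name { f = 1 } END { exit !f }' "$1"
}

# Port: "remote host port" on the client, else "port", else the default 1194.
effective_port() {
    p=$(directive "$1" remote | awk '{ print $2 }')
    [ -n "$p" ] || p=$(directive "$1" port)
    echo "${p:-1194}"
}

# Protocol family (udp/tcp): "proto", else the default udp.
effective_proto() { p=$(directive "$1" proto | cut -c1-3); echo "${p:-udp}"; }

# Compression: "on" if comp-lzo is present with any argument, else "off".
effective_lzo() { if has_directive "$1" comp-lzo; then echo on; else echo off; fi; }

# Device type: tun (routed) or tap (bridged), taken from the "dev" directive.
effective_dev() { directive "$1" dev | cut -c1-3; }

# compare_configs SERVER CLIENT: print each mismatch, return the mismatch count.
compare_configs() {
    bad=0
    for check in port proto lzo dev; do
        s=$(effective_$check "$1"); c=$(effective_$check "$2")
        if [ "$s" != "$c" ]; then
            echo "MISMATCH $check: server=$s client=$c"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample configs, reduced to the directives being compared.
tmp=$(mktemp -d)
printf 'port 1194\nproto udp\ndev tun\n;comp-lzo\nserver 10.8.0.0 255.255.255.0\n' > "$tmp/server.conf"
printf 'client\ndev tun\nproto tcp\nremote vpnserver.example.com 1194\ncomp-lzo yes\n' > "$tmp/client.conf"
compare_configs "$tmp/server.conf" "$tmp/client.conf" || echo "fix the lines above, then restart OpenVPN"
```

On the constructed pair it reports the `proto` and `comp-lzo` mismatches; point it at /etc/openvpn/server.conf and a copy of the client's config to check a real pair.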