developer.shyd.de. studying my hobby

6 Feb 2011

Dockstar: HowTo setup OpenVPN on Debian


Well, if you want a secure connection to your Dockstar or even to your home network, this post describes all the steps you have to take to get this done. In my setup a dd-wrt router is connected to the internet and forwards all needed ports to the Dockstar. You probably don't run a firewall on the Debian machine, but you will have to, because we need packet forwarding to reach the home network through the VPN tunnel. I assume you don't use your Dockstar as the default gateway of your LAN, so you will need an additional route in the router:

Let me explain the path of the packets of a ping from a remote machine to a host in the LAN. For the different subnets refer to the exhibit (VPN: 10.8.0.0/24; LAN: 192.168.0.0/24).


Let us ping the host address 192.168.0.100 from 10.8.0.6. The ping starts at the VPN client 10.8.0.6, enters the VPN tunnel and arrives at the tun device on the Dockstar, 10.8.0.1. The VPN client knows about the LAN because the OpenVPN server pushes it a valid route.
The Dockstar forwards the ICMP packet directly to the LAN host. Assuming the LAN host's firewall doesn't block packets from/to 10.8.0.0/24, it will send the reply packet to its default gateway (192.168.0.1), because the LAN host doesn't know anything about the VPN.
By default the router doesn't know the VPN either and will forward the packet to its own default gateway, which is the first hop of your ISP! So we need to redirect packets for 10.8.0.0/24 back to the Dockstar. This is where the additional route in the router comes into play. In dd-wrt you can set it in the web interface: Setup->Advanced Routing. The ICMP packet will then be sent to the Dockstar's eth0 (192.168.0.2) and forwarded to the VPN client (10.8.0.6).
With this knowledge we are ready to install and configure OpenVPN and the firewall, i.e. iptables.
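To make the path of the ping and its reply concrete, here is a small routing simulation added for this post (it is not part of the original tutorial and not OpenVPN code): it models the routing tables of the LAN host, the dd-wrt router, the Dockstar and the VPN client with longest-prefix matching and traces where a packet goes with and without the additional route in the router. It also goes one step beyond the text and shows what the two /1 routes installed by "push redirect-gateway def1" do on the client. The host names, the interface names and the ISP addresses 203.0.113.1 and 198.51.100.1 are constructed.

```python
import ipaddress

# Constructed model of the hosts in the walk-through above. Each routing table
# is a list of (prefix, next_hop, interface); next_hop None = directly attached.
ADDRS = {  # address -> host name; the Dockstar owns both eth0 and tun0 addresses
    "192.168.0.100": "lan-host", "192.168.0.1": "router",
    "192.168.0.2": "dockstar", "10.8.0.1": "dockstar", "10.8.0.6": "vpn-client",
}
TABLES = {
    "lan-host": [("192.168.0.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.0.1", "eth0")],
    "router": [("192.168.0.0/24", None, "br0"),
               ("0.0.0.0/0", "203.0.113.1", "wan")],          # constructed ISP first hop
    "dockstar": [("192.168.0.0/24", None, "eth0"), ("10.8.0.0/24", None, "tun0"),
                 ("0.0.0.0/0", "192.168.0.1", "eth0")],
    "vpn-client": [("10.8.0.0/24", None, "tun0"),
                   ("192.168.0.0/24", "10.8.0.1", "tun0"),    # route pushed by the server
                   ("0.0.0.0/0", "198.51.100.1", "wlan0")],   # constructed: client's own uplink
}
# The extra route set in the dd-wrt router (Setup->Advanced Routing), and the
# two /1 routes that "push redirect-gateway def1" installs on the client.
ROUTER_VPN_ROUTE = {"router": [("10.8.0.0/24", "192.168.0.2", "br0")]}
REDIRECT_DEF1 = {"vpn-client": [("0.0.0.0/1", "10.8.0.1", "tun0"),
                                ("128.0.0.0/1", "10.8.0.1", "tun0")]}

def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, iface) or None if unroutable."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else best[1:]

def trace(start, dst, extra=None, max_hops=8):
    """Forward a packet hop by hop, with optional extra routes {host: [...]}.
    The path ends at dst, at 'unroutable', or at the first next hop that is
    not a modelled host (i.e. the packet left the home net for the ISP)."""
    tables = {h: (extra or {}).get(h, []) + t for h, t in TABLES.items()}
    path, host = [start], start
    for _ in range(max_hops):
        hit = lookup(tables[host], dst)
        if hit is None:
            return path + ["unroutable"]
        if hit[0] is None:                   # destination net is directly attached
            return path + [ADDRS.get(dst, dst)]
        path.append(ADDRS.get(hit[0], hit[0]))
        if hit[0] not in ADDRS:              # gone to the ISP, nothing we can fix here
            return path
        host = ADDRS[hit[0]]
    return path + ["loop"]
```

Without ROUTER_VPN_ROUTE the LAN host's reply leaves through the router's WAN side; with it the reply reaches the client through the Dockstar, exactly as described above.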

1. OpenVPN

First of all we need to install the package:

1.1 Configure the Server

The configuration files are stored in /etc/openvpn. If you want to run multiple servers you simply create a serverX.conf for each server. In my case I'm running one UDP server; its config file is called tun0.conf and looks like this:

1.2 Build the Certificates and Keys

We will do this with easy-rsa which comes with openvpn:

You may want to edit vars first to get your own defaults:

Now we will create the certificate for CA:

Then we will create the certificate for the server:

Then we will create the certificate for the client (you can build one for each VPN client so that they don't have to share one):

We will build the Diffie-Hellman parameters:

Now all keys are built, you should have these files:

Now we have the keys and certificates, so we will put them on the clients that want to connect to the VPN. Just be sure that you only copy these files to the clients:

  • client1.crt
  • client1.key
  • ca.crt

1.3 Configure the Client

A minimal client.conf could look like this:

2. Some Firewall Rules

If you don't have a firewall running, just install it:

As mentioned above we need packet forwarding to enable the communication between the VPN and the LAN.
To permanently set net.ipv4.ip_forward=1 uncomment this line:

Add these rules to your firewall script (tun+ is a wildcard for all tun devices; $device is set to eth0):

In case you don't want to set up a script from scratch, this is mine. Some of you might say it's a bit overloaded, but... security first.
This is a fully working init script (/etc/init.d/firewall):


If you use this script, don't forget to make it executable.

3. Restart the Services

Now we are ready to restart the services and run a first test:

If everything works you should be able to ping around your VPN and your LAN. To better understand the routes, take a look at a traceroute.

4. Reference

http://openvpn.net/howto.html
http://cihan.me/how-to-setup-openvpn-server-on-debian-lenny/

    • Hello. Firstly I want to say thanks to you for sharing such nice, informative content with us. It's really awesome posting you have done. I think every person who is not aware of VPN services must read this. Keep going.

      • shyd

        Thank you very much!

    • Todo asap on my dockstar ;) thk

    • hey! can you say something about the up and download speeds and the cpu load?

      thx

      • shyd

        Hi,
        I just did some testing on the download through vpn:
        The Dockstar is connected with 100Mbit/6Mbit, I was testing with a 16Mbit/800kbit connection.
        I downloaded about 50MB using wget in cygwin, these are my results:
        udp: 610kb/s, 15-20%CPU, 1.8%MEM
        tcp: 620kb/s, 18-21%CPU, 1.9%MEM
        the upload is about 500kbit/s

        The overall throughput should be the same. But you have to keep in mind, that additional framedata is transmitted, so the usable speed is slightly slower than your “normal” connection.



    • Oh my gosh! Thank you so much for this. I do want to note for newbies that you need to change the permissions on your firewall script using

      “chmod a+x /etc/init.d/firewall”

      I spent the last two days trying different tutorials…namely the one found here: http://wiki.debian.org/OpenVPN#TLS-enabled_VPN. It was all to no avail.

      This tutorial got me exactly what I needed the first time through. Again, thank you so much!

    • Oh, and I was using a wrt310n router with dd-wrt vpn installed on it. I just used the Services > VPN > OpenVPN Client in the GUI to connect to the server.

      • Sorry, one more thing:
        I had to comment out this line
        #local 192.168.0.2 #lan ip of the dockstar
        to get “service openvpn start” to work


    • atorfi

      Hi, thanks for the post. I need your help to understand how to set up OpenVPN on Debian. If you can help me via Skype and answer my questions, I am happy to pay you 10-15 $ per hour for the time you spend on me. Please let me know.

      • shyd

        Well, I hope my message hasn’t been spammed. If you are still interested – I replied to your comment’s email address a couple of days ago.

    • Mark

      Thanks for a great tutorial

      I’m trying to connect to some openvpn servers I have no server end configuration control over.

      I have successfully connected to various VPN gateways using some provided .ovpn scripts. ifconfig shows I have created a tun0 each time, but I’m having trouble understanding how to get my machine to use only this tunnel for internet traffic.

      If the tunnel is broken I don’t want any internet. I have found a script that will test for internet connection and re-boot the device if none exists.

      As a test I connected to a US gateway and tried to run BBC iPlayer. I’m in the UK but my thought was that being connected to a US gateway should block access to the service which is intended to be accessed only from within the UK.

      It doesn’t block the access. I can see the tun0 is present, but I can still watch BBC iPlayer.

      Are the firewall settings in section 2.0 above for the client side or the server side? Would they help?

      Thanks for any help,

      Mark.

      • shyd

        Hi Mark,
        thanks for your message!
        Theoretically you need to change your default gateway into the tunnel, to prevent traffic elsewhere than in the tunnel. I assume the script keeps the tunnel alive at the client side, so it should be fine.

        Just tested BBC iPlayer from Germany, I am not allowed to watch. If I want to check whether the tunnel is working or not, I take a look at my IP address at e.g. http://www.infosniper.net/

        Did you uncomment lines 21 and 22 from 1.1? Otherwise openvpn only adds a route for the tunnel network, the default gateway will be untouched (client side). That means no internet traffic will go through the tunnel. Taking a look at your local computer’s routes will clarify things.

        The firewall of 2.0 is for the server to manage ip forwarding. Otherwise you wouldn’t be able to connect to the internet even if your tunnel works flawlessly.

        Hopefully this answer helps you out!

        –Dennis

        • Mark

          Thanks for the reply Dennis,

          I have no control over the server side so section 1.1 wasn’t relevant for me.

          I’m using a VPN service called Witopia and they told me that it was not possible to connect using openvpn from a Raspberry Pi (RPi), but I have successfully done it before by installing openvpn on the Raspberry Pi and pinching the .ovpn files, certs & keys from my Windows based Witopia install.

          I did a little more testing last night and it appears that my VPN tunnels do get used correctly when I reboot the RPi, I have the UK one in my rc.local file to connect on start-up.

          However with my clumsy command line attempts to kill the current openvpn process and connect to a different vpn gateway things seem to default back to the default en0, something I am trying to stop.

          I think what I need to discover is a scriptable way to close tun0 and restart another, new tun0 connecting to a different witopia vpn gateway when I want.

          I never want internet to go over the en0 even when tun0 is down so I think I may have to create a ‘dead’ tun1 to temporarily force the default route to whilst tun0 is closed and reopened with the new location.

          With PPTP gateways I’ve had success changing routes with ‘sudo pon $TUNNEL’ , but PPTP gateways were a whole lot easier to deal with but didn’t seem to work well with UK based TV services.

          With openvpn I have yet to work out how to change the default route in a script. I will need it to do something like:

          Force route to dead tunnel
          kill tun0
          openvpn to new gateway as tun0
          force route to tun0

          I have also found a script that tests for Internet connection over openvpn and restarts openvpn if it can’t connect to the internet.

          http://www.clearcenter.com/support/documentation/clearos_guides/openvpn_connection_script

          My hope is to implement that to keep the openvpn connection alive.

          I eventually want to create a device that allows openvpn access from a smart TV and Bluray player, to allow me to keep up with my UK TV when I’m abroad visiting family. The goal is to be able to boot the device and leave it running, pointing the internet connected devices to it as their route to the internet. If the connection breaks I want the device to reconnect me; whether that can be achieved by restarting openvpn or by rebooting the device is unclear to me right now.

          I suspect this will be a little way off. Right now I’m using RaspBMC on the Raspberry Pi and BBC iPlayer, ITV etc. add ons to test whilst I get the hang of openvpn.

          I’ve only been looking at this stuff for a couple of weeks, and it’s a lot of fun learning all this new stuff. Tutorials like yours are just the stuff that helps someone like me get the hang of this stuff.

          Thanks for what you’ve done.

          Mark.

    • J

      If I uncomment

      push “redirect-gateway def1”
      push “dhcp-option 8.8.8.8”
      Do I need to edit the client.conf or the firewall? The issue I am meeting is when these are uncommented there’s no tracert to anywhere such as popular websearch webpages. tracert shows the dns #, so it doesn’t seem to be a problem there. Seems to be some client or firewall config.

      • J

        sysctl net.ipv4.ip_forward=1

        Had to issue that, because I did not restart the dockstar. Seems to be working.
        Next challenge is either figuring out why android doesn’t work or waiting for the future, at which time the server certs were generated matches my timezone.

        • Great, you figured out the problem!
          What is the issue with Android? Which app do you use?

          • J

            Thank you for the nice tutorial and response. Hope the command above can help others new to this like myself.

            I use openvpn connect android app and tried online cert and filename reference certs with same results. The cert is no longer in the future. Has local timezone validity. Same cert works with windows openvpn software run under admin elevated cmd.

            Android error as reflected in server log is about padding.

            TLS_ERROR: BIO read tls_read_plaintext error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed: error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure

            • J

              in tun0.conf
              I changed MTU (tun-mtu) to 1500 and added this on the next line: mssfix
              Android working now.

              • You’re welcome!
                Thanks for your feedback