Installing OpenVPN on Ubuntu is pretty simple. Configuring it correctly is where most people's problems lie. There are two ways to set up the VPN:
- Bridged (VPN clients get their IP from the LAN's DHCP server. VPN Server acts as a bridge to the LAN.)
- Routed (VPN server creates a separate network and acts as the DHCP server and router handing out IPs to VPN clients. VPN clients then access the LAN via the VPN Server acting as the gateway.)
Routed is a little easier to set up and will work for most scenarios unless you need non-IP or broadcast traffic, so that's what I'll walk through here.
First, let's install the packages:
# sudo apt-get install openvpn
That was easy. Next we need to start the configuration and create some keys for encryption of the VPN tunnel.
Let me start off by saying I've done this on Ubuntu 10 and 11 and CentOS 4 and 5. This walkthrough is based on what I did to set it up on Ubuntu 11, but you can adapt it for other OSes.
After installation you should have a /etc/openvpn directory to work in, and there are some examples in /usr/share/doc/openvpn/examples. We're going to start by copying some example files to /etc/openvpn to work with (no use reinventing the wheel).
# cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
Now you'll have an easy-rsa directory inside /etc/openvpn with two sub-directories; we're only interested in the 2.0 directory, so feel free to delete the 1.0 directory. Note also that you may want to restrict permissions on this directory after we're done so that only root can read/edit it.
You may want to read the /etc/openvpn/easy-rsa/2.0/vars file and edit anything in there you want (key size for example). Once you're satisfied, we need to run the clean-all script followed by the build scripts:
# cd /etc/openvpn/easy-rsa/2.0
# source ./vars
# ./clean-all
# ./build-ca
# ./build-key-server server
Now you have the key for your server. Next we need to create client keys. Feel free to replace "client" in the following commands with descriptive client names if you're setting up more than one client. If this is just for you, you can leave it as client.
# ./build-key client
# ./build-dh
Next we want to copy the keys that were generated for the server from the keys directory up to /etc/openvpn. Copy the following files to /etc/openvpn/:
- ca.crt
- ca.key
- dh1024.pem
- server.crt
- server.key
Now we need a basic configuration file for the server that we can start with and edit to our needs. Luckily this is in the examples area. Go to /usr/share/doc/openvpn/examples/sample-config-files/ and unzip server.conf.gz if necessary. We then want to copy that server.conf file to /etc/openvpn. Next copy the client.conf file out of that directory into another directory, like your home directory, to work on later.
Next we want to edit some of the config file:
First, if you have multiple NICs, you may want to set the local a.b.c.d line to the IP address of the NIC you want to dedicate to OpenVPN traffic (it should go without saying that the NIC needs a static IP address for this to work). This is optional, but if you are using multiple NICs and they are not bonded, I do recommend dedicating VPN traffic to one NIC.
Next, we will run OpenVPN on the standard port 1194, but you can change this if you like. Just make sure nothing else is using that port on any server on your network. (The last thing you want to do is pick something like port 80 and then have your firewall forwarding 80 to your webserver on a different box; then your VPN will never work.)
Leave the protocol set to UDP unless you need to run it on TCP for some reason.
The next section is where you determine whether you're going to set up the VPN bridged or routed. If doing bridged, you must select dev tap here and the server-bridge setting further down (there are also other things you need to do to get bridged working that we aren't covering here). Since we are doing routed, we'll select dev tun here and the server setting further down. You will see:
server 10.8.0.0 255.255.255.0
This is ok to leave as is unless you use 10.8.0.0 for your LAN or another VPN network. If so then change this.
Next we need to configure the server to push the route to the LAN to the VPN clients. We set that via the following (replace 192.168.1.0 with your LAN subnet):
push "route 192.168.1.0 255.255.255.0"
That will expose the LAN to the VPN clients and allow them to communicate with the network. However, for traffic to truly flow, we have to tell the network how to route return traffic to the VPN clients. This is done by configuring a static route on your gateway/router that directs all traffic for 10.8.0.0 (or whatever subnet you chose above) to the static IP of the VPN server's NIC (the address you may have used above in the a.b.c.d section). Also, you need to enable IP forwarding, which can be done by entering the following at a shell after you've finished editing the config:
# echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
(Note that "sudo echo 1 > /proc/sys/net/ipv4/ip_forward" does not work: the redirection is performed by your unprivileged shell and fails with permission denied, so the write has to go through tee. This setting is also lost on reboot unless you make it permanent.)
The last things I'll mention in the server config is that if you want vpn clients to see each other, you will want to uncomment the line:
client-to-client
And I would suggest uncommenting the following so that the server doesn't run as root. Make sure that "nobody" and "nogroup" exist on your server. If not, you'll need to create them or use a comparable user and group.
user nobody
group nogroup
Now save the file and set up the additional routing and IP forwarding mentioned above if you haven't yet. One additional thing you'll need to do is set up port forwarding on your router to send port 1194 to your VPN server, unless your VPN server is in a DMZ.
Next you'll want to edit the copy of the client.conf file you put in your home directory earlier to match up with the server.conf file you just edited. Then copy that client.conf and the following files from the /etc/openvpn/easy-rsa/2.0/keys directory to your client machine:
- client.key
- client.crt
- ca.crt
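The complete routed-mode server.conf and matching client.conf that the steps above build up, as an added example (not the sample files shipped with OpenVPN or the author's own). The LAN subnet 192.168.1.0/24, the placeholder a.b.c.d and the hostname vpn.example.com are assumptions to replace with your own values:

```conf
### /etc/openvpn/server.conf (routed mode, following the steps above)
# Optional: bind only to the NIC dedicated to VPN traffic (needs a static IP).
;local a.b.c.d
port 1194
proto udp
# tun = routed; tap (with server-bridge) would be bridged mode.
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh1024.pem
# VPN subnet handed out to clients; change it if 10.8.0.0/24 is already in use.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Route pushed to clients for the LAN behind the server (assumed LAN subnet).
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
# Only if VPN clients need to reach each other.
client-to-client
persist-key
persist-tun
# Drop root privileges once the tunnel is up.
user nobody
group nogroup
status /var/log/openvpn-status.log
verb 3

### client.conf (rename to client.ovpn on Windows), matching the server above
client
dev tun
proto udp
# Use the server's LAN IP while testing from inside, then the public IP/FQDN.
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca   ca.crt
cert client.crt
key  client.key
verb 3

### /etc/sysctl.conf: make IP forwarding survive a reboot (the echo to /proc does not)
net.ipv4.ip_forward = 1
```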
Now start the openvpn service on the server:
# /etc/init.d/openvpn start
If there are no errors, that's a good start. Next try to connect from the client machine and, if it works, test that you have access to the LAN. Note that you can test the connection to the OpenVPN server from inside the network if you use its IP for the server address in the client config file. Then you can change that to the public IP or FQDN.
(A side note for Windows users: you will need to rename client.conf to client.ovpn, but it's still a text file and you can edit it on Windows with WordPad.)
* Once you have it up and running, I recommend reviewing the following information on ways to make it more secure as necessary: