Howto/20130118 Setup Routed Tun OpenVPN server on Ubuntu 12.04

Latest revision as of 01:27, 2 November 2020

Donations

Donations are not required but much appreciated. If you find the following helpful, you may send donations to my Paypal address lucky13bbq@yahoo.com. Thanks!

Motivation

  1. To be able to work around Petro-Canada Mobility/7-11 Speakout's proxied 3g data connection so that I can make free calls to a landline using a voip app such as Fongo. My previous solution was to use another app, Droidvpn, but this had two issues: 1) it is only free for 100 megs/day and 2) it requires a rooted android phone. Setting up and using my own server therefore removes the 100 meg/day limit and does not require a rooted android phone. I initially did the following steps on my own home server as a test, but because it requires using port 443, which my webserver was already using, I ended up renting an unmanaged VPS for much cheaper than droidvpn charges (especially when it's split amongst me, the wife and my dad).
  2. To be able to access hulu.com and netflix US. Should also work with Amazon Instant Video. Assumes that your vpn server is located in the US.

Source material

  1. OpenVPN howto: http://openvpn.net/index.php/open-source/documentation/howto.html
  2. Redflagdeals post: http://forums.redflagdeals.com/speakout-data-android-calling-all-users-tips-tricks-1053209/175/#post15982561
  3. My previous OpenVPN setup guide for bridged VPNs: Howto/Setup Bridged OpenVPN server on Ubuntu 10.04
  4. Workaround if ipt_MASQUERADE module is missing: http://forum.openvz.org/index.php?t=msg&goto=8117 (and to some extent http://ubuntuforums.org/showthread.php?t=1795535 )
  5. bytecounts: https://openvpn.net/archive/openvpn-users/2007-08/msg00184.html

My setup

  • An android phone running the openvpn client (tested with an Xperia Ray running stock Sony Android 4.0 ROM) with a proxied 3g data connection via Petro-Canada Mobility
  • A server running Ubuntu 12.04 64-bit with port 443 available
  • OpenVPN server configuration: tun, tcp, pre-shared key/cert authentication
  • Output openvpn bytecounts to log server usage
  • The Phantom (thephantom1492@yahoo.com) has tested running the openvpn client on his iphone (see below), thanks for the contribution!

The Steps

Step 1) Install server software
sudo apt-get install openvpn iptables-persistent openssl
Step 2) Obtain conf files

Copy sample conf files located in /usr/share/doc/openvpn/examples/sample-config-files/ to /etc/openvpn

Step 3) Generate certificates and keys for the server and multiple clients

Follow the guide at http://openvpn.net/index.php/open-source/documentation/howto.html#pki Tip: You may need to rename the openssl-1.0.0.cnf file to openssl.cnf.

Step 4) Edit the server.conf file.

Notes: Only tun is supported on the openvpn android 4.0 client. Also, port 443 and tcp rather than udp must be used for proxied openvpn connections.

port 443
proto tcp
;proto udp
dev tun
;dev tap
ca ca.crt # this was generated in previous step
cert server.crt # this was generated in previous step
key server.key # this was generated in previous step
dh dh1024.pem # this was generated in previous step
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn # it's not recommended for clients to share cert/keys,
             # but I'm gonna do it anyways
user nobody
group nogroup
management localhost 8000 # enable management interface
script-security 2 # to run scripts
client-disconnect "scripts/client-disconnect.sh" # log bytecounts to a file
Step 5) Enable ip forwarding

Edit /etc/sysctl.conf

net.ipv4.ip_forward=1
Step 6) Route all traffic through the vpn using iptables

Note: 10.8.0.0 was defined in server.conf and eth0 is assumed to be the network device as defined in the output of ifconfig. For a VPS, this might be venet0. Tip: Using iptables-save (iptables-persistent) will ensure that the settings are reloaded on next reboot.

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables-save | sudo tee /etc/iptables/rules.v4

Troubleshooting tip: On a second VPS I set up under OpenVZ, I had a problem with the ipt_MASQUERADE module being absent. So I had to do the following instead:

sudo iptables -t nat -A POSTROUTING -j SNAT --to-source <server_wan_ip_or_vps_venet_ip>
sudo iptables-save | sudo tee /etc/iptables/rules.v4
Step 7) Log bytecounts to a file using a script

Every time a user disconnects, bytecounts will be written to a file. Place the following script in /etc/openvpn/scripts/client-disconnect.sh

#!/bin/sh
# Run by openvpn on every client disconnect (client-disconnect in server.conf).
# common_name, bytes_sent, bytes_received, ifconfig_pool_remote_ip and
# untrusted_ip are exported into the environment by the openvpn server.
LOGGER=/usr/bin/logger

# logger -s echoes the message to stderr, which is appended to bytecounts.log.
# The command must be one line (continued with backslashes), otherwise the
# VIRT_IP/REAL_IP fields and the redirect are lost.
$LOGGER -s -plocal3.debug -t "[openvpn client-disconnect] `date`" \
    NAME=${common_name} SENT/RECEIVED=${bytes_sent}/${bytes_received} \
    VIRT_IP=${ifconfig_pool_remote_ip} REAL_IP=${untrusted_ip} 2>> /etc/openvpn/bytecounts.log

Change permissions of the script file and bytecounts.log file

sudo chmod a+x /etc/openvpn/scripts/client-disconnect.sh
sudo touch /etc/openvpn/bytecounts.log && sudo chown nobody /etc/openvpn/bytecounts.log
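An added example, not part of the original page, that turns the bytecounts.log written by the script above into per-client totals (bytes sent, bytes received, number of disconnects) and flags names whose combined traffic exceeds a byte limit. It assumes every record carries the NAME= and SENT/RECEIVED= tokens the script emits, whatever prefix logger -s puts before them; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: summarize the bytecounts.log that
# the client-disconnect script writes. Only the NAME= and SENT/RECEIVED= tokens
# are parsed, so the "tag: " prefix that logger -s adds does not matter.
# With duplicate-cn in server.conf every client presents the same common name,
# so the totals are per certificate, not per person (REAL_IP still differs).
set -eu

# Constructed sample records in the shape "<tag>: NAME=... SENT/RECEIVED=... ..."
sample_bytecounts_log() {
    cat <<'EOF'
[openvpn client-disconnect] Fri Jan 18 20:01:02 EST 2013: NAME=client1 SENT/RECEIVED=1048576/5242880 VIRT_IP=10.8.0.6 REAL_IP=198.51.100.7
[openvpn client-disconnect] Fri Jan 18 21:15:30 EST 2013: NAME=client2 SENT/RECEIVED=2048/4096 VIRT_IP=10.8.0.10 REAL_IP=203.0.113.9
some unrelated line that must be ignored
[openvpn client-disconnect] Sat Jan 19 08:00:00 EST 2013: NAME=client1 SENT/RECEIVED=524288/1048576 VIRT_IP=10.8.0.6 REAL_IP=198.51.100.7
EOF
}

# summarize_bytecounts FILE
# Prints one line per common name, "<name> <bytes_sent> <bytes_received> <disconnects>",
# sorted by name. Records missing either token are skipped.
summarize_bytecounts() {
    awk '
    {
        name = ""; sent = ""; recv = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^NAME=/) {
                name = substr($i, 6)                 # strip "NAME="
            } else if ($i ~ /^SENT\/RECEIVED=/) {
                split(substr($i, 15), parts, "/")    # strip "SENT/RECEIVED="
                sent = parts[1]; recv = parts[2]
            }
        }
        if (name == "" || sent == "" || recv == "") next
        tx[name] += sent; rx[name] += recv; n[name]++
    }
    END {
        for (name in tx)
            printf "%s %d %d %d\n", name, tx[name], rx[name], n[name]
    }' "$1" | sort
}

# clients_over_limit FILE LIMIT_BYTES
# Prints the common names whose sent+received total exceeds LIMIT_BYTES.
clients_over_limit() {
    summarize_bytecounts "$1" | awk -v limit="$2" '($2 + $3) > limit { print $1 }'
}

# Stand-alone demo: summarize the constructed sample and flag anything over 100 MB.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_bytecounts_log > "$tmp"
    summarize_bytecounts "$tmp"
    echo "over 100 MB:"
    clients_over_limit "$tmp" 104857600
    rm -f "$tmp"
fi
```

On the server, source the file and run summarize_bytecounts /etc/openvpn/bytecounts.log against the real log.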
Step 8) Start the server

Simply rebooting should start the server.

sudo /etc/init.d/openvpn restart

Tip: Run the openvpn server manually rather than as a daemon to facilitate debugging as follows.

sudo openvpn --config server.conf
Step 9) Copy necessary files to the openvpn client (the phone)

Copy the following 4 files: 1) ca*.crt, the Root CA certificate; 2) client1*.crt, the Client1 certificate; 3) client1*.key, the Client1 key; 4) client*.conf, the sample openvpn client config file, which we shall modify next.

Step 10) Edit the openvpn client config file

Tip: It might be easier to edit the config file on a computer before transferring to the phone.

;dev tap
dev tun
proto tcp
;proto udp
remote your.server.com 443 # change this to the ip of your server
resolv-retry infinite
http-proxy 10.128.1.69 80 # this is petro-canada mobility's APN http proxy
# do not use the previous line with wifi
# more info: http://mobility.petro-canada.ca/en/questions/138.aspx
ca ca.crt # this was generated previously and is the same file used by the server
cert client.crt # this was generated previously
key client.key # this was generated previously
;ns-cert-type server
remote-cert-tls server
Step 11a) Install client software on an android smartphone

Two options for Android 4+ that don't require root:

  • Official (recommended): https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en You will need to import the profile from SD then add a proxy manually in the Settings menu. If you have more than one VPN server, the client will fallback to the next server if the first server is unavailable which is nice.
  • Unofficial: https://play.google.com/store/apps/details?id=de.blinkt.openvpn Open the app, go to the vpn profiles page, open the client conf file, save the imported profile, verify location of 3 client files (server cert, client cert and client key). The proxy must be set in the config file. Note unlike the official app, this app only connects to a single server and will not fallback to a second server if the first is unavailable.

For Android 2.3, root required and need both apps:

  1. OpenVPN Installer: https://play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn.installer&hl=en
  2. OpenVPN Settings: https://play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn&hl=en (Note: If you are unable to browse, it might mean that the dns servers are not getting pushed to the client. In the config preferences, enable "Use VPN DNS server" and set the VPN DNS server to Google's DNS server, 8.8.8.8.)
Step 11b) Install client software on a pc

http://openvpn.net/index.php?option=com_content&id=357

Step 11c) Install client software on iphone (thanks The Phantom thephantom1492@yahoo.com)
  • iPhone (tested on a 4s); should work on an iPad too.
  • On the App Store, install the OpenVPN app (free).
  • You need to make a config file; here is an example:
---- start of config.ovpn ----
dev tun
proto tcp
remote put.your.ip.address.here.or.your.hostname 443
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
paste your server.ca certificate here
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
paste your user.crt data here
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
paste your user.key here
-----END RSA PRIVATE KEY-----
</key>
---- end of config.ovpn ----
  • Transfer the file using iTunes or email it to yourself (use the Mail app, then tap the attachment and open it with OpenVPN). OpenVPN will now open.
  • Add the profile, put your username and password.
  • Then, go to the Settings app, find openvpn.
  • Protocol: TCP
  • Enable proxy
  • Host: 10.128.1.69
  • Port: 80
  • Then you should be able to connect.
Step 12) Start the client

Disable wifi, enable 3g, connect to the vpn. Most if not all apps should work as if the 3g data connection was not proxied. Also, if you rented a VPS in the US, you should be able to watch netflix US as well as hulu.com (I needed to sideload the hulu plus app however, google it). Should also work with Amazon Instant Video (untested).

Bonus step 13) Forward torrent traffic through the vpn on port 44444 to 10.8.0.6
iptables -t nat -A PREROUTING -p tcp --dport 6880 -j DNAT --to 10.8.0.6:6880

iptables -t nat -A PREROUTING -p tcp --dport 44444 -j DNAT --to 10.8.0.6:44444

iptables -t nat -A PREROUTING -p udp --dport 44444 -j DNAT --to 10.8.0.6:44444

Troubleshooting

On Ubuntu 20.04, if openvpn fails with error "dh key too small", try
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
  • and change dh dh1024.pem to dh dh2048.pem in /etc/openvpn/server.conf

Source: https://kudzia.eu/b/2019/08/openvpn-openssl-error1408518assl-routinesssl3_ctx_ctrldh-key-too-small-after-upgrade-to-debina-buster/

On Ubuntu 16.04, if openvpn starts manually but fails to start as a service

Comment out the LimitNPROC line in /lib/systemd/system/openvpn@.service.

Source: https://serverfault.com/questions/891810/openvpn-wont-start-as-a-service-with-config-file

On Ubuntu 18.04, if CRL expired error appears in the log
  • Edit the easy-rsa/vars file and raise the CRL publish time to 10 years
set_var EASYRSA_CRL_DAYS 3650
  • Generate new crl.pem
easyrsa gen-crl
  • Copy or symlink the new crl.pem file to the openvpn server config folder
  • Restart server

Source: https://forum.openwrt.org/t/solved-openvpn-tls-handshake-timeout/46662/13