Howto/Setup Bridged OpenVPN server on Ubuntu 10.04: Difference between revisions

From Interpause
Latest revision as of 11:49, 16 February 2017

The desired setup requirements

I want my users to be able to access my network remotely as if they were locally. Also, I want client side configuration steps kept to a minimum. Specifically, I want clients to use the "alternative OpenVPN authentication method". Also, I want clients to be able to see all machines on the server's side (this last bit was what cost me a LOT of time to figure out). Last but not least, I do NOT want all traffic being forwarded through the VPN.

My setup

  • The following was tested on OpenVPN 2.1 but may work for other versions
  • I have a standard router that acts as my gateway, located at 192.168.8.1
  • My OpenVPN server has one NIC on eth0 and its IP address is 192.168.8.141, and it is using the default UDP 1194 port
  • My router is set up to assign IP addresses upon request via DHCP in the range 192.168.8.100 to 192.168.8.199, and my servers have static leases.
  • The OpenVPN server will be responsible for handing out IPs to clients in the range 192.168.8.5 to 192.168.8.99

The Steps

Using the following as a guide,

https://help.ubuntu.com/lts/serverguide/openvpn.html
https://help.ubuntu.com/10.04/serverguide/C/openvpn.html
https://help.ubuntu.com/10.04/serverguide/C/network-configuration.html#bridging

Step 1) Install prerequisites

sudo apt-get install openvpn bridge-utils easy-rsa

Step 2) Install a virtual bridged adapter

Modify /etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet manual

# bridge, if router can lease static ips (static ip: 192.168.8.141)
auto br0
iface br0 inet dhcp
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off

## bridge, if router cannot lease static ips
#auto br0
#iface br0 inet static
#        address 192.168.8.141
#        network 192.168.8.0
#        netmask 255.255.255.0
#        broadcast 192.168.8.255
#        gateway 192.168.8.1
#        bridge_ports eth0
#        bridge_fd 9
#        bridge_hello 2
#        bridge_maxage 12
#        bridge_stp off

Restart networking

sudo /etc/init.d/networking restart

Step 3) Create the server certificates

Follow the directions

https://help.ubuntu.com/10.04/serverguide/C/openvpn.html

Step 4) Configure the server

Note: Do not create client certificates, as we wish to authenticate only with a username and password, as per the instructions at http://openvpn.net/index.php/open-source/documentation/howto.html#auth

Specifically, start by getting a sample config file

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz

Then modify the server.conf

local 192.168.8.141
dev tap0
;dev tun
;server 10.8.0.0 255.255.255.0
server-bridge 192.168.8.141 255.255.255.0 192.168.8.5 192.168.8.99
push "route 192.168.8.0 255.255.255.0"
push "dhcp-option DNS 192.168.8.1"
client-to-client
duplicate-cn
;tls-auth ta.key 0
user nobody
group nogroup
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
push "ip-win32 dynamic 0 3600"
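A small audit of the server.conf above, added here as an example and not part of the original page or of OpenVPN itself: it reads the client pool from the server-bridge line and confirms it does not overlap the router's DHCP range given in "My setup" (192.168.8.100 to 192.168.8.199, taken from this page), and it reports the two settings that make this configuration password-only, namely tls-auth left commented out and client-cert-not-required set. The function names and the constructed sample configuration are mine.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit an OpenVPN server.conf for the
# bridged setup described above. Assumes the router hands out DHCP leases in
# 192.168.8.100-192.168.8.199, as stated in "My setup".
ROUTER_DHCP_START=192.168.8.100
ROUTER_DHCP_END=192.168.8.199

# Dotted quad -> integer so address ranges can be compared numerically.
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Exit 0 if inclusive ranges [a1,a2] and [b1,b2] share an address, 1 otherwise.
ranges_overlap() {
    a1=$(ip2int "$1"); a2=$(ip2int "$2")
    b1=$(ip2int "$3"); b2=$(ip2int "$4")
    [ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ]
}

# Print "start end" of the client pool from the server-bridge line:
#   server-bridge <gateway> <netmask> <pool-start> <pool-end>
bridge_pool() {
    awk '$1 == "server-bridge" { print $4, $5; exit }' "$1"
}

# Exit 0 if the directive appears uncommented in the file.
directive_active() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# Exit 0 if the directive appears only on ";"- or "#"-commented lines.
directive_commented_only() {
    ! directive_active "$1" "$2" && grep -Eq "^[[:space:]]*[;#][[:space:]]*$2([[:space:]]|$)" "$1"
}

# Print findings; the return value is the number of findings (0 = clean).
audit_server_conf() {
    conf=$1; findings=0
    set -- $(bridge_pool "$conf")
    if [ $# -ne 2 ]; then
        echo "no server-bridge pool found"; findings=$((findings + 1))
    elif ranges_overlap "$1" "$2" "$ROUTER_DHCP_START" "$ROUTER_DHCP_END"; then
        echo "VPN pool $1-$2 overlaps router DHCP range $ROUTER_DHCP_START-$ROUTER_DHCP_END"
        findings=$((findings + 1))
    fi
    if directive_commented_only "$conf" "tls-auth"; then
        echo "tls-auth is commented out: the server starts a TLS handshake with any packet source"
        findings=$((findings + 1))
    fi
    if directive_active "$conf" "client-cert-not-required"; then
        echo "client-cert-not-required: authentication rests on PAM passwords alone"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample mirroring the server.conf shown above; written to a temp
# file whose path is printed, so the audit can be tried without a live server.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
local 192.168.8.141
dev tap0
;dev tun
server-bridge 192.168.8.141 255.255.255.0 192.168.8.5 192.168.8.99
push "route 192.168.8.0 255.255.255.0"
client-to-client
duplicate-cn
;tls-auth ta.key 0
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name
EOF
    echo "$f"
}

# Usage: sh audit-server-conf.sh /etc/openvpn/server.conf
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    audit_server_conf "$1"
fi
```

The range check matters because the router and the OpenVPN server both hand out addresses on the same 192.168.8.0/24 segment once tap0 is bridged onto it, so the two pools must not intersect. The tls-auth finding is informational: with the directive commented out, as in the page's config, every UDP packet reaching port 1194 is handed to the TLS layer, whereas with it enabled the server drops packets lacking the shared HMAC before any handshake work.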

Create the up.sh and down.sh scripts as per the Ubuntu guide

https://help.ubuntu.com/10.04/serverguide/C/openvpn.html

place them in /etc/openvpn and make them executable

sudo chmod 755 /etc/openvpn/down.sh
sudo chmod 755 /etc/openvpn/up.sh
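The up.sh and down.sh scripts are linked above but not reproduced. What follows is an added example, modelled on the Ubuntu server guide's scripts from memory rather than copied from the page or the guide: a single file that attaches the tap device to the bridge when OpenVPN brings the tunnel up and detaches it on the way down, and after attaching checks in sysfs that the port really is part of br0 and that the net.ipv4.ip_forward setting from later in this step is on. SYS_ROOT, IP_FORWARD and the function names are my own; the defaults point at the live system and exist only so the checks can be exercised against a copy.

```shell
#!/bin/sh
# Added example, not the page's or the Ubuntu guide's own file. Install it as
# both /etc/openvpn/up.sh and /etc/openvpn/down.sh (copy or symlink); it
# dispatches on its own name. OpenVPN invokes it as
#   up.sh   <bridge> <tapdev> <tun_mtu> <link_mtu> <local_ip> <remote_ip> init
#   down.sh <bridge> <tapdev> <tun_mtu> <link_mtu> <local_ip> <remote_ip> init
# where <bridge> comes from the 'up "/etc/openvpn/up.sh br0"' line and the rest
# is appended by OpenVPN. SYS_ROOT and IP_FORWARD are assumed names used so the
# checks can be pointed at a copy of sysfs/procfs.
SYS_ROOT=${SYS_ROOT:-/sys/class/net}
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}

# Accept only plain interface names (letters, digits, . _ -; max 15 chars)
# before handing them to ifconfig/brctl.
is_ifname() {
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# Accept only a decimal number for the MTU.
is_number() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# Exit 0 if DEV is currently a port of bridge BR (the kernel lists bridge
# ports as entries under /sys/class/net/<BR>/brif/).
bridge_has_port() {
    [ -e "$SYS_ROOT/$1/brif/$2" ]
}

# Exit 0 if IPv4 forwarding is enabled (the net.ipv4.ip_forward=1 step).
ip_forward_enabled() {
    [ -r "$IP_FORWARD" ] && [ "$(cat "$IP_FORWARD")" = "1" ]
}

# attach_tap BR DEV MTU: bring the tap device up and add it to the bridge,
# then verify the result instead of trusting the exit status alone.
attach_tap() {
    is_ifname "$1" && is_ifname "$2" && is_number "$3" || {
        echo "up.sh: refusing odd arguments: $1 $2 $3" >&2; return 1; }
    /sbin/ifconfig "$2" mtu "$3" promisc up
    /sbin/brctl addif "$1" "$2"
    bridge_has_port "$1" "$2" || { echo "up.sh: $2 is not a port of $1" >&2; return 1; }
    ip_forward_enabled || echo "up.sh: warning: net.ipv4.ip_forward is 0; see the sysctl.conf step" >&2
}

# detach_tap BR DEV: remove the tap device from the bridge and take it down.
detach_tap() {
    is_ifname "$1" && is_ifname "$2" || return 1
    /sbin/brctl delif "$1" "$2"
    /sbin/ifconfig "$2" down
}

# Dispatch on the name OpenVPN called us by; any other name defines only the
# functions above and does nothing.
case "$(basename "$0")" in
    up.sh)   attach_tap "$1" "$2" "$3" ;;
    down.sh) detach_tap "$1" "$2" ;;
esac
```

Run with --script-security 2 (see the troubleshooting tip at the end of the page) so that OpenVPN is allowed to execute the script; the stderr messages then show up directly in the console output, which is where a missing bridge port or a forgotten sysctl is easiest to spot.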

Here was the part that took me MANY HOURS to figure out as it was only by browsing the OpenVPN FAQ that I figured it out. For clients to see all machines on the server's side, edit /etc/sysctl.conf

net.ipv4.ip_forward=1

Restart the server for changes to take effect.

Step 5) Forward ports on the router

Forward requests for port 1194 on the router to the IP address of the server via the router's web interface.

Step 6) On another machine outside the network, install the client

For Ubuntu it is already installed after doing

sudo apt-get install openvpn

For Windows, get the complete installation package here

http://openvpn.se/download.html

Step 6) Configure the client

Get a sample config file. On Ubuntu, it is located here

/usr/share/doc/openvpn/examples/sample-config-files/client.conf

and, if run as a daemon, it must be placed in /etc/openvpn along with the ca.crt file that was generated in Step 3.

On Windows, it is located at

C:\Program Files\OpenVPN\sample-config\client.ovpn

and it must be placed in

C:\Program Files\OpenVPN\config

along with the ca.crt file that was generated in Step 3.

Modify the following lines in client.conf or client.ovpn

dev tap
;dev tun
remote www.interpause.com 1194
user nobody
group nobody
;cert client.crt
;key client.key
;tls-auth ta.key 1
auth-user-pass

Step 7) Start the client

On Ubuntu, it can be started as a daemon or at the command prompt using

sudo openvpn --config client.conf

On Windows, reload the GUI and a Connect option should appear if the config file and the ca.crt certificate are in the correct place.

You should be able to ping and access any shares located on the server's side.

Troubleshooting Tip

On an Ubuntu server or client, instead of running OpenVPN as a daemon, execute it at the command prompt using

sudo openvpn --config server.conf --script-security 2

and observe the output.