A few days ago I bought a VPS account on which I installed Ubuntu 11.04. This is how I installed OpenVPN on the VPS.
The network configuration:
# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:11947 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11947 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1287068 (1.2 MB)  TX bytes:1287068 (1.2 MB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:33189 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33130 errors:0 dropped:10 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7778081 (7.7 MB)  TX bytes:7956162 (7.9 MB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:208.89.210.232  P-t-P:208.89.210.232  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:208.89.210.78  P-t-P:208.89.210.78  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
Install the OpenVPN package and add an openvpn user:
# apt-get install openvpn
# adduser --system --no-create-home --group openvpn
Configure Easy-RSA:
Easy-RSA is a tool for managing the certificates that grant clients access to the OpenVPN server.
# mkdir /etc/openvpn/easy-rsa
# cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
# cd /etc/openvpn/easy-rsa
# nano vars
Now you're editing the /etc/openvpn/easy-rsa/vars file. Scroll down to the bottom until you see "export KEY_COUNTRY=" and edit the values accordingly:
export KEY_COUNTRY="SG"
export KEY_PROVINCE="Singapore"
export KEY_CITY="Singapore"
export KEY_ORG="My Company"
export KEY_EMAIL="root@server.local"
After editing, exit with CTRL+X and answer Y to save the file.
Run the following commands, accepting the default answer to each question:
# source ./vars
# ./clean-all
# chmod 700 /etc/openvpn/easy-rsa/keys/
# ./build-ca
# ./build-dh
Create the server key; in this case I use the domain 'vpn.id-ebook.com'.
# ./build-key-server vpn.id-ebook.com
If you want to create server certificates for more domains, just use these 3 commands:
# cd /etc/openvpn/easy-rsa
# source ./vars
# ./build-key-server <domain name>
Now we create the server configuration file. You can replace myserver.conf with any name.
# nano /etc/openvpn/myserver.conf
and type in the following configuration lines:
server 10.8.0.0 255.255.255.0
# YOUR LOCAL SERVER IP HERE: (I decided to comment out this value)
# local a.b.c.d
dev tun
proto udp
comp-lzo
# THESE 2 LINES ARE HELPFUL FOR THOSE WITH MOBILE (3G / 3.5G) BROADBAND:
tun-mtu 1500
tun-mtu-extra 32
# ROUTE THE CLIENT'S INTERNET ACCESS THROUGH THIS SERVER:
push "redirect-gateway def1"
keepalive 10 60
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
# ENSURE THE DOMAIN NAME/FILENAME IS CORRECT:
cert /etc/openvpn/easy-rsa/keys/vpn.id-ebook.com.crt
key /etc/openvpn/easy-rsa/keys/vpn.id-ebook.com.key
# LEAVE THE FOLLOWING LINE COMMENTED FOR NOW:
# crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
user openvpn
group openvpn
persist-key
persist-tun
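The config above leaves a few things to the reader's care: the cert/key filenames must match the domain, crl-verify stays commented out, and the daemon must actually drop to the openvpn user. The following script is an added example (not from the original post) that audits a server config for those points. It assumes the one-directive-per-line layout shown above and resolves relative paths against the config file's directory, as OpenVPN does; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): audit an OpenVPN server
# config such as /etc/openvpn/myserver.conf for the points the tutorial
# says to watch (cert/key files present, crl-verify commented, root drop).
# Assumes the one-directive-per-line layout used in the tutorial.

# Print the first argument of the first uncommented occurrence of a directive.
ovpn_get() {
    # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Succeed (exit 0) if the directive appears uncommented, fail otherwise.
ovpn_has() {
    awk -v d="$2" 'BEGIN { r = 1 } $1 == d { r = 0; exit } END { exit r }' "$1"
}

# Resolve a path from the config: absolute paths as-is, relative paths
# against the directory the config file lives in.
ovpn_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s\n' "$(dirname "$1")/$2" ;;
    esac
}

# Audit one config. Prints one finding per line; returns the finding count
# (0 means nothing to report).
ovpn_audit() {
    cfg="$1"
    n=0

    # 1. ca/cert/key/dh must be present and point at existing files
    for d in ca cert key dh; do
        f=$(ovpn_get "$cfg" "$d")
        if [ -z "$f" ]; then
            echo "MISSING: no '$d' directive"
            n=$((n + 1))
        elif [ ! -f "$(ovpn_path "$cfg" "$f")" ]; then
            echo "MISSING: $d file $(ovpn_path "$cfg" "$f") not found"
            n=$((n + 1))
        fi
    done

    # 2. the server private key must be readable by its owner only
    k=$(ovpn_get "$cfg" key)
    if [ -n "$k" ] && [ -f "$(ovpn_path "$cfg" "$k")" ]; then
        # columns 5-10 of 'ls -l' are the group and other permission bits
        go=$(ls -ld "$(ovpn_path "$cfg" "$k")" | cut -c5-10)
        if [ "$go" != "------" ]; then
            echo "PERMS: private key $k is group/world accessible ($go)"
            n=$((n + 1))
        fi
    fi

    # 3. without crl-verify a revoked client certificate still connects
    if ! ovpn_has "$cfg" crl-verify; then
        echo "WARN: crl-verify is commented out or absent; revoked certs stay valid"
        n=$((n + 1))
    fi

    # 4. the daemon should drop root after start-up
    for d in user group; do
        if ! ovpn_has "$cfg" "$d"; then
            echo "WARN: no '$d' directive; openvpn keeps running as root"
            n=$((n + 1))
        fi
    done

    return "$n"
}

# Usage: ovpn_audit /etc/openvpn/myserver.conf
```

Run it as root after writing the config; with the tutorial's config exactly as above it reports only the commented-out crl-verify, which is expected at this stage and goes away once you generate crl.pem and uncomment that line.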
Client configuration:
First of all, we create the client access certificate on the server (the author calls it the CSR file; it is produced as a PKCS#12 .p12 bundle).
# cd /etc/openvpn/easy-rsa
# source ./vars
# ./build-key-pkcs12 <csr name>
The CSR name can be anything, for example mylaptop. This will generate the file /etc/openvpn/easy-rsa/keys/mylaptop.p12.
Then configure IP forwarding and NAT on the server:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to 208.89.210.232
208.89.210.232 is the Ubuntu server's public IP.
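The two commands above take effect immediately but do not survive a reboot, and running the iptables line twice appends the same rule twice. As an added example (not from the original post), the script below does the same setup idempotently: it validates the addresses, adds the SNAT rule only if an identical one is not already present (iptables -C), and makes forwarding persistent through /etc/sysctl.d. It assumes Linux with iptables and sysctl; --to-source is the long form of the --to used above. The IPT and SYSCTL variables and all function names are my own hooks, there so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not part of the original post): apply the tutorial's
# forwarding and SNAT setup so it can be re-run safely and survives a reboot.
# Assumes Linux with iptables and sysctl. IPT/SYSCTL are hooks for testing.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Validate a dotted-quad IPv4 address with an optional /prefix (0-32).
is_ipv4() {
    addr="${1%%/*}"
    case "$1" in
        */*) pfx="${1#*/}"
             printf '%s\n' "$pfx" | grep -Eq '^[0-9]{1,2}$' && [ "$pfx" -le 32 ] || return 1 ;;
    esac
    printf '%s\n' "$addr" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the rule specification (without -A/-C) so the existence check and
# the append use exactly the same match.
snat_spec() {
    # $1 = VPN subnet, $2 = outgoing interface, $3 = public IP
    printf '%s\n' "POSTROUTING -s $1 -o $2 -j SNAT --to-source $3"
}

# Add the SNAT rule only if an identical rule is not already present.
# Returns 1 (and touches nothing) if the subnet or public IP is malformed.
snat_ensure() {
    is_ipv4 "$1" && is_ipv4 "$3" || return 1
    spec=$(snat_spec "$1" "$2" "$3")
    # $spec is intentionally unquoted so it expands to separate arguments
    if $IPT -t nat -C $spec 2>/dev/null; then
        echo "rule already present: $spec"
    else
        $IPT -t nat -A $spec
    fi
}

# Turn forwarding on now and persist it in sysctl.d.
# $1 = sysctl.d directory (defaults to /etc/sysctl.d; overridable for tests)
forward_enable() {
    dir="${1:-/etc/sysctl.d}"
    printf 'net.ipv4.ip_forward = 1\n' > "$dir/99-openvpn-forward.conf" || return 1
    "$SYSCTL" -w net.ipv4.ip_forward=1 >/dev/null
}

# Usage (as root), matching the tutorial's values:
#   forward_enable
#   snat_ensure 10.8.0.0/24 venet0 208.89.210.232
```

Keeping the subnet restricted to 10.8.0.0/24 in the SNAT rule matters: a bare MASQUERADE/SNAT on venet0 would also translate traffic that has nothing to do with the VPN. The rule itself still needs a persistence mechanism of its own (for example iptables-save into your distribution's restore hook), which this script does not attempt.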
For the client I use Windows XP, so I download and install OpenVPN GUI from http://openvpn.se
Create a mylaptop.vpn.id-ebook.com.ovpn config file in C:\Program Files\OpenVPN\config\ with the following content:
client
dev tun
proto udp
# THE IP OF THE REMOTE OPENVPN SERVER:
remote 208.89.210.232
# THE CSR FILE:
pkcs12 mylaptop.p12
comp-lzo
Don't forget to copy mylaptop.p12 from the server to the client PC and put it in the C:\Program Files\OpenVPN\config\ folder as well.
At this stage, all configuration is done.
Now restart the OpenVPN server:
# /etc/init.d/openvpn restart
Then run the OpenVPN client to connect to the server.