Installing OpenVPN on Ubuntu 10.04
Madison Linux Users Group (MadLUG)
Brad Stone
Introduction
There are many tutorials on the web which explain how to install OpenVPN, but I found that most of them lack critical pieces of information that are essential to getting it installed and running. Much of this material came from the official Ubuntu documentation, but a lot of additional information and detail has been added. I'm not an expert on OpenVPN, and this procedure may not be perfect, but I can attest that it will work with a stock installation of Ubuntu 10.04.
Audience
These instructions are designed for an average Linux user who has an Ubuntu server and wants to set up a VPN so they can securely use the Internet from an insecure wifi hotspot. They assume that you do not have any Linux administration training, but are comfortable with tinkering with your server. There are some prerequisites:
1) You will need to be able to install and configure software on your server.
2) You will need to be able to copy files from your server (e.g. scp, mounting a USB drive, etc.)
3) You will need to be able to set up a port forward on your router.
If you can do these things then you should be all set. The install will probably take about an hour or so. Let's get started.
Our Sample Setup
To simplify the instructions and make things a little clearer, we will assume that you have a home server behind a firewall/router and you want to connect to your VPN with a laptop. In VPN terms, your server will be running a “VPN Server” and the laptop will be a “VPN Client.” We are also going to assign sample network IP addresses, which you will need to change to reflect your real system. Just replace every instance of the sample IP addresses with your actual ones when you come across them.
I have elected to document a bridged network instead of a routed one, primarily because that is the way the official Ubuntu documentation did it. A bridged network should work just fine for a small setup. What's the difference, you ask? A routed VPN will have the clients on a different subnet from the server, while a bridged VPN will have the VPN clients on the same subnet as the server. The bridged setup is a little harder to install, but ensures that you can hit your local network devices (printers, file shares, etc.) when you VPN in.
We are also going to make the decision to route all network traffic through the VPN. This will slow down your web browsing when connected to the VPN, but it will make it secure. Basically, your Internet browsing speed will be limited to your server's network upload limit.
Installing OpenVPN on Ubuntu 10.04
Version 1.0
Page 1 of 11
This document will require the use of Ubuntu's Network Manager on the client. There are other tutorials which describe how to modify the configuration files with a text editor, but for the sake of ease and simplicity, we will stick to Network Manager.
The topology would look something like this:
As shown in the network diagram, we assume the VPN server has a static IP of 192.168.101.50.
Note: VPNs can get confused if the client and the server subnets are the same (e.g. your coffeeshop happens to use the same router that you do and they are both 192.168.1.1). Therefore, it is advisable to put your home network on a non-standard subnet, so you will have no problems connecting from public hotspots. In our examples, we have put our server on 192.168.101.1.
To test your VPN at home, you will need two routers with different subnets: one to host the VPN and the other to allow the client to connect to the Internet. Those routers can be plugged into each other, but they must have different subnets. You can also use a client that is in a virtual machine, as long as it appears on a different network.
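The subnet collision described in the note above can be checked from the laptop before connecting. The following script is an added example, not part of the original guide; the function names are made up for illustration and HOME_NET is the guide's sample home subnet.

```shell
#!/bin/sh
# Added example (not from the original guide): subnet collision pre-check.
# HOME_NET is the guide's sample home subnet; change it to your own.
HOME_NET=192.168.101.0/24

# ip_to_int A.B.C.D -> the address as one integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# net_range ADDR/BITS -> "first last" integer addresses of that network
net_range() {
    bits=${1#*/}
    addr=$(ip_to_int "${1%/*}")
    size=$(( 1 << (32 - $bits) ))
    first=$(( $addr / $size * $size ))
    echo "$first $(( $first + $size - 1 ))"
}

# subnets_overlap NET1 NET2 -> exit status 0 if they share any address
subnets_overlap() {
    set -- $(net_range "$1") $(net_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_hotspot HOME_NET LOCAL_NET... -> one verdict line per local network,
# exit status 1 if any of them collides with the home subnet
check_hotspot() {
    home_net=$1; shift; rc=0
    for net in "$@"; do
        if subnets_overlap "$home_net" "$net"; then
            echo "COLLISION $net overlaps $home_net"; rc=1
        else
            echo "ok $net"
        fi
    done
    return $rc
}

# Constructed sample: a laptop on a hotspot that hands out 192.168.1.x
#   check_hotspot "$HOME_NET" 192.168.1.23/24
# On a live client (before the VPN is up), feed it the real addresses:
#   check_hotspot "$HOME_NET" $(ip -o -f inet addr show | awk '{print $4}')
```

A COLLISION line means the hotspot hands out addresses from the same range as the home network, which is the situation the note warns about.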
Overview of the Installation
1. Installing a network bridge and configuring network settings on the server
2. Installation and Configuration of OpenVPN on the server
3. Creating the Keys and Certificates
4. Install and Configure OpenVPN Client
5. Troubleshooting and Tips
Installing the Network Bridge and Configuring Network Settings
OpenVPN requires that you install a network bridge, which is basically a type of virtual network device that will interact with your existing network hardware. In essence we will be setting up an OpenVPN device called “tap1” and will link it to our standard “eth0” network interface. This conduit connection will be called “br0.” (If your server uses something other than “eth0” to connect to the Internet, then make the appropriate substitutions throughout this document.)
1) Install OpenVPN and the bridge utilities on the server:
sudo apt-get install openvpn bridge-utils
2) Change your network to use the new interface by modifying your /etc/network/interfaces file. Make sure you back it up first. The file should be changed to look something like this:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
#### NOTE COMMENT OUT THESE LINES (original eth0 declaration) OR DELETE THEM FOR OPENVPN
# The primary network interface
#iface eth0 inet static
#address 192.168.101.10
#netmask 255.255.255.0
#gateway 192.168.101.1
# Set up the bridge interface for OpenVPN
auto br0
iface br0 inet static
    address 192.168.101.50
    netmask 255.255.255.0
    gateway 192.168.101.1
    bridge_ports eth0
#### NOTE: If you are running OpenVPN in a virtual machine, then uncomment these lines:
#   bridge_fd 9
#   bridge_hello 2
#   bridge_maxage 12
#   bridge_stp off
iface eth0 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down
Note: It is very important to either delete or comment out the original stanza that defined eth0. (As shown above, but yours may look different.) Your system may lose networking if you don't.
3) To allow your VPN client to browse the Internet, you will need to enable IPv4 forwarding.
sudo nano /etc/sysctl.conf
Uncomment the line that reads:
net.ipv4.ip_forward=1
4) You will need to open a port on your firewall to allow the VPN traffic to get to the server. OpenVPN uses port 1194 by default, so on your router, forward that port (as UDP) to your server running OpenVPN.
5) Reboot your server and ensure that networking is working by trying to SSH into it or pinging a site on the Internet.
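Before the reboot in step 5, the two edited files can be linted for the mistakes this section warns about: an original eth0 stanza left active, a bridge that does not include eth0, and IPv4 forwarding still commented out. This script is an added example, not part of the original guide; the function names are made up for illustration and the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): lint the files edited in steps 2 and 3.

# active_lines FILE -> contents with comments and blank lines stripped
active_lines() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# check_interfaces FILE [NIC] -> prints problems, exit status 1 if any were found
check_interfaces() {
    conf=$(active_lines "$1"); nic=${2:-eth0}; rc=0
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*iface[[:space:]]+br0[[:space:]]+inet[[:space:]]+static' ||
        { echo "br0 is not defined as a static interface"; rc=1; }
    printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*bridge_ports[[:space:]]+(.*[[:space:]])?$nic([[:space:]]|\$)" ||
        { echo "$nic is not listed in bridge_ports"; rc=1; }
    if printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*iface[[:space:]]+$nic[[:space:]]+inet[[:space:]]+(static|dhcp)"; then
        echo "original $nic stanza is still active; comment it out or delete it"; rc=1
    fi
    return $rc
}

# check_forwarding FILE -> exit status 1 unless ip_forward=1 is set and uncommented
check_forwarding() {
    active_lines "$1" | grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' ||
        { echo "net.ipv4.ip_forward=1 is missing or still commented out"; return 1; }
}

# write_samples DIR -> constructed input (not taken from a real server): an
# interfaces file with the old eth0 stanza left in, and a stock sysctl.conf line
write_samples() {
    cat > "$1/interfaces.bad" <<'EOF'
auto lo
iface lo inet loopback
iface eth0 inet static
    address 192.168.101.10
    netmask 255.255.255.0
auto br0
iface br0 inet static
    address 192.168.101.50
    netmask 255.255.255.0
    gateway 192.168.101.1
    bridge_ports eth0
EOF
    printf '#net.ipv4.ip_forward=1\n' > "$1/sysctl.stock"
}

# On the server:
#   check_interfaces /etc/network/interfaces && check_forwarding /etc/sysctl.conf
```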
Create the Server Keys and Certificates
We need to create keys and certificates that will eventually be installed onto our laptop. This will ensure that only authorized machines can connect to our VPN. Here we create them and copy them into the correct locations on the server. Easy-RSA is a series of scripts which greatly simplifies this process. We will modify a text file then issue the commands to generate the keys.
1) Create an easy-rsa folder, copy the example files into it, and set the permissions:
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R $USER /etc/openvpn/easy-rsa/
2) Edit the text file so that it reflects your information:
sudo nano /etc/openvpn/easy-rsa/vars
3) Change these items (located at the end of the file) to personalize your certificate.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
4) Generate the server keys and copy them to the correct locations.
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
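Of the five files copied in step 4, server.key and ta.key are secrets, so after the copy it is worth confirming that all five arrived and that the two secrets are readable by their owner only. This script is an added example, not part of the original guide; the function names are made up for illustration and the sample directory it builds contains empty constructed files.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the files copied in step 4.

# audit_server_keys DIR -> prints one line per problem, exit status 1 if any
audit_server_keys() {
    dir=$1; rc=0
    # All five files from the "sudo cp" line must be present.
    for f in server.crt server.key ca.crt dh1024.pem ta.key; do
        [ -f "$dir/$f" ] || { echo "missing: $f"; rc=1; }
    done
    # The two secrets must carry no group or other permission bits.
    # Characters 5-10 of the "ls -l" mode string are the group and other bits.
    for f in server.key ta.key; do
        [ -f "$dir/$f" ] || continue
        perms=$(ls -ld "$dir/$f" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "too open: $f ($perms)"; rc=1; }
    done
    return $rc
}

# make_sample DIR -> constructed stand-in for /etc/openvpn (empty files only),
# with server.key deliberately left group and world readable
make_sample() {
    for f in server.crt server.key ca.crt dh1024.pem ta.key; do : > "$1/$f"; done
    chmod 644 "$1/server.crt" "$1/ca.crt" "$1/dh1024.pem" "$1/server.key"
    chmod 600 "$1/ta.key"
}

# On the server:
#   audit_server_keys /etc/openvpn
```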
Generate the Client Keys and Certificates
It's now time to generate the client keys. These are created on the server, not on the laptop. It is good practice to generate a different client key for each machine that will be connecting to the VPN. By default, OpenVPN won't allow multiple users to connect using the same keys. You can name the keys