By John C. Rucker
Setting up Ubuntu as an OpenVPN gateway is dead easy, though there are a number of steps. I set up these systems so infrequently that I tend to forget how I did it. These instructions are mostly for my own benefit the next time I have to do this.
These are just step-by-step instructions for a bridged VPN that we use here. If you need a different setup or want to know how things work, you want to read the OpenVPN documentation. Look elsewhere if you don't like the command line. Total time from popping the install CD in to connecting clients: less than 1 hour.
These instructions are mostly a mixture of what I found here:
I recommend the following GUI interfaces for OpenVPN clients:
- Windows: config files go in C:\Program files\OpenVPN\config\. Need to run as an administrator the first time only.
- Mac: config files go in ~/Library/openvpn/.
Install whatever version of Debian/Ubuntu you want. These instructions will most likely work for any version of any Debian-based Linux distribution, though I most recently tested them on Ubuntu 10.4, Lucid Lynx. I use the base server installation with no additional packages installed at first. We will enable the root user, install OpenSSH server, disallow root access to same, install OpenVPN server, then generate the keys we need.
# sudo passwd root
# su
# mv /etc/securetty /etc/securetty.bak
# touch /etc/securetty
# mv /etc/sudoers /etc/sudoers.bak
# apt-get update
# apt-get upgrade
# apt-get install openssh-server openvpn bridge-utils
# vi /etc/issue.net
Copy the following text into /etc/issue.net:
*******************************************************************************
NOTICE TO USERS
This computer system is the property of the Branch District Library. It is
for authorized use only. Users (authorized or unauthorized) have no explicit
or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted,
monitored, recorded, copied, audited, inspected, and disclosed to authorized
officials of law enforcement and government agencies.
By using this system, the user consents to such interception, monitoring,
recording, auditing, inspection, and disclosure at the discretion of the Branch
District Library or other authorized officials of law enforcement or government
agencies.
Unauthorized or improper use of this system may result in civil and criminal
penalties and administrative or disciplinary action, as appropriate. By
continuing to use this system you indicate your awareness of and consent to
these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to
the conditions stated in this notice.
*******************************************************************************
# vi /etc/ssh/sshd_config
Find PermitRootLogin yes in /etc/ssh/sshd_config and change "yes" to "no". Also, uncomment the line that reads #Banner /etc/issue.net.
# cp -Rp /usr/share/doc/openvpn/examples/ /etc/openvpn/
# cd /etc/openvpn/examples/easy-rsa/2.0/
# vi vars
Edit KEY_COUNTRY, etc., as appropriate.
# . ./vars
# ./clean-all
# ./build-ca
# ./build-dh
# ./build-key-server server
Replace 'client1' below with a meaningful name, and repeat as many times as needed.
# ./build-key client1
# openvpn --genkey --secret keys/ta.key
Copy ca.crt, client1.crt, client1.key, ta.key to client1. Repeat for all clients.
# vi /etc/openvpn/server.conf
Copy the below into /etc/openvpn/server.conf, modify the server-bridge directive to fit your needs:
server-bridge 192.168.40.5 255.255.255.0 192.168.40.200 192.168.40.209
port 1194
proto udp
dev tap0
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
ca examples/easy-rsa/2.0/keys/ca.crt
cert examples/easy-rsa/2.0/keys/server.crt
key examples/easy-rsa/2.0/keys/server.key
dh examples/easy-rsa/2.0/keys/dh1024.pem
tls-auth examples/easy-rsa/2.0/keys/ta.key 0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-128-CBC
# vi /etc/init.d/bridge
Copy the below into /etc/init.d/bridge, modify the eth, eth_ip, eth_netmask, eth_broadcast, and gw to fit your needs:
#!/bin/bash
# Create global variables
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.40.5"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.40.255"
gw="192.168.40.1"

start_bridge ()
{
    # Create the persistent TAP device(s) that OpenVPN will use
    for t in $tap; do
        openvpn --mktun --dev $t
    done
    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done
    # Strip the address from the physical NIC; the bridge takes it over below
    ifconfig $eth 0.0.0.0 promisc up
    brctl addbr $br
    brctl addif $br $eth
    for t in $tap; do
        brctl addif $br $t
    done
    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
    route add default gw $gw $br
}

stop_bridge ()
{
    ifconfig $br down
    brctl delbr $br
    for t in $tap; do
        openvpn --rmtun --dev $t
    done
    # Hand the LAN address and default route back to the physical NIC
    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
    route add default gw $gw $eth
}

case "$1" in
    start)
        echo -n "Starting Bridge"
        start_bridge
        ;;
    stop)
        echo -n "Stopping Bridge"
        stop_bridge
        ;;
    restart)
        stop_bridge
        sleep 2
        start_bridge
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac
# cd /etc/init.d/
# chmod +x bridge
# update-rc.d bridge start 15 2 3 4 5 . stop 81 0 1 6 .
# iptables -A INPUT -i tap0 -j ACCEPT
# iptables -A INPUT -i br0 -j ACCEPT
# iptables -A FORWARD -i br0 -j ACCEPT
# /etc/init.d/bridge start
# /etc/init.d/openvpn start
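As an added check that is not part of the original post: a short Python script that verifies the server-bridge line in server.conf against the eth_ip, eth_netmask, eth_broadcast and gw variables at the top of the bridge script, and that the client address pool sits inside the bridged LAN without overlapping the server's own address or the default gateway. The embedded values are the ones used in this post.

```python
import ipaddress

# Constructed values copied from this post: the server-bridge line of
# server.conf and the variables at the top of /etc/init.d/bridge.
SERVER_BRIDGE = "server-bridge 192.168.40.5 255.255.255.0 192.168.40.200 192.168.40.209"
BRIDGE_VARS = {"eth_ip": "192.168.40.5", "eth_netmask": "255.255.255.0",
               "eth_broadcast": "192.168.40.255", "gw": "192.168.40.1"}


def check_bridge(server_bridge_line, bridge_vars):
    """Return problems with the address plan; an empty list means server.conf and the
    bridge script agree and the client pool cannot collide with the server or gateway."""
    _, ip, mask, first, last = server_bridge_line.split()
    problems = []
    # server-bridge's address/netmask must be what the bridge script puts on br0
    if (ip, mask) != (bridge_vars["eth_ip"], bridge_vars["eth_netmask"]):
        problems.append("server-bridge address/netmask differ from eth_ip/eth_netmask")
    lan = ipaddress.ip_network(f"{bridge_vars['eth_ip']}/{bridge_vars['eth_netmask']}",
                               strict=False)
    if str(lan.broadcast_address) != bridge_vars["eth_broadcast"]:
        problems.append("eth_broadcast is not the broadcast address of the LAN")
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        problems.append("client pool start is after its end")
    # Bridged clients sit on the LAN, so their pool must come from the LAN's subnet
    if lo not in lan or hi not in lan:
        problems.append("client pool is outside the bridged LAN")
    # The server's own address and the default gateway must never be handed to a client
    for name in ("eth_ip", "gw"):
        if lo <= ipaddress.ip_address(bridge_vars[name]) <= hi:
            problems.append(f"{name} lies inside the client pool")
    return problems


if __name__ == "__main__":
    print(check_bridge(SERVER_BRIDGE, BRIDGE_VARS))  # [] for the values in this post
```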
OpenVPN should now be running. Copy the below as BDL.conf (or BDL.ovpn for Windows clients) and place it in the proper place for your client, along with ca.crt, client1.crt, client1.key, and ta.key. Insert your server's IP address or hostname and change "client1" to the appropriate name for your client key and certificate.
client
dev tap
remote VPN-SERVER-IP-OR-HOSTNAME-HERE 1194
proto udp
comp-lzo
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-client
tls-auth ta.key 1
cipher AES-128-CBC
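As an added check, not part of the original post: a Python script that parses the server.conf and client config from this post and flags the directives that have to agree between the two sides (proto, port, tap versus tun, comp-lzo, cipher, and the tls-auth key direction, which is 0 on the server and 1 on the client). The embedded configs are constructed from this post's directives, trimmed to the ones the check needs.

```python
# Constructed sample configs: the directives from this post's server.conf and
# client config that have to agree between the two sides.
SERVER_CONF = """
server-bridge 192.168.40.5 255.255.255.0 192.168.40.200 192.168.40.209
port 1194
proto udp
dev tap0
comp-lzo
tls-auth examples/easy-rsa/2.0/keys/ta.key 0
cipher AES-128-CBC
"""
CLIENT_CONF = """
client
dev tap
remote VPN-SERVER-IP-OR-HOSTNAME-HERE 1194
proto udp
comp-lzo
tls-client
tls-auth ta.key 1
cipher AES-128-CBC
"""

def parse(conf):
    """Map each OpenVPN directive to its argument list (comments and blank lines skipped)."""
    words = (line.split("#", 1)[0].split() for line in conf.splitlines())
    return {w[0]: w[1:] for w in words if w}

def check_pair(server_conf, client_conf):
    """Return the mismatches that stop a client connecting; an empty list means consistent."""
    s, c = parse(server_conf), parse(client_conf)
    problems = []
    if s.get("proto") != c.get("proto"):
        problems.append("proto differs")
    remote = c.get("remote", [])
    if s.get("port", ["1194"])[0] != (remote[1] if len(remote) > 1 else "1194"):
        problems.append("client remote port does not match server port")
    # "dev tap0" on the server and "dev tap" on the client are the same device type
    if s.get("dev", [""])[0][:3] != c.get("dev", [""])[0][:3]:
        problems.append("dev type differs (tap vs tun)")
    for flag in ("comp-lzo", "tls-auth"):
        if (flag in s) != (flag in c):
            problems.append(flag + " set on one side only")
    if s.get("cipher") != c.get("cipher"):
        problems.append("cipher differs")
    # tls-auth takes the key file and a direction: 0 on the server, 1 on the client
    if "tls-auth" in s and "tls-auth" in c and (s["tls-auth"][1:], c["tls-auth"][1:]) != (["0"], ["1"]):
        problems.append("tls-auth direction must be 0 on the server and 1 on the client")
    return problems
```

check_pair(SERVER_CONF, CLIENT_CONF) returns an empty list for the two configs above; change the client's tls-auth direction to 0 or its cipher, and the mismatch is named.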
Now try to connect to the VPN from your client. Success? Good, now reboot the server and make sure everything comes up OK after a restart.
As a convenience, you may want to do the following:
- "C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe" --connect BDL.ovpn
- "C:\Program Files\UltraVNC\vncviewer.exe" REMOTE-IP-ADDRESS-HERE /password YOUR-PASSWORD-HERE - Totally insecure, but very convenient.
Done!