Ubuntu and OpenVPN

By John C. Rucker

Introduction

Setting up Ubuntu as an OpenVPN gateway is dead easy, though there are a number of steps. I set up these systems so infrequently that I tend to forget how I did it. These instructions are mostly for my own benefit the next time I have to do this.

These are just step-by-step instructions for a bridged VPN that we use here. If you need a different setup or want to know how things work, you want to read the OpenVPN documentation. Look elsewhere if you don't like the command line. Total time from popping the install CD in to connecting clients: less than 1 hour.

These instructions are mostly a mixture of what I found here:

I recommend the following GUI interfaces for OpenVPN clients:

Installation

Install whatever version of Debian/Ubuntu you want. These instructions will most likely work for any version of any Debian-based Linux distribution, though I most recently tested them on Ubuntu 10.4, Lucid Lynx. I use the base server installation with no additional packages installed at first. We will enable the root user, install the OpenSSH server, disallow root login over SSH, install the OpenVPN server, then generate the keys we need.

# sudo passwd root
# su
# mv /etc/securetty /etc/securetty.bak
# touch /etc/securetty
# mv /etc/sudoers /etc/sudoers.bak
# apt-get update
# apt-get upgrade
# apt-get install openssh-server openvpn
# vi /etc/issue.net

Copy the following text into /etc/issue.net:

*******************************************************************************
                              NOTICE TO USERS

This computer system is the property of the Branch District Library.  It is
for authorized use only.  Users (authorized or unauthorized) have no explicit
or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be intercepted,
monitored, recorded, copied, audited, inspected, and disclosed to authorized
officials of law enforcement and government agencies.

By using this system, the user consents to such interception, monitoring,
recording, auditing, inspection, and disclosure at the discretion of the Branch
District Library or other authorized officials of law enforcement or government
agencies.

Unauthorized or improper use of this system may result in civil and criminal
penalties and administrative or disciplinary action, as appropriate.  By
continuing to use this system you indicate your awareness of and consent to
these terms and conditions of use.  LOG OFF IMMEDIATELY if you do not agree to
the conditions stated in this notice.

*******************************************************************************
# vi /etc/ssh/sshd_config

Find the line PermitRootLogin yes in /etc/ssh/sshd_config and change "yes" to "no". Also uncomment the line that reads #Banner /etc/issue.net so the notice above is shown before login.
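The two sshd_config edits above are easy to get subtly wrong (newer Ubuntu releases ship the PermitRootLogin line commented out, and sshd honours the last matching directive). The following helper is an added example, not part of the original article: harden_sshd applies both edits to a file you name, and check_sshd confirms the resulting file actually disables root login and activates the banner. The default path /etc/ssh/sshd_config and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the original article): apply the two sshd_config
# edits from the text and verify that they took effect. A path other than
# /etc/ssh/sshd_config is accepted so the functions can be tried on a copy.

# harden_sshd FILE
# Replaces any active or commented-out PermitRootLogin line with
# "PermitRootLogin no" and uncomments "#Banner /etc/issue.net".
harden_sshd() {
    f="${1:-/etc/ssh/sshd_config}"
    sed -E \
        -e 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' \
        -e 's|^[[:space:]]*#[[:space:]]*Banner[[:space:]]+/etc/issue\.net[[:space:]]*$|Banner /etc/issue.net|' \
        "$f" > "$f.tmp" || { rm -f "$f.tmp"; return 1; }
    # Write back through the original file so it keeps its owner and mode
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# check_sshd FILE
# Returns 0 only when root login is disabled and the banner is active.
# sshd uses the last matching directive, so inspect the last uncommented
# occurrence of each keyword rather than the first.
check_sshd() {
    f="${1:-/etc/ssh/sshd_config}"
    root=$(grep -E '^[[:space:]]*PermitRootLogin[[:space:]]' "$f" | tail -n 1 | awk '{print $2}')
    banner=$(grep -E '^[[:space:]]*Banner[[:space:]]' "$f" | tail -n 1 | awk '{print $2}')
    [ "$root" = "no" ] && [ "$banner" = "/etc/issue.net" ]
}
```

Run harden_sshd (as root) followed by check_sshd; if the check passes, validate the file with sshd -t and restart the ssh service so the new settings apply to new connections.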

# cp -Rp /usr/share/doc/openvpn/examples/ /etc/openvpn/
# cd /etc/openvpn/examples/easy-rsa/2.0/
# vi vars

Edit KEY_COUNTRY, etc., as appropriate.

# . ./vars
# ./clean-all
# ./build-ca
# ./build-dh
# ./build-key-server server

Replace 'client1' below with a meaningful name and repeat as many times as needed. If the commands above fail with an error saying "The correct version should have a comment that says: easy-rsa version 2.x", issue this command first: ln -s openssl-1.0.0.cnf openssl.cnf.

# ./build-key client1
# openvpn --genkey --secret keys/ta.key

Copy ca.crt, client1.crt, client1.key, ta.key to client1. Repeat ./build-key client1 for all clients.

You can choose either a bridged or a routed setup. Routing is the more compatible choice for tablets, since tap interfaces are not widely supported on them.

Bridged Setup

# apt-get install bridge-utils
# vi /etc/openvpn/server.conf

For a bridged setup, copy the below into /etc/openvpn/server.conf and modify the server-bridge directive to fit your needs (or skip ahead to the routed setup instead):

server-bridge 192.168.40.5 255.255.255.0 192.168.40.240 192.168.40.249
port 1194
proto udp
dev tap0
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
ca examples/easy-rsa/2.0/keys/ca.crt
cert examples/easy-rsa/2.0/keys/server.crt
key examples/easy-rsa/2.0/keys/server.key 
dh examples/easy-rsa/2.0/keys/dh1024.pem
tls-auth examples/easy-rsa/2.0/keys/ta.key 0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-128-CBC
# the below file is needed if you've revoked any client certs
crl-verify /etc/openvpn/examples/easy-rsa/2.0/keys/crl.pem

# vi /etc/init.d/bridge

Copy the below into /etc/init.d/bridge and modify eth, eth_ip, eth_netmask, eth_broadcast, and gw to fit your needs:

#!/bin/bash
# Bridge helper for OpenVPN tap mode: creates the tap interface(s),
# bridges them with the physical ethernet interface, and moves the
# host's IP address and default route onto the bridge.

# Define bridge interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.40.5"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.40.255"
gw="192.168.40.1"

start_bridge ()
{
    # Create the persistent tap device(s) that OpenVPN will attach to
    for t in $tap; do
        openvpn --mktun --dev "$t"
    done
    # Bring the tap and ethernet interfaces up without addresses of their own
    for t in $tap; do
        ifconfig "$t" 0.0.0.0 promisc up
    done
    ifconfig "$eth" 0.0.0.0 promisc up
    # Build the bridge and attach the physical and tap interfaces to it
    brctl addbr "$br"
    brctl addif "$br" "$eth"
    for t in $tap; do
        brctl addif "$br" "$t"
    done
    # The bridge now carries the host's IP address and default route
    ifconfig "$br" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast" up
    route add default gw "$gw" "$br"
}

stop_bridge ()
{
    ifconfig "$br" down
    brctl delbr "$br"
    for t in $tap; do
        openvpn --rmtun --dev "$t"
    done
    # Move the address and default route back onto the physical interface
    ifconfig "$eth" "$eth_ip" netmask "$eth_netmask" broadcast "$eth_broadcast" up
    route add default gw "$gw" "$eth"
}

case "$1" in
    start)
        echo -n "Starting Bridge"
        start_bridge
        ;;
    stop)
        echo -n "Stopping Bridge"
        stop_bridge
        ;;
    restart)
        stop_bridge
        sleep 2
        start_bridge
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac

# cd /etc/init.d/
# chmod +x bridge
# update-rc.d bridge start 15 2 3 4 5 . stop 81 0 1 6 .
# /etc/init.d/bridge start

Copy the below as BDL.conf (or BDL.ovpn for Windows clients) and place it in the proper place for your client, along with ca.crt, client1.crt, client1.key, and ta.key. Insert your server's IP address or hostname and change "client1" to the appropriate name for your client key and certificate.

client
dev tap
remote VPN-SERVER-IP-OR-HOSTNAME-HERE 1194
proto udp
comp-lzo
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-client 
tls-auth ta.key 1
cipher AES-128-CBC

Routed Setup

# vi /etc/openvpn/server.conf

For a routed setup, copy the below into /etc/openvpn/server.conf and modify the server directive to fit your needs:

server 10.8.0.0 255.255.255.0
push "route 192.168.40.0 255.255.255.0"
port 1194
proto udp
dev tun
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
ca /etc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/examples/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/examples/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/examples/easy-rsa/2.0/keys/dh1024.pem
tls-auth /etc/openvpn/examples/easy-rsa/2.0/keys/ta.key 0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-128-CBC
# the below file is needed if you've revoked any client certs
crl-verify /etc/openvpn/examples/easy-rsa/2.0/keys/crl.pem

# vi /etc/sysctl.conf

Find the line in /etc/sysctl.conf that reads #net.ipv4.ip_forward=1, and remove the comment.
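Both server.conf variants above (bridged and routed) refer to the easy-rsa key files by path, and the routed one additionally needs IP forwarding turned on; a typo in any of those paths or a world-readable server.key only shows up once the service is started. The checker below is an added example, not part of the original article or of OpenVPN: check_server_conf resolves each file directive relative to the config's own directory (the article runs OpenVPN from /etc/openvpn, so relative paths resolve there), reports missing files and keys readable by group or others, and returns the number of problems; check_ip_forward reads the live sysctl value. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the
# server.conf from the text before starting the service.

# check_server_conf CONF
# For each directive that names a file, verify the file exists (relative
# paths are resolved against the config's directory) and that secret
# material is readable by its owner only. Prints one line per problem and
# returns the number of problems found (0 means the config passed).
check_server_conf() {
    conf="$1"
    base=$(dirname "$conf")
    problems=0
    # tls-auth takes a second argument (the key direction); only $2 is used
    for kw in ca cert key dh tls-auth crl-verify; do
        # last occurrence wins, matching how OpenVPN treats repeated options
        path=$(awk -v kw="$kw" '$1 == kw { p = $2 } END { print p }' "$conf")
        [ -n "$path" ] || continue
        case "$path" in
            /*) full="$path" ;;
            *)  full="$base/$path" ;;
        esac
        if [ ! -f "$full" ]; then
            echo "$kw: $full does not exist"
            problems=$((problems + 1))
            continue
        fi
        # The server's private key and the tls-auth key are secrets
        case "$kw" in
            key|tls-auth)
                # characters 5-10 of ls -l output are the group and other bits
                mode=$(ls -l "$full" | cut -c5-10)
                if [ "$mode" != "------" ]; then
                    echo "$kw: $full is readable by group or others"
                    problems=$((problems + 1))
                fi
                ;;
        esac
    done
    return $problems
}

# check_ip_forward
# Returns 0 when the kernel currently forwards IPv4, which the routed
# (dev tun) setup requires after the sysctl.conf edit above.
check_ip_forward() {
    [ -r /proc/sys/net/ipv4/ip_forward ] \
        && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}
```

Run check_server_conf /etc/openvpn/server.conf before /etc/init.d/openvpn start; for the routed setup also run check_ip_forward after sysctl -p, since editing sysctl.conf alone does not change the running value until the next boot.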

Copy the below as BDL.conf (or BDL.ovpn for Windows clients) and place it in the proper place for your client, along with ca.crt, client1.crt, client1.key, and ta.key. Insert your server's IP address or hostname and change "client1" to the appropriate name for your client key and certificate.

client
dev tun
remote VPN-SERVER-IP-OR-HOSTNAME-HERE 1194
proto udp
comp-lzo
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-client 
tls-auth ta.key 1
cipher AES-128-CBC
route-method exe
route-delay 2

In routed mode, the OpenVPN GUI client will have to be run as an administrator on Windows Vista and 7. Right-click on the OpenVPN GUI shortcut, select "Properties", then on the "Compatibility" tab check "Run this program as an administrator".
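Producing the client bundle described in both client sections (the four key files plus a BDL.conf with the server address and the client name filled in) is the step most likely to be done by hand and inconsistently. The helper below is an added example, not part of the original article: make_client_bundle takes the easy-rsa keys directory, the BDL.conf template exactly as shown in the text (still containing "client1" and VPN-SERVER-IP-OR-HOSTNAME-HERE), a client name, the server address and an output directory, and writes one directory per client with the private key and ta.key restricted to the owner. It works for either the bridged (dev tap) or routed (dev tun) template. All names and paths are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): build a per-client
# directory from the easy-rsa keys directory and the BDL.conf template.

# make_client_bundle KEYS_DIR TEMPLATE CLIENT REMOTE OUT_DIR
#   KEYS_DIR  easy-rsa keys directory, e.g. /etc/openvpn/examples/easy-rsa/2.0/keys
#   TEMPLATE  BDL.conf as printed in the text, with placeholders intact
#   CLIENT    name given to ./build-key, e.g. client1
#   REMOTE    server IP address or hostname for the "remote" line
#   OUT_DIR   parent directory; the bundle lands in OUT_DIR/CLIENT
# Prints the bundle directory on success and returns 1 on any failure.
make_client_bundle() {
    keys="$1"; tpl="$2"; client="$3"; remote="$4"; out="$5/$3"
    # Refuse to continue if any of the four files the client needs is missing
    for f in ca.crt "$client.crt" "$client.key" ta.key; do
        [ -f "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    mkdir -p "$out" || return 1
    cp "$keys/ca.crt" "$keys/$client.crt" "$keys/ta.key" "$out/" || return 1
    cp "$keys/$client.key" "$out/$client.key" || return 1
    # The client's private key and the shared tls-auth key are secrets
    chmod 600 "$out/$client.key" "$out/ta.key" || return 1
    # Fill in the server address and point cert/key at this client's files
    sed -e "s/VPN-SERVER-IP-OR-HOSTNAME-HERE/$remote/" \
        -e "s/client1\\.crt/$client.crt/" \
        -e "s/client1\\.key/$client.key/" \
        "$tpl" > "$out/BDL.conf" || return 1
    # The finished config must reference exactly the files in the bundle
    for f in ca.crt "$client.crt" "$client.key" ta.key; do
        grep -q " $f" "$out/BDL.conf" \
            || { echo "BDL.conf does not reference $f" >&2; return 1; }
    done
    echo "$out"
}
```

Copy the resulting directory to the client; for Windows clients rename BDL.conf to BDL.ovpn as the text describes. The placeholder substitution assumes the remote is a plain hostname or IP address (no "/" characters), which is the case for the "remote" directive.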

Finally, for a routed setup, you'll need to add a static route for the VPN subnet to the router your OpenVPN server sits behind, pointing at the server's LAN address. The syntax varies by system; here is the Cisco IOS version (replace the IP addresses with the right ones for your situation):

ciscorouter(config)# ip route 10.8.0.0 255.255.255.0 192.168.40.5

# /etc/init.d/openvpn start

Start the openvpn service and try to connect to the VPN from your client. Success? Good, now reboot the server and make sure everything comes up OK after a restart.

As a convenience, you may want to do the following:

Done!


Originally published on 15 October 2009. Last modified on 2 June 2015.
Copyright © 2009 John C. Rucker
Verbatim copying and distribution of this entire article is permitted in any medium without royalty provided this notice is preserved.