Septimius Network Personal Blog – Septimius Paul Tompa

12 Jul 2012

Linux – how to set up an OpenVPN server


OpenVPN is an excellent choice for a VPN service. It is free, fast and secure, and the installation is not very complicated, so within about an hour you can have a complete, free VPN solution for your company. OpenVPN runs on Linux, OS X (Mac) and Windows. It also works fine on an iPhone (if it is jailbroken); I have not tested it on any Android-based device at this time.

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or a username and password. In a multi-client server configuration it lets the server issue an authentication certificate for every client, signed by a certificate authority (CA). It uses the OpenSSL library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features. A more detailed description can be found on Wikipedia.

Server installation

On a Debian-based system (Ubuntu 12.04), install the openvpn package; this installs the daemon and the necessary files.

I used the sample config file shipped with the package (on Ubuntu it is /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz) as a starting point for my installation. This file needs to be unzipped and moved to the /etc/openvpn/ directory as server.conf.

After my customizations the file looks like this:

Since the logs are written to the /etc/openvpn folder by default, I created a /var/log/openvpn directory (owned by the openvpn user) and pointed the log files there.
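
Below is an added example of a server.conf that applies the customizations described in this post. It is not the author's file (which is not reproduced here) and not OpenVPN's shipped sample; the 10.8.0.0/24 subnet, the AES-256-CBC cipher and the file names under /var/log/openvpn are assumptions.

```conf
# /etc/openvpn/server.conf -- added example, not the original file from this post
port 1194
proto udp
dev tun

# PKI material generated with easy-rsa (paths are relative to /etc/openvpn)
ca ca.crt
cert server.crt
key server.key          # private key: readable by root only
dh dh2048.pem           # 2048-bit Diffie-Hellman parameters instead of the 1024-bit default

# "HMAC firewall": every packet must carry a valid HMAC computed with ta.key,
# so packets from unauthenticated sources are dropped before the TLS handshake.
# The server uses key direction 0, every client uses direction 1.
tls-auth ta.key 0

# Data-channel cipher; must be set identically on every client (assumed choice)
cipher AES-256-CBC

# Tunnel subnet; the server takes 10.8.0.1 (assumed range)
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt

# Send all client traffic through the tunnel; needs the NAT rule from the next section
push "redirect-gateway def1 bypass-dhcp"

keepalive 10 120
comp-lzo

# Drop privileges once the tunnel and routes are up
user nobody
group nogroup
persist-key
persist-tun

# Logs go to /var/log/openvpn instead of the default /etc/openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
```

The tls-auth key direction and the cipher are the two settings most often mismatched between server and client; both sides must agree or the TLS handshake fails.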

Next, we need to generate the server and client keys.

The server keys

Go to the easy-rsa folder shipped with the package (/usr/share/doc/openvpn/examples/easy-rsa/2.0/ on Ubuntu 12.04).

Copy its contents to a temporary folder in your home directory, initialize the PKI variables (the vars file), clean up (clean-all) and start building your certificate authority (build-ca).

Generate the certificate and key for the server (build-key-server).

Generate a certificate and key for each client (build-key); every client gets its own key pair, never a shared one, so a single client can later be revoked.

Generate the Diffie-Hellman parameters (build-dh). I like to use a 2048-bit key instead of the 1024-bit default; set KEY_SIZE in vars before running the script.

For extra security beyond that provided by SSL/TLS, create an "HMAC firewall" (openvpn --genkey --secret ta.key) to help block DoS attacks and UDP port flooding: packets that do not carry a valid HMAC are dropped before any TLS processing takes place.

Now move the keys into your /etc/openvpn folder and make sure the permissions are right: the private keys (server.key, ta.key) should be readable by root only, and ca.key should not stay on the VPN server at all, since whoever holds it can issue certificates for new clients.

Copy the client keys (client1, client2, client3), together with ca.crt and ta.key, to your local machine. Now you are ready to configure the clients.
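
The key generation above, as an added example that is not the author's commands and not easy-rsa itself: it produces the same artefacts the easy-rsa 2.0 scripts do (CA, server and client certificates, DH parameters, tls-auth key) with plain openssl, so each step, and the server/client role baked into the certificate, is visible. The directory argument, the CN values, the ten-year lifetime and the client names are assumptions.

```shell
#!/bin/sh
# Added example: easy-rsa's build-ca / build-key-server / build-key / build-dh and
# openvpn --genkey, done with plain openssl. Directory layout and CNs are assumptions.
set -e

# Create a self-signed CA key and certificate in directory $1.
# ca.key signs every server and client certificate: keep it off the VPN server.
build_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=OpenVPN-CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

# Issue a certificate for $2, signed by the CA in $1. $3 is "server" or "client":
# the server certificate gets extendedKeyUsage=serverAuth, which is what a client's
# "remote-cert-tls server" check looks for, so a stolen client certificate cannot be
# used to impersonate the server.
build_cert() {
    dir=$1; name=$2; role=$3
    case $role in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$dir/$name.ext"
    openssl x509 -req -days 3650 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir/$name.key"
    rm -f "$dir/$name.csr" "$dir/$name.ext"
}

# Succeeds only if $2.crt chains to the CA in $1 and carries the extended key usage
# named in $3 ("TLS Web Server Authentication" or "TLS Web Client Authentication").
verify_cert() {
    dir=$1; name=$2; usage=$3
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 &&
        openssl x509 -in "$dir/$name.crt" -noout -text | grep -q "$usage"
}

# 2048-bit Diffie-Hellman parameters (slow) and the tls-auth key.
# openvpn --genkey is the only non-openssl step; run it on the server.
build_dh() { openssl dhparam -out "$1/dh2048.pem" 2048; }
build_ta() { openvpn --genkey --secret "$1/ta.key"; }

# Usage: sh pki.sh /path/to/keys   (nothing runs when no directory is given)
if [ -n "$1" ]; then
    build_ca "$1"
    build_cert "$1" server server
    for c in client1 client2 client3; do build_cert "$1" "$c" client; done
    build_dh "$1"
    build_ta "$1"
fi
```

verify_cert() is the check worth keeping around: it confirms that a certificate really was issued by your CA and that only the server certificate carries the serverAuth usage, which is the property the clients' server verification relies on.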

Setup NAT

You need to set up NAT in order to provide an internet connection to the clients.

See which IP range the tunnel interface tun0 is using (it is the range you gave to the server directive in server.conf).

Now add an iptables rule, in the nat table, that masquerades traffic from that range out of your public interface.

Now let's save the iptables rules into a file (iptables-save).

Next, add a line to load these rules at startup. Edit /etc/network/interfaces and add, on the eth0 interface, a pre-up line that runs iptables-restore on that file.

OK, we are now ready to rock. Make sure IP forwarding is enabled (check /proc/sys/net/ipv4/ip_forward).

If the result is not 1, enable it by editing /etc/sysctl.conf and setting net.ipv4.ip_forward=1.

On the next startup IP forwarding will be enabled; to apply it right now, run sysctl -p.

You are ready.
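
The NAT and forwarding steps above, as an added example that is not from the original post. vpn_subnet() reads the tunnel range from the server directive in server.conf rather than from tun0, so the rule can be prepared before the daemon is running; the config path, the eth0 interface name and /etc/iptables.rules are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): derive the tunnel subnet from
# server.conf, build the masquerade rule for it, persist it, and check or enable
# IP forwarding. Paths and the interface name are assumptions.
set -e

# Print the tunnel subnet as "network/netmask" from the "server" line of an
# OpenVPN config, e.g. "10.8.0.0/255.255.255.0". This is the range tun0 shows
# once the daemon is up.
vpn_subnet() {
    awk '$1 == "server" { print $2 "/" $3; exit }' "$1"
}

# Print the iptables arguments for the masquerade rule. "-t nat" is required:
# POSTROUTING exists only in the nat table, so without it iptables rejects the
# rule (the first comment on this post ran into exactly that).
nat_rule() {
    printf -- '-t nat -A POSTROUTING -s %s -o %s -j MASQUERADE' "$1" "$2"
}

# Apply the rule and save the full rule set so the boot-time line in
# /etc/network/interfaces can restore it:
#   pre-up iptables-restore < /etc/iptables.rules
setup_nat() {
    conf=$1; out_if=$2; rules=${3:-/etc/iptables.rules}
    # shellcheck disable=SC2046  (word splitting of the argument string is intended)
    iptables $(nat_rule "$(vpn_subnet "$conf")" "$out_if")
    iptables-save > "$rules"
}

# Return 0 when forwarding is on. $1 lets a test point at a constructed file
# instead of the real /proc/sys/net/ipv4/ip_forward.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# Enable forwarding persistently (sysctl.conf) and immediately (sysctl -p).
enable_ip_forward() {
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf ||
        printf 'net.ipv4.ip_forward = 1\n' >> /etc/sysctl.conf
    sysctl -p
}

# Usage on the server (as root):
#   setup_nat /etc/openvpn/server.conf eth0
#   ip_forward_enabled || enable_ip_forward
```

Restricting the rule to the tunnel subnet with -s matters: a bare MASQUERADE on eth0 would also forward traffic for any other network the box happens to route, not just for the VPN clients.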

Configure clients

Configure the OpenVPN OS X (Mac) client

Configure the OpenVPN Windows client

Configure the OpenVPN iPhone client

Comments (23)
  1. Fix for the iptables rule:

    iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o br0 -j MASQUERADE

    Without the “-t nat”, if you do not have any iptables rules, the line is dropped as invalid because there is no such record in iptables. ;-)

  2. Dear, thank you for your tutorial, but I have a problem after all.
    When I try to start OpenVPN I get the following:

    # /etc/init.d/openvpn start
    * Starting virtual private network daemon(s)... * Autostarting VPN ‘server’
    root@optimus:/etc/openvpn# /etc/init.d/openvpn status
    * could not access PID file for VPN ‘server’

    I had this problem a long time ago and resolved it by adding something in server.conf, but now I cannot remember what it was :S

    Any help?
    Thank you!

    • Hi y0d4! Can you tell me on what OS/distro/version you have this issue? If you are on Ubuntu Karmic, it seems there is a bug #516016 that is similar to the problem you have.

      Note: if you are on a newer version that uses upstart, try to avoid calling openvpn from init and use service instead.

  3. Yes, it's a new Ubuntu.
    And when I try to start it as a service, same situation.

    Somewhere I found a solution for this (one line needs to be added to server.conf), but now I cannot find it :(

    Do you know the solution? In the bug tracker I cannot find a solution... :S

  4. Hm, I believe it's for sure a problem with the conf file.

    The log says:
    Options error: --server directive network/netmask combination is invalid
    Use --help for more information.

    And the conf file:
    http://pastebin.com/BCSShmJ2

  5. Hello,

    Me again :)
    I found what I added in server.conf, it's this line:
    script-security 3 system

    br.

  6. hehe :)
    I added you to my RSS reader, don't worry :D

  7. Hi, I am Jack, and can someone help me do this OpenVPN?

  8. Hi Septimius Paul Tompa,

    Did you ever try this on an Android device? Just share your views, because I am trying to set up an OpenVPN server on Ubuntu 10.04 and use the certificate on the Android device to check how it works.

    Thanks in advance

    • I do not have an Android setup tutorial at this point since I do not own an Android device, but I will try to get one from a friend.

      • Hi Septimius Paul Tompa,

        Thanks for your reply. I have a few other doubts about the above flow. Why are you creating/generating 3 certificates and keys for clients? What should the client configuration be, since in my case my client is an Android device? And what did Mr. Yoda mean in his reply, “I found what I added in server.conf, it's this line:
        script-security 3 system
        ”? Is he saying to add the “script-security 3 system” line to the config file?

        Thanks in advance

        • Hi Deepak,

          You need to generate a key for each client. To answer your question, I generated 3 client keys because I have 3 clients for that specific VPN (iPhone, OS X and an Ubuntu box).
          I cannot reply at this point about an Android client since I have not tested this yet with an Android device. I will publish a tutorial about this soon.
          Mr. y0d4 (Yoda) had a specific problem: he could not start the OpenVPN server, since he was getting a “* could not access PID file for VPN ‘server’” error, and adding the “script-security 3 system” line to the conf file seems to fix this (it can also be added from the command line when you start the service).

          According to the OpenVPN documentation:

          --script-security level [method]
          This directive offers policy-level control over OpenVPN's usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level:

          0 -- Strictly no calling of external programs.
          1 -- (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
          2 -- Allow calling of built-in executables and user-defined scripts.
          3 -- Allow passwords to be passed to scripts via environmental variables (potentially unsafe).

          The method parameter indicates how OpenVPN should call external commands and scripts. Settings for method:

          execve -- (default) Use execve() function on Unix family OSes and CreateProcess() on Windows.
          system -- Use system() function (deprecated and less safe since the external program command line is subject to shell expansion).

          The --script-security option was introduced in OpenVPN 2.1_rc9. For configuration file compatibility with previous OpenVPN versions, use: --script-security 3 system
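
The level and method semantics quoted in the reply above, shown as config lines. This is an added example, not part of the post or of any comment: the permissive line beside a restrictive one that still lets OpenVPN run a site-specific script. The script path is an assumption.

```conf
# Permissive (the line from the comment): level 3 exports passwords to scripts
# through the environment, and "system" runs every script through a shell, so
# the command line is subject to shell expansion. Only the pre-2.1_rc9
# compatibility case needs this.
script-security 3 system

# Restrictive equivalent for a server that only needs its own hook scripts:
# level 2 allows user-defined scripts, and the default execve() method passes
# arguments directly, with no shell in between. Passwords are not exported.
script-security 2
client-connect /etc/openvpn/on-connect.sh   # assumed script path
```

If the server runs no scripts at all, the default (level 1) is the right setting; raise the level only as far as the scripts you actually use require.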

  9. Hi Septimius Paul Tompa,

    I followed the above steps and set up my server on my Ubuntu 10.04 system (my system IP 192.xxx.xx.xx). I connected my system through a LAN to a modem. I tested my Samsung S3 in 2 scenarios:

    1. I enabled data usage. I ran my application with the necessary things (i.e., installed the test.p12 file) and clicked connect. At this point I got "TLS handshake failed" and the VPN didn't connect.

    2. But when my device is connected to my modem (through wifi), I could see the Connected status, but no packets are transferred.

    Please clarify my doubt.

    Thanks in advance

    Regards,
    Deepak

  10. Hey Paul, I am getting errors like "no server verification method enabled"...

  11. Hello Septimius Paul Tompa,
    I get an error when trying to connect to my OpenVPN server: “MULTI: bad source address from client”. I can establish a connection but I do not have any internet connection, and I cannot see the local network. Thanks.
