Linux – howto setup OpenVPN server

12Jul/1223

Linux – howto setup OpenVPN server

OpenVPN is an awesome choice for an VPN service. It's free, fast, and secure. The installation is not extremly complicated, so you will able in 1 hour to have a complete free VPN solution for your company. OpenVPN just work on Linux, OSX (Mac), and Windows. It also works fine on iPhone (if you have it jailbroken), but I did not tested on any android based device at this time.

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features. A more detaliated description can be found on wikipedia.

Server instalation

- on a debian based system (Ubuntu 12.04).


apt-get install openvpn openvpn-blacklist

this will install the necessary files.

 openvpn: /etc/bash_completion.d/openvpn
 openvpn: /etc/default/openvpn
 openvpn: /etc/init.d/openvpn
 openvpn: /etc/network/if-down.d/openvpn
 openvpn: /etc/network/if-up.d/openvpn
 openvpn: /etc/openvpn/update-resolv-conf
 openvpn: /usr/include/openvpn/openvpn-plugin.h
 openvpn: /usr/lib/openvpn/openvpn-auth-pam.so
 openvpn: /usr/lib/openvpn/openvpn-down-root.so
 openvpn: /usr/sbin/openvpn
 openvpn: /usr/share/doc/openvpn/AUTHORS
 openvpn: /usr/share/doc/openvpn/NEWS.Debian.gz
 openvpn: /usr/share/doc/openvpn/PORTS
 openvpn: /usr/share/doc/openvpn/README
 openvpn: /usr/share/doc/openvpn/README.Debian.gz
 openvpn: /usr/share/doc/openvpn/README.IPv6
 openvpn: /usr/share/doc/openvpn/README.auth-pam
 openvpn: /usr/share/doc/openvpn/README.down-root
 openvpn: /usr/share/doc/openvpn/README.ipv6
 openvpn: /usr/share/doc/openvpn/TODO.IPv6.gz
 openvpn: /usr/share/doc/openvpn/TODO.ipv6
 openvpn: /usr/share/doc/openvpn/changelog.Debian.gz
 openvpn: /usr/share/doc/openvpn/copyright
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/README.gz
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/build-ca
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/build-dh
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/build-inter
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/build-key
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/build-key-pass
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/build-key-pkcs12
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/build-key-server
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/build-req
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/build-req-pass
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/clean-all
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/list-crl
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/make-crl
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/openssl.cnf
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/revoke-crt
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/revoke-full
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/sign-req
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/1.0/vars
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/Makefile
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/README.gz
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/build-ca
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/build-dh
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/build-inter
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/build-key
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/build-key-pass
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/build-key-pkcs12
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/build-key-server
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/build-req
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/build-req-pass
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/clean-all
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/inherit-inter
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/list-crl
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl-0.9.6.cnf
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl-0.9.8.cnf
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl-1.0.0.cnf
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl-1.0.0.cnf-old-copy
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/revoke-full
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/sign-req
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/README.gz
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/build-ca
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/build-dh
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/build-inter
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/build-key
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/build-key-pass
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/build-key-pkcs12
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/build-key-server
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/build-req
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/build-req-pass
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/clean-all
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/file
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/inherit-inter
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/list-crl
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/openssl-0.9.6.cnf
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/openssl-1.0.0.cnf
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/pkitool
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/revoke-full
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/sign-req
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/vars
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/tmp/whichopensslcnf
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/vars
 openvpn: /usr/share/doc/openvpn/examples/easy-rsa/2.0/whichopensslcnf
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/README
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/client.conf
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/firewall.sh
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/home.up
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/loopback-client
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/loopback-server
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/office.up
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/openvpn-shutdown.sh
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/openvpn-startup.sh
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/static-home.conf
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/static-office.conf
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/tls-home.conf
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/tls-office.conf
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/xinetd-client-config
 openvpn: /usr/share/doc/openvpn/examples/sample-config-files/xinetd-server-config
 openvpn: /usr/share/doc/openvpn/examples/sample-keys/README
 openvpn: /usr/share/doc/openvpn/examples/sample-keys/ca.crt
 openvpn: /usr/share/doc/openvpn/examples/sample-keys/ca.key
 openvpn: /usr/share/doc/openvpn/examples/sample-keys/client.crt
 openvpn: /usr/share/doc/openvpn/examples/sample-keys/client.key
 openvpn: /usr/share/doc/openvpn/examples/sample-keys/dh1024.pem
 openvpn: /usr/share/doc/openvpn/examples/sample-keys/pass.crt
 openvpn: /usr/share/doc/openvpn/examples/sample-keys/pass.key
 openvpn: /usr/share/doc/openvpn/examples/sample-keys/pkcs12.p12
 openvpn: /usr/share/doc/openvpn/examples/sample-keys/server.crt
 openvpn: /usr/share/doc/openvpn/examples/sample-keys/server.key
 openvpn: /usr/share/doc/openvpn/examples/sample-keys/ta.key
 openvpn: /usr/share/doc/openvpn/examples/sample-scripts/auth-pam.pl
 openvpn: /usr/share/doc/openvpn/examples/sample-scripts/bridge-start
 openvpn: /usr/share/doc/openvpn/examples/sample-scripts/bridge-stop
 openvpn: /usr/share/doc/openvpn/examples/sample-scripts/openvpn.init.gz
 openvpn: /usr/share/doc/openvpn/examples/sample-scripts/ucn.pl
 openvpn: /usr/share/doc/openvpn/examples/sample-scripts/verify-cn
 openvpn: /usr/share/doc/openvpn/management-notes.txt.gz
 openvpn: /usr/share/man/man8/openvpn.8.gz
 openvpn: /usr/share/openvpn/verify-cn
 openvpn-blacklist: /usr/sbin/openvpn-vulnkey
 openvpn-blacklist: /usr/share/doc/openvpn-blacklist/README.Debian
 openvpn-blacklist: /usr/share/doc/openvpn-blacklist/changelog.gz
 openvpn-blacklist: /usr/share/doc/openvpn-blacklist/copyright
 openvpn-blacklist: /usr/share/doc/openvpn-blacklist/examples/bad.key
 openvpn-blacklist: /usr/share/doc/openvpn-blacklist/examples/gen_openvpn_shared_keys.sh
 openvpn-blacklist: /usr/share/doc/openvpn-blacklist/examples/getpid.c
 openvpn-blacklist: /usr/share/man/man1/openvpn-vulnkey.1.gz
 openvpn-blacklist: /usr/share/openvpn-blacklist/blacklist.RSA-2048

I used this sample config file

openvpn: /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz

as a starting point for my instalation. This file needs to be unziped, and moved to the /etc/openvpn/ directory as server.conf.

After the customizations I made the file look like this :


# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.

dev tun

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh2048.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.13.13.0 255.255.255.0

# Maintain a record of client  virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 10.50.201.0 255.255.255.0"

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 10.13.13.1"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret
tls-server

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
cipher AES-256-CBC

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 10

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user openvpn
group openvpn

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
log         /var/log/openvpn/openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20

since the logs are saved by default in the /etc/openvpn folder, I did create a /var/log/openvpn (owned by the openvpn user) where the log files are saved.

mkdir -p /var/log/openvpn
chown openvpn:openvpn /var/log/openvpn
chmod 750 /var/log/openvpn

 10.13.13.0/24 is the class used for your VPN clients.
 10.50.201.0/24 is a class that I want to be accessable via the VPN.

Next, we need to generate the server and client keys.

The server keys

go to the folder

cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/

copy the content to a temporary folder in your home, initialize the PKI, clean up, and start building your certificate authority (CA)

. ./vars
./clean-all
./build-ca

generate certificate & key for server

./build-key-server server

generate certificate & key for clients


./build-key client1
./build-key client2
./build-key client3

generate Diffie Hellman parameters (i like to increase use a 2048 bit key)

openssl dhparam -out dh2048.pem 2048

for extra security beyond that provided by SSL/TLS, create an "HMAC firewall" to help block DoS attacks and UDP port flooding.

openvpn --genkey --secret ta.key

now move the keys into your /etc/openvpn folder, make sure you have the right permissions on it.

-rw-r--r--   1 root root  1826 Jun 27 04:30 ca.crt
-rw-------   1 root root  1704 Jun 27 04:30 ca.key
-rw-r--r--   1 root root   424 Jun 27 04:35 dh2048.pem
-rw-------   1 root root    58 Jul 13 02:29 ipp.txt
-rw-r--r--   1 root root 10442 Jun 28 02:19 server.conf
-rw-r--r--   1 root root  5642 Jun 27 04:32 server.crt
-rw-r--r--   1 root root  1102 Jun 27 04:32 server.csr
-rw-------   1 root root  1704 Jun 27 04:32 server.key
-rw-------   1 root root   636 Jun 27 04:45 ta.key

Copy the client keys (client1, client2, client3) to your local machine. Now you are ready to configure the clients.

Setup NAT

You need to setup NAT in order to provide an internet connection to the clients.

See the ip class you are using for the tunnel tun0

</pre>
root@zeus:~# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.13.13.1  P-t-P:10.13.13.2  Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
RX packets:7570 errors:0 dropped:0 overruns:0 frame:0
TX packets:1752 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:622314 (622.3 KB)  TX bytes:242952 (242.9 KB)
<pre>

now add an iptables rule to do NAT for the VPN clients

iptables -A POSTROUTING -s 10.13.13.0/24 -o eth0 -j MASQUERADE

now, let's save the iptables rules into a file

iptables-save > /etc/iptables.rules

next, add a line to load this rules at startup. Edit /etc/network/interfaces and add the following line on the eth0 interface

pre-up iptables-restore < /etc/iptables.rules

OK, we are now ready to rock. Make sure you have ip_forwarding enabled by default

cat /proc/sys/net/ipv4/ip_forward

if the result is not 1, you need to enable this by editing /etc/sysctl.conf. Make sure that you have ipforward enabled.

net.ipv4.ip_forward=1

now on the next startup the ipforward will be enabled, to force loading now type

sysctl -p

you are ready.

Configure clients

Configure OpenVPN OSX (mac) client

Configure OpenVPN windows client

Configure OpenVPN iPhone client

Enjoy this article?

Consider subscribing to our rss feed!

Tagged as: debian, linux, openvpn, ubuntu, vpn Leave a comment

Comments (23) Trackbacks (0) ( subscribe to comments on this post )

Daniel
August 22nd, 2012 - 18:32

fix for the iptables rule:.

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o br0 -j MASQUERADE

Without the “-t nat” if you do not have any iptables rule, the line drop as invalid for there’s no such record into iptables.

( REPLY )
- Septimius Paul Tompa
  September 15th, 2012 - 00:11
  
  Thanks for the note!
  
  ( REPLY )
  - Jack Morris
    November 5th, 2012 - 08:58
    
    Please can you show me how to do this openvpn please.
    
    ( REPLY )
y0d4
September 14th, 2012 - 08:41

Dear, thank you for you tutor, but i have problem after all.
When i try to start openvpn i got next:

# /etc/init.d/openvpn start
* Starting virtual private network daemon(s)… * Autostarting VPN ‘server’ root@optimus:/etc/openvpn# /etc/init.d/openvpn status
* could not access PID file for VPN ‘server’

i was have this problem long time ago and resolve by adding something in server.conf, but now cannot remember what was :S

any help?
thank you!

( REPLY )
- Septimius Paul Tompa
  September 15th, 2012 - 00:10
  
  Hi y0d4 ! Can you tell me on what OS/Distro/version you have this issue ? If you are on Ubuntu karmic it seems there is a bug #516016 that is similar with the problem you have.
  
  Note, if you are on a newer version that use upstart, try avoiding calling openvpn from init and use service instead.
  
  ( REPLY )
Yoda
September 16th, 2012 - 09:54

Yes, it`s new ubuntu.
And when i try to start as service, same situation.

Somewhere i found solution for this (one line in server.conf need to add), but now cannot find

do you know solution? in bug track i cannot find solution .. :S

( REPLY )
- Septimius Paul Tompa
  September 17th, 2012 - 16:40
  
  Can you make sure that the file /var/run/openvpn.server.pid does not exist on your system ?
  
  What is the error message from /var/log/openvpn/openvpn.log ?
  It is possible that this is not starting due some errors into the server.conf file.
  
  ( REPLY )
y0d4
September 18th, 2012 - 08:48

Hm, i believe it`s for sure problem with conf. file.

log say next:
Options error: –server directive network/netmask combination is invalid
Use –help for more information.

and conf file:
http://pastebin.com/BCSShmJ2

( REPLY )
y0d4
September 24th, 2012 - 10:56

Hello,

again me
I found what i add in server.conf, it`s this line:
script-security 3 system

br.

( REPLY )
- Septimius Paul Tompa
  September 24th, 2012 - 16:05
  
  Perfect. Next time you have the same problem come up and read the comments
  
  ( REPLY )
Yoda
September 24th, 2012 - 16:57

hehe
I add you in rss reader, don`t worry

( REPLY )
- Jack Morris
  November 5th, 2012 - 09:17
  
  Hi, My name is Jack and i am really finding it very difficult to do this Openvpn … Can you help me do this please.
  
  ( REPLY )
  - Septimius Paul Tompa
    November 6th, 2012 - 10:14
    
    Sure. Give me some details about your problem.
    
    ( REPLY )
Jack Morris
November 5th, 2012 - 09:18

Hi, I am Jack and can some one help me do this OpenVpn ?

( REPLY )
Deepak
November 19th, 2012 - 05:53

Hi Septimius Paul Tompa,

Did u ever tried this in android device just share me ur views.. Bcoz iam trying to setting up OpenVpn server in Ubuntu 10.04 and use the certifacte in the Android device to check how it work.

Thanks in Advance

( REPLY )
- Septimius Paul Tompa
  November 19th, 2012 - 09:54
  
  I do not have and android setup tutorial at this point since I do not own an android device, but I will try to get one from a friend.
  
  ( REPLY )
  - Deepak
    November 20th, 2012 - 00:23
    
    Hi Septimius Paul Tompa,
    
    Thanks for ur reply.. I have few other doubts in the above flow. Why u r creating/genarting 3 certificate & key for clients? What should be the client configuration since in my case my client is an Android devce.? and What Mr.Yoda was conveyed on his reply,, “I found what i add in server.conf, it`s this line:
    script-security 3 system
    “.. Is he meaning to add “script-security 3 system” line in the config file?
    
    Thanks in Advance
    
    ( REPLY )
    - Septimius Paul Tompa
      November 23rd, 2012 - 21:46
      
      Hi Deepak,
      
      You need to generate a key for each client. To answer to your question I generated 3 client keys becouse I have 3 clients for that specific VPN (IPhone,OSX, and a Ubuntu box).
      I cannot reply at this point about an Android client since I did not tested this yet with an android device. I will publish a tutorial about this soon.
      Mr. y0d4 (Yoda) had a specific problem, he could not start the OpenVPN server, since he was getting an “* could not access PID file for VPN ‘server’
      ” error and adding to conf file “script-security 3 system” line seems to fix this (this can be also added from the command line when you start the service).
      
      Acording to the OpenVPN documentation:
      
      –script-security level [method]
      This directive offers policy-level control over OpenVPN’s usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level:
      
      0 — Strictly no calling of external programs.
      1 — (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
      2 — Allow calling of built-in executables and user-defined scripts.
      3 — Allow passwords to be passed to scripts via environmental variables (potentially unsafe).
      
      The method parameter indicates how OpenVPN should call external commands and scripts. Settings for method:
      
      execve — (default) Use execve() function on Unix family OSes and CreateProcess() on Windows.
      system — Use system() function (deprecated and less safe since the external program command line is subject to shell expansion).
      
      The –script-security option was introduced in OpenVPN 2.1_rc9. For configuration file compatibility with previous OpenVPN versions, use: –script-security 3 system
      
      ( REPLY )
      - Deepak
        November 25th, 2012 - 12:00
        
        Hi Septimius Paul Tompa,
        
        Is the steps given above will be suitable for Ubuntu 10.04?
      - Septimius Paul Tompa
        November 26th, 2012 - 23:53
        
        Yes.
Deepak
November 27th, 2012 - 00:33

Hi Septimius Paul Tompa,

I had followed the above steps and setted up my server in my ubuntu 10.04 system (My system IP 192.xxx.xx.xx)..I connected my system through a LAN to a Modem. I tested my Samung S3 in 2 scenario

1. I enabled Data Usage.. I ran my application with the necessary things.(i.e.,installed test.p12 file) and i clicked connect.. At this point i got TLS handshake failed ..And VPN didnt connect

2. But when my Device is connected to my modem (through wifi) I could see the Connected status, but no packets are transferred..

Plz clarify my doubt..

Thanks in Advance

Regards,
Deepak

( REPLY )
ajay
January 27th, 2013 - 05:06

He paul i am getting errors like no server verification method enable…..

( REPLY )
Cornel Paduraru
March 31st, 2013 - 14:48

Hello Septimius Paul Tompa,
I get an error when trying to connect to my OepnVpn server: ” MULTI: bad source address from client”. I can establish a connection but i do not have any internet connection, and i cannot see the local network. Thanks.

( REPLY )