Content:
1. Preliminary
2. Installing GCC and Dependencies
3. Installing OpenVPN
4. Creating Certificate and Key
5. Creating OpenVPN Configuration
6. Starting OpenVPN, IP Forwarding, NAT
7. Client Configuration
Preliminary
Before we get to the main course: why does Debian Squeeze come first in the title? Because I recommend it. The simple answer is that it is light, so you can run this software on even a 64 MB or 128 MB VPS. But I will also cover the other three distros that I (and most people) use. So what is OpenVPN Community Software, and why is it so popular compared with other VPNs?
It is an open source SSL/TLS VPN with a full feature set that supports many configurations, including site-to-site VPN, remote access, load balancing, and failover. Many people move to OpenVPN because it is open source, which means free and easy to use, configure, and implement. More about OpenVPN Community Software can be read at http://openvpn.net/index.php/open-source/245-community-open-source-software-overview.html
Okay, now let’s begin. I am using a freshly installed OS. First you need to check whether TUN is enabled on your VPS, because OpenVPN needs a TUN device for the routed tunnel we are setting up for anonymous and safe browsing:
```shell
cat /dev/net/tun
```
If you get “cat: /dev/net/tun: File descriptor in bad state”, TUN is active and you are ready to go. If instead you get “No such file or directory” or “No such device”, the device is not available: ask your VPS provider to enable it, or enable it yourself from the SolusVM control panel.
Installing GCC and Dependencies
Always update a freshly installed OS before installing anything else.
```shell
# Debian / Ubuntu: refresh the package index and apply pending updates
apt-get update
apt-get upgrade -y
# CentOS
yum update -y
```
After that, install the basic tools needed to build and configure OpenVPN from source:
```shell
# Debian / Ubuntu
apt-get install -y build-essential openssl libssl-dev libpam0g-dev
# CentOS
yum install -y gcc make openssl openssl-devel pam-devel
```
Install the LZO data compression library, which OpenVPN uses for comp-lzo:
```shell
wget https://repo.regolithmedia.com/ovpn/lzo-2.06.tar.gz
tar -zxvf lzo-2.06.tar.gz
cd lzo-2.06
# Pay attention to ./configure: run only the line that matches your system.
# Debian, Ubuntu, and CentOS 32-bit:
./configure --prefix=/usr --libdir=/usr/lib
# CentOS 64-bit (x86_64), uncomment this one instead:
#./configure --prefix=/usr --libdir=/usr/lib64
make
make install
cd ..
```
The tools and dependencies are now installed, so it is time for the main course: installing OpenVPN itself. The current stable version is 2.2.2, released 2011-12-22; as soon as version 2.3 is out of beta I will update this tutorial. The tarballs below are mirrored copies; if you want to be sure of what you are compiling, compare them with the GPG-signed releases published by the OpenVPN project at openvpn.net before running make.
Installing OpenVPN
```shell
wget https://repo.regolithmedia.com/ovpn/openvpn-2.2.2.tar.gz
tar -zxvf openvpn-2.2.2.tar.gz
cd openvpn-2.2.2
# Pay attention to ./configure: run only the line that matches your system.
# Debian, Ubuntu, and CentOS 32-bit:
./configure --prefix=/usr --libdir=/usr/lib
# CentOS 64-bit (x86_64), uncomment this one instead:
#./configure --prefix=/usr --libdir=/usr/lib64
make
make install
```
OpenVPN is now installed. Do not leave the openvpn-2.2.2 directory yet: copy the easy-rsa directory inside it to “/etc/openvpn/easy-rsa”. Easy-rsa contains the scripts that create the certificate authority, certificates, and keys OpenVPN needs.
```shell
mkdir -p /etc/openvpn
cp -r easy-rsa /etc/openvpn
```
Still inside the openvpn-2.2.2 directory, build openvpn-auth-pam. This plugin lets OpenVPN authenticate users through PAM, i.e. against the same system accounts (/etc/passwd and /etc/shadow) that console and SSH logins use; the VPN users themselves will not get a shell.
```shell
cd plugin/auth-pam
make
# Debian, Ubuntu, and CentOS 32-bit:
cp openvpn-auth-pam.so /usr/lib
# CentOS 64-bit:
#cp openvpn-auth-pam.so /usr/lib64
```
Creating Certificate and Key
Move to the easy-rsa directory, load its variables into your current shell with “source ./vars” (running it as “./vars” would only set them in a throw-away subshell), and wipe the keys directory so we start from a clean state:
```shell
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./clean-all
```
================================================================================
INTERMEZZO: if you see the following error when executing the “source ./vars” command
```text
**************************************************************
No /etc/openvpn/easy-rsa/2.0/openssl.cnf file could be found
Further invocations will fail
**************************************************************
```
it means easy-rsa did not recognize your OpenSSL version: the whichopensslcnf script only matches the OpenSSL releases it knows about, and anything newer falls through to a generic openssl.cnf that is not shipped. Edit the whichopensslcnf file inside “/etc/openvpn/easy-rsa/2.0” and change the openssl.cnf under else
```sh
else
    cnf="$1/openssl.cnf"
fi
fi
```
to openssl-1.0.0.cnf, so that it reads
```sh
else
    cnf="$1/openssl-1.0.0.cnf"
fi
fi
```
then continue again from the “source ./vars” command.
================================================================================
While building the certificate authority you will be asked for Country, State/Province, City, Organization/Company, Unit, Common Name, Name, and Email. You can fill all of these with your own data, or just press Enter to accept the defaults and fill in only the Common Name (usually your VPS hostname). Check the image below.
```shell
./build-ca
```
After the CA, build the server key and certificate. The prompts are the same as for build-ca, but this time fill the Common Name with “server” (take a look at the image below). When asked for a “challenge password”, leave it empty (just press Enter): it is an attribute of the certificate request that OpenVPN never uses, and authentication is handled by PAM anyway. Answer “y” when asked to sign the certificate and to commit it.
```shell
./build-key-server server
```
Build the Diffie-Hellman parameters (more about the Diffie-Hellman key exchange on Wikipedia or at RSA):
```shell
./build-dh
```
The time required to build the Diffie-Hellman parameters depends on your server’s spec. The vars file defaults KEY_SIZE to 1024, which produces dh1024.pem and 1024-bit RSA keys; 1024-bit is considered weak today, so if you can afford the CPU time set “export KEY_SIZE=2048” in vars before running clean-all and build-ca, and reference dh2048.pem instead of dh1024.pem in the server configuration.
Creating OpenVPN Configuration
We will place the configuration in the “/etc/openvpn” directory and use port 1194 UDP (the default).
```shell
nano /etc/openvpn/1194-udp.conf
```
* you can use another text editor you like, such as vi or pico
Below is the configuration:
```conf
# The first three lines are your server IP, port, and protocol
local 123.123.123.123
port 1194
proto udp

# We use the TUN driver and standard TUN settings
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

# Where the required certificates and keys are located
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

# Authentication through PAM against the system's login accounts
plugin /usr/lib/openvpn-auth-pam.so /etc/pam.d/login
# On CentOS 64-bit the plugin was copied to /usr/lib64; use this line instead:
#plugin /usr/lib64/openvpn-auth-pam.so /etc/pam.d/login
# Clients authenticate with username and password only, no client certificate;
# the username becomes the client's Common Name in the log and status file
client-cert-not-required
username-as-common-name

# Example private subnet handed out to clients
server 10.2.3.0 255.255.255.0

# Tunnel all of the client's network traffic through the OpenVPN server
push "redirect-gateway def1"
# Or add the local flag if the clients are on the same wireless subnet
#push "redirect-gateway local def1"

# DNS servers pushed to the clients for use over the tunnel
# You can add more, e.g. Google DNS, OpenDNS, etc.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 4.2.2.1"

# Ping every 5 seconds; assume the link is down after 30 seconds without a reply
keepalive 5 30

# Use LZO compression (faster)
comp-lzo

# Keep the key material across restarts triggered by ping timeouts
persist-key
# Keep the TUN device open across restarts
persist-tun

# Write the connection status here (absolute path, otherwise the file is
# written relative to the directory openvpn was started from)
status /etc/openvpn/1194-udp.log

# Normal output verbosity level
verb 3
```
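The configuration above works, but it runs the daemon as root forever, uses 1024-bit DH parameters, and makes the PAM password the only secret. The following script is an added example, not code from the original tutorial or from the OpenVPN project: it parses a server config the way OpenVPN does (one directive per line, “#” or “;” comments, shell-style quoting) and reports those weak spots. Both configurations in it are constructed inline; WEAK_CONF is shaped like the 1194-udp.conf above, and HARDENED_CONF is the same file with the changes the findings ask for. The check names and messages are this example's own, not OpenVPN output.

```python
"""Audit an OpenVPN 2.2 server configuration for the settings this tutorial
relies on and for the hardening it leaves out.

Added example, not part of the original tutorial.  WEAK_CONF and
HARDENED_CONF are constructed samples; the findings text is this script's.
"""
import re
import shlex
from typing import Dict, List


def parse_config(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it appears with.

    OpenVPN treats lines starting with '#' or ';' as comments and splits the
    rest like a shell (double quotes group words, as in push "a b").
    """
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        words = shlex.split(line, comments=True)
        if words:
            directives.setdefault(words[0], []).append(words[1:])
    return directives


def audit(text: str) -> List[str]:
    """Return one finding per weak or missing setting (empty list = clean)."""
    conf = parse_config(text)
    findings: List[str] = []

    # 1. Privilege drop: without user/group the daemon keeps root after startup
    #    (persist-key/persist-tun, already in the tutorial, make the drop safe).
    if "user" not in conf or "group" not in conf:
        findings.append("no 'user'/'group': openvpn keeps running as root; add "
                        "'user nobody' and 'group nogroup' (CentOS: 'group nobody')")

    # 2. DH parameter size, read from the conventional dhNNNN.pem file name.
    for args in conf.get("dh", []):
        m = re.search(r"dh(\d+)\.pem$", args[0])
        if m and int(m.group(1)) < 2048:
            findings.append("dh file is %s bits; rebuild with KEY_SIZE=2048 in "
                            "easy-rsa vars" % m.group(1))

    # 3. Password-only authentication: record the exposure the design accepts.
    if "client-cert-not-required" in conf:
        findings.append("client-cert-not-required: the PAM password is the only "
                        "secret; enforce strong passwords, consider tls-auth")

    # 4. Relative status/log paths end up wherever openvpn was started from.
    for key in ("status", "log", "log-append"):
        for args in conf.get(key, []):
            if not args[0].startswith("/"):
                findings.append("%s path '%s' is relative; use an absolute path"
                                % (key, args[0]))
    return findings


# Constructed sample in the shape of the tutorial's /etc/openvpn/1194-udp.conf
WEAK_CONF = """
local 123.123.123.123
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.2.3.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194-udp.log
verb 3
"""

# Same file with 2048-bit DH, an absolute status path and a privilege drop;
# password-only auth is kept because that is the design of this setup.
HARDENED_CONF = (WEAK_CONF.replace("dh1024.pem", "dh2048.pem")
                 .replace("status 1194-udp.log", "status /etc/openvpn/1194-udp.log")
                 + "user nobody\ngroup nogroup\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        results = audit(text)
        print("%s: %d finding(s)" % (name, len(results)))
        for f in results:
            print("  -", f)
```

Run it against your own file by passing its contents to audit(); the weak sample yields four findings, the hardened one only the note about password-only authentication.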
Starting OpenVPN, IP Forwarding, NAT
Now we are ready to start OpenVPN with the 1194 UDP config. Start it in the foreground first so you can watch the log:
```shell
openvpn /etc/openvpn/1194-udp.conf
```
If the log ends with “Initialization Sequence Completed” you are ready to roll. Press Ctrl+Z to suspend the process, then let it continue in the background with the “bg” command:
```shell
bg
```
To have it survive the end of your SSH session, start it instead with “openvpn --config /etc/openvpn/1194-udp.conf --daemon”; it then detaches from the terminal and logs to syslog.
Enabling IP Forward
Enable IP forwarding so the server will route the clients’ traffic:
```shell
echo 1 > /proc/sys/net/ipv4/ip_forward
```
This setting is lost on reboot; to make it permanent, set “net.ipv4.ip_forward = 1” in /etc/sysctl.conf and apply it with “sysctl -p”.
NAT the clients’ traffic to the internet, where 10.2.3.0/24 is the clients’ subnet and 123.123.123.123 is your server’s public IP address. SNAT is the right choice when the public address is fixed, as on a VPS:
```shell
iptables -t nat -A POSTROUTING -s 10.2.3.0/24 -j SNAT --to 123.123.123.123
```
or use this if you are on a dedicated machine whose public address may change; MASQUERADE picks up the current address of the outgoing interface (adjust eth0 if yours is named differently):
```shell
iptables -t nat -A POSTROUTING -s 10.2.3.0/24 -o eth0 -j MASQUERADE
```
Like the ip_forward setting, iptables rules are not kept across reboots; save them with your distribution’s mechanism (iptables-save, or the iptables service on CentOS).
Client Configuration
Add a user for OpenVPN authentication. Giving it /bin/false as shell means the account can authenticate through PAM but cannot log in to a shell over SSH or the console. Then set its password; it is the only secret protecting the VPN, so make it strong.
```shell
useradd -s /bin/false anyusername
passwd anyusername
```
Download OpenVPN for Windows from https://repo.regolithmedia.com/ovpn/openvpn-2.2.2-install.exe and install it (the official installers are also available from openvpn.net). Don’t forget to run the GUI as administrator on Windows 7, otherwise it cannot add the routes pushed by the server.
Create a configuration for the client, e.g. 1194-udp.ovpn, and save it in the OpenVPN client config folder, usually “C:\Program Files\OpenVPN\config”, or “C:\Program Files (x86)\OpenVPN\config” on a 64-bit OS.
```conf
client
dev tun
proto udp
remote 123.123.123.123 1194   # your server IP address and port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
verb 3
```
The last thing before running the OpenVPN client GUI: download the ca.crt file from “/etc/openvpn/easy-rsa/2.0/keys” on your server and save it next to 1194-udp.ovpn. Only ca.crt belongs on the client; never copy ca.key, server.crt or server.key off the server. When you connect, the GUI asks for the username and password of the account created above. Because the server certificate was created with build-key-server, you can also add “remote-cert-tls server” to the .ovpn so the client refuses to connect to any peer that does not present a server certificate signed by your CA.
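Once clients connect, the file named by the server’s “status” directive tells you who is logged in, from where, and which tunnel address they got. The script below is an added example, not code from the original tutorial or from the OpenVPN project. It parses that file (the default status-version 1 layout: an “OpenVPN CLIENT LIST” block followed by a “ROUTING TABLE” block) and, because the server uses “username-as-common-name”, treats the Common Name column as the PAM username and checks it against the accounts you created with useradd. SAMPLE_STATUS is constructed: the usernames, addresses and timestamps are made up, and the allowed-user set {alice, bob} and the 10.2.3.0/24 subnet are assumptions matching this tutorial’s configuration.

```python
"""List and sanity-check OpenVPN sessions from the 'status' file.

Added example, not part of the original tutorial.  SAMPLE_STATUS is a
constructed status file in the status-version 1 format; the tunnel
addresses .6/.10/.14/.18 are what 'server 10.2.3.0 255.255.255.0' hands
out in its default net30 topology.
"""
import ipaddress
import sys
from typing import Dict, List, Optional, Set, Tuple


class Session:
    def __init__(self, username: str, real_address: str,
                 bytes_received: int, bytes_sent: int, connected_since: str):
        self.username = username            # Common Name = PAM username here
        self.real_address = real_address    # client's public ip:port
        self.bytes_received = bytes_received
        self.bytes_sent = bytes_sent
        self.connected_since = connected_since
        self.virtual_address: Optional[str] = None  # tunnel IP from ROUTING TABLE


def parse_status(text: str) -> List[Session]:
    """Join CLIENT LIST and ROUTING TABLE rows on (Common Name, Real Address)."""
    sessions: Dict[Tuple[str, str], Session] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
        elif line == "ROUTING TABLE":
            section = "routes"
        elif line in ("GLOBAL STATS", "END"):
            section = None
        elif section == "clients":
            f = line.split(",")
            # 'Updated,<time>' has 2 fields; the column header is skipped by name
            if len(f) == 5 and f[0] != "Common Name":
                sessions[(f[0], f[1])] = Session(f[0], f[1], int(f[2]), int(f[3]), f[4])
        elif section == "routes":
            f = line.split(",")
            if len(f) == 4 and f[0] != "Virtual Address":
                key = (f[1], f[2])
                if key in sessions:
                    sessions[key].virtual_address = f[0]
    return list(sessions.values())


def audit(sessions: List[Session], allowed_users: Set[str], vpn_subnet: str) -> List[str]:
    """Flag users that were never created, addresses outside the VPN subnet,
    and one username used by several sessions at once (shared password?)."""
    net = ipaddress.ip_network(vpn_subnet)
    findings: List[str] = []
    by_user: Dict[str, List[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.username, []).append(s)
        if s.username not in allowed_users:
            findings.append("unknown user %r connected from %s" % (s.username, s.real_address))
        if s.virtual_address and ipaddress.ip_address(s.virtual_address) not in net:
            findings.append("%s holds %s, outside %s" % (s.username, s.virtual_address, vpn_subnet))
    for user, sess in by_user.items():
        if len(sess) > 1:
            findings.append("%s is logged in %d times from %s" %
                            (user, len(sess), ", ".join(x.real_address for x in sess)))
    return findings


SAMPLE_STATUS = """OpenVPN CLIENT LIST
Updated,Tue Mar 20 10:00:00 2012
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,198.51.100.23:51822,104857,2097152,Tue Mar 20 09:40:12 2012
mallory,203.0.113.9:40011,512,1024,Tue Mar 20 09:58:03 2012
bob,192.0.2.77:1194,40960,81920,Tue Mar 20 09:45:30 2012
bob,198.51.100.200:60001,128,256,Tue Mar 20 09:59:40 2012
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.2.3.6,alice,198.51.100.23:51822,Tue Mar 20 09:59:58 2012
10.2.3.10,mallory,203.0.113.9:40011,Tue Mar 20 09:59:59 2012
10.2.3.14,bob,192.0.2.77:1194,Tue Mar 20 09:59:50 2012
10.2.3.18,bob,198.51.100.200:60001,Tue Mar 20 09:59:57 2012
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

if __name__ == "__main__":
    # Real use: python ovpn_status.py /etc/openvpn/1194-udp.log alice bob
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
        allowed = set(sys.argv[2:])
    else:
        text, allowed = SAMPLE_STATUS, {"alice", "bob"}
    found = parse_status(text)
    for s in found:
        print("%-8s %-22s tunnel=%-11s rx=%d tx=%d since %s" % (
            s.username, s.real_address, s.virtual_address,
            s.bytes_received, s.bytes_sent, s.connected_since))
    for f in audit(found, allowed, "10.2.3.0/24"):
        print("WARNING:", f)
```

Run on the sample it reports two warnings: “mallory” was never created with useradd, and “bob” is connected twice from different addresses, which with a password-only setup usually means the password has been shared. Point it at your real status file and the list of accounts you created to get the same check for your server.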