OpenVPN Install Ubuntu 9.10

A good buddy of mine, Trevor, had mentioned wanting to bridge his brother's network and his own. Having done an OpenVPN install many moons ago, that resonated with the “I need to do that again” list in my head. When the N900 arrived it seemed like the perfect opportunity to have it use a VPN tunnel to secure its traffic while on an open AP. Here is my config:

The first step was to get a current version of OpenVPN installed on the Ubuntu 9.10 server. I decided to go with the bridged setup rather than a routed one so that I could play more easily with my VMware clusters at the house and the lab with my BeOS and OpenBSD boxes.

sudo apt-get install openvpn bridge-utils

Next I set up a bridged adapter on the Ubuntu 9.10 box to give me transparent access to the LAN. Open the /etc/network/interfaces file in vi and make it look like this:

auto lo br0

iface lo inet loopback

iface br0 inet static
    address 172.16.1.102
    network 172.16.1.0
    broadcast 172.16.1.255
    netmask 255.255.255.0
    gateway 172.16.1.1
    bridge_ports eth0
    bridge_fd 9
    bridge_hello 2
    bridge_maxage 12
    bridge_stp off

iface eth0 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down

Afterward you need to restart the networking service so the bridge comes up:

sudo /etc/init.d/networking restart

Since I was using the desktop edition of Ubuntu rather than Server (this machine was a pseudo desktop for a little bit), I had to enable IP forwarding by editing /etc/sysctl.conf with vi and adding:

net.ipv4.ip_forward=1

The next few steps set up the CA you need for certificate generation. Easy-rsa is pretty sweet as a quick and dirty CA for this type of thing. You can also use the openvpn tools to do static keys, but where is the fun in that?

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo vi /etc/openvpn/easy-rsa/vars

Change these lines at the bottom so that they reflect your new CA:

export KEY_COUNTRY="US"
export KEY_PROVINCE="VA"
export KEY_CITY="Alexandria"
export KEY_ORG="oneguynick"
export KEY_EMAIL="nick@notlikelytopostinanopenwebsite.com"

Now to generate your root CA and the server's credentials:

cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
sudo chown -R root:admin . ## make this directory writable by the system administrators
sudo chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## set up the easy-rsa directory (deletes all keys)
./build-dh ## takes a while, consider backgrounding
./pkitool --initca ## creates the CA cert and key
./pkitool --server server ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key ## build a TLS auth key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
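The cp above drops server.key and ta.key into /etc/openvpn alongside the public ca.crt, server.crt and dh1024.pem. The two .key files are secrets: OpenVPN reads them as root before dropping to nobody (persist-key keeps them in memory across restarts), so nothing but root needs to read them, and depending on the umask of the account that ran cp they may have ended up readable by every local user. The check below is an added example, not from the original post; it reports any secret under a config directory that group or other can read, using a constructed temporary directory in place of /etc/openvpn.

```python
"""Permission check for the OpenVPN key material copied into /etc/openvpn.

Added example (not from the original post). The directory and file contents
are constructed for the demo; only the mode bits matter."""
import os
import stat
import tempfile

# Files that must stay private. ca.crt, server.crt and dh1024.pem are public.
SECRET_NAMES = ("server.key", "ta.key")


def unsafe_secrets(conf_dir, names=SECRET_NAMES):
    """Return (name, detail) pairs for secrets that are missing or readable by group/other."""
    problems = []
    for name in names:
        path = os.path.join(conf_dir, name)
        if not os.path.exists(path):
            problems.append((name, "missing"))
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        # any group or other permission bit set means a non-root login can read the key
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append((name, oct(mode)))
    return problems


def demo():
    """Build a throwaway directory mimicking /etc/openvpn after the cp, then fix it."""
    with tempfile.TemporaryDirectory() as d:
        for name in SECRET_NAMES + ("ca.crt", "server.crt", "dh1024.pem"):
            with open(os.path.join(d, name), "w") as fh:
                fh.write("placeholder\n")  # constructed content, not a real key
        os.chmod(os.path.join(d, "server.key"), 0o644)  # world-readable: the problem case
        os.chmod(os.path.join(d, "ta.key"), 0o600)
        before = unsafe_secrets(d)
        os.chmod(os.path.join(d, "server.key"), 0o600)  # what chmod 600 on the real box does
        after = unsafe_secrets(d)
        return before, after


if __name__ == "__main__":
    print(demo())  # ([('server.key', '0o644')], [])
```

On the real server, `sudo chmod 600 /etc/openvpn/*.key` clears the finding; the check deliberately ignores the certificates and DH parameters, which are fine to leave world-readable.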

These next two up/down scripts add the tap device to the bridge when the server starts. This is the magic that removes the routing you used to have to configure by hand in OpenVPN 1.

sudo vi /etc/openvpn/up.sh

This script should contain the following:

#!/bin/sh
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV

Now, we’ll create a “down” script.

sudo vi /etc/openvpn/down.sh

It should contain the following.

#!/bin/sh
BR=$1
DEV=$2
/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

Now, make both scripts executable.

sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh

Below is my example /etc/openvpn/server.conf. Customize it as you see fit.

mode server
tls-server
local 172.16.1.102
port 443 ## I am running on 443 rather than the default for firewall bypassing
proto udp

#bridging directive
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
persist-key
persist-tun

#certs
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0

#cipher and compression
cipher BF-CBC # Blowfish (default)
comp-lzo

#DHCP
ifconfig-pool-persist ipp.txt
server-bridge 172.16.1.102 255.255.255.0 172.16.1.50 172.16.1.60
push "dhcp-option DNS 172.16.1.1"
push "dhcp-option DOMAIN geekyschmidt.com"
max-clients 10

#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3

Afterward, restart the OpenVPN server:

sudo /etc/init.d/openvpn restart

Now it is time to generate the client certs that you will need to copy to each device. I use n900 as the name here, but you can replace it with whatever you wish. I try to keep certificate names and machine names close, for my poor memory's sake.

cd /etc/openvpn/easy-rsa/
source ./vars
./pkitool n900

You will be left with a few files in your /etc/openvpn/easy-rsa/keys directory that you need to copy to the device. In my case I copied them to the MyDocs/openvpn area of my N900 to be sure the applet could see them. Most Linux machines store them in /etc/openvpn. The list of files to copy is below. Keep in mind that mine are named n900 because of the pkitool n900 command above.

  1. ca.crt
  2. ta.key
  3. n900.key
  4. n900.crt

Once those are on the machine you need to create a config file. Here is mine from the N900.

### Client configuration file for OpenVPN

# Specify that this is a client
client

# Bridge device setting
dev tap

# Host name and port for the server (default port is 1194)
# note: replace with the correct values for your server setup
remote notlikelytopostinanopenwebsite.com 443

# Client does not need to bind to a specific local port
nobind

# Keep trying to resolve the host name of the OpenVPN server.
## The Windows GUI seems to dislike the following rule.
## You may need to comment it out.
resolv-retry infinite

# Preserve state across restarts
persist-key
persist-tun

# SSL/TLS parameters - files created previously
ca ca.crt
cert n900.crt
key n900.key

# Since we specified tls-auth for the server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1

# Specify the same cipher as the server
cipher BF-CBC

# Use compression
comp-lzo

# Log verbosity (to help if there are problems)
verb 3
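A common source of failed connections is the client file disagreeing with server.conf on a setting that must match: tls-auth present on both sides with direction 0 on the server and 1 on the client, the same cipher, comp-lzo on both or neither, a tap device on both ends, and the client's remote port equal to the server's port. The checker below is an added example, not part of the original post. The two embedded configs are constructed abridgements of the server.conf and client file shown above, and the BF-CBC, udp and 1194 defaults are the OpenVPN 2.x defaults assumed here when a directive is absent. It also confirms that the server-bridge address pool lies inside the bridge subnet and does not include the bridge address itself.

```python
"""Consistency checks for a bridged OpenVPN server/client config pair.

Added example, not from the original post. The sample configs are constructed
from the page's server.conf and n900 client file; defaults are assumed."""
import ipaddress
import shlex

SERVER_CONF = """\
mode server
tls-server
local 172.16.1.102
port 443
proto udp
dev tap0
up "/etc/openvpn/up.sh br0"
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
cipher BF-CBC # Blowfish (default)
comp-lzo
server-bridge 172.16.1.102 255.255.255.0 172.16.1.50 172.16.1.60
push "dhcp-option DNS 172.16.1.1"
"""

CLIENT_CONF = """\
client
dev tap
remote notlikelytopostinanopenwebsite.com 443
nobind
ca ca.crt
cert n900.crt
key n900.key
tls-auth ta.key 1
cipher BF-CBC
comp-lzo
"""


def parse_openvpn(text):
    """Map each directive to the list of argument lists it appears with.

    Quoted arguments stay whole (up "/etc/openvpn/up.sh br0" -> one argument)
    and # or ; comments are dropped, as OpenVPN does when reading its config."""
    opts = {}
    for line in text.splitlines():
        words = [] if line.lstrip().startswith(";") else shlex.split(line, comments=True)
        if words:
            opts.setdefault(words[0], []).append(words[1:])
    return opts


def first(opts, name, default):
    """Arguments of the first occurrence of a directive, or the given default."""
    return opts.get(name, [default])[0]


def dev_type(args):
    """'tap0' -> 'tap'; OpenVPN defaults to tun when dev is absent."""
    return args[0].rstrip("0123456789") if args else "tun"


def check_pair(server_text, client_text):
    """Return human-readable mismatches; an empty list means the pair agrees."""
    s, c = parse_openvpn(server_text), parse_openvpn(client_text)
    findings = []
    # tls-auth must be on both sides, with key direction 0 (server) / 1 (client)
    s_ta, c_ta = s.get("tls-auth"), c.get("tls-auth")
    if bool(s_ta) != bool(c_ta):
        findings.append("tls-auth is configured on only one side")
    elif s_ta and (s_ta[0][1:] != ["0"] or c_ta[0][1:] != ["1"]):
        findings.append("tls-auth key direction must be 0 on the server and 1 on the client")
    # cipher and protocol must be identical; compression on both sides or neither
    for name, default in (("cipher", ["BF-CBC"]), ("proto", ["udp"])):
        sv, cv = first(s, name, default), first(c, name, default)
        if sv != cv:
            findings.append(f"{name} differs: server {sv} vs client {cv}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("comp-lzo must be enabled on both sides or neither")
    # a bridge needs a tap device at both ends
    if dev_type(first(s, "dev", [])) != dev_type(first(c, "dev", [])):
        findings.append("dev type differs (bridging needs tap on both sides)")
    # every client 'remote' must point at the port the server listens on
    s_port = first(s, "port", ["1194"])[0]
    for remote in c.get("remote", []):
        c_port = remote[1] if len(remote) > 1 else "1194"
        if c_port != s_port:
            findings.append(f"client remote port {c_port} != server port {s_port}")
    # the server-bridge pool must lie inside the bridge subnet and avoid the gateway
    for args in s.get("server-bridge", []):
        if len(args) != 4:
            continue
        gw, mask, start, end = args
        net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if not (lo in net and hi in net and lo <= hi):
            findings.append(f"server-bridge pool {start}-{end} is not inside {net}")
        elif lo <= ipaddress.ip_address(gw) <= hi:
            findings.append("server-bridge pool overlaps the bridge gateway address")
    return findings


if __name__ == "__main__":
    print(check_pair(SERVER_CONF, CLIENT_CONF) or "server and client configs agree")
```

Run it against the two real files by reading them into the two strings; each finding names the directive to fix, and an empty list for the pair above confirms the configs on this page agree with each other.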

On the N900 you will need to install the openvpn packages from extras-testing:

sudo gainroot
apt-get install openvpn openvpn-applet

That's it! Tap the status bar on the N900 and import the config file stored in MyDocs/openvpn from earlier. The applet will import the keys into the correct locations and let you test the connection.

Updated: