OpenVPN Server/Client on Ubuntu 9.04/9.10
Last Updated: January 02, 2010
(01) Introduction

The following how-to shows you, step by step, how to set up and run an OpenVPN server (on Linux) and OpenVPN clients (on Linux/Windows). It also covers the concepts behind Site-to-Site and Client-to-Site VPN tunnels with OpenVPN.

Disclaimer: I give no warranty that this how-to will work for you. Use it at your own risk. Test it first before you put it on any production server, and secure your server yourself.

You may mail me at helpdesk@linux-bd.com if you have any question regarding this how-to. You may also catch me on Google Talk; my gtalk id is 'rkarim1981'.


(02) Scenario:

In this scenario, suppose we have a corporate Head Office (HQ), two branch offices (BO) and a laptop that travels to several places and uses whatever public Internet connection is available.

Our VPN server is kept in the HQ. The two branch offices connect to the HQ through VPN tunnels (site-to-site VPN) to share some application servers/services, and the laptop connects as a road-warrior VPN client (client-to-site) to share the same application servers/services.


Consider,
In HQ,
VPN Server's Public/Leased IP address is: 123.49.42.180/29; connected to the Internet
VPN Server's Local IP address is: 192.168.111.1/24; connected to the local network
In BO1,
VPN Client's Public/Leased IP address is: 202.22.199.10/29; connected to the Internet
VPN Client's Private IP address is: 192.168.112.1/24; connected to the local network
In BO2,
VPN Client's Public/Leased IP address is: 202.22.166.10/29; connected to the Internet
VPN Client's Private IP address is: 192.168.113.1/24; connected to the local network
In Laptop,
Whatever public Internet connection is available is used, such as CDMA/EDGE/WiFi/WiMAX, hence its IP address is dynamic.

IP subnet 10.10.10.0/24 will be used as the IP pool from which each VPN client is assigned a tunnel address while establishing the VPN connection (the server itself takes 10.10.10.1).

Here, our goal is to access the application server in HQ (subnet 192.168.111.0/24) from the branch office local networks (192.168.112.0/24 in BO1 and 192.168.113.0/24 in BO2) and also from the laptop (Windows XP-SP3/Ubuntu Desktop as road-warrior).

Use this how-to as a template and modify it according to your own setup and network diagram/configuration.

So, let's start ...


(03) Configuring the VPN Server In HQ:

Log in as root to your VPN-Server BOX, where you already installed Ubuntu Server Edition 9.04/9.10 and which is connected to the Internet, and apply (you may copy/paste) the following shell commands (removing the preceding "cmd:"; the text after ";" on a command line is a remark, not part of the command);

cmd:apt-get update
cmd:apt-get upgrade; you may skip this if your Internet speed is less than 512kbps
cmd:apt-get install openvpn openssl liblzo2-2 liblzo2-dev lzop rcconf vim-nox
cmd:cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/
cmd:cd /etc/openvpn/
note:[note:] optionally edit "vars" first (vim vars) and set KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL to your own values; they become the defaults for every prompt below. KEY_SIZE=1024 is the easy-rsa 2.0 default and decides the name of the Diffie-Hellman file (dh1024.pem) referenced in server.conf; if you raise it to 2048, use keys/dh2048.pem there.
cmd:source ./vars; loads the easy-rsa variables (KEY_DIR=/etc/openvpn/keys) into this shell; it must be done before clean-all, otherwise clean-all only prints "Please source the vars script first"
cmd:./clean-all; creates an empty, root-only keys/ directory with index.txt and serial. WARNING: it also wipes any existing keys/ directory, so run it once, on first setup only
cmd:
note:[note:] every time you build a certificate below, accept or adjust the prompted parameters and give no password for the server key (the service must start unattended); answer "y" to both "Sign the certificate?" and "commit?". The Common Name defaults to the name you pass on the command line: keep it, and keep it unique per client, because OpenVPN matches the files in client-config-dir (ccd/bo1, ccd/bo2 ...) by the client certificate's Common Name.
cmd:./build-ca; this will build the CA certificate (keys/ca.crt) and the CA private key (keys/ca.key) that signs every server and client certificate; ca.key never leaves this server
cmd:./build-key-server server; this will build the server certificate and key (keys/server.crt, keys/server.key), marked as a server certificate (nsCertType=server)
cmd:
cmd:./build-key bo1; this will build the certificate and key for Branch Office-1
cmd:./build-key bo2; this will build the certificate and key for Branch Office-2
cmd:./build-key laptop1; this will build the certificate and key for the Laptop (use ./build-key-pass laptop1 instead if you want the key protected by a passphrase, so that a stolen laptop does not carry a ready-to-use VPN identity)
cmd:./build-dh; this will build the Diffie-Hellman parameters (keys/dh1024.pem); it takes a while
cmd:
note:[note:] when you add more clients later, follow these steps (do NOT run ./clean-all again, it would destroy the CA and every key issued so far; ./build-dh need not be repeated either, the DH parameters do not depend on the clients):
cmd:cd /etc/openvpn/
cmd:source ./vars
cmd:./build-key clientX; this will build the certificate and key for clientX
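Before a certificate is copied to a branch or a laptop it is worth checking what easy-rsa produced. The script below is an added example, not part of the original how-to: it uses the openssl command installed above to verify that each certificate chains to our own keys/ca.crt, reads out the Common Name (the name the server matches against the ccd directory), checks that the private key belongs to the certificate and warns about expiry. The paths /etc/openvpn/keys and /etc/openvpn/ccd are those of this how-to; the file name check_keys.sh is an assumption.

```shell
#!/bin/sh
# check_keys.sh bo1 bo2 laptop1   (run on the HQ server, as root, after the ./build-key steps)
#   1. the certificate chains to our own keys/ca.crt,
#   2. its Common Name (what OpenVPN matches against client-config-dir) is the expected one,
#   3. the private key belongs to the certificate,
#   4. it is not about to expire.
KEYS_DIR=${KEYS_DIR:-/etc/openvpn/keys}
CCD_DIR=${CCD_DIR:-/etc/openvpn/ccd}

# cn_from_subject: reads "openssl x509 -noout -subject" output on stdin and prints the CN.
# Handles the legacy one-line form "subject= /C=BD/.../CN=bo1/emailAddress=...", the
# "-nameopt sep_multiline" form (one RDN per line) and the newer "C = BD, CN = bo1" form.
# (A CN containing "/" or "," would be cut short; easy-rsa names never do.)
cn_from_subject() {
    tr '/,' '\n\n' | sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p' | head -n 1
}

check_client() {
    name=$1
    crt="$KEYS_DIR/$name.crt"
    key="$KEYS_DIR/$name.key"
    [ -r "$crt" ] || { echo "FAIL  $name: $crt not found"; return 1; }
    # 1. must chain to OUR ca.crt: a certificate from any other CA (or a tampered one)
    #    fails here, exactly as the server rejects it during the TLS handshake
    if ! openssl verify -CAfile "$KEYS_DIR/ca.crt" "$crt" >/dev/null 2>&1; then
        echo "FAIL  $name: not signed by $KEYS_DIR/ca.crt"; return 1
    fi
    # 2. the Common Name is the key the server uses to look up the ccd file
    cn=$(openssl x509 -noout -subject -nameopt sep_multiline -in "$crt" | cn_from_subject)
    [ -n "$cn" ] || { echo "FAIL  $name: no CN in $crt"; return 1; }
    [ "$cn" = "$name" ] || echo "WARN  $name: CN is '$cn'; the ccd file must be named '$cn', not '$name'"
    [ -f "$CCD_DIR/$cn" ] || echo "INFO  $name: no $CCD_DIR/$cn (fine for a road-warrior, required for a site-to-site client)"
    # 3. the private key must belong to this certificate (same RSA modulus);
    #    skipped when the key is passphrase-protected (build-key-pass)
    if [ -r "$key" ]; then
        m1=$(openssl x509 -noout -modulus -in "$crt")
        m2=$(openssl rsa -noout -modulus -in "$key" -passin pass: 2>/dev/null) || m2=""
        if [ -z "$m2" ]; then
            echo "INFO  $name: key is passphrase-protected, modulus check skipped"
        elif [ "$m1" != "$m2" ]; then
            echo "FAIL  $name: $key does not match $crt"; return 1
        fi
    fi
    # 4. expiry: easy-rsa signs for KEY_EXPIRE days from "vars" (3650 by default)
    openssl x509 -noout -checkend $((30 * 86400)) -in "$crt" >/dev/null \
        || echo "WARN  $name: certificate expires within 30 days"
    echo "OK    $name: CN=$cn, chains to ca.crt"
}

if [ $# -gt 0 ]; then
    rc=0
    for n in "$@"; do
        check_client "$n" || rc=1
    done
    exit $rc
fi
```

A WARN about the CN is the one to take seriously: if you typed a different Common Name at the prompt, either rename the ccd file to that CN or the branch's iroute will never be installed.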
cmd:
next:[OK] Now create the Server Configuration file as follows;
cmd:
cmd:vim /etc/openvpn/server.conf; you have to create this file
next:[OK] copy/paste the following content; (OpenVPN treats "#" and ";" as the start of a comment only at the beginning of a line or after whitespace, so always leave a space before an inline comment: "port 443#..." would be read as the port "443#")
cmd:
copy:
########## server configuration file ...
port 443                                 # I changed the default port from 1194 to 443 (gets through most restrictive firewalls)
proto tcp                                # needed for the port-443 trick; otherwise prefer "proto udp" with port 1194 (the default), see the note below
dev tun
ca keys/ca.crt                           # paths are relative to /etc/openvpn, the init script changes into that directory
cert keys/server.crt
key keys/server.key                      # keep this file private (the keys/ directory is mode 700)
dh keys/dh1024.pem                       # the name follows KEY_SIZE in the easy-rsa "vars" file
server 10.10.10.0 255.255.255.0          # IP address pool, will be assigned to the VPN clients; the server itself gets 10.10.10.1
route 192.168.112.0 255.255.255.0        # kernel route for the Branch Office-1 subnet into the tunnel (the iroute in ccd/bo1 selects the client)
route 192.168.113.0 255.255.255.0        # kernel route for the Branch Office-2 subnet
push "route 192.168.111.0 255.255.255.0" # push the local HQ subnet to every client
;push "redirect-gateway def1"            # enable this line if you want the clients' default route to go through the VPN (STEP-05, option-2)
client-to-client                         # clients may talk to each other (BO1 <-> BO2); remove it if the branches only need HQ
client-config-dir /etc/openvpn/ccd       # per-client custom configuration directory; file name = certificate Common Name
keepalive 10 120
persist-key
persist-tun
mute 20
ping-timer-rem
ifconfig-pool-persist ipp.txt
status /var/log/openvpn-status.log       # rewritten every minute: connected clients and their routes
log-append /var/log/openvpn.log
verb 3
user nobody                              # drop root privileges once the keys are loaded
group nogroup
max-clients 10                           # defines how many vpn-clients you will allow to connect at the same time
;comp-lzo                                # enable this if you want compression of data for low speed links (then enable it on the clients too)
cmd:[Save + Exit]
note:[note:] TCP on port 443 is chosen because it passes firewalls that block everything else, but carrying TCP connections inside a TCP tunnel stacks two retransmission timers, which stalls badly on lossy links (GPRS/EDGE/WiMAX). Where the path allows it, use "proto udp" and "port 1194" on the server and on the clients.
cmd:
cmd:mkdir /etc/openvpn/ccd
note:[note:] the file name in ccd/ must be exactly the Common Name of the client's certificate (bo1, bo2, laptop1 as given to ./build-key), otherwise OpenVPN silently ignores it and the site-to-site routes never come up. With the default "net30" topology of "dev tun" every client gets a /30: the first address of ifconfig-push is the client's, the second the server-side endpoint, and both must be the two usable hosts of the same /30 block ([101,102], [105,106], [109,110] ...), or the Windows TAP driver refuses them. Keep such static addresses clear of what the pool has already handed out (see ipp.txt).
cmd:vim /etc/openvpn/ccd/bo1 ; create this file for branch office-1
next:[OK] copy/paste the following content;
cmd:
copy:
ifconfig-push 10.10.10.102 10.10.10.101    # static tunnel address of BO1 (client 10.10.10.102, server end 10.10.10.101)
iroute 192.168.112.0 255.255.255.0         # tells OpenVPN that the BO1 LAN sits behind this client (matches "route" in server.conf)
cmd:[Save + Exit]
cmd:
cmd:vim /etc/openvpn/ccd/bo2 ; create this file for branch office-2
next:[OK] copy/paste the following content;
cmd:
copy:
ifconfig-push 10.10.10.106 10.10.10.105    # next free /30 block; 10.10.10.104 / .103 would be a network and a broadcast address, not a valid pair
iroute 192.168.113.0 255.255.255.0         # the BO2 LAN sits behind this client
cmd:[Save + Exit]
cmd:
cmd:vim /etc/openvpn/ccd/laptop1 ; optional: create this file if the laptop (Linux or Windows alike) should always get the same tunnel address; without it the laptop simply takes an address from the pool
next:[OK] copy/paste the following content;
cmd:
copy:
ifconfig-push 10.10.10.110 10.10.10.109    # static tunnel address of the laptop; no iroute, nothing sits behind a road-warrior
cmd:[Save + Exit]
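The /30 rule for static tunnel addresses is easy to get wrong by hand (a pair such as 10.10.10.104 10.10.10.103 straddles two blocks: .104 is a network address and .103 a broadcast address). The following script is an added example, not part of the original how-to: it computes the pair OpenVPN itself would use for the N-th /30 block of the 10.10.10.0/24 pool, validates any pair the way the Windows TAP driver does, and writes the ccd file with the optional iroute. Everything it uses (pool, subnets, ccd directory layout) is taken from this how-to; the script name make_ccd.sh is an assumption.

```shell
#!/bin/sh
# make_ccd.sh: generate and sanity-check client-config-dir files for
# "server 10.10.10.0 255.255.255.0" (topology net30: every client gets a /30,
# client address first, server-side endpoint second).
POOL_PREFIX=${POOL_PREFIX:-10.10.10}

# valid_net30_pair CLIENT_IP SERVER_IP: 0 if both are the two usable hosts of one /30 block.
# The Windows TAP driver rejects anything else ("must exist within the same 255.255.255.252
# subnet"), and .0/.4/.8... or .3/.7/.11... are network/broadcast addresses, not hosts.
valid_net30_pair() {
    c=${1##*.}
    s=${2##*.}
    [ "${1%.*}" = "${2%.*}" ] || return 1              # same /24
    [ "$c" != "$s" ] || return 1
    [ $((c / 4)) -eq $((s / 4)) ] || return 1          # same /30 block
    case $((c % 4)) in 1|2) ;; *) return 1 ;; esac     # not the block's network/broadcast address
    case $((s % 4)) in 1|2) ;; *) return 1 ;; esac
    return 0
}

# net30_pair N: print "client server" for the N-th /30 block of the pool.
# Block 0 (10.10.10.1/.2) is the server's own endpoint, so static clients start at N=1.
net30_pair() {
    base=$(( $1 * 4 ))
    [ "$base" -le 252 ] || { echo "block $1 is outside the /24 pool" >&2; return 1; }
    echo "$POOL_PREFIX.$((base + 2)) $POOL_PREFIX.$((base + 1))"
}

# make_ccd DIR CN CLIENT_IP SERVER_IP [LAN_NET LAN_MASK]
# Writes DIR/CN (the file name must equal the certificate's Common Name); refuses invalid pairs.
make_ccd() {
    dir=$1 cn=$2 client=$3 server=$4 lan=${5:-} mask=${6:-}
    if ! valid_net30_pair "$client" "$server"; then
        echo "refusing $cn: $client $server is not a valid net30 pair" >&2
        return 1
    fi
    {
        echo "ifconfig-push $client $server   # static tunnel address of $cn"
        if [ -n "$lan" ]; then
            # the server.conf also needs a matching "route $lan $mask" line
            echo "iroute $lan $mask   # the LAN behind $cn"
        fi
    } > "$dir/$cn"
}

# demo: ./make_ccd.sh demo   (writes into a temporary directory and shows the result)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_ccd "$tmp" bo1 $(net30_pair 25) 192.168.112.0 255.255.255.0   # 10.10.10.102 10.10.10.101
    make_ccd "$tmp" bo2 $(net30_pair 26) 192.168.113.0 255.255.255.0   # 10.10.10.106 10.10.10.105
    make_ccd "$tmp" bo2-wrong 10.10.10.104 10.10.10.103 || true          # rejected
    cat "$tmp/bo1" "$tmp/bo2"
    rm -rf "$tmp"
fi
```

For a real deployment call make_ccd with /etc/openvpn/ccd as DIR and restart nothing: OpenVPN reads the ccd file afresh on every client connection.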
cmd:
cmd:/etc/init.d/openvpn restart ; restart the openvpn service (it starts one instance per *.conf file in /etc/openvpn)
cmd:tail -n 20 /var/log/openvpn.log ; the last line must be "Initialization Sequence Completed"; a typo in server.conf or a wrong key path is reported here
cmd:ifconfig tun0 ; the server's own end of the tunnel must be up with the address 10.10.10.1
cmd:
cmd:vim /usr/bin/route_nat.sh ; create this file in HQ
next:[OK] copy/paste the following content;
cmd:
copy:
#!/bin/bash
# route_nat.sh (HQ): enable IP forwarding and NAT the VPN pool behind the public address.
# It flushes every table and leaves the default policies at ACCEPT, i.e. it does NO filtering:
# the box forwards anything between the tunnel, the HQ LAN and the Internet, and every local
# service is reachable from the public IP. Add your own INPUT/FORWARD rules before exposing it.
echo -e "\n\n>>> LOADING ROUTE _NAT ...\n"
echo 1 > /proc/sys/net/ipv4/ip_forward       # forward packets between tun0, the LAN and the public interface
echo 1 > /proc/sys/net/ipv4/tcp_syncookies   # SYN-flood protection for the box's own services (port 443 is public)
IPT="/sbin/iptables"
# clean slate in every table: flush the rules, delete user-defined chains, zero the counters
for table in filter nat mangle; do
    $IPT -t $table -F
    $IPT -t $table -X
    $IPT -t $table -Z
done
# Source-NAT everything coming out of the VPN pool to the server's public IP.
# "-d 0/0" also rewrites packets going to the HQ LAN (192.168.111.0/24), so HQ hosts see
# 123.49.42.180 as the source and send their replies to their default gateway: this works
# only when this box IS the default gateway of the HQ LAN. If it is not, either add a route
# for 10.10.10.0/24, 192.168.112.0/24 and 192.168.113.0/24 via 192.168.111.1 on the HQ
# router/hosts, or limit the rule to the public interface with "-o eth0" (eth0 is an
# assumption, use the name of your public interface).
$IPT -t nat -A POSTROUTING -s 10.10.10.0/24 -d 0/0 -j SNAT --to-source 123.49.42.180
echo -e "\n\n>>> LOADING ROUTE _NAT [DONE]... \n"
cmd:[Save + Exit]
cmd:chmod 755 /usr/bin/route_nat.sh
cmd:vim /etc/rc.local
next:[OK] Now add the following line to "/etc/rc.local" before the line "exit 0"; (rc.local runs at boot, which is what makes the ip_forward and NAT settings persistent; the openvpn service is started by its own init script)
cmd:
copy:
/usr/bin/route_nat.sh
exit 0
cmd:[Save + Exit]
cmd:/usr/bin/route_nat.sh; run/execute the script "route_nat.sh" once now; it is not run again until the next boot
cmd:
done:[OK] You are done in Server Configuration; end of server configuration
done:[DONE]
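The route_nat.sh above gives the HQ box a working tunnel but no filter at all: every table is flushed, the policies stay ACCEPT, and the box forwards anything between the Internet, the tunnel and the HQ LAN. The script below is an added example, not the how-to's own script, of a hardened variant that keeps the same forwarding and NAT but defaults to DROP and only opens the flows this scenario needs. Assumptions not taken from the page: eth0 is the public interface and eth1 the HQ LAN interface, SSH on port 22 is accepted only from the HQ LAN and from the tunnel (change that before running it on a box you administer over its public IP), and the rules are generated as text first so they can be reviewed with "show" before "apply".

```shell
#!/bin/sh
# route_nat_hardened.sh: forwarding + NAT for the HQ VPN box, with a default-deny filter.
#   ./route_nat_hardened.sh        print the rules that would be loaded (review first)
#   ./route_nat_hardened.sh apply  load them (as root; put this line into /etc/rc.local)
PUB_IF=${PUB_IF:-eth0}          # assumption: public interface carrying 123.49.42.180
LAN_IF=${LAN_IF:-eth1}          # assumption: HQ LAN interface carrying 192.168.111.1
PUB_IP=${PUB_IP:-123.49.42.180}
VPN_NET=10.10.10.0/24
HQ_NET=192.168.111.0/24
BRANCH_NETS="192.168.112.0/24 192.168.113.0/24"
VPN_PORT=443
VPN_PROTO=tcp

# fw_rules: print the iptables arguments, one rule per line, in the order they must be loaded
fw_rules() {
    # clean slate in every table: flush rules, delete user chains, zero counters
    for t in filter nat mangle; do
        echo "-t $t -F"
        echo "-t $t -X"
        echo "-t $t -Z"
    done
    # default deny for packets addressed to the box and for packets it forwards
    echo "-P INPUT DROP"
    echo "-P FORWARD DROP"
    echo "-P OUTPUT ACCEPT"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m state --state INVALID -j DROP"
    # the OpenVPN port is the only service the Internet may reach; SSH only from LAN and tunnel
    echo "-A INPUT -i $PUB_IF -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT"
    echo "-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT"
    echo "-A INPUT -i tun0 -p tcp --dport 22 -j ACCEPT"
    echo "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    # forwarding: VPN pool and branch LANs <-> HQ LAN, plus VPN pool -> Internet
    # (for clients that receive "redirect-gateway"); everything else hits the DROP policy
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for net in $VPN_NET $BRANCH_NETS; do
        echo "-A FORWARD -i tun0 -o $LAN_IF -s $net -d $HQ_NET -j ACCEPT"
        echo "-A FORWARD -i $LAN_IF -o tun0 -s $HQ_NET -d $net -j ACCEPT"
    done
    echo "-A FORWARD -i tun0 -o $PUB_IF -s $VPN_NET -j ACCEPT"
    # NAT only what leaves towards the Internet. Traffic into the HQ LAN keeps its real source,
    # so the HQ hosts (or their router) need a route back to the VPN pool and the branch
    # subnets via 192.168.111.1 unless this box is already their default gateway.
    echo "-t nat -A POSTROUTING -o $PUB_IF -s $VPN_NET -j SNAT --to-source $PUB_IP"
}

# apply_rules: load every line of fw_rules, stop at the first error, then enable forwarding
apply_rules() {
    tmp=$(mktemp) || return 1
    fw_rules > "$tmp"
    while read -r rule; do
        # $rule is deliberately split into words here
        /sbin/iptables $rule || { echo "failed: iptables $rule" >&2; rm -f "$tmp"; return 1; }
    done < "$tmp"
    rm -f "$tmp"
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
}

case ${1:-show} in
    show)  fw_rules | sed 's/^/iptables /' ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

The same pattern fits the branch script: there the forwarding pairs are the branch LAN and tun0, and the POSTROUTING rule is whichever "nat option" of STEP-05 you pick.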


(04) Configuring the VPN Client In BO1:

Log in as root to your VPN-Client BOX in BO1 (Branch Office-1), where you already installed Ubuntu Server Edition 9.04/9.10 and which is connected to the Internet, and apply (you may copy/paste) the following shell commands (removing the preceding "cmd:"; the text after ";" on a command line is a remark, not part of the command);

cmd:apt-get update
cmd:apt-get upgrade; you may skip this if your Internet speed is less than 512kbps
cmd:apt-get install openvpn openssl liblzo2-2 liblzo2-dev lzop rcconf vim-nox
cmd:cd /etc/openvpn/
cmd:
next:Now copy the following files from the HQ VPN-Server (found in "/etc/openvpn/keys/") to this VPN Client BOX into "/etc/openvpn/" (the easy-rsa scripts are not needed on a client, it generates no keys):
copy:files: ca.crt, bo1.crt, bo1.key
note:note: use scp (over SSH) to copy the files from the HQ server to the BO VPN client BOX. bo1.key is the client's private key: never send it by mail or through a shared folder, and protect it on arrival ("chmod 600 /etc/openvpn/bo1.key"). ca.key stays on the HQ server and is never copied anywhere.
cmd:
next:[OK] Now create the Configuration file as follows;
cmd:
cmd:vim /etc/openvpn/client.conf; you have to create this file
next:[OK] copy/paste the following content; (leave a space before every inline "#" comment)
cmd:
copy:
########## client configuration file ...
client
proto tcp               # must match the server
dev tun
remote 123.49.42.180 443
resolv-retry infinite
nobind
ca ca.crt               # paths are relative to /etc/openvpn
cert bo1.crt
key bo1.key
ns-cert-type server     # accept only a certificate built with build-key-server as the server (Ref-1); without it any other client certificate signed by our CA, e.g. a stolen laptop1.crt, could impersonate the HQ server
keepalive 10 120
persist-key
persist-tun
mute 20
ping-timer-rem
verb 3
;comp-lzo               # enable this if you want compression of data for low speed links (must match the server)
cmd:[Save + Exit]
cmd:
cmd:vim /usr/bin/route_nat.sh ; create this file in branch office-1
next:[OK] copy/paste the following content;
cmd:
copy:
#!/bin/bash
# route_nat.sh (BO1): enable IP forwarding so that the BO1 LAN can use this box as its
# gateway into the tunnel. Like the HQ script it flushes everything and does NO filtering.
echo -e "\n\n>>> LOADING ROUTE _NAT ...\n"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
IPT="/sbin/iptables"
# clean slate in every table: flush the rules, delete user-defined chains, zero the counters
for table in filter nat mangle; do
    $IPT -t $table -F
    $IPT -t $table -X
    $IPT -t $table -Z
done
# nat option-1: this box is also the Internet gateway of BO1; hide the LAN behind the public IP,
# but only for packets leaving on the public interface ("eth0" is an assumption, put your own
# interface name). Without "-o" the LAN's packets into the tunnel would be rewritten too, and the
# HQ server drops packets whose source does not match an iroute.
# $IPT -t nat -A POSTROUTING -s 192.168.112.0/24 -o eth0 -j SNAT --to-source 202.22.199.10
# nat option-2: hide the LAN behind the tunnel address, so HQ only ever sees 10.10.10.102 and
# needs no route back for 192.168.112.0/24 (the iroute in ccd/bo1 is still needed for
# connections opened from HQ towards the BO1 LAN). tun0 is the interface OpenVPN creates here.
# $IPT -t nat -A POSTROUTING -s 192.168.112.0/24 -o tun0 -j SNAT --to-source 10.10.10.102
echo -e "\n\n>>> LOADING ROUTE _NAT [DONE]... \n"
cmd:[Save + Exit]
cmd:chmod 755 /usr/bin/route_nat.sh
cmd:vim /etc/rc.local
next:[OK] Now add the following line to "/etc/rc.local" before the line "exit 0";
cmd:
copy:
/usr/bin/route_nat.sh
exit 0
cmd:[Save + Exit]
cmd:/etc/init.d/openvpn restart ; (re)start the openvpn service; it picks up /etc/openvpn/client.conf
note:note: at this stage you should see the vpn-interface tun0 up with the address 10.10.10.102, by the command "ifconfig tun0". The client logs to syslog (there is no "log" line in client.conf), so "tail /var/log/syslog" must show "Initialization Sequence Completed"; if it does not, the usual causes are a wrong file name in client.conf, a firewall in front of port 443, or a clock so far off that the certificate is reported as "not yet valid".
cmd:/usr/bin/route_nat.sh; run/execute the script "route_nat.sh"
cmd:
next:[OK] Now Run rcconf and put tick (*) to the openvpn service and Exit from rcconf
cmd:rcconf
cmd:
done:[OK] You are done in Client Configuration; end of client configuration
done:[DONE]


(05) Local Network Configuration in BO1 (Branch Office-1)

At this stage your VPN client in BO1 (Branch Office-1) is configured, connected to your HQ VPN server and has acquired the IP address 10.10.10.102 on its tun0 virtual interface. The local subnet of this office (BO1) can now reach the local network (subnet 192.168.111.0/24) of HQ through it.

As assumed above, the local interface IP address of the VPN client is 192.168.112.1. So give any IP address from subnet 192.168.112.0/24 (except 192.168.112.1) to a local workstation and set 192.168.112.1 as its gateway. You will then be able to access the HQ workstations/servers of subnet 192.168.111.0/24, provided HQ can route the replies back: either the HQ VPN box is the default gateway of the HQ LAN, or the HQ hosts/router have a route for 192.168.112.0/24 via 192.168.111.1, or you use "nat option-2" below so that HQ only ever sees 10.10.10.102. Normally you will access the application server in HQ by HTTP, Samba/Windows shares etc., as you require.
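Whether a branch is really "connected" is best read on the HQ server from the file named by the "status" line of server.conf, which OpenVPN rewrites every minute: it lists the connected Common Names and, under ROUTING TABLE, the virtual addresses and the iroute subnets it currently routes to each of them. The script below is an added example, not part of the original how-to: it parses that file (the default status-version 1 layout) and checks for each site that it is connected and that its LAN subnet is routed, which is exactly what fails when the ccd file name does not match the certificate's Common Name. The sample status file inside it is constructed for the demo; the laptop's public address in it (198.51.100.7) is a placeholder.

```shell
#!/bin/sh
# vpn_sites_status.sh: verify on the HQ server that the branch sites are up and routed.
#   ./vpn_sites_status.sh        reads /var/log/openvpn-status.log
#   ./vpn_sites_status.sh demo   runs against the constructed sample below
STATUS_FILE=${STATUS_FILE:-/var/log/openvpn-status.log}

# connected_clients FILE: print "cn real_address" for every entry of the CLIENT LIST section
connected_clients() {
    awk -F, '
        /^ROUTING TABLE/            { in_clients = 0 }
        in_clients && NF >= 5       { print $1, $2 }
        /^Common Name,Real Address/ { in_clients = 1 }
    ' "$1"
}

# routes_of FILE CN: print the virtual addresses and subnets OpenVPN routes to client CN
routes_of() {
    awk -F, -v cn="$2" '
        /^GLOBAL STATS/                 { in_routes = 0 }
        in_routes && $2 == cn           { print $1 }
        /^Virtual Address,Common Name/  { in_routes = 1 }
    ' "$1"
}

# check_site FILE CN LAN_NET: 0 if CN is connected and LAN_NET (e.g. 192.168.112.0/24) is routed,
# 1 if the client is not connected, 2 if it is connected but its iroute is missing
check_site() {
    file=$1 cn=$2 lan=$3
    if ! connected_clients "$file" | grep -q "^$cn "; then
        echo "DOWN  $cn: not in the client list"
        return 1
    fi
    if ! routes_of "$file" "$cn" | grep -qx "$lan"; then
        echo "WARN  $cn: connected, but no route for $lan (missing iroute in ccd/$cn, or the ccd file name differs from the certificate CN)"
        return 2
    fi
    echo "OK    $cn: connected, $lan routed"
}

# check_all FILE: the two sites of this how-to; non-zero if any of them is down or unrouted
check_all() {
    rc=0
    check_site "$1" bo1 192.168.112.0/24 || rc=1
    check_site "$1" bo2 192.168.113.0/24 || rc=1
    return $rc
}

# constructed sample in the status-version 1 layout: bo1 and the laptop are connected, bo2 is not
sample_status() {
    cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Sat Jan  2 10:00:00 2010
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
bo1,202.22.199.10:43210,123456,654321,Sat Jan  2 09:00:00 2010
laptop1,198.51.100.7:51234,2048,4096,Sat Jan  2 09:30:00 2010
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.10.10.102,bo1,202.22.199.10:43210,Sat Jan  2 09:59:00 2010
192.168.112.0/24,bo1,202.22.199.10:43210,Sat Jan  2 09:59:00 2010
10.10.10.110,laptop1,198.51.100.7:51234,Sat Jan  2 09:59:30 2010
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    sample_status > "$tmp"
    check_all "$tmp"
    rm -f "$tmp"
elif [ -r "$STATUS_FILE" ]; then
    check_all "$STATUS_FILE"
fi
```

Run it from cron and alert on a non-zero exit; a site that shows DOWN while its branch box says "Initialization Sequence Completed" is almost always a certificate or port-443 problem on the path, a WARN is a ccd problem.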

What about Internet in Branch Office-1? The local workstations need an Internet connection as well.

You have several ways to provide an Internet connection to the local workstations of a branch office; some options are below.

Option-1:
If you have a dedicated Internet connection in the branch office, make your VPN BOX your Internet gateway as well: enable "nat option-1" in the script "route_nat.sh", give your local workstations a valid caching DNS server address, and they will be able to browse the Internet. You may also configure a proxy server on that VPN BOX (follow my Gateway+Proxy how-to at http://www.linux-bd.com), then set up the VPN client on the same system using this how-to.

Option-2:
If you are using a leased line/private data connection, or you want to supply Internet from HQ to the branch office, enable (remove the preceding semicolon) the line ';push "redirect-gateway def1"' in the HQ VPN server configuration file (/etc/openvpn/server.conf). Note that server.conf pushes it to every client, the laptop included; to redirect only BO1, put the same push "redirect-gateway def1" line into /etc/openvpn/ccd/bo1 instead. Also enable "nat option-2" in the script "route_nat.sh" on the BO1 VPN BOX (the branch LAN then enters the tunnel as 10.10.10.102, which HQ NATs again to its public address) and give your local workstations a valid caching DNS server address that is reachable through the tunnel, and they will be able to browse the Internet.

Option-3:
You may also configure a proxy server in HQ on an address from subnet 192.168.111.0/24. On the branch office VPN BOX enable "nat option-2" in the script "route_nat.sh" and put that proxy server's IP address and port into the Internet browsers (Opera, Firefox etc.) of the BO1 local workstations; this way the branch office workstations get Internet through HQ without changing any default route.


(06) Configuring the VPN Client In BO2:

Log in as root to your VPN-Client BOX in BO2 (Branch Office-2), where you already installed Ubuntu Server Edition 9.04/9.10 and which is connected to the Internet, and apply (you may copy/paste) the shell commands of STEP-04 (Configuring the VPN Client In BO1) (removing the preceding "cmd:"), changing the parameters to those of Branch Office-2 (BO2): copy ca.crt, bo2.crt and bo2.key instead of the bo1 files and reference them in client.conf, and use 192.168.113.0/24, 202.22.166.10 and the BO2 tunnel address from /etc/openvpn/ccd/bo2 in the NAT options of route_nat.sh.

The local network configuration is also the same as STEP-05, changing the parameters to those of Branch Office-2 (BO2).


(07) Configuring the VPN Client In Laptop (Windows XP-SP3 / Windows7):

Coming soon ...

(08) References:

Ref-1: http://openvpn.net/index.php/open-source/documentation/howto.html
Ref-2: http://www.ossramblings.com/configuring_openvpn_ubuntu_hardy
Ref-3: http://www.monkeedev.co.uk/blog/2009/03/06/setting-up-openvpn-in-debianubuntu/
Ref-4: http://cihan.me/how-to-setup-openvpn-server-on-debian-lenny/

"share your good knowledge..."
Copyright @ all people of open-source world