mariusv.com

Watch as I awkwardly stumble through life

Linux and Windows OpenVPN HOWTO and tutorial, including VPN routing

Posted by Marius Voila on February 18, 2010 in London, U.K . — 0 comments This post contains 555 words

OpenVPN is a popular Windows/Linux VPN Server/Client pair. I think there’s a separate GUI available for it if you’re so minded. This howto will cover command line usage only.

I’ll provide example configuration based on a Linux server and a Windows client, however the same applies pretty easily if you wanted to mix and match.

On debian, apt-get install openvpn. On any other linux distro, use your own package manager or alternatively download from source and compile.

I create my config /etc/openvpn/myvpn.conf and enter the following:

dev tun
proto udp
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/static.key
comp-lzo
keepalive 10 60
daemon

In short, I’m specifying that we’ll use the ‘tun’ interface as opposed to ‘tap’, and that we’ll communicate over UDP. Next I specify that this machine’s tun0 interface will have IP 10.8.0.1 and the client will be given 10.8.0.2. My secret key is stored in /etc/openvpn/static.key which you can generate with openvpn –genkey –secret static.key. I’d like to use comp-lzo for compression and also specify a keepalive time to prevent problems on those networks that terminate idle connections. We’ll also have openvpn daemonize. For the client:

remote XX.XXX.124.95 ;server IP address
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
comp-lzo
keepalive 10 60

This configure is mostly identical to the server’s above.

Now copy the static.key that you generated on the server, to the client. Then just run ‘openvpn config.conf’ it’ll print the relevant debug messages and you’ll be there. At this point, you should be able to ping 10.8.0.1from your client and 10.8.0.2 from your server. If you can, all is good.

On your server, you’ll now need to allow routing so your client is able to route it’s traffic through the VPN:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state –state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

…Or similar to suit your needs.

On your windows client, you’ll now need to change your default gateway:

Use route print and find out your current default gateway, then, assuming your current local default gateway is: 192.168.1.1 and server’s IP address is XX.XXX.124.95, issue the following commands:

route DELETE 0.0.0.0
route ADD XX.XXX.124.95 MASK 255.255.255.255 192.168.1.1
route ADD 0.0.0.0 MASK 0.0.0.0 10.8.0.1

The first ADD command is used to tell your client how to access the ‘new default gateway’. Without specifying your real default gateway, the client machine would have no idea how to reach your VPN server. You can specify 10.8.0.1 as your default gateway, as it is now virtually on the same LAN as your 10.8.0.2 adapter, but without the additional route to XX.XXX.124.95, your connection to the server would have to terminate and you’d lose your tun interface.

Now try and ping something – it should be successful. If not, get onto the server and run tcpdump -n tun0. If the server is seeing your traffic but not forwarding it to the outside world, chances are your iptables and masquerading is set up incorrectly. If the server isn’t even seeing any traffic from you, then chances are your windows routing setup is incorrect.

Hope this was useful! Comments and feedback are welcome as always.