User Tools

Site Tools


linux:ubuntu:openvpn

OpenVPN Server

You can find a similar documentation to install and configure almost everywhere. This guide is for a connection between my Icingaserver and my QNAP, which I wanted to monitor. I dont configure this VPN for browsing the web or anything.

Installation

apt-get install openvpn easy-rsa

Configuration

Create your configuration

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

Edit the following in “/etc/openvpn/server.conf

#from
dh dh1024.pem
#to
dh dh2048.pem

Edit and uncomment

user nobody
group nogroup

Create the Certificate Authority

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys

Edit the default vars in ”/etc/openvpn/easy-rsa/vars“

export KEY_COUNTRY="YOUR COUNTRY eg. DE"
export KEY_PROVINCE="YOUR PROVINCE eg. BW"
export KEY_CITY="YOUR CITY eg. Karlsruhe"
export KEY_ORG="YOUR ORG eg. Lunetikk"
export KEY_EMAIL="YOUR MAILADDRESS"
export KEY_OU="YOUR OU eg. lunetikk"

export KEY_NAME="ANY IDENTIFIER eg. openvpn"

Execute the following and if asked say “y” and enter

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca

Build the cert, if asked say “y” and enter

./build-key-server openvpn

Copy your cert and keys

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

and start the service

service openvpn start

Create client certificate

execute the following, if asked say “y” and enter

./build-key qnap

copy the client sampleconfig

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/qnap.ovpn

edit ”/etc/openvpn/easy-rsa/keys/qnap.ovpn“ and change the following

remote YOUROPENVPNSERVER 1194

#use these on qnap, make sure they exist
user nobody
group everyone

#comment the 3 lines
#ca ca.crt
#cert client.crt
#key client.key

#at the end of the file, add your ca, client-cert and client-key
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<cert>
Certificate:
...
-----END CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>

Commands

Command Function
nmap -sL 10.8.0.* shows all connected clients in the given IP range

Connecting a QNAP as client

Edit the file ”/etc/config/vpn.conf“ and add the following

[OPENVPN_CLIENT1]
Enable = TRUE
Status = 1
Index = 1
Gateway = 0
Allow Connect = 0
Reconnect = 1
Server Address = lunetikk.de
Profile File = OpenVPN4
VPN Proto Type = udp
VPN Port = 1194
Compress = 1
Re-direct gateway = 1
Encryption = 1
AccessCode = AAA
Time Stamp = 0

Start your client (parameter 1 is the index in your config)

/etc/init.d/vpn_openvpn_client.sh start 1 &

Check if your connection is up with ifconfig and ping your gateway (OpenVPN server)

# ifconfig
tun0      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet Adresse:10.8.0.6  P-z-P:10.8.0.2  Maske:255.255.255.255

# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=38.6 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=37.9 ms

Connecting an Ubuntu 16 as client

Install the client

apt-get update
apt-get install openvpn

Copy the .ovpn file from your server to your client into /etc/openvpn/
Rename it to .conf, for example client.conf

mv client.ovpn client.conf

If you run OpenVPN with systemd you need to configure your configfiles in ”/etc/default/openvpn“ Add your filename (client) if you only want the single file to be recognized, add “all” if you want any .conf files to be loaded

AUTOSTART="client"
#or
AUTOSTART="all"

Reload the ”/etc/default/“ configs

systemctl daemon-reload 

Restart the OpenVPN

systemctl restart openvpn

Check if your connection is up with ifconfig and ping your gateway (OpenVPN server)

# ifconfig
tun0      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet Adresse:10.8.0.6  P-z-P:10.8.0.2  Maske:255.255.255.255

# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=38.6 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=37.9 ms

Connecting a Raspbian 9 as client

Install the client

apt-get update
apt-get install openvpn

Copy the .ovpn file from your server to your client into /etc/openvpn/
Rename it to .conf, for example client.conf

mv client.ovpn client.conf

If you run OpenVPN with systemd you need to configure your configfiles in ”/etc/default/openvpn“ Add your filename (client) if you only want the single file to be recognized, add “all” if you want any .conf files to be loaded

AUTOSTART="client"
#or
AUTOSTART="all"

Reload the ”/etc/default/“ configs

systemctl restart openvpn

Restart the OpenVPN

systemctl restart openvpn

Check if your connection is up with ifconfig and ping your gateway (OpenVPN server)

# ifconfig
tun0      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet Adresse:10.8.0.6  P-z-P:10.8.0.2  Maske:255.255.255.255

# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=38.6 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=37.9 ms

and with systemctl

# systemctl status openvpn@client.service
● openvpn@client.service - OpenVPN connection to client
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-01-21 12:56:38 CET; 3min 6s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 1684 ExecStart=/usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid (code=exited, status=0/SUCCESS)
 Main PID: 1686 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@client.service
           └─1686 /usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid

Jan 21 12:56:40 raspbian ovpn-client[1686]: ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=wlan0 HWADDR=xx:xx:xx:xx:xx:xx
Jan 21 12:56:40 raspbian ovpn-client[1686]: TUN/TAP device tun0 opened
Jan 21 12:56:40 raspbian ovpn-client[1686]: TUN/TAP TX queue length set to 100
Jan 21 12:56:40 raspbian ovpn-client[1686]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 21 12:56:40 raspbian ovpn-client[1686]: /sbin/ip link set dev tun0 up mtu 1500
Jan 21 12:56:40 raspbian ovpn-client[1686]: /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.1
Jan 21 12:56:40 raspbian ovpn-client[1686]: /sbin/ip route add 10.8.0.1/32 via 10.8.0.1
Jan 21 12:56:40 raspbian ovpn-client[1686]: GID set to nogroup
Jan 21 12:56:40 raspbian ovpn-client[1686]: UID set to nobody
Jan 21 12:56:40 raspbian ovpn-client[1686]: Initialization Sequence Completed
linux/ubuntu/openvpn.txt · Last modified: 2020/04/20 10:48 by lunetikk