Because I was looking into running an Oracle VM server at home, with a couple of virtual machines on it, I wanted those virtual machines to be accessible remotely when I’m on the road. The requirements I had were the following:
- VPN software must be free
- VPN software must be available for Linux (Oracle Enterprise Linux), Mac OS X and Windows
- No tweaking of my currently used router (Apple Time Capsule)
- VPN software must be easy to configure
The first three requirements were not that difficult, but I had some trouble configuring the software. In the end I settled on the following software:
- OpenVPN, software for both running a VPN server and client
- Tunnelblick, software for running a VPN client on Mac OS X
Installing packages on the OpenVPN server
My starting point was an installed Oracle Enterprise Linux 5 update 5, 64 bit. I did a minimal installation, since I only wanted this server to be my OpenVPN server. If you create this new server as a virtual machine, make sure that its network card is bridged to the physical network card in your computer. Give your new server a fixed IP address, since you have to point a port mapping in your router at it. At home I use the network segment 192.168.123.0/255.255.255.0, so I gave my OpenVPN server the IP address 192.168.123.200.
Install the following packages: the lzo2 and openvpn RPMs (the exact filenames are shown in the rpm commands below).
Following the download links gets you to the site where you can download the RPMs. Copy the packages to the server that you’re going to use as your OpenVPN server.
Install the packages with the rpm command:
[root@openvpn ~]# rpm -ivh lzo2-2.02-3.el5.rf.x86_64.rpm
warning: lzo2-2.02-3.el5.rf.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:lzo2 ########################################### [100%]
[root@openvpn ~]# rpm -ivh openvpn-2.0.9-1.el5.rf.x86_64.rpm
warning: openvpn-2.0.9-1.el5.rf.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:openvpn ########################################### [100%]
The packages are installed. Now it’s time to do the configuration of the OpenVPN server.
Configuration of the OpenVPN server
Many files of the openvpn package are placed in the directory /usr/share/doc/openvpn-2.0.9.
The first thing we’re going to do is create the certificates for our OpenVPN server. Go to the directory /usr/share/doc/openvpn-2.0.9/easy-rsa/2.0:
[root@openvpn ~]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/
Change the Makefile in this directory and set DESTDIR to /etc/openvpn. After that the file will look similar to this:
DESTDIR=/etc/openvpn
PREFIX=

all:
	echo "All done."
	echo "Run make install DESTDIR=/usr/share/somewhere"

install:
	install -c --directory "${DESTDIR}/${PREFIX}"
	install -c --mode=0755 build-* "${DESTDIR}/${PREFIX}"
	install -c --mode=0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "${DESTDIR}/${PREFIX}"
	install -c --mode=0644 openssl-0.9.6.cnf openssl.cnf README vars "${DESTDIR}/${PREFIX}"
Run the make install command to install all the necessary files to the directory /etc/openvpn:
[root@openvpn 2.0]# make install
install -c --directory "/etc/openvpn/"
install -c --mode=0755 build-* "/etc/openvpn/"
install -c --mode=0755 clean-all list-crl inherit-inter pkitool revoke-full sign-req whichopensslcnf "/etc/openvpn/"
install -c --mode=0644 openssl-0.9.6.cnf openssl.cnf README vars "/etc/openvpn/"
Go to the directory /etc/openvpn:
[root@openvpn 2.0]# cd /etc/openvpn
Change the last lines of the vars file that’s in this directory:
export KEY_COUNTRY="NL"
export KEY_PROVINCE="NH"
export KEY_CITY="dummytown"
export KEY_ORG="Dummy-Org"
export KEY_EMAIL="foo@dummy.org"
Fill in the Country, Province, City, Organization and an email address.
Make sure that the variables are set by sourcing the file with the source command. You can ignore the message about the clean-all script:
[root@openvpn openvpn]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys
Run the clean-all script to clean the keys directory; if this is the first time, this directory does not exist yet:
[root@openvpn openvpn]# ./clean-all
Build the certificate authority:
[root@openvpn openvpn]# ./build-ca
Generating a 1024 bit RSA private key
....................................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [NH]:
Locality Name (eg, city) [dummytown]:
Organization Name (eg, company) [Dummy-Org]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Dummy-Org CA]:
Email Address [foo@dummy.org]:
Create the server certificates:
[root@openvpn openvpn]# ./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [NH]:
Locality Name (eg, city) [dummytown]:
Organization Name (eg, company) [Dummy-Org]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Email Address [foo@dummy.org]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'NL'
stateOrProvinceName :PRINTABLE:'NH'
localityName :PRINTABLE:'dummytown'
organizationName :PRINTABLE:'Dummy-Org'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'foo@dummy.org'
Certificate is to be certified until May 11 14:27:28 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Create at least one client key:
[root@openvpn openvpn]# ./build-key client1
Generating a 1024 bit RSA private key
.........................++++++
.....++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [NH]:
Locality Name (eg, city) [dummytown]:
Organization Name (eg, company) [Dummy-Org]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [foo@dummy.org]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'NL'
stateOrProvinceName :PRINTABLE:'NH'
localityName :PRINTABLE:'dummytown'
organizationName :PRINTABLE:'Dummy-Org'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'foo@dummy.org'
Certificate is to be certified until May 11 14:28:33 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Create the Diffie-Hellman (DH) parameters:
[root@openvpn openvpn]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....................................................................
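Before the key material is copied next to server.conf it is worth checking what easy-rsa produced. The script below is an added example, not part of the original post or of easy-rsa: it verifies that both certificates chain to ca.crt, that each private key matches its certificate, that server.crt carries the nsCertType=server marking that build-key-server adds (which a client's ns-cert-type server check relies on), and that the private keys are readable by their owner only. It assumes the openssl command-line tool is present and the file names used above.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check what easy-rsa
# produced in /etc/openvpn/keys before the files are copied next to server.conf.
# Usage: . ./check-pki.sh; check_openvpn_pki /etc/openvpn/keys   (exit 0 = all OK)
# Assumes the openssl command-line tool is installed (openvpn depends on it).
check_openvpn_pki() {
    dir="${1:-/etc/openvpn/keys}"; rc=0
    for f in ca.crt server.crt server.key client1.crt client1.key dh1024.pem; do
        [ -f "$dir/$f" ] || { echo "MISSING: $dir/$f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # 1. Both leaf certificates must chain to this ca.crt; the server and every
    #    client will be configured with exactly this file as their trust anchor.
    for crt in server.crt client1.crt; do
        if openssl verify -CAfile "$dir/ca.crt" "$dir/$crt" >/dev/null 2>&1; then
            echo "OK: $crt is signed by ca.crt"
        else
            echo "FAIL: $crt does not verify against ca.crt"; rc=1
        fi
    done

    # 2. Each private key must belong to its certificate (same RSA modulus);
    #    a mixed-up pair only shows up later as a TLS handshake failure.
    for name in server client1; do
        crt_mod=$(openssl x509 -noout -modulus -in "$dir/$name.crt" 2>/dev/null)
        key_mod=$(openssl rsa -noout -modulus -in "$dir/$name.key" 2>/dev/null)
        if [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]; then
            echo "OK: $name.key matches $name.crt"
        else
            echo "FAIL: $name.key does not match $name.crt"; rc=1
        fi
    done

    # 3. build-key-server (unlike build-key) marks the certificate with
    #    nsCertType=server; a client's "ns-cert-type server" check needs it,
    #    otherwise any client certificate from this CA could pose as the server.
    if openssl x509 -noout -text -in "$dir/server.crt" | grep -q "SSL Server"; then
        echo "OK: server.crt carries nsCertType=server"
    else
        echo "FAIL: server.crt lacks nsCertType=server (built with build-key?)"; rc=1
    fi

    # 4. Private keys must be readable by their owner only (mode x00).
    for key in server.key client1.key; do
        mode=$(stat -c %a "$dir/$key" 2>/dev/null || stat -f %Lp "$dir/$key")
        case "$mode" in
            *00) echo "OK: $key mode $mode" ;;
            *)   echo "FAIL: $key is readable by group/others (mode $mode)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Run directly with a directory argument; sourcing the file only defines the function.
if [ $# -gt 0 ]; then check_openvpn_pki "$1"; fi
```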
Copy the following files from the directory /usr/share/doc/openvpn-2.0.9/sample-config-files to the /etc/openvpn directory:
- openvpn-shutdown.sh
- openvpn-startup.sh
- server.conf
[root@openvpn openvpn]# cd /usr/share/doc/openvpn-2.0.9/sample-config-files/
[root@openvpn sample-config-files]# cp -pv openvpn-startup.sh openvpn-shutdown.sh server.conf /etc/openvpn/
`openvpn-startup.sh' -> `/etc/openvpn/openvpn-startup.sh'
`openvpn-shutdown.sh' -> `/etc/openvpn/openvpn-shutdown.sh'
`server.conf' -> `/etc/openvpn/server.conf'
Important: remove the .sh extension from the copied files openvpn-startup.sh and openvpn-shutdown.sh. The init script /etc/init.d/openvpn uses the filenames openvpn-startup and openvpn-shutdown.
Make sure that the renamed files openvpn-shutdown and openvpn-startup can be executed:
[root@openvpn sample-config-files]# cd /etc/openvpn
[root@openvpn openvpn]# chmod u+x openvpn-shutdown openvpn-startup
Modify the file server.conf so that it contains at least the following entries:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.123.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Copy the files ca.crt, server.crt, server.key and dh1024.pem from the /etc/openvpn/keys directory to the /etc/openvpn directory:
[root@openvpn openvpn]# cd /etc/openvpn/keys/
[root@openvpn keys]# cp -pv ca.crt server.crt server.key dh1024.pem ..
`ca.crt' -> `../ca.crt'
`server.crt' -> `../server.crt'
`server.key' -> `../server.key'
`dh1024.pem' -> `../dh1024.pem'
Start the openvpn service with the service command:
[root@openvpn openvpn]# service openvpn start
Starting openvpn: [ OK ]
Make sure that the openvpn service is started at boot time:
[root@openvpn openvpn]# chkconfig openvpn on
[root@openvpn openvpn]# chkconfig openvpn --list
openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
You can check the file /var/log/messages for the result of the startup:
May 14 17:10:10 openvpn kernel: tun: Universal TUN/TAP device driver, 1.6
May 14 17:10:10 openvpn kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
May 14 17:10:10 openvpn openvpn[9060]: OpenVPN 2.0.9 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 8 2007
May 14 17:10:10 openvpn openvpn[9060]: Diffie-Hellman initialized with 1024 bit key
May 14 17:10:10 openvpn openvpn[9060]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
May 14 17:10:10 openvpn openvpn[9060]: TUN/TAP device tun0 opened
May 14 17:10:10 openvpn openvpn[9060]: /sbin/ip link set dev tun0 up mtu 1500
May 14 17:10:10 openvpn openvpn[9060]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
May 14 17:10:10 openvpn openvpn[9060]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
May 14 17:10:10 openvpn openvpn[9060]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
May 14 17:10:10 openvpn openvpn[9068]: UDPv4 link local (bound): [undef]:1194
May 14 17:10:10 openvpn openvpn[9068]: UDPv4 link remote: [undef]
May 14 17:10:10 openvpn openvpn[9068]: MULTI: multi_init called, r=256 v=256
May 14 17:10:10 openvpn openvpn[9068]: IFCONFIG POOL: base=10.8.0.4 size=62
May 14 17:10:10 openvpn openvpn[9068]: IFCONFIG POOL LIST
May 14 17:10:10 openvpn openvpn[9068]: Initialization Sequence Completed
I had the Linux firewall (iptables) running on my system, so I added another rule to this firewall to allow incoming UDP traffic on port 1194. I did this with the configuration tool system-config-security-tui.
Select the option Customize, and in the Firewall Configuration – Customize screen add 1194:udp to the Other ports section. Once that’s done you can check your newly added rule with the service iptables status command:
[root@openvpn sysconfig]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1194
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
11 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
The configuration of the OpenVPN server is finished. The next thing to do is to install and configure the client.
Opening the OpenVPN port on your Apple Time Capsule
To make sure that you can connect to your OpenVPN server from the internet, you must redirect port 1194 on your Time Capsule to your OpenVPN server.
- Start the Airport Utility (I always use Spotlight to do this)
- Select your Time Capsule
- Select the Advanced options and select Port Mapping
- Click on the plus button to add a new port mapping
- Fill in the following entries:
  - Service: leave untouched
  - Public UDP Port(s): 1194
  - Public TCP Port(s): leave empty
  - Private IP Address: 192.168.123.200 (use the IP address of your OpenVPN server)
  - Private UDP Port(s): 1194
  - Private TCP Port(s): leave empty
- Click on the Continue button to apply the changes
- In the next screen give a description for the port mapping. I used openvpn for that
- Click on the Done button
- Click on the Update button
- Your Time Capsule will be restarted to make the changes permanent
If you’re using another router, check that router’s documentation on how to map ports to a particular server.
Installation and configuration of Tunnelblick
Tunnelblick is an OpenVPN Graphical User Interface (GUI) for Mac OS X. The installation is very straightforward and can be done just like installing any other program on Mac OS X.
Download the program at http://code.google.com/p/tunnelblick/.
Open the downloaded dmg file and double-click on the Tunnelblick icon to start the installation. Answer yes to the question if Tunnelblick should be started.
After the installation a Tunnelblick icon is placed near the Spotlight icon.
The configuration files for Tunnelblick are placed in the directory /Users/<your Mac username>/Library/Application Support/Tunnelblick/Configurations. Open the file openvpn.conf in your favorite editor.
Make sure that the configuration file contains at least the following entries:
client
dev tun
proto udp
remote <ip-address of your internet connection at home> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
The ip-address of your internet connection can be determined with the help of the website http://whatismyipaddress.com/. The ip-address is shown in blue at the right.
Copy the following files from your OpenVPN server to your Mac:
- ca.crt
- client1.crt
- client1.key
These files are located in the /etc/openvpn/keys directory. They must be copied to the directory /Users/<your Mac username>/Library/Application Support/Tunnelblick/Configurations. I always use Cyberduck for copying files between Linux and Mac OS X.
Once the files are copied to the right location, you can test your VPN connection.
Right-click the Tunnelblick icon and choose Details.
Next, click on the Connect button. If your tunnel is working, you should see output similar to the following:
2010-05-16 20:59:19 *Tunnelblick: OS X 10.6.3; Tunnelblick 3.0 (build 1437); OpenVPN 2.1.1
2010-05-16 21:01:42 *Tunnelblick: Attempting connection with openvpn.conf; Set nameserver = 1; monitoring connection
2010-05-16 21:01:42 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start openvpn.conf 1337 1 0 0 0
2010-05-16 21:01:42 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpn --management-query-passwords
--cd /Users/rob/Library/Application Support/Tunnelblick/Configurations --daemon --management-hold --management 127.0.0.1 1337
--config /Users/rob/Library/Application Support/Tunnelblick/Configurations/openvpn.conf --script-security 2
--up "/Applications/Tunnelblick.app/Contents/Resources/client.up.osx.sh"
--down "/Applications/Tunnelblick.app/Contents/Resources/client.down.osx.sh" --up-restart
2010-05-16 21:01:42 SUCCESS: pid=22922
2010-05-16 21:01:42 SUCCESS: real-time state notification set to ON
2010-05-16 21:01:42 SUCCESS: real-time log notification set to ON
2010-05-16 21:01:42 OpenVPN 2.1.1 i386-apple-darwin10.2.0 [SSL] [LZO2] [PKCS11] built on Feb 24 2010
2010-05-16 21:01:42 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2010-05-16 21:01:42 waiting...
2010-05-16 21:01:42 MANAGEMENT: Client connected from 127.0.0.1:1337
2010-05-16 21:01:42 MANAGEMENT: CMD 'pid'
2010-05-16 21:01:42 MANAGEMENT: CMD 'state on'
2010-05-16 21:01:42 MANAGEMENT: CMD 'log on all'
2010-05-16 21:01:42 END
2010-05-16 21:01:42 MANAGEMENT: CMD 'hold release'
2010-05-16 21:01:42 SUCCESS: hold release succeeded
2010-05-16 21:01:42 WARNING: No server certificate verification method has been enabled.
See http://openvpn.net/howto.html#mitm for more info.
2010-05-16 21:01:42 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2010-05-16 21:01:42 LZO compression initialized
2010-05-16 21:01:42 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
2010-05-16 21:01:42 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
2010-05-16 21:01:42 Local Options hash (VER=V4): '41690919'
2010-05-16 21:01:42 Expected Remote Options hash (VER=V4): '530fdded'
2010-05-16 21:01:42 Socket Buffers: R=[42080->65536] S=[9216->65536]
2010-05-16 21:01:42 UDPv4 link local: [undef]
2010-05-16 21:01:42 UDPv4 link remote: <internet ip-address>:1194
2010-05-16 21:01:42
2010-05-16 21:01:44
2010-05-16 21:01:44 sid=e216f399 26ce1e22
2010-05-16 21:01:45 /C=NL/ST=NH/L=dummytown/O=Dummy-Org/CN=Dummy-Org_CA/emailAddress=foo@dummy.org
2010-05-16 21:01:45 /C=NL/ST=NH/L=dummytown/O=Dummy-Org/CN=server/emailAddress=foo@dummy.org
2010-05-16 21:01:46 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2010-05-16 21:01:46 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2010-05-16 21:01:46 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2010-05-16 21:01:46 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2010-05-16 21:01:46 1024 bit RSA
2010-05-16 21:01:46 [server] Peer Connection Initiated with <internet ip-address>:1194
2010-05-16 21:01:47
2010-05-16 21:01:49 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2010-05-16 21:01:49 ifconfig 10.8.0.6 10.8.0.5'
2010-05-16 21:01:49 OPTIONS IMPORT: timers and/or timeouts modified
2010-05-16 21:01:49 OPTIONS IMPORT: --ifconfig/up options modified
2010-05-16 21:01:49 OPTIONS IMPORT: route options modified
2010-05-16 21:01:49 ROUTE default_gateway=192.168.100.1
2010-05-16 21:01:49 TUN/TAP device /dev/tun0 opened
2010-05-16 21:01:49
2010-05-16 21:01:49 /sbin/ifconfig tun0 delete
2010-05-16 21:01:49 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2010-05-16 21:01:49 /sbin/ifconfig tun0 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
2010-05-16 21:01:49 /Applications/Tunnelblick.app/Contents/Resources/client.up.osx.sh tun0 1500 1542 10.8.0.6 10.8.0.5 init
2010-05-16 21:01:49
2010-05-16 21:01:49 /sbin/route add -net 192.168.123.0 10.8.0.5 255.255.255.0
2010-05-16 21:01:49 /sbin/route add -net 10.8.0.1 10.8.0.5 255.255.255.255
2010-05-16 21:01:49 Initialization Sequence Completed
2010-05-16 21:01:49 <internet ip-address>
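The log above contains the warning "No server certificate verification method has been enabled": with only ca.crt configured, the client accepts any certificate issued by this CA, including another client's, as the server. The script below is an added example, not part of the original post or of Tunnelblick: it checks the client configuration for a server-verification directive (ns-cert-type server for the OpenVPN versions used here) and cross-checks proto, dev, comp-lzo, the port and the credential file names against server.conf. The file names and paths it expects are assumptions taken from the configs shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: cross-check the Tunnelblick
# client configuration against server.conf before the first connection attempt.
# Usage: . ./audit.sh; audit_openvpn_client openvpn.conf server.conf  (exit 0 = clean)
# Assumption: one "directive value..." per line, as in the two files shown above.

# Print the normalized "directive value" line for DIRECTIVE in FILE, or nothing.
conf_line() {  # conf_line FILE DIRECTIVE
    awk -v d="$2" '$1 == d { sub(/[ \t]*[#;].*$/, ""); $1 = $1; print; exit }' "$1"
}

audit_openvpn_client() {
    client="$1"; server="$2"; rc=0

    # 1. Peer verification. ca.crt only proves the peer holds *some* certificate
    #    from our CA; without one of these directives a client1-style certificate
    #    would be accepted as the server. This is the WARNING in the log above.
    if grep -Eq '^[[:space:]]*(ns-cert-type[[:space:]]+server|remote-cert-tls[[:space:]]+server|verify-x509-name|tls-remote)' "$client"; then
        echo "OK: client checks that the peer presents a server certificate"
    else
        echo "FAIL: add 'ns-cert-type server' (or 'remote-cert-tls server' on 2.1+) to $client"; rc=1
    fi

    # 2. proto, dev and comp-lzo feed the options hash the log prints as
    #    'Expected Remote Options hash'; if they differ the handshake never completes.
    for opt in proto dev comp-lzo; do
        c=$(conf_line "$client" "$opt"); s=$(conf_line "$server" "$opt")
        if [ "$c" = "$s" ]; then echo "OK: $opt agrees (${c:-unset on both sides})"
        else echo "FAIL: $opt differs: client '${c:-unset}' vs server '${s:-unset}'"; rc=1; fi
    done

    # 3. remote host/port: the host must be filled in and the port must be the
    #    one server.conf listens on (and that the Time Capsule forwards).
    set -- $(conf_line "$client" remote); host="${2:-}"; cport="${3:-1194}"
    set -- $(conf_line "$server" port);   sport="${2:-1194}"
    case "$host" in
        ""|*"<"*) echo "FAIL: 'remote' still holds a placeholder: '$host'"; rc=1 ;;
        *)        echo "OK: remote host $host" ;;
    esac
    if [ "$cport" = "$sport" ]; then echo "OK: port $cport matches server.conf"
    else echo "FAIL: client uses port $cport but server listens on $sport"; rc=1; fi

    # 4. The credential files named in the config must sit next to it
    #    (Tunnelblick starts openvpn with --cd set to the Configurations directory).
    dir=$(dirname "$client")
    for f in ca cert key; do
        set -- $(conf_line "$client" "$f"); path="${2:-}"
        case "$path" in /*) full="$path" ;; *) full="$dir/$path" ;; esac
        if [ -n "$path" ] && [ -f "$full" ]; then echo "OK: $f $path present"
        else echo "FAIL: $f file '${path:-unset}' not found in $dir"; rc=1; fi
    done
    return "$rc"
}

# Run directly with both files as arguments; sourcing the file only defines the functions.
if [ $# -eq 2 ]; then audit_openvpn_client "$1" "$2"; fi
```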
Make sure that a route is added on the other systems you want to reach remotely. In my example I’ve added a route for the network segment 10.8.0.0 via 192.168.123.200 (my OpenVPN server).