
TUTORIAL Easy OpenVPN

Discussion in 'Add-On Install Instructions' started by dad311, Dec 17, 2010.

  1. dad311 Guru

    Easy OpenVPN scripts and Easy OpenVPN Proxmox Template

    Easy OpenVPN is intended to create a working OpenVPN server within just a few minutes.

    Easy OpenVPN consists of only three scripts: two scripts to set up the server and one script to create client key(s).

    See the script in action here.

    The Easy OpenVPN project is located here.

    Direct Easy Openvpn v1.2 download script(s)

    Easy OpenVPN v1.2 - tested on CentOS 6, 32 and 64 bit

    Easy OpenVPN v1.1.1 - tested on CentOS 5, 32 and 64 bit here.

    NEW! Easy OpenVPN 1.2 Proxmox Template. PDFs are located here. TESTERS NEEDED!! FEEDBACK NEEDED!

    The Proxmox templates have been updated to CentOS 6.

    There is now an Easy OpenVPN Proxmox template that creates clients with login and password authentication.


    Basic instructions:

    Untar the EasyOpenVPN.tar in the /root directory.

    cd /root/EasyOpenVPN

    Run the first script (install-EasyOpenVPN_part1.sh). At the end of this script it will ask you to edit a few lines at the end of the vars file. Basic address and email stuff.

    Run the second script (install-EasyOpenVPN_part2.sh); the script will ask for more address info for your certificate. MAKE SURE EACH QUESTION is answered with some text and accept ALL default answers (from the vars file). Leave NO BLANK answers; all fields should be filled in.

    Do not change the "common name" when asked. The script expects to see the name "server".

    After the second script finishes, you should have a working OpenVPN server.

    Please note:
    You will need a static public IP address OR a domain name with a dynamic DNS or similar.

    =================================================================================


    Proxmox VM instructions

    Create a VM using the Easy OpenVPN template. See PDF link above.
  2. tshif Guru

    It's at the Development Support Site!

    That's right - DAD311 has chosen to open up his project to the community! :D

    If you're a developer who wants to get involved in maintaining or updating these cool scripts, contact dad311, the project manager - he can credential you for the project.

    Welcome aboard dad311 - thanks for choosing the dev support site as your project's home base.
  3. TheShniz Guru

  4. sircolin Guru

    Thanks for posting, Santa does read my letters after all :)

    Before I go ahead and rip down openvpn-AS and do a part install of this script, avoiding the tun script on the Proxmox host (as I already created one), can I ask the following:

    Currently I can access any machine in the 10.1.1.255 range.
    As I don't wish to run a PBX over OpenVPN, will this be possible to do with this script, or will this push all clients through to their own virtual machines and not the network?

    Also, does this script point the VM tun interface at the host's tun interface, or does this require a tun per VM on the hostnode?

    Sorry for such a strange question, but I have a strange setup.

    And just want to check before I start.

    Merry Christmas

    Col
  5. dad311 Guru

    I was also using OpenVPN-AS. Although I had no issues with OpenVPN-AS and their support was very good, I wanted to create my own open source VPN without paying for clients or support.

    Your question is not strange. Everyone has their own VPN needs and wants, so one VPN will not fit all.

    I created Easy OpenVPN with only basic VPN functions. With Easy OpenVPN, 95+% of the work has been completed.

    I have not enabled routing or masquerading in the VPN, and I have not enabled traffic between clients (I probably should, because what's the point if you can only talk to the VPN server?).

    All OpenVPN options are contained in the /etc/openvpn/server.conf file.

    By enabling traffic between clients (uncomment the last line of the /etc/openvpn/server.conf file), all clients will be able to communicate over the 10.x VPN, but no routing between subnets will take place. All other traffic will be over the default route of each client (i.e. no routing in the VPN).

    As for your question about VMs and tun interfaces, I'm not 100% sure what you are asking. The Easy OpenVPN server will have only one tun interface (tun0). Each client will have their own tun interface.

    If you wish to have routing between subnets, make sure to read the notes section at the bottom of the latest pdf document. There you will find a few commands to enable the routing.
  6. sircolin Guru

    I'm gobsmacked!

    You have understood ALL my questions and answered ALL my questions, thanks.

    This is what I have been looking for, but never had the time to produce.

    time to get stuck in.

    thanks
    Col
  7. MyKroFt Guru

    Will this client setup work with OpenVPN in my PFSense appliance to use as the master server?
  8. dad311 Guru

    Easy OpenVPN is a standalone OpenVPN server, with easy-to-use client creation scripts. Any machine (Mac, Windows, Linux, FreeBSD) that's running OpenVPN 2.x should be able to connect as a client.


    Does this answer your question?
  9. bmore Guru

    I had a similar misunderstanding too. pfSense has an OpenVPN server and client which can be enabled. This is now my understanding :wink5:

    The pfsense openvpn server can be enabled/setup which will then allow remote clients to connect to the server and tunnel into the LAN.

    The pfsense openvpn client can be used to connect to a remote openvpn server and provide the LAN clients access to remote server resources.

    Easy OpenVPN creates an OpenVPN server running on a Proxmox virtualized machine and client scripts for clients to connect to this server... including a pfSense client connection, if you wanted to do that.

    However from your question, I infer in your case it would be better to enable/setup the pfsense openvpn server so that remote clients can connect.
  10. MyKroFt Guru

    That is what I am thinking about; I am using Hamachi and getting tired of depending on them for network interconnect etc. I use the Hamachi VPN to do remote main/monitor and also have interconnect IAX trunks between boxes. Figured if I could use the pfSense OpenVPN for the master server, then the PIAF boxes as clients connecting to that server.

    But I don't know a thing about OpenVPN :(

    Myk
  11. dad311 Guru

    I got tired of depending on Hamachi also; that's why I moved to OpenVPN. pfSense OpenVPN and Easy OpenVPN will accomplish the same thing.

    If you decide to use the pfSense OpenVPN server, you can then use Easy OpenVPN to install all the required software on PBXiaf for a client setup. Just run the first script and then delete all files from directory /etc/openvpn. After deleting all the files from /etc/openvpn, copy your new client config files (created on pfSense) to /etc/openvpn.
  12. MyKroFt Guru

    ok, thanks for the directions - will try it when i get home from work tonight....

    Thanks!

    Myk
  13. dad311 Guru

    For those that would like static addresses for your clients, here is a quick how-to.

    1) Edit /etc/openvpn/server.conf and add the following line:

    client-config-dir ccd

    2) Create a file in directory /etc/openvpn/ccd with the EXACT name of the client that was created with the Easy OpenVPN client script(example: bbfs).

    If you want your client to have an IP address of 10.5.0.5 the contents of file would look like the following:

    [root@CentosVPN ccd]# cat bbfs
    ifconfig-push 10.5.0.5 10.5.0.6

    3) After the above edits restart Openvpn to read the new configuration options.

    All the above info was taken from the OpenVPN web site. I would strongly suggest reading this page regarding static IPs.
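The ccd recipe above has two details that are easy to get wrong and that OpenVPN does not always complain about: the file name must be exactly the client certificate's Common Name, and under the net30 topology that OpenVPN 2.x used by default at the time (the one the 10.5.0.5 / 10.5.0.6 pair reflects) the two addresses given to ifconfig-push must form a valid /30 pair, i.e. a client address ending in 1, 5, 9, ... 253 and a server-side endpoint one higher. The POSIX shell script below is an added example, not part of Easy OpenVPN or dad311's post; the function names, the file name ccd-static.sh and the /etc/openvpn/ccd path in the usage line are assumptions, and the client name bbfs with address 10.5.0.5 are the thread's own sample values. It validates the pair before writing, and refuses any client name that could place the file outside the ccd directory.

```shell
#!/bin/sh
# Added example: write a client-config-dir (ccd) entry for a static VPN
# address. Not part of Easy OpenVPN. Assumes server.conf already contains
# "client-config-dir ccd" and that the server runs the net30 topology, so each
# client needs a /30 pair: client address ending in 1,5,9,...,253 and the
# server-side endpoint one higher (10.5.0.5 / 10.5.0.6 in the thread).

# Print the net30 peer of $1, or print nothing and return 1 when $1 is not a
# dotted quad whose last octet can start a /30 pair.
net30_peer() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    last=$4
    # first address of a /30 pair is 1 mod 4; 253 is the last usable one
    [ $((last % 4)) -eq 1 ] && [ "$last" -le 253 ] || return 1
    printf '%s.%s.%s.%s\n' "$1" "$2" "$3" $((last + 1))
}

# Write "$dir/$client" containing the ifconfig-push line. The file name must
# equal the client certificate's Common Name, so anything that is not a plain
# name (empty, ".", "..", or containing a slash) is refused instead of being
# written somewhere outside the ccd directory.
write_ccd_entry() {
    dir=$1 client=$2 ip=$3
    case $client in
        ''|.|..|*/*) echo "refusing client name '$client'" >&2; return 1 ;;
    esac
    peer=$(net30_peer "$ip") || {
        echo "$ip cannot start a net30 /30 pair (use ...1, ...5, ...9, ...)" >&2
        return 1
    }
    mkdir -p "$dir" || return 1
    printf 'ifconfig-push %s %s\n' "$ip" "$peer" > "$dir/$client"
}

# Usage on the server (assumed path):  sh ccd-static.sh bbfs 10.5.0.5
# then restart OpenVPN so the new ccd file is read.
if [ $# -eq 2 ]; then
    write_ccd_entry /etc/openvpn/ccd "$1" "$2" && cat "/etc/openvpn/ccd/$1"
fi
```

Running it for a client name that does not match the certificate CN silently does nothing useful (OpenVPN looks the file up by CN), so the script only guards the name's shape; the CN itself still has to be taken from the client script's output.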

  14. I'm not trying to dissuade you from OpenVPN. But, I am curious as to what issues made you "tired of depending on Hamachi".
  15. dad311 Guru

    There were two issues that got me to rid myself of Hamachi.

    1) Being dependent on Hamachi servers or any other 3rd party server for my connections. I had one month with nothing but intermittent Hamachi server issues.

    2) Several times in a 12 month time frame I had PBXs running at 100% CPU usage. It was always a Hamachi issue.

    Hamachi is a good product, but I would choose Openvpn or Neo Router first. Both OpenVPN and Neo Router do not depend on a third party for connections.

    If I were setting up a network of PCs for file sharing and playing games, I would go with Neo Router because of the GUI.

    For a network of servers used for VOIP and data transfer I prefer OpenVPN. Also, OpenVPN is Open Source.

    OpenVPN-AS is also a great product, but it's not free (for more than 2 clients). Nevertheless, it does a great job and has a nice GUI interface.
  16. sircolin Guru

    Thank you.
    Everything seems easy enough, but

    you have a typo in your PDF:
    it's not really there, is it. :) Really it's here.
    Also I note, for people who have used Martin Lanner's openvpn-as server on this host node before this install of a new tun device, you still at this time need to run STEP1 on your hostnode
    to create the tun interface.

    Which brings me back to my post; I think we have at least one problem with routing.

    1. I cannot seem to route traffic to other virtual machines.

    IP MASQUERADE:
    2. The instructions for masq traffic seem incorrect and not persistent; other cmds are needed to make this so.

    3. Just to confirm, this is run on the virtual machine?
    VPN at Christmas, and what joys lol; to think I set my time aside for this. Glad you wrote this script, you have taken MOST of the pain out :)

    Looking forward to getting this working for me, and once again thanks for your work.

    Col
  17. dad311 Guru

    sircolin, thx for the info.

    Yes, the ifcfg-eth0 location was a typo; I'll update the PDF. Thanks!


    On the Proxmox server, you will need to do "modprobe tun" and then edit /etc/modules and add tun to the last line. See below.....

    proxmox:/etc# cat modules
    # /etc/modules: kernel modules to load at boot time.
    #
    # This file contains the names of kernel modules that should be loaded
    # at boot time, one per line. Lines beginning with "#" are ignored.
    # Parameters can be specified after the module name.
    tun

    Ok on to Routing............

    Just so I know how much you have completed, please answer a few questions:

    Did you use Easy OpenVPN for Proxmox or just run the scripts?

    Did all the scripts STEP1, STEP2 and STEP3 complete and do you have a tun0 interface in the VM?

    Did you create a OpenVPN client and can it ping the OpenVPN server from the client?

    Do you have more than one OpenVPN client? If so did you add "client-to-client" to the /etc/openvpn/server.conf to allow clients to see each other and then restart OpenVPN?



    When I created these scripts, I on purpose did not allow routing, for security reasons. Easy OpenVPN was created to get OpenVPN up and running in a basic setup mode.

    To allow routing:

    You must push the route info to the clients:
    push "route 10.1.1.0 255.255.255.0"

    You must do the following on the OpenVPN VM to allow VPN to communicate with local lan:

    1) iptables -t nat -A PREROUTING -i tun0 -j DNAT --to VM.ip (where VM.ip is the IP address of eth0)
    To save these changes to the firewall type "service iptables save"

    2) Edit file "/etc/sysctl.conf" line "net.ipv4.ip_forward = 0" to read "net.ipv4.ip_forward = 1".

    $ /sbin/sysctl -w net.ipv4.ip_forward=1


    NEXT, you need to tell your local LAN traffic (10.1.1.0) how to access your VPN (10.8.0.0). This can be done a few different ways, I'm sure. I added a static route in my router that points all 10.8.0.0 traffic to the eth0 of my VPN. So when I ping 10.8.0.5 (first VPN client) from my local desktop, the ping goes to my router, then to eth0 of my VPN server.

    With the above setup, only the remote machines will need a VPN 10.8.0.x address. Everything local will be accessible from the VPN and every VPN client will be able to access everything on the local LAN. No restrictions, no firewall!

    Hope this helps, thanks for your feedback:wink5:
  18. sircolin Guru

    Sorry for the lack of information; I should know better.

    I'm running the Proxmox template and I did use scripts 1, 2, 3 and also the client script, and all work as expected.

    I have entered
    into the virtual machine; is this correct?

    and I have also pushed 10.1.1.0 via /etc/openvpn/server.conf
    atm I have only one VPN client, I understood
    only needs to be used if you want to open up client-side subnets, not server-side subnets. So this should not be needed, as the only subnet I want clients to reach is the server-side subnet of 10.1.1.0

    So route add is needed here on the guest machine?
  19. dad311 Guru


    iptables -t nat -A PREROUTING -i tun0 -j DNAT --to 10.1.1.16 is correct if your IP address is 10.1.1.16 for eth0 on the VM.

    Correct, client-to-client is only for VPN clients to see each other.

    Make sure your routes are getting pushed down to the client by typing netstat -nr on the client. You should see your 10.1.1.0 route in the table. Here is an example of one of my clients; my local network is 192.168.100.0 and my VPN is 10.5.0.0.

    root@pbx:~ $ netstat -nr
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    10.5.0.26 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
    192.168.100.0 10.5.0.26 255.255.255.0 UG 0 0 0 tun0
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    10.5.0.0 10.5.0.26 255.255.255.0 UG 0 0 0 tun0
    169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
    0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0


    I did not need to do any routes on the VM, only the router. I added a static route on my local firewall/router (Asus dd-wrt). See below; again, my VPN network is 10.5.0.0 and my VPN server is 192.168.100.250.

    root@DD-WRT:~# route
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.100.0 * 255.255.255.0 U 0 0 0 br0
    10.5.0.0 192.168.100.250 255.255.255.0 UG 0 0 0 br0
    174.103.16.0 * 255.255.248.0 U 0 0 0 vlan2
    169.254.0.0 * 255.255.0.0 U 0 0 0 br0
    127.0.0.0 * 255.0.0.0 U 0 0 0 lo
    default cpe-174-103-16- 0.0.0.0 UG 0 0 0 vlan2
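A worked version of the LAN-access setup discussed in the last few posts, added here as an example; it is not code from Easy OpenVPN or from either poster. It assumes a VPN network of 10.8.0.0/24 on tun0 and a LAN of 10.1.1.0/24 behind eth0 (numbers taken from the posts, not verified settings), a CentOS 6 style iptables firewall saved with service iptables save, and the file name lan-access.sh; the function names and the DRY_RUN variable are this example's own. It differs from the PREROUTING rule earlier in the thread in one deliberate way: it uses source NAT (MASQUERADE) in POSTROUTING on the LAN interface, which rewrites only the source address of packets leaving for the LAN and leaves their destination untouched, so a connection from a client to 10.1.1.12 arrives at 10.1.1.12 rather than at the VM's own address, and the LAN router needs no static route back to the VPN subnet. The FORWARD rules admit only VPN-to-LAN traffic and its replies, which keeps the restriction the "no restrictions, no firewall" setup gives up. route_present applies the netstat -nr check dad311 recommends to a constructed routing table shaped like the one above.

```shell
#!/bin/sh
# Added example (not Easy OpenVPN's own code): let VPN clients reach the
# server-side LAN using source NAT, and verify from a client that the pushed
# route arrived. Assumed values, taken from the posts' numbers rather than
# verified settings: VPN 10.8.0.0/24 on tun0, LAN 10.1.1.0/24 behind eth0,
# CentOS 6 style iptables persisted with "service iptables save".

# Run a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The server.conf line that hands clients a route to the LAN.
push_lan_route() {
    printf 'push "route %s %s"\n' "$1" "$2"
}

# Forwarding plus NAT. MASQUERADE in POSTROUTING rewrites only the source of
# packets leaving through $lan_if, so the destination a client asked for
# (10.1.1.12, say) is preserved; replies return to eth0 and are un-NATed, so
# the LAN router needs no static route to the VPN subnet. The FORWARD rules
# are inserted at the top (CentOS 6 ends that chain with a REJECT) and admit
# only VPN-to-LAN traffic and its replies.
enable_lan_access() {
    vpn_net=$1 lan_net=$2 lan_if=$3
    run sysctl -w net.ipv4.ip_forward=1   # make permanent in /etc/sysctl.conf
    run iptables -I FORWARD 1 -i tun0 -o "$lan_if" -s "$vpn_net" -d "$lan_net" -j ACCEPT
    run iptables -I FORWARD 2 -i "$lan_if" -o tun0 -d "$vpn_net" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$vpn_net" -d "$lan_net" -o "$lan_if" -j MASQUERADE
    run service iptables save
}

# Does a "netstat -nr" table ($1) contain a route to network $2 via device $3?
route_present() {
    printf '%s\n' "$1" | awk -v dst="$2" -v dev="$3" '
        $1 == dst && $NF == dev { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample, shaped like the client table posted in the thread:
# the client is 10.8.0.5 with server endpoint 10.8.0.6 (a net30 pair).
SAMPLE_TABLE='Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.6 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.1.1.0 10.8.0.6 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0'

# Usage (assumed): DRY_RUN=1 sh lan-access.sh apply   to review the commands,
#                  sh lan-access.sh apply              as root to apply them.
if [ "${1:-}" = "apply" ]; then
    echo "add to /etc/openvpn/server.conf: $(push_lan_route 10.1.1.0 255.255.255.0)"
    enable_lan_access 10.8.0.0/24 10.1.1.0/24 eth0
fi
```

On the client side, `route_present "$(netstat -nr)" 10.1.1.0 tun0` is the one-line check that the pushed route is actually installed; if it is absent, the problem is in server.conf or the client's connection, not in the NAT rules, and reaching for more iptables changes on the server will not fix it.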
  20. sircolin Guru

    Thank you for all the information.

    I have
    Which seems correct, but ALL traffic is routed to the OpenVPN machine and not the machine it's destined for; so for example when I ssh to 10.1.1.12 I get connection refused from 10.1.1.16, and when I visit a web page it's also being routed to the OpenVPN machine and not the page requested.

    Any ideas about this?
