TUTORIAL Easy OpenVPN

dad311

Easy OpenVPN scripts and Easy OpenVPN Proxmox Template

Easy OpenVPN is intended to create a working OpenVPN server within just a few minutes.

Easy OpenVPN consists of only three scripts: two scripts to set up the server and one script to create client key(s).

See the script in action here.

The Easy OpenVPN project is located here.

Direct Easy Openvpn v1.2 download script(s)

Easy OpenVPN v1.2 - tested on Centos 6 32 and 64 bit

Easy OpenVPN v1.1.1 - tested on Centos 5 32 and 64 bit here.

NEW! Easy OpenVPN 1.2 Proxmox Template. PDFs are located here. TESTERS NEEDED!! FEEDBACK NEEDED!

The Proxmox templates have been updated to Centos 6.

There is now an Easy OpenVPN Proxmox template that creates clients with login and password authentication.


Basic instructions:

Untar the EasyOpenVPN.tar in the /root directory.

cd /root/EasyOpenVPN

Run the first script (install-EasyOpenVPN_part1.sh). At the end of this script it will ask you to edit a few lines at the end of the vars file: basic address and email stuff.

Run the second script (install-EasyOpenVPN_part2.sh); the script will ask for more address info for your certificate. MAKE SURE EACH QUESTION is answered with some text and accept ALL default answers (from the vars file). Leave NO BLANK answers; all fields should be filled in.

Do not change the "common name" when asked. The script expects to see the name "server".

After the second script finishes, you should have a working OpenVPN server.

Please note:
You will need a static public IP address OR a domain name with a dynamic DNS or similar.

=================================================================================


Proxmox VM instructions

Create a VM using the Easy OpenVPN template. See PDF link above.
 

tshif

It's at the Development Support Site!

That's right - DAD311 has chosen to open up his project to the community! :D

If you're a developer who wants to get involved in maintaining or updating these cool scripts, contact dad311, the project manager - he can credential you for the project.

Welcome aboard dad311 - thanks for choosing the dev support site as your project's home base.
 

sircolin

Thanks for posting, Santa does read my letters after all :)

Before I go ahead and rip down openvpn-AS and do a part install of this script, avoiding the tun script on the Proxmox host (as I already created one), can I ask the following:

Currently I can access any machine in the 10.1.1.255 range.
As I don't wish to run a PBX over OpenVPN, will this be possible to do with this script, or will this push all clients through to their own virtual machines and not the network?

Also, does this script point the VM tun interface at the host's tun interface, or does this require a tun per VM on the host node?

Sorry for such a strange question but I have a strange setup.

And just want to check before I start.

Merry Christmas

Col
 

dad311


I was also using OpenVPN-AS. Although I had no issues with OpenVPN-AS and their support was very good, I wanted to create my own open source VPN without paying for clients or support.

Your question is not strange. Everyone has their own VPN needs and wants, so one VPN will not fit all.

I created Easy OpenVPN with only basic VPN functions. With Easy OpenVPN, 95+% of the work has been completed.

I have not enabled routing or masquerading in the VPN and I have not enabled traffic between clients (I probably should, because what's the point if you can only talk to the VPN server?).

All OpenVPN options are contained in the /etc/openvpn/server.conf file.

By enabling traffic between clients (uncomment the last line of the /etc/openvpn/server.conf file), all clients will be able to communicate over the 10.x VPN, but no routing between subnets will take place. All other traffic will go over the default route of each client (i.e. no routing in the VPN).

As for your question about VMs and tun interfaces, I'm not 100% sure what you are asking. The Easy OpenVPN server will have only one tun interface (tun0). Each client will have their own tun interface.

If you wish to have routing between subnets, make sure to read the notes section at the bottom of the latest PDF document. There you will find a few commands to enable the routing.
 

sircolin

I'm gobsmacked!

You have understood ALL my questions and answered ALL my questions, thanks.

This is what i have been looking for, but never had the time to produce.

time to get stuck in.

thanks
Col
 

MyKroFt

Will this client setup work with OpenVPN in my PFSense appliance to use as the master server?
 

dad311

MyKroFt said:
Will this client setup work with OpenVPN in my PFSense appliance to use as the master server?

Easy OpenVPN is a standalone OpenVPN server, with easy-to-use client creation scripts. Any machine (Mac, Windows, Linux, FreeBSD) that's running OpenVPN 2.x should be able to connect as a client.


Does this answer your question?
 

bmore

MyKroFt said:
Will this client setup work with OpenVPN in my PFSense appliance to use as the master server?

I had a similar misunderstanding too. pfSense has an OpenVPN server and client which can be enabled. This is now my understanding :wink5:

The pfsense openvpn server can be enabled/setup which will then allow remote clients to connect to the server and tunnel into the LAN.

The pfsense openvpn client can be used to connect to a remote openvpn server and provide the LAN clients access to remote server resources.

Easy OpenVPN creates an OpenVPN server running on a Proxmox virtualized machine and client scripts for clients to connect to this server... including a pfSense client connection, if you wanted to do that.

However from your question, I infer in your case it would be better to enable/setup the pfsense openvpn server so that remote clients can connect.
 

MyKroFt

That is what I am thinking about. I am using Hamachi and getting tired of depending on them for network interconnect etc. I use the Hamachi VPN to do remote maintenance/monitoring and also have interconnect IAX trunks between boxes. Figured if I could use the pfSense OpenVPN for the master server, then the PIAF boxes as clients connecting to that server.

But I dont know a thing about openvpn :(

Myk
 

dad311

I got tired of depending on Hamachi also, that's why I moved to OpenVPN. pfSense OpenVPN and Easy OpenVPN will accomplish the same thing.

If you decide to use the pfSense OpenVPN server, you can then use Easy OpenVPN to install all the required software on PBXiaf for a client setup. Just run the first script and then delete all files from the directory /etc/openvpn. After deleting all the files from /etc/openvpn, copy your new client config files (created on pfSense) to /etc/openvpn.
 

MyKroFt

ok, thanks for the directions - will try it when i get home from work tonight....

Thanks!

Myk
 

dad311

For those that would like static addresses for your clients, here is a quick how-to.

1) Edit /etc/openvpn/server.conf and add the following line:

client-config-dir ccd

2) Create a file in directory /etc/openvpn/ccd with the EXACT name of the client that was created with the Easy OpenVPN client script(example: bbfs).

If you want your client to have an IP address of 10.5.0.5 the contents of file would look like the following:

[root@CentosVPN ccd]# cat bbfs
ifconfig-push 10.5.0.5 10.5.0.6

3) After the above edits, restart OpenVPN to read the new configuration options.

All the above info was taken from the OpenVPN web site. I would strongly suggest reading this page regarding static IPs.
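As an added example, not part of dad311's scripts or of OpenVPN itself: a small shell helper that builds the ccd entry described above and checks the one rule that most often goes wrong with static addresses. Under OpenVPN's default net30 topology each client occupies its own /30, so the two addresses handed to ifconfig-push must be the two usable addresses of one /30 (client .5 pairs with .6, .9 with .10, and so on), which OpenVPN's documentation requires for net30 and the Windows TAP driver in particular will not accept otherwise. The helper also refuses a client name that could escape the ccd directory, since the file is looked up by the certificate's common name. The ccd path and the sample name bbfs come from the post; the rest is assumed.

```shell
#!/bin/sh
# Added example: write a per-client ccd file with a static VPN address.
# Assumes OpenVPN's default "net30" topology: the client gets the first
# address of a /30 (last octet 1, 5, 9, ..., 253) and its server-side
# endpoint is the next address. With "topology subnet" the second field
# of ifconfig-push is a netmask instead and this /30 check does not apply.

# net30_pair CLIENT_IP  -> prints "ifconfig-push CLIENT_IP SERVER_IP"
# Returns 1 when CLIENT_IP cannot be the client side of a /30.
net30_pair() {
    ip="$1"
    case "$ip" in
        *.*.*.*) ;;
        *) echo "not an IPv4 address: $ip" >&2; return 1 ;;
    esac
    prefix="${ip%.*}"          # first three octets
    last="${ip##*.}"           # last octet
    case "$last" in
        ''|*[!0-9]*) echo "bad last octet in $ip" >&2; return 1 ;;
    esac
    if [ "$last" -gt 253 ] || [ $((last % 4)) -ne 1 ]; then
        echo "$ip is not the client side of a /30 (last octet must be 1,5,9,...,253)" >&2
        return 1
    fi
    printf 'ifconfig-push %s %s.%s\n' "$ip" "$prefix" $((last + 1))
}

# write_ccd CCD_DIR CLIENT_CN CLIENT_IP -> creates CCD_DIR/CLIENT_CN
# The file name is the certificate common name, so reject anything that
# is not a plain name (no slashes, no spaces, no empty name).
write_ccd() {
    dir="$1"; cn="$2"; ip="$3"
    case "$cn" in
        ''|*[!A-Za-z0-9._-]*) echo "refusing unsafe common name: '$cn'" >&2; return 1 ;;
    esac
    line=$(net30_pair "$ip") || return 1
    mkdir -p "$dir"
    printf '%s\n' "$line" > "$dir/$cn"
    chmod 0644 "$dir/$cn"
    echo "wrote $dir/$cn: $line"
}

# Usage: sh ccd-static.sh /etc/openvpn/ccd bbfs 10.5.0.5
# (then add "client-config-dir ccd" to server.conf and restart openvpn)
if [ "$#" -eq 3 ]; then
    write_ccd "$1" "$2" "$3"
fi
```

After writing the file, check the result from the server with "cat /etc/openvpn/ccd/bbfs" and, once the client reconnects, confirm its tun0 address with ifconfig on the client.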
 
dad311 said:
I got tried of depending on Hamachi also, thats why I moved to OpenVPN.


I'm not trying to dissuade you from OpenVPN. But, I am curious as to what issues made you "tired of depending on Hamachi".
 

dad311

I'm not trying to dissuade you from OpenVPN. But, I am curious as to what issues made you "tired of depending on Hamachi".

There were two issues that got me to rid myself of Hamachi.

1) Being dependent on Hamachi servers or any other 3rd party server for my connections. I had one month with nothing but intermittent Hamachi server issues.

2) Several times in a 12 month time frame I had PBXs running at 100% CPU usage. It was always a Hamachi issue.

Hamachi is a good product, but I would choose Openvpn or Neo Router first. Both OpenVPN and Neo Router do not depend on a third party for connections.

If I were setting up a network of PCs for file sharing and playing games, I would go with Neo Router because of the GUI.

For a network of servers used for VOIP and data transfer I prefer OpenVPN. Also, OpenVPN is Open Source.

OpenVPN-AS is also a great product, but it's not free (for more than 2 clients). Nevertheless, it does a great job and has a nice GUI interface.
 

sircolin

Thank you,
everything seems easy enough but

you have a typo in your PDF:
The file is located at "/etc/network-scripts/ifcfg-eth0"
It's not really there, is it. :) Really it's here:
/etc/sysconfig/network-scripts
Also I note, for people who have used Martin Lanner's openvpn-as server on this host node before this install of a new tun device, you still at this time need to run STEP1 on your host node to create the tun interface.

Which brings me back to my post. I think we have at least one problem with routing:

1. I cannot seem to route traffic to other virtual machines.

IP MASQUERADE:
2. The instructions for masquerading traffic seem incorrect and not persistent; other commands are needed to make this so.

3. Just to confirm, this is run on the virtual machine:
iptables -t nat -A PREROUTING -i tun0 -j DNAT --to 10.1.1.16 (where VM.ip is the IP address of eth0)
VPN at Christmas, what joys lol. To think I set my time aside for this; glad you wrote this script, you have taken MOST of the pain out :)

Looking forward to getting this working for me, and once again thanks for your work.

Col
 

dad311

sircolin, thx for the info.

Yes, the ifcfg-eth0 location was a typo, I'll update the PDF. Thanks!


On the Proxmox server, you will need to do "modprobe tun" and then edit /etc/modules and add tun on the last line. See below.....

proxmox:/etc# cat modules
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
# Parameters can be specified after the module name.
tun

Ok on to Routing............

Just so I know how much you have completed, please answer a few questions:

Did you use Easy OpenVPN for Proxmox or just run the scripts?

Did all the scripts STEP1, STEP2 and STEP3 complete and do you have a tun0 interface in the VM?

Did you create an OpenVPN client, and can it ping the OpenVPN server from the client?

Do you have more than one OpenVPN client? If so did you add "client-to-client" to the /etc/openvpn/server.conf to allow clients to see each other and then restart OpenVPN?



When I created these scripts, I purposely did not allow routing for security reasons. Easy OpenVPN was created to get OpenVPN up and running in a basic setup mode.

To allow routing:

You must push the route info to the clients:
push "route 10.1.1.0 255.255.255.0"

You must do the following on the OpenVPN VM to allow VPN to communicate with local lan:

1) iptables -t nat -A PREROUTING -i tun0 -j DNAT --to VM.ip (where VM.ip is the IP address of eth0)
To save these changes to the firewall type “service iptables save”

2) Edit file “/etc/sysctl.conf” line “net.ipv4.ip_forward = 0” to read “net.ipv4.ip_forward = 1”.

$ /sbin/sysctl -w net.ipv4.ip_forward=1


NEXT, you need to tell your local LAN traffic (10.1.1.0) how to access your VPN (10.8.0.0). This can be done a few different ways I'm sure. I added a static route in my router that points all 10.8.0.0 traffic to the eth0 of my VPN. So when I ping 10.8.0.5 (first VPN client) from my local desktop, the ping goes to my router then to eth0 of my VPN server.

With the above setup, only the remote machines will need a VPN 10.8.0.x address. Everything local will be accessible from the VPN and every VPN client will be able to access everything on the local LAN. No restrictions, no firewall!

Hope this helps, thanks for your feedback:wink5:
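Added example, not from the Easy OpenVPN PDF or scripts: a shell helper that prints the server-side routing setup from the post above in a reviewable form (the push route line, ip_forward, and iptables rules), plus a check for one rule worth flagging. The PREROUTING rule quoted above ("-i tun0 -j DNAT --to VM.ip", with no -d or --dport match) rewrites the destination of every packet that enters tun0 to the VM's own address, so a client that tries to reach any other LAN host ends up talking to the VPN server itself. Forwarding into the LAN needs no destination NAT at all: with the static route on the router that dad311 describes, plain IP forwarding is enough; without such a route, source NAT (MASQUERADE) on eth0 hides the clients behind the VM's LAN address. Subnets, interface names and the "service iptables save" persistence step are assumptions matching the CentOS 6 setup in the thread.

```shell
#!/bin/sh
# Added example (not from the Easy OpenVPN scripts): print the server-side
# commands that let VPN clients reach the LAN behind the OpenVPN VM. Nothing
# is applied; review the output, then pipe it to sh on the VM.
# Assumptions: VPN 10.8.0.0/24 on tun0, LAN 10.1.1.0/24 on eth0, CentOS 6
# ("service iptables save" persists the rules across reboots).
VPN_NET="${VPN_NET:-10.8.0.0/24}"
LAN_NET="${LAN_NET:-10.1.1.0/24}"
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"

# cidr_to_push_route a.b.c.d/BITS -> the push "route NET MASK" line for server.conf
cidr_to_push_route() {
    net="${1%/*}"; bits="${1#*/}"
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    printf 'push "route %s %d.%d.%d.%d"\n' "$net" \
        $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
        $(( (mask >> 8) & 255 ))  $(( mask & 255 ))
}

# lan_access_rules routed|masq -> shell commands to run on the VPN VM.
#   routed: the LAN router has a static route "VPN_NET via <VM eth0 IP>"
#           (dad311's setup), so packets are only forwarded, never NATed,
#           and LAN hosts see the real 10.8.0.x client addresses.
#   masq:   no such router route exists, so clients are hidden behind the
#           VM's eth0 address with source NAT. Neither mode uses DNAT.
lan_access_rules() {
    mode="$1"
    case "$mode" in
        routed|masq) ;;
        *) echo "usage: lan_access_rules routed|masq" >&2; return 1 ;;
    esac
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "sed -i 's/^net.ipv4.ip_forward *=.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf"
    # VPN clients may open connections into the LAN; LAN replies come back.
    echo "iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    case "$mode" in
        # LAN hosts may also reach clients directly (dad311 pings 10.8.0.5 from his desktop).
        routed) echo "iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -d $VPN_NET -j ACCEPT" ;;
        masq)   echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE" ;;
    esac
    echo "service iptables save"
}

# is_catch_all_dnat "iptables ..." -> true when the rule DNATs everything that
# arrives on the VPN interface (no -d / --dport match): the rule from the thread
# that sends every client packet to the VM itself. Pattern-based, so it only
# recognises the "-i tun0 ... -j DNAT" ordering used in the thread.
is_catch_all_dnat() {
    case "$1" in
        *-t\ nat*PREROUTING*-i\ "$VPN_IF"*-j\ DNAT*)
            case "$1" in
                *--dport*|*\ -d\ *) return 1 ;;
            esac
            return 0 ;;
    esac
    return 1
}

# Usage: sh lan-access.sh routed          (review the output)
#        sh lan-access.sh routed | sh     (apply on the VPN VM as root)
if [ "$#" -eq 1 ]; then
    echo "# add to /etc/openvpn/server.conf and restart openvpn:"
    echo "# $(cidr_to_push_route "$LAN_NET")"
    lan_access_rules "$1"
fi
```

Run "iptables -t nat -S PREROUTING" on the VM and feed each line to is_catch_all_dnat before applying anything; if it reports a match, delete that rule first ("iptables -t nat -D PREROUTING ..." with the same arguments), otherwise the forwarding rules above never see the real destination.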
 

sircolin

Sorry for the lack of information, I should know better.

I'm running the Proxmox template and I did use scripts 1, 2, 3 and also the client script, and all work as expected.

I have entered
iptables -t nat -A PREROUTING -i tun0 -j DNAT --to 10.1.1.16
into the virtual machine; is this correct?

And I have also pushed 10.1.1.0 via /etc/openvpn/server.conf:
push "route 10.1.1.0 255.255.255.0"

At the moment I have only one VPN client. I understood
client-to-client
only needs to be used if you want to open up client-side subnets, not server-side subnets, so this should not be needed as the only subnet I want clients to reach is the server-side subnet of 10.1.1.0.

dad311 said:
NEXT, you need to tell your local LAN traffic (10.1.1.0) how to access your VPN (10.8.0.0). This can be done a few different ways I'm sure. I added a static route in my router that points all 10.8.0.0 traffic to the eth0 of my VPN. So when I ping 10.8.0.5 (first VPN client) from my local desktop, the ping goes to my router then to eth0 of my VPN server.

So a route add is needed here on the guest machine?
 

dad311



iptables -t nat -A PREROUTING -i tun0 -j DNAT --to 10.1.1.16 is correct if your IP address is 10.1.1.16 for eth0 on the VM.

Correct, client-to-client is only for VPN clients to see each other.

Make sure your routes are getting pushed down to the client by typing netstat -nr on the client. You should see your 10.1.1.0 route in the table. Here is an example from one of my clients; my local network is 192.168.100.0 and my VPN is 10.5.0.0.

root@pbx:~ $ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.5.0.26 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.100.0 10.5.0.26 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.5.0.0 10.5.0.26 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0


I did not need to do any routes on the VM, only on the router. I added a static route on my local firewall/router (Asus dd-wrt). See below; again my VPN network is 10.5.0.0 and my VPN server is 192.168.100.250.

root@DD-WRT:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.100.0 * 255.255.255.0 U 0 0 0 br0
10.5.0.0 192.168.100.250 255.255.255.0 UG 0 0 0 br0
174.103.16.0 * 255.255.248.0 U 0 0 0 vlan2
169.254.0.0 * 255.255.0.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default cpe-174-103-16- 0.0.0.0 UG 0 0 0 vlan2
 

sircolin

Thank you for all the information.

I have:
sircolin@thunderchild:~$ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
18*.165.2*7.1*0 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.1.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.8.0.5 0.0.0.0 UG 0 0 0 tun0
Which seems correct, but ALL traffic is routed to the OpenVPN machine and not the machine it's destined for. For example, when I ssh to 10.1.1.12 I get connection refused from 10.1.1.16, and when I visit a web page it's also being routed to the OpenVPN machine and not the page requested.

Any ideas about this?
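Added example, not from any of the thread's authors: a shell function that reads the client's netstat -nr output and reports the two things these last posts check by hand, whether the pushed LAN route is present on tun0, and whether the client's default route also points into the tunnel. In the table just above, 0.0.0.0 goes via 10.8.0.5 on tun0, so every packet, web traffic included, enters the VPN and then meets whatever rules sit on the server's tun0; in dad311's earlier client table the default route stays on eth0 (split tunnel). The two sample tables are constructed to resemble those two posts; the LAN prefixes are the ones used in the thread.

```shell
#!/bin/sh
# Added example: sanity-check a client's routing table after it connects.
# route_report LAN_PREFIX TABLE_TEXT
#   TABLE_TEXT is the output of "netstat -nr" (or "route -n") on the client.
#   Reports whether LAN_PREFIX is routed into the tunnel and whether the
#   default route goes through the tunnel too (full tunnel).
route_report() {
    lan="$1"
    printf '%s\n' "$2" | awk -v lan="$lan" '
        /^Destination/ { in_table = 1; next }   # column header precedes the entries
        !in_table || NF < 8 { next }            # skip prompts, titles, blank lines
        $1 == lan       && $NF ~ /^tun/  { lan_ok = 1 }
        $1 == "0.0.0.0" && $NF ~ /^tun/  { full_tunnel = 1 }
        $1 == "0.0.0.0" && $NF !~ /^tun/ { split_ok = 1 }
        END {
            status = lan_ok ? "ok" : "MISSING"
            print status ": route to " lan " via tun"
            if (full_tunnel)
                print "WARN: default route via tun (all traffic enters the VPN)"
            else if (split_ok)
                print "ok: default route stays on the local interface (split tunnel)"
            else
                print "WARN: no default route found"
        }'
}

# Constructed sample tables, modeled on the two client tables in this thread.
SAMPLE_SPLIT='Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.5.0.26 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.100.0 10.5.0.26 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.5.0.0 10.5.0.26 255.255.255.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0'

SAMPLE_FULL='Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.1.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
0.0.0.0 10.8.0.5 0.0.0.0 UG 0 0 0 tun0'

# On a live client:  route_report 10.1.1.0 "$(netstat -nr)"
route_report 192.168.100.0 "$SAMPLE_SPLIT"
route_report 10.1.1.0 "$SAMPLE_FULL"
```

A full-tunnel result is not wrong by itself (redirect-gateway is a legitimate choice), but it means the server's tun0 rules now apply to the client's entire traffic, so any catch-all DNAT there will redirect web browsing as well as LAN access.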
 
