
TUTORIAL Easy OpenVPN

Discussion in 'Add-On Install Instructions' started by dad311, Dec 17, 2010.

  1. MichiganTelephone (Guru; joined Jun 29, 2009; 259 messages; 0 likes received)

    Wish I could, Ward. Unfortunately, there is no version of the Tomato firmware (used on routers) that natively supports Hamachi, whereas there is for OpenVPN. That means that you can make all communication through that router go through the VPN tunnel if you like, but only when using OpenVPN, sadly.
     
  2. newvoiper (Member; joined Nov 20, 2010; 32 messages; 0 likes received)

    I flashed my LG Optimus V to a Cyanogen7 7.1RC (Gingerbread) ROM, mainly for the OpenVPN client support that is built into this ROM. My OpenVPN server is on my PBX.

    Using the mobile network, I could get my server to authenticate the client and assign IP addresses, with the default server.conf configuration for OpenVPN. Then the client (Optimus) immediately refused the connection.

    Here are the log entries:

    Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 [LGPhone] Peer Connection Initiated with <snip>:36700
    Sep 21 21:30:13 pbx openvpn[20925]: LGPhone/<snip>:36700 MULTI: Learn: 10.8.0.10 -> LGPhone/<snip>:36700
    Sep 21 21:30:13 pbx openvpn[20925]: LGPhone/<snip>:36700 MULTI: primary virtual IP for LGPhone/<snip>:36700: 10.8.0.10
    Sep 21 21:30:15 pbx openvpn[20925]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

    One thing I noticed that seemed strange: the IP in the logs is not the IP of my Optimus on Virgin Mobile's network; it seems to be trying to connect through a proxy server on my mobile network.

    Has anyone else got CM7 to work with OpenVPN?
     
  3. MyKroFt (Guru; joined Oct 31, 2008; 655 messages; 3 likes received)

    Am now just finally getting back to this - damn Hamachi....

    I am going to assume I create a client in pfSense OpenVPN, which looks like it is storing its files in /var/etc/openvpn.

    I have server1 and client2 sets of files - I only have 1 client defined - am I right to assume the client2.* files are what I need?

    Thanks
    Myk
     
  4. dad311 (Guru; joined Jan 13, 2008; 601 messages; 1 like received)

    Here is a listing of my client files in /etc/openvpn on the PBX.

    Code:
    root@pbx:/etc/openvpn $ ls
    ca.crt client1.conf client1.crt client.key client1.tar ta.key

    The .conf file may need to be edited to point to the correct directory for the above files.

    When the first Easy OpenVPN script finishes, it will ask you to edit some files. Ignore this step if you are only setting up an OpenVPN client.

    Of all the open source stuff I have, OpenVPN may be the most reliable. Once set up, it runs non-stop and auto-reconnects if needed. It's been bulletproof for over 3 years.
     
  5. MyKroFt (Guru; joined Oct 31, 2008; 655 messages; 3 likes received)

    here are the files in my /var/etc/openvpn dir

    Code:
    client2.ca              client2.tls-auth        server1.key
    client2.cert            server1.ca              server1.sock
    client2.conf            server1.cert            server1.tls-auth
    client2.key             server1.conf            server1.tls-verify.php
    client2.sock            server1.crl-verify
    So all I need are the client2.* files minus the .sock file?

    Here are the contents of client2.conf, sanitized....

    Code:
    dev ovpnc2
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_client2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.xx.xx.xx
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client2.sock unix
    remote xxxxx.dyndns.org 1194
    ifconfig 192.168.1.2 192.168.1.1
    I am over my head here :(

    Myk
     
  6. dad311 (Guru; joined Jan 13, 2008; 601 messages; 1 like received)

    I would copy ALL the client2 files to the client machine. Restart OpenVPN and check your /var/log/messages file for errors.
     
  7. MyKroFt (Guru; joined Oct 31, 2008; 655 messages; 3 likes received)

    ok, getting somewhere slowly...

    execute:

    Code:
    root@pbx:/etc/openvpn $ service openvpn start
    Starting openvpn: [  OK  ]
    here is what /var/log/messages states:

    Code:
    Jan 21 10:54:25 pbx openvpn[12931]: OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO1] [EPOLL] [PKCS11] built on Jan 20 2012
    Jan 21 10:54:25 pbx openvpn[12931]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 21 10:54:25 pbx openvpn[12931]: WARNING: file '/etc/openvpn/client2.key' is group or others accessible
    Jan 21 10:54:25 pbx openvpn[12931]: LZO compression initialized
    Jan 21 10:54:25 pbx openvpn[12931]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Jan 21 10:54:26 pbx openvpn[12931]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Jan 21 10:54:26 pbx openvpn[12931]: Local Options hash (VER=V4): '1a7820b3'
    Jan 21 10:54:26 pbx openvpn[12931]: Expected Remote Options hash (VER=V4): '3e6cc37d'
    Jan 21 10:54:26 pbx openvpn[12932]: Socket Buffers: R=[110592->131072] S=[110592->131072]
    Jan 21 10:54:26 pbx openvpn[12932]: UDPv4 link local (bound): [undef]:1194
    Jan 21 10:54:26 pbx openvpn[12932]: UDPv4 link remote: 174.19.16.29:1194
    but no other device shows up in ifconfig with an IP address...

    ideas?

    thanks
    Myk
     
  8. dad311 (Guru; joined Jan 13, 2008; 601 messages; 1 like received)

    No other messages? No error messages?

    Also check the log file on your pfSense server for clues.
     
  9. MyKroFt (Guru; joined Oct 31, 2008; 655 messages; 3 likes received)

    openvpn[215]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.0.29:1194

    over and over on the pfSense box
     
  10. MyKroFt (Guru; joined Oct 31, 2008; 655 messages; 3 likes received)

    After 60 seconds I get this added to messages:

    Jan 21 12:17:05 pbx openvpn[14313]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Jan 21 12:17:05 pbx openvpn[14313]: TLS Error: TLS handshake failed
    Jan 21 12:17:05 pbx openvpn[14313]: TCP/UDP: Closing socket
    Jan 21 12:17:05 pbx openvpn[14313]: SIGUSR1[soft,tls-error] received, process restarting
    Jan 21 12:17:05 pbx openvpn[14313]: Restart pause, 2 second(s)
     
  11. MyKroFt (Guru; joined Oct 31, 2008; 655 messages; 3 likes received)

    Here is the current .conf file...

    Code:
    port 1194
    dev /dev/tun
    proto udp
    remote xxxxxxxxxx.dyndns.org 1194
    ping 30

    persist-tun
    persist-key

    cipher AES-128-CBC

    tls-client

    ca /etc/openvpn/client2.crt
    cert /etc/openvpn/client2.crt
    key /etc/openvpn/client2.key

    ns-cert-type server
    comp-lzo
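The config above loads the client certificate as its CA, never references the client2.tls-auth key that pfSense exported (which is what the pfSense side's "cannot locate HMAC" complaint points at), and hands dev a device path. As an added example, written for this page and not part of the thread or of the Easy OpenVPN scripts, here is a POSIX shell linter that catches those mistakes on the PBX before running "service openvpn start". It also flags the group/other-readable key that OpenVPN warned about in the earlier log, and goes one step beyond the thread by catching a static key given to auth instead of tls-auth. The demo directory, the PEM file contents, the hostname and both config files are constructed; the header strings it looks for are the ones real CA/cert/key/tls-auth files carry.

```shell
#!/bin/sh
# Added example, not from the thread: lint an OpenVPN client config of the kind
# pfSense exports. Prints one FAIL/WARN line per problem. Demo files are constructed.
set -u

# Resolve a path relative to the config's directory (what --cd would do).
resolve() { case "$2" in /*) echo "$2" ;; *) echo "$1/$2" ;; esac; }

# FAIL unless the file exists and carries the header we expect for that directive.
check_file() {  # $1 directive  $2 resolved path  $3 expected header text
    if [ ! -f "$2" ]; then
        echo "FAIL: $1 -> $2 does not exist"
    elif ! grep -q "$3" "$2"; then
        echo "FAIL: $1 -> $2 is not a $1 file (no '$3' header)"
    fi
}

# Walk the directives; always returns 0 so the output can be piped.
ovpn_lint() {
    conf=$1; dir=$(dirname "$conf"); ca=; cert=
    while read -r directive arg rest; do
        case "$directive" in ''|'#'*|';'*) continue ;; esac
        case "$directive" in
            ca)   ca=$(resolve "$dir" "$arg");   check_file ca   "$ca"   'BEGIN CERTIFICATE' ;;
            cert) cert=$(resolve "$dir" "$arg"); check_file cert "$cert" 'BEGIN CERTIFICATE' ;;
            key)
                f=$(resolve "$dir" "$arg"); check_file key "$f" 'PRIVATE KEY'
                # Columns 5-10 of "ls -l" are the group and other permission bits.
                if [ -f "$f" ] && [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
                    echo "FAIL: key -> $f is group or others accessible (chmod 600 $f)"
                fi ;;
            tls-auth)
                check_file tls-auth "$(resolve "$dir" "$arg")" 'BEGIN OpenVPN Static key V1'
                if [ -z "$rest" ]; then
                    echo "FAIL: tls-auth needs a key direction; the client uses 1 when the server uses 0"
                fi ;;
            auth)
                case "$arg" in */*|*.tls-auth|*.key)
                    echo "FAIL: auth takes a digest name (SHA1, SHA256...), not a file; use 'tls-auth $arg 1'" ;;
                esac ;;
            dev)
                case "$arg" in /*)
                    echo "FAIL: dev takes tun, tap or tunN, not a path; put '$arg' in dev-node" ;;
                esac ;;
            ns-cert-type)
                echo "WARN: ns-cert-type is deprecated; prefer 'remote-cert-tls server'" ;;
        esac
    done < "$conf"
    if [ -n "$ca" ] && [ "$ca" = "$cert" ]; then
        echo "FAIL: ca and cert point at the same file ($ca); ca must be the CA certificate"
    fi
    # A tls-auth key on disk that the config never loads means the server sees packets
    # without the expected HMAC ("cannot locate HMAC in incoming packet").
    for k in "$dir"/*.tls-auth; do
        [ -f "$k" ] || continue
        grep -q '^tls-auth' "$conf" || echo "FAIL: $k exists but the config has no tls-auth line"
    done
    return 0
}

ovpn_lint_count() { ovpn_lint "$1" | grep -c '^FAIL' || true; }

# Constructed demo tree: bad.conf mirrors the config posted in the thread, good.conf fixes it.
demo_setup() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed CA\n-----END CERTIFICATE-----\n' > "$d/client2.ca"
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed client cert\n-----END CERTIFICATE-----\n' > "$d/client2.cert"
    printf -- '-----BEGIN PRIVATE KEY-----\nconstructed key\n-----END PRIVATE KEY-----\n' > "$d/client2.key"
    printf -- '-----BEGIN OpenVPN Static key V1-----\nconstructed\n-----END OpenVPN Static key V1-----\n' > "$d/client2.tls-auth"
    chmod 644 "$d/client2.key"   # the state OpenVPN warned about in the log
    cat > "$d/bad.conf" <<'EOF'
client
dev /dev/tun
proto udp
remote xxxxx.dyndns.org 1194
ca client2.cert
cert client2.cert
key client2.key
auth client2.tls-auth
ns-cert-type server
EOF
    cat > "$d/good.conf" <<'EOF'
client
dev tun
proto udp
remote xxxxx.dyndns.org 1194
ca client2.ca
cert client2.cert
key client2.key
tls-auth client2.tls-auth 1
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
EOF
    echo "$d"
}

d=$(demo_setup)
echo "== bad.conf =="; ovpn_lint "$d/bad.conf"
chmod 600 "$d/client2.key"
echo "== good.conf: $(ovpn_lint_count "$d/good.conf") FAIL(s) =="
rm -rf "$d"
```

Run it against the real file with `ovpn_lint /etc/openvpn/client2.conf` after sourcing the script; the direction argument matters because pfSense's server side uses direction 0, so the client copy of the same static key must be loaded with direction 1.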
     
  12. MyKroFt (Guru; joined Oct 31, 2008; 655 messages; 3 likes received)

  13. MyKroFt (Guru; joined Oct 31, 2008; 655 messages; 3 likes received)

    Added

    Code:
    auth /etc/openvpn/client2.tls-auth

    to the .conf file and now get:

    Code:
    Jan 21 12:33:17 pbx openvpn[14703]: Message hash algorithm '/etc/openvpn/client2.tls-auth' not found (OpenSSL)
    Jan 21 12:33:17 pbx openvpn[14703]: Exiting

    The client2.tls-auth came from the pfSense router....

    so I think I am getting close....

    Myk
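The errors quoted across the last few posts ("is group or others accessible", "cannot locate HMAC in incoming packet", "TLS key negotiation failed to occur within 60 seconds", "Message hash algorithm '...' not found") each point at one specific misconfiguration, and the earlier Android post's "read UDPv4 [ECONNREFUSED]" at another. As an added example, written for this page rather than taken from the thread or the Easy OpenVPN project, this POSIX shell filter maps those OpenVPN log strings to their usual cause so a failed "service openvpn start" can be triaged from /var/log/messages at a glance. The sample log is constructed (PIDs and addresses made up) from the lines quoted in this thread; the matched strings are OpenVPN's own messages.

```shell
#!/bin/sh
# Added example, not from the thread: triage OpenVPN log lines by known error string.
set -u

# One log line in, one diagnosis out (nothing for lines we do not recognise).
ovpn_diagnose_line() {
    case "$1" in
        *"is group or others accessible"*)
            echo "KEY-PERMS: private key is readable by group/others; chmod 600 it" ;;
        *"cannot locate HMAC in incoming packet"*)
            echo "TLS-AUTH: peer packets carry no (or a different) tls-auth HMAC; both sides need the same static key with directions 0/1" ;;
        *"TLS key negotiation failed to occur within"*)
            echo "HANDSHAKE-TIMEOUT: no valid TLS packets in 60s; usually a tls-auth mismatch, UDP/1194 blocked, or the wrong remote" ;;
        *"Message hash algorithm '"*"' not found"*)
            echo "AUTH-DIRECTIVE: 'auth' takes a digest name (SHA1, SHA256), not a file; the static key belongs in 'tls-auth <file> <direction>'" ;;
        *"[ECONNREFUSED]"*)
            echo "PORT-UNREACHABLE: an ICMP port unreachable came back for our UDP packet; nothing is listening at the address/port being used" ;;
        *"Peer Connection Initiated"*)
            echo "OK: TLS handshake completed with the peer" ;;
    esac
}

# Read a log on stdin and print each distinct diagnosis once.
ovpn_triage() {
    while IFS= read -r line; do
        ovpn_diagnose_line "$line"
    done | sort -u
}

# Number of distinct diagnoses, for a quick "did anything go wrong" check.
ovpn_triage_count() { ovpn_triage | grep -c . || true; }

# Constructed sample, stitched together from the messages quoted in this thread.
sample_log() {
    cat <<'EOF'
Jan 21 10:54:25 pbx openvpn[12931]: OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO1] [EPOLL] [PKCS11] built on Jan 20 2012
Jan 21 10:54:25 pbx openvpn[12931]: WARNING: file '/etc/openvpn/client2.key' is group or others accessible
Jan 21 10:54:26 pbx openvpn[12932]: UDPv4 link remote: 203.0.113.29:1194
Jan 21 11:55:26 pbx openvpn[215]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.0.2.29:1194
Jan 21 12:17:05 pbx openvpn[14313]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 21 12:17:05 pbx openvpn[14313]: TLS Error: TLS handshake failed
Jan 21 12:17:05 pbx openvpn[14313]: SIGUSR1[soft,tls-error] received, process restarting
Jan 21 12:33:17 pbx openvpn[14703]: Message hash algorithm '/etc/openvpn/client2.tls-auth' not found (OpenSSL)
Sep 21 21:30:15 pbx openvpn[20925]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
EOF
}

sample_log | ovpn_triage
```

On a live box the same filter runs as `grep openvpn /var/log/messages | ovpn_triage`; because the handshake timeout is a consequence of the HMAC mismatch rather than a separate fault, fix the TLS-AUTH finding first and re-check.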
     
  14. dad311 (Guru; joined Jan 13, 2008; 601 messages; 1 like received)

  15. dad311 (Guru; joined Jan 13, 2008; 601 messages; 1 like received)

    All the links in post one have been updated to reflect several changes to the Easy OpenVPN project.

    Changes / additions include:

    • CentOS 6 amd64 OS.
    • OpenVPN client username & password authentication (OpenVZ template).
    • Scripts to build an OpenVPN server with DD-WRT clients on CentOS 6.
     
  16. stuck (Member; joined Nov 8, 2007; 225 messages; 0 likes received)

    dad311,
    I know this thread is old, but I am interested in installing Easy OpenVPN on my existing RentPBX machine (configured with Travelin' Man 3). The main reason is to see if I can resolve a registration issue with one remote site behind pfSense with a mixture of various endpoints.
    Do you know how (if possible) to make OpenVPN play nice with Travelin' Man 3? On a test system, the script wipes all of Travelin' Man 3's iptables entries...
     
  17. dad311 (Guru; joined Jan 13, 2008; 601 messages; 1 like received)

    It appears that some of the links in the thread no longer work. Below are the Easy OpenVPN scripts for version 1.2. These scripts will create DD-WRT and Yealink clients.
     

    Attached Files:

  18. ghurty (Senior Member; joined Jan 13, 2009; 843 messages; 2 likes received)

    Is there an Ubuntu version of this script?

    Thank you
     