TUTORIAL Easy OpenVPN

Joined
Jun 29, 2009
Messages
258
Reaction score
0
You're seeing why many of us stuck with Hamachi. :wink5:

Wish I could, Ward. Unfortunately, there is no version of the Tomato firmware (used on routers) that natively supports Hamachi, whereas there is for OpenVPN. That means that you can make all communication through that router go through the VPN tunnel if you like, but only when using OpenVPN, sadly.
 

newvoiper

Member
Joined
Nov 20, 2010
Messages
94
Reaction score
25
I flashed my LG Optimus V to a Cyanogen7 7.1RC (Gingerbread) ROM, mainly for the OpenVPN client support that is built into this ROM. My OpenVPN server is on my PBX.

Using the mobile network, I could get my server to authenticate the client and assign IP addresses, with the default server.conf configuration for OpenVPN. Then the client (Optimus) immediately refused the connection.

Here are the log entries:

Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 [LGPhone] Peer Connection Initiated with <snip>:36700
Sep 21 21:30:13 pbx openvpn[20925]: LGPhone/<snip>:36700 MULTI: Learn: 10.8.0.10 -> LGPhone/<snip>:36700
Sep 21 21:30:13 pbx openvpn[20925]: LGPhone/<snip>:36700 MULTI: primary virtual IP for LGPhone/<snip>:36700: 10.8.0.10
Sep 21 21:30:15 pbx openvpn[20925]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

One thing I noticed that seemed strange: the IP in the logs is not the IP of my Optimus in Virgin Mobile's network; it seems to try connecting to a proxy server on my mobile network.

Has anyone else got CM7 to work with OpenVPN?
 

MyKroFt

Guru
Joined
Oct 31, 2008
Messages
659
Reaction score
3
I got tired of depending on Hamachi also, that's why I moved to OpenVPN. PFSense OpenVPN and Easy OpenVPN will accomplish the same thing.

If you decide to use the PFSense OpenVPN server, you can then use Easy OpenVPN to install all the required software on PBXiaf for a client setup. Just run the first script and then delete all files from directory /etc/openvpn. After deleting all the files from /etc/openvpn, copy your new client config files (created on PFSense) to /etc/openvpn.

Am now just finally getting back to this - dam hamachi....

I am going to assume I create a client in pfsense openvpn, which looks like it is storing its files in /var/etc/openvpn.

I have server1 and client2 sets of files - only have 1 client defined - am going to assume the client2.* files are what I need?

Thanks
Myk
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
Am now just finally getting back to this - dam hamachi....

I am going to assume I create a client in pfsense openvpn, which looks like it is storing its files in /var/etc/openvpn.

I have server1 and client2 sets of files - only have 1 client defined - am going to assume the client2.* files are what I need?

Thanks
Myk

Here is a listing of my client files in /etc/openvpn on the PBX.
root@pbx:/etc/openvpn $ ls
ca.crt client1.conf client1.crt client.key client1.tar ta.key

The .conf file may need to be edited to point to the correct directory for the above files.

When the first Easy OpenVPN script finishes, it will ask you to edit some files. Ignore this step if you are only setting up an OpenVPN client.

Of all the Open Source stuff I have, OpenVPN may be the most reliable. Once set up, it runs nonstop and auto-reconnects if needed. It's been bulletproof for over 3 years.
 

MyKroFt

Guru
Joined
Oct 31, 2008
Messages
659
Reaction score
3
here are the files in my /var/etc/openvpn dir

Code:
client2.ca              client2.tls-auth        server1.key
client2.cert            server1.ca              server1.sock
client2.conf            server1.cert            server1.tls-auth
client2.key             server1.conf            server1.tls-verify.php
client2.sock            server1.crl-verify
So all I need are the client2.* files minus the .sock file?

here are the contents of client2.conf, sanitized....

Code:
dev ovpnc2
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xx.xx.xx
tls-client
client
lport 0
management /var/etc/openvpn/client2.sock unix
remote xxxxx.dyndns.org 1194
ifconfig 192.168.1.2 192.168.1.1
I am over my head here :(

Myk
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
I would copy ALL the client2 files to the client machine. Restart OpenVPN, check your /var/log/messages files for errors.
 

MyKroFt

Guru
Joined
Oct 31, 2008
Messages
659
Reaction score
3
ok, getting somewhere slowly...

execute:

Code:
root@pbx:/etc/openvpn $ service openvpn start
Starting openvpn: [  OK  ]
here is what /var/log/messages states:

Code:
Jan 21 10:54:25 pbx openvpn[12931]: OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO1] [EPOLL] [PKCS11] built on Jan 20 2012
Jan 21 10:54:25 pbx openvpn[12931]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 21 10:54:25 pbx openvpn[12931]: WARNING: file '/etc/openvpn/client2.key' is group or others accessible
Jan 21 10:54:25 pbx openvpn[12931]: LZO compression initialized
Jan 21 10:54:25 pbx openvpn[12931]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jan 21 10:54:26 pbx openvpn[12931]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Jan 21 10:54:26 pbx openvpn[12931]: Local Options hash (VER=V4): '1a7820b3'
Jan 21 10:54:26 pbx openvpn[12931]: Expected Remote Options hash (VER=V4): '3e6cc37d'
Jan 21 10:54:26 pbx openvpn[12932]: Socket Buffers: R=[110592->131072] S=[110592->131072]
Jan 21 10:54:26 pbx openvpn[12932]: UDPv4 link local (bound): [undef]:1194
Jan 21 10:54:26 pbx openvpn[12932]: UDPv4 link remote: 174.19.16.29:1194
but no other device shows up in ifconfig for a ip address...

ideas?

thanks
Myk
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
No other messages? No error messages?

Also check the log file on your pf server for clues.
 

MyKroFt

Guru
Joined
Oct 31, 2008
Messages
659
Reaction score
3
openvpn[215]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.0.29:1194

over and over on the pfsense box
 

MyKroFt

Guru
Joined
Oct 31, 2008
Messages
659
Reaction score
3
after 60 seconds i get this added to messages

Jan 21 12:17:05 pbx openvpn[14313]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 21 12:17:05 pbx openvpn[14313]: TLS Error: TLS handshake failed
Jan 21 12:17:05 pbx openvpn[14313]: TCP/UDP: Closing socket
Jan 21 12:17:05 pbx openvpn[14313]: SIGUSR1[soft,tls-error] received, process restarting
Jan 21 12:17:05 pbx openvpn[14313]: Restart pause, 2 second(s)
 

MyKroFt

Guru
Joined
Oct 31, 2008
Messages
659
Reaction score
3
here is current .conf file...

port 1194
dev /dev/tun
proto udp
remote xxxxxxxxxx.dyndns.org 1194
ping 30

persist-tun
persist-key

cipher AES-128-CBC

tls-client

ca /etc/openvpn/client2.crt
cert /etc/openvpn/client2.crt
key /etc/openvpn/client2.key

ns-cert-type server
comp-lzo
 

MyKroFt

Guru
Joined
Oct 31, 2008
Messages
659
Reaction score
3
added

auth /etc/openvpn/client2.tls-auth

to the .conf file and now get

Jan 21 12:33:17 pbx openvpn[14703]: Message hash algorithm '/etc/openvpn/client2.tls-auth' not found (OpenSSL)
Jan 21 12:33:17 pbx openvpn[14703]: Exiting

the client2.tls-auth came from the pfsense router....

so I think I am getting close....

Myk
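Added example, not part of any post in this thread and not code from the Easy OpenVPN scripts: a small Python check for the client-config problems visible in the logs and .conf files posted above (a file path passed to `auth`, no `tls-auth` directive while the server export ships a tls-auth key, `ca` and `cert` naming the same file, and a key file readable by group or others). The finding names and the `server_uses_tls_auth` parameter are made up for this illustration.

```python
import os
import re
import stat

# Constructed sample: the client .conf posted above plus the later "auth" line.
SAMPLE_CONF = """\
port 1194
dev /dev/tun
proto udp
remote xxxxxxxxxx.dyndns.org 1194
cipher AES-128-CBC
tls-client
ca /etc/openvpn/client2.crt
cert /etc/openvpn/client2.crt
key /etc/openvpn/client2.key
auth /etc/openvpn/client2.tls-auth
ns-cert-type server
comp-lzo
"""

def parse(conf_text):
    """Map each directive to its argument list (last occurrence wins)."""
    opts = {}
    for line in conf_text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop comments
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts

def lint(conf_text, server_uses_tls_auth=True):
    """Return finding ids. server_uses_tls_auth is an assumption the caller
    supplies, e.g. because the server export contained a *.tls-auth key."""
    opts, findings = parse(conf_text), []
    auth = (opts.get("auth") or [""])[0]
    if "/" in auth:
        # --auth takes a digest name such as SHA1; a path yields
        # "Message hash algorithm '...' not found".
        findings.append("auth-given-a-file-path")
    if server_uses_tls_auth and "tls-auth" not in opts:
        # The server then logs "cannot locate HMAC in incoming packet".
        findings.append("tls-auth-directive-missing")
    if opts.get("ca") and opts.get("ca") == opts.get("cert"):
        findings.append("ca-and-cert-same-file")
    key = (opts.get("key") or [""])[0]
    if os.path.isfile(key) and stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        # Matches the "is group or others accessible" warning in the log.
        findings.append("key-group-or-other-accessible")
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE_CONF))
```

The key-permission check only fires when the key path exists on the machine running the script, so run it on the client itself.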
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
All the links in post one have been updated to reflect several changes to the Easy OpenVPN project.

Changes / additions include:

  • Centos 6 amd64 OS.
  • OpenVPN client username & password authentication (OpenVZ template).
  • Scripts to build an OpenVPN server with dd-wrt clients on Centos 6.
 

stuck

Member
Joined
Nov 8, 2007
Messages
238
Reaction score
1
dad311,
I know this thread is old, but I am interested in installing easyopenvpn on my existing rentpbx machine (configured with travelin man3). The reason mainly is to see if I can resolve some registration issue with one remote site behind pfsense with a mixture of various endpoints.
Do you know how (if possible) to make openvpn play nice with travelin man3? On a test system, the scripts wipe all of the travelin man3's iptables entries...
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
It appears that some of the links in the thread no longer work. Below are the Easy-OpenVPN scripts for version 1.2. These scripts will create DD-wrt and Yealink clients.
 

Attachments

  • Easy-OpenVPN-1.2-with-DD-WRT-clients.tar.gz
    113.3 KB · Views: 27

ghurty

Senior Member
Joined
Jan 13, 2009
Messages
852
Reaction score
4
Is there a ubuntu version of this script?

Thank you
 

markd89

Member
Joined
Sep 3, 2013
Messages
97
Reaction score
9
The scripts download Open VPN 2.1.3.

Current is 2.3.14. Normally, I like to use something a little old so I know it's solid, but for security software, having the fixes is probably smart.

I'm thinking it's probably going to be easier to manually install Open VPN than tweak the scripts.

Any Open VPN users have an opinion? (I am currently using Neorouter, but having issues; see another thread.)

Thanks,
Mark
 

ou812

Guru
Joined
Oct 18, 2007
Messages
479
Reaction score
79
I used this script many years ago (I think about 4) for a customer which has 3 remote Yealink T28 phones; it works very well still to this day.

Gary
 
