Configure openvpn on a Debian server and client
These notes cover the installation of OpenVPN on a Debian server and client. Once setup, all internet traffic, including browser traffic, from the client will travel via the VPN to the server. We do a quick "client baseline," then the server config, then the client config, then testing.
These notes presume you are not ethernet bridging: i.e., these instructions are for dev tun not dev tap.
First, let's be sure that you know the real IP#s of both your client and your server, and that your underlying networking is sound. Switch to your client and run the following diagnostics:
1. Your client's ifconfig should not have an entry for tun0. E.g., from a workstation with both wired and wireless ethernet interface, you should see something like
you@client:~$ sudo ifconfig -a Sat Nov 8 17:26:05 EST 2014 eth0 Link encap:Ethernet HWaddr ... ... lo Link encap:Local Loopback ... wlan0 Link encap:Ethernet HWaddr ... ...
2. From your ifconfig, note the IP# (or inet addr) of the ethernet interface you are using. This is your client's IP#.
3. ping your server from your client using the server's IP#. If this fails, you probably don't actually know its IP#, and you must know it, so stop now and learn it.
4. ping your server from your client using IP#=10.8.0.1. This should fail, since you have not yet setup your VPN.
5. Check that DNS works from your client. Use www.whatismyip.com (or the IP-echo website you prefer), since you will access this website later. You should see something like
you@client:~$ nslookup www.whatismyip.com ... Non-authoritative answer: Name: www.whatismyip.com Address: 188.8.131.52 Name: www.whatismyip.com Address: 184.108.40.206
6. ping www.whatismyip.com (or the IP-echo website you prefer): this will later be used to establish validity of routing beyond your VPN. You should see something like
you@client:~$ ping -c 4 www.whatismyip.com PING www.whatismyip.com (220.127.116.11) 56(84) bytes of data. 64 bytes from 18.104.22.168: icmp_seq=1 ttl=57 time=94.7 ms 64 bytes from 22.214.171.124: icmp_seq=2 ttl=57 time=157 ms 64 bytes from 126.96.36.199: icmp_seq=3 ttl=57 time=88.3 ms 64 bytes from 188.8.131.52: icmp_seq=4 ttl=57 time=88.8 ms --- www.whatismyip.com ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 15621ms rtt min/avg/max/mdev = 88.370/107.325/157.369/29.002 ms
7. Trace the route to www.whatismyip.com (or the IP-echo website you prefer). You should see something like
you@client:~$ traceroute www.whatismyip.com traceroute to www.whatismyip.com (184.108.40.206), 30 hops max, 60 byte packets 1 192.168.15.1 (192.168.15.1) 0.850 ms 0.838 ms 1.378 ms ... 10 220.127.116.11 (18.104.22.168) 96.397 ms 96.392 ms 95.841 ms
The first IP# is your IP gateway (e.g., the modem/router on your client's physical LAN). The last IP# must be that of your target IP-echo website (as noted by nslookup and ping). The number of lines of traceroute output (aka the number of "hops") is probably not relevant.
8. Open a web browser and access http://www.whatismyip.com (or the IP-echo website you prefer). It should return the client IP# as listed in your ifconfig.
Note that, in section=Client configuration (below), you'll be installing some network-related packages. If you're cautious (and that's a good thing!), repeat these baseline diagnostics after installing those packages, to be extra-sure your client is still networking properly.
Switch to your server. First, install OpenVPN on it, with (e.g.)
aptitude install openvpn
Next, create the keys needed by both server and client.
mkdir /etc/openvpn/easy-rsa cp -ai /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa cd /etc/openvpn/easy-rsa/2.0 vi vars
In the vars file, edit the KEY_* entries at the bottom of the file, such as KEY_COUNTRY, KEY_ORG, KEY_EMAIL, etc. Next, source the vars file and then clean the directory.
. ./vars ./clean-all
Next build the certificates. For the 'Common Name' field, you can use anything to your liking. I used 'OpenVPN-CA-rustybear'. For the Certificate Authority (build-ca), use 'server'. For the client keys (build-key), use 'client1' or 'client2' or whatever you like, I used 'client_kevin'.
./build-ca ./build-key-server server ./build-key client_kevin ./build-key client2
Generate the Diffie Hellman parameters for the server.
When this is done, you will have a number of files in the keys/ subdirectory. Copy the keys listed below to the server's /etc/openvpn directory.
cd /etc/openvpn cp easy-rsa/2.0/keys/ca.crt . cp easy-rsa/2.0/keys/server.key . cp easy-rsa/2.0/keys/server.crt . cp easy-rsa/2.0/keys/dh1024.pem .
And copy the keys needed for the client either directly to the client via scp or to a USB disk. The files needed by the client are ca.crt, client_kevin.crt, and client_kevin.key (or whatever you named the files when you generated them with the build-key script).
Switching to the client machine for just a moment, copy the client keys to the /etc/openvpn directory.
Next, back on the server, create the openvpn server config file. Start with the example in the docs.
cd /etc/openvpn cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf .
Gunzip it if necessary then edit it. Here's a simple but workable example:
1 # [server.conf] 2 port 1194 3 proto udp 4 dev tun 5 ca /etc/openvpn/ca.crt 6 cert /etc/openvpn/server.crt 7 key /etc/openvpn/server.key 8 dh /etc/openvpn/dh1024.pem 9 server 10.8.0.0 255.255.255.0 10 ifconfig-pool-persist ipp.txt 11 push "redirect-gateway def1 bypass-dhcp" 12 # choose DNS server(s) depending on your location 13 # `nslookup 22.214.171.124` -> '126.96.36.199.in-addr.arpa name = google-public-dns-a.google.com.' 14 push "dhcp-option DNS 188.8.131.52" 15 push "dhcp-option DNS 184.108.40.206" 16 # `whois 220.127.116.11` -> China Unicom 17 # push "dhcp-option DNS 18.104.22.168" 18 # push "dhcp-option DNS 22.214.171.124" 19 keepalive 10 120 20 comp-lzo 21 user nobody 22 group nogroup 23 persist-key 24 persist-tun 25 status openvpn-status.log 26 verb 3
Note the entries for push "dhcp-option DNS. The DNS servers you list must be accessible from your server and client. They will be pushed out to the client and can cause networking problems on the client if incorrect.
Now start the openvpn server with either of the following commands.
You will need to enable IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
You can make this a permanent change by uncommenting the line:
net.ipv4.ip_forward = 1
in the file /etc/sysctl.conf.
You'll also have to allow NAT forwarding through your firewall. This will most likely be accomplished with something like the following rule in iptables:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
This assumes you have set up your openvpn server with the IP 10.8.0.0 in the server.conf file as described above.
Switch to your client. You'll need to install two packages on it:
openvpn for OpenVPN (you guessed !-)
resolvconf. This is more problematic (resolvconf can potentially conflict with other DNS-writing programs on your client) but we need it to make DNS work correctly on the client. If you're cautious (and that's a good thing!), read README.Debian in the OpenVPN docs and the README for resolvconf.
Install the packages with (e.g.)
aptitude install openvpn resolvconf
In the server config above, you created keys for the client, which you should have already copied from the server to the client's directory at /etc/openvpn. This includes the ca.crt file.
Next you need a client.conf file, a sample of which is found in the docs.
cd /etc/openvpn cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf . vi client.conf
or feel free to use this simple but workable example ... after you substitute
your server's IP number for your.server.IP.number
your client name for client_kevin (unless you used that name when generating certificates and keys)
1 # [client.conf] 2 client 3 dev tun 4 proto udp 5 remote your.server.IP.number 1194 6 resolv-retry infinite 7 nobind 8 user nobody 9 group nogroup 10 persist-key 11 persist-tun 12 mute-replay-warnings 13 ca /etc/openvpn/ca.crt 14 cert /etc/openvpn/client_kevin.crt 15 key /etc/openvpn/client_kevin.key 16 ns-cert-type server 17 comp-lzo 18 verb 3 19 up /etc/openvpn/update-resolv-conf 20 down /etc/openvpn/update-resolv-conf
Some obvious things: You'll want to use your server's IP for the remote entry. List your client keys and the server CA. Uncomment the user and group entries.
Not so obvious are the last two lines. They call the script update-resolv-conf, which should be in your /etc/openvpn directory. The script will use resolvconf (which you installed above) and the DNS settings of your openvpn server, to rewrite your client's resolv.conf file.
To start openvpn on the client, issue the command:
openvpn --script-security 2 --config /etc/openvpn/client.conf &
You'll need the --script-security setting to get the update-resolv-conf script to execute. You can place this setting in the client.conf file if you like.
On both the server and the client, you can control whether your vpn is automatically started on machine startup by editing the AUTOSTART lines in the file /etc/default/openvpn.
Check your installation by
1. Start your server (as instructed above) if you have not already done so.
2. Start your client (as instructed above) if you have not already done so.
3. Run ifconfig on your client. You should see a new entry for tun0: i.e., in addition to the ifconfig entries you noted in your client baseline (above), you should now also see an entry like the following (possibly with slightly different inet addr)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:14 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:0 (0.0 B) TX bytes:896 (896.0 B)
4. ping your server from your client using the server's real IP#: i.e., the one you listed in your client.conf in the line beginning with remote. This is just a sanity test: if this does not work, something is very wrong with your networking.
5. ping your server from your client using IP#=10.8.0.1. You should see something like
you@client:~$ date ; ping -c 4 10.8.0.1 Sat Nov 8 17:49:40 EST 2014 PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data. 64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=100 ms 64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=92.0 ms 64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=80.7 ms 64 bytes from 10.8.0.1: icmp_seq=4 ttl=64 time=83.5 ms --- 10.8.0.1 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3004ms rtt min/avg/max/mdev = 80.705/89.308/100.980/7.930 ms
6. Check that DNS works from your client, using www.whatismyip.com (or the IP-echo website you prefer). You should see something like
you@client:~$ date ; nslookup www.whatismyip.com Sat Nov 8 17:51:21 EST 2014 ... Non-authoritative answer: Name: www.whatismyip.com Address: 126.96.36.199 Name: www.whatismyip.com Address: 188.8.131.52
7. ping www.whatismyip.com (or the IP-echo website you prefer) to establish validity of routing beyond your VPN. You should see output similar to those you got when you did this for your client baseline, though the response times will probably be longer. If instead you see something like
you@client:~$ ping -c 4 www.whatismyip.com PING www.whatismyip.com (184.108.40.206) 56(84) bytes of data. --- www.whatismyip.com ping statistics --- 4 packets transmitted, 0 received, 100% packet loss, time 3023ms
you have a routing problem at your server, which you need to fix.
7. Trace the new route to www.whatismyip.com, or the IP-echo website you prefer, or some other IP address beyond your VPN. You should see output not too different to those you got when you did this for your client baseline, though you will probably see more lines/hops. If instead you see something like
you@client:~$ traceroute www.whatismyip.com traceroute to www.whatismyip.com (220.127.116.11), 30 hops max, 60 byte packets 1 10.8.0.1 (10.8.0.1) 99.579 ms 99.584 ms 104.230 ms 2 * * * ... 30 * * *
you have a routing problem at your server, which you need to fix.
8. Open a web browser and access http://www.whatismyip.com (or the IP-echo website you prefer). It should return the IP of the server (i.e., the one you listed in your client.conf in the line beginning with remote), not the client. The browser should not hang while either looking up or connecting.
-- KevinCoyner 2011-02-23 08:07:04