RAM Host Community Forums

Knowledge and Help for our Customers (and everyone else)


#1 15 Nov 2009 5:15:25 pm

ramnet
Moderator
From: USA
Registered: 15 Nov 2009
Posts: 582
Website

Debian/Ubuntu - Install OpenVPN

This tutorial shows you how to install and configure an OpenVPN tunnel on your VPS.

These instructions were developed with Debian / Ubuntu in mind; however, the procedure should be similar for other Linux distros (I've only tested these on Debian 5, but they should work unmodified for other deb-variants).

------

1) Download and Install OpenVPN:

# apt-get install openvpn

2) Move some things into the correct place:

# cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

3) Generate Server and Client Encryption:

# cd /etc/openvpn/easy-rsa/2.0

# . ./vars 	

# ./clean-all 	

# ./build-ca 

# ./build-key-server server

# ./build-key client1

# ./build-dh

Press enter at each prompt, and answer yes to all yes/no questions.

DO NOT ENTER ANY PASSWORD IF PROMPTED TO DO SO - PRESS ENTER.

4) Apply iptables rule to forward traffic from the VPN to the Internet:

# chmod 755 /etc/rc.local

# nano /etc/rc.local

The default contents of this file are as follows:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

exit 0

We are going to add the following before "exit 0".

Replace "208.110.73.134" with the actual IP address of your VPS.

When you are done you should have something that looks like this:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# add iptables rule for openvpn
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to 208.110.73.134

exit 0

5) Create OpenVPN configuration file:

# nano /etc/openvpn/openvpn.conf

Insert the following:

    dev tun
    proto tcp
    port 1194

    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

    user nobody
    group nogroup
    server 10.8.0.0 255.255.255.0

    persist-key
    persist-tun

    #status openvpn-status.log
    #verb 3
    client-to-client

    push "redirect-gateway def1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 4.2.2.4"

    comp-lzo

6) Start OpenVPN:

# /etc/init.d/openvpn start
# /etc/rc.local &

---------------

Now, download the following files to your local computer (the client):

/etc/openvpn/easy-rsa/2.0/keys/ca.crt

/etc/openvpn/easy-rsa/2.0/keys/client1.crt

/etc/openvpn/easy-rsa/2.0/keys/client1.key

And finally, here is an example client configuration (client.ovpn):

client
dev tun
proto tcp

# The hostname/IP and port of the server.
# CHANGE THIS TO YOUR VPS IP ADDRESS
remote 208.110.73.134 1194

resolv-retry infinite
nobind

persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key

comp-lzo
verb 3

-----------

If you're on Microsoft Windows you can grab an OpenVPN client and tun driver from http://deploy.ramhost.org/vps/openvpn-2 … nstall.exe

Step-By-Step OpenVPN Client configuration howto for Microsoft Windows users:

http://forums.ramhost.org/bbs/viewtopic.php?id=165

Linux/BSD/Apple users can install the usual openvpn client software using their package manager.

Last edited by ramnet (17 Nov 2009 11:29:29 am)


Alex, RAM Host

Offline
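
Added example, not part of the original post: a small shell check that reads an OpenVPN server config and lists the settings from the tutorial's openvpn.conf that a hardening review would look at (the 1024-bit DH file, comp-lzo, client-to-client, no tls-auth key), plus the duplicate-cn option mentioned later in the thread. The helper names audit_openvpn_conf and sample_conf are assumptions, and the sample config is a constructed copy of the relevant lines.

```shell
#!/bin/sh
# Added example (not from the original post). audit_openvpn_conf and
# sample_conf are hypothetical helper names, not part of OpenVPN.

# Constructed sample: the relevant lines of the tutorial's server config.
sample_conf() {
cat <<'EOF'
dev tun
proto tcp
port 1194
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
#status openvpn-status.log
client-to-client
push "redirect-gateway def1"
comp-lzo
EOF
}

# Read an OpenVPN server config on stdin and print one finding per line.
audit_openvpn_conf() {
    awk '
    { sub(/^[ \t]+/, "") }              # tolerate indented directives
    /^[#;]/ || NF == 0 { next }         # skip comments and blank lines
    $1 == "dh" && $2 ~ /1024/ { print "WEAK_DH: " $2 " looks like a 1024-bit group" }
    $1 == "comp-lzo" || $1 == "compress" { print "COMPRESSION: " $1 " compresses plaintext before encryption" }
    $1 == "duplicate-cn" { print "SHARED_CERT: one certificate may be used by several clients at once" }
    $1 == "client-to-client" { print "CLIENT_TO_CLIENT: clients reach each other without passing the server firewall" }
    $1 == "tls-auth" || $1 == "tls-crypt" { hmac = 1 }
    $1 == "user" || $1 == "group" { drop++ }
    END {
        if (!hmac)    print "NO_TLS_AUTH: no tls-auth/tls-crypt key protects the TLS handshake"
        if (drop < 2) print "RUNS_AS_ROOT: user/group not both set, daemon keeps root after start"
    }'
}

sample_conf | audit_openvpn_conf
```

To check a live server, feed it the real file: `audit_openvpn_conf < /etc/openvpn/openvpn.conf`.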

#2 19 Nov 2009 9:29:42 pm

ksx4system
Member
From: Poland, Europe
Registered: 19 Nov 2009
Posts: 29
Website

Re: Debian/Ubuntu - Install OpenVPN

Great guide (I did it on Ubuntu 9.04 upgraded to 9.10)!

I would like to know too:

1) how to change default port for VPN (via something in openvpn.conf?)?
2) the comp-lzo option is for compression, right? is it high compression level or not? I want the highest.

Greetings,
have a nice day! ;-)


Happy ramhost.us VPS user since September 2009 :-)

Offline

#3 19 Nov 2009 10:55:11 pm

ramnet
Moderator
From: USA
Registered: 15 Nov 2009
Posts: 582
Website

Re: Debian/Ubuntu - Install OpenVPN

ksx4system wrote:

1) how to change default port for VPN (via something in openvpn.conf?)?

Inside the server config (/etc/openvpn/openvpn.conf):

....
port 1194
....

change to whatever you want.

And then inside the client configuration file (client.ovpn):

.....
# The hostname/IP and port of the server.
# CHANGE THIS TO YOUR VPS IP ADDRESS
remote 208.110.73.134 1194
.....

the "1194" at the end is the port to use.

It must be the same number in both the server and client config files, otherwise it won't work.

-------------

ksx4system wrote:

2) the comp-lzo option is for compression, right? is it high compression level or not? I want the highest.

Yes, it is for compression, using the Lempel-Ziv-Oberhumer compression scheme - the same kind used to compress GIF images. It's an old compression scheme that provides a low to medium level of compression (by modern standards).

As far as I know OpenVPN only supports one kind of compression, and this is it.


Alex, RAM Host

Offline

#4 12 Dec 2009 11:50:57 am

herbyscrub
Member
Registered: 12 Dec 2009
Posts: 9

Re: Debian/Ubuntu - Install OpenVPN

You can use the same client1.ovpn on multiple simultaneous guests if you add "duplicate-cn" to /etc/openvpn/openvpn.conf as well.  Otherwise, the clients will all end up with the same IP.

Offline

#5 12 Dec 2009 4:09:24 pm

ras0ir
Member
Registered: 12 Dec 2009
Posts: 2

Re: Debian/Ubuntu - Install OpenVPN

thanks for the tips
BTW,
"net.ipv4.ip_forward" should be 1. this can be set either doing:

echo "1" > /proc/sys/net/ipv4/ip_forward

OR

sysctl -w net.ipv4.ip_forward=1

Last edited by ras0ir (12 Dec 2009 4:27:54 pm)

Offline

#6 29 Dec 2009 8:17:07 am

wintersea
Member
Registered: 24 Dec 2009
Posts: 3

Re: Debian/Ubuntu - Install OpenVPN

Hi admin,

I'm a new Ramhost VPS user. I have been trying to install OpenVPN these days. I followed every step you described and everything looked good. On the server side I got similar result when I ran "# tail /var/log/syslog". On the client side I configured OpenVPN GUI and had it connected to my vpn. However when I tried to open any website in firefox nothing could show. It looked that DNS parsing doesn't work any more. I'm not sure if I missed anything or there's anything wrong on my computer. Would you please help?




Btw I'm using ADSL.

Look forward to your feedback. Thanks.

Last edited by wintersea (30 Dec 2009 7:40:54 am)

Offline

#7 29 Dec 2009 1:02:09 pm

ramnet
Moderator
From: USA
Registered: 15 Nov 2009
Posts: 582
Website

Re: Debian/Ubuntu - Install OpenVPN

"It looked that DNS parsing doesn't work any more."

Your ISP is blocking access to its DNS servers ("124.74.213.68 and 202.96.209.133") from outside its network.

You will need to switch your DNS servers to use a public DNS server.

A good list of such servers is here: http://theos.in/windows-xp/free-fast-pu … rver-list/

My preference is the 4.2.2.x group of servers.


Alex, RAM Host

Offline

#8 30 Dec 2009 7:41:08 am

wintersea
Member
Registered: 24 Dec 2009
Posts: 3

Re: Debian/Ubuntu - Install OpenVPN

It works! Thanks a lot.

Offline

#9 02 Jan 2010 6:31:48 pm

SeanConnery
Member
Registered: 24 Dec 2009
Posts: 32

Re: Debian/Ubuntu - Install OpenVPN

Hi guys,

Got an obviously noob question here. Installed openvpn with the above-mentioned steps and it runs fine.. with a small but i.e.

1. When I do a test through Speedtest.net it detects me as somewhere in London, UK
2. When I run Google, it automatically transfers me to Google.fr which is in French
3. Running Hulu.com works though, it should automatically block non-US ip addresses right?

What's up, I am somewhat confused here. Is my server located in UK/Europe or US? My ip range is 173.208.128.XXX. By the way I am subscribing to Ramhost from Asia. Any ideas guys? Thanks.

Offline

#10 02 Jan 2010 6:34:41 pm

ramnet
Moderator
From: USA
Registered: 15 Nov 2009
Posts: 582
Website

Re: Debian/Ubuntu - Install OpenVPN

I suspect since the 173.208.x.x range was only allocated by ARIN in mid December that many of the GeoIP databases are incorrect or incomplete.

But running a traceroute will always confirm where the servers are located.

As for google, it tends to be way off the mark on commercial ip space - it thinks our backup server in Toronto is actually in Russia ;)

As long as the sites you want to visit work for you I wouldn't worry about it.


Alex, RAM Host

Offline

#11 02 Jan 2010 7:24:58 pm

SeanConnery
Member
Registered: 24 Dec 2009
Posts: 32

Re: Debian/Ubuntu - Install OpenVPN

:) yup you are right. Many thanks for the quick response.

Offline

#12 13 Jan 2010 5:40:09 pm

spdricky
Member
Registered: 13 Jan 2010
Posts: 3

Re: Debian/Ubuntu - Install OpenVPN

Is there any way to add a second user?
I get confused with the keys setup and user setup; should a different user use a different RSA key?

please link to some FAQ if possible.

Thanks

Offline

#13 13 Jan 2010 5:44:51 pm

ramnet
Moderator
From: USA
Registered: 15 Nov 2009
Posts: 582
Website

Re: Debian/Ubuntu - Install OpenVPN

spdricky wrote:

Is there any way to add a second user?
I get confused with the keys setup and user setup; should a different user use a different RSA key?

please link to some FAQ if possible.

Thanks

Adding a 2nd Client to OpenVPN

# cd /etc/openvpn/easy-rsa/2.0
# ./build-key client2

Download the following files for the 2nd client:

/etc/openvpn/easy-rsa/2.0/keys/ca.crt
/etc/openvpn/easy-rsa/2.0/keys/client2.crt
/etc/openvpn/easy-rsa/2.0/keys/client2.key

2nd Client Config:

client
dev tun
proto tcp

# The hostname/IP and port of the server.
# CHANGE THIS TO YOUR VPS IP ADDRESS
remote 208.110.73.134 1194

resolv-retry infinite
nobind

persist-key
persist-tun

ca ca.crt
cert client2.crt
key client2.key

comp-lzo
verb 3

I haven't tested that but it should work.


Alex, RAM Host

Offline

#14 17 Jan 2010 8:21:17 pm

SeanConnery
Member
Registered: 24 Dec 2009
Posts: 32

Re: Debian/Ubuntu - Install OpenVPN

Sorry guys, it's me again.. with another noob question.

I have 2 OpenVPN servers installed one at KC and the other at ATL. The method I am using now to access either one is to delete the files in C:\Program Files\OpenVPN\config when I change locations, and then add the relevant files in config for the new location, and I do this every time I change servers. Is there any method to use the same config files to access both KC and ATL? My current method is kinda messy. Many thanks.

Last edited by SeanConnery (17 Jan 2010 8:25:10 pm)

Offline

#15 17 Jan 2010 8:24:48 pm

ramnet
Moderator
From: USA
Registered: 15 Nov 2009
Posts: 582
Website

Re: Debian/Ubuntu - Install OpenVPN

What I would suggest in your case is to keep the config files for each one in a separate folder on your desktop, and when you want to connect, just open that folder, right-click the .ovpn config file, and it should give you an option "start openvpn on this config file".

Not as streamlined as the usual method, but it works without having to constantly copy/delete files.


Alex, RAM Host

Offline

#16 17 Jan 2010 8:30:51 pm

SeanConnery
Member
Registered: 24 Dec 2009
Posts: 32

Re: Debian/Ubuntu - Install OpenVPN

:) Almost instant reply from ramnet as usual, many thanks. Good stuff!

Offline

#17 31 Jan 2010 5:49:55 pm

zite
Member
Registered: 31 Jan 2010
Posts: 14

Re: Debian/Ubuntu - Install OpenVPN

Hi admin,
On my fresh debian VPS, I followed all the steps on the server very loyally (except using port 443 instead of 1194 is blocked by the firewall).
The tail /var/log/syslog command resulted in suitable results.

Then I copied

ca.crt
client1.crt
client1.key


to my local ubuntu directory /etc/openvpn and

copied openvpn.conf to /etc/openvpn/openvpn.conf

Then I run /etc/init.d/openvpn start on my local machine , and

Enter Auth Username:client1
Enter Auth Password: the_challenging_password_I_chosen_above

but then I get a [fail] message.

Can you help me to resolve the issue please?

Thanks

Last edited by zite (31 Jan 2010 6:04:25 pm)

Offline

#18 31 Jan 2010 6:07:10 pm

ramnet
Moderator
From: USA
Registered: 15 Nov 2009
Posts: 582
Website

Re: Debian/Ubuntu - Install OpenVPN

zite wrote:

Then I run /etc/init.d/openvpn start on my local machine , and

Enter Auth Username:client1
Enter Auth Password: the_password_I_chosen_on_server

You shouldn't be getting a password prompt of any kind - when it asks for a password when creating the certificates simply press enter.

I've emphasized that a bit more in the original howto.

zite wrote:

but then I get a [fail] message.

Send in a ticket with the exact fail message and we'll have someone check it.


Alex, RAM Host

Offline

#19 02 Feb 2010 12:33:55 am

ramnet
Moderator
From: USA
Registered: 15 Nov 2009
Posts: 582
Website

Re: Debian/Ubuntu - Install OpenVPN

zite wrote:

Could you please refer me to some detailed instruction about how to run openvpn client on Ubuntu?

Unfortunately, no.

However, we'll be making an OpenVPN client tutorial for Ubuntu/Debian clients shortly (to complement this Debian/Ubuntu server tutorial).

Server is by far the hardest part - and it shouldn't be too difficult to adapt that config for Ubuntu.

zite wrote:

Could the problem be that the I should have used client1.ovpn instead of client.vpn?

Yes - you'll want to name the file /etc/openvpn/client1.conf (must have a .conf extension on linux - just like the server one has a .conf extension)

Only issue with that is the vpn will try to start when you boot your computer (you can rename the file to something like client1.off before you shutdown to keep that from happening and rename it back to client1.conf when you're ready to connect again).


Alex, RAM Host

Offline

#20 09 Feb 2010 12:21:52 am

ruanyf
Member
Registered: 09 Feb 2010
Posts: 1

Re: Debian/Ubuntu - Install OpenVPN

My client ip is on the 192.168.1.0/255 subnet. How do I configure OpenVPN so that it will cooperate with the existing DHCP server on the LAN? Right now it doesn't seem to work.

Offline

#21 09 Feb 2010 12:32:14 am

ramnet
Moderator
From: USA
Registered: 15 Nov 2009
Posts: 582
Website

Re: Debian/Ubuntu - Install OpenVPN

ruanyf wrote:

My client ip is on the 192.168.1.0/255 subnet. How do I configure OpenVPN so that it will cooperate with the existing DHCP server on the LAN? Right now it doesn't seem to work.

OpenVPN subnet in this tutorial is 10.8.0.0/255 - it should not interfere with your local area network nor the dhcp server you have running.


Alex, RAM Host

Offline

#22 15 Feb 2010 10:25:46 am

hemu
Member
From: Finland, Europe
Registered: 13 Jan 2010
Posts: 30

Re: Debian/Ubuntu - Install OpenVPN

Finally set up my OpenVPN, thanks for the tutorial.

Just a note, wouldn't UDP be better than TCP on VPN usage?

Offline

#23 15 Feb 2010 11:06:46 am

ramnet
Moderator
From: USA
Registered: 15 Nov 2009
Posts: 582
Website

Re: Debian/Ubuntu - Install OpenVPN

hemu wrote:

Just a note, wouldn't UDP be better than TCP on VPN usage?

Yes, yes it would. Due to firewalls however it often doesn't work.

We're actually working on another VPN tutorial for that.


Alex, RAM Host

Offline

#24 15 Feb 2010 12:11:35 pm

zite
Member
Registered: 31 Jan 2010
Posts: 14

Re: Debian/Ubuntu - Install OpenVPN

Actually, after reinstalling the openvpn, I have encountered a weird problem. I can connect to the VPN through Windows but can not communicate any data. Have you any clue of the cause?

Offline

#25 15 Feb 2010 12:26:14 pm

ramnet
Moderator
From: USA
Registered: 15 Nov 2009
Posts: 582
Website

Re: Debian/Ubuntu - Install OpenVPN

zite wrote:

Actually, after reinstalling the openvpn, I have encountered a weird problem. I can connect to the VPN through Windows but can not communicate any data. Have you any clue of the cause?

Fix your iptables rule for forwarding the connection from the vps to the internet:

iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o venet0 -j SNAT --to 1.2.3.4

(replace 1.2.3.4 with your vps ip address)

Verify with:

iptables -L -t nat

If you have more than a single entry you'll need to clear iptables and do the above again:

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

If you have no idea what I just said send in a ticket and we'll have someone check this for you.


Alex, RAM Host

Offline
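
Added example, not part of the original posts: a shell check for the "more than a single entry" condition described above and for a SNAT rule whose address does not match the VPS. It reads rule listings in the format printed by `iptables -t nat -S POSTROUTING`; because rc.local uses `-A`, running it more than once appends the rule again. The helper names check_vpn_nat and sample_rules and the address 203.0.113.10 are assumptions, and the sample rules are constructed.

```shell
#!/bin/sh
# Added example (not from the original posts). check_vpn_nat and
# sample_rules are hypothetical helper names.

# Constructed sample: POSTROUTING after the rc.local rule was appended twice.
sample_rules() {
cat <<'EOF'
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 203.0.113.10
EOF
}

# Usage: iptables -t nat -S POSTROUTING | check_vpn_nat SUBNET VPS_IP
# Prints MISSING, OK, DUPLICATE <count> or WRONG_SOURCE <address>.
check_vpn_nat() {
    awk -v subnet="$1" -v ip="$2" '
    $1 == "-A" && $2 == "POSTROUTING" {
        src = ""; to = ""; snat = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-s")                      src = $(i + 1)
            if ($i == "--to-source")             to = $(i + 1)
            if ($i == "-j" && $(i + 1) == "SNAT") snat = 1
        }
        # Only SNAT rules for the VPN subnet are of interest.
        if (snat && src == subnet) {
            n++
            if (to != ip) bad = to   # e.g. the tutorial IP left unchanged
        }
    }
    END {
        if (n == 0)         print "MISSING"
        else if (bad != "") print "WRONG_SOURCE " bad
        else if (n > 1)     print "DUPLICATE " n
        else                print "OK"
    }'
}

sample_rules | check_vpn_nat 10.8.0.0/24 203.0.113.10
```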
