wayno vpn from outside

Virtual Private Networks. They are useful, but they can also seem daunting. As I have learned more about VPN’S from my first post, some 2 years ago, I thought we should re-vist and update.

1. What’s the first thing we do? Why install openvpn of course!

REMOTE (HOST) Configuration


sudo apt-get install openvpn

2. Now we need to generate our secret key. This is used to authenticate a remote user trying to gain access. We will use openvpn itself to generate the secret key. NOTE: Debian by default, does NOT provide a path to /usr/sbin

You can fully qualify it: /usr/sbin/openvpn

temporarily add it to the PATH variable: export PATH=$PATH:/sbin:/usr/sbin:/usr/sbin

Or just add:

export PATH=$PATH:/sbin:/usr/sbin:/usr/sbin

to .bashrc

If you add it to .bashrc, you will need to logout and back in again, so it will re-read the file.

Let’s generate that key! (The key below is named homer for the host, it can be anything)


openvpn --genkey --secret homer.key

Simple, huh?

3. Let’s move some files, and create the configuration file for openvpn.

first, let’s move our secret key file:


sudo cp homer.key /etc/openvpn/.

The period at the end, is significant. It says copy the file, right here.

4. Next is the configuration file. Using your favourite editor (nano in my case) create the
/etc/openvpn/openvpn.conf file as follows: Most of the explanations of the parameters come from here.


# Sample openvpn configuration file
# jjs June 6, 2012 V1.0
#
# annotated by Wayno April 26, 2014
#
# remote specifies the address of the server

local 192.168.1.101 5001
#local 192.168.1.101 1194

# dev tun specifies that we are using a tunnel device

dev tun

# ifconfig tells ip address for the interface

ifconfig 192.168.224.253 192.168.224.254

# and the secret key name (in /etc/openvpn)

secret homer.key

# use port 5001 (default) to connect to the vpn. This may require
# you to add this in your router.

port 5001
#port 1194

# if you want data compression

comp-lzo

# ping every 10 seconds, if no ping in 120 seconds, other side dead

keepalive 10 120

# ping timer starts after it receives a connection

ping-timer-rem

# don't recreate a virtual net interface TUN after automatic restart

persist-tun

# Don't read pre-shared static key file again after auto restart

persist-key

# user and group

user nobody
group nogroup

# after initialization, run in the background as a daemon

daemon

# append the /etc/openvpn/openvpn.log

log-append openvpn.log

5. Restart openvpn


sudo service openvpn restart

If you check /etc/openvpn/openvpn.log you will get something like this:

sudo cat openvpn.log
Tue Jun 24 20:00:39 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014
Tue Jun 24 20:00:39 2014 TUN/TAP device tun0 opened
Tue Jun 24 20:00:39 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 24 20:00:39 2014 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 24 20:00:39 2014 /sbin/ip addr add dev tun0 local 192.168.224.253 peer 192.168.224.253
Tue Jun 24 20:00:39 2014 GID set to nogroup
Tue Jun 24 20:00:39 2014 UID set to nobody
Tue Jun 24 20:00:39 2014 UDPv4 link local (bound): [AF_INET]192.168.1.101:5001
Tue Jun 24 20:00:39 2014 UDPv4 link remote: [undef]
Tue Jun 24 20:00:44 2014 Peer Connection Initiated with [AF_INET]192.168.1.103:5001
Tue Jun 24 20:00:45 2014 Initialization Sequence Completed

6. Let’s see if it works?


ping -c 5 192.168.224.253

PING 192.168.224.253 (192.168.224.253) 56(84) bytes of data.
64 bytes from 192.168.224.253: icmp_req=1 ttl=64 time=0.033 ms
64 bytes from 192.168.224.253: icmp_req=2 ttl=64 time=0.041 ms
64 bytes from 192.168.224.253: icmp_req=3 ttl=64 time=0.030 ms
64 bytes from 192.168.224.253: icmp_req=4 ttl=64 time=0.041 ms
64 bytes from 192.168.224.253: icmp_req=5 ttl=64 time=0.040 ms

— 192.168.224.253 ping statistics —
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.030/0.037/0.041/0.004 ms

==================

1. Now the CLIENT configuration /etc/openvpn/client.conf:


#
# openvpn CLIENT configuration
#
# V1.0 by Wayno April 26, 2014

# remote specifies the ip address of the remote (host) openvpn

remote 192.168.1.101

# dev tun specifies that we are using a tunnel device

dev tun

# ifconfig tells ip address for the interface
# NOTE that the ifconfig ip's are BACKWARD from the host

ifconfig 192.168.224.254 192.168.224.253

# The name of the secret key we generated (it could be anyname)

secret homer.key

# use port 5001 (note you may need to open this up in your router
# and make sure it points to the remote (host))

port 5001

# if you want data compression

comp-lzo

# ping every 10 seconds, if no ping in 60 seconds, other side dead

keepalive 10 60

# ping timer starts after it receives a connection

ping-timer-rem

# don't recreate a virtual net interface TUN after automatic restart

persist-tun

# Don't read pre-shared static key file again after auto restart

persist-key

#user and group

user nobody
group nogroup

# after initialization, run in the background as a daemon

daemon

log-append openvpn.log

2. Ensure you copy the secret key over to the /etc/openvpn on the client side. This assumes the key is already in your home folder


sudo cp ~/homer.key .

Note that the period (.) at the end IS significant.

3. And your output should look something like this:

sudo cat openvpn.log
Tue Jun 24 20:20:27 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
Tue Jun 24 20:20:27 2014 NOTE: OpenVPN 2.1 requires ‘–script-security 2’ or higher to call user-defined scripts or executables
Tue Jun 24 20:20:27 2014 LZO compression initialized
Tue Jun 24 20:20:27 2014 TUN/TAP device tun0 opened
Tue Jun 24 20:20:27 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jun 24 20:20:27 2014 /sbin/ifconfig tun0 192.168.224.254 pointopoint 192.168.224.253 mtu 1500
Tue Jun 24 20:20:27 2014 GID set to nogroup
Tue Jun 24 20:20:27 2014 UID set to nobody
Tue Jun 24 20:20:27 2014 UDPv4 link local (bound): [undef]
Tue Jun 24 20:20:27 2014 UDPv4 link remote: [AF_INET]192.168.1.101:5001
Tue Jun 24 20:20:27 2014 Peer Connection Initiated with [AF_INET]192.168.1.101:5001
Tue Jun 24 20:20:28 2014 Initialization Sequence Completed

3. ssh into the vpn

nwayno@Willy:~$ ssh 192.168.224.253
nwayno@192.168.224.253’s password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-29-generic x86_64)

* Documentation: https://help.ubuntu.com/

Last login: Tue Jun 24 20:40:04 2014 from 192.168.224.253
nwayno@Homer:~$