Install OpenVPN services

KCTang Wed, 11/04/2018 - 17:07

Note

OpenVPN lets remote client computers and smartphones reach the VPN server's files and directory structure over an encrypted tunnel, and can optionally re-direct all of the clients' IP traffic through the VPN server. (revised 11 April 2018)

Install VPN server for accessing file server

Switch to root:

$ sudo -s

Install openvpn and easy-rsa:

$ apt-get install openvpn easy-rsa

Set up the public key infrastructure (PKI) with easy-rsa 2, working from a private copy of its scripts:

$ mkdir /etc/openvpn/easy-rsa/
$ cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
$ gedit /etc/openvpn/easy-rsa/vars

Define in vars:

export KEY_COUNTRY="CN"
export KEY_PROVINCE="HK"
export KEY_CITY="HongKong"
export KEY_ORG="K C Tang Consultants Ltd"
export KEY_EMAIL="kctang@kctang.com.hk"
export KEY_OU=kctclVPN
export KEY_NAME=kctclVPN
# next line added to avoid an error when building the certificate and key
export KEY_ALTNAMES=kctclVPN

Generate the master Certificate Authority (CA) certificate and key (clean-all wipes any existing keys/ directory, so run it only once):

$ cd /etc/openvpn/easy-rsa/
$ source vars
$ ./clean-all
$ ./build-ca

The CA private key keys/ca.key signs every server and client certificate, and the server trusts any certificate it signs. Leave it in keys/ (clean-all creates that directory with mode 700) and never copy it to the Samba share or e-mail it; clients only ever need ca.crt.

Generate a certificate and private key for the server:

$ ./build-key-server kctclVPN

Accept defaults for most parameters.

Answer “y” to:

  • "Sign the certificate? [y/n]"
  • "1 out of 1 certificate requests certified, commit? [y/n]"

Generate Diffie Hellman parameters:

$ ./build-dh

Copy the certificates and keys generated in the subdirectory keys/ to /etc/openvpn/ (the Diffie-Hellman file is named after KEY_SIZE in vars, 2048 bits by default):

$ cd keys/
$ cp kctclVPN.crt kctclVPN.key ca.crt dh2048.pem /etc/openvpn/

Generate a certificate and private key for the client user <client> (use ./build-key-pass instead to protect the key with a passphrase):

$ cd /etc/openvpn/easy-rsa/
$ source vars
$ ./build-key <client>

Copy or move the CA certificate and the client's certificate and key to a Samba directory:

$ cp /etc/openvpn/ca.crt /<Samba directory>/
$ mv /etc/openvpn/easy-rsa/keys/<client>.crt /<Samba directory>/
$ mv /etc/openvpn/easy-rsa/keys/<client>.key /<Samba directory>/

Change the owner and permissions of the files so that Samba can serve them:

$ cd /<Samba directory>
$ chown nobody:nogroup ca.crt <client>.crt <client>.key
$ chmod 644 ca.crt <client>.crt <client>.key

E-mail the files to the client computer.

Remove the files as soon as the client has them. <client>.key is the client's private key: while it sits on the share with mode 644, anyone who can read the share can copy it, and the same applies to a plain e-mail attachment, so encrypt the attachment or send the key by a separate channel:

$ rm ca.crt <client>.crt <client>.key

Config server.conf:

$ cd /
$ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
$ gzip -d /etc/openvpn/server.conf.gz
$ gedit /etc/openvpn/server.conf

Point the following directives to the files copied above, or drop </path to file/> if they are in the same directory as server.conf:

ca </path to file/>ca.crt
cert </path to file/>kctclVPN.crt
key </path to file/>kctclVPN.key
dh </path to file/>dh2048.pem

Also add the following at the end of the file (added 30 December 2017); it replaces the sample file's default BF-CBC, a 64-bit block cipher, and the client config must set the same cipher:

cipher AES-256-CBC
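
The sample server.conf leaves most security settings at their defaults. As an added example, not from the original page, here is a shell function that writes a server.conf with those settings made explicit, beside an audit function that reports which of them an existing server.conf lacks. It assumes the file names used above (kctclVPN.crt, kctclVPN.key, dh2048.pem) and an HMAC key ta.key that is generated separately with `openvpn --genkey --secret /etc/openvpn/ta.key`; the directives are OpenVPN 2.3/2.4 syntax.

```sh
#!/bin/sh
# Added example, not from the original page. Writes a server.conf whose
# security-relevant directives are set explicitly, and audits an existing
# server.conf for the ones that are missing. Assumed file names: kctclVPN.crt,
# kctclVPN.key, dh2048.pem (from the easy-rsa steps above) and ta.key, which
# is generated separately with: openvpn --genkey --secret /etc/openvpn/ta.key

# Write a hardened server.conf to the path given as $1.
write_server_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert kctclVPN.crt
key kctclVPN.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# Data-channel cipher and HMAC. The sample file's defaults (BF-CBC, SHA1)
# use a 64-bit block cipher; clients must set the same two values.
cipher AES-256-CBC
auth SHA256
# HMAC "firewall" on the control channel: packets without a valid HMAC are
# dropped before the TLS handshake, which hides the port from scanners.
# The client uses the same file with direction 1 (key-direction 1).
tls-auth ta.key 0
# Accept only client certificates carrying the clientAuth extended key usage
# (easy-rsa's build-key sets it; drop this line if your client certs lack it).
remote-cert-tls client
# Drop root after the keys and tun device are opened.
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

# Print each missing security directive from the server.conf given as $1.
# Returns 0 when all are present, 1 otherwise.
audit_server_conf() {
    missing=0
    for directive in cipher auth tls-auth remote-cert-tls user group; do
        # match the directive at the start of a line, followed by a value or end of line
        if ! grep -Eq "^[[:space:]]*$directive([[:space:]]|\$)" "$1"; then
            echo "missing: $directive"
            missing=1
        fi
    done
    return $missing
}
```

Run audit_server_conf against /etc/openvpn/server.conf after editing it; every directive it reports as missing is one the sample file leaves at a weaker default. The `auth` and `tls-auth` values must be mirrored in the client profile (auth SHA256, key-direction 1 with the same ta.key), otherwise the client will not connect.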

Config sysctl.conf:

$ gedit /etc/sysctl.conf

Uncomment the following line to enable IP forwarding:

net.ipv4.ip_forward=1

Reload sysctl.conf:

$ sysctl -p /etc/sysctl.conf

Start the server (with systemd the instance for /etc/openvpn/server.conf is also addressable as openvpn@server):

$ systemctl start openvpn
or
$ service openvpn start

Check that OpenVPN created a tun0 interface (use ip addr show tun0 where net-tools is not installed):

$ ifconfig tun0

Check syslog if tun0 does not appear:

$ grep -i vpn /var/log/syslog

Exit from root:

$ exit

Set the internet router to forward incoming UDP port 1194 to the server; the sample server.conf and the client config below both use proto udp.

Extend to re-direct clients' IP traffic through VPN server

(section added 5 April 2018)

Optionally define in server.conf that the clients' IP traffic, such as web browsing and DNS lookups, is routed through the VPN server, so that the clients appear on the internet with the VPN server's address instead of their own:

Config server.conf:

$ sudo gedit /etc/openvpn/server.conf

Define:

push "redirect-gateway def1 bypass-dhcp"

Do not add the following, which left the e-mail server not working on this setup; pushing the server's own tunnel address only makes sense if a DNS resolver is actually listening on 10.8.0.1: (revised 10 April 2018)

push "dhcp-option DNS 10.8.0.1"

Uncomment instead the two OpenDNS resolvers already present in the sample file: (revised 10 April 2018)

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

After editing, restart the server:

$ sudo systemctl restart openvpn

or

$ sudo service openvpn restart

and add the NAT rule that masquerades the clients' traffic behind the server's address. eth0 must be the name of the internet-facing interface; newer Ubuntu releases use names such as enp0s3, so check with ip route first:

$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Note that the iptables configuration is lost on reboot.

Store the current iptables configuration:

$ sudo sh -c "iptables-save > /etc/iptables.up.rules"

View it and remove any rules no longer applicable (the file holds every rule currently loaded, not just the one above):

$ sudo gedit /etc/iptables.up.rules

Do the same whenever the iptables configuration has been changed.

Configure the file to be reloaded on reboot:

$ sudo gedit /etc/network/interfaces

Define the loopback stanza to restore the stored rules when it comes up:

auto lo
iface lo inet loopback
post-up iptables-restore < /etc/iptables.up.rules
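
The MASQUERADE rule above is the only rule this page sets. When the FORWARD chain's policy is DROP (the case once ufw is enabled, for instance), client packets are masqueraded but never forwarded. As an added example, not from the original page, here is a shell function that prints a complete ruleset in iptables-save format, with the MASQUERADE rule plus the two FORWARD rules it depends on, so its output can replace /etc/iptables.up.rules for the post-up line above. The WAN interface name and VPN subnet are parameters; tun0 and UDP port 1194 are assumed from the defaults used on this page.

```sh
#!/bin/sh
# Added example, not from the original page. Prints an iptables-restore file
# that forwards and masquerades OpenVPN client traffic. Assumptions: the VPN
# device is tun0 and the server listens on UDP 1194, as elsewhere on this page.

# $1 = internet-facing interface (eth0, enp0s3, ...; check with: ip route get 1.1.1.1)
# $2 = VPN subnet, the "server" directive in server.conf (e.g. 10.8.0.0/24)
gen_vpn_rules() {
    wan_if="$1"
    vpn_net="$2"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# OpenVPN itself (harmless while INPUT policy is ACCEPT; needed once tightened)
-A INPUT -i $wan_if -p udp --dport 1194 -j ACCEPT
# VPN clients may go out to the internet ...
-A FORWARD -i tun0 -o $wan_if -s $vpn_net -j ACCEPT
# ... and only replies to their connections come back in
-A FORWARD -i $wan_if -o tun0 -d $vpn_net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the clients' tunnel addresses behind the server's address
-A POSTROUTING -s $vpn_net -o $wan_if -j MASQUERADE
COMMIT
EOF
}

# Usage on the server (net.ipv4.ip_forward=1 must already be set):
#   gen_vpn_rules eth0 10.8.0.0/24 | sudo tee /etc/iptables.up.rules >/dev/null
#   sudo iptables-restore --test < /etc/iptables.up.rules   # parse only, commit nothing
#   sudo iptables-restore < /etc/iptables.up.rules
```

The FORWARD policy is DROP on purpose: clients get exactly the path out through the WAN interface and nothing else, and the RELATED,ESTABLISHED rule keeps the internet from reaching the tunnel addresses directly. Any rules the server already needs for other services have to be merged into this file before it replaces the saved one.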

Install on Windows client computer

Download and install the latest OpenVPN Windows Installer.

Go to Microsoft Management Console: Start > Computer > Manage > Services and Applications > Services.

Start the OpenVPN service.

Set its startup type to Automatic.

Save ca.crt, <client>.crt and <client>.key under C:\Program Files\OpenVPN\config\

Create the file C:\Program Files\OpenVPN\config\<client>.txt and define it to contain:

client
dev tun
proto udp
remote kctang.com.hk 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert <\\path\\><client>.crt
key <\\path\\><client>.key
remote-cert-tls server
comp-lzo
verb 3

Also add the following at the end of the file: (added 30 December 2017)

auth-nocache
cipher AES-256-CBC

remote-cert-tls server replaces the older ns-cert-type server line, which OpenVPN 2.4 only warns about and 2.5 no longer accepts; both make the client check that the certificate it is offered was issued to the server, so that another client certificate signed by the same CA cannot be used to pose as the server. The cipher must be the one set in server.conf, and comp-lzo must be present on both sides or on neither.

Specify the path in Windows format, with each backslash doubled as shown, if ca.crt, <client>.crt and <client>.key are saved in a folder different from <client>.txt.

Change the filename from <client>.txt to <client>.ovpn.
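
The transfer step in the server section (copying three files through a Samba share, then e-mailing them) and the four-file layout above can be collapsed into a single profile: OpenVPN reads PEM material from <ca>, <cert> and <key> blocks inside the .ovpn itself. As an added example, not from the original page, here is a shell function that builds such a profile from the easy-rsa output files and writes it with owner-only permissions. It assumes the file names from the server section (ca.crt, <client>.crt, <client>.key), the remote and cipher settings above, and optionally a tls-auth key ta.key if the server is configured with one.

```sh
#!/bin/sh
# Added example, not from the original page. Builds one self-contained
# <client>.ovpn with the CA, the client certificate and the client key
# embedded in <ca>, <cert> and <key> blocks, so a single file replaces the
# four loose files, and writes it with owner-only permissions instead of
# mode 644 on a Samba share. Assumed inputs: the easy-rsa 2 output files from
# the server section (ca.crt, <client>.crt, <client>.key) and, optionally,
# the tls-auth key ta.key if the server uses one.

# Print only the PEM block of a file; easy-rsa's .crt files start with a
# text dump of the certificate, which is noise inside an inline block.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Print a complete client profile to stdout.
# $1 client name, $2 ca.crt, $3 client .crt, $4 client .key, $5 ta.key (optional)
make_client_ovpn() {
    name="$1"; ca="$2"; crt="$3"; key="$4"; ta="$5"
    cat <<EOF
# OpenVPN profile for client "$name"
client
dev tun
proto udp
remote kctang.com.hk 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Replaces the deprecated ns-cert-type (removed in OpenVPN 2.5): the server
# certificate must carry the serverAuth key usage, which build-key-server sets.
remote-cert-tls server
# Must match the server: cipher as set in server.conf, comp-lzo as in the
# sample server.conf (drop it on both sides if the server does not use it).
cipher AES-256-CBC
comp-lzo
auth-nocache
verb 3
EOF
    printf '<ca>\n';   pem_block "$ca";  printf '</ca>\n'
    printf '<cert>\n'; pem_block "$crt"; printf '</cert>\n'
    printf '<key>\n';  pem_block "$key"; printf '</key>\n'
    if [ -n "$ta" ]; then
        # direction 1 on the client pairs with "tls-auth ta.key 0" on the server
        printf 'key-direction 1\n<tls-auth>\n'
        pem_block "$ta"
        printf '</tls-auth>\n'
    fi
}

# Write the profile readable by its owner only (mode 600). Hand it to the
# client over an encrypted channel (scp, or an encrypted archive), not by
# plain e-mail: the embedded key is the client's private key.
write_client_ovpn() {
    out="$1"; shift
    umask 077
    make_client_ovpn "$@" > "$out"
}
```

On the server, `write_client_ovpn /root/<client>.ovpn <client> /etc/openvpn/ca.crt /etc/openvpn/easy-rsa/keys/<client>.crt /etc/openvpn/easy-rsa/keys/<client>.key` produces the profile; on the Windows client it goes into C:\Program Files\OpenVPN\config\ on its own, with no separate ca.crt, .crt or .key files and therefore no path lines to get wrong.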


Run on Windows client as a service

To start OpenVPN automatically as a service every time after rebooting:

  • Go to Microsoft Management Console: Start > Computer > Manage > Services and Applications > Services.
  • Right-click OpenVPN service > Properties > Start.
  • Change Startup type to Automatic.
  • Click OK.

However, running as a service has a bug: the connection may not be re-established after the computer wakes from sleep or hibernation.

If that is the case, connecting with the GUI is the better choice.

Run on Windows client using GUI

Set the OpenVPN GUI to run with administrator rights, once, so that it can be started after every reboot:

  • Right-click the OpenVPN GUI icon on the Desktop.
  • Click Properties > Compatibility > Run this program as an administrator > OK.

Connect after starting, or after the connection is lost following sleep or hibernation:

  • Click the OpenVPN GUI icon on the Desktop.
  • Click the icon in the system tray to connect, or right-click the icon and click Connect.

Map drive for quick access

Define a drive to be listed in the file manager to represent the server (10.8.0.1 is the server's tunnel address, the first address of the subnet in the server directive):

  • Open the file manager and enter \\10.8.0.1 to access the VPN server.
  • Right-click the desired folder.
  • Click Map network drive.
  • Choose a drive letter to represent the folder.
  • Click Finish.