Step by step setting up OpenVPN in debian with routing (tun) connection
Verify that TUN support is enabled on the system:
#test ! -c /dev/net/tun && echo openvpn requires tun support || echo tun is available
tun is available
Installing OpenVPN on the server
#apt-get install openvpn
Preparing to generate the keys
#mkdir /etc/openvpn/easy-rsa
#cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
Generating the certificate authority (CA) which will be used to sign the server and client certificates.
#cd /etc/openvpn/easy-rsa
#source ./vars
#./clean-all
#./build-ca
Creating the server keys
#./build-key-server servername
Generating the Diffie-Hellman parameters, which are used for the key exchange between the client and server
#./build-dh
Creating some client keys which will be used to allow clients to authenticate with the server
#./build-key-pkcs12 client1
You will be asked for an export password; the client will have to enter it to unlock its PKCS#12 file when connecting to the server.
Now we need to configure the server. You need to decide here whether you want tun (routed) or tap (bridged) connections. The main difference is that tap gives the client a network address on the server's network, whereas tun creates a private network managed by the server.
Configure openvpn using routing (tun) connection
Configuring the server
#vim /etc/openvpn/server.conf
(add the following lines)
port 443
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpnsarandi.crt
key /etc/openvpn/easy-rsa/keys/vpnsarandi.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server 10.1.0.0 255.255.255.0
client-config-dir ccd
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
client-to-client
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
Making directory ccd:
#mkdir /etc/openvpn/ccd
Making file client1 in the ccd directory (the file name must be the common name of the client's certificate, client1 here):
#vim /etc/openvpn/ccd/client1
(add the following lines)
iroute 192.168.1.0 255.255.255.0
Restart OpenVPN:
#/etc/init.d/openvpn restart
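Three things have to agree in the server-side routing above: the route lines in server.conf, the iroute line in each client's ccd file, and the name of that ccd file, which must equal the common name in the client's certificate (easy-rsa 2's build-key-pkcs12 defaults the CN to the name you pass). Nothing warns you when they disagree: a misnamed ccd file is silently ignored and the branch LAN becomes unreachable, and curly quotes pasted from a web page into a push line are not quotes to OpenVPN's option parser. The following POSIX shell script is an added example, not part of the original post; it checks those three points against constructed copies of the post's files. The keys directory argument and the build_sample helper are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: a consistency check for a
# routed (tun) OpenVPN server.conf and its client-config-dir (ccd).
# For a LAN behind a client to be reachable, server.conf needs
#   route  <net> <mask>     (kernel route for the subnet into the tun device)
# and the ccd file for that client needs
#   iroute <net> <mask>     (tells OpenVPN which client owns the subnet)
# The ccd file must be named exactly after the client certificate's common
# name. A misnamed file such as "clent1" is ignored, and curly quotes in a
# push "route ..." line are not recognised as quotes by OpenVPN's parser.
# All paths are parameters; the tree written by build_sample is constructed
# for this demonstration (empty .crt files stand in for issued certificates).

# has NEEDLE LIST -> true if NEEDLE equals one of the whitespace-separated items in LIST
has() { for x in $2; do [ "$x" = "$1" ] && return 0; done; return 1; }

# check_ccd SERVER_CONF CCD_DIR KEYS_DIR -> prints findings; returns 0 only if consistent
check_ccd() {
    conf=$1; ccd=$2; keys=$3; rc=0
    routes=$(awk '$1 == "route" { print $2 "/" $3 }' "$conf")
    claimed=""   # subnets that some ccd file claims with iroute
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        cn=${f##*/}
        # the ccd file name must match an issued certificate (easy-rsa 2 names keys/<CN>.crt)
        [ -f "$keys/$cn.crt" ] || { echo "NO CERT: ccd/$cn matches no issued certificate (typo in the file name?)"; rc=1; }
        for net in $(awk '$1 == "iroute" { print $2 "/" $3 }' "$f"); do
            claimed="$claimed $net"
            has "$net" "$routes" || { echo "ORPHAN iroute: $net in ccd/$cn has no matching route in server.conf"; rc=1; }
        done
    done
    for r in $routes; do
        has "$r" "$claimed" || { echo "MISSING iroute: $r is routed in server.conf but no ccd file claims it"; rc=1; }
    done
    # U+201C / U+201D (curly quotes) break push lines; report them with line numbers
    if LC_ALL=C grep -n -e "$(printf '\342\200\234')" -e "$(printf '\342\200\235')" "$conf"; then
        echo "BAD QUOTES: the push lines above need straight double quotes"; rc=1
    fi
    return $rc
}

# build_sample DIR MODE -> constructed copy of the post's files; MODE "broken"
# reproduces the typo'd ccd name and curly quotes, "fixed" corrects both
build_sample() {
    dir=$1; mode=$2
    mkdir -p "$dir/ccd" "$dir/keys"; rm -f "$dir"/ccd/*
    : > "$dir/keys/client1.crt"; : > "$dir/keys/client2.crt"   # stand-ins for issued certs
    if [ "$mode" = broken ]; then
        q1=$(printf '\342\200\234'); q2=$(printf '\342\200\235')   # curly quotes as pasted
        echo "iroute 192.168.1.0 255.255.255.0" > "$dir/ccd/clent1"   # the post's typo; 192.168.2.0 has no ccd at all
    else
        q1='"'; q2='"'
        echo "iroute 192.168.1.0 255.255.255.0" > "$dir/ccd/client1"
        echo "iroute 192.168.2.0 255.255.255.0" > "$dir/ccd/client2"
    fi
    cat > "$dir/server.conf" <<EOF
dev tun
server 10.1.0.0 255.255.255.0
client-config-dir ccd
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
client-to-client
push ${q1}route 192.168.1.0 255.255.255.0${q2}
push ${q1}route 192.168.2.0 255.255.255.0${q2}
EOF
}

# Demonstration: first the configuration as written in the post, then corrected
demo() {
    d=$(mktemp -d)
    build_sample "$d" broken
    echo "--- config as written in the post:"
    check_ccd "$d/server.conf" "$d/ccd" "$d/keys" || echo "=> fix before restarting openvpn"
    build_sample "$d" fixed
    echo "--- corrected config:"
    check_ccd "$d/server.conf" "$d/ccd" "$d/keys" && echo "=> consistent"
    rm -rf "$d"
}
demo
```

On the server itself, run check_ccd /etc/openvpn/server.conf /etc/openvpn/ccd /etc/openvpn/easy-rsa/keys before restarting OpenVPN; a non-zero exit status means at least one finding was printed.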
Setting up the Windows client. First, download the OpenVPN client from here (at the time of writing, select 2.1 RC15). Install it, and create a file ‘client.conf’ in the config directory with the following parameters (the Windows GUI only lists files with the .ovpn extension, so name it client.ovpn if the GUI does not pick it up):
client
dev tun
proto udp
remote x.x.x.x 443 # (replace with your server IP)
resolv-retry infinite
nobind
pkcs12 client1.p12 # (replace with the client name)
ns-cert-type server
comp-lzo
verb 3
#redirect-gateway
You can also add ‘redirect-gateway’ to the client configuration to send all traffic down the VPN tunnel (rather than just traffic destined for the VPN networks).
Copy the client1.p12 certificate file to the config directory on the client, start the GUI, and connect.
If you need to create any clients in the future, do the following command:
#cd /etc/openvpn/easy-rsa
#source ./vars
#./build-key-pkcs12 clientx
Enable IP and TUN/TAP forwarding:
On the Linux client
IP Forwarding
Check if IP forwarding is enabled:
#sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
or
#cat /proc/sys/net/ipv4/ip_forward
0
As we can see in both of the above examples it was disabled (as shown by the value 0).
Enable IP forwarding on the fly (until the next reboot):
#sysctl -w net.ipv4.ip_forward=1
or
#echo 1 > /proc/sys/net/ipv4/ip_forward
Permanent setting using /etc/sysctl.conf (add or uncomment this line):
#/etc/sysctl.conf:
net.ipv4.ip_forward = 1
#sysctl -p /etc/sysctl.conf
On RedHat based systems this is also applied when restarting the network service:
#service network restart
and on Debian/Ubuntu systems this can also be done by restarting the procps service:
#/etc/init.d/procps.sh restart
Using distribution specific init scripts
Although the methods presented above should work just fine and you would not need any other method, I just wanted to note that there are also other ways to enable IP forwarding that are specific to some Linux distributions.
For example, Debian based distributions might use the setting:
#/etc/network/options:
ip_forward=no
Set it to yes and restart the network service.
RedHat distributions might set this using:
#/etc/sysconfig/network:
FORWARD_IPV4=true
and again restart the network service.
Regardless of the method you have used, once you have completed this you can check it using the same commands shown above:
#sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
#cat /proc/sys/net/ipv4/ip_forward
1
If the result is 1 then the Linux system will forward IP packets even if they are not destined to any of its own network interfaces.
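The on-the-fly and permanent settings above are independent: sysctl -w changes only the running kernel, and the stock Debian /etc/sysctl.conf ships the net.ipv4.ip_forward line commented out, so a host that forwards today can stop forwarding after its next reboot and the branch LANs quietly disappear. This shell script, an added example rather than something from the original post, reads both places and reports whether they agree. The file paths are parameters so it can run offline on constructed sample files; it does not inspect /etc/sysctl.d/, which can also override the value.

```shell
#!/bin/sh
# Added example, not from the original post: compare the running value of
# net.ipv4.ip_forward with what /etc/sysctl.conf will apply at boot. On a real
# host pass /proc/sys/net/ipv4/ip_forward and /etc/sysctl.conf; the demo below
# uses constructed files. Files under /etc/sysctl.d/ are not inspected.

# persisted_ip_forward SYSCTL_CONF -> last uncommented value of net.ipv4.ip_forward, or "unset"
persisted_ip_forward() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }                               # comment lines (# or ;)
        { key = $1; gsub(/[[:space:]]/, "", key) }                 # tolerate "key = value" spacing
        key == "net.ipv4.ip_forward" { v = $2; gsub(/[[:space:]]/, "", v); last = v }
        END { print (last == "" ? "unset" : last) }
    ' "$1"
}

# forwarding_state PROC_FILE SYSCTL_CONF -> ok | not-persisted | boot-only | disabled
forwarding_state() {
    running=$(cat "$1" 2>/dev/null || echo 0)
    persisted=$(persisted_ip_forward "$2")
    if [ "$running" = 1 ]; then
        if [ "$persisted" = 1 ]; then echo ok; else echo not-persisted; fi
    else
        if [ "$persisted" = 1 ]; then echo boot-only; else echo disabled; fi
    fi
}

# Demonstration on constructed files, following the post's sequence of commands
demo_forwarding() {
    d=$(mktemp -d)
    echo 0 > "$d/ip_forward"
    printf '#net.ipv4.ip_forward=1\nnet.ipv4.tcp_syncookies = 1\n' > "$d/sysctl.conf"   # Debian default: commented out
    echo "fresh install:             $(forwarding_state "$d/ip_forward" "$d/sysctl.conf")"   # disabled
    echo 1 > "$d/ip_forward"                                   # what sysctl -w net.ipv4.ip_forward=1 does
    echo "after sysctl -w only:      $(forwarding_state "$d/ip_forward" "$d/sysctl.conf")"   # not-persisted
    echo 'net.ipv4.ip_forward = 1' >> "$d/sysctl.conf"         # the permanent setting from the post
    echo "after editing sysctl.conf: $(forwarding_state "$d/ip_forward" "$d/sysctl.conf")"   # ok
    rm -rf "$d"
}
demo_forwarding
```

A result of not-persisted is the common mistake: forwarding works during the session in which it was enabled and breaks on the next reboot; boot-only means the line is in sysctl.conf but sysctl -p has not been run yet.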
TUN/TAP forwarding:
Allow TUN interface connections to the OpenVPN server:
#iptables -A INPUT -i tun+ -j ACCEPT
Allow TUN interface connections to be forwarded through other interfaces:
#iptables -A FORWARD -i tun+ -j ACCEPT
Allow TAP interface connections to the OpenVPN server:
#iptables -A INPUT -i tap+ -j ACCEPT
Allow TAP interface connections to be forwarded through other interfaces:
#iptables -A FORWARD -i tap+ -j ACCEPT
iptables rule for internet sharing (NAT) from eth1 to eth0:
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#iptables-save
(iptables-save only prints the current rules; redirect its output to a file that is restored at boot to keep them across reboots.)
Restart networking and OpenVPN:
#/etc/init.d/networking restart
#/etc/init.d/openvpn restart
On the Windows client:
To enable TCP/IP forwarding, follow these steps:
Start Registry Editor (Regedit.exe).
In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the following registry value:
Value Name: IPEnableRouter
Value type: REG_DWORD
Value Data: 1
A value of 1 enables TCP/IP forwarding for all network connections that are installed and used by this computer.
Quit Registry Editor.
Use the IP address of the OpenVPN client as the gateway on its LAN, so that every workstation behind the client's LAN can communicate with the others.
Thanks for this detailed tutorial 🙂
How do I set up a VPN client for IM2/T.FLAS/Speedy? Is the setting needed, or is it approved automatically?
Comment by MasEDI Belajar Ngeblog | 29 June 2010 |
Greetings,
to run OpenVPN on the same LAN as the Asterisk server, do I need 2 NICs?
Comment by nolee | 3 November 2010 |
Greetings,
1 NIC is enough; push a route for the IP subnet in the OpenVPN server configuration.
Comment by Niki Nuryadin | 4 November 2010 |
Please give details.
Comment by Md.Ali Reza Khan. | 6 September 2012 |
OpenVPN on the same LAN as the Asterisk server:
use (tun) or (tap)?
server-bridge for (tap)?
Comment by nolee | 5 November 2010 |
Hi
Can you please explain why we would need these ones in the server conf?
"
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
client-to-client
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
"
And what is ipp.txt?
thanks
Comment by kuram | 6 September 2011 |
1. Let's assume that 192.168.1.0 is the LAN IP address for the branch office in city 'x' and 192.168.2.0 is the LAN IP address for the other branch office in city 'y'. All computers on both LANs can be accessed and communicate with only one computer that has a connection to the VPN server.
2. The VPN client will get an IP address the first time it successfully connects to the VPN server. The VPN server will keep the IP address for that client in ipp.txt, so if the VPN client reconnects it will get the same IP.
Comment by Niki Nuryadin | 6 September 2011 |
This article is stolen from my website at http://www.serverflux.com
Comment by James | 13 September 2011 |
Sorry, I didn't mean to do a bad thing. I just wanted to share my experience. If this article belongs to you and you object, I will delete it.
But if your article is this one http://serverflux.com/networking/how-to-install-openvpn-on-debian-with-iptables/, I don't see that it is exactly the same, and you posted that article on January 14th, 2011. I posted this article in April 2010.
Comment by Niki Nuryadin | 16 September 2011 |
Hello Niki Nuryadin, I am Mr. Khan from Bangladesh. I have more questions about OpenVPN on Debian. Do you have any Skype/MSN/Yahoo messenger? Then I can talk with you.
Khan.
Comment by Md.Ali Reza Khan. | 6 September 2012 |
Hi, we can buy a 5-IP account from a VPN company. They can provide us public IPs/default IP/DNS. How can I set this up on OpenVPN? I need to put a VoIP device on it and send traffic. Please give details.
Khan.
Comment by Md.Ali Reza Khan. | 6 September 2012 |
Hello, are you there?
Comment by Md.Ali Reza Khan. | 6 September 2012 |
I just finished setting up my VPN server. Good info, ty.
Comment by Terry | 13 November 2012 |
Thank you, I've just been looking for info approximately this topic for a while and yours is the greatest I've come upon till now.
But, what about the bottom line? Are you positive in regards to the supply?
Comment by Lilia | 27 March 2013 |
I read this article fully on the topic of the difference of most up-to-date and earlier technologies,
it's a remarkable article.
Comment by buy a car online | 24 May 2013 |
I'm not sure where you're getting your info, but great
topic. I need to spend some time learning more or understanding
more. Thanks for the wonderful info; I was looking for this information for my mission.
Comment by shenke.net | 30 May 2013 |
Thanks for finally writing about "Step by step setting up OpenVPN in debian with routing (tun) connection « Niki Nuryadin". Liked it!
Comment by www.yelp.com | 16 July 2013 |
I need to configure OpenVPN with 3 servers...
an OpenVPN server and client, and a third as a bridge of the two.
If we connect from the first server it will return the 3rd server's IP.
54.234.156.64 — first instance
23.20.136.17 — second instance
23.20.151.40 — third instance
When you run the below command on 54.234.156.64
wget -qO- ifconfig.me/ip
it will return the IP address of the third instance: 23.20.151.40
regards
sg
Comment by sg | 17 July 2013 |
Hi,
Can you please suggest a rule on Windows to route traffic over the tap interface through eth0 (the physical interface connected to the internet), similar to the following:
#iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
I add this rule on Linux to rewrite the source IP in the Ethernet frame for packets whose destination IP is not in the local LAN.
I am using the tap interface standalone, i.e. not with an OpenVPN server and client.
Comment by Ronex | 18 July 2013 |
Thank you, now I can use my VPN connection even with my WP8 phone via WLAN 🙂
But for VPN forwarding, I use
#iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
Comment by Gonzo | 7 September 2013 |
Great blog! Is your theme custom made or did you download it from somewhere?
A theme like yours with a few simple tweaks would really make my blog shine.
Please let me know where you got your design. Cheers
Comment by works | 6 October 2014 |
That is the Andreas04 theme from the WordPress templates... thank you
Comment by Niki Nuryadin | 6 October 2014 |