Step by step setting up OpenVPN in debian with routing (tun) connection

Verify if TUN support is enabled on the system

#test ! -c /dev/net/tun && echo openvpn requires tun support || echo tun is available                                                       tun is available

Installing OpenVPN on the server

#apt-get install openvpn

Preparing to generate the keys

#mkdir /etc/openvpn/easy-rsa
#cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Generating the certificate authority (CA) which will be used to sign the server and client certificates.

#cd /etc/openvpn/easy-rsa
#source ./vars
#./clean-all
#./build-ca

Creating the server keys

#./build-key-server servername

Generating the diffie-hellman parameters which are used for key exchange between the client and server

#./build-dh

Creating some client keys which will be used to allow clients to authenticate with the server

#./build-key-pkcs12 client1

You will be asked for a password which the client will use to connect to the server

we need to configure the server. You need to make a decision here whether you want tun (routed) or tap (bridged) connections. The main difference is that tap will give the client a network address on the server network, whereas tun creates a private network managed by the server.

Configure openvpn using routing (tun) connection

Configuring the server

#vim /etc/openvpn/server.conf
(add the following lines)

port 443

proto udp

dev tun

ca /etc/openvpn/easy-rsa/keys/ca.crt

cert /etc/openvpn/easy-rsa/keys/vpnsarandi.crt

key /etc/openvpn/easy-rsa/keys/vpnsarandi.key

dh /etc/openvpn/easy-rsa/keys/dh1024.pem

ifconfig-pool-persist ipp.txt

server 10.1.0.0 255.255.255.0

client-config-dir ccd

route 192.168.1.0 255.255.255.0

route 192.168.2.0 255.255.255.0

client-to-client

push “route 192.168.1.0 255.255.255.0”

push “route 192.168.2.0 255.255.255.0”

keepalive 10 120

comp-lzo

persist-key

persist-tun

status /var/log/openvpn-status.log

verb 3

Making directory ccd:

#mkdir /etc/openvpn/ccd

Making  file client1 in ccd directory

#vim /etc/openvpn/ccd/clent1
(add the following lines)

iroute 192.168.1.0 255.255.255.0

Restart OpenVPN:

#/etc/init.d/openvpn restart

Setting up the windows client. First, download the OpenVPN client from here (at the time of writing, select 2.1 RC15). Install it, and create a file ‘client.conf’ in the config directory with the following parameters

client

dev tun

proto udp

remote x.x.x.x  443 # (replace with your server IP)

resolv-retry infinite

nobind

pkcs12 client1.p12 # (replace with the client name)

ns-cert-type server

comp-lzo

verb 3

#redirect-gateway

You can also add ‘redirect-gateway’ to the client configuration to pass all traffic down the VPN tunnel (rather than just traffic intended for the VPN itself).

copy the client1.p12 certificate file to the config directory on the client, start the gui, and connect.

If you need to create any clients in the future, do the following command:

#cd /etc/openvpn/easy-rsa
#source ./vars
#./build-key-pkcs12 clientx

Enable IP and TUN/TAP forwarding:

On  linux client

IP Forwarding

Check if IP Forwarding is enabled

#sysctl net.ipv4.ip_forward

net.ipv4.ip_forward = 0 

or

cat /proc/sys/net/ipv4/ip_forward

0 

As we can see in both the above examples this was disabled (as show by the value 0).

Enable IP Forwarding on the fly

#sysctl -w net.ipv4.ip_forward=1 

or

#echo 1 > /proc/sys/net/ipv4/ip_forward 

Permanent setting using /etc/sysctl.conf

#/etc/sysctl.conf:

net.ipv4.ip_forward = 1

#sysctl -p /etc/sysctl.conf

 

On RedHat based systems this is also enabled when restarting the network service:

#service network restart

 

and on Debian/Ubuntu systems this can be also done restarting the procps service:

#/etc/init.d/procps.sh restart 

Using distribution specific init scripts

Although the methods presented above should work just fine and you would not need any other method of doing this, I just wanted to note that there are also other methods to enable IP Forwarding specific to some Linux distributions.
For example Debian based distributions might use the setting:

 

#/etc/network/options:

ip_forward=no 

set it to yes and restart the network service.
Also RedHat distributions might set this using:

#/etc/sysconfig/network:

FORWARD_IPV4=true 

and again restart the network service.

Regardless the method you have used once you have completed this you can check it out using the same method shown above:

#sysctl net.ipv4.ip_forward

net.ipv4.ip_forward = 1 

#cat /proc/sys/net/ipv4/ip_forward

1 

If the result is 1 then the Linux system will start forwarding IP packets even if they are not destined to any of its own network interfaces.

TUN/TAP forwarding:

Allow TUN interface connections to OpenVPN server
# iptables -A INPUT -i tun+ -j ACCEPT

Allow TUN interface connections to be forwarded through other interfaces
# iptables -A FORWARD -i tun+ -j ACCEPT

Allow TAP interface connections to OpenVPN server
# iptables -A INPUT -i tap+ -j ACCEPT

Allow TAP interface connections to be forwarded through other interfaces
# iptables -A FORWARD -i tap+ -j ACCEPT

** rule iptables for  internet  sharing from eth1  to  eth0.

#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

#iptables-save

Restart Networking and OpenVPN

#/etc/init.d/networking restart

#/etc/init.d/openvpn restart

On Windows client:

To enable TCP/IP forwarding, follow these steps:

Start Registry Editor (Regedit.exe).

In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Set the following registry value:

Value Name: IPEnableRouter
Value type: REG_DWORD
Value Data: 1

A value of 1 enables TCP/IP forwarding for all network connections that are installed and used by this computer.

Quit Registry Editor.

Use IP address OpenVPN client as gateway on LAN . So that every workstation behind LAN Client  can communicate each others.

Installing OpenVPN

1. Installing OpenVPN on the server

#apt-get install openvpn

2. Preparing to generate the keys

#mkdir /etc/openvpn/easy-rsa
#cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa

3. Generating the certificate authority (CA) which will be used to sign the server and client certificates.

#cd /etc/openvpn/easy-rsa
#source ./vars
#./clean-all
#./build-ca

4. Creating the server keys

#./build-key-server servername

5. Generating the diffie-hellman parameters which are used for key exchange between the client and server

#./build-dh

6. Creating some client keys which will be used to allow clients to authenticate with the server

#./build-key-pkcs12 client1

You will be asked for a password which the client will use to connect to the server

we need to configure the server. You need to make a decision here whether you want tun (routed) or tap (bridged) connections. The main difference is that tap will give the client a network address on the server network, whereas tun creates a private network managed by the server.

Configure openvpn using routing (tun) connection

7. Configuring the server

#vim /etc/openvpn/server.conf
(add the following lines)

port 443

proto udp

dev tun

ca /etc/openvpn/easy-rsa/keys/ca.crt

cert /etc/openvpn/easy-rsa/keys/vpnsarandi.crt

key /etc/openvpn/easy-rsa/keys/vpnsarandi.key

dh /etc/openvpn/easy-rsa/keys/dh1024.pem

ifconfig-pool-persist ipp.txt

server 10.1.0.0 255.255.255.0

client-config-dir ccd

route 192.168.1.0 255.255.255.0

route 192.168.2.0 255.255.255.0

client-to-client

push “route 192.168.1.0 255.255.255.0”

push “route 192.168.2.0 255.255.255.0”

keepalive 10 120

comp-lzo

persist-key

persist-tun

status /var/log/openvpn-status.log

verb 3

8. Making directory ccd:

#mkdir /etc/openvpn/ccd

9. Making  file client1 in ccd directory

#vim /etc/openvpn/ccd/clent1
(add the following lines)

iroute 192.168.1.0 255.255.255.0

10. Restart OpenVPN:

#/etc/init.d/openvpn restart

Setting up the windows client. First, download the OpenVPN client from here (at the time of writing, select 2.1 RC15). Install it, and create a file ‘client.conf’ in the config directory with the following parameters

client

dev tun

proto udp

remote x.x.x.x  443 # (replace with your server IP)

resolv-retry infinite

nobind

pkcs12 client1.p12 # (replace with the client name)

ns-cert-type server

comp-lzo

verb 3

#redirect-gateway

You can also add ‘redirect-gateway’ to the client configuration to pass all traffic down the VPN tunnel (rather than just traffic intended for the VPN itself).

11. copy the client1.p12 certificate file to the config directory on the client, start the gui, and connect.

12. If you need to create any clients in the future, do the following command:

#cd /etc/openvpn/easy-rsa
#source ./vars
#./build-key-pkcs12 clientx

Enable IP and TUN/TAP forwarding:

On  linux client

IP Forwarding

15. Check if IP Forwarding is enabled

#sysctl net.ipv4.ip_forward

  net.ipv4.ip_forward = 0 

or

cat /proc/sys/net/ipv4/ip_forward

0 

As we can see in both the above examples this was disabled (as show by the value 0).

16. Enable IP Forwarding on the fly

#sysctl -w net.ipv4.ip_forward=1 

or

#echo 1 > /proc/sys/net/ipv4/ip_forward 

17. Permanent setting using /etc/sysctl.conf

#/etc/sysctl.conf:

  net.ipv4.ip_forward = 1

#sysctl -p /etc/sysctl.conf

 

On RedHat based systems this is also enabled when restarting the network service:

#service network restart

 

and on Debian/Ubuntu systems this can be also done restarting the procps service:

#/etc/init.d/procps.sh restart 

Using distribution specific init scripts

Although the methods presented above should work just fine and you would not need any other method of doing this, I just wanted to note that there are also other methods to enable IP Forwarding specific to some Linux distributions.
For example Debian based distributions might use the setting:

 

#/etc/network/options:

  ip_forward=no 

set it to yes and restart the network service.
Also RedHat distributions might set this using:

#/etc/sysconfig/network:

FORWARD_IPV4=true 

and again restart the network service.

Regardless the method you have used once you have completed this you can check it out using the same method shown above:

#sysctl net.ipv4.ip_forward

   net.ipv4.ip_forward = 1 

#cat /proc/sys/net/ipv4/ip_forward

   1 

If the result is 1 then the Linux system will start forwarding IP packets even if they are not destined to any of its own network interfaces.

TUN/TAP forwarding:

Allow TUN interface connections to OpenVPN server
# iptables -A INPUT -i tun+ -j ACCEPT

Allow TUN interface connections to be forwarded through other interfaces
# iptables -A FORWARD -i tun+ -j ACCEPT

Allow TAP interface connections to OpenVPN server
# iptables -A INPUT -i tap+ -j ACCEPT

Allow TAP interface connections to be forwarded through other interfaces
# iptables -A FORWARD -i tap+ -j ACCEPT

18. Restart Networking and OpenVPN

#/etc/init.d/networking restart

#/etc/init.d/openvpn restart

On Windows client:

To enable TCP/IP forwarding, follow these steps:

1. Start Registry Editor (Regedit.exe).

2. In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

3. Set the following registry value:

Value Name: IPEnableRouter
Value type: REG_DWORD
Value Data: 1

A value of 1 enables TCP/IP forwarding for all network connections that are installed and used by this computer.

4. Quit Registry Editor.

19. Use IP address OpenVPN client as gateway on LAN . So that every workstation behind LAN Client  can communicate each others.

16 April 2010 - Posted by Niki Nuryadin | Linux, Networking