Linux Horizon

A brief HOWTO for OpenVPN.


For more (and the best) documentation, check the OpenVPN developer site at http://openvpn.net/examples.html.

If you are running Debian sarge, just do:
apt-get install openvpn
to install the VPN software. If you don't run this Linux distribution, download and install (or compile) the version that matches your distro. The tar.gz archive is good for all Linux distros and can be found on the OpenVPN site. You may need other packages as well (check the dependencies).

If you use the tar.gz file and compile the sources yourself, create the device node and load the tun module:
mkdir -p /dev/net                  # the directory may not exist yet
mknod /dev/net/tun c 10 200        # character device, major 10, minor 200
modprobe tun

OK! I just installed it! What's next?

Let's presume that you want a tunnel between two Linux routers (router A and router B).

The simplest way (without encryption) to do that is shown below.
On router A do:
openvpn --remote x.x.x.x --dev tun0 --ifconfig a.a.a.a a.a.a.b --port yyyy

On the other router do:
openvpn --remote y.y.y.y --dev tun0 --ifconfig a.a.a.b a.a.a.a --port yyyy

Where:
x.x.x.x - the public IP of router B
y.y.y.y - the public IP of router A
a.a.a.a - the local IP of your tunnel interface (e.g. 192.168.1.1)
a.a.a.b - the other IP of your tunnel (the remote one, e.g. 192.168.1.2)
yyyy - the UDP port used for the connection

Wait 2-10 seconds for the connection to be established, check that your tun interface (tun0 in my example) is up and, if it is, try ping a.a.a.b (if you are on router A) or ping a.a.a.a (if you are on router B).
For verbose output, try the --verb 5 option as follows (but it will generate a lot of output):
openvpn --remote y.y.y.y --dev tun0 --ifconfig a.a.a.b a.a.a.a \
--port yyyy --verb 5

This example works without tunnel encryption. If you want to use encryption, the easy way is to generate a static key:
openvpn --genkey --secret key
The "key" file must be present on both routers. Do not generate the "key" on each router !!! Generate it on one router and then copy it to the other.

Now the command changes as follows:
openvpn --remote x.x.x.x --dev tun0 --ifconfig a.a.a.a a.a.a.b \
--port yyyy --secret key
(for router A) and
openvpn --remote y.y.y.y --dev tun0 --ifconfig a.a.a.b a.a.a.a \
--port yyyy --secret key
(for router B)
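As an added example (not part of the original HOWTO), a small POSIX sh pre-flight for the static-key setup above: it refuses a "key" file that group or others can read, or that was not produced by openvpn --genkey, and it prints the two matching command lines so the --remote and --ifconfig order cannot be swapped by mistake. Function names, the sample addresses and the key path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original HOWTO. Assumes the key was created with
# "openvpn --genkey --secret key" and copied to the second router over a secure
# channel. The permission check reads "ls -l" output (works on Linux and BSD).

# check_secret_key FILE
# Succeeds only if FILE exists, is accessible by its owner alone (it is a shared
# secret, so group/other must have no bits set) and carries the header that
# openvpn --genkey writes.
check_secret_key() {
    f=$1
    [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
    # columns 5-10 of "ls -l" are the group and other permission bits
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "$f is accessible by group/other (ls shows $perms); chmod 600 it" >&2
        return 1
    }
    grep -q -- '-----BEGIN OpenVPN Static key V1-----' "$f" || {
        echo "$f is not an OpenVPN V1 static key" >&2
        return 1
    }
    return 0
}

# p2p_commands PUBLIC_A PUBLIC_B TUN_A TUN_B PORT KEYFILE
# Prints the command line for each end. Each router points --remote at the
# OTHER router's public IP and lists its OWN tunnel address first in
# --ifconfig; getting that order wrong on one side is the usual mistake.
p2p_commands() {
    pub_a=$1; pub_b=$2; tun_a=$3; tun_b=$4; port=$5; key=$6
    [ "$tun_a" != "$tun_b" ] || { echo "tunnel ends must differ" >&2; return 1; }
    printf 'router A: openvpn --remote %s --dev tun0 --ifconfig %s %s --port %s --secret %s\n' \
        "$pub_b" "$tun_a" "$tun_b" "$port" "$key"
    printf 'router B: openvpn --remote %s --dev tun0 --ifconfig %s %s --port %s --secret %s\n' \
        "$pub_a" "$tun_b" "$tun_a" "$port" "$key"
}

# Example run (constructed sample addresses from the documentation ranges):
#   check_secret_key /etc/openvpn/key && \
#   p2p_commands 198.51.100.1 203.0.113.2 192.168.1.1 192.168.1.2 1194 /etc/openvpn/key
```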

If you want to change your default gateway and send all your traffic through the tunnel, do:
openvpn --remote x.x.x.x --dev tun0 --ifconfig a.a.a.a a.a.a.b \
--port yyyy --redirect-gateway --secret key

Also, if you want to use your own DNS server or just want to send some packets over another route, you can insert an additional route:
openvpn --remote x.x.x.x --dev tun0 --ifconfig a.a.a.a a.a.a.b \
--port yyyy --redirect-gateway \
--route 10.5.5.0 255.255.255.0 10.5.5.1 --secret key

where:
10.5.5.0 - is your (local) network
255.255.255.0 - the network mask
10.5.5.1 - the gateway for the 10.5.5.0 route
Now all your packets will go through the tunnel, except those with 10.5.5.0/24 as destination network, which will go directly to the 10.5.5.1 gateway.

What about the firewall???


Oh, yeahh...the firewall...

If you don't manage the firewall, check for an open port on it and, if you can pass through it (the hping tool can be useful), use that port with the --port x option. UDP port 1194 is the default port for OpenVPN.

I strongly recommend reading and learning about iptables before you play with fire !!! :-)

If all you want is to link two routers, you only need the INPUT and OUTPUT iptables chains for the ethX interfaces and the FORWARD chain for your tunX interface.

A basic set of iptables rules looks like this:
echo 1 > /proc/sys/net/ipv4/ip_forward   # enable routing between interfaces
# let the OpenVPN UDP packets in and out on the public interface, only from/to the other router
iptables -A INPUT -i eth0 -p udp -s ip_addr_of_the_other_router --sport 1194 --dport 1194 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -d ip_addr_of_the_other_router --dport 1194 --sport 1194 -j ACCEPT
# traffic to and from the router itself over the tunnel
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
# traffic routed through the tunnel in both directions (the -o rule matters when the FORWARD policy is DROP)
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT

There are other ways to set up a VPN connection using OpenVPN, and my advice is to read all the documentation and examples you find on the OpenVPN page.

Note:
All the examples above use UDP ports. For TCP ports check the documentation.

That's it...

If you need additional info or have questions, please go to the Contact Page for our e-mail addresses...

