Category Archives: OpenVPN

OpenVPN giving a client a static IP

Posted on by

To set up static IP for a client first set up client-config’s in server.conf

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
client-config-dir client-configs

Then create the directory “/etc/openvpn/client-configs
Then create a file with the name of the client that is connecting in this folder
(for instance “/etc/openvpn/client-configs/backup”)

#Give this machine 10.8.0.3 a a static ip
ifconfig-push 10.8.0.3 10.8.0.0

(Remember to replace with values that makes sense to you)

OpenVPN: TLS Error: reading acknowledgement record from packet

Posted on by

This error message (in my experince) most often means that one side (either the client or the server) is set up for TLS auth, but the other side is not.

Check both configs and fix this problem.

To add it to a client
Copy the file /etc/openvpn/ta.key from the server to the client
and then edit /etc/openvpn/myVpn.conf

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

Adding a OpenVPN client on ubuntu 10.04

Posted on by

First the certificate (key) should be created on the server.

cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname

Copy the certificate files to the client
* /etc/openvpn/ca.crt
* /etc/openvpn/easy-rsa/keys/hostname.crt
* /etc/openvpn/easy-rsa/keys/hostname.key

Then the client should be setup

apt-get install openvpn
cd /etc/openvpn
cp /usr/share/doc/openvpn/examples/sample-config/client.conf client.conf

Edit the client.conf file (edit all that you need to fit your config, the following are those I recommend):
The fix for Vista I add (commented out) since I am lazy and usually just copy a old config file to the next client

remote my.domain.com 1194
 
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert clientName.crt
key clientName.key
 
#fix for vista being stuid...
;route-method exe
;route-delay 2

Restart OpenVPN on the client:

 /etc/init.d/openvpn restart
 * Stopping virtual private network daemon(s)...                                
 *   No VPN is running.
 * Starting virtual private network daemon(s)...                                
 *   Autostarting VPN 'myVPN'                                         [ OK ]

Same as with the server, the above means that is went well, a [fail] means that the logs should be read for details.

A word of caution: [ OK ] only means that the OpenVPN was started ok – no errors in config etc.
There might still be issues with firewalls, wrong hostname (to the server) etc.
Check ifconfig and ping the server to make sure it is working.

Installing OpenVPN (server) on ubuntu 10.04

Posted on by

This is a quick note on how to install OpenVPN as a Ethernet tunnel (not a bridge) on ubuntu 10.04

install

sudo apt-get install openvpn

Server Certificates

First, copy the easy-rsa directory to /etc/openvpn.

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

You may also wish to adjust permissions in the easy-rsa directory to allow the current user permission to create files.

sudo chown -R $USER /etc/openvpn/easy-rsa/

Next, edit /etc/openvpn/easy-rsa/vars but make sure you adjust at least the following values to values make sense to you:

export KEY_COUNTRY="SE"
export KEY_PROVINCE="Blekinge"
export KEY_CITY="Karlskrona"
export KEY_ORG="My organization"
export KEY_EMAIL="vpnhelp@example.com"

Enter the following to create the server certificates:

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

Server Configuration
Lets start by copying the example config.

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gunzip /etc/openvpn/server.conf.gz

Edit /etc/openvpn/server.conf changing (at least) the following options (change to values that make sense to you):

#Change the VPN subnet address to one that makes sense to you (and don't collide with any other net)
server 10.9.0.0 255.255.255.0
#If you wish the computers on the VPN to be able to connect to each other then uncomment
client-to-client
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
#If this is uncommented then a separate log will be written for OpenVPN (If both log lines are uncommented, then syslog is used)
log-append  openvpn.log
#To enable per client configurations uncomment:
client-config-dir client-configs

Restart the VPN:

/etc/init.d/openvpn restart

If the server failed to start:

/etc/init.d/openvpn restart
 * Stopping virtual private network daemon(s)...                                                                                                 
 *   No VPN is running.
 * Starting virtual private network daemon(s)...                                                                                                 
 *   Autostarting VPN 'server'                                                     [fail]

Then you should check out the log (either syslog or the log you set in the config file) and solve the issues.
It should look like this:

/etc/init.d/openvpn restart
 * Stopping virtual private network daemon(s)...                                                                                                 
 *   No VPN is running.
 * Starting virtual private network daemon(s)...                                                                                                 
 *   Autostarting VPN 'server'                                                     [ OK ]