OpenVPN setup on Slicehost VPS


Today I set up my VPS on Slicehost as a virtual private network server using OpenVPN. As I mentioned in Google said goodbye to Chinese, google.cn has been disabled and access is restricted by IP, so I had to set up a VPN server in order to reach Google.com from China. Well, that is the whole story. Let's start the VPN server tutorial right now!

Step 1: Install OpenVPN on your slice (the VPS on SliceHost)

As usual, it can be installed either from source or as a binary package. I installed the binary package via aptitude, which sits on top of Ubuntu's built-in dpkg package system (my VPS runs the Ubuntu 8.04.2 LTS "hardy" image).

# install openvpn from the Ubuntu package
aptitude install openvpn

# install openvpn from source (install lzo and openssl first)
cd ~/sources   # or wherever you like to keep source files
wget http://openvpn.net/release/openvpn-2.0.5.tar.gz
tar -zxvf openvpn-2.0.5.tar.gz   # a gzip archive, so -z rather than -j
cd ./openvpn-2.0.5
./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib --with-ssl-headers=/usr/local/include/openssl --with-ssl-lib=/usr/local/lib
make
make check
make install

Step 2: Configure the PKI and generate the keys


sudo -i   # if you are not logged in as root but are allowed to sudo as root
cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0
. ./vars   # the file must be sourced (not executed) so that its KEY_* variables reach the build scripts
./clean-all
./build-ca
./build-key-server server   # change "server" to the name of your server
./build-key username        # set the user name here
./build-dh
openvpn --genkey --secret keys/ta.key   # read the comments about tls-auth in the sample server.conf
exit

You needn't, and shouldn't, run clean-all or build-ca again the next time you want to add a user or a server: clean-all wipes the keys directory and build-ca creates a fresh CA, which invalidates every certificate issued so far.

Step 3: Configure server.conf for OpenVPN


sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
sudo vim /etc/openvpn/server.conf

It's a good idea to read the comments in server.conf. Uncomment and adjust the following settings:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server x.x.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
# replace x.x.x.x with your resolver; find it with: cat /etc/resolv.conf
push "dhcp-option DNS x.x.x.x"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Step 4: iptables, if you have set up a firewall


sudo vim /etc/iptables.test.rules
# then add the following lines to your test rules
*nat
# x.x.0.0 must be identical to the subnet on the "server" line of your server.conf
# (no "-t nat" here: iptables-restore takes the table from the "*nat" header and rejects -t inside a rule)
-A POSTROUTING -s x.x.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# the filter table is probably there already
*filter
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
# .....
# your existing chains
# .....
COMMIT

# load the test rules and review the result
sudo iptables-restore < /etc/iptables.test.rules
sudo iptables -L
# ..... output for your review
# once you are happy with them, save them as the rules loaded at boot
sudo -i
iptables-save > /etc/iptables.up.rules
exit
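The comment in the rules above says the masqueraded subnet has to be identical to the one on the "server" line of server.conf; a mismatch silently leaves client traffic un-NATed. The following shell functions are an added example, not part of the original post: they derive the CIDR subnet from a server.conf, render the *nat block for it, and check an existing rules file against it. The function names and the sample files used in the usage comments are my own; nothing here calls iptables itself.

```shell
#!/bin/sh
# Added example, not from the original post: keep the MASQUERADE rule in
# /etc/iptables.test.rules consistent with the "server" line of server.conf.
# Everything here is plain text handling; applying the rules still needs
# iptables-restore as root.

# mask_to_prefix NETMASK -> prefix length, e.g. 255.255.255.0 -> 24.
# Returns 1 for anything that is not a contiguous four-octet mask.
mask_to_prefix() {
    m2p_prefix=0; m2p_zero_seen=0; m2p_count=0
    m2p_oldifs=$IFS; IFS=.
    for m2p_octet in $1; do
        m2p_count=$((m2p_count + 1))
        case $m2p_octet in
            255) m2p_bits=8 ;; 254) m2p_bits=7 ;; 252) m2p_bits=6 ;; 248) m2p_bits=5 ;;
            240) m2p_bits=4 ;; 224) m2p_bits=3 ;; 192) m2p_bits=2 ;; 128) m2p_bits=1 ;;
            0)   m2p_bits=0 ;;
            *)   IFS=$m2p_oldifs; return 1 ;;
        esac
        # once an octet is below 255, every later octet must be 0
        if [ "$m2p_zero_seen" -eq 1 ] && [ "$m2p_bits" -ne 0 ]; then
            IFS=$m2p_oldifs; return 1
        fi
        [ "$m2p_bits" -eq 8 ] || m2p_zero_seen=1
        m2p_prefix=$((m2p_prefix + m2p_bits))
    done
    IFS=$m2p_oldifs
    [ "$m2p_count" -eq 4 ] || return 1
    echo "$m2p_prefix"
}

# vpn_cidr_from_conf SERVER_CONF -> the VPN subnet in CIDR form, taken from
# the "server x.x.0.0 255.255.255.0" line.
vpn_cidr_from_conf() {
    set -- $(sed 's/^[[:space:]]*//' "$1" | awk '$1 == "server" { print $2, $3; exit }')
    [ $# -eq 2 ] || return 1
    vc_prefix=$(mask_to_prefix "$2") || return 1
    echo "$1/$vc_prefix"
}

# render_nat_rules CIDR IFACE -> the *nat block of Step 4 for that subnet.
render_nat_rules() {
    printf '*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s %s -o %s -j MASQUERADE\nCOMMIT\n' "$1" "$2"
}

# rules_match SERVER_CONF RULES_FILE: 0 when the source of the MASQUERADE
# rule equals the server.conf subnet, 1 (with an explanation) otherwise.
rules_match() {
    rm_want=$(vpn_cidr_from_conf "$1") || { echo "no usable server line in $1"; return 1; }
    rm_got=$(awk '/-j MASQUERADE/ { for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1) }' "$2" | head -n 1)
    if [ "$rm_got" = "$rm_want" ]; then
        echo "ok: $rm_want is masqueraded"
        return 0
    fi
    echo "mismatch: server.conf uses $rm_want but the rules masquerade '${rm_got:-nothing}'"
    return 1
}

# Usage (paths are the ones from the tutorial):
#   render_nat_rules "$(vpn_cidr_from_conf /etc/openvpn/server.conf)" eth0
#   rules_match /etc/openvpn/server.conf /etc/iptables.test.rules
```

Run rules_match before iptables-restore every time you touch either file; it is cheap, and it catches the case where the "server" line was changed later and the NAT rule was not.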

Step 5: VPN Client

Install OpenVPN on your local computer as well, in the same way.
Copy the files ca.crt, ta.key, username.crt and username.key from /etc/openvpn/easy-rsa/2.0/keys/ on the server. Do the copy over SSH (scp, for instance) so that the private key and the tls-auth key stay secret. Then run [sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/] and edit the client file until it looks like this:

client
dev tun
proto udp
# yourserver is the public IP (or hostname) of your slice
remote yourserver 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert username.crt
key username.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
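A small static checker for the two config files of Step 3 and Step 5, added here as an example and not part of the original post. It only reads the file with sed/awk/grep and never starts OpenVPN. Besides the directives the tutorial relies on, it checks the two things that most often go wrong when the files are edited by hand: the tls-auth key direction (0 on the server, 1 on the client, as in the configs above) and the ns-cert-type server line of the client, without which any certificate signed by the CA, another user's client certificate included, would be accepted as the server. The function names are my own; remote-cert-tls is mentioned as the replacement for ns-cert-type on newer OpenVPN builds.

```shell
#!/bin/sh
# Added example, not part of the original post: a static checker for the
# server.conf (Step 3) and client.conf (Step 5) shown above.

# Print the directive name (first word) of every non-comment line in FILE.
conf_directives() {
    sed 's/^[[:space:]]*//' "$1" | grep -v '^[#;]' | grep -v '^$' | awk '{ print $1 }'
}

# Exit 0 if FILE sets directive NAME (exact match on the directive name).
conf_has() {
    conf_directives "$1" | grep -qx "$2"
}

# Key direction given on the tls-auth line of FILE (empty if none is given).
tls_auth_direction() {
    sed 's/^[[:space:]]*//' "$1" | awk '$1 == "tls-auth" && NF >= 3 { print $NF; exit }'
}

# check_openvpn_conf MODE FILE   (MODE is "server" or "client")
# Prints one line per problem and returns 0 only when none were found.
check_openvpn_conf() {
    cfg_mode=$1; cfg_file=$2; cfg_problems=0
    if [ ! -r "$cfg_file" ]; then
        echo "cannot read $cfg_file"; return 1
    fi
    case $cfg_mode in
        server) cfg_required="port proto dev ca cert key dh server tls-auth keepalive user group persist-key persist-tun"
                cfg_want_dir=0 ;;
        client) cfg_required="client dev proto remote nobind ca cert key tls-auth persist-key persist-tun"
                cfg_want_dir=1 ;;
        *) echo "mode must be server or client"; return 1 ;;
    esac
    for cfg_d in $cfg_required; do
        if ! conf_has "$cfg_file" "$cfg_d"; then
            echo "$cfg_file: missing directive '$cfg_d'"
            cfg_problems=$((cfg_problems + 1))
        fi
    done
    # The tls-auth key direction must be 0 on the server and 1 on the client;
    # otherwise the HMAC check on the control channel fails and nobody connects.
    cfg_dir=$(tls_auth_direction "$cfg_file")
    if [ -n "$cfg_dir" ] && [ "$cfg_dir" != "$cfg_want_dir" ]; then
        echo "$cfg_file: tls-auth direction is $cfg_dir, expected $cfg_want_dir for a $cfg_mode"
        cfg_problems=$((cfg_problems + 1))
    fi
    # A client must pin the server role of the peer certificate (ns-cert-type
    # server in the post's client.conf, remote-cert-tls server on newer builds).
    if [ "$cfg_mode" = client ] && ! conf_has "$cfg_file" ns-cert-type \
       && ! conf_has "$cfg_file" remote-cert-tls; then
        echo "$cfg_file: no ns-cert-type/remote-cert-tls, the server certificate is not pinned to the server role"
        cfg_problems=$((cfg_problems + 1))
    fi
    [ "$cfg_problems" -eq 0 ]
}

# Usage:  check_openvpn_conf server /etc/openvpn/server.conf
#         check_openvpn_conf client /etc/openvpn/client.conf
if [ $# -ge 2 ]; then
    check_openvpn_conf "$1" "$2"
fi
```

The check is deliberately strict about the client side: a missing tls-auth line or a wrong direction only costs you a connection, while a missing ns-cert-type line costs you the guarantee that you are talking to your own server.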

Step 6: Forwarding isn't ready yet, enable the kernel router

By now we can connect to the VPN server, but once the connection is up we still cannot reach the internet, because IP forwarding (the router built into the kernel) is not enabled on the slice yet. Type [sudo sysctl -a | grep for] and you will see net.ipv4.ip_forward = 0 among the output. Use [sudo sysctl -w net.ipv4.ip_forward=1] to change the value. After that, [sudo sysctl -a | grep for] shows the following.

kernel.sched_domain.cpu0.domain0.forkexec_idx = 1
kernel.sched_domain.cpu1.domain0.forkexec_idx = 1
kernel.sched_domain.cpu2.domain0.forkexec_idx = 1
kernel.sched_domain.cpu3.domain0.forkexec_idx = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.force_igmp_version = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.force_igmp_version = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.force_igmp_version = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.force_igmp_version = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.force_igmp_version = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.force_igmp_version = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.force_mld_version = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.force_mld_version = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth1.force_mld_version = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.force_mld_version = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.force_mld_version = 0
net.ipv6.conf.tun0.forwarding = 0
net.ipv6.conf.tun0.force_mld_version = 0

Alternatively, you can edit /etc/sysctl.conf: it contains a commented-out line [net.ipv4.ip_forward=1]; uncomment it and run sudo sysctl -p to apply the change. I have read some guides that use [echo "1" > /proc/sys/net/ipv4/ip_forward] to enable the kernel's simple built-in router. It works, but the setting is lost as soon as you reboot the machine, so if you go that way add the command to /etc/rc.d/rc.local.
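The persistent variant of the step above, as an added example that is not part of the original post: a pair of shell functions that make net.ipv4.ip_forward=1 active in a sysctl.conf file and report whether it is. The file path is a parameter so the edit can be rehearsed on a copy before /etc/sysctl.conf is touched; the function names are my own, and the "last assignment wins" rule it relies on is how sysctl -p loads the file.

```shell
#!/bin/sh
# Added example, not from the original post: persist net.ipv4.ip_forward=1
# in a sysctl.conf file instead of writing to /proc, which does not survive
# a reboot.

# ip_forward_active FILE: 0 if the last uncommented net.ipv4.ip_forward
# assignment in FILE is 1 (the last one wins when sysctl -p loads the file).
ip_forward_active() {
    ifa_val=$(sed 's/^[[:space:]]*//' "$1" \
        | grep '^net\.ipv4\.ip_forward[[:space:]]*=' \
        | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//')
    [ "$ifa_val" = 1 ]
}

# enable_ip_forward_in FILE: leave an active line alone, uncomment the
# sample "#net.ipv4.ip_forward=1" line if there is one, otherwise append
# the setting. Running it twice changes nothing the second time.
enable_ip_forward_in() {
    eif_file=$1
    eif_re='^[[:space:]]*#[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
    if ip_forward_active "$eif_file"; then
        echo "$eif_file: already enabled"
    elif grep -q "$eif_re" "$eif_file"; then
        # drop the leading "#" of the commented sample line; sed -i is not
        # POSIX, so go through a temporary file
        sed 's/^[[:space:]]*#[[:space:]]*\(net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*\)$/\1/' \
            "$eif_file" > "$eif_file.tmp" && mv "$eif_file.tmp" "$eif_file"
        echo "$eif_file: uncommented the sample line"
    else
        printf '\n# forward packets between the tun interface and eth0 for VPN clients\nnet.ipv4.ip_forward=1\n' >> "$eif_file"
        echo "$eif_file: appended"
    fi
    ip_forward_active "$eif_file"
}

# Usage:
#   cp /etc/sysctl.conf /tmp/sysctl.conf && enable_ip_forward_in /tmp/sysctl.conf   # rehearse on a copy
#   enable_ip_forward_in /etc/sysctl.conf && sysctl -p                                # as root, apply for real
```

After sysctl -p, [sysctl net.ipv4.ip_forward] should print 1, and it will still print 1 after the next reboot, which is the whole point of editing the file rather than /proc.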

Step 7: Start your VPN server and try it out


sudo /etc/init.d/openvpn start

OR
append the command [/usr/local/sbin/openvpn --config /etc/openvpn/server.conf > /dev/null 2>&1 &] to /etc/rc.local.
This tutorial is based on Ubuntu. You may need to adjust the commands if you want to set up an OpenVPN server on another Unix-like system. If you want to use OpenVPN on Windows, I recommend OpenVPN GUI for Windows.
Thanks for reading!

12 Responses to “OpenVPN setup on Slicehost VPS”

  1. Glorat May 1st, 2010 at 2:13 pm

    Very useful guide! I’m also a slicehost customer trying to set up the same thing. So far, I have my VPN server working and my client connecting but no traffic is routing.

    Would you mind posting a link to your complete server.conf? In particular, I’m wondering if there is an important push “route” command I’m needing

    Thanks!

  2. admin May 1st, 2010 at 3:19 pm

    Hi Glorat,
    I do post my setting of server.conf on the STEP 3 above.
    If your VPN client can’t route through your VPN server. Have you followed the STEP 6? You should enable the router as I mentioned on step6. It’s the simple route that built in linux kernel:) It’s not the thing coming with OpenVPN IMO.
    Try to open it. then connect your VPN server again!

    If you have already followed all of the above steps. Welcome to discuss further:)

    Thanks for your comment!

  3. orange80 June 13th, 2010 at 4:43 pm

    Hi,
    Nice guide :) I’m trying to set up OpenVPN on Slicehost too (using Ubuntu Server 10.04 64-bit).

    Can you tell me, what should I put on the “server” line in Step 3 where it says “x.x.0.0″? Do I actually put “x” or something specific to my server? Is it just my public facing IP address?

    Thanks for posting your guide!!

    Jamie

  4. admin June 13th, 2010 at 10:15 pm

    @orange80, it should be a given ip. In other words, replace x with numbers in the case. As of the IP, it uses to specify a sub private network/pool as a virtual Ethernet bridge. If you copy or move the sample config file. You may see there are comment line [#server 10.8.0.0 255.255.255.0]. There are the explanation above the each uncomment/comment command, so please read it for understanding. Don’t just follow the guide to do step by step. We should try to understand its behind. I am writing the guide for memory:) Thanks for your reading and comments!

  5. Josh July 3rd, 2010 at 5:50 pm

    I’m having problems, I can’t seem to find any of the folders your talking about..
    I have installed it from the package.
    cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/open/vpn
    cp: cannot create directory `/etc/open/vpn’: No such file or directory

    any ideas why?

  6. admin September 26th, 2010 at 1:43 am

    Sorry for the delay…Try to use the following comment to locate the folder based upon your installation. whereis openvpn or locate openvpn. For more information, just man whereis or man locate. Thanks for your visiting!

  7. Derek October 6th, 2010 at 12:06 am

    cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/open/vpn

    should it not be /etc/openvpn at the end of the line?

  8. admin October 6th, 2010 at 2:26 am

    based upon the location of the openvpn you installed.

  9. Alan December 27th, 2010 at 1:55 pm

    I have setup the openvpn server based on your instructions in the slice host account. And , it worked . But the default gateway is not changed, still my client computer’s eth0 gateway address.

    my server.conf

    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh /etc/openvpn/dh1024.pem

    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1"
    push "route-gateway "
    push "dhcp-option DNS 8.8.8.8"
    keepalive 10 120
    tls-auth ta.key 0
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3

    This is the message I am receiving..

    OPTIONS IMPORT: timers and/or timeouts modified
    OPTIONS IMPORT: --ifconfig/up options modified
    OPTIONS IMPORT: route options modified
    OPTIONS IMPORT: route-related options modified
    OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    ROUTE default_gateway=192.168.1.254 ( Instead I’m supposed to receive the gateway of slice host)
    TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{0E7C216A-8AB4-4147-9EAF-3CF625415AD2}.tap
    TAP-Win32 Driver Version 9.7
    TAP-Win32 MTU=1500
    Set TAP-Win32 TUN subnet mode network/local/netmask = 10.8.0.0/10.8.0.2/255.255.255.0 [SUCCEEDED]

    I’m able to receive an IP, but not able to redirect all traffic through slice host account.

    Please help!

  10. Alan December 27th, 2010 at 1:57 pm

    And I forget to mention, I enable kernel level routing, and set the IPtables for postrouting. But still not able to get the default gw address.

    Thanks in advance. Please help!

  11. admin December 28th, 2010 at 1:58 am

    @Alan, to be honest! I didn’t use the VPN at the moment! Even I have uninstalled the OPENVPN application on my client side completely. So I have no ability to debug and work the solution out here! And I think you maybe need some tweaking on your client side! The matter may not be caused by your OPENVPN server config:) Let me know your success!

  12. admin December 28th, 2010 at 1:59 am

    @Josh, let us know your OS! You know, the above configuration is all based upon Ubuntu…

© 2009 - GGIN.Com