Using OpenVPN to build a VPN server for Remote Users


Have you ever wanted to be able to access your systems remotely? Are you running a business where you have employees on the road that need access to internal system resources? Want a secure, functional, scalable, free solution that will rival that of the top manufacturers on the market?

I thought you’d say yes! Come along, we’re going to stand up a free VPN server that is easy to manage and works with Mac OS X, Linux and Windows!

As I stated before, we’re going to reference back to a blog post I wrote a while back. We need a clean Debian Server install for what we’re about to do. So, please, start by building a Minimal Install of Debian Server and then come back here when you’re done 🙂

… 

… 

Glad to see you’re back! So let’s get going on this OpenVPN project.

 

So you’ve got a fresh install of Debian Server 6 (Squeeze). The first thing we need to do here is get some software installed.

sudo apt-get install openvpn

 

Now I wish I could say it was that easy, but if it were, I wouldn’t be writing this blog. From here we start our configuration. OpenVPN works based on certificates, so we need to put together a Public Key Infrastructure (PKI) in order for this to work. According to OpenVPN’s website, the PKI consists of:

  • a separate certificate (also known as a public key) and private key for the server and each client, and
  • a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.

OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established. You can read more about this at the OpenVPN website. For now let’s just continue on.

 

What I did is just make a full copy of all the files in the “/usr/share/doc/openvpn” directory into the “/etc/openvpn/” directory.

sudo cp -R /usr/share/doc/openvpn/ /etc/openvpn/

 
Next I made a copy of the easy-rsa directory, which really is redundant to the last step, but makes life easier.

sudo cp -R /etc/openvpn/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa/

 

Now go ahead and go into your “/etc/openvpn/easy-rsa/2.0” directory and become root:

cd /etc/openvpn/easy-rsa/2.0
su root

 
From here, we need to build the PKI. Now that we have all our files in place, we can do that like this:

. ./vars
./clean-all
./build-ca

 
Note that the command “. ./vars” is very important. It is called sourcing the file: it loaded a set of variables (such as the default certificate fields you see offered in square brackets below) into your current shell, and the “./build-ca” script you ran afterwards relied on them.

 

Here is what those commands looked like in my terminal, including the prompts you should expect:

steve @ debian ~ :( ᛤ>   su root
Password:
root@debian:/etc/openvpn/easy-rsa/2.0# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
root@debian:/etc/openvpn/easy-rsa/2.0# ./clean-all
root@debian:/etc/openvpn/easy-rsa/2.0# ./build-ca
Generating a 2048 bit RSA private key
.......................................+++
.......+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [OH]:
Locality Name (eg, city) [Concord]:
Organization Name (eg, company) [Erdmanor]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Erdmanor CA]:
Name []:Steve Erdman
Email Address [openvpn@erdmanor.com]:
root@debian:/etc/openvpn/easy-rsa/2.0#

 

Now that we have the CA certificate built for the PKI, we need a server certificate:

root@debian:/etc/openvpn/easy-rsa/2.0# ./build-key-server server
Generating a 2048 bit RSA private key
...............................+++
............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:^C
root@debian:/etc/openvpn/easy-rsa/2.0# ./build-key-server debian
Generating a 2048 bit RSA private key
............+++
.........................................+++
writing new private key to 'debian.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [OH]:
Locality Name (eg, city) [Concord]:
Organization Name (eg, company) [Erdmanor]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [debian]:
Name []:
Email Address [openvpn@erdmanor.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:{strong-passwd-here}
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'OH'
localityName          :PRINTABLE:'Concord'
organizationName      :PRINTABLE:'Erdmanor'
commonName            :PRINTABLE:'debian'
emailAddress          :IA5STRING:'openvpn@erdmanor.com'
Certificate is to be certified until Dec 16 18:57:19 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@debian:/etc/openvpn/easy-rsa/2.0#

 

Assuming that all went to plan and you had no hiccups, we now need to build some client access keys.
This is easy to accomplish by running these commands:
# Keep in mind that you need to create keys for every person that will have access to your VPN server, and they MUST have unique Common Names!

./build-key client1
./build-key client2
./build-key client3
./build-key mary
./build-key steve

 

Remember that for each client key, make sure to enter the appropriate Common Name when prompted, i.e. “Mary”, “John”, or “Steve”. ALWAYS use a unique common name for each client key.

Here is the output from that command:

root@debian:/etc/openvpn/easy-rsa/2.0# ./build-key steve
Generating a 2048 bit RSA private key
...........................................................................................................................................................+++
...............+++
writing new private key to 'steve.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [OH]:
Locality Name (eg, city) [Concord]:
Organization Name (eg, company) [Erdmanor]:
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) [steve]:
Name []:steve
Email Address [openvpn@erdmanor.com]:steve@erdmanor.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:StrongPassword
An optional company name []:erdmanor
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'OH'
localityName          :PRINTABLE:'Concord'
organizationName      :PRINTABLE:'Erdmanor'
commonName            :PRINTABLE:'steve'
name                  :PRINTABLE:'steve'
emailAddress          :IA5STRING:'steve@erdmanor.com'
Certificate is to be certified until Dec 16 21:30:01 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

Now that you’ve created at least a couple of client keys, we need to generate Diffie-Hellman parameters. If you want more information, please visit RSA’s website that talks about Diffie-Hellman.

In order to build the Diffie Hellman keys, just issue the “./build-dh” command like this… It takes a couple minutes, so be patient!

root@debian:/etc/openvpn/easy-rsa/2.0# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
root@debian:/etc/openvpn/easy-rsa/2.0#

 

Alright, so we’re at the halfway point. Now we have to start generating some configs for our end users and the server.
What I did here is take the sample server config from the “/etc/openvpn/openvpn/examples/sample-config-files” directory
and modify it. It makes it pretty easy. Once I was done modifying it I saved it in “/etc/openvpn/”.

 

So here’s my example for you:

root@debian:/etc/openvpn# cat server.conf
# Which local IP address should OpenVPN listen on?
local 192.168.86.13

# Which TCP/UDP port should OpenVPN listen on?
port 443

# TCP or UDP server?
proto tcp

# "dev tun" will create a routed IP tunnel,
dev tun

#Certificates
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/debian.crt
key /etc/openvpn/easy-rsa/2.0/keys/debian.key

# Diffie hellman parameters.
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem

# Configure server mode and supply a VPN subnet for OpenVPN to draw client addresses from.
server 192.168.100.0 255.255.255.0

# Maintain a record of client <-> virtual IP address associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned the same virtual IP address from the pool.
ifconfig-pool-persist ipp.txt

# Push routes to the client to allow it to reach other private subnets behind the server.
push "route 172.25.87.0 255.255.255.0"
push "route 172.16.78.0 255.255.255.0"

# Certain Windows-specific network settings can be pushed to clients, such as DNS.
push "dhcp-option DNS 172.25.87.5"
;push "dhcp-option DNS 172.25.87.12"

# Uncomment this directive to allow different clients to be able to "see" each other.
;client-to-client

# The keepalive directive causes ping-like messages to be sent back and forth to keep the connection alive
keepalive 10 120

# Select a cryptographic cipher. This config item must be copied to the client config file as well.
cipher AES-128-CBC   # AES

# Enable compression on the VPN link. If you enable it here, you must also enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected clients we want to allow.
max-clients 10

# It's a good idea to reduce the OpenVPN daemon's privileges after initialization.
user nobody
group nogroup

# The persist options will try to avoid accessing certain resources on restart
# that may no longer be accessible because of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing current connections, truncated and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog
log-append  openvpn.log

# Set the appropriate level of log file verbosity.
# 0 is silent, except for fatal errors
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 5

# Silence repeating messages.  At most 20 sequential messages of the same message category will be output to the log.
mute 10

 

Now we need to create a client compatible configuration file. Here is a copy of mine. Again, I started with the sample and modified it.

root@debian:/etc/openvpn# cat client.conf
# Specify that we are a client and that we will be pulling certain config file directives from the server.
client

# Use the same setting as you are using on the server.
dev tun

# Are we connecting to a TCP or UDP server?
proto tcp

# The hostname/IP and port of the server.
remote 108.227.33.121 443

# Most clients don't need to bind to a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# Wireless networks often produce a lot of duplicate packets.  Set this flag to silence duplicate packet warnings.
mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/steve.crt
key /etc/openvpn/steve.key

# To use this feature, you will need to generate your server certificates with the nsCertType
# field set to "server".  The build-key-server script in the easy-rsa folder will do this.
ns-cert-type server


# Select a cryptographic cipher.
cipher AES-128-CBC

# Enable compression on the VPN link.
comp-lzo

# Set log file verbosity.
verb 4

# Silence repeating messages
mute 10

 

Alright, so we’ve got some config files now, along with all of our certificates. Let’s get some testing done.

To do that, you’re going to have to get your computer or virtual machine on a different network. What I did was
I put my laptop out in my DMZ and then I created an inbound NAT through my Firewall to allow my OpenVPN server
to communicate with traffic from the internet over TCP port 443.

 

To start your OpenVPN Server, issue this command:

root@debian:/etc/openvpn# openvpn /etc/openvpn/server.conf &

 

You’ll notice that running “openvpn /etc/openvpn/server.conf &” with the ampersand (&) at the end starts the program in the background, so you get your shell prompt back.

 

If the server doesn’t start properly, you’ll need to check the log file and figure out where it’s failing. Because server.conf uses the relative path “log-append openvpn.log” and we started openvpn from /etc/openvpn, the log file is located here: “/etc/openvpn/openvpn.log”

 

My log file looked like this after I was able to start the OpenVPN server:

Tue Dec 18 15:32:42 2012 us=353858 Current Parameter Settings:
Tue Dec 18 15:32:42 2012 us=353900   config = '/etc/openvpn/server.conf'
Tue Dec 18 15:32:42 2012 us=353907   mode = 1
Tue Dec 18 15:32:42 2012 us=353912   persist_config = DISABLED
Tue Dec 18 15:32:42 2012 us=353918   persist_mode = 1
Tue Dec 18 15:32:42 2012 us=353923   show_ciphers = DISABLED
Tue Dec 18 15:32:42 2012 us=353928   show_digests = DISABLED
Tue Dec 18 15:32:42 2012 us=353933   show_engines = DISABLED
Tue Dec 18 15:32:42 2012 us=353938   genkey = DISABLED
Tue Dec 18 15:32:42 2012 us=353943   key_pass_file = '[UNDEF]'
Tue Dec 18 15:32:42 2012 us=353948 NOTE: --mute triggered...
Tue Dec 18 15:32:42 2012 us=353961 259 variation(s) on previous 10 message(s) suppressed by --mute
Tue Dec 18 15:32:42 2012 us=353986 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 21 2012
Tue Dec 18 15:32:42 2012 us=354119 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Dec 18 15:32:42 2012 us=365278 Diffie-Hellman initialized with 2048 bit key
Tue Dec 18 15:32:42 2012 us=365826 /usr/bin/openssl-vulnkey -q -b 2048 -m <modulus omitted>
Tue Dec 18 15:32:42 2012 us=441140 TLS-Auth MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Dec 18 15:32:42 2012 us=441251 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Dec 18 15:32:42 2012 us=441375 ROUTE default_gateway=InternalDFG
Tue Dec 18 15:32:42 2012 us=445215 TUN/TAP device tun0 opened
Tue Dec 18 15:32:42 2012 us=445239 TUN/TAP TX queue length set to 100
Tue Dec 18 15:32:42 2012 us=445269 /sbin/ifconfig tun0 192.168.100.1 pointopoint 192.168.100.2 mtu 1500
Tue Dec 18 15:32:42 2012 us=446314 /sbin/route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.100.2
Tue Dec 18 15:32:42 2012 us=447801 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Dec 18 15:32:42 2012 us=447971 GID set to nogroup
Tue Dec 18 15:32:42 2012 us=447971 UID set to nobody
Tue Dec 18 15:32:42 2012 us=447971 Listening for incoming TCP connection on [AF_INET]InternalIPAddress:443
Tue Dec 18 15:32:42 2012 us=447971 TCPv4_SERVER link local (bound): [AF_INET]InternalIP:443
Tue Dec 18 15:32:42 2012 us=447971 TCPv4_SERVER link remote: [undef]
Tue Dec 18 15:32:42 2012 us=447971 MULTI: multi_init called, r=256 v=256
Tue Dec 18 15:32:42 2012 us=448557 IFCONFIG POOL: base=192.168.100.4 size=62
Tue Dec 18 15:32:42 2012 us=448622 IFCONFIG POOL LIST
Tue Dec 18 15:32:42 2012 us=448648 MULTI: TCP INIT maxclients=10 maxevents=14
Tue Dec 18 15:32:42 2012 us=448678 Initialization Sequence Completed

 
 

So now that our server is started, let’s get our client connected and test that out…
You need to compress some files into a tar.gz file and move it over to your client.
Be very careful about which files you move, though! I got this list from OpenVPN’s website.

Filename     Needed By                  Purpose                     Secret
ca.crt       server + all clients       Root CA certificate         NO
ca.key       key signing machine only   Root CA key                 YES
dh{n}.pem    server only                Diffie Hellman parameters   NO
server.crt   server only                Server Certificate          NO
server.key   server only                Server Key                  YES
steve.crt    steve only                 steve Certificate           NO
steve.key    steve only                 steve Key                   YES
mary.crt     mary only                  mary Certificate            NO
mary.key     mary only                  mary Key                    YES
john.crt     john only                  john Certificate            NO
john.key     john only                  john Key                    YES

 

From the table above, I need to move the “ca.crt”, “steve.crt”, “steve.key” and the “/etc/openvpn/client.conf”
files over to my virtual machine on my laptop. The easiest way to do that is like this:

root@debian:/etc/openvpn# cd easy-rsa/2.0/keys/
root@debian:/etc/openvpn/easy-rsa/2.0/keys# ls -alh
total 72K
drwx------ 2 root root 4.0K Dec 18 15:49 .
drwxr-xr-x 3 root root 4.0K Dec 18 13:42 ..
-rw-r--r-- 1 root root 5.3K Dec 18 13:57 01.pem
-rw-r--r-- 1 root root 1.7K Dec 18 13:42 ca.crt
-rw------- 1 root root 1.7K Dec 18 13:42 ca.key
-rw-r--r-- 1 root root 3.2K Dec 18 15:49 certs.tar.gz
-rw-r--r-- 1 root root 5.3K Dec 18 13:57 debian.crt
-rw-r--r-- 1 root root 1.1K Dec 18 13:57 debian.csr
-rw------- 1 root root 1.7K Dec 18 13:57 debian.key
-rw-r--r-- 1 root root  424 Dec 18 14:10 dh2048.pem
-rw-r--r-- 1 root root  105 Dec 18 13:57 index.txt
-rw-r--r-- 1 root root   21 Dec 18 13:57 index.txt.attr
-rw-r--r-- 1 root root    0 Dec 18 13:42 index.txt.old
-rw-r--r-- 1 root root    3 Dec 18 13:57 serial
-rw-r--r-- 1 root root    3 Dec 18 13:42 serial.old
-rw-r--r-- 1 root root    0 Dec 18 13:56 server.key
-rw-r--r-- 1 root root    0 Dec 18 14:05 steve.crt
-rw-r--r-- 1 root root 1.1K Dec 18 14:05 steve.csr
-rw-r--r-- 1 root root 1.7K Dec 18 14:05 steve.key



root@debian:/etc/openvpn/easy-rsa/2.0/keys# tar -czvf certs.tar.gz ca.crt steve.key steve.csr steve.crt
ca.crt
steve.key
steve.csr
steve.crt
root@debian:/etc/openvpn/easy-rsa/2.0/keys# scp certs.tar.gz steve@laptopvm:
steve@172.25.87.41's password:
certs.tar.gz                                                                                                           100% 3209     3.1KB/s   00:00    
root@debian:/etc/openvpn/easy-rsa/2.0/keys# cd ../../..
root@debian:/etc/openvpn# scp client.conf steve@laptopvm:
steve@laptopvm's password:
client.conf                                                                                                            100% 1396     1.4KB/s   00:00    
root@debian:/etc/openvpn#
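
Two rules from above are easy to break by hand: each client must have a unique Common Name, and a user’s bundle must contain only ca.crt plus that user’s own .crt and .key (ca.key, the server pair and other people’s keys never leave the signing machine; the .csr is just the signing request and the client does not read it). Here is an added example (not from the original post) that packs one client’s tarball only after checking easy-rsa’s CA database, keys/index.txt, for exactly one valid certificate with that CN. The keys directory it builds is a constructed fixture with placeholder file contents, not real keys, and the function names are my own; it cannot tell the server’s certificate from a client’s by name, so don’t pass the server’s CN.

```shell
#!/bin/sh
# Package what one remote user needs and nothing more: ca.crt (public), <cn>.crt
# and <cn>.key. Before packing, the easy-rsa CA database (keys/index.txt) is
# consulted so that only a CN with exactly one valid certificate is shipped.

# Print the status column (V valid, R revoked, E expired) of every index.txt row
# whose subject carries CN=$2. Rows are tab-separated: status, expiry,
# revocation date, serial, filename, subject DN.
ovpn_index_status() {
    index=$1; cn=$2
    awk -F'\t' -v cn="$cn" '
        { n = split($6, part, "/")
          for (i = 1; i <= n; i++) if (part[i] == "CN=" cn) print $1 }
    ' "$index"
}

# Build OUT (a .tar.gz) for client CN from KEYS_DIR. Returns 1 and explains on
# stderr whenever shipping would be wrong.
ovpn_bundle_client() {
    keys=$1; cn=$2; out=$3
    case "$cn" in
        ""|ca|*/*) echo "refusing: '$cn' is not a client common name" >&2; return 1 ;;
    esac
    # Exactly one valid certificate for this CN: zero means not issued or revoked,
    # two or more means a duplicated common name.
    valid=$(ovpn_index_status "$keys/index.txt" "$cn" | grep -c '^V$' || true)
    if [ "$valid" -ne 1 ]; then
        echo "refusing: index.txt lists $valid valid certificate(s) for CN=$cn (need exactly one)" >&2
        return 1
    fi
    # An interrupted build-key leaves a zero-byte file behind; never ship one.
    for f in ca.crt "$cn.crt" "$cn.key"; do
        if [ ! -s "$keys/$f" ]; then
            echo "refusing: $keys/$f is missing or empty; rerun ./build-key $cn" >&2
            return 1
        fi
    done
    tar -czf "$out" -C "$keys" ca.crt "$cn.crt" "$cn.key"
}

# Constructed fixture shaped like easy-rsa's keys/ directory: placeholder file
# contents (not real keys) and an index.txt with a valid server cert (debian),
# a valid client (steve), a client whose .crt is zero bytes (mary), a revoked
# client (john) and a CN issued twice (bob). Prints the directory path.
ovpn_demo_keys() {
    d=$(mktemp -d)
    for f in ca.crt ca.key dh2048.pem debian.crt debian.key steve.crt steve.key steve.csr \
             mary.key john.crt john.key bob.crt bob.key; do
        printf 'placeholder contents of %s (constructed, not a real key)\n' "$f" > "$d/$f"
    done
    : > "$d/mary.crt"
    dn='/C=US/ST=OH/L=Concord/O=Erdmanor/CN=%s/emailAddress=openvpn@erdmanor.com'
    {
        printf "V\t221216185719Z\t\t01\tunknown\t$dn\n" debian
        printf "V\t221216213001Z\t\t02\tunknown\t$dn\n" steve
        printf "V\t221216213500Z\t\t03\tunknown\t$dn\n" mary
        printf "R\t221216214000Z\t121218160000Z\t04\tunknown\t$dn\n" john
        printf "V\t221216214500Z\t\t05\tunknown\t$dn\n" bob
        printf "V\t221217090000Z\t\t06\tunknown\t$dn\n" bob
    } > "$d/index.txt"
    echo "$d"
}

# Stand-alone run: only steve gets a bundle; mary, john and bob are refused.
keys=$(ovpn_demo_keys)
for cn in steve mary john bob; do
    ovpn_bundle_client "$keys" "$cn" "$keys/$cn.tar.gz" &&
        echo "bundled $cn: $(tar -tzf "$keys/$cn.tar.gz" | tr '\n' ' ')"
done
```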

 

So now that we’ve got the files moved over, let’s extract them on our remote laptop/VM and try connecting!

sudo apt-get install openvpn
steve @ mint13-vmtestSte ~ :) ᛤ>   sudo mv Downloads/ovpn/client.conf /etc/openvpn/
steve @ mint13-vmtestSte ~ :) ᛤ>   sudo mv Downloads/ovpn/certs.tar.gz /etc/openvpn/
steve @ mint13-vmtestSte ~ :) ᛤ>   cd /etc/openvpn/
steve @ mint13-vmtestSte ~ :) ᛤ>   sudo tar -zxvf certs.tar.gz
ca.crt
steve.key
steve.csr
steve.crt
steve @ mint13-vmtestSte ~ :) ᛤ>   ls -alh
total 40K
drwxr-xr-x   2 root  root  4.0K Dec 18 16:10 .
drwxr-xr-x 165 root  root   12K Dec 18 13:04 ..
-rw-r--r--   1 root  root  1.7K Dec 18 13:42 ca.crt
-rw-r--r--   1 steve steve 3.2K Dec 18 16:06 certs.tar.gz
-rw-r--r--   1 steve steve 1.4K Dec 18 16:06 client.conf
-rw-r--r--   1 root  root     0 Dec 18 14:05 steve.crt
-rw-r--r--   1 root  root  1.1K Dec 18 14:05 steve.csr
-rw-r--r--   1 root  root  1.7K Dec 18 14:05 steve.key
-rwxr-xr-x   1 root  root  1.4K Mar 30  2012 update-resolv-conf

 
 

Perfect, so now we have all the files we need over on our client machine. Let’s fire up the OpenVPN client and connect!

sudo openvpn --config /etc/openvpn/client.conf

 
 

And here we go!

steve @ mint13-vmtestSte ~ :( ᛤ>   sudo openvpn client.conf
Tue Dec 18 16:39:01 2012 us=954779 Current Parameter Settings:
Tue Dec 18 16:39:01 2012 us=954857   config = 'client.conf'
Tue Dec 18 16:39:01 2012 us=954871   mode = 0
Tue Dec 18 16:39:01 2012 us=954882   persist_config = DISABLED
Tue Dec 18 16:39:01 2012 us=954892   persist_mode = 1
Tue Dec 18 16:39:01 2012 us=954902   show_ciphers = DISABLED
Tue Dec 18 16:39:01 2012 us=954911   show_digests = DISABLED
Tue Dec 18 16:39:01 2012 us=954941   show_engines = DISABLED
Tue Dec 18 16:39:01 2012 us=954951   genkey = DISABLED
Tue Dec 18 16:39:01 2012 us=954968   key_pass_file = '[UNDEF]'
Tue Dec 18 16:39:01 2012 us=954977 NOTE: --mute triggered...
Tue Dec 18 16:39:01 2012 us=955003 263 variation(s) on previous 10 message(s) suppressed by --mute
Tue Dec 18 16:39:01 2012 us=955016 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 30 2012
Tue Dec 18 16:39:01 2012 us=955090 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Dec 18 16:39:01 2012 us=955786 LZO compression initialized
Tue Dec 18 16:39:01 2012 us=955879 Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Dec 18 16:39:01 2012 us=955915 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Dec 18 16:39:01 2012 us=955963 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Dec 18 16:39:01 2012 us=955982 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Dec 18 16:39:01 2012 us=955996 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Dec 18 16:39:01 2012 us=956015 Local Options hash (VER=V4): 'bc07730e'
Tue Dec 18 16:39:01 2012 us=956032 Expected Remote Options hash (VER=V4): 'b695cb4a'
Tue Dec 18 16:39:01 2012 us=956055 Attempting to establish TCP connection with [AF_INET]108.227.33.121:443 [nonblock]
Tue Dec 18 16:39:02 2012 us=956413 TCP connection established with [AF_INET]108.227.33.121:443
Tue Dec 18 16:39:02 2012 us=956506 TCPv4_CLIENT link local: [undef]
Tue Dec 18 16:39:02 2012 us=956519 TCPv4_CLIENT link remote: [AF_INET]108.227.33.121:443
Tue Dec 18 16:39:02 2012 us=958717 TLS: Initial packet from [AF_INET]108.227.33.121:443, sid=08875880 47d8cd8a
Tue Dec 18 16:39:03 2012 us=41294 VERIFY OK: depth=1, /C=US/ST=OH/L=Concord/O=Erdmanor/CN=Erdmanor_CA/name=Steve_Erdman/emailAddress=openvpn@erdmanor.com
Tue Dec 18 16:39:03 2012 us=41466 VERIFY OK: nsCertType=SERVER
Tue Dec 18 16:39:03 2012 us=41477 VERIFY OK: depth=0, /C=US/ST=OH/L=Concord/O=Erdmanor/CN=debian/emailAddress=openvpn@erdmanor.com
Tue Dec 18 16:39:03 2012 us=159315 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Dec 18 16:39:03 2012 us=159359 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 18 16:39:03 2012 us=159371 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Dec 18 16:39:03 2012 us=159382 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 18 16:39:03 2012 us=159454 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Dec 18 16:39:03 2012 us=159483 [debian] Peer Connection Initiated with [AF_INET]108.227.33.121:443
Tue Dec 18 16:39:05 2012 us=374495 SENT CONTROL [debian]: 'PUSH_REQUEST' (status=1)
Tue Dec 18 16:39:05 2012 us=377566 PUSH: Received control message: 'PUSH_REPLY,route internal 255.255.255.0,route dmz 255.255.255.0,dhcp-option DNS server1,route dfg,topology net30,ping 10,ping-restart 120,ifconfig 192.168.100.6 192.168.100.5'
Tue Dec 18 16:39:05 2012 us=377633 OPTIONS IMPORT: timers and/or timeouts modified
Tue Dec 18 16:39:05 2012 us=377642 OPTIONS IMPORT: --ifconfig/up options modified
Tue Dec 18 16:39:05 2012 us=377648 OPTIONS IMPORT: route options modified
Tue Dec 18 16:39:05 2012 us=377653 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Dec 18 16:39:05 2012 us=377778 ROUTE default_gateway=vmware-dfg
Tue Dec 18 16:39:05 2012 us=379161 TUN/TAP device tun0 opened
Tue Dec 18 16:39:05 2012 us=379182 TUN/TAP TX queue length set to 100
Tue Dec 18 16:39:05 2012 us=379196 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Dec 18 16:39:05 2012 us=379216 /sbin/ifconfig tun0 192.168.100.6 pointopoint 192.168.100.5 mtu 1500
Tue Dec 18 16:39:05 2012 us=395491 /sbin/route add -net internal-net netmask 255.255.255.0 gw 192.168.100.5
Tue Dec 18 16:39:05 2012 us=489456 /sbin/route add -net DMZ-NET netmask 255.255.255.0 gw 192.168.100.5
Tue Dec 18 16:39:05 2012 us=490170 /sbin/route add -net 192.168.100.1 netmask 255.255.255.255 gw 192.168.100.5
Tue Dec 18 16:39:05 2012 us=491006 Initialization Sequence Completed
^Z
[1]+  Stopped                 sudo openvpn client.conf
steve @ mint13-vmtestSte ~ :( ᛤ>   bg 1
[1]+ sudo openvpn client.conf &

 

And to verify, let’s try this:

steve @ mint13-vmtestSte ~ :) ᛤ>   ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:9f:f2:de  
          inet addr:192.168.79.165  Bcast:192.168.79.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe9f:f2de/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:49466 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44263 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20440249 (20.4 MB)  TX bytes:9473862 (9.4 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3587 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3587 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:368980 (368.9 KB)  TX bytes:368980 (368.9 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.100.6  P-t-P:192.168.100.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

 
 

We can see the tunnel adapter is up. Let’s verify internal connectivity:


BRIDGE MODE

 

Okay, but you’re saying, I don’t want to use Routed mode. I want to use Bridged mode. Alright then!

 

So from this point, you’ve got about 95% of the work done if you’ve been following along thus far. Let’s make sure we have “bridge-utils” installed ON THE SERVER.

sudo apt-get install bridge-utils

 

As soon as that is complete, shut down the Virtual Machine. We need to add a network adapter. But don’t fret! It’s a virtual adapter, so it’s easy.
After the VM is shut down, open up your VM VirtualBox Manager and make sure the VM is powered off.

Right click on your Virtual Machine, then click settings.

Click on the Network Tab in the left hand column.

Then click on the Adapter 2 tab in the main window.

Check the box to Enable Network Adapter, and then change the “Attach To” drop down menu to “Bridged Adapter”.

Then click “Ok” and go ahead and start that VM back up.

After the machine is started, SSH back into it and issue the “/sbin/ifconfig -a” command and verify that your adapter is working.

steve @ debian ~ :) ᛤ>   /sbin/ifconfig -a
eth2      Link encap:Ethernet  HWaddr 08:00:27:2c:c6:0f  
          inet addr:172.25.87.13  Bcast:192.168.86.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe2c:c60f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:236 errors:0 dropped:0 overruns:0 frame:0
          TX packets:141 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23050 (22.5 KiB)  TX bytes:18903 (18.4 KiB)

eth3      Link encap:Ethernet  HWaddr 08:00:27:aa:1a:2f  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 B)  TX bytes:560 (560.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.100.1  P-t-P:192.168.100.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

 

Alright, looking good. Let's go back and edit our /etc/network/interfaces file and add in that eth3 adapter.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth2
auto eth2
iface eth2 inet static
        address 172.25.87.13
        netmask 255.255.255.0
        network 172.25.87.0
        broadcast 172.25.87.255
        gateway 172.25.87.1

# The second network interface (the bridged adapter added above).
# Only one interface may carry the "gateway" line: a second default route on
# the same subnet makes "ifup eth3" fail with "RTNETLINK answers: File exists".
#allow-hotplug eth3
auto eth3
iface eth3 inet static
        address 172.25.87.14
        netmask 255.255.255.0
        network 172.25.87.0
        broadcast 172.25.87.255

Also, if you have an iptables policy on this box (Debian 6 ships the iptables tools, but with an empty ruleset and ACCEPT policies unless you added rules yourself), you'll need to let traffic in on the bridge. In bridged mode the host's IP stack sees packets from VPN clients arriving on br0, not on tap0 (tap0 is only a bridge port), so the br0 rules are the ones that matter. The rules below accept everything on those interfaces and are not persistent across a reboot:

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

OKAY! So now, open your /etc/openvpn/server.conf file back up and edit a few lines.

For starters, we need to take the TUN interface out and replace it with "tap0", the persistent device that the bridge-start script creates.

Then we need to replace the "server" line with a "server-bridge" line to accommodate our new bridge interface.

Here is my config file:

steve @ debian ~ :) ᛤ>   cat /etc/openvpn/server.conf
# Which local IP address should OpenVPN listen on?
local 172.25.87.13

# Which TCP/UDP port should OpenVPN listen on?
port 443

# TCP or UDP server?
proto tcp

# "dev tun" would create a routed IP tunnel; "dev tap" creates an Ethernet (layer 2) tunnel, which
# bridging requires. Naming the device (tap0) binds OpenVPN to the persistent tap created by bridge-start.
dev tap0

#Certificates
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/debian.crt
key /etc/openvpn/easy-rsa/2.0/keys/debian.key

# Diffie hellman parameters.
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem

# Bridge mode: the bridge's own IP and netmask, then the pool of LAN addresses handed out to clients.
# Keep the pool outside your LAN DHCP scope so the two never hand out the same address.
server-bridge 172.25.87.13 255.255.255.0 172.25.87.160 172.25.87.180

# Maintain a record of client <-> virtual IP address associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned the same virtual IP address from the pool.
ifconfig-pool-persist ipp.txt

# In bridge mode the client already has 172.25.87.0/24 as a connected route on tap0, so this push is
# redundant (harmless, but it can be removed).
push "route 172.25.87.0 255.255.255.0"

# Certain Windows-specific network settings can be pushed to clients, such as DNS.
push "dhcp-option DNS 172.25.87.34"
push "dhcp-option DNS 172.25.87.19"

# Uncomment this directive to allow different clients to be able to "see" each other.
;client-to-client

# The keepalive directive causes ping-like messages to be sent back and forth to keep the connection alive
keepalive 10 120

# Select a cryptographic cipher.This config item must be copied to the client config file as well.
cipher AES-128-CBC   # AES

# Enable compression on the VPN link.If you enable it here, you must also enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected clients we want to allow.
max-clients 10

# It's a good idea to reduce the OpenVPN daemon's privileges after initialization.
user nobody
group nogroup

# The persist options will try to avoid accessing certain resources on restart
# that may no longer be accessible because of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing current connections, truncated and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog
log-append  openvpn.log

# Set the appropriate level of log file verbosity.
# 0 is silent, except for fatal errors
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 5

# Silence repeating messages.  At most 20 sequential messages of the same message category will be output to the log.
mute 10
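
Three changes I would make to this server.conf before exposing port 443 to the Internet. This is an added example, not the post's own config: the ta.key path is an assumption (create the key once on the server with "openvpn --genkey --secret /etc/openvpn/easy-rsa/2.0/keys/ta.key" and copy it to each client over a trusted channel), crl.pem must exist before the server starts (easy-rsa's ./revoke-full writes it), and every line marked "both sides" has to be mirrored in client.conf or the two ends will not agree on their options.

```conf
# --- additions to /etc/openvpn/server.conf (bridge mode); the rest stays as above ---

# tls-auth: HMAC-sign every control-channel packet with a pre-shared key.
# A packet without a valid HMAC is dropped before OpenVPN's TLS code ever
# sees it, so port scanners get nothing back and TLS-stack bugs cannot be
# reached without the key. The server uses direction 0, clients direction 1
# ("tls-auth ta.key 1" in client.conf).                          -- both sides
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0

# crl-verify: honour the CRL that "./revoke-full <client>" writes, so a
# laptop that goes missing can be cut off without re-issuing the CA.
# The file is re-read at every connection, after the drop to "nobody",
# so it must stay readable by that user.
crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem

# Compression over an encrypted link lets an attacker who can inject
# plaintext into the tunnel learn secrets from the ciphertext sizes
# (the 2018 VORACLE attack on OpenVPN). Leave it off.          -- both sides
;comp-lzo

# The client's tap0 is already on 172.25.87.0/24, so this route is redundant.
;push "route 172.25.87.0 255.255.255.0"
```

If you disable comp-lzo on the server only, a client that still has it will send compressed frames the server cannot parse; change both files in the same maintenance window.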

 

 

Alright… So now, go to your OpenVPN directory:

cd /etc/openvpn

and create the start script:

sudo nano bridge-start

This code came from OpenVPN's Ethernet bridging page (linked in the references), so I can't take credit for it. Paste it in, then update the interface information to match your INTERNAL network: the physical interface to bridge and its IP, netmask and broadcast address, exactly as they appear in /etc/network/interfaces. One caveat: when eth2 gives up its address, the kernel drops every route that went through eth2, the default route included, so re-add the default gateway on br0 after the script has run or the server will no longer reach, or be reachable from, the Internet.

#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth2"
eth_ip="172.25.87.13"
eth_netmask="255.255.255.0"
eth_broadcast="172.25.87.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

 

Save that file, and then let's build your stop script:

sudo nano bridge-stop

 

Again, this script came straight from OpenVPN, so I can't take credit for it. No modification is needed here, just save it.

#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

ifconfig $br down
brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
done

 

Alright, now we need to make these files executable, so let's add the execute bit to them:

sudo chmod a+x bridge-st*

 

Perfect. Now run the start script, then start the server in the foreground for this test. (On Debian, /etc/init.d/openvpn starts every *.conf in /etc/openvpn at boot, so once this works, arrange for bridge-start to run first, for example from an "up" line on eth2 in /etc/network/interfaces.)

sudo ./bridge-start
sudo openvpn server.conf
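
Putting the bridge and firewall steps together: the script below is an added example, mine rather than OpenVPN's bridge-start, written for the interfaces and addresses used above. It assumes the default gateway 172.25.87.1 from the /etc/network/interfaces file and TCP port 443 from server.conf; both, like the interface names, are parameters. It performs the same sequence as bridge-start, then re-adds the default route on br0 (the kernel discards every route that used eth2 the moment eth2 loses its last address), and loads a stateful ruleset in place of the accept-everything rules given earlier. With DRY_RUN=1 it only prints what it would run, which is how to review it before running it as root.

```sh
#!/bin/sh
# bridge-up.sh: build br0 for OpenVPN tap bridging, restore the default
# route, and load a minimal iptables policy.  Added example, not part of the
# original post or of OpenVPN's bridge-start.  Defaults below are assumptions
# taken from the interfaces file and server.conf shown above; override them
# in the environment.
BR="${BR:-br0}"
TAP="${TAP:-tap0}"
ETH="${ETH:-eth2}"
ETH_IP="${ETH_IP:-172.25.87.13}"
ETH_NETMASK="${ETH_NETMASK:-255.255.255.0}"
ETH_BCAST="${ETH_BCAST:-172.25.87.255}"
ETH_GW="${ETH_GW:-172.25.87.1}"          # "gateway" in /etc/network/interfaces
LAN_NET="${LAN_NET:-172.25.87.0/24}"     # LAN, including the server-bridge pool
VPN_PROTO="${VPN_PROTO:-tcp}"            # "proto" in server.conf
VPN_PORT="${VPN_PORT:-443}"              # "port" in server.conf

# run: print the command, then execute it unless DRY_RUN=1.
run() {
    printf '%s\n' "$*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# bridge_up: the bridge-start sequence, plus the default route it loses.
bridge_up() {
    run openvpn --mktun --dev "$TAP"
    run brctl addbr "$BR"
    run brctl addif "$BR" "$ETH"
    run brctl addif "$BR" "$TAP"
    run ifconfig "$TAP" 0.0.0.0 promisc up
    # Taking the last address off $ETH makes the kernel drop every route that
    # went through it, the default route included.
    run ifconfig "$ETH" 0.0.0.0 promisc up
    run ifconfig "$BR" "$ETH_IP" netmask "$ETH_NETMASK" broadcast "$ETH_BCAST" up
    run route add default gw "$ETH_GW" "$BR"
}

# firewall_up: the host now receives everything, LAN and VPN alike, on $BR;
# $TAP is only a bridge port, so "-i tap0" rules in INPUT never match.
# Accept replies, the VPN port, ICMP and SSH from the LAN; drop the rest.
firewall_up() {
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$BR" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
    run iptables -A INPUT -i "$BR" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    run iptables -A INPUT -i "$BR" -p icmp -j ACCEPT
    # Frames bridged between tap0 and eth2 traverse FORWARD as -i br0 -o br0
    # while bridge-nf-call-iptables is on (the Debian 6 default); allow them
    # or VPN clients will see no LAN at all.
    run iptables -A FORWARD -i "$BR" -o "$BR" -j ACCEPT
    # Set the DROP policy last so an existing SSH session is never cut off.
    run iptables -P INPUT DROP
}

# Usage (as root):  ./bridge-up.sh up             apply
#                   DRY_RUN=1 ./bridge-up.sh up   print only
case "${1:-}" in
    up) bridge_up && firewall_up ;;
esac
```

The DROP policy is applied after the ESTABLISHED rule on purpose: applying it first would drop the packets of the SSH session you are typing into until the rule arrives.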

Perfect. After checking the log file, it looks like everything started up just fine. The first two lines are the old routed-mode instance shutting down (the failed "ip addr del" is expected there, since that process had already dropped to user nobody); the bridged server starts at 19:17:00:

Thu Dec 20 18:39:24 2012 us=47382 Linux ip addr del failed: external program exited with error status: 255
Thu Dec 20 18:39:24 2012 us=304419 SIGTERM[hard,] received, process exiting
Thu Dec 20 19:17:00 2012 us=583398 Current Parameter Settings:
Thu Dec 20 19:17:00 2012 us=583462   config = 'server.conf'
Thu Dec 20 19:17:00 2012 us=583474   mode = 1
Thu Dec 20 19:17:00 2012 us=583483   persist_config = DISABLED
Thu Dec 20 19:17:00 2012 us=583491   persist_mode = 1
Thu Dec 20 19:17:00 2012 us=583499   show_ciphers = DISABLED
Thu Dec 20 19:17:00 2012 us=583507   show_digests = DISABLED
Thu Dec 20 19:17:00 2012 us=583515   show_engines = DISABLED
Thu Dec 20 19:17:00 2012 us=583524   genkey = DISABLED
Thu Dec 20 19:17:00 2012 us=583532   key_pass_file = '[UNDEF]'
Thu Dec 20 19:17:00 2012 us=583540 NOTE: --mute triggered...
Thu Dec 20 19:17:00 2012 us=583558 256 variation(s) on previous 10 message(s) suppressed by --mute
Thu Dec 20 19:17:00 2012 us=583595 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 21 2012
Thu Dec 20 19:17:00 2012 us=583682 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on$
Thu Dec 20 19:17:00 2012 us=583772 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Dec 20 19:17:00 2012 us=599856 Diffie-Hellman initialized with 2048 bit key
Thu Dec 20 19:17:00 2012 us=600349 /usr/bin/openssl-vulnkey -q -b 2048 -m <modulus omitted>
Thu Dec 20 19:17:00 2012 us=662446 TLS-Auth MTU parms [ L:1592 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Dec 20 19:17:00 2012 us=662499 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Dec 20 19:17:00 2012 us=662541 TUN/TAP device tap0 opened
Thu Dec 20 19:17:00 2012 us=662558 TUN/TAP TX queue length set to 100
Thu Dec 20 19:17:00 2012 us=662592 Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Dec 20 19:17:00 2012 us=662871 GID set to nogroup
Thu Dec 20 19:17:00 2012 us=662891 UID set to nobody
Thu Dec 20 19:17:00 2012 us=662906 Listening for incoming TCP connection on [AF_INET]172.25.87.13:443
Thu Dec 20 19:17:00 2012 us=662925 TCPv4_SERVER link local (bound): [AF_INET]172.25.87.13:443
Thu Dec 20 19:17:00 2012 us=662935 TCPv4_SERVER link remote: [undef]
Thu Dec 20 19:17:00 2012 us=662948 MULTI: multi_init called, r=256 v=256
Thu Dec 20 19:17:00 2012 us=662976 IFCONFIG POOL: base=172.25.87.160 size=21
Thu Dec 20 19:17:00 2012 us=662996 IFCONFIG POOL LIST
Thu Dec 20 19:17:00 2012 us=663012 MULTI: TCP INIT maxclients=10 maxevents=14
Thu Dec 20 19:17:00 2012 us=663030 Initialization Sequence Completed

 

Now, let's get our client to connect! The client config needs the same change as the server: replace "dev tun" with "dev tap" in client.conf, leaving everything else as it was (OpenVPN checks that both ends agree on the device type, and a tun client talking to a tap server logs a dev-type mismatch and passes no traffic). Then start it:

sudo openvpn /etc/openvpn/client.conf

 

And if you look at the output on your screen you should see the initialization sequence complete, with the CA and the server certificate both verified along the way! 🙂

steve @ mintdebiandbd ~ :) ᛤ>   sudo openvpn client.conf
[sudo] password for steve:
Thu Dec 20 20:42:16 2012 us=304282 Current Parameter Settings:
Thu Dec 20 20:42:16 2012 us=304379   config = 'client.conf'
Thu Dec 20 20:42:16 2012 us=304392   mode = 0
Thu Dec 20 20:42:16 2012 us=304402   persist_config = DISABLED
Thu Dec 20 20:42:16 2012 us=304446   persist_mode = 1
Thu Dec 20 20:42:16 2012 us=304458   show_ciphers = DISABLED
Thu Dec 20 20:42:16 2012 us=304467   show_digests = DISABLED
Thu Dec 20 20:42:16 2012 us=304484   show_engines = DISABLED
Thu Dec 20 20:42:16 2012 us=304494   genkey = DISABLED
Thu Dec 20 20:42:16 2012 us=304510   key_pass_file = '[UNDEF]'
Thu Dec 20 20:42:16 2012 us=304519 NOTE: --mute triggered...
Thu Dec 20 20:42:16 2012 us=304539 263 variation(s) on previous 10 message(s) suppressed by --mute
Thu Dec 20 20:42:16 2012 us=304576 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 23 2012
Thu Dec 20 20:42:16 2012 us=304737 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Dec 20 20:42:16 2012 us=305998 LZO compression initialized
Thu Dec 20 20:42:16 2012 us=306111 Control Channel MTU parms [ L:1592 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Dec 20 20:42:16 2012 us=306788 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Dec 20 20:42:16 2012 us=306822 Data Channel MTU parms [ L:1592 D:1450 EF:60 EB:135 ET:32 EL:0 AF:3/1 ]
Thu Dec 20 20:42:16 2012 us=306842 Local Options String: 'V4,dev-type tap,link-mtu 1592,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Dec 20 20:42:16 2012 us=306852 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1592,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Dec 20 20:42:16 2012 us=306871 Local Options hash (VER=V4): '39ac68d4'
Thu Dec 20 20:42:16 2012 us=306884 Expected Remote Options hash (VER=V4): 'de0ebdfe'
Thu Dec 20 20:42:16 2012 us=306931 Attempting to establish TCP connection with [AF_INET]108.227.33.121:443 [nonblock]
Thu Dec 20 20:42:17 2012 us=307383 TCP connection established with [AF_INET]108.227.33.121:443
Thu Dec 20 20:42:17 2012 us=307421 TCPv4_CLIENT link local: [undef]
Thu Dec 20 20:42:17 2012 us=307428 TCPv4_CLIENT link remote: [AF_INET]108.227.33.121:443
Thu Dec 20 20:42:17 2012 us=309254 TLS: Initial packet from [AF_INET]108.227.33.121:443, sid=70410825 7d5b0fe1
Thu Dec 20 20:42:17 2012 us=414568 VERIFY OK: depth=1, /C=US/ST=OH/L=Concord/O=Erdmanor/CN=Erdmanor_CA/name=Steve_Erdman/emailAddress=openvpn@erdmanor.com
Thu Dec 20 20:42:17 2012 us=414771 VERIFY OK: nsCertType=SERVER
Thu Dec 20 20:42:17 2012 us=414781 VERIFY OK: depth=0, /C=US/ST=OH/L=Concord/O=Erdmanor/CN=debian/emailAddress=openvpn@erdmanor.com
Thu Dec 20 20:42:17 2012 us=635769 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Dec 20 20:42:17 2012 us=635817 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 20 20:42:17 2012 us=635825 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Dec 20 20:42:17 2012 us=635832 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec 20 20:42:17 2012 us=635944 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Dec 20 20:42:17 2012 us=635966 [debian] Peer Connection Initiated with [AF_INET]108.227.33.121:443
Thu Dec 20 20:42:19 2012 us=671837 SENT CONTROL [debian]: 'PUSH_REQUEST' (status=1)
Thu Dec 20 20:42:19 2012 us=711313 PUSH: Received control message: 'PUSH_REPLY,route 172.25.87.0 255.255.255.0,dhcp-option DNS 172.25.87.5,dhcp-option DNS 172.25.87.12,route-gateway 172.25.87.14,ping 10,ping-restart 120,ifconfig 172.25.87.160 255.255.255.0'
Thu Dec 20 20:42:19 2012 us=711475 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 20 20:42:19 2012 us=711486 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 20 20:42:19 2012 us=711491 OPTIONS IMPORT: route options modified
Thu Dec 20 20:42:19 2012 us=711495 OPTIONS IMPORT: route-related options modified
Thu Dec 20 20:42:19 2012 us=711500 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Dec 20 20:42:19 2012 us=711627 ROUTE default_gateway=172.16.0.1
Thu Dec 20 20:42:19 2012 us=713091 TUN/TAP device tap0 opened
Thu Dec 20 20:42:19 2012 us=713110 TUN/TAP TX queue length set to 100
Thu Dec 20 20:42:19 2012 us=713122 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Dec 20 20:42:19 2012 us=713141 /sbin/ifconfig tap0 172.25.87.160 netmask 255.255.255.0 mtu 1500 broadcast 172.25.87.255
Thu Dec 20 20:42:19 2012 us=725485 /sbin/route add -net 172.25.87.0 netmask 255.255.255.0 gw 172.25.87.14
Thu Dec 20 20:42:19 2012 us=735322 Initialization Sequence Completed
^Z
[1]+  Stopped                 sudo openvpn client.conf
steve @ mintdebiandbd ~ :( ᛤ>   bg 1
[1]+ sudo openvpn client.conf &
steve @ mintdebiandbd ~ :) ᛤ>   /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:61:a6:93  
          inet addr:172.16.1.36  Bcast:172.16.255.255  Mask:255.255.0.0
          inet6 addr: fe80::20c:29ff:fe61:a693/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:254421 errors:0 dropped:0 overruns:0 frame:0
          TX packets:175752 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:208616856 (198.9 MiB)  TX bytes:44974301 (42.8 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:834 errors:0 dropped:0 overruns:0 frame:0
          TX packets:834 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:67668 (66.0 KiB)  TX bytes:67668 (66.0 KiB)

tap0      Link encap:Ethernet  HWaddr fe:fd:f6:ea:f1:97  
          inet addr:172.25.87.160  Bcast:172.25.87.255  Mask:255.255.255.0
          inet6 addr: fe80::fcfd:f6ff:feea:f197/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:634 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:70700 (69.0 KiB)  TX bytes:10970 (10.7 KiB)

 

Fantastic, Success! 🙂
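
"Initialization Sequence Completed" on its own only says a tunnel came up; the lines that matter for security are the VERIFY OK ones above, which show the peer's chain led to your CA and that the peer certificate carried the server role. The script below is an added example, not part of the original post, that checks a client log for exactly those things. The expected CA name, server CN, cipher and LAN prefix are taken from the log above and are parameters; the "good" sample is lines copied from that log, the "bad" sample is constructed to show what a peer holding a valid client certificate from the same CA would look like.

```sh
#!/bin/sh
# check-client-log.sh: read an OpenVPN client log and confirm that the
# server really was authenticated and the tunnel came up as configured.
# Added example, not part of the original post. Expected values are the
# ones visible in the client log above; override them in the environment.
EXPECT_CA_CN="${EXPECT_CA_CN:-Erdmanor_CA}"
EXPECT_SERVER_CN="${EXPECT_SERVER_CN:-debian}"
EXPECT_CIPHER="${EXPECT_CIPHER:-AES-128-CBC}"
EXPECT_PREFIX="${EXPECT_PREFIX:-172.25.87.}"   # bridged LAN prefix the pool lives in

# expect <ERE> <message>: count a failure if no log line matches ERE.
expect() {
    printf '%s\n' "$log" | grep -qE -- "$1" || {
        echo "FAIL: $2"
        fails=$((fails + 1))
    }
}

# check_client_log: log on stdin; prints each failed check and returns the
# number of failures, so 0 means every check passed.
check_client_log() {
    log=$(cat)
    fails=0
    prefix_re=$(printf '%s' "$EXPECT_PREFIX" | sed 's/\./\\./g')
    expect "VERIFY OK: depth=1, .*/CN=${EXPECT_CA_CN}(/|\$)" \
        "server chain is not issued by CA ${EXPECT_CA_CN}"
    # "ns-cert-type server" in client.conf produces this line; without it a
    # client certificate from the same CA could impersonate the server.
    expect "VERIFY OK: nsCertType=SERVER" \
        "peer certificate does not carry the server role"
    expect "VERIFY OK: depth=0, .*/CN=${EXPECT_SERVER_CN}(/|\$)" \
        "peer CN is not ${EXPECT_SERVER_CN}"
    expect "Data Channel Encrypt: Cipher '${EXPECT_CIPHER}'" \
        "data channel is not using ${EXPECT_CIPHER}"
    expect "PUSH_REPLY.*ifconfig ${prefix_re}" \
        "pushed tap0 address is not in ${EXPECT_PREFIX}0/24"
    expect "Initialization Sequence Completed" \
        "tunnel never came up"
    return "$fails"
}

# sample_good_log: lines copied from the successful client run above.
sample_good_log() {
    cat <<'EOF'
Thu Dec 20 20:42:17 2012 us=414568 VERIFY OK: depth=1, /C=US/ST=OH/L=Concord/O=Erdmanor/CN=Erdmanor_CA/name=Steve_Erdman/emailAddress=openvpn@erdmanor.com
Thu Dec 20 20:42:17 2012 us=414771 VERIFY OK: nsCertType=SERVER
Thu Dec 20 20:42:17 2012 us=414781 VERIFY OK: depth=0, /C=US/ST=OH/L=Concord/O=Erdmanor/CN=debian/emailAddress=openvpn@erdmanor.com
Thu Dec 20 20:42:17 2012 us=635769 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Dec 20 20:42:19 2012 us=711313 PUSH: Received control message: 'PUSH_REPLY,route 172.25.87.0 255.255.255.0,dhcp-option DNS 172.25.87.5,dhcp-option DNS 172.25.87.12,route-gateway 172.25.87.14,ping 10,ping-restart 120,ifconfig 172.25.87.160 255.255.255.0'
Thu Dec 20 20:42:19 2012 us=735322 Initialization Sequence Completed
EOF
}

# sample_bad_log: constructed. The peer presented a valid *client*
# certificate from the same CA (CN=laptop, no server role) and a client
# without ns-cert-type finished the handshake anyway.
sample_bad_log() {
    cat <<'EOF'
Thu Dec 20 21:00:00 2012 us=000001 VERIFY OK: depth=1, /C=US/ST=OH/L=Concord/O=Erdmanor/CN=Erdmanor_CA/name=Steve_Erdman/emailAddress=openvpn@erdmanor.com
Thu Dec 20 21:00:00 2012 us=000002 VERIFY OK: depth=0, /C=US/ST=OH/L=Concord/O=Erdmanor/CN=laptop/emailAddress=openvpn@erdmanor.com
Thu Dec 20 21:00:00 2012 us=000003 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Dec 20 21:00:02 2012 us=000004 PUSH: Received control message: 'PUSH_REPLY,route-gateway 172.25.87.14,ifconfig 172.25.87.161 255.255.255.0'
Thu Dec 20 21:00:02 2012 us=000005 Initialization Sequence Completed
EOF
}

# Usage: sudo openvpn client.conf 2>&1 | tee client.log
#        ./check-client-log.sh check < client.log ; echo "failures: $?"
case "${1:-}" in
    check) check_client_log ;;
esac
```

Run it against the tee'd output of a real connection; a non-zero exit with "peer certificate does not carry the server role" means the client is missing ns-cert-type (or, on newer clients, remote-cert-tls server) and should not be trusted until that is fixed.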

References for this blog can be found here:
http://openvpn.net/index.php/open-source/documentation/howto.html
http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
http://openvpn.net/index.php/open-source/faq/79-client/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn.html
http://openvpn.net/index.php/open-source/faq/77-server/285-everything-seems-to-be-configured-correctly-but-i-cant-ping-across-the-tunnel.html
http://openvpn.net/index.php/open-source/faq/77-server/265-how-do-i-enable-ip-forwarding.html
http://openvpn.net/index.php/open-source/faq/77-server/263-openvpn-can-ping-both-peers-but-i-cant-reach-any-of-the-other-machines-on-the-remote-subnet.html
http://openvpn.net/index.php/open-source/documentation/howto.html#scope
http://openvpn.net/index.php/open-source/faq/77-server/325-openvpn-as-a–forking-tcp-server-which-can-service-multiple-clients-over-a-single-tcp-port.html
https://help.ubuntu.com/11.10/serverguide/openvpn.html
http://openvpn.net/index.php/open-source/documentation/howto.html#security
https://help.ubuntu.com/community/OpenVPN
