OpenVPN setup tutorial?

William Member
edited April 2012 in Tutorials

Hello Guys & Gals :)

Since today Austria's (whole EU in fact) home ISPs implemented the notorious "Vorratsdatenspeicherung" (data retention), I'm setting up a VPN in our Swiss location for my usage.

I thought first about using PPTP, which is easy to set up but also slower (IIRC) - I'm looking to be able to push 50-100Mbit down and 5-10Mbit up.

So does anyone have a tutorial for that? Looking for:

  - Key auth (no passwords)
  - Static IP for every client (based on Username for the VPN maybe? or the MAC of the client?)
  - Not too high encryption, just basic - Prefer Speed over Security

Anyone knows how to do this? Rewarding a year of EDIS KVM Micro in any location of your choice for a fully working solution :)

William

Opinions/Posts are to be assumed my own/personal and not company related unless obvious
Working @ EDIS and owning some others (and/or parts of) | Available for consulting | http://as198412.net | https://william.si

Comments

  • I followed the Linode library and it's probably the easiest to understand.

    The Original Daniel.

  • DanielM Disabled

    Just install openvpn-AS. It only takes 2 commands.

    Thanked by 1William
  • nabo Member
    edited April 2012

    @William said: Since today Austria's (whole EU in fact) home ISPs implemented the notorious "Vorratsdatenspeicherung" (data retention), I'm setting up a VPN in our Swiss location for my usage.

    So your decision was not wise. Switzerland has a data retention act since 2002. Which is btw controlled by one of the Swiss Counter Intelligence Agencies. Germany is the only country in the EU that does not have a data retention as it is against the German constitution.

    "Kids, you tried your best and failed miserably. The lesson learned is: never try."

  • Interesting, Openvpn-AS works fine but I'm too dumb to assign users static external IPs - any idea? I just selected "Layer 2 (ethernet bridging)" at the VPN Mode without specifying a bridge and assigned the user a static external IP in his user settings which is not bound to any interface on the KVM I'm running on. Doesn't work.

    Do I need to create a bridge manually or assign the IP to eth0?

    Opinions/Posts are to be assumed my own/personal and not company related unless obvious
    Working @ EDIS and owning some others (and/or parts of) | Available for consulting | http://as198412.net | https://william.si

  • @nabo said: Which is btw controlled by one of the Swiss Counter Intelligence Agencies

    I trust the Swiss guys more than our own.

    @nabo said: Germany is the only country in the EU that does not have a data retention as it is against the German constitution.

    It is against ours also, Germany WILL have to implement it or they will have to drop out of the EU or pay high fees for every day they don't (like we had to). Besides this, Germany has other laws which are not preferable for anyone and other restrictions which are annoying like blocked youtube and other video sites.

    After all this is just a demo setup, I also have servers in other countries I can use - Ukraine, Russia, Liechtenstein, Norway and the Isle of Man to name a few.

    Opinions/Posts are to be assumed my own/personal and not company related unless obvious
    Working @ EDIS and owning some others (and/or parts of) | Available for consulting | http://as198412.net | https://william.si

  • DanielM Disabled

    @William said: I just selected "Layer 2 (ethernet bridging)"

    I use NAT, it's easier to set up

  • gsrdgrdghd Member without signature

    @William said: Liechtenstein

    Now that would be interesting

  • @liam said: @William I haven't used openvpn for a while... it wasn't clear if you are trying to assign users their own unique ip or a select few users the same ip. Could you clarify?

    I want each user to use his own, external (thus public), static, IPv4 IP instead of the usual "shared" Host IPv4. Clear enough? ;)

    @DanielM said: I use NAT, it's easier to set up

    Certainly, but for usability reasons I can't use that.

    @gsrdgrdghd said: Now that would be interesting

    Yes, if traffic would not be so expensive :(

    Opinions/Posts are to be assumed my own/personal and not company related unless obvious
    Working @ EDIS and owning some others (and/or parts of) | Available for consulting | http://as198412.net | https://william.si

  • Amfy Member

    @William said: Yes, if traffic would not be so expensive :(

    At which provider have you looked? Server.lu offers 1TB for 10€ that's really ok.

  • gsrdgrdghd Member without signature

    @Amfy said: At which provider have you looked? Server.lu offers 1TB for 10€ that's really ok.

    Luxemburg != Liechtenstein ;-)

  • Amfy Member

    Damn, sorry

  • DanielM Disabled

    @Amfy said: Server.lu offers 1TB for 10€ that's really ok.

    Ovh offers 1TB for 89p (Around $1.40)

  • dnom Member

    @William said: I want each user to use his own, external (thus public), static, IPv4 IP instead of the usual "shared" Host IPv4.

    I did this a while back following this tutorial: http://forums.openvpn.net/topic8559.html

    "To put the example into practical terms, it would mean that you could login to the VPN and visit http://www.whatismyip.com to see your WAN ip. Then you could log out, and in to the VPN as a new user, and visit http://www.whatismyip.com again. This time the reported WAN ip will be different, depending on the user you have logged into the VPN as."
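
One common way to get the per-user WAN address described above with plain OpenVPN is a per-certificate `ifconfig-push` file plus one SNAT rule per client. This is an added example, not part of the thread and not necessarily the linked tutorial's method; the names alice/bob, the 10.8.0.0/24 tunnel subnet, the interface eth0 and the 203.0.113.x addresses are assumptions.

```shell
# Added example. Constructed mapping: certificate CN, tunnel IP, public IP
# (203.0.113.0/24 is the RFC 5737 documentation range). Assumed server.conf:
#   topology subnet
#   client-config-dir ccd
#   ccd-exclusive        # certificates without a ccd file are refused
MAP='alice 10.8.0.10 203.0.113.10
bob 10.8.0.11 203.0.113.11'

# A CN becomes a file name, so accept only a conservative character set.
valid_cn() {
  case $1 in ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

# Dotted quad with four octets in 0..255.
valid_ip() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

valid_entry() { valid_cn "$1" && valid_ip "$2" && valid_ip "$3"; }

# Write one ccd file per CN into directory $1. Under "topology subnet" the
# arguments to ifconfig-push are <client-ip> <netmask>.
write_ccd() {
  mkdir -p "$1" || return 1
  while read -r cn tun pub; do
    [ -n "$cn" ] || continue
    valid_entry "$cn" "$tun" "$pub" || return 1
    printf 'ifconfig-push %s 255.255.255.0\n' "$tun" > "$1/$cn"
  done <<EOF
$MAP
EOF
}

# Print, without applying, one source-NAT rule per client so its traffic
# leaves eth0 (assumed uplink) from its own public address. Each public
# address must also be configured on, or routed to, the host.
nat_rules() {
  while read -r cn tun pub; do
    [ -n "$cn" ] || continue
    valid_entry "$cn" "$tun" "$pub" || return 1
    echo "iptables -t nat -A POSTROUTING -s $tun -o eth0 -j SNAT --to-source $pub"
  done <<EOF
$MAP
EOF
}
```

Because the address is bound to the certificate's CN, this only holds if every user has a distinct certificate and the server does not set `duplicate-cn`.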

  • Asim Member

    How to resolve this?

    WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

  • Isn't Netherlands the best for that?

  • DanielM Disabled

    @Asim said: How to resolve this?

    Where is this error?

    Thanked by 1Asim
  • Asim Member

    I get stuck at

    Mon Apr 02 20:17:34 2012 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
    Mon Apr 02 20:17:36 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Mon Apr 02 20:17:36 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Mon Apr 02 20:17:36 2012 LZO compression initialized
    Mon Apr 02 20:17:36 2012 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Mon Apr 02 20:17:36 2012 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
    Mon Apr 02 20:17:36 2012 Local Options hash (VER=V4): '31fdf004'
    Mon Apr 02 20:17:36 2012 Expected Remote Options hash (VER=V4): '3e6d1056'
    Mon Apr 02 20:17:36 2012 Attempting to establish TCP connection with xxx.xxx.xxx.xxx:1194
    Mon Apr 02 20:17:38 2012 TCP: connect to xxx.xxx.xxx.xxx:1194 failed, will try again in 5 seconds

  • Asim Member
    edited April 2012

    My configuration is

    remote xxx.xxx.xxx.xxx 1194
    proto tcp
    auth-user-pass
    ca ca.crt
    cert asim.crt
    key asim.key
    comp-lzo
    verb 3
    mute 20
    resolv-retry infinite
    nobind
    client
    dev tap
    persist-key
    persist-tun
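
The warning quoted above appears because the client config names a CA but no server-certificate verification method. The following check is an added example, not part of the thread; the function names are hypothetical and the sample is constructed from the configuration posted above.

```shell
# Constructed sample: the client configuration from the post above.
sample_conf() {
  cat <<'EOF'
remote xxx.xxx.xxx.xxx 1194
proto tcp
auth-user-pass
ca ca.crt
cert asim.crt
key asim.key
comp-lzo
client
dev tap
EOF
}

# Print the server-verification directives present in the config on stdin.
# Matching on the first field ignores directives commented out with # or ;.
# remote-cert-tls needs OpenVPN 2.1+, verify-x509-name 2.3+; ns-cert-type
# and tls-remote are the forms an older 2.0.x client understands.
verification_methods() {
  awk '$1 ~ /^(remote-cert-tls|ns-cert-type|tls-remote|tls-verify|verify-x509-name)$/ { print $1 }'
}

# Return 0 if the config on stdin verifies the server certificate, else 1.
audit_client_conf() {
  methods=$(verification_methods)
  if [ -z "$methods" ]; then
    echo "FAIL: no server certificate verification; a certificate issued to any client by the same CA can pose as the server"
    return 1
  fi
  echo "OK: verified via" $methods
}

# Corrected variant for a 2.0.x client. The server certificate must carry
# nsCertType=server; 2.1+ clients would use "remote-cert-tls server" instead.
hardened_conf() {
  sample_conf
  echo 'ns-cert-type server'
}
```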

  • DanielM Disabled

    Are you using access server or normal openvpn?

  • Asim Member

    I modified the default OpenVPN Windows GUI file to the same sample as /usr/share/doc/openvpn/examples/sample-config-files/client.conf. Now I don't get the error message or the user/pass prompt, but it does not connect either :(

    Mon Apr 02 20:33:16 2012 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
    Mon Apr 02 20:33:16 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Mon Apr 02 20:33:16 2012 LZO compression initialized
    Mon Apr 02 20:33:16 2012 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mon Apr 02 20:33:16 2012 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Mon Apr 02 20:33:16 2012 Local Options hash (VER=V4): 'd79ca330'
    Mon Apr 02 20:33:16 2012 Expected Remote Options hash (VER=V4): 'f7df56b8'
    Mon Apr 02 20:33:16 2012 UDPv4 link local: [undef]
    Mon Apr 02 20:33:16 2012 UDPv4 link remote: 199.167.30.47:1194
    Mon Apr 02 20:34:15 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Apr 02 20:34:15 2012 TLS Error: TLS handshake failed
    Mon Apr 02 20:34:15 2012 TCP/UDP: Closing socket

  • Asim Member

    Note for newbies @ VPN (like me), look at /var/log/daemon.log. It looks like tun/tap is not available on my container. Opened a ticket with my VPS provider, this will fix the problem for sure

    root@vpn:/var/log# tail daemon.log
    Apr 2 20:53:20 vpn ovpn-server[1863]: OpenVPN 2.1.0 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
    Apr 2 20:53:20 vpn ovpn-server[1863]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 2 20:53:20 vpn ovpn-server[1863]: Diffie-Hellman initialized with 1024 bit key
    Apr 2 20:53:21 vpn ovpn-server[1863]: /usr/bin/openssl-vulnkey -q -b 1024 -m
    Apr 2 20:53:21 vpn ovpn-server[1863]: TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Apr 2 20:53:21 vpn ovpn-server[1863]: ROUTE: default_gateway=UNDEF
    Apr 2 20:53:21 vpn ovpn-server[1863]: Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
    Apr 2 20:53:21 vpn ovpn-server[1863]: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
    Apr 2 20:53:21 vpn ovpn-server[1863]: Cannot allocate TUN/TAP dev dynamically
    Apr 2 20:53:21 vpn ovpn-server[1863]: Exiting

  • DanielM Disabled

    @Asim said: Note for newbies @ VPN (like me), look at /var/log/daemon.log. It looks like tun/tap is not available on my container. Opened a ticket with my VPS provider, this will fix the problem for sure

    If you're running AS, make sure they enable the extra firewall rules, otherwise AS will not start

  • MrAndroid Member
    edited April 2012

    I gotta admit, I just tried OpenVPN-AS and found it much easier to set up than doing keys manually all the time.

    Also the fact that it plugs into PAM is cooool.

    The Original Daniel.

    Thanked by 1Asim
  • OpenVPN-AS's page seems to be outdated (updated for Ubuntu 10 only). Is the project still alive?

  • DanielM Disabled
    edited September 2012

    @kossel said: OpenVPN-AS's page seems to be outdated (updated for Ubuntu 10 only). Is the project still alive?

    Dudee this thread is 5 months old! wtf, don't revive old threads to gain post posts.

  • @kossel said: OpenVPN-AS's page seems to be outdated (updated for Ubuntu 10 only). Is the project still alive?

    Yes it is still alive, and thanks for reviving ... I had no idea that the data retention shit had happened over here in Austria.

    VPN on ...

  • @William said: Anyone knows how to do this?

    I can help you with the configuration if you can provide me a KVM and some unused static Internet IP.
