Guide to OpenVPN on Ubuntu 9.04 Jaunty Jackalope

If you want a simple VPN, this is a quick and easy guide to OpenVPN on Ubuntu that will get you up and running with minimal configs. Note that with some persistence this is not hard to do and opens up a world of possibilities, e.g. fully encrypted access from remote locations to your home network, or, if you really want to go nuts, you can even tunnel OpenVPN through ssh over an HTTP proxy using corkscrew.

This configuration works for a single client connecting to a single server.

[bash]
## Server config (its tunnel interface will be 172.20.0.1, eth0 is 192.168.1.10 and its public IP is that of your router):

apt-get install openvpn
cd /etc/openvpn
openvpn --genkey --secret mystatickey.key

vi /etc/openvpn/openvpn.conf

=======snip===========
dev tun
ifconfig 172.20.0.1 172.20.0.2
secret mystatickey.key
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
======snip============

echo 1 > /proc/sys/net/ipv4/ip_forward

/etc/init.d/openvpn start
[/bash]

Running ifconfig should now show a tun interface with the IP 172.20.0.1.

[bash]
## Client config (its tunnel interface will be 172.20.0.2):

apt-get install openvpn
cd /etc/openvpn
scp publicIPofyourRouter:/etc/openvpn/mystatickey.key .
vi /etc/openvpn/openvpn.conf

===== snip =============
remote publicIPofyourRouter
dev tun
ifconfig 172.20.0.2 172.20.0.1
secret mystatickey.key
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
===== snip =============

/etc/init.d/openvpn start
[/bash]

Running ifconfig should now show a tun interface with the IP 172.20.0.2.

Now, to test, you should be able to ping 172.20.0.1 (the server's tunnel interface) from your client.

If ping works your tunnel is up and openvpn is running sweetly. :)

What you will probably need to do now is add a static route on your local router (server end) so that the route for 172.20.0.0 goes to your OpenVPN server and not out the gateway. Also, the ip_forward line is required to allow your server to route traffic between interfaces.

Notes:
* Firewall and port forwarding are the first things to check. UDP 1194 must be open on the server.
* You can use no-ip.com or dyndns.org to get a home DNS entry if you are on a dynamic IP. Then use this as your remote IP in the client config.
* You will need to forward UDP 1194 from your router to the internal host. This is configured on your router.
* If you only want to access local LAN addresses at your server end, and do not want your client's public traffic to go over the VPN, add routes on the client such as: route add -net 192.168.1.0/24 gw 172.20.0.1

Extra Notes:
Sometimes you want to do some funky things, like push your VPN tunnel through an ssh tunnel. This gives you full access to a remote LAN over a single open port (ssh).

Edit openvpn.conf on both client and server as below. Note that you are no longer using UDP, and you no longer need to forward UDP or TCP 1194 on the router either, since everything is carried inside SSH.

Add to server:
proto tcp-server

Change the remote line (in the client config) to:
remote localhost

Add to client:
proto tcp-client

Now, on your client, forward local TCP port 1194 over ssh to port 1194 on the server:

ssh -L 1194:127.0.0.1:1194 you@yourpublicip

Test by connecting with telnet to 127.0.0.1 1194 on the client; you should get a connection. Break the connection and start openvpn on the client.

/etc/init.d/openvpn start
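As an added example (not part of the original guide), here is a small POSIX sh checker that reads a server and a client openvpn.conf of the kind shown above and confirms the two sides mirror each other: the ifconfig endpoints are swapped, both name the same secret file, the client has a remote, and a tcp-server side is paired with a tcp-client peer for the ssh-tunnel variant. The sample configs are constructed inline from the guide's values; the function names are this example's own.

```shell
#!/bin/sh
# Print the value following a directive in an OpenVPN config, ignoring comments.
conf_get() {   # $1 = config file, $2 = directive name
    sed -e 's/[#;].*$//' "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Exit status 0 if the server/client static-key pair is consistent, 1 otherwise.
check_pair() {
    srv="$1"; cli="$2"; rc=0
    # 1. ifconfig endpoints must be mirrored: server "A B" versus client "B A".
    set -- $(conf_get "$srv" ifconfig); srv_local=$1; srv_remote=$2
    set -- $(conf_get "$cli" ifconfig); cli_local=$1; cli_remote=$2
    if [ "$srv_local" != "$cli_remote" ] || [ "$srv_remote" != "$cli_local" ]; then
        echo "ifconfig mismatch: server '$srv_local $srv_remote' vs client '$cli_local $cli_remote'" >&2
        rc=1
    fi
    # 2. Both sides must reference the same static key file.
    if [ "$(conf_get "$srv" secret)" != "$(conf_get "$cli" secret)" ]; then
        echo "secret file differs between server and client" >&2; rc=1
    fi
    # 3. The client needs a remote, and proto tcp-server needs a tcp-client peer.
    [ -n "$(conf_get "$cli" remote)" ] || { echo "client has no remote line" >&2; rc=1; }
    srv_proto=$(conf_get "$srv" proto); cli_proto=$(conf_get "$cli" proto)
    if [ "$srv_proto" = "tcp-server" ] && [ "$cli_proto" != "tcp-client" ]; then
        echo "server is tcp-server but client proto is '${cli_proto:-udp}'" >&2; rc=1
    fi
    return $rc
}

# Constructed sample configs (values from the guide's ssh-tunnel variant), written to $1.
write_sample_configs() {
    cat > "$1/server.conf" <<'EOF'
dev tun
ifconfig 172.20.0.1 172.20.0.2
secret mystatickey.key
proto tcp-server
EOF
    cat > "$1/client.conf" <<'EOF'
remote localhost
dev tun
ifconfig 172.20.0.2 172.20.0.1
secret mystatickey.key
proto tcp-client
EOF
    # A broken client: endpoints copied from the server instead of swapped, proto left at UDP.
    cat > "$1/client-bad.conf" <<'EOF'
remote localhost
dev tun
ifconfig 172.20.0.1 172.20.0.2
secret mystatickey.key
EOF
}
```

Run it as `check_pair /path/to/server.conf /path/to/client.conf` before starting openvpn; each problem found is printed on stderr.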

Enjoy.