Jul 13, 2011

OpenVPN and PPTP Server Setup

I wrote this a while ago while trying to figure out how to set up a VPN server to connect to from unsecured networks (e.g., hotels, coffee shops, etc.). Essentially, OpenVPN connects you to the server and routes all of your traffic through an encrypted tunnel to it.

Most of the server setup came from here and the config file and routing setup came from here.

This setup has been tested on Ubuntu 8.04, but should work for most Debian-based Linux distros. For Red Hat or other Linux distros, substitute yum for apt-get. This tutorial uses the 10.44.77.0 network for OpenVPN and the 10.44.78.0 network for PPTP. Any private network should work as long as the same subnet is not already in use on the server's or client's existing networks.

OPENVPN SERVER SETUP:

1. Install OpenVPN on the server:
$ apt-get install openvpn openssl
2. Set up OpenVPN:
$ cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/
$ cd /etc/openvpn/
$ mkdir keys
3. Create keys:
$ nano vars (edit the last section)
$ source ./vars
$ ./clean-all
$ ./build-ca
$ ./build-key-server server
$ ./build-key client
$ ./build-dh
4. Repeat the $ ./build-key [client name] line for each additional client that needs its own key and certificate.

5. Create Server Config File:
$ nano server.conf
Insert the following text in server.conf:
dev tun
proto tcp
port 1194
ca /etc/openvpn/keys/ca.crt # Path of ca.crt file you generated
cert /etc/openvpn/keys/server.crt # Path of certificate you generated
key /etc/openvpn/keys/server.key # Path of key file you generated
dh /etc/openvpn/keys/dh1024.pem # Path of dh file you generated
user nobody
group nogroup
server 10.44.77.0 255.255.255.0 # Any private subnet not currently in use
persist-key
persist-tun
#status openvpn-status.log
verb 3
client-to-client
push "dhcp-option DOMAIN ###.###.###.###" # Server public IP or domain name
push "dhcp-option DNS 208.67.222.222" # Primary dns server (opendns shown)
push "dhcp-option DNS 208.67.220.220" # Secondary dns server (opendns shown)
push "redirect-gateway" # Directs all traffic through your VPN
#log-append /var/log/openvpn
#comp-lzo
6. Make OpenVPN start automatically (Debian-based instructions only):
$ nano /etc/default/openvpn
Uncomment or add the following line:
AUTOSTART="all"
7. Set the server to route all VPN traffic to eth0:
$ iptables -t nat -A POSTROUTING -s 10.44.77.0/24 -o eth0 -j MASQUERADE
8. Allow IP Forwarding:
Edit the file /etc/sysctl.conf:
$ nano /etc/sysctl.conf
Uncomment the following line:
net.ipv4.ip_forward = 1
9. Restart OpenVPN and Networking:
$ /etc/init.d/networking restart
$ /etc/init.d/openvpn restart

OPENVPN CLIENT SETUP:
1. Copy the ca.crt and the client key and cert files to the client computer.
2. Create a client config file with the extension '.conf':
3. Insert the following text (note: for Windows clients, the paths will look like "C:\Program Files\OpenVPN\Config\ca.crt"):
client
dev tun
proto tcp
remote ###.###.###.### 1194 # Server IP address or domain name
remote-cert-tls server
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt # Path of ca.crt you generated
cert /etc/openvpn/keys/client.crt # Path of client certificate you generated
key /etc/openvpn/keys/client.key # Path of client key you generated
#comp-lzo
verb 3

4. Start OpenVPN using the client software of your choice:
If you're using an Ubuntu client:
Place your *.conf file and keys in "/etc/openvpn/" and run
$ /etc/init.d/openvpn start
If you're using a Windows client:
Place your *.conf and keys in "C:\Program Files\OpenVPN\Config".
Start OpenVPN in Windows services.
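Before handing out the client file, it is worth checking that the two configs agree with each other and with the points above (a tunnel subnet that is not already in use, redirect-gateway and DNS pushed, remote-cert-tls on the client, privilege drop on the server). The Python script below is an added example, not code from this post or from OpenVPN; its embedded configs are constructed from the ones above, and the hostname vpn.example.invalid is a placeholder.

```python
"""Consistency check for an OpenVPN server.conf / client.conf pair. Added example, not from the post or OpenVPN."""
import ipaddress

def parse(text):
    """Return (directive, args) pairs from an OpenVPN config, comments stripped."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            pairs.append((name, args))
    return pairs

def pushed(pairs):
    """Options the server pushes to clients, without the surrounding quotes."""
    return [" ".join(a).strip('"') for d, a in pairs if d == "push"]

def check(server_conf, client_conf, local_nets=()):
    """Return a list of problems; an empty list means the pair looks sound."""
    s, c = parse(server_conf), parse(client_conf)
    sd, cd = dict(s), dict(c)  # last occurrence of a directive wins
    problems = []
    # The tunnel subnet must not collide with a network the server or client already uses
    vpn = ipaddress.ip_network(f"{sd['server'][0]}/{sd['server'][1]}")
    for net in map(ipaddress.ip_network, local_nets):
        if vpn.overlaps(net):
            problems.append(f"VPN subnet {vpn} overlaps existing network {net}")
    # Without redirect-gateway only traffic for the VPN subnet goes through the tunnel
    if not any(p.startswith("redirect-gateway") for p in pushed(s)):
        problems.append("server does not push redirect-gateway")
    # Without a pushed resolver, DNS queries still go to the hotspot's DNS server
    if not any(p.startswith("dhcp-option DNS") for p in pushed(s)):
        problems.append("server does not push a DNS server")
    # remote-cert-tls server stops another client's certificate from posing as the server
    if cd.get("remote-cert-tls") != ["server"]:
        problems.append("client lacks 'remote-cert-tls server'")
    # The client must use the protocol and port the server actually listens on
    if cd.get("proto") != sd.get("proto") or cd.get("remote", ["", ""])[1] != sd["port"][0]:
        problems.append("client proto/remote port does not match server proto/port")
    # Root is only needed at start-up; persist-key/persist-tun let restarts work unprivileged
    if "user" not in sd or "group" not in sd:
        problems.append("server does not drop privileges (user/group)")
    return problems

# Constructed sample configs, trimmed to the directives the check looks at
SERVER = """proto tcp\nport 1194\nserver 10.44.77.0 255.255.255.0\nuser nobody\ngroup nogroup
push "dhcp-option DNS 208.67.222.222"\npush "redirect-gateway"  # tunnel all traffic\n"""
CLIENT = "client\nproto tcp\nremote vpn.example.invalid 1194  # placeholder host\nremote-cert-tls server\n"

if __name__ == "__main__":
    print(check(SERVER, CLIENT, ["192.168.1.0/24"]) or "no problems found")
```

Pass the networks your server and laptop already sit on as local_nets; the script only reads the config text, so it can be run before anything is deployed.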

IPOD/IPHONE VPN SETUP (PPTPD)
1. Install pptpd:
$ apt-get install pptpd

2. Edit /etc/pptpd.conf and change the following lines as shown:
localip 10.44.78.1
remoteip 10.44.78.2-100
3. Edit /etc/ppp/chap-secrets and add new users as follows:
# Secrets for authentication using CHAP
# client server secret IP addresses
username1 pptpd password1 10.44.78.2
username2 pptpd password2 10.44.78.3
4. Set the server to route all VPN traffic to eth0:
$ iptables -t nat -A POSTROUTING -s 10.44.78.0/24 -o eth0 -j MASQUERADE
5. To allow DNS resolution over the VPN, edit /etc/ppp/pptpd-options and uncomment/edit the following lines (the DNS addresses can be whatever you want; OpenDNS shown):
ms-dns 208.67.222.222
ms-dns 208.67.220.220

CHECK NEW VPN SERVER
To check your VPN connection, open a web browser and navigate to http://whatismyip.com or http://getip.com. The IP address shown should be your VPN server's public address, not the address of the network you are connected to.