Meet OpenVPN

Connecting road warriors with a full-blown open-source VPN solution.
Testing

Once you have installed OpenVPN, it is time to test it. Make sure the server process is started with service openvpn [re]start. You should see the TUN device with ifconfig. With my config, it shows:


Link: encap:Point-to-Point Protocol 
Inet addr:192.168.100.1 P-t-P 192.168.100.2.

Now, start up the client OpenVPN service. A file found at D:/Program Files/Openvpn/*.log contains debugging information. With the verb setting, you can elaborate the logging. When you start the client service, the icon in your tray shouts it is connected. Ipconfig /all in a DOSBox shows an IP address on the tap interface, for instance, 192.168.100.10


Ethernet adapter Local Area Connection 8:

	Connection-specific DNS Suffix  . : 
	Description . . . . . . . . . . . : TAP-Win32 Adapter V8
	Physical Address. . . . . . . . . : 00-FF-CF-10-9F-A6
	DHCP Enabled. . . . . . . . . . . : Yes
	Autoconfiguration Enabled . . . . : Yes
	IP Address. . . . . . . . . . . . : 192.168.100.10
	Subnet Mask . . . . . . . . . . . : 255.255.255.252
	Default Gateway . . . . . . . . . : 
	DHCP Server . . . . . . . . . . . : 192.168.100.5

print route gives you some routes:


192.168.100.1  255.255.255.255    192.168.100.9               4	  1
192.168.100.8  255.255.255.252   192.168.100.10               4	  1
192.168.100.10  255.255.255.255    127.0.0.1       127.0.0.1	  1
192.168.100.255  255.255.255.255   192.168.100.10               4	

Although this all may look quite odd, it works. You now can ping 192.168.100.1; if that succeeds the tunnel is okay. On the server you can see the pings coming in with tcpdump -nlpi tun0. Also, tail -f /var/log/messages supplies some information.

The routes on the server look something like this (netstat -rn) kernel IP routing table:


Destination  	Gateway     Genmask          Flags   MSS Window  irtt Iface
192.168.100.2 	0.0.0.0     255.255.255.255  UH        0 0         0  tun0
192.168.100.0	0.0.0.0     255.255.255.0    U         0 0         0  tun0
65.66.45.2    	0.0.0.0     255.255.255.0    U         0 0         0  eth1
172.16.1.0    	0.0.0.0     255.255.255.0    U         0 0         0  eth0
127.0.0.0     	0.0.0.0     255.0.0.0        U         0 0         0  lo
0.0.0.0      	65.66.45.1  0.0.0.0          UG        0 0         0  eth1

If all goes well, your connection should be there. If not, check the server routing table and tcpdump the TUN interfaces. You also can use the iptables debug rules.

Conclusion

In this article I have shown a simple setup for a OpenVPN. In real life, the setup will not be much more complex. Although the security implications of any VPN should be well thought-out, setting up OpenVPN turned out to be rather easy. If you do get into trouble, plenty of helping hands can be found on the mailing lists.

OpenVPN is a serious VPN product. It can contend with IPsec in many ways. It certainly is cheap--try buying a Cisco concentrator--easy to install and, in the open-source tradition, tinkerable.

If OpenVPN has a disadvantage, it might be latency. However, no real-life data exists yet to back up that claim.

Hans-Cees Speel (hanscees@hanscees.com) is a security consultant for Tunix Firewall Support. He spends his spare time building a Web guide for North European trees.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Latest OpenVPN release has many new features

Mark Colred's picture

The latest 2.1.4 release just came out about 1 week ago and has support for many new features. IP version 6 support is now available as part of the TUN driver. Random port binding is also now avalable using the --lport 0 parameter. We upgraded last week and had no issues.

I use open VPN from ibVPN I

Anelly's picture

I use open VPN from ibVPN
I think open VPN is faster and more secure then PPTP.

OpenVPN-AS

marky's picture

Any possible thing to login on default administrator account password for open vpn web base instead of using our root user and password?
because I encounter a problem in during log-in on web based admin access on openvpn https://15.15.20.1:943/admin when it required to type username and password and that would be my root as my username and {password} as my password in root but it keeps saying "Invalid Login" for some couple of times i keep re-typing my correct root password but it still keep saying "Invalid Login", and i try to uninstall the openvpn rpm package and reinstalled it back to my linux server....after rpm package installed and trying to login in web base admin and typing root as user and {password} for my root password but still got the same problem?

Questions:

1. Is their a default administrator account andd password for openvpn to use for web admin login?
2. How to add username and password account in open vpn?

A comparison of advantages of

KeepNetOpen's picture

A comparison of advantages of OpenVPN to L2TP over IPSec would be a great article. I use VyprVPN and they just rolled out L2TP as a third protocol.
https://www.goldenfrog.com/vyprvpn/vpn-service-provider

L2TP seems to have some of the advantages of OpenVPN, but you can use it on more devices, like your iPhone.

Open VPN

SuperVPN's picture

Open VPN is great free software which allow you incredible 2048 bits encryption. I tried many vpn software's but this one is the best so far.

I need help

Joe Graham's picture

I can't get by client software to connect on the local LAN. I have stopped iptables (just in case there was port blocking) and restarted the network service, but still no luck. I can't get to the web login either (port 7505). Here is the log file from my failed login attempt (I'll post later)

Thanks in advance for your help

Server log

Joe Graham's picture

2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 MULTI: multi_create_instance called'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Re-using SSL/TLS context'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 LZO compression initialized'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Data Channel MTU parms [ L:1544 D:1350 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Local Options hash (VER=V4): 'bd577cd1''
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Expected Remote Options hash (VER=V4): 'ee93268d''
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCP connection established with 192.168.1.104:53098'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Socket Buffers: R=[131072->131072] S=[131072->131072]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Socket flags: TCP_NODELAY=1 succeeded'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCPv4_SERVER link local: [undef]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCPv4_SERVER link remote: 192.168.1.104:53098'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 192.168.1.104:53098 Non-OpenVPN client protocol detected'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 192.168.1.104:53098 SIGTERM[soft,port-share-redirect] received, client-instance exiting'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCP/UDP: Closing socket'
2009-12-25 10:59:40-0500 [-] WEB-PP OUT: '2009-12-25 10:59:40-0500 [pyovpn.web.webbase.MySiteBase] Connection from IPv4Address(TCP, '127.0.0.1', 45843)'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 MULTI: multi_create_instance called'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Re-using SSL/TLS context'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 LZO compression initialized'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Data Channel MTU parms [ L:1544 D:1350 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Local Options hash (VER=V4): 'bd577cd1''
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Expected Remote Options hash (VER=V4): 'ee93268d''
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCP connection established with 192.168.1.104:53099'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Socket Buffers: R=[131072->131072] S=[131072->131072]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Socket flags: TCP_NODELAY=1 succeeded'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCPv4_SERVER link local: [undef]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCPv4_SERVER link remote: 192.168.1.104:53099'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 192.168.1.104:53099 Non-OpenVPN client protocol detected'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 192.168.1.104:53099 SIGTERM[soft,port-share-redirect] received, client-instance exiting'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCP/UDP: Closing socket'
2009-12-25 10:59:40-0500 [-] WEB-PP OUT: '2009-12-25 10:59:40-0500 [pyovpn.web.webbase.MySiteBase] Connection from IPv4Address(TCP, '127.0.0.1', 45844)'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 MULTI: multi_create_instance called'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 Re-using SSL/TLS context'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 LZO compression initialized'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 Data Channel MTU parms [ L:1544 D:1350 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 Local Options hash (VER=V4): 'bd577cd1''
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 Expected Remote Options hash (VER=V4): 'ee93268d''
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 TCP connection established with 192.168.1.104:53100'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 Socket Buffers: R=[131072->131072] S=[131072->131072]'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 Socket flags: TCP_NODELAY=1 succeeded'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 TCPv4_SERVER link local: [undef]'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 TCPv4_SERVER link remote: 192.168.1.104:53100'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 192.168.1.104:53100 Non-OpenVPN client protocol detected'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 192.168.1.104:53100 SIGTERM[soft,port-share-redirect] received, client-instance exiting'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 TCP/UDP: Closing socket'
2009-12-25 10:59:43-0500 [-] WEB-PP OUT: '2009-12-25 10:59:43-0500 [pyovpn.web.webbase.MySiteBase] Connection from IPv4Address(TCP, '127.0.0.1', 45845)'
2009-12-25 10:59:48-0500 [-] WEB-PP OUT: '2009-12-25 10:59:48-0500 [pyovpn.web.webbase.MySiteBase] Connection from IPv4Address(TCP, '192.168.1.104', 56876)'
2009-12-25 10:59:48-0500 [-] WEB-PP OUT: '2009-12-25 10:59:48-0500 [pyovpn.web.webbase.MySiteBase] Connection from IPv4Address(TCP, '192.168.1.104', 56877)'
2009-12-25 10:59:51-0500 [-] WEB-PP OUT: '2009-12-25 10:59:51-0500 [pyovpn.web.webbase.MySiteBase] Connection from IPv4Address(TCP, '192.168.1.104', 56878)'

NeoRouter - the zero-config VPN solution

Anonymous's picture

I found a better VPN solution - NeoRouter (www.neorouter.com). It's much simpler to setup than OpenVPN and does better job than OpenVPN. It can create unlimited nodes in a virtual network and it uses P2P technology as well. It support not only Linux, Window, but also router firmwares like OpenWrt and Tomato.

Highly suggest GUI version of OpenVPN

Anonymous's picture

I love OpenVPN, with my VPN provider http://www.strongvpn.com they offered it to me since the regular VPN account they sold me the port was blocked. I installed the non GUI version of OpenVPN and I didn't like the way it would disconnect when I closed the window. The lastest GUI window one is sweet, and makes it easy to reconnect. I went to Openvpn.net and made a donation, please help the developers improve it!

I think anonymous vpn, i

anonymous vpn's picture

I think anonymous vpn, i mean pptp vpn, is simply for regular user then openvpn setup for anonymous surfing.

This article doesn't

smartcgi's picture

This article doesn't describe one problem. Sometimes DHCP is disabled on PC and OpenVPN fails to get IP.

You'll see "Requesting IP address" running constantly on this OpenVPN connection.

Solution was taken from http://av5.com/docs/running_openvpn_client_on_windows_xp.html and shown below:

open "Control Panel / Administrative Tools / Services", make sure that the "DHCP Client Service" is started.

This is Linux Journal

Anonymous's picture

This is Linux Journal, there's no mention of a linux side GUI client or how to set this up on a Linux client side.
Do you expect me to read something and then use a command line?

Linux GUI

Anonymous's picture

haha right. its about setting up a server, reinstall windows and go home to mommy.

openvpn ikey

D. rodic's picture

How do i setup an OpenVPN connection using smartcard (ikey) features?

Openvpn as a way to secure domain logins over internet

Anonymous's picture

I'm interested in openvpn as a service on a win2k/xp client machine. I would like the vpn to connect before/during the user trying to login to a windows domain account while traveling(their domain login's are not cached).
Is this a capability of openvpn ? Any resouces you can point me at ?
Thanks

Yes, There are many sources

Hank Freid's picture

Yes, There are many sources from where you can use this openvpn, also many certifications available for this at TestKing and VCP-310.

the howto mentioned above: h

Anonymous's picture

the howto mentioned above:
http://sme.swerts-knudsen.dk/index.html?frame=http%3A//sme.swerts-knudse...
does something like that. But I am not sure what you mean exactly. The vpn is a service under windows.

Cool Article

Freak's picture

Thanks for a cool article!
Discussion about OpenVPN @ OpenVPN-Forum.de

Web layout

Anonymous's picture

On my browser and monitor (Firefox, all defaults) the first line of this story is 141 characters.

People read text best at a width of 40-60 characters.

Even if you don't have to horizontal scroll, this layout is ridiculously hard to read.

The article was excellent - w

Anonymous's picture

The article was excellent - why don't you chill with your comment on web settings?

Wow! What's this business

Anonymous's picture

Wow!

What's this business with "why don't you chill with your comment on web settings?"?

Are you referring to the comments about line width? Man, that kind of stuff needs to be fixed--it's just a royal pain trying to read articles like that.

For RoadWarrior there's a goo

Anonymous's picture

For RoadWarrior there's a good option you put in clients. It's the
redirect-gateway option.


# man openvpn
...
--redirect-gateway
Automatically execute routing commands to cause all outgoing
IP traffic to be redirected over the VPN. Currently imple-
mented only on Linux and Windows.
This option performs three steps:
(1) Create a static route for the --remote address which for-
wards to the pre-existing default gateway. This is done so
that (3) will not create a routing loop.
(2) Delete the default gateway route.
(3) Set the new default gateway to be the VPN endpoint address
(derived either from --route-gateway or the second parameter
to --ifconfig when --dev tun is specified).
When the tunnel is torn down, all of the above steps are re-
versed so that the original default route is restored.
...

How well does this scale for multiple road-warriors?

SwedishChef's picture

Thanks for your excellent article. It's always a pleasure to see something that is well documented and complete. However, I have a question about scaling clients that wasn't covered in the article.

I have implemented openVPN for a local organization that has offices in other nearby towns. Each office has access to bandwidth; one via DSL and the other via FTTH (fiber-to-the-home). I configured two separate openVPN servers on the home office router because I couldn't see - from the documentation - whether one openVPN server can monitor two ports; and two separate connections. So I built one server to watch port 5000 and another to watch port 5001 and used shared keys. The other end of both networks is another Linux box that is an openVPN client routing the entire complement of machines in to the home office. Interestingly enough, both client machines are behind a NAT router yet both connect to the VPN well. The openVPN server is the router/firewall (Shorewall) at the central office. Routing to the Internet is accomplished through a separate firewall in both cases.

So I guess my main question is: "How would two (or more) road warriors access your VPN?" I notice that you have a range of IP addresses in the server config file. Does this work for multiple remote clients?

I might add that I have also configured open-VPN in bridging mode for a client who had an IPX network running across a T-1 routed by two Livingston routers. This was all implemented on an old Novel 3x system that the client was reluctant to change but the $700-per-month T-1 costs were killing him. He had a FTTH connection at his main office and connected a DSL connection to his remote office. I installed two Linux boxes running openVPN in bridging mode; one client on the DSL and the one server at the other end on the fiber. The latency was incredible! IPX apparently broadcasts so much packet traffic that the DSL link was buried under it. However, even when we implemented a TCP Novell system as a test, the DSL was not capable of handling the traffic (although DSL in that same town does handle the SMB traffic of the network I described earlier). We ended up using a wireless connection to a location in the remote town that did have FTTH and then simply creating a VLAN to route traffic back to the home office. So the availability of bandwidth for some protocols is critical.

OpenVPN 2.0, which is in beta

Anonymous's picture

OpenVPN 2.0, which is in beta does not require a separate port for each connection such as the 1.x branch did. The article above is specific to 2.0 and only requires port 1194 for multiple remote connections.

Thanks for such a well-writte

Anonymous's picture

Thanks for such a well-written article!

One problem though: in the server config file, you have two route-up lines. The route-up lines are not stackable, i.e. the second will wipe out the first. Why not just use the "route" option?

In my setup a wring route app

hanscees's picture

In my setup a wring route appeared automagically. The first line deltes that.

vpen in ubuntu festy 7.04

krax's picture

hello masters
great deaads have encountered to set a vpn connection to INERNET with UBUNTU desktop ver 7.04 festy but any result was out-come.
plz help me t set up this vpn on debian base genome UBUNTU festy 7.04
Email me at kraxadmin[@]gmail.com
waiting with possible awaite
bon rester
thatnks

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState