Loading
Meet OpenVPN
Connecting road warriors with a full-blown open-source VPN solution.
Once you have installed OpenVPN, it is time to test it. Make sure the server process is started with service openvpn [re]start. You should see the TUN device with ifconfig. With my config, it shows:
Link: encap:Point-to-Point Protocol Inet addr:192.168.100.1 P-t-P 192.168.100.2.
Now, start up the client OpenVPN service. A file found at D:/Program Files/Openvpn/*.log contains debugging information. With the verb setting, you can elaborate the logging. When you start the client service, the icon in your tray shouts it is connected. Ipconfig /all in a DOSBox shows an IP address on the tap interface, for instance, 192.168.100.10
Ethernet adapter Local Area Connection 8: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : TAP-Win32 Adapter V8 Physical Address. . . . . . . . . : 00-FF-CF-10-9F-A6 DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . . . . . . . . . . . : 192.168.100.10 Subnet Mask . . . . . . . . . . . : 255.255.255.252 Default Gateway . . . . . . . . . : DHCP Server . . . . . . . . . . . : 192.168.100.5
print route gives you some routes:
192.168.100.1 255.255.255.255 192.168.100.9 4 1 192.168.100.8 255.255.255.252 192.168.100.10 4 1 192.168.100.10 255.255.255.255 127.0.0.1 127.0.0.1 1 192.168.100.255 255.255.255.255 192.168.100.10 4
Although this all may look quite odd, it works. You now can ping 192.168.100.1; if that succeeds the tunnel is okay. On the server you can see the pings coming in with tcpdump -nlpi tun0. Also, tail -f /var/log/messages supplies some information.
The routes on the server look something like this (netstat -rn) kernel IP routing table:
Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.100.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0 65.66.45.2 0.0.0.0 255.255.255.0 U 0 0 0 eth1 172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 65.66.45.1 0.0.0.0 UG 0 0 0 eth1
If all goes well, your connection should be there. If not, check the server routing table and tcpdump the TUN interfaces. You also can use the iptables debug rules.
In this article I have shown a simple setup for a OpenVPN. In real life, the setup will not be much more complex. Although the security implications of any VPN should be well thought-out, setting up OpenVPN turned out to be rather easy. If you do get into trouble, plenty of helping hands can be found on the mailing lists.
OpenVPN is a serious VPN product. It can contend with IPsec in many ways. It certainly is cheap--try buying a Cisco concentrator--easy to install and, in the open-source tradition, tinkerable.
If OpenVPN has a disadvantage, it might be latency. However, no real-life data exists yet to back up that claim.
- « first
- ‹ previous
- 1
- 2
- 3
______________________
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- Dynamic DNS—an Object Lesson in Problem Solving
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- New Products
- A Topic for Discussion - Open Source Feature-Richness?
- Drupal Is a Framework: Why Everyone Needs to Understand This
- RSS Feeds
- Validate an E-Mail Address with PHP, the Right Way
- Readers' Choice Awards
- Tech Tip: Really Simple HTTP Server with Python
- DynDNS
1 hour 9 min ago - Reply to comment | Linux Journal
1 hour 41 min ago - All the articles you talked
4 hours 5 min ago - All the articles you talked
4 hours 8 min ago - All the articles you talked
4 hours 9 min ago - myip
8 hours 34 min ago - Keeping track of IP address
10 hours 25 min ago - Roll your own dynamic dns
15 hours 38 min ago - Please correct the URL for Salt Stack's web site
18 hours 50 min ago - Android is Linux -- why no better inter-operation
21 hours 5 min ago
Enter to Win an Adafruit Pi Cobbler Breakout Kit for Raspberry Pi
It's Raspberry Pi month at Linux Journal. Each week in May, Adafruit will be giving away a Pi-related prize to a lucky, randomly drawn LJ reader. Winners will be announced weekly.
Fill out the fields below to enter to win this week's prize-- a Pi Cobbler Breakout Kit for Raspberry Pi.
Congratulations to our winners so far:
- 5-8-13, Pi Starter Pack: Jack Davis
- 5-15-13, Pi Model B 512MB RAM: Patrick Dunn
- 5-21-13, Prototyping Pi Plate Kit: Philip Kirby
- Next winner announced on 5-27-13!
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
Developer Poll
Comments
Latest OpenVPN release has many new features
The latest 2.1.4 release just came out about 1 week ago and has support for many new features. IP version 6 support is now available as part of the TUN driver. Random port binding is also now avalable using the --lport 0 parameter. We upgraded last week and had no issues.
I use open VPN from ibVPN I
I use open VPN from ibVPN
I think open VPN is faster and more secure then PPTP.
OpenVPN-AS
Any possible thing to login on default administrator account password for open vpn web base instead of using our root user and password?
because I encounter a problem in during log-in on web based admin access on openvpn https://15.15.20.1:943/admin when it required to type username and password and that would be my root as my username and {password} as my password in root but it keeps saying "Invalid Login" for some couple of times i keep re-typing my correct root password but it still keep saying "Invalid Login", and i try to uninstall the openvpn rpm package and reinstalled it back to my linux server....after rpm package installed and trying to login in web base admin and typing root as user and {password} for my root password but still got the same problem?
Questions:
1. Is their a default administrator account andd password for openvpn to use for web admin login?
2. How to add username and password account in open vpn?
A comparison of advantages of
A comparison of advantages of OpenVPN to L2TP over IPSec would be a great article. I use VyprVPN and they just rolled out L2TP as a third protocol.
https://www.goldenfrog.com/vyprvpn/vpn-service-provider
L2TP seems to have some of the advantages of OpenVPN, but you can use it on more devices, like your iPhone.
Open VPN
Open VPN is great free software which allow you incredible 2048 bits encryption. I tried many vpn software's but this one is the best so far.
I need help
I can't get by client software to connect on the local LAN. I have stopped iptables (just in case there was port blocking) and restarted the network service, but still no luck. I can't get to the web login either (port 7505). Here is the log file from my failed login attempt (I'll post later)
Thanks in advance for your help
Server log
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 MULTI: multi_create_instance called'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Re-using SSL/TLS context'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 LZO compression initialized'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Data Channel MTU parms [ L:1544 D:1350 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Local Options hash (VER=V4): 'bd577cd1''
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Expected Remote Options hash (VER=V4): 'ee93268d''
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCP connection established with 192.168.1.104:53098'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Socket Buffers: R=[131072->131072] S=[131072->131072]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Socket flags: TCP_NODELAY=1 succeeded'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCPv4_SERVER link local: [undef]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCPv4_SERVER link remote: 192.168.1.104:53098'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 192.168.1.104:53098 Non-OpenVPN client protocol detected'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 192.168.1.104:53098 SIGTERM[soft,port-share-redirect] received, client-instance exiting'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCP/UDP: Closing socket'
2009-12-25 10:59:40-0500 [-] WEB-PP OUT: '2009-12-25 10:59:40-0500 [pyovpn.web.webbase.MySiteBase] Connection from IPv4Address(TCP, '127.0.0.1', 45843)'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 MULTI: multi_create_instance called'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Re-using SSL/TLS context'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 LZO compression initialized'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Data Channel MTU parms [ L:1544 D:1350 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Local Options hash (VER=V4): 'bd577cd1''
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Expected Remote Options hash (VER=V4): 'ee93268d''
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCP connection established with 192.168.1.104:53099'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Socket Buffers: R=[131072->131072] S=[131072->131072]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 Socket flags: TCP_NODELAY=1 succeeded'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCPv4_SERVER link local: [undef]'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCPv4_SERVER link remote: 192.168.1.104:53099'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 192.168.1.104:53099 Non-OpenVPN client protocol detected'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 192.168.1.104:53099 SIGTERM[soft,port-share-redirect] received, client-instance exiting'
2009-12-25 10:59:40-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:40 2009 TCP/UDP: Closing socket'
2009-12-25 10:59:40-0500 [-] WEB-PP OUT: '2009-12-25 10:59:40-0500 [pyovpn.web.webbase.MySiteBase] Connection from IPv4Address(TCP, '127.0.0.1', 45844)'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 MULTI: multi_create_instance called'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 Re-using SSL/TLS context'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 LZO compression initialized'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 Data Channel MTU parms [ L:1544 D:1350 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 Local Options hash (VER=V4): 'bd577cd1''
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 Expected Remote Options hash (VER=V4): 'ee93268d''
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 TCP connection established with 192.168.1.104:53100'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 Socket Buffers: R=[131072->131072] S=[131072->131072]'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 Socket flags: TCP_NODELAY=1 succeeded'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 TCPv4_SERVER link local: [undef]'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 TCPv4_SERVER link remote: 192.168.1.104:53100'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 192.168.1.104:53100 Non-OpenVPN client protocol detected'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 192.168.1.104:53100 SIGTERM[soft,port-share-redirect] received, client-instance exiting'
2009-12-25 10:59:43-0500 [-] OVPN-PP 0 OUT: 'Fri Dec 25 10:59:43 2009 TCP/UDP: Closing socket'
2009-12-25 10:59:43-0500 [-] WEB-PP OUT: '2009-12-25 10:59:43-0500 [pyovpn.web.webbase.MySiteBase] Connection from IPv4Address(TCP, '127.0.0.1', 45845)'
2009-12-25 10:59:48-0500 [-] WEB-PP OUT: '2009-12-25 10:59:48-0500 [pyovpn.web.webbase.MySiteBase] Connection from IPv4Address(TCP, '192.168.1.104', 56876)'
2009-12-25 10:59:48-0500 [-] WEB-PP OUT: '2009-12-25 10:59:48-0500 [pyovpn.web.webbase.MySiteBase] Connection from IPv4Address(TCP, '192.168.1.104', 56877)'
2009-12-25 10:59:51-0500 [-] WEB-PP OUT: '2009-12-25 10:59:51-0500 [pyovpn.web.webbase.MySiteBase] Connection from IPv4Address(TCP, '192.168.1.104', 56878)'
NeoRouter - the zero-config VPN solution
I found a better VPN solution - NeoRouter (www.neorouter.com). It's much simpler to setup than OpenVPN and does better job than OpenVPN. It can create unlimited nodes in a virtual network and it uses P2P technology as well. It support not only Linux, Window, but also router firmwares like OpenWrt and Tomato.
Highly suggest GUI version of OpenVPN
I love OpenVPN, with my VPN provider http://www.strongvpn.com they offered it to me since the regular VPN account they sold me the port was blocked. I installed the non GUI version of OpenVPN and I didn't like the way it would disconnect when I closed the window. The lastest GUI window one is sweet, and makes it easy to reconnect. I went to Openvpn.net and made a donation, please help the developers improve it!
I think anonymous vpn, i
I think anonymous vpn, i mean pptp vpn, is simply for regular user then openvpn setup for anonymous surfing.
This article doesn't
This article doesn't describe one problem. Sometimes DHCP is disabled on PC and OpenVPN fails to get IP.
You'll see "Requesting IP address" running constantly on this OpenVPN connection.
Solution was taken from http://av5.com/docs/running_openvpn_client_on_windows_xp.html and shown below:
open "Control Panel / Administrative Tools / Services", make sure that the "DHCP Client Service" is started.
This is Linux Journal
This is Linux Journal, there's no mention of a linux side GUI client or how to set this up on a Linux client side.
Do you expect me to read something and then use a command line?
Linux GUI
haha right. its about setting up a server, reinstall windows and go home to mommy.
openvpn ikey
How do i setup an OpenVPN connection using smartcard (ikey) features?
Openvpn as a way to secure domain logins over internet
I'm interested in openvpn as a service on a win2k/xp client machine. I would like the vpn to connect before/during the user trying to login to a windows domain account while traveling(their domain login's are not cached).
Is this a capability of openvpn ? Any resouces you can point me at ?
Thanks
Yes, There are many sources
Yes, There are many sources from where you can use this openvpn, also many certifications available for this at TestKing and VCP-310.
the howto mentioned above: h
the howto mentioned above:
http://sme.swerts-knudsen.dk/index.html?frame=http%3A//sme.swerts-knudse...
does something like that. But I am not sure what you mean exactly. The vpn is a service under windows.
Cool Article
Thanks for a cool article!
Discussion about OpenVPN @ OpenVPN-Forum.de
Web layout
On my browser and monitor (Firefox, all defaults) the first line of this story is 141 characters.
People read text best at a width of 40-60 characters.
Even if you don't have to horizontal scroll, this layout is ridiculously hard to read.
The article was excellent - w
The article was excellent - why don't you chill with your comment on web settings?
Wow! What's this business
Wow!
What's this business with "why don't you chill with your comment on web settings?"?
Are you referring to the comments about line width? Man, that kind of stuff needs to be fixed--it's just a royal pain trying to read articles like that.
For RoadWarrior there's a goo
For RoadWarrior there's a good option you put in clients. It's the
redirect-gateway option.
# man openvpn
...
--redirect-gateway
Automatically execute routing commands to cause all outgoing
IP traffic to be redirected over the VPN. Currently imple-
mented only on Linux and Windows.
This option performs three steps:
(1) Create a static route for the --remote address which for-
wards to the pre-existing default gateway. This is done so
that (3) will not create a routing loop.
(2) Delete the default gateway route.
(3) Set the new default gateway to be the VPN endpoint address
(derived either from --route-gateway or the second parameter
to --ifconfig when --dev tun is specified).
When the tunnel is torn down, all of the above steps are re-
versed so that the original default route is restored.
...
How well does this scale for multiple road-warriors?
Thanks for your excellent article. It's always a pleasure to see something that is well documented and complete. However, I have a question about scaling clients that wasn't covered in the article.
I have implemented openVPN for a local organization that has offices in other nearby towns. Each office has access to bandwidth; one via DSL and the other via FTTH (fiber-to-the-home). I configured two separate openVPN servers on the home office router because I couldn't see - from the documentation - whether one openVPN server can monitor two ports; and two separate connections. So I built one server to watch port 5000 and another to watch port 5001 and used shared keys. The other end of both networks is another Linux box that is an openVPN client routing the entire complement of machines in to the home office. Interestingly enough, both client machines are behind a NAT router yet both connect to the VPN well. The openVPN server is the router/firewall (Shorewall) at the central office. Routing to the Internet is accomplished through a separate firewall in both cases.
So I guess my main question is: "How would two (or more) road warriors access your VPN?" I notice that you have a range of IP addresses in the server config file. Does this work for multiple remote clients?
I might add that I have also configured open-VPN in bridging mode for a client who had an IPX network running across a T-1 routed by two Livingston routers. This was all implemented on an old Novel 3x system that the client was reluctant to change but the $700-per-month T-1 costs were killing him. He had a FTTH connection at his main office and connected a DSL connection to his remote office. I installed two Linux boxes running openVPN in bridging mode; one client on the DSL and the one server at the other end on the fiber. The latency was incredible! IPX apparently broadcasts so much packet traffic that the DSL link was buried under it. However, even when we implemented a TCP Novell system as a test, the DSL was not capable of handling the traffic (although DSL in that same town does handle the SMB traffic of the network I described earlier). We ended up using a wireless connection to a location in the remote town that did have FTTH and then simply creating a VLAN to route traffic back to the home office. So the availability of bandwidth for some protocols is critical.
OpenVPN 2.0, which is in beta
OpenVPN 2.0, which is in beta does not require a separate port for each connection such as the 1.x branch did. The article above is specific to 2.0 and only requires port 1194 for multiple remote connections.
Thanks for such a well-writte
Thanks for such a well-written article!
One problem though: in the server config file, you have two route-up lines. The route-up lines are not stackable, i.e. the second will wipe out the first. Why not just use the "route" option?
In my setup a wring route app
In my setup a wring route appeared automagically. The first line deltes that.
vpen in ubuntu festy 7.04
hello masters
great deaads have encountered to set a vpn connection to INERNET with UBUNTU desktop ver 7.04 festy but any result was out-come.
plz help me t set up this vpn on debian base genome UBUNTU festy 7.04
Email me at kraxadmin[@]gmail.com
waiting with possible awaite
bon rester
thatnks