
Installing OpenVPN on Ubuntu Server 12.04

This article walks through the basics of installing OpenVPN on an Ubuntu server running 12.04.


OpenVPN is configurable to support various scenarios to accommodate your specific needs.
For connection types, you can use:


For Authentication, you can use:

 

Road Warrior VPN with TAP or TUN

A ‘Road Warrior’ is slang for any remote end-user device that could connect from anywhere in the world, such as a laptop at a coffee shop, a PC in a home office, or a mobile device on a cellular data network. The end user may need access only to the hosts on your private network, or they may want to encrypt all of their traffic over the VPN. These are questions you need to ask when planning the OpenVPN configuration.

I get asked a lot about the differences between TAP and TUN in the OpenVPN server config and which is better to use. Neither one is necessarily ‘better’ than the other, as both can get the job done. However, one style may fit your needs better than the other.


Road Warrior with TAP

TAP uses a ‘bridged interface’ so that VPN clients are directly connected to the same subnet as your internal hosts. So if you use 192.168.1.0/24 on your internal network, you might give the VPN clients IPs in the range 192.168.1.200-210 so that all internal and VPN systems appear to share the same, single subnet. You would want this type of setup if you want to run a single subnet, if you use a service that has strict subnet control in security groups (like a cloud service provider), or if you don’t have a router/gateway device that supports static routes. You don’t want to use TAP if you need to support Android devices (Android does not support TAP based tunnels), have more than one internal subnet, or want to easily control traffic by source/destination.

Here is the HOW TO for a TAP based Road Warrior Setup


Road Warrior with TUN

TUN is a routed solution where the VPN clients are allocated IPs from a separate subnet. So if you use 192.168.1.0/24 on your internal network, the VPN clients might be given IPs in the 192.168.2.0/24 subnet. Your hosts in 192.168.1.0 would see traffic coming from 192.168.2.0. This is the default way to set up a Road Warrior. This method requires that the default gateway on your internal LAN supports static routes, or that you are prepared to add individual static routes to every internal host. Use a TUN solution if you have multiple internal subnets on your private LAN and already have a routed solution in place to control traffic. In addition, TUN is the mode supported by Android devices.

Here is the HOW TO for a TUN based Road Warrior Setup
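The two Road Warrior sections above boil down to one addressing rule: a TAP pool is carved out of the LAN's own range, while a TUN pool lives in a separate subnet that must not overlap the LAN. The shell script below is an added example (not part of the article or its linked HOW TOs) that checks a plan against that rule and writes the matching server.conf fragment for each mode. Everything beyond the article's 192.168.1.0/24, 192.168.2.0/24 and 192.168.1.200-210 is an assumption: the /etc/openvpn certificate paths, port 1194/UDP, and, for TAP, an existing br0 bridge with tap0 enslaved to it.

```shell
#!/bin/sh
# Added example, not from the article: sanity-check a Road Warrior address plan
# and emit matching server.conf fragments for TAP (bridged) and TUN (routed).
# Subnets follow the article; cert paths, port and bridge name are assumptions.

# ip_to_int ADDR: dotted-quad IPv4 -> 32-bit integer (POSIX sh arithmetic).
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NET/BITS ADDR: exit 0 when ADDR lies inside NET/BITS.
cidr_contains() {
    bits=${1#*/}
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# tap_pool_ok LAN_CIDR POOL_START POOL_END: bridged clients share the LAN, so
# the pool handed out by server-bridge must sit inside the LAN's own range.
tap_pool_ok() {
    cidr_contains "$1" "$2" && cidr_contains "$1" "$3"
}

# tun_pool_ok LAN_CIDR VPN_CIDR: routed clients get their own subnet, so the
# two ranges must be disjoint (two CIDRs overlap iff one contains the other's
# network address). An overlapping pool breaks routing and is what triggers
# OpenVPN's "conflicts with --ifconfig subnet" warning.
tun_pool_ok() {
    ! cidr_contains "$1" "${2%/*}" && ! cidr_contains "$2" "${1%/*}"
}

# Directives common to both modes (paths assumed; adjust to your easy-rsa output).
common_conf() {
    cat <<'EOF'
port 1194
proto udp
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
keepalive 10 120
persist-key
persist-tun
EOF
}

# write_tap_conf OUT LAN_GW LAN_MASK POOL_START POOL_END
# Assumes tap0 is already enslaved to a bridge (br0) together with eth0;
# server-bridge then leases LAN addresses from POOL_START..POOL_END.
write_tap_conf() {
    { common_conf; printf 'dev tap0\nserver-bridge %s %s %s %s\n' "$2" "$3" "$4" "$5"; } >"$1"
}

# write_tun_conf OUT LAN_NET LAN_MASK VPN_NET VPN_MASK
# Clients get VPN_NET and are pushed a route to the LAN. The LAN gateway (or
# every LAN host) still needs the return route: ip route add VPN_NET via <server LAN IP>
write_tun_conf() {
    { common_conf; printf 'dev tun\nserver %s %s\npush "route %s %s"\n' "$4" "$5" "$2" "$3"; } >"$1"
}

# Stand-alone usage with the article's addressing: ./plan.sh --run
main() {
    tap_pool_ok 192.168.1.0/24 192.168.1.200 192.168.1.210 && echo "TAP plan ok"
    tun_pool_ok 192.168.1.0/24 192.168.2.0/24 && echo "TUN plan ok"
    write_tap_conf tap-server.conf 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.210
    write_tun_conf tun-server.conf 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
}
case "${1:-}" in --run) main ;; esac
```

For the TUN fragment the server itself also needs `net.ipv4.ip_forward=1`, and the `ip route add 192.168.2.0/24 via <server LAN IP>` on the LAN gateway is exactly the static-route requirement the section describes; without it, replies from internal hosts never find their way back into the tunnel.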


Site to Site

Site to Site means setting up an encrypted tunnel connecting two remote networks. Office-A and Office-B can securely send data to and from each other over the VPN tunnel. This type of solution is ideal for two locations that you want to have connected 24/7 (or close to that, anyway).

“I promise to have a site to site example up here soon”


Authentication

Obviously, you want to control who can access your VPN. OpenVPN gives you several ways to do this, using either certificates, user credentials, or a combination of the two. There are many ways to implement those types of auth, of course, but these are the basic examples.

Site to Site uses a static.key file which is generated from the command line and is used just like a pre-shared key. The same static.key must be present on each side of the VPN in order for the tunnel to build properly. The Site to Site HOW TO shows this type of setup.
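Since the site-to-site HOW TO is still pending, here is an added example (mine, not the article's) of the static-key setup described in the Site to Site section and the paragraph above: Office-A (LAN 192.168.1.0/24) and Office-B (LAN 192.168.2.0/24) share one static.key, each side's config is the mirror image of the other's, and a small check confirms the key file is really a static key and is not readable by anyone but its owner. The tunnel endpoints 10.8.0.1/10.8.0.2, Office-A's public address 203.0.113.10 and the /etc/openvpn/static.key path are constructed.

```shell
#!/bin/sh
# Added example, not the article's site-to-site HOW TO: a static-key tunnel
# between Office-A (LAN 192.168.1.0/24) and Office-B (LAN 192.168.2.0/24).
# Tunnel addresses, the public IP and the key path are constructed/assumed.

# gen_static_key FILE: run ONCE on one side, then copy the file to the other
# side over a trusted channel (scp, never e-mail). OpenVPN 2.2/2.3 syntax.
gen_static_key() {
    openvpn --genkey --secret "$1" && chmod 600 "$1"
}

# static_key_ok FILE: 0 if FILE carries the OpenVPN V1 static-key header and is
# readable by its owner only; 1 missing, 2 not a static key, 3 too permissive.
# The key is the entire secret of the tunnel, so its mode matters as much as
# its contents.
static_key_ok() {
    [ -f "$1" ] || return 1
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$1" || return 2
    [ -n "$(find "$1" -perm 600)" ] || return 3
}

# write_site_conf OUT LOCAL_TUN REMOTE_TUN REMOTE_LAN REMOTE_MASK [REMOTE_PUBLIC_IP]
# Each office gets the mirror image of the other's file. The side behind NAT or
# without a fixed public IP omits REMOTE_PUBLIC_IP and waits for the other side.
write_site_conf() {
    {
        printf 'dev tun\nproto udp\nport 1194\n'
        [ -n "${6:-}" ] && printf 'remote %s 1194\n' "$6"
        # our end / their end of the point-to-point link
        printf 'ifconfig %s %s\n' "$2" "$3"
        # send the remote LAN into the tunnel (ip_forward must be on, and the
        # local LAN needs a route to that network via this host)
        printf 'route %s %s\n' "$4" "$5"
        printf 'secret /etc/openvpn/static.key\n'
        # both sides must agree on cipher/auth; the 2.2 defaults are weaker
        printf 'cipher AES-256-CBC\nauth SHA256\n'
        printf 'keepalive 10 60\npersist-key\npersist-tun\nuser nobody\ngroup nogroup\n'
    } >"$1"
}

# Stand-alone usage: Office-A listens on 203.0.113.10, Office-B dials in.
main() {
    write_site_conf office-a.conf 10.8.0.1 10.8.0.2 192.168.2.0 255.255.255.0
    write_site_conf office-b.conf 10.8.0.2 10.8.0.1 192.168.1.0 255.255.255.0 203.0.113.10
}
case "${1:-}" in --run) main ;; esac
```

The `route` line only teaches the OpenVPN host about the far LAN; the other machines on each office LAN still need a route to the remote network via that host (or the host must be their default gateway), and IP forwarding must be enabled on both OpenVPN boxes.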

Certificates can be used in the Road Warrior setups. Certs are generated on the OpenVPN server and distributed to your end-user devices. The cert is used to establish the tunnel without any user input. Certs can be revoked at the server level which cuts off access (i.e. in case you lose a device with a cert). The Road Warrior examples above show how to set this up.

ID and password auth can be set up to use the local user list on the OpenVPN host, or, for more advanced setups, you can back-end it into RADIUS or LDAP.

Two-factor uses both an issued certificate and an ID/PW. This is by far the most secure of these options, since you need both a valid cert and a valid ID/PW combo. A stolen cert is useless without the ID/PW, and the ID/PW is useless without the cert.

Here is the HOW TO on using ID/PW or Two factor Authentication in a Road Warrior Setup.
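As an added example (not the article's HOW TO), the script below writes the server.conf and client.conf fragments for the two-factor setup just described, certificate plus ID/PW checked against the local user list via PAM, with `crl-verify` so that a revoked cert is refused at the handshake. It also includes an audit function that reads a server.conf and confirms both factors are actually enforced: a single `client-cert-not-required` line silently downgrades the setup to password-only, and a commented-out `crl-verify` means revocation is never consulted. Assumptions: the PAM plugin path is the one shipped by the Ubuntu 12.04 openvpn package (check with `ls /usr/lib/openvpn`), crl.pem is whatever your easy-rsa revoke step produced, and the client cert names and `vpn.example.com` are placeholders. The client-side `remote-cert-tls server` line is what silences the "No server certificate verification method has been enabled" warning quoted in the comments below.

```shell
#!/bin/sh
# Added example, not from the article: config fragments for cert + ID/PW
# ("two factor") authentication with CRL checking, plus an audit of a
# server.conf. Plugin path, cert paths and host name are assumptions.

# write_two_factor_server_conf OUT VPN_NET VPN_MASK
write_two_factor_server_conf() {
    cat >"$1" <<EOF
port 1194
proto udp
dev tun
server $2 $3
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
# factor 1: client certificate, checked against the CRL so a revoked cert
# (lost laptop, departed user) is refused during the TLS handshake
crl-verify /etc/openvpn/crl.pem
# factor 2: ID/PW checked against the local user database through PAM's
# "login" service; point PAM at RADIUS or LDAP for the advanced setups
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
# never add client-cert-not-required here: it turns this into password-only
keepalive 10 120
persist-key
persist-tun
EOF
}

# write_two_factor_client_conf OUT SERVER_HOST
write_two_factor_client_conf() {
    cat >"$1" <<EOF
client
dev tun
proto udp
remote $2 1194
ca ca.crt
cert client1.crt
key client1.key
# prompt for the ID/PW on connect (the cert alone is no longer enough)
auth-user-pass
# only accept a server cert issued by our CA with the server purpose set
remote-cert-tls server
persist-key
persist-tun
EOF
}

# audit_two_factor SERVER_CONF: 0 when both factors are required and a CRL is
# consulted; 1 no password check, 2 cert requirement disabled, 3 no CRL.
# Comment lines (# or ;) are dropped first so a commented-out directive
# does not count as present.
audit_two_factor() {
    active=$(grep -Ev '^[[:space:]]*([#;]|$)' "$1" || :)
    printf '%s\n' "$active" \
        | grep -Eq '^(plugin[[:space:]]+[^[:space:]]*auth-pam|auth-user-pass-verify[[:space:]])' \
        || return 1
    printf '%s\n' "$active" \
        | grep -Eq '^(client-cert-not-required|verify-client-cert[[:space:]]+(none|optional))' \
        && return 2
    printf '%s\n' "$active" | grep -Eq '^crl-verify[[:space:]]' || return 3
    return 0
}

# Stand-alone usage: ./twofactor.sh --run
main() {
    write_two_factor_server_conf server.conf 192.168.2.0 255.255.255.0
    write_two_factor_client_conf client.conf vpn.example.com
    audit_two_factor server.conf && echo "server.conf enforces both factors"
}
case "${1:-}" in --run) main ;; esac
```

Run the audit after every config change, not just once: the failure mode it catches is a later "make it work quickly" edit that adds `client-cert-not-required` or comments out `crl-verify` and leaves the VPN looking two-factor while being nothing of the sort.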


20 thoughts on “Installing OpenVPN on Ubuntu Server 12.04”

  1. Hi Mike, I followed your tutorial. Everything was done but when I want to connect my client to the server. I can’t. My client is using windows 7, installed OpenVPN version 2.2. Could you give me any help?

    1. Start with the log files. When your PC attempts the connection, the logs will show *something*. So inspect the syslog during or after a connection attempt and start from there.

  2. Hi Mike, excellent tutorial. I followed your guide. I have managed to connect to the vpn server from my client. However, when connected, i cannot ping anything other than the vpn server? Cannot connect to anything other than the vpn server?

    Any help or guidance would be gladly appreciated.

    Thanks

  3. ok, i have managed to find a solution to my problem. It was the esxi server at fault, not any configuration issues with openvpn on a vm instance.

    The ESXi virtual switch drops promiscuous packets by default.

    To fix it, open the vSphere Client, click on the ESXi host on the left side, click on the “Configuration” tab on the right, click “Networking” in the Hardware box, click on “Properties…” at the top-right of your “Virtual Switch: vSwitch#” graphic. Now on the “Tools” tab of this popup window, select the “vSwitch” and click the “Edit…” button. In this popup, click on the “Security” tab and change “Promiscuous Mode” from “Reject” to “Accept”. Click “OK” then “Close” and it will now be possible to vpn and route correctly.

    Source: http://www.jeremycole.com/blog/2010/03/11/openvpn-bridge-under-vmware-esxi

  4. hello
    I manage to connect to my server with a lot of warnings, hoping you can help me diagnose the warnings:

    *WARNING: No server certificate verification method has been enabled.
    *UDPv4 link local: [undef]
    *WARNING: --remote address [192.168.254.27] conflicts with --ifconfig subnet [192.168.254.50, 255.255.255.0] -- local and remote addresses cannot be inside of the --ifconfig subnet. (silence this warning with --ifconfig-nowarn)

  5. Hey great post but i have a problem, i did all on the guide but the server didn’t listen for any other port than usual

    1. Do you mean you want OpenVPN to listen on a non-standard port, or that OpenVPN isn’t listening at all?

      “netstat -lanp | grep LIST” will list out the listening ports and the owner of the process.

  6. Hi,
    Great tutorial but I’m missing some detail, such that traffic from the client end can’t get anywhere useful except the server machine. I can get the vpn “up” but the routing table on the client is not right. I’m using the bridged tap interface method. It would be extremely helpful if you would post a *working* example, instead of one with “fix this for your situation”, since it’s unclear to me what the right answers are in that case. I would like to have one client machine connect to a Linux server machine, that is behind an ordinary consumer grade router/firewall, and have the client machine be able to see the entire internet via the server’s gateway (i.e. the server’s router/firewall). The server’s lan is 192.168.27.x, the client’s is typically something else, like 192.168.1.x or 10.x.x.x, depending on what coffee shop or hotel I’m in. Thanks for the tutorial.

    1. If you are hosting OpenVPN on a linux server, you should be able to find documentation in that distro’s community forum. OpenVPN is a well-known and well-used software. As far as the routing goes, the local IP of the client (on the network that you are VPN’d into) should be the same as the server hosting OpenVPN. I believe the only way to get around this is the use the enterprise or commercial version of OpenVPN. The community version only allows one access point (i.e. the coffeeshop router) to connect with an outbound connection (as if it were the server accessing the internet). In other words, when you access the VPN remotely, it is as if you are “sharing” the IP of the server hosting the VPN. Hope that helps.

  7. Hi,
    I want to install Openvpn on my server for access from outside of the lan.
    My server has two eth adapters eth0 89.122.232.122, eth1 192.168.1.1
    What is the configuration ip in the server.conf file in this situation?
    What is the difference between dev tun and dev tap?
    Thank you.
    Bogdan

  8. I followed the instructions exactly. I installed the latest stable version of OpenVPN GUI on a Windows 8 machine. I placed my four certs in the /config directory on that win8 machine and modified the client.conf (located in the /sample-configs directory) to match the server settings. I then moved that client.conf to the /config directory and tried to connect. The connection fails and here is the log output:

    Thu Aug 01 12:12:58 2013 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Jun 3 2013
    Thu Aug 01 12:12:58 2013 ERROR: could not not read Management password from stdin
    Thu Aug 01 12:12:58 2013 Exiting due to fatal error

    Any ideas? OpenVPN Server is installed on a Ubuntu 12.04.2 LTS virtual machine. I made sure to follow the instructions about commenting the lines in the /etc/network/interfaces file for use in virtual machines.

    1. Sounds like the client was not properly installed to the client machine or there is another issue with SSL on that PC. I’ve not used the openvpn client on a win 8 pc yet… however, I have found other issues with win 8 that would give me pause. (i.e. win 8 wifi would not work with Cisco Wireless controllers until recently).

  9. Hi,

    I have my own linux ubuntu server. i want to install openvpn access server. anybody help me pls. email me salmankor at live.com

  10. Great article and I like the explanations on Tun/Tap as it is so often asked about. I also wrote a guide on Installing OpenVPN but instead using Webmin + the OpenVPN module. This is a very easy way to do it for those maybe a little less Linux savvy. An inexperienced Linux user can be up and running in less than 15 minutes. The config file generation and download is point and click which is really nice.

    For those that want to try out this way you can see the guide at http://www.ioflare.com/portal/knowledgebase/3/Install-Webmin-And-OpenVPN-On-Your-Ubuntu-Cloud-Server.html
