Windows to Linux VPN
Related documents: Roll out custom Windows OpenVPN clients
On build machine
This may be skipped if you already have a built RPM of OpenVPN or sourced it from yum. From FC3 openvpn is available in the extras repositories.
# yum install lzo lzo-devel openssl-devel pam-devel # rpmbuild -tb openvpn-2.0.5.tar.gz # scp /usr/src/redhat/RPMS/i386/openvpn-2.0.5-1.i386.rpm ccc@192.168.1.85:
On the server
# yum install lzo # rpm -Uvh openvpn-2.0.5-1.i386.rpm
OR
Just do this instead of doing all above steps. This will install openvpn package and its dependencies to ur computer.
# yum install openvpn # cd /usr/share/openvpn/easy-rsa/2.0 # vi vars
Edit the variables KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to the appropriate value.
# . ./vars
You will need to delete all keys out of the Open VPN database.
# ./clean-all
Generate the Certificate Authority keys
# ./build-ca
It will ask a series of questions. The only field you need to fill in is the Common Name.
# ./build-key-server server
Again, some more questions. Only need to fill in the Common Name and answer 'y' to "Sign the certificate?" and "1 out of 1 certificate requests certified, commit?"
# ./build-dh
This will build the Diffie-Hellman key exchange settings. It will take a while.
# vi /etc/openvpn/openvpn.conf (create this file)
The config of openvpn.conf will included something similar to the following options:
dev tap proto udp port 1194 server 192.168.128.0 255.255.255.0 ifconfig 192.168.128.1 255.255.255.0 tls-server ca /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt cert /usr/share/openvpn/easy-rsa/2.0/keys/servername.crt key /usr/share/openvpn/easy-rsa/2.0/keys/servername.key dh /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem mute 10 verb 3 ping 10 keepalive 0 0 status /var/log/openvpn/openvpn-status.log log-append /var/log/openvpn/openvpn.log ip-win32 ipapi
Note: servername is the name of the computer
ip-win32 used to be not there. but we have problems with windows 10. other options
for it are ip-win32 manual and ip-win32 netshIf multiple customers are going to be connecting to a single server, like in the situation of an ASP. Multiple keys can be setup, along with multiple configuration files, but a different port must be setup for each customer/configuration.
Do not forget to start openpn service
Building key and crt for client to connect vpn
Server side
On the VPN server, run:
# cd /usr/share/openvpn/easy-rsa/2.0 # source vars # ./build-key <client>
It will then ask you a series of questions, similar to the ones asked by the ./build-key-server script. You should only need to answer the "Common Name" field, "Sign the certificate?" and "1 out of 1 certificate requests certified, commit?"
In the keys directory under current a configuration file config.ovpn similar to openvpn.conf must be created.
Note: Instead of using openvpn.conf give a meaningful name like name of the computer or person using that vpn. (eg kim.conf)
# Configuration for connecting into Creative computing internal network tls-client dev tap proto udp remote creativecomputing.com.au 1194 resolv-retry infinite nobind ifconfig 192.168.128.x 255.255.255.0 # This line is client dependent. (x means choose the ip address to use for client) ca ca.crt cert <client>.crt key <client>.key verb 3 mute 10
Then zip all these file you just created ( .crt, .key,.opvn and etc may be 6 or so files)
#zip filename.zip filenames dh1024.pem ca.crt
#scp to our muppets at /var/www/html/companyname (company name is folder you will create before copying to muppet)
On the client, install the latest version ofOpenVPN GUI for Windows, applying all the default options.
Or you can download this openvpn for client from our website
www.creativecomputing.com.au/openvpn ( run it in client machine)
Then
Copy zip folder from our website ( www.creativecomputing.com.au/companyname)
Copy the files /usr/share/openvpn/easy-rsa/2.0/keys/<client>.* /usr/share/openvpn/easy-rsa/2.0/ca.crt and /usr/share/openvpn/easy-rsa/2.0/dh1024.pem from the server to the C:\Program Files\OpenVPN\config folder on the client.
On the lower right hand side two red computer icons should apper, right click and connect to vpn server.
Note: Do not forget to port forward in their router ( port start and port end udp 1194 , portmap 1194)
There should be a script on muppets in /etc/openvpn/easy-rsa/email_keys. It takes two arguments: the client name and the email address. It should automatically create the keys for you and email them to the specified address. If any of the steps above change. The script will also need to be changed.
On a network with NAT, port1194with protocolUDPmust be forwarded to server's local IP address.Roll Your Own OpenVPN Windows Installation Package. Windows clients are known to time out, if OpenVPN is run as a service (non GUI) the following commands from RestartVPN.bat can quickly restart the service.
net stop "openvpn service" net start "openvpn service"
To have OpenVPN automatically connect at startup, edit the reigstry KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\openvpn_gui to the following value:
C:\Program Files\OpenVPN\bin\openvpn-gui.exe --connect <OVPN file>
How to tell if port forward is done.
need to test and see if can connect to their udp 1194 on the server
1, stop their openvpn service first
service openvpn stop
2, star to listen on udp 1194 on the the server
nc -l -u 1194
3, on sam try to connect to it using our local vpn(which should be working)
nc -u <customer code> 1194
then type something on sam the same char should be showing on the server.
this prove that the server can receive request and respond to UDP 1194
4, now close the client running on sam and the nc on customer server by control c.
restart the uc on ther server
nc -l -u 1194
try to connect to server through their public ip
nc -u xxx.xxx.xxx.xxx 1194
then type something from the client and see if anything comes up on the server side,
if something comeup which mean their router is doing port forwarding.
if nothing comeup which mean UDP 1194 was not frowarded to theserver.
4.2, if port is up but openvpn still refuse to connect,
then maybe something wrong the the TAP device on their host.
first go to the openvpn menu from start and check to see if there is a option to add tap virtual adaptor
then goest to device manager network and delete all TAP, then add a new TAP device using the option from openvpn.
5, remember to restart the openvpn service
service openvpn start
6, in conclution, the test show that , if we directlly talk to the server in the crecom subnet it can connect to UDP 1194
but if we connect to the public ip, which is the router's ip, and nothing happen at the server, that mean the router is not passing the package to the server.