Revision 38 as of 2023-12-28 04:41:58
Windows to Linux VPN
Related documents: Roll out custom Windows OpenVPN clients
On build machine
This may be skipped if you already have a built RPM of OpenVPN or sourced it from yum. From FC3 openvpn is available in the extras repositories.
# yum install lzo lzo-devel openssl-devel pam-devel
# rpmbuild -tb openvpn-2.0.5.tar.gz
# scp /usr/src/redhat/RPMS/i386/openvpn-2.0.5-1.i386.rpm ccc@192.168.1.85:
On the server
# yum install lzo
# rpm -Uvh openvpn-2.0.5-1.i386.rpm
OR
Just do this instead of all the steps above. It will install the openvpn package and its dependencies on your computer.
# yum install openvpn
# cd /usr/share/openvpn/easy-rsa/2.0
# vi vars
Edit the variables KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to the appropriate value.
# . ./vars
You will need to delete all keys out of the OpenVPN database.
# ./clean-all
Generate the Certificate Authority keys
# ./build-ca
It will ask a series of questions. The only field you need to fill in is the Common Name.
# ./build-key-server server
Again, some more questions. Only need to fill in the Common Name and answer 'y' to "Sign the certificate?" and "1 out of 1 certificate requests certified, commit?"
# ./build-dh
This will build the Diffie-Hellman key exchange settings. It will take a while.
# vi /etc/openvpn/openvpn.conf (create this file)
The openvpn.conf file will include something similar to the following options:
dev tap
proto udp
port 1194
server 192.168.128.0 255.255.255.0
ifconfig 192.168.128.1 255.255.255.0
tls-server
ca /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/2.0/keys/servername.crt
key /usr/share/openvpn/easy-rsa/2.0/keys/servername.key
dh /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem
mute 10
verb 3
ping 10
keepalive 0 0
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
ip-win32 ipapi
Note: servername is the name of the computer.
ip-win32 used to be not there, but we have problems with Windows 10. Other options for it are ip-win32 manual and ip-win32 netsh.
If multiple customers are going to be connecting to a single server, as in the situation of an ASP, multiple keys can be set up along with multiple configuration files, but a different port must be set up for each customer/configuration.
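As an added check that is not part of the original wiki page, the Python script below lints a server config like the one above for the settings a defender would want to revisit: a static secret key, a 1024-bit DH file, keepalive 0 0, and a missing tls-auth or cipher line. SAMPLE_CONF is a trimmed copy of the page's own config, and KEY_SIZE refers to the variable in easy-rsa's vars file.

```python
import re

# Constructed sample: the server config from this page, trimmed, one directive per line.
SAMPLE_CONF = """\
dev tap
proto udp
server 192.168.128.0 255.255.255.0
tls-server
ca /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/2.0/keys/servername.crt
key /usr/share/openvpn/easy-rsa/2.0/keys/servername.key
dh /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem
keepalive 0 0
"""

def parse_conf(text):
    """Return [(directive, [args])] in file order, skipping blanks and # comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries

def lint_conf(text):
    """Return a list of findings for a server config; an empty list means nothing flagged."""
    entries = parse_conf(text)
    present = {d for d, _ in entries}
    findings = []
    for directive, args in entries:
        if directive == "secret":
            findings.append("secret: one static key shared by every client, so a lost laptop "
                            "means re-keying all of them; use tls-server with per-client certs")
        if directive == "dh" and args and re.search(r"dh(512|768|1024)\b", args[0]):
            findings.append("dh: %s is a weak DH group; set KEY_SIZE=2048 in easy-rsa's vars "
                            "and re-run ./build-dh" % args[0].rsplit("/", 1)[-1])
        if directive == "keepalive" and args[:2] == ["0", "0"]:
            findings.append("keepalive 0 0: dead-peer detection is off, so a client that drops "
                            "silently is never timed out; keepalive 10 120 is a usual setting")
    if "tls-server" in present and not present & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: any UDP packet reaches the TLS handshake code; "
                        "add tls-auth ta.key 0 (make ta.key with openvpn --genkey --secret ta.key)")
    if "cipher" not in present:
        findings.append("cipher: not set, so the pre-2.4 default BF-CBC (64-bit blocks) is used; "
                        "set cipher AES-256-CBC on server and clients")
    return findings

if __name__ == "__main__":
    for finding in lint_conf(SAMPLE_CONF):
        print("WARN", finding)
```

Run it against /etc/openvpn/openvpn.conf after each edit; the same checks apply to the client .ovpn files, which must carry the matching tls-auth and cipher lines.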
Do not forget to start the openvpn service.
Building key and crt for client to connect vpn
Server side
On the VPN server, run:
# cd /usr/share/openvpn/easy-rsa/2.0
# source vars
# ./build-key <client>
It will then ask you a series of questions, similar to the ones asked by the ./build-key-server script. You should only need to answer the "Common Name" field, "Sign the certificate?" and "1 out of 1 certificate requests certified, commit?"
In the keys directory under the current directory, a configuration file config.ovpn similar to openvpn.conf must be created.
Note: Instead of using openvpn.conf, give it a meaningful name like the name of the computer or person using that VPN (e.g. kim.conf).
# Configuration for connecting into Creative computing internal network
tls-client
dev tap
proto udp
remote creativecomputing.com.au 1194
resolv-retry infinite
nobind
ifconfig 192.168.128.x 255.255.255.0 # This line is client dependent. (x means choose the ip address to use for client)
ca ca.crt
cert <client>.crt
key <client>.key
verb 3
mute 10
Then zip all the files you just created (.crt, .key, .ovpn and so on; there may be 6 or so files):
#zip filename.zip filenames dh1024.pem ca.crt
# scp the zip to our muppets server at /var/www/html/companyname (companyname is a folder you create before copying to muppets)
On the client, install the latest version of OpenVPN GUI for Windows, applying all the default options.
Or you can download this OpenVPN client from our website, www.creativecomputing.com.au/openvpn (run it on the client machine).
Then copy the zip folder from our website (www.creativecomputing.com.au/companyname).
Copy the files /usr/share/openvpn/easy-rsa/2.0/keys/<client>.* /usr/share/openvpn/easy-rsa/2.0/ca.crt and /usr/share/openvpn/easy-rsa/2.0/dh1024.pem from the server to the C:\Program Files\OpenVPN\config folder on the client.
On the lower right hand side two red computer icons should appear; right-click and connect to the VPN server.
Note: Do not forget to set up port forwarding in their router (port start and port end UDP 1194, portmap 1194).
There should be a script on muppets in /etc/openvpn/easy-rsa/email_keys. It takes two arguments: the client name and the email address. It should automatically create the keys for you and email them to the specified address. If any of the steps above change, the script will also need to be changed.
On a network with NAT, port 1194 with protocol UDP must be forwarded to the server's local IP address. See also Roll Your Own OpenVPN Windows Installation Package. Windows clients are known to time out; if OpenVPN is run as a service (non-GUI) the following commands from RestartVPN.bat can quickly restart the service.
net stop "openvpn service"
net start "openvpn service"
To have OpenVPN automatically connect at startup, edit the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\openvpn_gui to the following:
C:\Program Files\OpenVPN\bin\openvpn-gui.exe --connect <OVPN file>
How to tell if port forwarding is done.
We need to test whether we can connect to UDP 1194 on their server.
1. Stop their openvpn service first:
service openvpn stop
2. Start listening on UDP 1194 on the server:
nc -l -u 1194
3. On sam, try to connect to it using our local VPN (which should be working):
nc -u <customer code> 1194
Then type something on sam; the same characters should show up on the server.
This proves that the server can receive requests and respond on UDP 1194.
4. Now close the client running on sam and the nc on the customer's server with Ctrl-C.
Restart nc on their server:
nc -l -u 1194
Try to connect to the server through their public IP:
nc -u xxx.xxx.xxx.xxx 1194
Then type something from the client and see if anything comes up on the server side.
If something comes up, their router is doing the port forwarding.
If nothing comes up, UDP 1194 was not forwarded to the server.
4.2. If the port is up but OpenVPN still refuses to connect,
then maybe something is wrong with the TAP device on their host.
First go to the OpenVPN menu from Start and check whether there is an option to add a TAP virtual adaptor;
then go to Device Manager, Network adapters, delete all TAP devices, and add a new TAP device using the option from OpenVPN.
5. Remember to restart the openvpn service:
service openvpn start
6. In conclusion, the test shows that if we talk directly to the server in the crecom subnet it can connect to UDP 1194,
but if we connect to the public IP, which is the router's IP, and nothing happens at the server, that means the router is not passing the packets to the server.
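The same test scripted, as an added example that is not from the wiki (udpcheck.py is a hypothetical file name): the listen half stands in for nc -l -u 1194 on the customer's server, the probe half for nc -u <ip> 1194 on sam, and loopback_selftest checks the tool itself before it is used. It goes slightly beyond the manual procedure by having the listener acknowledge each probe, so the client side also learns whether the reply path works.

```python
import socket
import sys

def open_listener(bind_addr="0.0.0.0", port=1194):
    """Bind UDP 1194 the way `nc -l -u 1194` does (stop openvpn first or the bind fails)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock

def wait_for_probe(sock, timeout=60.0):
    """Block for one datagram, ack it, return (data, sender); None on timeout = not forwarded."""
    sock.settimeout(timeout)
    try:
        data, peer = sock.recvfrom(1500)
    except socket.timeout:
        return None
    sock.sendto(b"ack:" + data, peer)  # beyond plain nc: the client sees the reply path too
    return data, peer

def send_probe(host, port=1194, token=b"probe", timeout=5.0):
    """The 'type something' step: send one datagram and return the server's ack, else None."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(token, (host, port))
        reply, _ = sock.recvfrom(1500)
    except OSError:  # timeout, or an ICMP port-unreachable surfacing as ECONNREFUSED
        return None
    finally:
        sock.close()
    return reply if reply == b"ack:" + token else None

def loopback_selftest():
    """Run both halves against 127.0.0.1 on a free port to prove the tool itself works."""
    lsock = open_listener("127.0.0.1", 0)  # port 0 = any free port
    port = lsock.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(5.0)
    client.sendto(b"hello", ("127.0.0.1", port))  # queues until the listener reads it
    got = wait_for_probe(lsock, 5.0)
    ack = client.recvfrom(1500)[0]
    lsock.close(); client.close()
    return got is not None and got[0] == b"hello" and ack == b"ack:hello"

if __name__ == "__main__":  # udpcheck.py listen <port>  |  udpcheck.py probe <host> <port>
    if sys.argv[1:2] == ["listen"]:
        got = wait_for_probe(open_listener(port=int(sys.argv[2])))
        print("forwarded: probe from %s" % (got[1],) if got else "nothing arrived: UDP port not reaching this host")
    elif sys.argv[1:2] == ["probe"]:
        print("reply ok" if send_probe(sys.argv[2], int(sys.argv[3])) else "no reply")
```

A "reply ok" over the local VPN but "no reply" against the public IP is the same verdict as step 6 above: the router is not passing UDP 1194 to the server.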
