User avatar
Thijxx
Posts: 86
Joined: Mon Oct 22, 2012 1:25 pm
Location: The Netherlands

Re: OpenVPN tutorial

Thu May 09, 2013 8:09 am

rblockmon wrote:Honestly, the tutorial needs to be cleaned up, because if someone was going to try and do this - they will only get confused because they are bouncing from tutorial to comment and back again. Just trying to help out.
It's updated, thanks for your feedback!

Didn't put it in the WiKi, I do not understand WiKi's. But I was able to edit my original post! :P
Mimi: Where'd you come from?
Doyle: My mom and the authorities are still trying to figure that out.

szopler
Posts: 2
Joined: Sat Jul 27, 2013 9:12 pm

Re: OpenVPN tutorial

Sat Jul 27, 2013 9:50 pm

Now please write down how to set bridge mode client at RaspberryPi and how to add routing.

User avatar
Thijxx
Posts: 86
Joined: Mon Oct 22, 2012 1:25 pm
Location: The Netherlands

Re: OpenVPN tutorial

Sun Jul 28, 2013 7:19 pm

szopler wrote:Now please write down how to set bridge mode client at RaspberryPi and how to add routing.
Hi Szopler,

I did not implement this myself so I can't write it down for you. But I searched the forum (just for you!) and found some stuff.

WARNING - THIS IS NOT TESTED (yet)

First you need to edit /etc/sysctl.conf and uncomment this line:
net.ipv4.ip_forward = 1

Then add this line to OpenVPN config file to change the default route on connect:
redirect-gateway

And maybe some DNS stuff, not sure, when I figure it out it will be written down by me here. To bypass possible DNS problems, use the google.com IP address to test it.
That will be: 173.194.75.147

:ugeek: stay cool
Mimi: Where'd you come from?
Doyle: My mom and the authorities are still trying to figure that out.

jago25_98
Posts: 25
Joined: Wed Aug 22, 2012 6:05 pm

Re: OpenVPN tutorial

Thu Aug 08, 2013 12:15 pm

It's good practice to merge all the keys and config into one single .ovpn file. Anyone know how to do that - an example with the right syntax.

By the way, ICSOpenVPN (OpenVPN for Android, not to be confused with OpenVPN Connect) gives false parsing error (see bug 177) in the config GUI so watch out.

PerthPi
Posts: 1
Joined: Tue Aug 20, 2013 12:06 pm

Re: OpenVPN tutorial

Tue Aug 20, 2013 12:09 pm

Hi there,

I've got OpenVPN working on my Pi with 1 x client certificate
How do I go about creating additional client certificates.
I'm not sure if running the following code will wipe by existing server / client keys

Code: Select all

./clean-all 
./build-ca
Also can't get the pkitool to run
-bash: pkitool: command not found
Thanks

User avatar
Thijxx
Posts: 86
Joined: Mon Oct 22, 2012 1:25 pm
Location: The Netherlands

Re: OpenVPN tutorial

Mon Sep 16, 2013 7:37 pm

PerthPi wrote:Hi there,

I've got OpenVPN working on my Pi with 1 x client certificate
How do I go about creating additional client certificates.
I'm not sure if running the following code will wipe by existing server / client keys

Code: Select all

./clean-all 
./build-ca
Also can't get the pkitool to run
-bash: pkitool: command not found
Thanks
Hi,

To add a client you should locate the 'easy-rsa' directory, run 'source ./vars' to load the client settings and then run './build-key <name>' where <name> is the name of your new client.
For great information, take a look at the Arch Linux WiKi pages here: https://wiki.archlinux.org/index.php/Cr ... sa_Scripts. I also LOVE that distribution, a much better way to learn Linux than Debian is if you ask me. Arch is so minimalistic it really forces you to built a whole environment from the ground up.

Good luck!

Thijs
Mimi: Where'd you come from?
Doyle: My mom and the authorities are still trying to figure that out.

leke
Posts: 53
Joined: Tue Oct 25, 2011 11:06 am
Location: Finland

Re: OpenVPN tutorial

Sun Oct 06, 2013 8:08 pm

Hi, Thanks for the tutorial. I'm getting this error when trying ./build-key-server sever
root@raspberrypi:/etc/openvpn/easy-rsa/2.0# ./build-key-server sever
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
and I had already tried
sudo /bin/bash
. ./vars
./clean-all
./build-ca
Up until that point everything seemed to go ok.

Any advice?

Thanks again :)

User avatar
Thijxx
Posts: 86
Joined: Mon Oct 22, 2012 1:25 pm
Location: The Netherlands

Re: OpenVPN tutorial

Sun Oct 06, 2013 8:19 pm

leke wrote:Hi, Thanks for the tutorial. I'm getting this error when trying ./build-key-server sever
root@raspberrypi:/etc/openvpn/easy-rsa/2.0# ./build-key-server sever
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
and I had already tried
sudo /bin/bash
. ./vars
./clean-all
./build-ca
Up until that point everything seemed to go ok.

Any advice?

Thanks again :)

Hi there leke, did you edit the 'vars' with something like 'nano vars' ?
That's where you set the encryption size for example, the 1024 or 2048 bit.
This page explains it really well; https://wiki.archlinux.org/index.php/Cr ... sa_Scripts

Thijs
Mimi: Where'd you come from?
Doyle: My mom and the authorities are still trying to figure that out.

leke
Posts: 53
Joined: Tue Oct 25, 2011 11:06 am
Location: Finland

Re: OpenVPN tutorial

Sun Oct 06, 2013 9:25 pm

Thijxx wrote: Hi there leke, did you edit the 'vars' with something like 'nano vars' ?
That's where you set the encryption size for example, the 1024 or 2048 bit.
This page explains it really well; https://wiki.archlinux.org/index.php/Cr ... sa_Scripts

Thijs
Hi, There is a chance did
sudo /bin/bash
./clean-all
./build-ca
missing . ./vars for some reason. Reading the link you sent, I also did "source ./vars" as well, but my spidey sense is telling me it's the same as ". ./vars"
Anyway, it seems to have gone smoothly and I've started the server, but I will test it tomorrow because it's late and I need to get up early tomorrow (or today now I guess). :roll:

Thanks for your help.

leke
Posts: 53
Joined: Tue Oct 25, 2011 11:06 am
Location: Finland

Re: OpenVPN tutorial

Tue Oct 08, 2013 4:48 am

Edit: Facepalm, just realised they are in /etc/openvpn/easy-rsa/2.0/keys

Please ignore the rest :oops:

Hi, me again :)
I was just wondering about this...
The client connection is based on a couple of files and those files are all named in the client.conf file. ...
Copy the following files to your wannabe OpenVPN Client:

client.crt
client.key
ca.crt
If you did this...
./build-key-server server
wouldn't you get this?
server.crt
server.key
ca.crt
because this is what I have in /etc/openvpn. It seems logical, but then perhaps I did something wrong.

Thanks.

rsperson
Posts: 8
Joined: Thu Sep 26, 2013 10:39 pm

Re: OpenVPN tutorial

Mon Oct 14, 2013 5:31 pm

on first command - failures?
sudo apt-get install openvpn
...
Err http://mirrordirector.raspbian.org/raspbian/ wheezy/main openvpn armhf 2.2.1-8+deb7u1 404 Not Found
Failed to fetch http://mirrordirector.raspbian.org/rasp ... _armhf.deb 404 Not Found
...
did a
sudo apt-get autoremove
to cleanup

rsperson
Posts: 8
Joined: Thu Sep 26, 2013 10:39 pm

Re: OpenVPN tutorial

Tue Oct 15, 2013 2:45 am

ran apt-get update on about Oct 11th and tried install Oct 14th.

Seems the Update of source.list happened on Oct 12th

Re-ran apt-get update and no errors

doveman
Posts: 174
Joined: Wed Dec 07, 2011 11:52 am

Re: OpenVPN tutorial

Fri Nov 29, 2013 5:47 pm

There still doesn't appear to be an OpenVPN tutorial on the wiki though, only a PPTP one. http://elinux.org/RPi_Tutorials

I'm trying to setup an OpenVPN server but followed a couple of different guides

A) http://raspberrypi-hacks.com/29/turn-yo ... pn-server/
B) http://raspberrypihelp.net/tutorials/1- ... r-tutorial

There doesn't appear to be any need to copy the keys from /easy-rsa/keys (that's the location in the above guides) as long as the openvpn.conf points to the files in that location.

I followed guide B) and just referred to A) to confirm that it appeared to be correct. However, the two guides differ in some respects, such as at step eleven in B) it tells you to do some stuff with crontab, which A) doesn't refer to at all. Then A) tells you to add these lines to /etc/rc.local, which B) doesn't.

iptables -t nat -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source RASPBERRY.PI.IP.ADRESS

and B) says to do this
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -o eth0 -j MASQUERADE

whereas A) says this

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to [ipadres rpi]

So I'm not really sure if I've got it setup right and I also need to make sure that it's purely for allowing remote clients to connect through to the Internet when using unsafe WiFi hotspots and that it doesn't allow access to any of my PCs on my LAN.

I also wonder if this is necessary for those of us who are using Dynamic IP services (probably most of us I imagine) and if so, maybe it could be incorporated into any tutorial someone might be working on, with a better explanation of exactly what files need to be edited, etc as it's not that clear http://openvpn.net/index.php/open-sourc ... namic.html

SoSo
Posts: 2
Joined: Sat Nov 30, 2013 6:53 pm

Re: OpenVPN tutorial

Sat Nov 30, 2013 8:19 pm

Great tutorial! I have been able to setup the VPN server and successfully connect my computer to it using Tunnelblick. Now I've setup the OpenVPN App for my iPhone and after installing the certificates (same with my computer) it works unless I try to connect both with my Pi. Obviously I need to generate more keys for each devices. But how can I generate additional keys without having to remove the previously (and working) generated client1 keys?

When I enter: ./build-key client2

It states:

Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.

Sorry for this noob question, but this whole Linux thing is still new to me...

SoSo
Posts: 2
Joined: Sat Nov 30, 2013 6:53 pm

Re: OpenVPN tutorial

Sat Nov 30, 2013 10:41 pm

Okay I've got it. Re-running it as root did the trick :)

User avatar
Thijxx
Posts: 86
Joined: Mon Oct 22, 2012 1:25 pm
Location: The Netherlands

Re: OpenVPN tutorial

Thu Dec 05, 2013 9:10 am

SoSo wrote:Okay I've got it. Re-running it as root did the trick :)
Great! I will add the 'extra clients' part to the tutorial.
Mimi: Where'd you come from?
Doyle: My mom and the authorities are still trying to figure that out.

georgeb2014
Posts: 9
Joined: Sat Feb 01, 2014 3:22 pm

Re: OpenVPN tutorial

Sat Feb 01, 2014 3:34 pm

I have looked at a number of posts regarding the use of the Raspberry Pi in a VPN arrangement with Windows systems. Unfortunately all seem to be using the Pi as the VPN server which is normal. I have a situation where I need the Pi to be the VPN Client and connect to a Windows 7 Home Premium system because of the network configuration at the Pi's location. I cannot receive incoming connections of any kind, but can make outgoing connections at all times. In addition, the Windows 7 VPN server may not always be available, so the PI will have to monitor the VPN and attempt to restore it's connection on a user defined basis.

Is anyone aware of a How-To or other discussion that might help me to solving this problem ? Again Pi must be VPN Client only, Server will always be Windows 7, Server may not be up continuously and Pi should try to reconnect on a user defined schedule/interval.

If by chance this has been solved already, I would appreciate a pointer to same. And feel free to admonish me for asking. I willingly accept the abuse in return for a solution or pointer to a solution.

Thanks in advance for any assistance you can offer.

Respectfully,

georgeb2014

User avatar
Thijxx
Posts: 86
Joined: Mon Oct 22, 2012 1:25 pm
Location: The Netherlands

Re: OpenVPN tutorial

Sat Feb 01, 2014 5:00 pm

georgeb2014 wrote:I have looked at a number of posts regarding the use of the Raspberry Pi in a VPN arrangement with Windows systems. Unfortunately all seem to be using the Pi as the VPN server which is normal. I have a situation where I need the Pi to be the VPN Client and connect to a Windows 7 Home Premium system because of the network configuration at the Pi's location. I cannot receive incoming connections of any kind, but can make outgoing connections at all times. In addition, the Windows 7 VPN server may not always be available, so the PI will have to monitor the VPN and attempt to restore it's connection on a user defined basis.

Is anyone aware of a How-To or other discussion that might help me to solving this problem ? Again Pi must be VPN Client only, Server will always be Windows 7, Server may not be up continuously and Pi should try to reconnect on a user defined schedule/interval.

If by chance this has been solved already, I would appreciate a pointer to same. And feel free to admonish me for asking. I willingly accept the abuse in return for a solution or pointer to a solution.

Thanks in advance for any assistance you can offer.

Respectfully,

georgeb2014
Hi George,

This is in fact offtopic. Shame on you ;)

Now, the answer is this: install openvpn (it's client and sever in one) and use this line of code to connect, should be self-explanatory.

Code: Select all

openvpn --remote SERVER_IP --dev tun1 --ifconfig 10.9.8.2 10.9.8.1 --tls-client --ca /etc/openvpn/easy-rsa/keys/ca.crt --cert /etc/openvpn/easy-rsa/keys/clientname.crt --key /etc/openvpn/easy-rsa/keys/clientname.key --reneg-sec 60 --verb 5
found that here https://wiki.debian.org/OpenVPN

If you put this code in a script and schedule the script for every 5 minutes, you should have a solution. To find out how, look for CHRON job manuals.
Found something here http://www.cyberciti.biz/faq/how-do-i-a ... unix-oses/
Mimi: Where'd you come from?
Doyle: My mom and the authorities are still trying to figure that out.

Mabs11
Posts: 1
Joined: Fri Feb 07, 2014 2:00 am

Re: OpenVPN tutorial

Fri Feb 07, 2014 2:11 am

Is there any chance of installing some kind of web admin user interface?
Some way to check user connections, or look the OpenVPN log or disconnect a client or backup config... all this admin stuff, from a GUI?
Something like "OpenVPN Access Server", is there something similar for the Raspberry?

Thx for your contribution here. Great tutorial.

User avatar
Thijxx
Posts: 86
Joined: Mon Oct 22, 2012 1:25 pm
Location: The Netherlands

Re: OpenVPN tutorial

Fri Feb 07, 2014 6:37 am

Mabs11 wrote:Is there any chance of installing some kind of web admin user interface?
Some way to check user connections, or look the OpenVPN log or disconnect a client or backup config... all this admin stuff, from a GUI?
Something like "OpenVPN Access Server", is there something similar for the Raspberry?

Thx for your contribution here. Great tutorial.
Hi there, and thanks.
The log file you seek is openvpn-status.log. You can activate that in the server.conf. more info here: https://openvpn.net/howto.html

The OpenVPN AS is not free :( and I'm also looking for a nice GUI admin...
This may be a good place to start: https://community.openvpn.net/openvpn/w ... edProjects

If you find/test anything, let me know and I'll try to help if needed and add it to this tutorial :)

Thijs
Mimi: Where'd you come from?
Doyle: My mom and the authorities are still trying to figure that out.

nemo096
Posts: 26
Joined: Wed Dec 26, 2012 10:54 am

Re: OpenVPN tutorial

Fri Feb 07, 2014 10:32 pm

Hi

I followed your tutorial o the letter but when i go to run openvpn at the end it says

Code: Select all

[FAIL] Starting virtual private network daemon: openvpn server failed!
Anyone know where the obvious places of error are or the common fixes?

Thanks

User avatar
Thijxx
Posts: 86
Joined: Mon Oct 22, 2012 1:25 pm
Location: The Netherlands

Re: OpenVPN tutorial

Sat Feb 08, 2014 4:27 pm

nemo096 wrote:Hi

I followed your tutorial o the letter but when i go to run openvpn at the end it says

Code: Select all

[FAIL] Starting virtual private network daemon: openvpn server failed!
Anyone know where the obvious places of error are or the common fixes?

Thanks
Hi nemo096,

I noticed that sometimes the server.conf is missing in the /etc/openvpn directory. Or there is an error in that file.
Also possible, as always, is that you did not start it as root or the init scrips (/etc/init.d/openvpn) has a non-existing user.

To better help you, I need to know where and when you got the error message.
There should be more details about WHY it fails, you can enable debug logging in the server.conf and then try to start it again.

Cheers
Mimi: Where'd you come from?
Doyle: My mom and the authorities are still trying to figure that out.

kees777
Posts: 1
Joined: Fri Mar 07, 2014 11:25 am

Re: OpenVPN tutorial

Fri Mar 07, 2014 11:31 am

Hello,

You mentioned that you will post the manual on http://elinux.org/RPi_Tutorials

However I cannot find it there. Can you post the exact URL?

Thanks!

JK

User avatar
Thijxx
Posts: 86
Joined: Mon Oct 22, 2012 1:25 pm
Location: The Netherlands

Re: OpenVPN tutorial

Fri Mar 07, 2014 7:55 pm

kees777 wrote:Hello,

You mentioned that you will post the manual on http://elinux.org/RPi_Tutorials

However I cannot find it there. Can you post the exact URL?

Thanks!

JK
Hi Kees,

That was the plan but it didn't work out between me and that wiki so this is it.
Feel free to copy all my information and set it up yourself.

Cheerio!

- Thijs
Mimi: Where'd you come from?
Doyle: My mom and the authorities are still trying to figure that out.

loadbang
Posts: 36
Joined: Mon Aug 13, 2012 4:56 pm

Re: OpenVPN tutorial

Thu Jun 05, 2014 7:56 pm

I'm a little lost when copying the config:

cp: cannot stat ‘/usr/share/doc/openvpn/examples/easy-rsa’: No such file or directory

This is what I get when running locate

# locate easy-rsa
/etc/openvpn/easy-rsa
/usr/share/doc/easy-rsa
/usr/share/doc/easy-rsa/changelog.Debian.gz
/usr/share/doc/easy-rsa/copyright
/usr/share/doc/easy-rsa/README-2.0.gz
/usr/share/doc/easy-rsa/README.Debian
/usr/share/easy-rsa
/usr/share/easy-rsa/build-ca
/usr/share/easy-rsa/build-dh
/usr/share/easy-rsa/build-inter
/usr/share/easy-rsa/build-key
/usr/share/easy-rsa/build-key-pass
/usr/share/easy-rsa/build-key-pkcs12
/usr/share/easy-rsa/build-key-server
/usr/share/easy-rsa/build-req
/usr/share/easy-rsa/build-req-pass
/usr/share/easy-rsa/clean-all
/usr/share/easy-rsa/inherit-inter
/usr/share/easy-rsa/list-crl
/usr/share/easy-rsa/openssl-0.9.6.cnf
/usr/share/easy-rsa/openssl-0.9.8.cnf
/usr/share/easy-rsa/openssl-1.0.0.cnf
/usr/share/easy-rsa/pkitool
/usr/share/easy-rsa/revoke-full
/usr/share/easy-rsa/sign-req
/usr/share/easy-rsa/vars
/usr/share/easy-rsa/whichopensslcnf
/var/cache/apt/archives/easy-rsa_2.2.2-1_all.deb
/var/lib/dpkg/info/easy-rsa.list
/var/lib/dpkg/info/easy-rsa.md5sums

Return to “Networking and servers”