A very basic OpenVPN configuration

From JoatWiki

The following are notes from a configuration that Sparks and I set up.

Advantages

- Extremely simple to configure.

Drawbacks

- Key distribution is your problem.
- For some reason, the server could not connect to services running on the client. This needs further investigation; it may have been caused by the client's Apache service.
- One client only.

Assumptions

- Both the client and the server are able to load the tun module (try 'modprobe tun', followed by 'lsmod|grep tun').
- This is a peer-to-peer configuration: "mode p2p" is OpenVPN's default, so it does not need to appear in the files below.
- The two networks do not overlap in IP address space (or, if you use the TAP adapter, MAC address space) if you intend to use this as a gateway. (This is only a simple configuration. Try the fancy stuff later!)

Installation

In our tests, the client was able to connect to a web server and Asterisk (via IAX) on the server.

1) Decide which system is going to be the server and which is going to be the client. If the server sits behind a NAT router, the router must forward UDP port 1194 to the server's actual (internal) address.

2) One of you must generate a static (pre-shared) key and copy it to the other over a secure channel (scp, or a physical medium). This is a symmetric secret rather than a certificate: anyone who holds the file can join or decrypt the tunnel, so keep it root-owned and mode 0600 on both ends. The key is generated via:

openvpn --genkey --secret simple.key

3) On the server end, create a file called /etc/openvpn/joat.conf (call it whatever you want) and put the following in it:

user nobody
group nobody
daemon
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/simple.key
keepalive 10 60
ping-timer-rem
persist-tun
persist-key

Notice that the above is a bit more than what's in the mini-howto. I'm only combining steps here.

The first three lines tell OpenVPN to run in the background and, once it has opened the tun device and read the key as root, to drop privileges to the UID and GID of "nobody".

'dev tun' tells OpenVPN to use a TUN adapter rather than a TAP adapter. 'tun' carries Layer 3 traffic (IPv4 or IPv6 packets); 'tap' carries Layer 2 traffic (Ethernet frames).

'ifconfig 10.8.0.1 10.8.0.2' sets the TUN or TAP adapter addresses. The first address is the local end of the tunnel. The second is the remote end's address (for TUN) or a netmask for the local address (for TAP). Please note that these addresses are reversed in the client configuration.

'secret /etc/openvpn/simple.key' tells OpenVPN where to find the pre-shared key for this configuration.

'keepalive 10 60' sends a ping over the tunnel every 10 seconds and restarts the tunnel if nothing has been received from the peer for 60 seconds. It is shorthand for 'ping 10' plus 'ping-restart 60' (see the man page for more details).

'ping-timer-rem' tells OpenVPN to start the ping-restart timer only once a remote address is known, i.e. once a client has connected. The server has no 'remote' line, so without this option it would restart every 60 seconds and fill the log files while waiting for a client.

'persist-tun' tells OpenVPN to keep the TUN (or TAP) adapter open across the restarts that 'keepalive' triggers, rather than closing and re-creating it. Once OpenVPN has dropped to "nobody" it can no longer create the device, so a restart would otherwise fail.

'persist-key' prevents an issue where the daemon can't re-load the key if the client drops off and returns. Remember, you start OpenVPN as root. The key is loaded before the daemon switches to the UID/GID of "nobody". After that, the file permissions (root-owned, mode 0600) prevent the key from being re-read when the client re-connects, so 'persist-key' keeps it in memory across restarts.

4) On the client end, the following should go in /etc/openvpn/client.conf:

remote REALWORLDIP 1194
dev tun
secret /etc/openvpn/simple.key
ifconfig 10.8.0.2 10.8.0.1
keepalive 10 60
ping-timer-rem
persist-tun
persist-key

where 'remote REALWORLDIP 1194' tells OpenVPN to connect to UDP port 1194 at "REALWORLDIP" (change this to the server's public IP address or hostname). The explanations for the rest of the config file are the same as above. Note that the addresses in the 'ifconfig' line are reversed, and that this client file has no 'user', 'group' or 'daemon' lines, so the client keeps running as root in the foreground; add them if you want the same privilege drop on that end.

5) On the server end, run:

openvpn --config /etc/openvpn/joat.conf

or whatever it was that you called the conf file. Give the full path: a bare file name is looked up relative to the current directory.

6) On the client end, run:

openvpn --config /etc/openvpn/client.conf

(Note: you can call the config file (on the client end) anything you want. Running 'openvpn' with no arguments only prints its usage; it does not pick a default file. What starts every /etc/openvpn/*.conf automatically is the distribution's init script or service unit, which is how these files get started at boot.)

7) Wait a few seconds (hint: watch your /var/log/messages file, or leave 'daemon' out of the server config to see the output on the console) and then ping the other end's tunnel address: 10.8.0.2 from the server, 10.8.0.1 from the client.
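The whole procedure above, as an added example that is not from the JoatWiki page: a POSIX shell script that writes the server and client files and then checks them for the mistakes that most often break a static-key tunnel (the client's 'ifconfig' addresses not mirrored, the 'secret' line pointing at a file that is missing, is not a V1 static key, or is readable by other users). The server address 203.0.113.10 and the scratch directory are assumptions. The key is produced with 'openvpn --genkey' where the binary exists; otherwise 256 random bytes are written in the same V1 layout purely so the checks can run on a machine without OpenVPN.

```shell
#!/bin/sh
# Added example, not from the JoatWiki page. Writes the two config files for
# the static-key setup above and checks them before OpenVPN is started.
# Assumed (hypothetical) values: server reachable at 203.0.113.10, tunnel
# ends 10.8.0.1 (server) and 10.8.0.2 (client), files in a scratch directory.

# write_conf ROLE REMOTE_HOST PORT LOCAL_TUN REMOTE_TUN KEY_PATH
# Prints an OpenVPN config on stdout: the server gets the privilege-drop and
# daemon lines, the client gets the 'remote' line instead.
write_conf() {
    role=$1 remote_host=$2 port=$3 local_tun=$4 remote_tun=$5 key=$6
    if [ "$role" = server ]; then
        printf 'user nobody\ngroup nobody\ndaemon\n'
    else
        printf 'remote %s %s\n' "$remote_host" "$port"
    fi
    printf 'dev tun\nifconfig %s %s\nsecret %s\n' "$local_tun" "$remote_tun" "$key"
    printf 'keepalive 10 60\nping-timer-rem\npersist-tun\npersist-key\n'
}

# conf_value FILE DIRECTIVE: print the arguments of the first DIRECTIVE line.
conf_value() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_pair SERVER_CONF CLIENT_CONF: succeed only if both use the same dev
# type and the client's ifconfig is the server's with the two addresses
# swapped (copying the server's line verbatim is the classic mistake).
check_pair() {
    s_if=$(conf_value "$1" ifconfig)
    c_if=$(conf_value "$2" ifconfig)
    [ -n "$s_if" ] && [ -n "$c_if" ] ||
        { echo "check_pair: ifconfig line missing" >&2; return 1; }
    [ "$(conf_value "$1" dev)" = "$(conf_value "$2" dev)" ] ||
        { echo "check_pair: dev type differs" >&2; return 1; }
    [ "${s_if%% *}" = "${c_if##* }" ] && [ "${s_if##* }" = "${c_if%% *}" ] ||
        { echo "check_pair: ifconfig not mirrored: '$s_if' vs '$c_if'" >&2; return 1; }
    return 0
}

# check_key CONF: succeed only if the file named by 'secret' exists, is a V1
# static key, and is readable by its owner alone (it is a shared secret).
# ls -l is used because stat's flags differ between GNU and BSD.
check_key() {
    key=$(conf_value "$1" secret)
    [ -f "$key" ] || { echo "check_key: '$key' missing" >&2; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$key" ||
        { echo "check_key: $key is not an OpenVPN static key" >&2; return 1; }
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
        { echo "check_key: $key readable by group/other; chmod 600 it" >&2; return 1; }
    return 0
}

# make_key FILE: 'openvpn --genkey' where OpenVPN is installed (2.5+ syntax
# first, then the older form used on this page). Without OpenVPN, write 256
# random bytes in the same V1 layout so the checks can still be exercised
# (constructed here for the demo; use the real generator for a production key).
make_key() {
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey secret "$1" 2>/dev/null || openvpn --genkey --secret "$1"
    else
        {
            printf '#\n# 2048 bit OpenVPN static key\n#\n'
            printf '%s\n' '-----BEGIN OpenVPN Static key V1-----'
            od -An -tx1 -N256 /dev/urandom | tr -d ' \n' | fold -w32
            printf '\n%s\n' '-----END OpenVPN Static key V1-----'
        } > "$1"
    fi
    chmod 600 "$1"
}

# demo: build a server/client pair in a scratch directory and run the checks.
demo() {
    tmp=$(mktemp -d)
    make_key "$tmp/simple.key"
    write_conf server "" 1194 10.8.0.1 10.8.0.2 "$tmp/simple.key" > "$tmp/joat.conf"
    write_conf client 203.0.113.10 1194 10.8.0.2 10.8.0.1 "$tmp/simple.key" > "$tmp/client.conf"
    check_pair "$tmp/joat.conf" "$tmp/client.conf" && check_key "$tmp/joat.conf" &&
        echo "configs consistent; server would start with: openvpn --config $tmp/joat.conf"
    rm -rf "$tmp"
}
demo
```

For a real deployment, pass /etc/openvpn/simple.key as KEY_PATH, copy the key to the peer with scp, and compare a checksum of it on both ends over a separate channel before starting; then run check_key on each machine, since the permission test only sees the local copy.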

Notes

I recommend reading the documentation at the OpenVPN site and/or getting a good book on the topic. (Anyone know of one? Sparks has a few choice words for the book that he picked up.)
