OpenVPN setup tutorial?

William Member
edited April 2012 in Tutorials

Hello Guys & Gals :)

Since today Austria's (whole EU in fact) home ISPs implemented the notorious "Vorratsdatenspeicherung" (data retention), I'm setting up a VPN in our Swiss location for my usage.

I thought first about using PPTP which is easy to set up but also slower (IIRC) - I'm looking to be able to push 50-100Mbit down and 5-10Mbit up.

So does anyone have a tutorial for that?
Looking for:
Key auth (no passwords)
Static IP for every client (based on Username for the VPN maybe? or the MAC of the client?)
Not too high encryption, just basic - Prefer Speed over Security

Anyone knows how to do this? Rewarding a year of EDIS KVM Micro in any location of your choice for a fully working solution :)

William

Comments

  • I followed the Linode library and it's probably the easiest to understand.

  • Just install openvpn-AS. It only takes 2 commands.

    Thanked by 1William
  • nabo Member
    edited April 2012

    @William said: Since today Austria's (whole EU in fact) home ISPs implemented the notorious "Vorratsdatenspeicherung" (data retention), I'm setting up a VPN in our Swiss location for my usage.

    So your decision was not wise. Switzerland has a data retention act since 2002. Which is btw controlled by one of the Swiss Counter Intelligence Agencies. Germany is the only country in the EU that does not have a data retention as it is against the German constitution.

  • Interesting, Openvpn-AS works fine but I'm too dumb to assign users static external IPs - Any idea?
    I just selected "Layer 2 (ethernet bridging)" at the VPN Mode without specifying a bridge and assigned the user a static external IP in his user settings which is not bound to any interface on the KVM I'm running on.
    Doesn't work.

    Do I need to create a bridge manually or assign the IP to eth0?

  • @nabo said: Which is btw controlled by one of the Swiss Counter Intelligence Agencies

    I trust the Swiss guys more than our own.

    @nabo said: Germany is the only country in the EU that does not have a data retention as it is against the German constitution.

    It is against ours also, Germany WILL have to implement it or they will have to drop out of the EU or pay high fees for every day they don't (like we had to).
    Besides this, Germany has other laws which are not preferable for anyone and other restrictions which are annoying like blocked YouTube and other video sites.

    After all this is just a demo setup, I also have servers in other countries I can use - Ukraine, Russia, Liechtenstein, Norway and the Isle of Man to name a few.

  • @William said: I just selected "Layer 2 (ethernet bridging)"

    I use NAT, it's easier to set up

  • @William said: Liechtenstein

    Now that would be interesting

  • @liam said: @William I haven't used openvpn for a while... it wasn't clear if you trying to assign users their own unique ip or a select few users the same ip. Could you clarify?

    I want each user to use his own, external (thus public), static, IPv4 IP instead of the usual "shared" Host IPv4.
    Clear enough? ;)

    @DanielM said: I use NAT, it's easier to set up

    Certainly, but for usability reasons I can't use that.

    @gsrdgrdghd said: Now that would be interesting

    Yes, if traffic would not be so expensive :(

  • Amfy Member

    @William said: Yes, if traffic would not be so expensive :(

    At which provider have you looked? Server.lu offers 1TB for 10€ that's really ok.

  • @Amfy said: At which provider have you looked? Server.lu offers 1TB for 10€ that's really ok.

    Luxemburg != Liechtenstein ;-)

  • Amfy Member

    Damn, sorry

  • @Amfy said: Server.lu offers 1TB for 10€ that's really ok.

    Ovh offers 1TB for 89p (Around $1.40)

  • dnom Member

    @William said: I want each user to use his own, external (thus public), static, IPv4 IP instead of the usual "shared" Host IPv4.

    I did this a while back following this tutorial:
    http://forums.openvpn.net/topic8559.html

    "To put the example into practical terms, it would mean that you could login to the VPN and visit http://www.whatismyip.com to see your WAN ip. Then you could log out, and in to the VPN as a new user, and visit http://www.whatismyip.com again. This time the reported WAN ip will be different, depending on the user you have logged into the VPN as."

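One common way to give each user a fixed address, as an added example that is not from the thread or the linked tutorial: a `client-config-dir` file per certificate CN pins the VPN address with `ifconfig-push`, and a 1:1 SNAT rule maps that address to a public one. The CNs, the addresses (RFC 5737 documentation range), `eth0`, and the assumed `topology subnet` / `server 10.8.0.0 255.255.255.0` server settings are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin a VPN address per certificate CN and map it 1:1 to a
# public address. Assumes the server config has "topology subnet",
# "server 10.8.0.0 255.255.255.0" and "client-config-dir <dir>".

# Constructed mapping: CN, fixed VPN address, public address (RFC 5737 range).
MAPPING='alice 10.8.0.10 203.0.113.10
bob 10.8.0.11 203.0.113.11'

# Refuse malformed lines and any address that is assigned twice.
check_mapping() {
    printf '%s\n' "$MAPPING" | awk '
        NF != 3      { print "bad line: " $0; bad = 1; next }
        vpn[$2]++    { print "VPN address reused: " $2; bad = 1 }
        pub[$3]++    { print "public address reused: " $3; bad = 1 }
        END          { exit bad + 0 }'
}

# Write one file per client; OpenVPN looks the file up by the client's CN.
write_ccd() {  # $1 = client-config-dir
    mkdir -p "$1" || return 1
    printf '%s\n' "$MAPPING" | while read -r cn vpn_ip pub_ip; do
        case "$cn" in
            ''|.*|*/*) echo "skipping unsafe CN: $cn" >&2; continue ;;
        esac
        printf 'ifconfig-push %s 255.255.255.0\n' "$vpn_ip" > "$1/$cn"
    done
}

# Print the NAT rules for review instead of applying them.
snat_rules() {  # $1 = outbound interface
    printf '%s\n' "$MAPPING" | while read -r cn vpn_ip pub_ip; do
        [ -n "$cn" ] || continue
        printf 'iptables -t nat -A POSTROUTING -s %s/32 -o %s -j SNAT --to-source %s\n' \
            "$vpn_ip" "$1" "$pub_ip"
    done
}

check_mapping && snat_rules eth0
```

The public addresses must also be configured on the host's outbound interface, and adding `ccd-exclusive` to the server config refuses clients that have no file in the directory.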
  • Asim Member

    How to resolve this?

    WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

  • netomx Moderator, Veteran

    Isn't Netherlands the best for that?

  • @Asim said: How to resolve this?

    Where is this error?

    Thanked by 1Asim
  • Asim Member

    I get stuck at

    Mon Apr 02 20:17:34 2012 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
    Mon Apr 02 20:17:36 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Mon Apr 02 20:17:36 2012 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Mon Apr 02 20:17:36 2012 LZO compression initialized
    Mon Apr 02 20:17:36 2012 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Mon Apr 02 20:17:36 2012 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
    Mon Apr 02 20:17:36 2012 Local Options hash (VER=V4): '31fdf004'
    Mon Apr 02 20:17:36 2012 Expected Remote Options hash (VER=V4): '3e6d1056'
    Mon Apr 02 20:17:36 2012 Attempting to establish TCP connection with xxx.xxx.xxx.xxx:1194
    Mon Apr 02 20:17:38 2012 TCP: connect to xxx.xxx.xxx.xxx:1194 failed, will try again in 5 seconds

  • Asim Member
    edited April 2012

    My configuration is

    remote xxx.xxx.xxx.xxx 1194
    proto tcp
    auth-user-pass
    ca ca.crt
    cert asim.crt
    key asim.key
    comp-lzo
    verb 3
    mute 20
    resolv-retry infinite
    nobind
    client
    dev tap
    persist-key
    persist-tun
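
The warning quoted above means the client will accept any certificate signed by the CA, including another client's, as the server. An added check (not from the thread) that scans a client config for a server-verification directive; the directive list is this example's assumption, and the sample is a shortened copy of the configuration posted above.

```shell
#!/bin/sh
# Added example: report whether an OpenVPN client config verifies the server
# certificate. The directive list below is an assumption of this example.
VERIFY_DIRECTIVES='remote-cert-tls ns-cert-type tls-remote verify-x509-name tls-verify remote-cert-eku'

# Shortened copy of the client configuration posted in the thread.
SAMPLE_CONF='remote xxx.xxx.xxx.xxx 1194
proto tcp
auth-user-pass
ca ca.crt
cert asim.crt
key asim.key
comp-lzo
client
dev tap'

# Read a config on stdin, print findings, return 0 only if a usable
# verification directive is present and none is set to the wrong role.
audit_client_conf() {
    awk -v list="$VERIFY_DIRECTIVES" '
        BEGIN { n = split(list, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        { sub(/[#;].*/, "") }                  # drop comments
        !($1 in want) { next }
        ($1 == "remote-cert-tls" || $1 == "ns-cert-type") && $2 != "server" {
            print "WRONG: " $1 " " $2 " (a client must require server)"
            wrong = 1; next
        }
        { print "OK: " $1 " " $2; ok = 1 }
        END {
            if (!ok && !wrong)
                print "MISSING: no server certificate verification directive"
            rc = (ok && !wrong) ? 0 : 1
            exit rc
        }'
}

printf '%s\n' "$SAMPLE_CONF" | audit_client_conf || true
```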

  • Are you using access server or normal openvpn?

  • Asim Member

    I modified the default OpenVPN Windows GUI file to the same sample as /usr/share/doc/openvpn/examples/sample-config-files/client.conf. Now I don't get the error message or the user/pass prompt but it does not connect either :(

    Mon Apr 02 20:33:16 2012 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
    Mon Apr 02 20:33:16 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Mon Apr 02 20:33:16 2012 LZO compression initialized
    Mon Apr 02 20:33:16 2012 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mon Apr 02 20:33:16 2012 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
    Mon Apr 02 20:33:16 2012 Local Options hash (VER=V4): 'd79ca330'
    Mon Apr 02 20:33:16 2012 Expected Remote Options hash (VER=V4): 'f7df56b8'
    Mon Apr 02 20:33:16 2012 UDPv4 link local: [undef]
    Mon Apr 02 20:33:16 2012 UDPv4 link remote: 199.167.30.47:1194
    Mon Apr 02 20:34:15 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Apr 02 20:34:15 2012 TLS Error: TLS handshake failed
    Mon Apr 02 20:34:15 2012 TCP/UDP: Closing socket

  • Asim Member

    Note for newbies @ VPN (like me), look at /var/log/daemon.log. It looks like tun/tap is not available on my container. Opened a ticket with my VPS provider, this will fix the problem for sure

    root@vpn:/var/log# tail daemon.log
    Apr 2 20:53:20 vpn ovpn-server[1863]: OpenVPN 2.1.0 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
    Apr 2 20:53:20 vpn ovpn-server[1863]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 2 20:53:20 vpn ovpn-server[1863]: Diffie-Hellman initialized with 1024 bit key
    Apr 2 20:53:21 vpn ovpn-server[1863]: /usr/bin/openssl-vulnkey -q -b 1024 -m
    Apr 2 20:53:21 vpn ovpn-server[1863]: TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Apr 2 20:53:21 vpn ovpn-server[1863]: ROUTE: default_gateway=UNDEF
    Apr 2 20:53:21 vpn ovpn-server[1863]: Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
    Apr 2 20:53:21 vpn ovpn-server[1863]: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
    Apr 2 20:53:21 vpn ovpn-server[1863]: Cannot allocate TUN/TAP dev dynamically
    Apr 2 20:53:21 vpn ovpn-server[1863]: Exiting
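
The three failures posted in this thread (TCP connect failing, the TLS handshake timing out, and the server exiting without /dev/net/tun) can be told apart mechanically. This is an added example, not from the thread: the finding codes and hint texts are its own interpretation, and the log excerpts are copied from the posts above with timestamps and prefixes trimmed.

```shell
#!/bin/sh
# Added example: classify OpenVPN log lines by likely cause.
# Codes and hints are this example's interpretation, not OpenVPN output.

# Excerpts from the logs posted in the thread (timestamps trimmed).
CLIENT_TCP_LOG='WARNING: No server certificate verification method has been enabled.
Attempting to establish TCP connection with xxx.xxx.xxx.xxx:1194
TCP: connect to xxx.xxx.xxx.xxx:1194 failed, will try again in 5 seconds'
CLIENT_UDP_LOG='TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed'
SERVER_LOG='Diffie-Hellman initialized with 1024 bit key
Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Cannot allocate TUN/TAP dev dynamically
Exiting'

# Read a log on stdin, print one "code: hint" line per finding, return 1 if none.
triage_openvpn_log() {
    awk '
        /No server certificate verification method/ {
            f["no-server-verify"] = "client accepts any certificate signed by the CA" }
        /TCP: connect to .* failed/ {
            f["tcp-unreachable"] = "nothing accepts TCP on that port: daemon down, firewall, or server on UDP" }
        /TLS key negotiation failed/ {
            f["tls-timeout"] = "no handshake reply: daemon down, firewall, or proto/port mismatch" }
        /Cannot open TUN\/TAP dev/ {
            f["tun-missing"] = "/dev/net/tun absent: TUN/TAP not enabled for this host or container" }
        /Diffie-Hellman initialized with 1024 bit/ {
            f["weak-dh"] = "1024-bit DH parameters: regenerate with 2048 bits or more" }
        END {
            for (k in f) { print k ": " f[k]; n++ }
            exit !n
        }'
}

printf '%s\n' "$SERVER_LOG" | triage_openvpn_log
```

A client-side `tcp-unreachable` or `tls-timeout` finding is a reason to read the server's own log next, which is where the `tun-missing` cause showed up here.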

  • @Asim said: Note for newbies @ VPN (like me), look at /var/log/daemon.log. It looks like tun/tap is not available on my container. Opened a ticket with my VPS provider, this will fix the problem for sure

    If you're running AS, make sure they enable the extra firewall rules otherwise AS will not start

  • MrAndroid Member
    edited April 2012

    I gotta admit, I just tried OpenVPN-AS and found it much easier to set up than doing keys manually all the time.

    Also the fact that it plugs into PAM is cooool.

    Thanked by 1Asim
  • OpenVPN-AS's page seems to be outdated (updated for Ubuntu 10 only). Is the project still alive?

  • DanielM Member
    edited September 2012

    @kossel said: OpenVPN-AS's page seems to be outdated (updated for Ubuntu 10 only). Is the project still alive?

    Dudee this thread is 5 months old! wtf, don't revive old threads to gain post posts.

  • @kossel said: OpenVPN-AS's page seems to be outdated (updated for Ubuntu 10 only). Is the project still alive?

    Yes it is still alive, and thanks for reviving ... I had no idea that the data retention shit had happened over here in Austria.

    VPN on ...

  • @William said: Anyone knows how to do this?

    I can help you with the configuration if you can provide me a KVM and some unused static Internet IP.
