Ubuntu – Need help setting up OpenVPN on an Ubuntu server

Tags: openvpn, ubuntu

EDIT:

OK, thanks to all of your help I've made some progress. I fixed the connectivity issues with the bridge by manually setting up the bridge in the interfaces file and editing the bridge-start and bridge-stop scripts to only add/take down the tap interface (see below for the current versions of these files).

Now I can connect to the server, but the connection keeps getting dropped. Is this a key issue? I've tried regenerating the keys to no avail.

The log from Tunnelblick when trying to connect to my server:

2010-09-19 10:08:05 *Tunnelblick: OS X 10.6.4; Tunnelblick 3.0 (build 1437); OpenVPN 2.1.1
2010-09-19 10:08:07 *Tunnelblick: Attempting connection with evan's apartment.conf; Set nameserver = 1; monitoring connection
2010-09-19 10:08:07 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start evan's\ apartment.conf 1338 1 0 0 0
2010-09-19 10:08:07 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpn --management-query-passwords --cd /Users/evan/Library/Application Support/Tunnelblick/Configurations --daemon --management-hold --management 127.0.0.1 1338 --config /Users/evan/Library/Application Support/Tunnelblick/Configurations/evan's apartment.conf --script-security 2 --up "/Applications/Tunnelblick.app/Contents/Resources/client.up.osx.sh" --down "/Applications/Tunnelblick.app/Contents/Resources/client.down.osx.sh" --up-restart
2010-09-19 10:08:07 SUCCESS: pid=2376
2010-09-19 10:08:07 SUCCESS: real-time state notification set to ON
2010-09-19 10:08:07 SUCCESS: real-time log notification set to ON
2010-09-19 10:08:07 OpenVPN 2.1.1 i386-apple-darwin10.2.0 [SSL] [LZO2] [PKCS11] built on Feb 24 2010
2010-09-19 10:08:07 MANAGEMENT: TCP Socket listening on 127.0.0.1:1338
2010-09-19 10:08:07  waiting...
2010-09-19 10:08:07 MANAGEMENT: Client connected from 127.0.0.1:1338
2010-09-19 10:08:07 MANAGEMENT: CMD 'pid'
2010-09-19 10:08:07 MANAGEMENT: CMD 'state on'
2010-09-19 10:08:07 MANAGEMENT: CMD 'log on all'
2010-09-19 10:08:07 END
2010-09-19 10:08:07 MANAGEMENT: CMD 'hold release'
2010-09-19 10:08:07 SUCCESS: hold release succeeded
2010-09-19 10:08:07 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2010-09-19 10:08:07 Control Channel Authentication: using '/Users/evan/VPN/ta.key' as a OpenVPN static key file
2010-09-19 10:08:07 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2010-09-19 10:08:07 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2010-09-19 10:08:07 LZO compression initialized
2010-09-19 10:08:07 Control Channel MTU parms [ L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]
2010-09-19 10:08:07 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
2010-09-19 10:08:07 Local Options hash (VER=V4): 'e39a3273'
2010-09-19 10:08:07 Expected Remote Options hash (VER=V4): '3c14feac'
2010-09-19 10:08:07  or --up-delay
2010-09-19 10:08:07 Attempting to establish TCP connection with 192.168.0.2:1194 [nonblock]
2010-09-19 10:08:07 
2010-09-19 10:08:08 TCP connection established with 192.168.0.2:1194
2010-09-19 10:08:08 Socket Buffers: R=[525624->65536] S=[131768->65536]
2010-09-19 10:08:08 TCPv4_CLIENT link local: [undef]
2010-09-19 10:08:08 TCPv4_CLIENT link remote: 192.168.0.2:1194
2010-09-19 10:08:08 
2010-09-19 10:08:08  restarting [0]
2010-09-19 10:08:08 TCP/UDP: Closing socket
2010-09-19 10:08:08  process restarting
2010-09-19 10:08:08 
2010-09-19 10:08:08 MANAGEMENT: CMD 'hold release'
2010-09-19 10:08:08 SUCCESS: hold release succeeded
2010-09-19 10:08:08 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2010-09-19 10:08:08 Re-using SSL/TLS context
2010-09-19 10:08:08 LZO compression initialized
2010-09-19 10:08:08 Control Channel MTU parms [ L:1576 D:168 EF:68 EB:0 ET:0 EL:0 ]
2010-09-19 10:08:08 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
2010-09-19 10:08:08 Local Options hash (VER=V4): 'e39a3273'
2010-09-19 10:08:08 Expected Remote Options hash (VER=V4): '3c14feac'
2010-09-19 10:08:08 Attempting to establish TCP connection with 192.168.0.2:1194 [nonblock]
2010-09-19 10:08:08 
2010-09-19 10:08:09 TCP connection established with 192.168.0.2:1194
2010-09-19 10:08:09 Socket Buffers: R=[525624->65536] S=[131768->65536]
2010-09-19 10:08:09 TCPv4_CLIENT link local: [undef]
2010-09-19 10:08:09 TCPv4_CLIENT link remote: 192.168.0.2:1194
2010-09-19 10:08:09 
2010-09-19 10:08:09  restarting [0] ... (just keeps repeating from here)

Here are the updated files that I've changed:

interfaces

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface: a bridge port carries no address of its own,
# the address lives on the bridge (eth0 had the same static address as br0)
auto eth0
iface eth0 inet manual

# Bridge for OpenVPN: holds the LAN address and enslaves eth0
auto br0
iface br0 inet static
address 192.168.0.2
netmask 255.255.255.0
gateway 192.168.0.1
bridge_ports eth0

bridge-start

#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.0.2"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"
eth_gateway="192.168.0.1"
eth_network="192.168.0.0"

for t in $tap; do
    openvpn --mktun --dev $t
done

#brctl addbr $br
#brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

#ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast gateway $eth_gateway

bridge-stop

#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

#ifconfig $br down
#brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
done

My server.conf file looks like the one aleroot suggested.

Thanks for all of your help so far, I think I'm close now :).

ORIGINAL QUESTION:

I'm trying to get my Ubuntu 10.04 server to act as an OpenVPN server so I can eventually samba mount my data on my laptop while I'm at work. I've followed the instructions here a few times now with no luck.

I'm fairly certain the problem has to do with setting up the bridges and the tap interface. The reason I think that is because once I set up the bridge (using these scripts – http openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernetbridging.html#linuxscript – sorry I can only make one link at the moment :)) and start the server (which starts with no errors) I'm losing my eth0 connection (and when I run ifconfig, only the new br0 has an IP address). Also after enabling the bridges I can no longer ssh to my server, which starts working again when I stop the openvpn server and run the bridge-stop script.

I think I'm confused about which IP address goes where.

My router has a public IP address, let's say it's 25.25.25.25, and my Ubuntu server has a static IP address of 192.168.0.2 (the port forwarding and everything works correctly, I can ssh in from anywhere, until I run the bridge scripts or try :)). Here are the values I've been using in the files specified above, do they look right?

From bridge-start (link to full file above)

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.0.2"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"

From server.conf

local 192.168.0.2
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
;server 10.8.0.0 255.255.255.0
# gateway, netmask, then the client pool; both pool ends must be full addresses inside the subnet
# (the pool end was written with three octets, 192.168.100)
server-bridge 192.168.0.2 255.255.255.0 192.168.0.50 192.168.0.100
# a route's destination is the network address, not the server's host address
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
;push "dhcp-option DOMAIN example.com" <- commented not sure what i should use, the value is resolv.conf?
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup

Thanks for your help!!
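The "which IP address goes where" question has a mechanical answer for a bridged setup: the bridge interface owns the LAN address, each bridge port is `inet manual` with no address of its own, and server.conf's `local` and `server-bridge` gateway must be that bridge address, with a client pool that lies fully inside the subnet and pushed routes that name a network rather than a host. The checker below is an added example, not code from the original post or from OpenVPN; it embeds the two posted files as constructed sample input (with the eth0/br0 address duplication, the three-octet pool end and the host-address route exactly as posted) and reports each violation.

```python
"""Lint a bridged OpenVPN setup: /etc/network/interfaces plus server.conf.

Added example, not code from the original post. It encodes the invariants a
tap/bridge setup has to satisfy and runs them over the two posted files,
embedded below as sample input.
"""
import ipaddress
import shlex

# Sample input, copied from the posted interfaces file: eth0 and br0 both carry 192.168.0.2.
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.0.2
netmask 255.255.255.0
gateway 192.168.0.1

auto br0
iface br0 inet static
address 192.168.0.2
netmask 255.255.255.0
gateway 192.168.0.1
bridge_ports eth0
"""

# Sample input, copied from the posted server.conf (pool end and route as posted).
SAMPLE_SERVER_CONF = """\
local 192.168.0.2
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
;server 10.8.0.0 255.255.255.0
server-bridge 192.168.0.2 255.255.255.0 192.168.0.50 192.168.100
push "route 192.168.0.2 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup
"""


def parse_interfaces(text):
    """Return {iface: {"method": ..., "address": ..., "bridge_ports": [...]}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "iface" and len(parts) >= 4:
            current = parts[1]
            stanzas[current] = {"method": parts[3]}
        elif parts[0] in ("auto", "allow-hotplug", "mapping", "source"):
            current = None  # these lines do not belong to an iface stanza
        elif current is not None:
            key, value = parts[0], parts[1:]
            stanzas[current][key] = value if key == "bridge_ports" else " ".join(value)
    return stanzas


def parse_server_conf(text):
    """Return [(directive, [args])], dropping '#' comments and ';'-disabled lines."""
    entries = []
    for raw in text.splitlines():
        if raw.lstrip().startswith(";"):
            continue
        parts = shlex.split(raw, comments=True)  # strips quotes and '# ...' tails
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries


def lint(interfaces_text, server_conf_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    ifaces = parse_interfaces(interfaces_text)
    bridges = {n: s for n, s in ifaces.items() if "bridge_ports" in s}

    # 1. The bridge owns the address; every port is 'inet manual' with no address.
    for br, st in bridges.items():
        if "address" not in st:
            findings.append(f"{br}: bridge has no address")
        for port in st["bridge_ports"]:
            pst = ifaces.get(port)
            if pst is None:
                findings.append(f"{br}: port {port} has no iface stanza")
            elif pst["method"] != "manual" or "address" in pst:
                findings.append(f"{port}: bridge port must be 'inet manual' with no address "
                                f"(it is '{pst['method']}' with address {pst.get('address', 'none')})")
    bridge_addrs = {st["address"] for st in bridges.values() if "address" in st}

    directives, pushes = {}, []
    for name, args in parse_server_conf(server_conf_text):
        if name == "push":
            pushes.append(args)
        else:
            directives[name] = args

    # 2. server-bridge needs a tap device and a 'local' that is the bridge address.
    dev = directives.get("dev", [""])[0]
    if "server-bridge" in directives and not dev.startswith("tap"):
        findings.append(f"dev {dev!r}: server-bridge requires a tap device")
    local = directives.get("local", [None])[0]
    if local is not None and local not in bridge_addrs:
        findings.append(f"local {local}: not an address of any bridge")

    # 3. server-bridge gateway/mask/pool must parse and the pool must sit inside the subnet.
    sb = directives.get("server-bridge")
    if sb is not None and len(sb) != 4:
        findings.append(f"server-bridge: expected 4 arguments, got {len(sb)}")
    elif sb is not None:
        gw, mask, start, end = sb
        try:
            net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
            lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        except ValueError as exc:
            findings.append(f"server-bridge: unparseable value ({exc})")
        else:
            if gw not in bridge_addrs:
                findings.append(f"server-bridge gateway {gw}: not the bridge address")
            if lo not in net or hi not in net or lo > hi:
                findings.append(f"server-bridge pool {start}-{end}: not a valid range inside {net}")

    # 4. A pushed route must name a network address, not a host address.
    for args in pushes:
        words = args[0].split() if args else []
        if len(words) >= 3 and words[0] == "route":
            dest, mask = words[1], words[2]
            try:
                net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            except ValueError as exc:
                findings.append(f"push route {dest} {mask}: unparseable ({exc})")
                continue
            if ipaddress.IPv4Address(dest) != net.network_address:
                findings.append(f"push route {dest} {mask}: host address given; network is {net.network_address}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_INTERFACES, SAMPLE_SERVER_CONF) or ["no findings"]:
        print(finding)
```

Run against the posted files it reports three findings (the eth0 stanza, the pool end that is not a full address, and the host-address route); with eth0 switched to `inet manual`, the pool end written out in full and the route given as 192.168.0.0, it reports none.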
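For the reconnect loop in the edit above, the first thing to establish is how far each attempt gets before the `restarting` line: a restart with no `TLS:` message at all means the transport was torn down before any handshake started, whereas `TLS Error` lines point at the TLS layer (certificates, the tls-auth key and its direction). The script below is an added example, not part of the original post or of Tunnelblick; it assumes the OpenVPN 2.x client message texts for its milestones and works on two constructed logs, one mirroring the posted excerpt and one with a TLS handshake timeout for contrast.

```python
"""Split an OpenVPN client log into connection attempts and report how far
each one got before the process restarted.

Added example, not code from the original post. The milestone patterns are
OpenVPN 2.x client messages; both sample logs are constructed (the first
mirrors the posted Tunnelblick excerpt, the second a TLS timeout).
"""
import re

SAMPLE_LOG = """\
2010-09-19 10:08:07 Attempting to establish TCP connection with 192.168.0.2:1194 [nonblock]
2010-09-19 10:08:08 TCP connection established with 192.168.0.2:1194
2010-09-19 10:08:08 TCPv4_CLIENT link remote: 192.168.0.2:1194
2010-09-19 10:08:08  restarting [0]
2010-09-19 10:08:08 TCP/UDP: Closing socket
2010-09-19 10:08:08 Attempting to establish TCP connection with 192.168.0.2:1194 [nonblock]
2010-09-19 10:08:09 TCP connection established with 192.168.0.2:1194
2010-09-19 10:08:09  restarting [0]
"""

SAMPLE_LOG_TLS_FAIL = """\
2010-09-19 10:08:07 Attempting to establish TCP connection with 192.168.0.2:1194 [nonblock]
2010-09-19 10:08:08 TCP connection established with 192.168.0.2:1194
2010-09-19 10:08:08 TLS: Initial packet from 192.168.0.2:1194, sid=00000000 00000000
2010-09-19 10:09:08 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2010-09-19 10:09:08 TLS Error: TLS handshake failed
2010-09-19 10:09:08 SIGUSR1[soft,tls-error] received, process restarting
"""

# Ordered milestones of one client connection attempt; the furthest one reached
# says which layer gave up (transport, TLS handshake, or post-handshake setup).
MILESTONES = [
    ("transport_connect", re.compile(r"Attempting to establish (TCP|UDP) connection")),
    ("transport_up",      re.compile(r"TCP connection established|UDPv4 link remote")),
    ("tls_started",       re.compile(r"TLS: Initial packet")),
    ("peer_initiated",    re.compile(r"Peer Connection Initiated")),
    ("complete",          re.compile(r"Initialization Sequence Completed")),
]
RESTART = re.compile(r"\brestarting\b")
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*(.*)$")


def attempts(log_text):
    """Return one dict per attempt: start/end stamps, furthest milestone, TLS error lines."""
    result, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, msg = m.groups()
        for level, (name, pat) in enumerate(MILESTONES):
            if pat.search(msg):
                if level == 0 or current is None:
                    # a fresh connect line (or a milestone with no open attempt) opens an attempt
                    current = {"start": stamp, "end": None, "furthest": name,
                               "level": level, "tls_errors": []}
                    result.append(current)
                elif level > current["level"]:
                    current["furthest"], current["level"] = name, level
                break
        if current is None:
            continue
        if "TLS Error" in msg:
            current["tls_errors"].append(msg)
        if RESTART.search(msg):
            current["end"] = stamp   # the restart closes the attempt
            current = None
    return result


def summarize(log_text):
    """Collapse the attempts into the figures worth reading first."""
    found = attempts(log_text)
    if not found:
        return {"attempts": 0, "furthest": None, "tls_errors": 0}
    return {
        "attempts": len(found),
        "furthest": max(found, key=lambda a: a["level"])["furthest"],
        "tls_errors": sum(len(a["tls_errors"]) for a in found),
    }


if __name__ == "__main__":
    for label, text in (("posted excerpt", SAMPLE_LOG), ("tls timeout", SAMPLE_LOG_TLS_FAIL)):
        print(label, summarize(text))
```

On the excerpt that mirrors the posted log every attempt ends at `transport_up` with no TLS message and no TLS error, while the contrast log reaches `tls_started` and records two `TLS Error` lines; the two shapes call for looking at different places (what closes the TCP session on the server side versus the keys and certificates).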

Best Answer

Can't really offer much on the configuration above, but I can suggest a couple of alternatives:

You might want to consider installing OpenVPN-AS Server -- we run it on Ubuntu and it's great. It installs quickly and painlessly, and has an intuitive web interface for configuration and monitoring. It handles setting up the interfaces transparently and even configures appropriate iptables rules for you. Up to 2 concurrent users are free, and more are cheap ($5/user/yr). Clients can download a pre-configured, customized config file (*.nix) or setup package (Windows) from the web interface.

Alternatively, you could run pfSense in a VM (runs great under KVM in Ubuntu) or put it on a separate box (it doesn't need much for hardware) and take advantage of the L2TP, OpenVPN, or PPTP VPN servers built in. Again, this would take some of the pain out of the configuration and setup, though you would need to set up KVM if you went that route.
