
[Openvpn-users] Success story (and some small complaints about the HOWTO)


  • Subject: [Openvpn-users] Success story (and some small complaints about the HOWTO)
  • From: Johannes Schindelin <Johannes.Schindelin@xxxxxx>
  • Date: Sat, 21 Jul 2007 19:52:13 +0100 (BST)

Hi,

it was not really easy for me to find the right setup.  Probably I am just 
a moron, but I really did not find the HOWTO very helpful.  I wasted 
several weeks until I had it figured out.

It is correct that I did not have too much knowledge about how to set up 
iptables rules, and I did not have the idea to listen on all involved 
devices with tcpdump right away.  But that is what I expect from a HOWTO, 
that it tells me which commands to use.  I will not blindly use them 
without understanding them, but I have to know _where_ to look first.

So here is what I will tell people asking _me_ how to set up OpenVPN 
between two Linux machines, where one machine is behind a restrictive 
firewall and needs to route _all_ internet traffic via the other:

- you _need_ root access on both sides.  Perhaps there is a way to 
  allow other users to set up a tun device, but to allow that you'd need
  root access anyway.

- make sure openvpn is installed on both sides (yes, it is dumb, I know, 
  but this is a HOWTO!  Not that it bit _me_).

- create the secret key (it is not the best method to have a secure 
  connection, but to get started it is the easiest):

	$ openvpn --genkey --secret secret.key

- on the server side, set up the forwarding rules (as root):

	$ echo 1 > /proc/sys/net/ipv4/ip_forward
	$ iptables -A INPUT -i tun0 -j ACCEPT
	$ iptables -A FORWARD -i tun0 -j ACCEPT
	$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  If you do not know what this is all about, it might be a good idea to 
  google for it first.  (Yeah, I know this is lame, but I am just 
  outlining what a HOWTO should contain from my POV.)

  If the OpenVPN connection does not work, these settings are most likely 
  wrong or incomplete.

- Set up the server configuration on a port that your restricted box can 
  connect to (such as 80 (HTTP), or 443 (HTTPS)):

	cat > server.conf << EOF
	proto tcp-server
	port 443
	dev tun
	ifconfig 10.8.0.1 10.8.0.2
	secret secret.key
	EOF

  The addresses 10.8.0.1 and 10.8.0.2 are private point-to-point 
  addresses.  To avoid confusion, use two similar IPs, and keep in mind 
  that the first address is the server address.  Also pick them from the 
  range 192.168.x.x or 10.x.x.x, since those ranges are guaranteed to be 
  unrouted in the internet.

- Start the server (on the server machine...):

	$ openvpn --config server.conf

- Set up the client configuration:

	cat > client.conf << EOF
	remote 123.456.789.012 443
	proto tcp-client
	dev tun
	ifconfig 10.8.0.2 10.8.0.1
	# must be a copy of the server's secret.key (here saved as my.key)
	secret my.key
	EOF

  Note that the point-to-point addresses are swapped, compared to the 
  server.conf.  Also make sure that you have the correct remote IP 
  address, and do use a numerical IP address.

- Start the client (on the client machine...):

	$ openvpn --config client.conf --redirect-gateway

- Troubleshooting.  Since this is a delicate setup with many moving parts, 
  a couple of things can go wrong.  For example, on many machines it is 
  not easy (unless you are an expert, and do not need this HOWTO to begin 
  with) to find the log of the firewall to see what is happening.

  The easiest method to shoot troubles I could think of is to try "ping 
  10.8.0.1" from the client first.

  If that does not work, the port is probably blocked.  You might get away  
  with setting up an ssh tunnel:

	$ ssh -L 443:localhost:443 <the-remote-machine>

  Of course, you have to adjust the IP in the client.conf to point to 
  127.0.0.1 then!

  If it still does not work, you can find out where the flow stops 
  by starting tcpdump on the client box, interface tun0:

	$ tcpdump -i tun0

  Then work your way through client/eth0, server/eth0, server/tun0 (or 
  whatever interfaces your network traffic goes through normally).

  Usually you find out that somewhere either ip forwarding is disabled, or 
  there is a firewall blocking.

  Once you successfully pinged the server, you should try to ping a 
  known-to-be-pingable IP from the client (or if there is none, you can 
  try "telnet <ip> 80" with the IP of a known webserver;  this method 
  has the disadvantage that you have to start the command every time you 
  change the configuration, and the output might get lost easily in the 
  other network traffic).

There were some (to me) very annoying parts in the HOWTO:

- "push redirect-gateway def1" did not work for me at all.

- The information was scattered all over.  Much uninteresting info in 
  between that nobody needs to know who wants to just friggin' use the 
  thing.

- It took me quite a while to realise that many parts were actually 
  working, but I needed to _masquerade_ the client.  AFAICT this was not 
  mentioned anywhere, and I felt like a complete moron that the QuickStart 
  did not work for me.

- IMHO it is wrong to start with UDP, since that is much more likely 
  blocked than anything else.  That happened to me, too.

- There are attempts to explain things in the QuickStart, which are 
  utterly uninteresting to somebody wanting a quick start, such as 
  "advantages and disadvantages of static keys".  Other parts that are 
  extremely interesting are missing, or only linked to, such as how to set 
  up the static keys, or that UDP is likely blocked.


Since it works I am happy.

Hth,
Dscho

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
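Added example (not part of the post above, nor OpenVPN's own tooling): a small POSIX shell script that writes a server.conf/client.conf pair in the layout Dscho uses, checks the two files against each other for the mistakes that silently break this setup (proto not paired as tcp-server/tcp-client, client "remote" port different from the server "port", "ifconfig" addresses not swapped, different key file names on the two sides), and prints the server-side forwarding rules for review before anyone runs them as root. Assumptions not taken from the post: 198.51.100.10 is a placeholder server address (documentation range), eth0 is the server's internet-facing interface, the key file is named secret.key on both sides and copied to the client over a secure channel such as scp, and the extra conntrack FORWARD rule is an addition for hosts whose FORWARD chain policy is DROP.

```shell
#!/bin/sh
# Added example (not from the post): generate a matching OpenVPN static-key
# server/client pair in the layout used above, check the two files against
# each other, and print the server-side forwarding rules for review.
# Assumptions: 198.51.100.10 is a placeholder server address, 10.8.0.1/2 and
# secret.key follow the post, eth0 is the server's internet-facing interface.
set -eu

# Write server.conf and client.conf into $1 for server address $2, TCP port $3,
# server tunnel address $4 and client tunnel address $5.
gen_configs() {
    dir=$1 server_ip=$2 port=$3 srv_tun=$4 cli_tun=$5
    cat > "$dir/server.conf" <<EOF
proto tcp-server
port $port
dev tun
ifconfig $srv_tun $cli_tun
secret secret.key
EOF
    cat > "$dir/client.conf" <<EOF
remote $server_ip $port
proto tcp-client
dev tun
ifconfig $cli_tun $srv_tun
secret secret.key
EOF
}

# Print the arguments of directive $2 in config $1 (first occurrence only).
directive() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Check a server/client pair for the mistakes that silently break the tunnel:
# wrong proto pairing, port mismatch, ifconfig not swapped, different key file.
# Prints each problem found; returns 0 only when everything agrees.
check_pair() {
    srv=$1 cli=$2 rc=0
    [ "$(directive "$srv" proto)" = tcp-server ] || { echo "server proto is not tcp-server"; rc=1; }
    [ "$(directive "$cli" proto)" = tcp-client ] || { echo "client proto is not tcp-client"; rc=1; }
    sport=$(directive "$srv" port)
    cport=$(directive "$cli" remote | awk '{ print $2 }')
    [ "$sport" = "$cport" ] || { echo "port mismatch: server listens on '$sport', client connects to '$cport'"; rc=1; }
    s1=$(directive "$srv" ifconfig | awk '{ print $1 }')
    s2=$(directive "$srv" ifconfig | awk '{ print $2 }')
    c1=$(directive "$cli" ifconfig | awk '{ print $1 }')
    c2=$(directive "$cli" ifconfig | awk '{ print $2 }')
    [ "$c1" = "$s2" ] && [ "$c2" = "$s1" ] || { echo "ifconfig not swapped: server '$s1 $s2', client '$c1 $c2'"; rc=1; }
    skey=$(directive "$srv" secret)
    ckey=$(directive "$cli" secret)
    [ "$skey" = "$ckey" ] || { echo "key file differs: server '$skey', client '$ckey' (copy the same file to both sides)"; rc=1; }
    return $rc
}

# Print the server-side forwarding rules for internet-facing interface $1.
# The conntrack FORWARD rule is an addition to the post's rules: without it,
# replies to the client are dropped on a host whose FORWARD policy is DROP.
server_firewall_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE
EOF
}

# Demo: generate a pair, verify it, then show what a client.conf that names
# a different key file (my.key against the server's secret.key) makes the
# check report.
work=$(mktemp -d)
gen_configs "$work" 198.51.100.10 443 10.8.0.1 10.8.0.2
check_pair "$work/server.conf" "$work/client.conf" && echo "generated pair: ok"
sed 's/^secret secret.key$/secret my.key/' "$work/client.conf" > "$work/client.bad"
check_pair "$work/server.conf" "$work/client.bad" || echo "mismatched pair: rejected"
server_firewall_rules eth0
rm -rf "$work"
```

Run check_pair on the two files before starting openvpn on either side; it only parses the configs, so it can run on a machine without root. server_firewall_rules prints rather than applies the commands, so they can be read and then piped to sh as root on the server once the interface name is right.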