Note to Self

OpenVPN Ubuntu Server 11.10 – Username/Password

2012/01/13 | 16:30

This is how I set up a routed (tun) OpenVPN server on Ubuntu 11.10 that authenticates with a username/password instead of one unique certificate per user. I also chose TCP for this server, as it is more firewall-friendly than the previous UDP version.

Install the needed programs and then create the certificates.
Note: You can make stronger certificates if you want; I only make the basic ones because I want my OpenVPN to be fast.
[bash]
apt-get install openvpn openssl bind9
mkdir /etc/openvpn/easy-rsa/
mkdir /var/lib/dhcp3/
#These are for my setup, replace with eth0 if you only have 1 network card
touch /var/lib/dhcp3/dhclient.eth1.leases
touch /var/lib/dhcp3/dhclient.eth2.leases
cp /usr/share/doc/openvpn/examples/easy-rsa/1.0/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/
vim vars
#Change the values at the end of the file to what suits you
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
#Now we need to make the keys
. ./vars
./clean-all
#Note: Common name should match the servername
./build-ca
#Note: Just press return when it asks for password at the end
#and y for the rest of the questions
#we don’t want a password protected cert
#common name should be: server
./build-key-server server
source ./vars
./build-dh
openvpn --genkey --secret ta.key
cp ta.key ../
cp keys/ca.crt ../
cp keys/server.crt ../
cp keys/server.key ../
cp keys/dh1024.pem ../
[/bash]

To understand my server.conf file I need to explain what my server's routing looks like:
The external interface of the Ubuntu server is 77.66.55.44 (faked).
The server has two network cards, as it works as an office router:
eth1 = 77.66.55.44
eth2 = 192.168.30.1

I want the OpenVPN to give me access to the 192.168.30.0/24 network.

Ok, now create the server config file (the filename can be anything as long as it ends with .conf):
[bash]
local 77.66.55.44
proto tcp
port 1194
dev tun0
server 192.168.31.0 255.255.255.0
push "dhcp-option DNS 192.168.31.1"
push "redirect-gateway def1"
ifconfig-pool-persist ipp.txt
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nogroup

#Server keys
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0

#Encryption (fastest)
cipher BF-CBC

#This is to allow username/password login
client-cert-not-required
username-as-common-name
auth-user-pass-verify /etc/openvpn/verify.php via-file
[/bash]

We now need to create the verify.php file. This is a simple script which I chose to code in PHP; you need php5-cli for it to work.
[bash]
apt-get install php5-cli
vim /etc/openvpn/verify.php
[/bash]
Now add this code into the file:
[php]
#!/usr/bin/php
<?php
# OpenVPN (via-file) writes the username on line 1 and the password on line 2 of $argv[1]
$userArray = file('/etc/openvpn/users');
$tmpFile = file($argv[1]);
if (count($tmpFile) < 2)
    exit(1); # Malformed credential file, reject
# userArray should be in the form of
# username:password
foreach ($userArray as $line) {
    # split on the first colon only, so the password itself may contain one
    $newArray = explode(':', $line, 2);
    if (count($newArray) < 2)
        continue; # skip malformed lines
    # strict comparison: == would treat "1e3" and "1000" as equal
    if (trim($newArray[0]) === trim($tmpFile[0]) AND trim($newArray[1]) === trim($tmpFile[1]))
        exit(0); # Found a match
}
exit(1); # No match
?>
[/php]

The /etc/openvpn/users file is just a file with username:password format.

Don't forget to set permissions:

[bash]
echo "myfirstuser:password123" > /etc/openvpn/users
chmod +x /etc/openvpn/verify.php
chown -R nobody:nogroup /etc/openvpn/
[/bash]
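The users file above stores passwords in clear text, so anyone who can read it has every VPN credential. The following is an added example (not the blog's own code) of the same auth-user-pass-verify via-file contract implemented in Python with a users file of the constructed form username:salt_hex:pbkdf2_hex, so the file only ever holds salted PBKDF2 hashes and the comparison is constant-time; the iteration count and the /etc/openvpn/users path are assumptions.

```python
#!/usr/bin/env python3
# Added example: hardened replacement for verify.php. OpenVPN's
# auth-user-pass-verify ... via-file passes a temp file with the
# username on line 1 and the password on line 2, and expects exit 0/1.
# Users file format (constructed for this example): username:salt_hex:pbkdf2_hex
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumption)


def make_entry(username, password, salt=None):
    """Return a users-file line holding a salted PBKDF2 hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{username}:{salt.hex()}:{digest.hex()}"


def verify(username, password, users_lines):
    """True only if the username exists and its PBKDF2 hash matches (constant-time)."""
    if not username or not password or ":" in username:
        return False
    for line in users_lines:
        parts = line.strip().split(":", 2)
        if len(parts) != 3 or parts[0] != username:
            continue
        try:
            salt, stored = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        except ValueError:
            return False  # malformed entry: fail closed
        computed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(computed, stored)
    return False


def verify_via_file(path, users_path="/etc/openvpn/users"):
    """Exit code for OpenVPN: 0 = accept, 1 = reject."""
    with open(path) as f:
        lines = f.read().splitlines()
    if len(lines) < 2:
        return 1
    with open(users_path) as f:
        return 0 if verify(lines[0], lines[1], f) else 1


if __name__ == "__main__":
    sys.exit(verify_via_file(sys.argv[1]))
```

To enrol a user, append the output of make_entry() to the users file instead of echoing a clear-text password; the auth-user-pass-verify line in server.conf then points at this script.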

Now just start the OpenVPN server and you should see the tun0 adapter with ifconfig.

What we need now is to set up the routing. I tried making this setup work with Shorewall but I failed. I instead went with routing directly with iptables via webmin.

So:
[bash]
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.570_all.deb
dpkg -i webmin_1.570_all.deb
apt-get -f install
[/bash]

Now webmin should be installed, but before you surf to the web page and go under Linux Firewall we need to create the iptables.up.rules file.
Note: remember that this file represents my setup, which I explained above.
[bash]
vim /etc/iptables.up.rules
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.31.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.30.0/24 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [578786:725594831]
:INPUT ACCEPT [578785:725594486]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [94171:30015242]
:POSTROUTING ACCEPT [94197:30019450]
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL - [0:0]
-A INPUT -j LOCAL
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state -s 192.168.30.0/24 --state NEW -j ACCEPT
-A INPUT -m state -s 192.168.31.0/24 --state NEW -j ACCEPT
-A OUTPUT -j LOCAL
-A LOCAL -o lo -j ACCEPT
-A LOCAL -i lo -j ACCEPT
-A INPUT -p tcp --dport 1194 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
#If you want to be able to access this firewall from outside you need this:
-A INPUT -p tcp -m tcp -m state -s your.ip.nu.mber/32 --state NEW -j ACCEPT
COMMIT
[/bash]

Now surf into http://77.66.55.44:10000 and go under Linux Firewall. You should see all the values filled in. All you have to do is press Apply (and also activate at boot).

BUT! The routing of the internal network still won't work! This is because you need to activate IP forwarding (took me forever to remember this):
[bash]
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
[/bash]

As we push the DNS to the OpenVPN server we need Bind9 to handle the resolving for us.
[bash]
vim /etc/bind/named.conf.local
#uncomment the last row: include "/etc/bind/zones.rfc1918";
#Then we need to allow our network to do DNS resolving through the server
vim /etc/bind/named.conf.options
//forwarders { your.servers.dns; }; #if you want to use their DNS
allow-query { localhost; 192.168.30.0/24; 192.168.31.0/24; };
#now just reload it and check that it says "server reload successful"
rndc reload
[/bash]

You also need to have an OpenVPN client, I like this one: http://openvpn.net/index.php/open-source/downloads.html

This is what the OpenVPN client file should look like (place it in the OpenVPN/config folder):
Note: you need to copy ta.key, ca.crt, username.crt, username.key from your server for this to work.
my_openvpn.ovpn
[bash]
client
dev tun
resolv-retry infinite
remote 77.66.55.44 1194
proto tcp
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
verb 3
route-method exe
route-delay 5
redirect-gateway def1
ns-cert-type server
cipher BF-CBC
reneg-sec 0
tls-auth ta.key 1
[/bash]

Now restart your server and the firewall/routing/openvpn should work. You can change the configuration easily via Webmin (don't forget to protect it with an ACL).

Feel free to use any code I've posted, consider it GPL or whatever. All I ask is that if you find it useful or see improvements that you write a comment about it and credit me if you use it somewhere else :)

Thanks
/Viktor