====== OpenVPN ======

===== Server side =====

Install OpenVPN and prepare the server's configuration directory.

<code>
apt-get install openvpn liblzo2-2
cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/easy-rsa
touch /etc/openvpn/ipp.txt
ln -s /etc/openvpn/easy-rsa/keys /etc/openvpn/keys
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
vim /etc/openvpn/server.conf
</code>

As you can see from the above, I started out with the sample configuration. Once I had a working test setup, I shortened the config down((:%g/^[;|#].*$/d then :%g/^$/d and finally added comments :P)) to:

<code>
# Shortened OpenVPN server config.
#
# Use a routed VPN instead of a bridged VPN.
# Simpler setup, as long as we do not need to tunnel
# a network _behind_ a client through the VPN.
dev tun

# OpenVPN communication runs over the standard
# proto/port spec: UDP port 1194.
proto udp
port 1194

# Set up the location of certificate files and
# data. These will be generated using easy-rsa.
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem

# This OpenVPN server runs with a class C private-range
# address scope different from the stock config:
server 172.19.1.0 255.255.255.0

# Predictability is key... Thus: persistent data.
ifconfig-pool-persist ipp.txt
persist-key
persist-tun

# The following makes the client send all its data
# through the VPN. We could have set up split tunnelling,
# defining only certain routes to go through the VPN, but
# in this setup, a default-route VPN is just what I am
# looking for.
push "redirect-gateway"
push "dhcp-option DNS 128.39.32.2"

# Allow VPN clients to communicate directly.
client-to-client

# Set up a _short_ timeout spec during implementation/test
keepalive 10 30

# Compress all data going through the VPN using LZO. This
# makes the VPN a nice feature when surfing over 3G :P
comp-lzo

# Drop root privileges after startup. persist-key and
# persist-tun above let the unprivileged daemon survive a
# restart without rereading keys or reopening the tun device.
user nobody
group nogroup

status openvpn-status.log
verb 3
</code>

This setup requires NAT for traffic coming in over the tunnel interface, and the kernel must be allowed to forward packets:

<code>
# Forwarding between tun+ and eth0 only works with IP forwarding enabled.
sysctl -w net.ipv4.ip_forward=1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
</code>

Generate the CA, the server key/certificate and the Diffie-Hellman parameters with easy-rsa:

<code>
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
</code>

Finally, the server is run manually during testing:

<code>
openvpn /etc/openvpn/server.conf
</code>

===== Client side TEST =====

Create a client key/certificate on the server for the first test.

<code>
cd /etc/openvpn/easy-rsa
. ./vars
./build-key client1
</code>

Use a secure medium to transfer the client certificate, its private key and the CA certificate to the client. I will assume that you place these files as ~/.openvpn/ca.crt, ~/.openvpn/client.crt and ~/.openvpn/client.key.

Using Network Manager on Ubuntu Intrepid Ibex:

  * Network Manager
  * VPN Connections -> Configure VPN
  * Add -> OpenVPN -> Create
  * Connection name: any name you like...
  * Gateway: hostname or IP of your VPN server
  * Type: Certificates (TLS)
  * User Certificate: select ~/.openvpn/client.crt
  * CA Certificate: select ~/.openvpn/ca.crt
  * Private Key: select ~/.openvpn/client.key
  * Click Advanced
  * Use LZO compression
  * Click OK
  * Go to the tab "IPv4 Settings"
  * Click on Routes...
  * __Select__ "Ignore automatically assigned routes"((Confusing and mind-numbing: "automatically assigned" in this case means "assigned by someone other than the VPN", not what it seems to mean (the routes OpenVPN tries to tell us about).))
  * Click OK
  * Click OK
  * Close
  * Network Manager
  * VPN Connections
  * Select the name you just added.

Basically, this "just worked" for me, after quite a few hours hunting down the reason why default routing was not working. Turned out default routing did not work because Network Manager does not honor default routes from VPN by default, and the checkbox to enable it is labeled opposite of what it really does... The NM-Gnome team calls this an "essential feature"... Figures.

Once I get from "testing" to "production", I will add screenshots of the process.
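The shortened server config above drops root privileges and pushes a default route plus a DNS server; the following added example (not part of this page) parses a server.conf in that format and checks that those settings hang together, as a lint to run before deploying. The directive names are OpenVPN's own as used on the page; ''SAMPLE_CONF'' is a constructed excerpt of the page's config, and ''parse_conf''/''audit_conf'' are names chosen here.

```python
import shlex

# Constructed sample: an excerpt of this page's shortened server.conf.
SAMPLE_CONF = """\
# Shortened OpenVPN server config (excerpt)
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 172.19.1.0 255.255.255.0
persist-key
persist-tun
push "redirect-gateway"
push "dhcp-option DNS 128.39.32.2"
keepalive 10 30
user nobody
group nogroup
"""


def parse_conf(text):
    """Return [(directive, args)]; '#'/';' lines are comments, quotes group args."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)  # handles push "dhcp-option DNS ..."
            entries.append((parts[0], parts[1:]))
    return entries


def audit_conf(entries):
    """Check the privilege-drop and default-route settings this config relies on."""
    seen = {}
    for name, args in entries:
        seen.setdefault(name, []).append(args)
    findings = []
    # Without user/group the daemon keeps running as root after startup.
    if not ("user" in seen and "group" in seen):
        findings.append("missing user/group: daemon stays root")
    # After dropping privileges, openvpn cannot reread its keys or reopen the
    # tun device on a SIGUSR1 restart, so the drop needs persist-key/persist-tun.
    elif not ("persist-key" in seen and "persist-tun" in seen):
        findings.append("user/group without persist-key/persist-tun")
    # A default-route VPN should also push a resolver; otherwise clients keep
    # using their pre-VPN DNS server, which may be unreachable or untrusted.
    pushed = " ".join(" ".join(args) for args in seen.get("push", []))
    if "redirect-gateway" in pushed and "dhcp-option DNS" not in pushed:
        findings.append("redirect-gateway without dhcp-option DNS")
    return findings
```

Running ''audit_conf(parse_conf(open("/etc/openvpn/server.conf").read()))'' on the page's full config returns an empty list; removing either persist-* line or the pushed DNS server produces a finding.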