easy rsa

You are currently browsing articles tagged easy rsa.

Below is an unfinished post as I eventually gave up as I could not get bridging (tap) to work.  Instead I resorted to going back to Windows 7 and discuss it more here


My latest adventure in setting up my media server is to get a VPN server going so that I can watch my movies outside of my home network without opening up my dlna ports to the world. After reading about VPN servers it was pretty clear that OpenVPN is the preferred method due to its strength over PPTP and L2TP.  However, with the issues that I ran into with installing and getting OpenVPN up and running it seems the simplicity of PPTP is attractive.  I just have to keep telling myself that this is a one time setup. Once I decided that I’d go with OpenVPN I got swirled around for a while before I discovered the http://openvpn.net/ website hosts the Open Source Project version, called the Community OpenVPN, and a commercial not-free version, called VPN Solution.  Prior to knowing this it seemed the VPN solution was the way to go.  I installed it and was working with the configurations when I noticed that I was only allowed 2 licnesnes and was required to buy more if needed.  From what I say the VPN solution had a nice web interface, but I want to use the Open Source Project version and not me limited to 2 licenses or have to make a purchase.

Installing OpenVPN

At first it seemed that this might be straight forward as there are two applications through quantal universe packages that appeared to do want I wanted: openvpn and network-manager-openvpn.  After installing these with an ‘apt-get install’ I discovered that this is for maintaining the client side of OpenVPN. It turns out that most blogs, forums, how-tos are about setting up the client and very few are about setting up a OpenVPN server (maybe this will help someone in the future) So onto the Community OpenVpn.net site about getting a OpenVPN server up and running.   Well the How-To documentations makes installing OpenVPN to be pretty easy:

  1. Download the tarball
  2. Expand the .tar.gz file:    tar xfz openvpn-[version].tar.gz
  3. cd to the top-level directory
  4. And type:
make install

Getting and opening the tarball is easy, but I ran into several issues with the ./configure First issue was

error: configure: error: ssl is required but missing

After several Google searches I found this forumn post which informed me to run:

apt-get install libcurl4-openssl-dev

 Second issue was

configure: error: lzo enabled but missing

A few more Google searches directed me to the LZO download page, http://www.oberhumer.com/opensource/lzo/download/,  where I downloaded latest version 2.06.  I dide the untar, configure, make, and make istall with no issues.  I don’t know if the original files are needed after the isntall so I moved the untar’d version to /sbin/lzo* just in case. The third issue was

configure: error: libpam required but missing

Again more Google searches which lead me to install a libpam version: apt-get install libpam0g-dev Well after 3 issues the ./configure worked, followed by the make and the make install.

 Installing Easy-RSA

The How-TO documentation then directs me to use the Easy-RSA for creating certificates. This site also has some good directions about using Easy-RSA.   The fun part about this as it doesn’t really go into how to get Easy-RSA.    Easy-RSA is in a git hub, so by following the directions from a nice document I started to installing Git: apt-get install git and then doing the directions for a first time install. Now it is time to get the easy-rsa files.  I went to the /usr/share directory and then typed sudo git clone https://github.com/OpenVPN/easy-rsa.git (Note after doing all of the above, I later realized that the OpenVPN installation placed Easy-RSA in the /usr/share/doc/openvpn/examples folder.)  From reading the configure.ac file it seems that a program called autoconf is needed.  So I setout to get that going with apt-get install autoconf but after more poking around I think everything is ready to go in the easy-rsa/2.0 folder.  At the command prompt I followed the directions and typed:

. ./vars

/usr/share/easy-rsa/easy-rsa/2.0$ . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/easy-rsa/2.0/keys


/usr/share/easy-rsa/easy-rsa/2.0$ ./clean-all
mkdir: cannot create directory `/usr/share/easy-rsa/easy-rsa/2.0/keys': Permission denied
/usr/share/easy-rsa/easy-rsa/2.0$ sudo ./clean-all
Please source the vars script first (i.e. "source ./vars")

It took me quite some time to figure out why I was running into this error.  I read through the vars and clean-all files and everything seemed good.  In the end the error is a pretty basic one, the permissions were wrong.  When I used the ‘git source’  the folder permissions belonged to root as 755.  With a sudo chmod 777 -R easy-rsa the permissions were fixed and the scripts worked as advertised

Server certificates and keys


./build-key-server server

When you run the build scripts the fields are pre-populated with the information edited from the vars file.  Simply press enter through the prompts.

Client certificates and keys

The directions then go to create client keys with the ./build-key.  I’m a fan of of password protecting the client keys so I used the ./build-key-pass script to create my keys

Other items

I’m not too sure what these do and didn’t spend the time researching it, I simply ran them. I created then Diffie Hellman parameters with:


From the wiki site and the Hardening OpenVPN Security section I created the HMAC  with

openvpn –genkey –secret /keys/ta.key

 Configuring OpenVPN Server

The How-TO directions continue with setting up the configuration files.  The documentation does not provide any directions where all these files should go, but after poking around the openvpn.init file in the sample scripts (/usr/share/doc/openvpn/examples/sample-scripts) the script will look for the configuration files in the /etc/openvpn/ folder. I started with the sample server.conf and made changes as needed.  I changed the following:

  • For the ca, cert, key, and dh lines I added the full path name /etc/openvpn/server_keys/ as recommended in the wiki  . Additionally for these files, I did the following:
    • created a server_keys folder to keep the folders organized.
    • changed the permissions on the files so that they can be moved.moved all the keys, certs, etc files with exception to the client files and the ca.key file to this folder
      • The client files went to another location to be shared as needed
      • The ca.key file went to a different computer as recommended
  • Uncommented the client-t0-client line to allow my VPN clients
  • Uncommented the HMAC line, tls-auth, and changed the path to the server_keys folder
  • Changed the crpytographic cipher to, cipher AES-256-CBC, rather than any of the 3 listed options in the file for stronger security.  I’ve also read that this has little impact to the throughout of the VPN network too.
  • Enabled and changed the max clients to 10.  This is for a small home network and really 10 is too much too.
  • Enabled ‘user nobody’ and ‘group nogroup’ lines.  Note the example file has nogroup rather than nobody as noted in the How-to and wiki for the group option.
  • Enabled log-append.  I don’t expect too many logons so this file shouldn’t grow to a massive size.
  • TODO: write about lof file and other permission erorrs
    • created a log folder and changed the log paths to point to it as I was getting an error

:/usr/sbin$ openvpn –config /etc/openvpn/server.confTue Mar 19 14:02:02 2013 Warning: Error redirecting stdout/stderr to –log file: openvpn.log: Permission denied (errno=13)Options error: –dh fails with ‘/etc/openvpn/server_keys/dh1024.pem’: No such file or directoryOptions error: –ca fails with ‘/etc/openvpn/server_keys2/ca.crt’: No such file or directoryOptions error: –key fails with ‘/etc/openvpn/server_keys/M1730_server.key’: Permission deniedOptions error: –status fails with ‘openvpn-status.log’: Permission deniedOptions error: Please correct these errors.

Next I made copied the client.conf file from the examples and made the changes below.  The wiki seemed pretty clear for this, but once I started into it I realized that the file is specific to each client crt/key combo.  Since I made several client keys during the Easy-RSA section I had to create a client.conf file for each client key combo and then named the file appropriately.

  • created a client_keys folder to keep the folders organized.
    • note the ca.crt and ta.key files are shared and I left them in the server_keys folder
  • update the ‘remote’ line for my specific IP address and ports
  • Enable the user and group lines.  Again the group has the nogroup option rather than the nobody.
  • Enabled the ‘mute-replay-warnings’ as I plan to use the VPN for laptops and my android phone
  • Updated the ca, cert, key, and tls-auth lines to point to the files.  Again I used the full filepath /etc/openvpn/client_keys/ as suggested by the wiki
  • Changed the crpytographic cipher to, cipher AES-256-CBC


Other Things

My VPN server is behind a router that uses dd-wrt.  In order to expose the VPN ports to the world I went to the NAT/QoS -> Port Forwards tab and added my VPN server to the list of port forwards.  I also have the VPN server set to have a static IP address which is configured on Services -> Services tab.


Running and Troubleshooting


ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)

run to fix permission problem: sudo openvpn –config /etc/openvpn/server.conf


OpenVPN on Android

One thing I want to be able to do is get to my home network from my phone, Samsung Note 2, so I used OpenVPN on Android for my VPN client.  The setup is pretty straight foward.  The only catch that I found was that:

  • Select ‘Certificates’ for the type in the ‘Basic tab
  • For each file selected tap on it then tap the ‘select’ button at the bottom
  • For the Encryption cipher I had to use all lower case (my phone capitalized the first character) for ‘aes-256-cbc’.
  • Change the TLS Authentication direction to 1, rather than the default of no direction
Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Mar 19 15:53:51 2013 us=248361 TLS Error: incoming packet authentication failed from [AF_INET]

check to see if openvpn is running (change port # as needed)


Other links and tools that I was using

#netstat -ltnup | grep 1194


samba shares not seen.  Added IP address to interfaces line in /etc/samba/smb.conf file per http://serverfault.com/questions/137933/howto-access-samba-share-over-vpn-tunnel

https://help.ubuntu.com/10.04/serverguide/openvpn.html   OpenVPN for Andriod https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en http://openvpn.net/index.php/open-source/documentation/howto.html#install


Bridge setup (Never got this to work)

get the openvpn bridge scripts from the sample-scripts folder

modify the bridge-start script

in the command prompt type ifconfig and get the information of the IP, netmask, and broadcast addresses

change the /etc/interfaces file to add

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

create a symboloc link to creat the bridge at startup before openvpn

/etc/rc0.d$ sudo ln -s /etc/openvpn/bridge-start K79openvpn-bridge

create a symbolic link to remove the bridge at shutdown

/etc/rc6.d$ sudo ln -s /etc/openvpn/bridge-stop K99openvpn-bridge

Tags: , , , , , , , , , ,