{"id":575,"date":"2014-09-25T21:40:36","date_gmt":"2014-09-26T04:40:36","guid":{"rendered":"http:\/\/blt.homenet.org\/wordpress\/?p=575"},"modified":"2014-09-25T21:40:36","modified_gmt":"2014-09-26T04:40:36","slug":"vpn-server-setup-on-ubuntu","status":"publish","type":"post","link":"https:\/\/bt.beerprojects.com\/wordpress\/?p=575","title":{"rendered":"VPN Server Setup on Ubuntu"},"content":{"rendered":"

Below is an unfinished post as I eventually gave up as I could not get bridging (tap) to work. \u00a0Instead I resorted to going back to Windows 7 and discuss it more here<\/a><\/p>\n

 <\/p>\n

My latest adventure in setting up my media server is to get a VPN server going so that I can watch my movies outside of my home network without opening up my dlna ports to the world. After reading about VPN servers it was pretty clear that OpenVPN is the preferred method due to its strength over PPTP and L2TP. \u00a0However, with the issues that I ran into with installing and getting OpenVPN up and running it seems the simplicity of PPTP is attractive. \u00a0I just have to keep telling myself that this is a one time setup. Once I decided that I’d go with OpenVPN I got swirled around for a while before I discovered the http:\/\/openvpn.net\/<\/a> website hosts the Open Source Project version, called the Community OpenVPN, and a commercial not-free version, called VPN Solution. \u00a0Prior to\u00a0knowing\u00a0this it seemed the VPN solution was the way to go. \u00a0I installed it and was working with the configurations when I noticed that I was only allowed 2 licnesnes and was required to buy more if needed. \u00a0From what I say the VPN solution had a nice web interface, but I want to use the Open Source Project version and not me limited to 2 licenses or have to make a purchase.<\/p>\n

Installing OpenVPN<\/h2>\n

At first it seemed that this might be straight forward as there are two applications through quantal universe packages that appeared to do want I wanted: openvpn and network-manager-openvpn<\/a>. \u00a0After installing these with an ‘apt-get install’ I discovered that this is for maintaining the client side of OpenVPN. It turns out that most blogs, forums, how-tos are about setting up the client and very few are about setting up a OpenVPN server (maybe this will help someone in the future) So onto the Community OpenVpn.net site about getting a OpenVPN server up and running. \u00a0 Well the How-To documentations makes installing OpenVPN to be pretty easy:<\/p>\n

    \n
  1. Download the tarball<\/a><\/li>\n
  2. Expand the .tar.gz file: \u00a0 \u00a0tar xfz openvpn-[version].tar.gz<\/strong><\/li>\n
  3. cd to the top-level directory<\/li>\n
  4. And type:<\/li>\n<\/ol>\n
    \n
    .\/configure\r\nmake\r\nmake install<\/strong><\/pre>\n<\/blockquote>\n
    Getting and opening the tarball is easy, but I ran into several issues with the .\/configure First issue was<\/p>\n
    error:\u00a0configure: error: ssl is required but missing<\/pre>\n
    After several Google searches I found this forumn post<\/a> which informed me to run:<\/p>\n
    apt-get install libcurl4-openssl-dev<\/strong><\/p>\n
    \u00a0Second issue was<\/p>\n
    configure: error: lzo enabled but missing<\/pre>\n
    A few more Google searches directed me to the LZO download page,\u00a0http:\/\/www.oberhumer.com\/opensource\/lzo\/download\/<\/a>, \u00a0where I downloaded latest version 2.06. \u00a0I dide the untar, configure, make, and make istall with no issues. \u00a0I don’t know if the original files are needed after the isntall so I moved the untar’d version to \/sbin\/lzo* just in case. The third issue was<\/p>\n
    configure: error: libpam required but missing<\/pre>\n
    Again more Google searches which lead me to install a libpam version: apt-get install libpam0g-dev<\/strong> Well after 3 issues the .\/configure worked, followed by the make and the make install.<\/p>\n
    \u00a0Installing Easy-RSA<\/h2>\n
    The How-TO documentation<\/a> then directs me to use the Easy-RSA for creating certificates. This site<\/a> also has some good directions about using Easy-RSA. \u00a0 The fun part about this as it doesn’t really go into how to get Easy-RSA. \u00a0 \u00a0Easy-RSA is in a git hub, so by following the directions from a nice document<\/a> I started to installing Git:\u00a0apt-get install git\u00a0<\/strong>and then doing the directions for a first time install<\/a>. Now it is time to get the easy-rsa files. \u00a0I went to the \/usr\/share directory and then typed sudo git clone https:\/\/github.com\/OpenVPN\/easy-rsa.git<\/strong> (Note after doing all of the above, I later realized that the OpenVPN installation placed Easy-RSA in the \/usr\/share\/doc\/openvpn\/examples folder.) \u00a0From reading the configure.ac file it seems that a program called autoconf is needed. \u00a0So I setout to get that going with apt-get install autoconf\u00a0<\/strong>but after more poking around I think everything is ready to go in the easy-rsa\/2.0 folder. \u00a0At the command prompt I followed the directions and typed:<\/p>\n
    . .\/vars<\/strong><\/p>\n
    \/usr\/share\/easy-rsa\/easy-rsa\/2.0$ . .\/vars\r\nNOTE: If you run .\/clean-all, I will be doing a rm -rf on \/usr\/share\/easy-rsa\/easy-rsa\/2.0\/keys<\/pre>\n
    .\/clean-all<\/strong><\/p>\n
    \/usr\/share\/easy-rsa\/easy-rsa\/2.0$ .\/clean-all\r\nmkdir: cannot create directory `\/usr\/share\/easy-rsa\/easy-rsa\/2.0\/keys': Permission denied\r\n\/usr\/share\/easy-rsa\/easy-rsa\/2.0$ sudo .\/clean-all\r\nPlease source the vars script first (i.e. \"source .\/vars\")<\/pre>\n
    It took me quite some time to figure out why I was running into this error. \u00a0I read through the vars and clean-all files and everything seemed good. \u00a0In the end the error is a pretty basic one, the\u00a0permissions\u00a0were wrong. \u00a0When I used the ‘git source’ \u00a0the folder permissions belonged to root as 755. \u00a0With a sudo chmod 777 -R easy-rsa<\/strong> the permissions were fixed and the scripts worked as advertised<\/p>\n
    Server certificates and keys<\/h3>\n
    .\/build-ca<\/strong><\/p>\n
    .\/build-key-server server<\/strong><\/p>\n
    When you run the build scripts the fields are pre-populated with the information edited from the vars file. \u00a0Simply press enter through the prompts.<\/p>\n
    Client certificates and keys<\/h3>\n
    The directions then go to create client keys with the\u00a0.\/build-key<\/strong>. \u00a0I’m a fan of of password protecting the client keys so I used the .\/build-key-pass\u00a0<\/strong>script to create my keys<\/p>\n
    Other items<\/h3>\n
    I’m not too sure what these do and didn’t spend the time researching it, I simply ran them. I created then\u00a0Diffie Hellman<\/a>\u00a0parameters with:<\/p>\n
    \u00a0.\/build-dh\u00a0<\/strong><\/p>\n
    From the wiki site<\/a> and the Hardening OpenVPN Security<\/a> section I created the HMAC \u00a0with<\/p>\n
    openvpn –genkey –secret \/keys\/ta.key<\/strong><\/p>\n
    \u00a0Configuring OpenVPN Server<\/h2>\n
    The How-TO directions continue with setting up the configuration files. \u00a0The documentation does not provide any directions where all these files should go, but after poking around the openvpn.init file in the sample scripts (\/usr\/share\/doc\/openvpn\/examples\/sample-scripts) the script will look for the configuration files in the \/etc\/openvpn\/ folder. I started with the sample server.conf and made changes as needed. \u00a0I changed the following:<\/p>\n