Quick Linux and Windows OpenVPN HOWTO and tutorial, including VPN routing

OpenVPN is a popular Windows/Linux VPN Server/Client pair. I think there’s a separate GUI available for it if you’re so minded. This howto will cover command line usage only.

I’ll provide example configuration based on a Linux server and a Windows client, however the same applies pretty easily if you wanted to mix and match.

On Debian, apt-get install openvpn. On any other Linux distro, use your own package manager or alternatively download the source and compile it.

I create my config /etc/openvpn/myvpn.conf and enter the following:

dev tun
proto udp
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/static.key
comp-lzo
keepalive 10 60
daemon

In short, I’m specifying that we’ll use the ‘tun’ interface as opposed to ‘tap’, and that we’ll communicate over UDP. Next I specify that this machine’s tun0 interface will have IP 10.8.0.1 and the client will be given 10.8.0.2. My secret key is stored in /etc/openvpn/static.key, which you can generate with openvpn --genkey --secret static.key. I’d like to use comp-lzo for compression and also specify a keepalive time to prevent problems on those networks that terminate idle connections. We’ll also have openvpn daemonize.

For the client:

remote XX.XXX.124.95 ;server IP address
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
comp-lzo
keepalive 10 60

This configuration is mostly identical to the server’s above.

Now copy the static.key that you generated on the server to the client. Then just run ‘openvpn config.conf’; it’ll print the relevant debug messages and you’ll be there. At this point, you should be able to ping 10.8.0.1 from your client and 10.8.0.2 from your server. If you can, all is good.
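If the ping test fails, the most common cause is that the two configs do not mirror each other. As an added example, not from the original post, here is a small checker that parses a server/client pair in the minimal format used above and reports the usual mismatches; the configs embedded in it are constructed copies of the ones above, with the documentation address 192.0.2.10 standing in for the server’s real IP.

```python
# Constructed copies of the post's configs; 192.0.2.10 stands in for the server's real IP.
SERVER_CONF = """\
dev tun
proto udp
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/static.key
comp-lzo
keepalive 10 60
daemon
"""
CLIENT_CONF = """\
remote 192.0.2.10 ;server IP address
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
comp-lzo
keepalive 10 60
"""

def parse_conf(text):
    """Map option -> args; '#' and ';' start a comment, inline too (quoting not handled)."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if parts:
            opts[parts[0]] = parts[1:]
    return opts

def check_pair(server_text, client_text):
    """Return the mismatches found; an empty list means the pair is consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    for opt, default in (("dev", None), ("proto", ["udp"])):  # proto defaults to udp if omitted
        sv, cv = s.get(opt, default), c.get(opt, default)
        if sv is None or cv is None or sv != cv:
            problems.append(f"{opt} missing or differs: server={sv} client={cv}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo is set on only one side")
    si, ci = s.get("ifconfig", []), c.get("ifconfig", [])
    if len(si) != 2 or len(ci) != 2:
        problems.append("both sides need 'ifconfig <local> <remote>'")
    elif si != ci[::-1]:  # client's local must be the server's remote and vice versa
        problems.append(f"ifconfig endpoints not mirrored: server={si} client={ci}")
    for name, conf in (("server", s), ("client", c)):
        if "secret" not in conf:
            problems.append(f"{name}: no 'secret' line, so no static key is loaded")
    if "remote" not in c:
        problems.append("client: no 'remote <server address>' line")
    return problems
```

Run check_pair() over the two files before copying the key across; anything it reports is worth fixing before looking at iptables or routes.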

On your server, you’ll now need to allow routing so your client is able to route its traffic through the VPN:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

…Or similar to suit your needs.

On your Windows client, you’ll now need to change your default gateway:

Use route print to find out your current default gateway. Then, assuming your current local default gateway is 192.168.1.1 and the server’s IP address is XX.XXX.124.95, issue the following commands:

route DELETE 0.0.0.0
route ADD XX.XXX.124.95 MASK 255.255.255.255 192.168.1.1
route ADD 0.0.0.0 MASK 0.0.0.0 10.8.0.1

The first ADD command is used to tell your client how to access the ‘new default gateway’. Without specifying your real default gateway, the client machine would have no idea how to reach your VPN server. You can specify 10.8.0.1 as your default gateway, as it is now virtually on the same LAN as your 10.8.0.2 adapter, but without the additional route to XX.XXX.124.95, your connection to the server would have to terminate and you’d lose your tun interface.

Now try and ping something; it should be successful. If not, get onto the server and run tcpdump -n -i tun0. If the server is seeing your traffic but not forwarding it to the outside world, chances are your iptables and masquerading are set up incorrectly. If the server isn’t even seeing any traffic from you, then chances are your Windows routing setup is incorrect.

Hope this was useful! Comments and feedback are welcome as always.

Posted in Internetworking & Routing, Linux, Technology
2 Comments » for Quick Linux and Windows OpenVPN HOWTO and tutorial, including VPN routing
  1. Octavian says:

    Tried 10 different How To tutorials until your tutorial made it possible to properly connect my Windows XP desktop to my VPS server by OpenVPN.

    Thanks

    Octavian

  2. Pijush says:

    I could connect to my VPN server (Debian) through a remote Windows XP client. I can ping the local interface of my VPN server from the Windows client, but I can’t ping or access other local IPs/resources from my Windows client. Can you please suggest what I can do on my VPN server? I know I have to set a route on my VPN server but am a bit confused how.

    My vpn server External IP: 121.200.x.x
    My vpn server internal IP: 10.0.10.4
    Tunnel IP (server end): 10.8.0.1
    Tunnel IP (remote end): 10.8.0.6
    Client IP (remote): 202.84.X.X

    Looking forward to your reply.

1 Pings/Trackbacks for "Quick Linux and Windows OpenVPN HOWTO and tutorial, including VPN routing"
  1. [...] Well that may be because VPN technology is not that easy… OK, the OpenVPN docs are probably a bit too long, but there are plenty of easy step-by-step explanations on how to set it up available on the net. Did you try one of these? Like this one or this one or this one [...]