This is a discussion on need help installing openVPN within the Linux Security forums, part of the System Security and Security Related category.
Ok I am going to take the plunge and try installing openVPN and try getting it to work. If anybody can help me along I would really appreciate it. I printed out the HOW-TO install guide from http://openvpn.net and will do my best. A little hand-holding would be appreciated, I know enough to be dangerous. I use Mandriva LE2005, been using Linux for several years. As I use wifi with my laptop out and about at cafes, I want to set up a VPN between my wifi laptop and a home PC running a VPN server program.

I have urpmi setup, so I am first going to try installing openVPN on both my laptop and Desktop (to serve VPN).
Proteus wrote:
> Ok I am going to take the plunge and try installing openVPN and try
> getting it to work. If anybody can help me along I would really appreciate
> it. I printed out the HOW-TO install guide from http://openvpn.net and
> will do my best. A little hand-holding would be appreciated, I know enough
> to be dangerous. I use Mandriva LE2005, been using Linux for several
> years. As I use wifi with my laptop out and about at cafes, I want to set
> up a VPN between my wifi laptop and a home PC running a VPN server program.
>
> I have urpmi setup, so I am first going to try installing openVPN on both
> my laptop and Desktop (to serve VPN).

There are many different ways of setting up OpenVPN.

My recommendation is:

- tunneling at network layer (use tun0, not tap0),
- a separate RFC1918 subnet for the VPN (e.g. 192.168.x.y)
- UDP transport on the standard port (1194),
- SSL encryption and key exchange

An option to public-key SSL is to use pre-shared keys. The details are in OpenVPN documentation.

HTH

--
Tauno Voipio
tauno voipio (at) iki fi
On Wed, 23 Nov 2005 20:57:00 +0000, Tauno Voipio wrote:
...
> There are many different ways of setting up OpenVPN.
> My recommendation is:
> - tunneling at network layer (use tun0, not tap0),

ok i will be sure to go with tun0

> - a separate RFC1918 subnet for the VPN (e.g. 192.168.x.y)

Not sure what that is, but my router has been set up as 192.168.1.1 as gateway, 255.255.255.0 subnet mask, and thus my main PC is 192.168.1.100 -- so I hope that is ok to go with for now? (see below)

> - UDP transport on the standard port (1194),

yes I will go with UDP and 1194

> - SSL encryption and key exchange
...

Ok I got openvpn installed using urpmi, it was quite easy, now for the hard part, configuring it. It looks do-able though, I am actually rather excited to get it installed!

Can I still leave my home cable router home PC LAN setting as 192.168.1.1 as the local address (gateway) with 255.255.255.0 subnet mask (so that my main PC is 192.169.1.100, etc) -- or do I need to change my router LAN network to something else?

In the openVPN documentation on setting it up, it talks about "Numbering Private subnets", where 10.0.0.0 / 10.255.255.255.255 (10/8 prefix, whatever that means) is reserved block of IP address space for private internet protocols. The doc says "The best solution is to avoid using 10.0.0.0/24 or 192.168.0.0/24 LAN network addresses. Instead, use something that has a lower probability of being used in a Wifi cafe, etc. The best candidates are subnets in the middle of the vast 10.0.0.0/8 netblock (for example 10.66.77.0/24)"

I want to have my router set up correctly first, then I think I will be able to configure the config files with a little help.
Proteus <proteus@uselessemail.net> wrote in
news:pan.2005.11.23.21.14.48.136311@uselessemail.net:

> On Wed, 23 Nov 2005 20:57:00 +0000, Tauno Voipio wrote:
> ...
>> There are many different ways of setting up OpenVPN.
>> My recommendation is:
>> - tunneling at network layer (use tun0, not tap0),
>
> ok i will be sure to go with tun0
>
>> - a separate RFC1918 subnet for the VPN (e.g. 192.168.x.y)
>
> Not sure what that is, but my router has been set up as 192.168.1.1 as
> gateway, 255.255.255.0 subnet mask, and thus my main PC is 192.168.1.100
> -- so I hope that is ok to go with for now? (see below)

The subnet for the VPN must not conflict with the subnet being used for ethX to talk to your router or any other local subnets. The VPN uses tun0 as though it were a real interface. Think of it as a "wire" running between tun0 on one PC to the tun0 on the other. Each end of the "wire" needs an ip address on the same subnet so you can route packets over the tunnel. These are usually set up as a private RFC subnet but must not conflict with any other private RFC subnets you are using. The Open VPN Server can supply the address to the client as part of the process of bringing up the tunnel which is actually established via ethX's ip address.

e.g you could have:

tun0 of the server could be 192.168.250.1/24
tun0 at the client gets assigned 192.168.250.x where x not= 1

You can route other subnets over the VPN tunnel via pushroutes in the OpenVPN config or just add the routes after the VPN is established.

>> - UDP transport on the standard port (1194),
>
> yes I will go with UDP and 1194
>
>> - SSL encryption and key exchange
> ..
>
> Ok I got openvpn installed using urpmi, it was quite easy, now for the
> hard part, configuring it. It looks do-able though, I am actually rather
> excited to get it installed!
>
> Can I still leave my home cable router home PC LAN setting as
> 192.168.1.1 as the local address (gateway) with 255.255.255.0 subnet
> mask (so that my main PC is 192.169.1.100, etc)-- or do I need to change
> my router LAN network to something else?

Leave your PC lan and router setup alone. Just choose the VPN subnet so it doesn't conflict with anything you already have.

> In the openVPN documentation
> on setting it up, it talks about "Numbering Private subnets", where
> 10.0.0.0 / 10.255.255.255.255 (10/8 prefix, whatever that means) is
> reserved block of IP address space for private internet protocols. The
> doc says "The best solution is to avoid using 10.0.0.0/24 or
> 192.168.0.0/24 LAN network addresses. Instead, use something that has a
> lower probability of being used in a Wifi cafe, etc. The best candidates
> are subnets in the middle of the vast 10.0.0.0/8 netblock (for example
> 10.66.77.0/24)" I want to have my router set up correctly first, then I
> think I will be able to configure the config files with a little help.

Again, don't touch your router config. As long as normal internet access is working, leave it alone. The only thing is if the router has a firewall on it - you will have to make sure udp port 1194 is allowed through to get the VPN tunnel established. The traffic actually carried over the VPN just looks like udp port 1194 packets containing gobbledegook (because the real data packets are encrypted and packaged up inside the UDP 1194 packets).

Klazmon
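An added example (mine, not from Klazmon's post) that mechanises the advice above: check a candidate VPN subnet against the LANs you already use, insist it is RFC1918, and carve out the server's .1 and the client addresses. The LAN list is a constructed assumption (the poster's home LAN plus the two ranges the OpenVPN HOWTO calls common in cafes), not a survey.

```python
import ipaddress

# Constructed sample inputs: the poster's home LAN plus the two subnets the
# OpenVPN HOWTO calls common in wifi cafes (an assumed list, not a survey).
LOCAL_SUBNETS = ["192.168.1.0/24", "192.168.0.0/24", "10.0.0.0/24"]

# Candidates in order of preference: the first two collide with a LAN above,
# the third is Klazmon's example, the last is the HOWTO's "middle of 10/8".
CANDIDATES = ["192.168.1.0/24", "10.0.0.0/24", "192.168.250.0/24", "10.66.77.0/24"]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(subnet):
    """True if the subnet lies entirely inside one of the three private blocks."""
    net = ipaddress.ip_network(subnet, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)


def conflicts(vpn_subnet, local_subnets):
    """Local subnets that overlap the proposed VPN subnet (any overlap breaks routing)."""
    vpn = ipaddress.ip_network(vpn_subnet, strict=True)
    return [s for s in local_subnets
            if ipaddress.ip_network(s, strict=True).overlaps(vpn)]


def pick_vpn_subnet(candidates, local_subnets):
    """First candidate that is RFC1918 and overlaps none of the local subnets."""
    for cand in candidates:
        if is_rfc1918(cand) and not conflicts(cand, local_subnets):
            return cand
    return None          # nothing usable: choose a different range


def tunnel_endpoints(vpn_subnet):
    """Server takes the first host (.1); clients get the rest, as in the post."""
    hosts = list(ipaddress.ip_network(vpn_subnet, strict=True).hosts())
    return str(hosts[0]), [str(h) for h in hosts[1:]]


if __name__ == "__main__":
    chosen = pick_vpn_subnet(CANDIDATES, LOCAL_SUBNETS)
    server, clients = tunnel_endpoints(chosen)
    print(f"VPN subnet {chosen}: server tun0 {server}, {len(clients)} client addresses")
```

Run it with the cafe's actual DHCP range added to LOCAL_SUBNETS when you are on the road; an overlap there is the failure mode the HOWTO's "avoid 192.168.0.0/24" advice is about.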
On Thu, 24 Nov 2005 17:17:29 +1300, Llanzlan Klazmon wrote:
...
> Again, don't touch your router config. As long as normal internet access
> is working, leave it alone. The only thing is if the router has a firewall
> on it - you will have to make sure udp port 1194 is allowed through to get
> the VPN tunnel established. The traffic actually carried over the VPN just
> looks like udp port 1194 packets containing gobbledegook (because the real
> data packets are encrypted and packaged up inside the UDP 1194 packets).

Thank you Klazmon for the clarification, this is all strange to me, but I am feeling like I WILL get it working, and then I can help others how to do it too in the future.

Ok I am only going to set up the UDP port and port forwarding and such on my hardware router, I will not alter my router's LAN and subnet mask settings. Thanksgiving today, so I will work more on setting up the VPN later today and tomorrow.

Thanks all for the help thus far!
Llanzlan Klazmon <Klazmon@llurdiaxorb.govt> wrote:
> The subnet for the VPN must not conflict with the subnet being used for
> ethX to talk to your router or any other local subnets.

I tend to use OpenVPN as a point to point link, like this (with pre-shared keys), and add exactly the routes I want. I re-use the IP address of the internal network on the tun interface (no need for a different one). My local network is 172.16.x.y, the remote network is 172.17.x.y and this connects the two gateway machines together.

vpnX.conf

```
#
# OpenVPN configuration file
# using a pre-shared static key.
#

# Use a fixed name tun device.
dev tun-X

# remote end - comment this out if the other end is dynamic IP
#remote 1.2.3.4

# local, remote IPs of the tunnel
ifconfig 172.16.0.1 172.17.0.1

# Start routes
up ./vpnX.up

# Our pre-shared static key
secret vpnX.key

# Port number to use
port 12221

# Compress
comp-lzo

# Send a UDP ping to remote once every N seconds to keep stateful
# firewall connection alive. iptables has a 3 minute timeout on UDP
# by default so 1 minute should be adequate here
ping 60

# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet.
# 5 -- medium output, good for normal operation.
# 8 -- verbose, good for troubleshooting
verb 5

# VOIP
passtos
```

vpnX.up

```
#!/bin/bash
route add -net 172.17.0.0 netmask 255.255.0.0 gw $5
```

I've found OpenVPN to be by far the most reliable and easy to set up VPN!

--
Nick Craig-Wood <nick@craig-wood.com> -- http://www.craig-wood.com/nick
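As an added example (not Nick's own tooling), a small parser for the vpnX.conf format shown above that pulls out what the router firewall and the up script depend on: the port and protocol to allow, whether the tunnel is static-key or TLS, and the remote tunnel address that OpenVPN hands the up script as $5. The sample config is constructed to mirror the posted one.

```python
import ipaddress
import shlex

# Constructed sample mirroring the directives in the vpnX.conf posted above.
# OpenVPN treats lines starting with '#' or ';' as comments.
SAMPLE_CONF = """\
# OpenVPN configuration using a pre-shared static key
dev tun-X
;remote 1.2.3.4
ifconfig 172.16.0.1 172.17.0.1
up ./vpnX.up
secret vpnX.key
port 12221
comp-lzo
ping 60
verb 5
passtos
"""


def parse_openvpn_conf(text):
    """Map each directive to a list of its argument lists (directives may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)   # also drops a trailing '# ...'
        if parts:
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def tunnel_summary(conf):
    """What the router firewall and the up script depend on for this tunnel."""
    local_ip, remote_ip = conf["ifconfig"][0]
    return {
        "proto": conf.get("proto", [["udp"]])[0][0],   # OpenVPN defaults to UDP
        "port": int(conf.get("port", [["1194"]])[0][0]),
        "mode": "static-key" if "secret" in conf else "tls",
        "local_ip": local_ip,
        "remote_ip": remote_ip,            # OpenVPN passes this to 'up' as $5
        "dynamic_peer": "remote" not in conf,
    }


def up_script_route(conf, remote_lan):
    """The route the posted vpnX.up adds, with $5 resolved to the remote tunnel IP."""
    net = ipaddress.ip_network(remote_lan, strict=True)
    gw = tunnel_summary(conf)["remote_ip"]
    return f"route add -net {net.network_address} netmask {net.netmask} gw {gw}"
```

The summary's proto/port pair is exactly what the router firewall rule from earlier in the thread needs (here udp/12221 rather than the default 1194), and a static-key tunnel with no remote directive is one that waits for a dynamic-IP peer to connect.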