OpenVPN on Deb 5 - help please

Hi everyone, brand-new Linode user here!

I'm hoping to set up OpenVPN to get SMB shares and all sorts of other cool stuff eventually working, but I'm having trouble following the guides I've found on the web (e.g. the one linked from the linode wiki).

Specifically, I can't apt-get install liblzo1 (couldn't find package), and I can't modprobe tun (command not found)… I'm pretty much a beginner, I've never installed OpenVPN before - I think I need a really comprehensive guide if anyone can point me at one that should work with our Debian boxes here?

[edit]This one looked like it could be really helpful, but I didn't get past the first couple of steps[/edit]

BTW great community and documentation, really pleased with my choice so far :)

3 Replies

@Daveo:

Specifically, I can't apt-get install liblzo1 (couldn't find package), and I can't modprobe tun (command not found)… I'm pretty much a beginner, I've never installed OpenVPN before - I think I need a really comprehensive guide if anyone can point me at one that should work with our Debian boxes here?
I suspect the guide you're looking at has older instructions which may no longer apply to current packaging.

Specifically, I believe the openvpn package will already declare the needed dependency on liblzo2-2, which is now at version 2 (which is why you probably can't find liblzo1). So I think that just doing a simple "apt-get install openvpn" should install everything you need.

And at least on Ubuntu, I didn't have to create the tun (well, tap in my case) device manually - so it might also not be needed on current Debian releases like Debian 5.

The package should install a bunch of docs/examples under /usr/share/doc/openvpn, so you can find a lot of information there. Of course, the primary documentation online at http://openvpn.net/index.php/open-source/documentation.html is also a good resource.

Your primary task after installing the package will be to adjust the sample configuration file to fit your needs. To be honest, on the server side very little absolutely needs changing other than putting in appropriate references to your certificates and keys.

Generating those certificates probably has the highest learning curve depending on your prior exposure to OpenSSL. But there are sample scripts (also in /usr/share/doc/openvpn) to help manage this without having to manually interact with OpenSSL. There are READMEs in those directories that should help.

Essentially you will need to:

* Generate Diffie-Hellman parameters (build-dh)
* Build a certificate authority certificate and private key (build-ca)
* Build a server certificate (signed by the CA) and private key (build-key-server)
* Build certificates/private keys (signed by the CA) for any clients (build-key)

All but the last step are one time only.

After that, dump the created files in /etc/openvpn along with your configuration. Then start up with /etc/init.d/openvpn start (which should run an openvpn for every *.conf file in /etc/openvpn).

Oh, and make sure that any filtering/firewall you may have leaves UDP port 1194 open, since that's how the traffic will arrive. Also, if you have general filtering rules in place, you will probably need to add allowances for traffic that will be arriving on the tap/tun interface with whatever private addresses you choose to assign to clients.

– David
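The four easy-rsa steps David lists, as an added example that is not part of the thread and not the easy-rsa scripts themselves: it substitutes direct openssl commands (assumed installed) for build-ca, build-key-server and build-key, and leaves the slow build-dh step to a separate command. Directory and common names are made up.

```shell
#!/bin/sh
# Hypothetical stand-in for the easy-rsa steps (build-ca, build-key-server,
# build-key) using openssl directly; assumes openssl is installed. Everything
# is written under the directory given as $1. Diffie-Hellman parameters
# (build-dh) are not built here: run "openssl dhparam -out dh2048.pem 2048"
# separately, it is slow.
set -e
build_pki() {
    dir="$1"; client="${2:-client1}"
    mkdir -p "$dir"
    (
        cd "$dir"
        # build-ca: self-signed CA certificate and key (keep ca.key off the VPN box if you can)
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example-CA" \
            -keyout ca.key -out ca.crt 2>/dev/null
        # build-key-server: server key + CSR, signed by the CA with serverAuth so
        # clients can insist on "remote-cert-tls server"
        openssl req -newkey rsa:2048 -nodes -subj "/CN=server" \
            -keyout server.key -out server.csr 2>/dev/null
        echo "extendedKeyUsage=serverAuth" > server.ext
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -extfile server.ext -out server.crt 2>/dev/null
        # build-key: one client certificate, marked clientAuth
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$client" \
            -keyout "$client.key" -out "$client.csr" 2>/dev/null
        echo "extendedKeyUsage=clientAuth" > client.ext
        openssl x509 -req -in "$client.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -extfile client.ext -out "$client.crt" 2>/dev/null
        # private keys must not be world-readable
        chmod 600 ca.key server.key "$client.key"
    )
}
# Check that a certificate chains to the CA and carries the expected usage
# ("Server" or "Client"); returns non-zero otherwise.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1 &&
        openssl x509 -in "$1/$2" -noout -text | grep -q "TLS Web $3 Authentication"
}
```

Copy ca.crt, server.crt, server.key and the DH file into /etc/openvpn on the server; each client only gets ca.crt plus its own certificate and key.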

Thank you David, that's awesome :) I'll give it a go now!

Yay, I think it's working!

I had to do some random stuff that wasn't in any of the basic tutorials (found it on a site about the eeePC):

(apt-get install module-init-tools) (I may have accidentally removed these)

(modprobe tun) (think I just got an error)

mkdir /dev/net

mknod /dev/net/tun c 10 200 (I have no idea!)

openvpn --mktun --dev tun0

Then my pretty basic configuration based on the Static Key Mini-HOWTO seems to work - I can ping back and forth at least on the 10.8.0.x interfaces.

(yet another) Question: Can you see any problem with these iptables rules?

```
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   256 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:www
    1    88 ACCEPT     udp  --  eth0   any     anywhere             anywhere            udp dpt:8888
    2   120 ACCEPT     all  --  tun+   any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:9999

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 13 packets, 1536 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

(9999 being my ssh port and 8888 being the openvpn port)

Also, I guess it's a good idea to now allow ssh connections only over the vpn?

Thanks again!

Daveo
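The listed chains rebuilt as iptables commands, with the SSH-over-the-VPN-only option Daveo asks about; this is an added example, not code from the thread. It assumes the post's interface and ports (eth0, OpenVPN on UDP 8888, sshd on TCP 9999) and adds two rules the listing lacks: a loopback ACCEPT in INPUT, and a RELATED,ESTABLISHED ACCEPT in FORWARD so replies to forwarded tunnel traffic are not dropped by the DROP policy.

```shell
#!/bin/sh
# Print iptables commands for an OpenVPN host; apply with
#   openvpn_rules eth0 8888 9999 vpn_only | sh
# Arguments: WAN interface, OpenVPN UDP port, sshd TCP port, and "any" or
# "vpn_only" for where SSH is accepted from. The defaults shown in the usage
# line are assumptions taken from the post (eth0 / 8888 / 9999).
openvpn_rules() {
    wan_if="$1"; vpn_port="$2"; ssh_port="$3"; ssh_scope="${4:-any}"
    cat <<EOF
iptables -F INPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# missing from the listing: without this, local services cannot talk over lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# the tunnel itself only arrives on the WAN side
iptables -A INPUT -i $wan_if -p udp --dport $vpn_port -j ACCEPT
# everything from inside the tunnel (this already covers SSH for VPN clients)
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
# missing from the listing: replies to forwarded tunnel traffic
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
    # "any" keeps sshd reachable from the Internet on the WAN interface;
    # "vpn_only" simply does not open it there, so only the tun+ rule admits it.
    if [ "$ssh_scope" != "vpn_only" ]; then
        echo "iptables -A INPUT -p tcp --dport $ssh_port -j ACCEPT"
    fi
}
```

Have an out-of-band console available before switching to vpn_only: SSH then disappears from eth0, so a broken tunnel means no remote login.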
