Technical Diary - With Andrii Grytsenko

OpenVPN connection between two points

We have two hosts which have to be connected by a VPN connection. For this connection I am going to use the OpenVPN software.


You can download it here. If you want to look at OpenVPN more deeply than this post does, I would advise you to get your information from this source.

There are two machines:

  • host node1: server side, running Debian (10.0.2.2)
  • host node2: client side, running CentOS (with no IP address visible to node1)

First, install and set up the server side:

node1# apt-get install openvpn
node1# cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
node1# . ./vars

In the next step you will be prompted with a few simple questions before your CA certificate is generated.

node1# ./build-ca

Next, generate the certificate for the server:

node1# ./build-key-server node1

I left the password prompt empty.

Next, generate the certificate for the client:

node1# ./build-key node2

The same answers as in the previous step, except for “Common Name”, which should match the client hostname.

Now generate the Diffie-Hellman parameters:

node1# ./build-dh

Here is a table, taken from the official documentation, showing where the certificate and key files should be stored:

Filename      Needed By                  Purpose                     Secret
ca.crt        server + all clients       Root CA certificate         NO
ca.key        key signing machine only   Root CA key                 YES
dh{n}.pem     server only                Diffie Hellman parameters   NO
server.crt    server only                Server Certificate          NO
server.key    server only                Server Key                  YES
client1.crt   client1 only               Client1 Certificate         NO
client1.key   client1 only               Client1 Key                 YES
client2.crt   client2 only               Client2 Certificate         NO
client2.key   client2 only               Client2 Key                 YES
client3.crt   client3 only               Client3 Certificate         NO
client3.key   client3 only               Client3 Key                 YES

!!! Following this table, make sure that all your files are located in the proper place.
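An added check for the placement table above (example code, not from the original post): it verifies that a config directory holds the files its role needs, that the secret key is owner-readable only, that ca.key has not been left on the server, and that the cert was actually issued for the key. The directory, name and role arguments are assumptions; it relies on GNU stat and the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the original post: checks that the files copied into
# an OpenVPN config dir follow the placement table above.
#   - server: ca.crt, dh{n}.pem, <name>.crt, <name>.key must exist
#   - client: ca.crt, <name>.crt, <name>.key must exist
#   - every "Secret = YES" file must be mode 600 (or 400)
#   - ca.key belongs on the key-signing machine only, so it must NOT be here
#   - <name>.crt must have been issued for <name>.key (same public key)
# Usage: check_openvpn_files /etc/openvpn node1 server   (returns 0 if clean)
check_openvpn_files() {
    dir=$1; name=$2; role=$3; rc=0
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; rc=1; }
    done
    if [ "$role" = server ]; then
        ls "$dir"/dh*.pem >/dev/null 2>&1 || { echo "missing: $dir/dh{n}.pem"; rc=1; }
    fi
    if [ -f "$dir/$name.key" ]; then
        mode=$(stat -c %a "$dir/$name.key")   # GNU stat (Linux)
        case $mode in
            600|400) ;;
            *) echo "bad mode $mode on $dir/$name.key (want 600)"; rc=1 ;;
        esac
    fi
    if [ -f "$dir/ca.key" ]; then
        echo "ca.key found in $dir: keep the CA key on the signing machine only"; rc=1
    fi
    # Compare the public key embedded in the cert with the one derived from the key.
    if [ -f "$dir/$name.crt" ] && [ -f "$dir/$name.key" ] && command -v openssl >/dev/null 2>&1; then
        cpub=$(openssl x509 -noout -pubkey -in "$dir/$name.crt" 2>/dev/null)
        kpub=$(openssl pkey -pubout -in "$dir/$name.key" 2>/dev/null)
        if [ -z "$cpub" ] || [ -z "$kpub" ]; then
            echo "cannot parse $name.crt / $name.key"; rc=1
        elif [ "$cpub" != "$kpub" ]; then
            echo "$name.crt does not belong to $name.key"; rc=1
        fi
    fi
    return $rc
}
```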

Copy the sample config file into /etc/openvpn:

node1:# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
node1:# cd /etc/openvpn/
node1:# gunzip server.conf.gz

The keys and certificates have to be copied as well:

node1:# cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.* .
node1:# cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/dh1024.pem .
node1:# cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/node1* .

Uncomment or change the values of the following lines:

local 10.0.2.2
cert node1.crt
key node1.key
user nobody
group nogroup
log /var/log/openvpn.log # in this case openvpn doesn't use syslog daemon for logging

Now it’s time to start our daemon.

node1:# /etc/init.d/openvpn start
Starting virtual private network daemon: server.

If no errors occurred, check whether the interface is up:

node1:# /sbin/ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

It is also a good idea to check the log file (/var/log/openvpn.log, as configured above).

Don’t forget to enable the daemon at boot:

node1:# update-rc.d openvpn defaults

That looks good for the server side. On to the client.

Before you start installing openvpn, make sure the following software is already installed on your box:

  1. openssl
  2. lzo
  3. pam

I could not find an lzo package in my CentOS repository :( so I had to compile it from source:

[root@node2]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
[root@node2]# tar -xzvf lzo-2.03.tar.gz
[root@node2]# cd lzo-2.03
[root@node2]# ./configure --enable-shared
[root@node2]# make
[root@node2]# make install

Now add the new path to the dynamic linker’s search path:

[root@node2]# echo "/usr/local/lib" > /etc/ld.so.conf.d/lzo.conf
[root@node2]# ldconfig

Get the latest openvpn version from the site:

[root@node2]# wget http://dag.wieers.com/rpm/packages/openvpn/openvpn-2.0.9-1.el5.rf.i386.rpm
[root@node2]# rpm -Uhv --nodeps openvpn-2.0.9-1.el5.rf.i386.rpm

After this, copy the config file and edit it:

[root@node2]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf /etc/openvpn/

Copy the client cert and key from the server:

[root@node2]# cd /etc/openvpn/
[root@node2]# scp root@node1:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/node2* .

The following lines should be edited:

remote 10.0.2.2 1194
user nobody
group nobody
cert node2.crt
key node2.key

Now the system is ready to start:

[root@node2]# /etc/init.d/openvpn start
Starting openvpn:                                          [  OK  ]

To check that everything works fine, identify the IP address of the virtual interface:

[root@node2]# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
< skipped >

As you can see, it is 10.8.0.6. Now try to ping it from the server side:

node1:# ping 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_seq=1 ttl=64 time=0.692 ms

If all checks succeeded, enable the service at boot:

[root@node2]# chkconfig --level 35 openvpn on

To double-check, reboot both systems and verify that the connection is re-established.

UPDATE:

Sometimes you face the problem of your server being located on the client side (yes, it really happens from time to time). Therefore you should have some mechanism to keep your connection alive all the time. I use the following script for this (pay attention to the placeholder values: they must be changed to match your conditions):

#!/bin/bash
# Watchdog: (re)start the OpenVPN client when the server is reachable but the
# tunnel is down. Replace the two placeholder values with your own addresses.

server_ext_ip="<your server external IP>"   # public address the server listens on
server_int_ip="<your server internal IP>"   # server address inside the tunnel (e.g. 10.8.0.1)

function start_vpn {
        cd /path/where/client.conf/is/located || exit 1
        sudo /usr/sbin/openvpn --config client.conf &>/dev/null &
        echo "vpn was started at $(date '+%H:%M:%S %d/%m/%y')" >> /var/log/vpn.log
}

# Is the server up at all? Probe TCP port 80 with a 5 second timeout.
nc -w 5 -z "$server_ext_ip" 80 &>/dev/null
avaib=$?

# Server is up, but its tunnel address does not answer: the VPN needs a restart.
if [ "$avaib" -eq 0 ] && ! ping -c 5 "$server_int_ip" &>/dev/null; then
    if ! pgrep -x openvpn &>/dev/null; then
        start_vpn
    else
        # a stale openvpn process is hanging around: kill it and start fresh
        sudo kill $(pgrep -x openvpn)
        start_vpn
    fi
fi

Please make sure that this line is commented out in your /etc/sudoers:

#Defaults    requiretty

This lets sudo work without a tty (i.e. from crontab).

Then add a new entry to your crontab to run the check every minute:

crontab -l
*/1 * * * *     /path/to/open.sh

1 Comment to OpenVPN connection between two points

  1. Ali
    July 14, 2010 at 17:23

    This guide saved my asxxxxxxxxxx. Thanks a lot, thanks a million
