I have been trying to learn Asterisk and, as many of you know, the main service provider has blocked the voice ports in Pakistan. Therefore, we cannot connect to Asterisk servers through X-Lite, 3CX or any other softphone.

Since I have done a couple of very basic projects to set up Asterisk servers for my clients, I need to have some sort of setup to connect to their Asterisk servers.

So, one theoretical concept that came to my mind: I can purchase a Virtual Private Server (VPS), which is obviously very cheap ($20/month), install a VPN server on it and connect my machine (laptop) to that VPN server. Through that server I will be part of its network, and then I would be able to connect my softphone to any VoIP/Asterisk server.

Environment:

Virtual Private Server (VPS)

  1. Purchased from: http://vpslink.com/
  2. OS: CentOS
  3. IP Address: 64.79.205.xxx
  4. Virtualization Platform: OpenVZ
  5. VPN Server: OpenVPN

My fresh server's IP configuration:

    # ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:34 errors:0 dropped:0 overruns:0 frame:0
              TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:3101 (3.0 KiB)  TX bytes:3101 (3.0 KiB)

    venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
              UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
              RX packets:30678 errors:0 dropped:0 overruns:0 frame:0
              TX packets:29616 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:3556848 (3.3 MiB)  TX bytes:4822295 (4.5 MiB)

    venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:64.79.205.xx  P-t-P:64.79.205.xx  Bcast:64.79.205.xx  Mask:255.255.255.255
              UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

Client Machine:

  1. Laptop
  2. OS: Windows Vista Business
  3. VPN Client: OpenVPN client for Windows

Scenario:

Server IP Address: 64.79.205.xxx

Server Network: 192.168.100.x/24

Client Network: 192.168.1.x/24

Tunnel: 10.8.0.0/30

Installation of OpenVPN server

    # wget http://openvpn.net/release/openvpn-2.1_rc20.tar.gz
    # tar xzf openvpn-2.1_rc20.tar.gz
    # cd openvpn-2.1_rc20
    # yum install openssl    ## install openssl if it is not installed
    # ./configure --disable-lzo
    # make && make install
    # cd openvpn

You will find easy-rsa in the extracted OpenVPN distribution. What I did: I created a directory openvpn in /etc and copied all files from openvpn-[version]/easy-rsa to /etc/openvpn.

# mkdir /etc/openvpn  
# cp -r /[path]/openvpn-[version]/easy-rsa/* /etc/openvpn  

Then I executed the following from /etc/openvpn:

    # cd /etc/openvpn
    # . ./vars
    # ./clean-all
    # ./build-ca
    Generating a 1024 bit RSA private key
    ............++++++
    ...........++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [KG]:
    State or Province Name (full name) [NA]:
    Locality Name (eg, city) [BISHKEK]:
    Organization Name (eg, company) [OpenVPN-TEST]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:LINUX-ANGELS
    Email Address [me@myhost.mydomain]:saifurab@gmail.com

Note that in the above sequence, most queried parameters were defaulted to the values set in vars. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "LINUX-ANGELS".

Generate certificate & key for server

Next, we will generate a certificate and private key for the server.

    # ./build-key-server server

As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses: "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Generate certificates & keys for 3 clients

Generating client certificates is very similar to the previous step.

    # ./build-key client1
    # ./build-key client2
    # ./build-key client3

For each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2" or "client3". Always use a unique Common Name for each client: OpenVPN keys its client-config-dir entries and its address-pool bookkeeping by Common Name, so two clients sharing one name collide.

Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server. On Linux/BSD/Unix:

    # ./build-dh

Output:

    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    ..................+..........................................
    ....................+.............+..................+........
    ......................................

Key Files

Now we will find our newly-generated keys and certificates in the /etc/openvpn/keys subdirectory. Here is an explanation of the relevant files, where each one has to go, and which ones must be kept secret:

  1. ca.crt: root CA certificate; needed by the server and every client; not secret.
  2. ca.key: root CA private key; used only on the machine that signs certificates (ideally not the VPS itself); SECRET.
  3. dh{n}.pem: Diffie-Hellman parameters (dh1024.pem here); server only; not secret.
  4. server.crt: server certificate; server only; not secret.
  5. server.key: server private key; server only; SECRET.
  6. client1.crt, client2.crt, client3.crt: one certificate per client; each goes only to its own client; not secret.
  7. client1.key, client2.key, client3.key: one private key per client; each goes only to its own client; SECRET.
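Before the keys are copied anywhere, it is worth checking that easy-rsa produced what the steps above expect: private keys unreadable by other users, each certificate matching its key and chaining to ca.crt, and no two clients sharing a Common Name. The script below is an added example (not from the post or from the OpenVPN project); it assumes the /etc/openvpn/keys layout and the file names used above, and the `openssl` command-line tool.

```shell
#!/bin/sh
# check_pki.sh -- sanity-check the easy-rsa key directory before the keys
# are copied to the server and clients. Added example, not part of the post.
# Assumes the post's layout: a directory with ca.crt, ca.key, server.crt,
# server.key and clientN.crt / clientN.key.

# 0 if the file's group/other permission bits are all clear (600, 400, ...).
key_mode_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    case "$mode" in
        *[1-7][0-7]|*[0-7][1-7]) return 1 ;;   # some group or other bit is set
    esac
    return 0
}

# 0 if the certificate's RSA modulus equals the private key's modulus.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate chains to the CA. The text is parsed because old
# openssl releases exit 0 even when verification fails.
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Print the Common Name of a certificate (works for old "/CN=x" and
# new "CN = x" subject formats).
cert_cn() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null \
        | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Audit a key directory: one FAIL line per problem, return value = count.
check_pki() {
    dir=$1; fails=0
    for key in "$dir"/ca.key "$dir"/server.key "$dir"/client*.key; do
        [ -f "$key" ] || continue
        key_mode_ok "$key" || { echo "FAIL: $key is readable by group/other"; fails=$((fails+1)); }
    done
    for crt in "$dir"/server.crt "$dir"/client*.crt; do
        [ -f "$crt" ] || continue
        key="${crt%.crt}.key"
        cert_matches_key "$crt" "$key" || { echo "FAIL: $crt does not match $key"; fails=$((fails+1)); }
        cert_signed_by_ca "$dir/ca.crt" "$crt" || { echo "FAIL: $crt is not signed by ca.crt"; fails=$((fails+1)); }
    done
    # Every client needs a unique CN (ccd entries and pool slots are keyed by it).
    dups=$(for crt in "$dir"/client*.crt; do [ -f "$crt" ] && cert_cn "$crt"; done | sort | uniq -d)
    [ -z "$dups" ] || { echo "FAIL: duplicate client Common Name(s): $dups"; fails=$((fails+1)); }
    return $fails
}

# Stand-alone use:  ./check_pki.sh /etc/openvpn/keys
if [ $# -gt 0 ]; then check_pki "$1"; exit $?; fi
```

A zero exit status means every key is owner-only, every certificate pairs with its key and verifies against ca.crt, and the client names are distinct; each FAIL line names the file to fix.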

After key generation, find sample-config-files in the distribution and copy server.conf to /etc/openvpn. Keep its `key keys/server.key` line: the listing below does not show it, but OpenVPN refuses to start without the server's private key.

Server Configuration File

    # grep -v '#' /etc/openvpn/server.conf | grep -v '^$'
    port 1194
    proto udp
    dev tun
    ca keys/ca.crt
    cert keys/server.crt
    dh keys/dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 192.168.100.0 255.255.255.0"
    client-config-dir ccd
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 64.79.200.111"
    push "dhcp-option DNS 64.79.200.113"
    client-to-client
    keepalive 10 120
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
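This server.conf works, but on a public VPS a few of its settings deserve a second look: the port answers a TLS handshake from anyone (no tls-auth), the DH parameters are 1024 bits, the daemon keeps root after startup, and client-to-client plus redirect-gateway mean every VPN client can reach every other client and all of their traffic leaves through the VPS. The script below is an added example, not part of the post or of the OpenVPN project; the directive names are OpenVPN's, while the WARN/NOTE labels and the 2048-bit threshold are this script's own assumptions.

```shell
#!/bin/sh
# audit_server_conf.sh -- flag risky settings in an OpenVPN server.conf
# before exposing it on a public VPS. Added example, not from the post.

# Print the first argument of a directive ("" if absent).
directive_arg() {            # $1=file $2=directive
    awk -v d="$2" '$1==d {print $2; exit}' "$1"
}

# 0 if the directive is present (leading spaces ignored, comments skipped).
has_directive() {            # $1=file $2=directive
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# 0 if the server pushes the given option to clients, e.g. redirect-gateway.
pushes() {                   # $1=file $2=option
    grep -Eq "^[[:space:]]*push[[:space:]]+[\"']?$2" "$1"
}

warn() { echo "WARN: $1"; warns=$((warns+1)); }
note() { echo "NOTE: $1"; }

# One WARN or NOTE line per finding; return value = number of WARN lines.
audit_server_conf() {
    f=$1; warns=0

    # Without any of these the daemon refuses to start ("key" is the one
    # the post's listing omits).
    for d in ca cert key dh server; do
        has_directive "$f" "$d" || warn "required directive '$d' is missing"
    done

    # tls-auth / tls-crypt drop packets from peers that lack the shared key
    # before the TLS handshake starts, so strangers cannot even probe the port.
    port=$(directive_arg "$f" port)
    has_directive "$f" tls-auth || has_directive "$f" tls-crypt \
        || warn "no tls-auth/tls-crypt: port ${port:-1194} answers TLS from anyone"

    # DH size taken from the file name easy-rsa produces (dh1024.pem above).
    bits=$(directive_arg "$f" dh | sed -n 's/.*dh\([0-9][0-9]*\)\.pem$/\1/p')
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        warn "dh parameters are only $bits bits; generate 2048 or larger"
    fi

    # Privilege drop once the tun device and key files are open.
    has_directive "$f" user  || warn "no 'user nobody': daemon keeps root after startup"
    has_directive "$f" group || warn "no 'group nobody': daemon keeps root group after startup"

    # Not errors, but the operator should know what they imply.
    has_directive "$f" client-to-client && note "client-to-client: every VPN client can reach every other"
    pushes "$f" redirect-gateway && note "redirect-gateway pushed: all client traffic exits via this VPS"
    has_directive "$f" duplicate-cn && warn "duplicate-cn lets one certificate be shared by many clients"
    return $warns
}

# Stand-alone use:  ./audit_server_conf.sh /etc/openvpn/server.conf
if [ $# -gt 0 ]; then audit_server_conf "$1"; exit $?; fi
```

Run against the listing above it reports the missing `key` line, the absent tls-auth, the 1024-bit DH file and the missing user/group drop as warnings, and the client-to-client and redirect-gateway lines as notes; a config with those directives added exits 0.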

Client Configuration

Download the OpenVPN client for Windows (a web search finds it) and install it on your Vista machine. Suppose we are setting up the client for the client1 certificates.

Assume that we are on the Vista machine for client1.

Copy ca.crt, client1.crt, client1.csr and client1.key into [Drive]:\Program Files\OpenVPN\config

and configure the client.ovpn file. See the sample file:

    client
    dev tun
    proto udp
    remote <VPN server IP> 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client1.crt
    key client1.key
    verb 3

FEW MORE THINGS ON SERVER:

  1. We have to create a virtual interface for the private IPs. In my case I assigned the IP 192.168.100.100 to my server, and I created a copy of ifcfg-venet0:0 as ifcfg-venet0:1:

    # cat /etc/sysconfig/network-scripts/ifcfg-venet0:1
    DEVICE=venet0:1
    IPADDR=192.168.100.100
    NETMASK=255.255.255.0

  2. When I tried to run the OpenVPN server on my OpenVZ platform, I got this error:

    Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)
    Note: Attempting fallback to kernel 2.2 TUN/TAP interface
    Cannot open TUN/TAP dev /dev/tun0: No such file or directory (errno=2)

Solution

  1. Enter mkdir -p /dev/net
  2. Enter mknod /dev/net/tun c 10 200
  3. Enter chmod 600 /dev/net/tun
  4. Enter cat /dev/net/tun to test whether the TUN/TAP device is available:
    1. If you receive the message cat: /dev/net/tun: File descriptor in bad state, your TUN/TAP device is ready for use.
    2. If you receive the message cat: /dev/net/tun: No such device, the TUN/TAP device was not successfully created.
  5. We have to enable IP forwarding and enable NAT with the commands below. MASQUERADE will not work in the VPS, so SNAT to the public address is used instead:

    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # iptables -t nat -A POSTROUTING -j SNAT --to 64.79.205.xx
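The SNAT rule above matches every packet that leaves POSTROUTING, not only traffic arriving from the tunnel; the script below, an added example that is not part of the post, repeats the Solution steps (device node, forwarding, NAT) in an idempotent form and restricts the rule to the tunnel subnet and the outgoing interface. It assumes the 10.8.0.0/24 tunnel from the `server` line, the venet0 interface shown in the ifconfig output, an `iptables-save` binary, and uses PUBLIC_IP_PLACEHOLDER where the post has the masked 64.79.205.xx.

```shell
#!/bin/sh
# vps_vpn_prep.sh -- TUN device node, IP forwarding and a scoped SNAT rule
# for an OpenVZ VPS. Added example, not part of the original post.
# Assumptions: tunnel subnet from the post's "server" line, venet0 as the
# public interface, and a placeholder in place of the masked public IP.

TUN_NET=${TUN_NET:-10.8.0.0/24}
OUT_IF=${OUT_IF:-venet0}
PUBLIC_IP=${PUBLIC_IP:-PUBLIC_IP_PLACEHOLDER}

# Map the message from "cat /dev/net/tun" onto a state word; the first two
# cases are the outcomes the post lists, the third is "node never created".
classify_tun_probe() {
    case "$1" in
        *"File descriptor in bad state"*) echo ready ;;
        *"No such device"*)               echo not-created ;;
        *"No such file or directory"*)    echo no-node ;;
        *)                                echo unknown ;;
    esac
}

# Create /dev/net/tun (char device, major 10, minor 200) only if it is
# missing, then report its state.
ensure_tun_node() {
    [ -c /dev/net/tun ] \
        || { mkdir -p /dev/net && mknod /dev/net/tun c 10 200 && chmod 600 /dev/net/tun; } \
        || return 1
    classify_tun_probe "$(cat /dev/net/tun 2>&1)"
}

# Build the SNAT rule arguments. The "-s" and "-o" matches are what the
# post's rule lacks: without them any forwarded packet, whatever its
# origin, is rewritten to the public address.
snat_rule_args() {           # $1=tunnel subnet $2=out interface $3=public ip
    echo "POSTROUTING -s $1 -o $2 -j SNAT --to-source $3"
}

# Turn on forwarding and add the rule only if it is not already loaded.
apply_nat() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null 2>&1 \
        || echo 1 > /proc/sys/net/ipv4/ip_forward
    rule=$(snat_rule_args "$TUN_NET" "$OUT_IF" "$PUBLIC_IP")
    if iptables-save -t nat | grep -qF -- "-A $rule"; then
        echo "nat rule already present"
    else
        iptables -t nat -A $rule     # word splitting of $rule is intended
    fi
}

# Stand-alone use (as root):  PUBLIC_IP=<your address> ./vps_vpn_prep.sh apply
if [ "${1:-}" = apply ]; then
    ensure_tun_node
    apply_nat
fi
```

Because the rule is looked up in `iptables-save` output before it is added, the script can be re-run at every boot without stacking duplicate POSTROUTING entries.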

Run OpenVPN server

    # openvpn server.conf
    Fri Nov 27 10:10:28 2009 OpenVPN 2.1_rc20 i686-pc-linux-gnu [SSL] [EPOLL] built on Nov 11 2009
    Fri Nov 27 10:10:28 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Fri Nov 27 10:10:31 2009 Diffie-Hellman initialized with 1024 bit key
    Fri Nov 27 10:10:32 2009 TLS-Auth MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Fri Nov 27 10:10:32 2009 ROUTE default_gateway=191.255.255.1
    Fri Nov 27 10:10:32 2009 TUN/TAP device tun0 opened
    Fri Nov 27 10:10:32 2009 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
    Fri Nov 27 10:10:32 2009 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
    Fri Nov 27 10:10:32 2009 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
    Fri Nov 27 10:10:32 2009 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
    Fri Nov 27 10:10:32 2009 Socket Buffers: R=[135168->131072] S=[135168->131072]
    Fri Nov 27 10:10:32 2009 UDPv4 link local (bound): [undef]:1194
    Fri Nov 27 10:10:32 2009 UDPv4 link remote: [undef]
    Fri Nov 27 10:10:32 2009 MULTI: multi_init called, r=256 v=256
    Fri Nov 27 10:10:32 2009 IFCONFIG POOL: base=10.8.0.4 size=62
    Fri Nov 27 10:10:32 2009 IFCONFIG POOL LIST
    Fri Nov 27 10:10:32 2009 LINUX-ANGELS,10.8.0.4
    Fri Nov 27 10:10:32 2009 LINUX-ANGELS,10.8.0.8
    Fri Nov 27 10:10:32 2009 Initialization Sequence Completed

Run OpenVPN client in Windows Vista

  1. Execute the OpenVPN GUI as administrator.
  2. You will see an icon in the tray. Right-click it and click Connect.

Now observe client and server

See ifconfig at the server:

    # ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:34 errors:0 dropped:0 overruns:0 frame:0
              TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:3101 (3.0 KiB)  TX bytes:3101 (3.0 KiB)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:11 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500
              RX bytes:924 (924.0 b)  TX bytes:0 (0.0 b)

    venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
              UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
              RX packets:31319 errors:0 dropped:0 overruns:0 frame:0
              TX packets:30110 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:3608634 (3.4 MiB)  TX bytes:4883925 (4.6 MiB)

    venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:64.79.205.xx  P-t-P:64.79.205.xx  Bcast:64.79.205.xx  Mask:255.255.255.255
              UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

    venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:192.168.100.100  P-t-P:192.168.100.100  Bcast:192.168.100.255  Mask:255.255.255.0
              UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

See the different outputs at the client.

Ping tun0:

    C:\Users\Admin>ping 10.8.0.1

    Pinging 10.8.0.1 with 32 bytes of data:
    Reply from 10.8.0.1: bytes=32 time=363ms TTL=64
    Reply from 10.8.0.1: bytes=32 time=363ms TTL=64
    Reply from 10.8.0.1: bytes=32 time=363ms TTL=64
    Reply from 10.8.0.1: bytes=32 time=363ms TTL=64

    Ping statistics for 10.8.0.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 363ms, Maximum = 363ms, Average = 363ms

Ping the OpenVPN server's private IP:

    C:\Users\Admin>ping 192.168.100.100

    Pinging 192.168.100.100 with 32 bytes of data:
    Reply from 192.168.100.100: bytes=32 time=363ms TTL=64
    Reply from 192.168.100.100: bytes=32 time=362ms TTL=64
    Reply from 192.168.100.100: bytes=32 time=366ms TTL=64
    Reply from 192.168.100.100: bytes=32 time=364ms TTL=64

    Ping statistics for 192.168.100.100:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 362ms, Maximum = 366ms, Average = 363ms

Trace the route to an Internet host:

    C:\Users\Admin>tracert yahoo.com

    Tracing route to yahoo.com [69.147.114.224]
    over a maximum of 30 hops:

      1   331 ms   331 ms   330 ms  10.8.0.1
      2   330 ms   330 ms   330 ms  vpsl1-026.vpslink.com [66.249.15.63]
      3   331 ms   331 ms   331 ms  po1-br0-tuk.wa.spry.com [64.79.223.1]
      4   332 ms   331 ms   331 ms  cr1-tuk-g1-24.bb.spectrumnet.us [216.243.28.129]
      5   331 ms   331 ms   331 ms  cr2-sea-B-pc1.bb.spectrumnet.us [208.76.184.69]
      6   331 ms   331 ms   331 ms  six.yahoo.com [206.81.80.98]
      7   424 ms   423 ms   422 ms  so-2-1-0.pat1.dce.yahoo.com [216.115.96.29]
      8   425 ms   459 ms   445 ms  ae2-p140.msr1.re1.yahoo.com [216.115.108.57]
      9   425 ms   426 ms   431 ms  gi1-22.bas-a1.re3.yahoo.com [68.142.238.65]
     10   423 ms   424 ms   423 ms  b1.www.vip.re3.yahoo.com [69.147.114.224]

    Trace complete.

This output clearly shows that my gateway is now 10.8.0.1. After testing, I connected X-Lite and it connects through the VPN, whereas it couldn't connect without the VPN.

Maybe this is helpful for you.

Saif ur Rab http://saifurab.blogspot.com