OpenVPN over Virtual Private Server (VPS)
I have been trying to learn Asterisk and as many of you know about that main Service Povider has blocked the voice ports in Pakistan. Therefore, we cannot connect to asterisk servers through xlite, 3cx or through any other softphone.
Since, I have done couple of very basic projects to setup asterisk servers for my clients. Therefore, I need to have some sort of setup to connect to their asterisk servers.
So, one theoretical concept that came in my mind that I can purchase a Virtual Private Server-VPS (Which obviously very cheap $20/month) and install a VPN server and connect to my machine (laptop) to that VPN server. Through that server, I will be the part of their network and then I would be to connect my softphone to any VoIP/Asterisk server
Environment:
Virtual Private Server (VPS)
- Purchased from: http://vpslink.com/
- OS: CentOS
- IP Address: 64.79.205.xxx
- Virtualization Platform: OpenVZ
- VPN Server: OpenVPN
My fresh server ip configuration
# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:34 errors:0 dropped:0 overruns:0 frame:0
TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3101 (3.0 KiB) TX bytes:3101 (3.0 KiB)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-0000-00
inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:30678 errors:0 dropped:0 overruns:0 frame:0
TX packets:29616 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3556848 (3.3 MiB) TX bytes:4822295 (4.5 MiB)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:64.79.205.xx P-t-P:64.79.205.xx Bcast:64.79.205.xx Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
Client Machine:
- Laptop
- OS: Windows Vista Business
- VPN Client: OpenVPN client for Windows
Scenario:
Server IP Address: 64.79.205.xxx
Server Network: 192.168.100.x/24
Client Network: 192.168.1.x/24
Tunnel: 10.8.0.0/30
Installation of OpenVPN server
# wget <http://openvpn.net/release/openvpn-2.1_rc20.tar.gz>
# tar xzf openvpn-2.1_rc20.tar.gz
# cd openvpn-2.1_rc20
# yum install openssl ## Install openssl if it is not installes
# ./configure --disable-lzo
# make && make install
# cd openvpn
You will find easy-rsa in openvpn extracted distribution. What I did, I created a directory openvpn in /etc and copied all files from openvpn-[version]/easy-rsa to /etc/openvpn
# mkdir /etc/openvpn
# cp -r /[path]/openvpn-[version]/easy-rsa/* /etc/openvpn
then I executed following from /etc/openvpn
# cd /etc/openvpn
# . ./vars
# ./clean-all
# ./build-ca
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key' -----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-—-
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:LINUX-ANGELS
Email Address [me@myhost.mydomain]:saifurab@gmail.com.
Note that in the above sequence, most queried parameters were defaulted to the values set in the vars. The only parameter which must be explicitly entered is the Common Name. In the example above, I used “LINUX-ANGELS”.
Generate certificate & key for server
Next, we will generate a certificate and private key for the server.
./build-key-server server
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter “server”.
Two other queries require positive responses,
“Sign the certificate? [y/n]”
and “1 out of 1 certificate requests certified, commit? [y/n]”.
Generate certificates & keys for 3 clients
Generating client certificates is very similar to the previous step.
./build-key client1
./build-key client2
./build-key client3
Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. “client1”, “client2”, or “client3”. Always use a unique common name for each client.
Generate Diffie Hellman parameters
Diffie Hellman parameters must be generated for the OpenVPN server. On Linux/BSD/Unix:
./build-dh
Output:
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
……………..+…………………………………….
……………….+………….+……………..+………
………………………………..
Key Files
Now we will find our newly-generated keys and certificates in the /etc/openvpn/keys subdirectory. Here is an explanation of the relevant files:
ca.crt, ca.key, dh{n}.pem, server.crt, server.key, client1.crt,client1.key, client2.crt,
client2.key, client3.crt, client3.key
After key generation find sample-config-files in distribution files and copy server.conf to /etc/openvpn
Server Configuration File
grep -v # /etc/openvpn/server.conf | grep -v ^$
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push “route 192.168.100.0 255.255.255.0”
client-config-dir ccd
push “redirect-gateway def1 bypass-dhcp”
push “dhcp-option DNS 64.79.200.111”
push “dhcp-option DNS 64.79.200.113”
client-to-client
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
Client Configuration
Download openVPN client for windows through google search and install it on your vista machine. Suppose we are setting up client for client1 certificates.
Assume that we are on vista machine for client1
copy ca.crt, client1.crt, client1.csr, client1.key in [Drivr]:Program FilesOpenVPNconfig
And configure client.ovpn file. See sample file
client
dev tun
proto udp
remote VPN Server IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
verb 3
FEW MORE THINGS ON SERVER:
-
We have to create virtual interface for private IPs. In my case I assigned 192.168.100.100 IP to my server. And I have created a copy of ifcfg-venet0:0 as ifcfg-venet0:1,
# cat /etc/sysconfig/network-scripts/ifcfg-venet0:1
DEVICE=venet0:1IPADDR=192.168.100.100
NETMASK=255.255.255.0 -
When I tried to rung openvpn server on my openVZ platform then I got this error
Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)
Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Cannot open TUN/TAP dev /dev/tun0: No such file or directory (errno=2)
Solution
- Enter mkdir -p /dev/net
- Enter mknod /dev/net/tun c 10 200
- Enter chmod 600 /dev/net/tun
- Enter cat /dev/net/tun to test whether the TUN/TAP device is available:
- If you receive the message cat: /dev/net/tun: File descriptor in bad state your TUN/TAP device is ready for use
- If you receive the message cat: /dev/net/tun: No such device the TUN/TAP device was not successfully created
- We have to enable ip_forwarding and enable NAT by the command below. Masquerade will not work in VPS
# iptables -t nat -A POSTROUTING -j SNAT –to 64.79.205.xx
Run OpenVPN server
# openvpn server.conf
Fri Nov 27 10:10:28 2009 OpenVPN 2.1_rc20 i686-pc-linux-gnu [SSL] [EPOLL] built on Nov 11 2009
Fri Nov 27 10:10:28 2009 NOTE: OpenVPN 2.1 requires ‘–script-security 2’ or higher to call user-defined scripts or executables
Fri Nov 27 10:10:31 2009 Diffie-Hellman initialized with 1024 bit key
Fri Nov 27 10:10:32 2009 TLS-Auth MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Nov 27 10:10:32 2009 ROUTE default_gateway=191.255.255.1
Fri Nov 27 10:10:32 2009 TUN/TAP device tun0 opened
Fri Nov 27 10:10:32 2009 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Fri Nov 27 10:10:32 2009 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri Nov 27 10:10:32 2009 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Fri Nov 27 10:10:32 2009 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Fri Nov 27 10:10:32 2009 Socket Buffers: R=[135168->131072] S=[135168->131072]
Fri Nov 27 10:10:32 2009 UDPv4 link local (bound): [undef]:1194
Fri Nov 27 10:10:32 2009 UDPv4 link remote: [undef]
Fri Nov 27 10:10:32 2009 MULTI: multi_init called, r=256 v=256
Fri Nov 27 10:10:32 2009 IFCONFIG POOL: base=10.8.0.4 size=62
Fri Nov 27 10:10:32 2009 IFCONFIG POOL LIST
Fri Nov 27 10:10:32 2009 LINUX-ANGELS,10.8.0.4
Fri Nov 27 10:10:32 2009 LINUX-ANGELS,10.8.0.8
Fri Nov 27 10:10:32 2009 Initialization Sequence Completed
Run OpenVPN Client in windows Vista
- Execute openVPN GUI as administrator.
- You will see an icon on tray. Right click it and click Connect
Now observe client and server
See ifconfig at server
# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:34 errors:0 dropped:0 overruns:0 frame:0
TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3101 (3.0 KiB) TX bytes:3101 (3.0 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:11 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:924 (924.0 b) TX bytes:0 (0.0 b)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:31319 errors:0 dropped:0 overruns:0 frame:0
TX packets:30110 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3608634 (3.4 MiB) TX bytes:4883925 (4.6 MiB)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:64.79.205.xx P-t-P:64.79.205.xx Bcast:64.79.205.xx Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
venet0:1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.100.100 P-t-P:192.168.100.100 Bcast:192.168.100.255 Mask:255.255.255.0
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
See different outputs at Client
Ping_ _tun0
C:UsersAdmin>ping 10.8.0.1
Pinging 10.8.0.1 with 32 bytes of data:
Reply from 10.8.0.1: bytes=32 time=363ms TTL=64
Reply from 10.8.0.1: bytes=32 time=363ms TTL=64
Reply from 10.8.0.1: bytes=32 time=363ms TTL=64
Reply from 10.8.0.1: bytes=32 time=363ms TTL=64
Ping statistics for 10.8.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 363ms, Maximum = 363ms, Average = 363ms
Ping OpenVPN server private IP
C:UsersAdmin>ping 192.168.100.100
Pinging 192.168.100.100 with 32 bytes of data:
Reply from 192.168.100.100: bytes=32 time=363ms TTL=64
Reply from 192.168.100.100: bytes=32 time=362ms TTL=64
Reply from 192.168.100.100: bytes=32 time=366ms TTL=64
Reply from 192.168.100.100: bytes=32 time=364ms TTL=64
Ping statistics for 192.168.100.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 362ms, Maximum = 366ms, Average = 363ms
C:UsersAdmin>tracert yahoo.com
Tracing route to yahoo.com [69.147.114.224]
over a maximum of 30 hops:
1 331 ms 331 ms 330 ms 10.8.0.1
2 330 ms 330 ms 330 ms vpsl1-026.vpslink.com [66.249.15.63]
3 331 ms 331 ms 331 ms po1-br0-tuk.wa.spry.com [64.79.223.1]
4 332 ms 331 ms 331 ms cr1-tuk-g1-24.bb.spectrumnet.us [216.243.28.129]
5 331 ms 331 ms 331 ms cr2-sea-B-pc1.bb.spectrumnet.us [208.76.184.69]
6 331 ms 331 ms 331 ms six.yahoo.com [206.81.80.98]
7 424 ms 423 ms 422 ms so-2-1-0.pat1.dce.yahoo.com [216.115.96.29]
8 425 ms 459 ms 445 ms ae2-p140.msr1.re1.yahoo.com [216.115.108.57]
9 425 ms 426 ms 431 ms gi1-22.bas-a1.re3.yahoo.com [68.142.238.65]
10 423 ms 424 ms 423 ms b1.www.vip.re3.yahoo.com [69.147.114.224]
Trace complete.
This output clearly shows that now my gateway is 10.8.0.1. After testing I have connected X-Lite for it gets connected through VPN which couldn’t connect without VPN.
May be this is helpful for you
Saif ur Rab http://saifurab.blogspot.com