Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
#1 | 04-14-2010, 10:44 PM | slacker_et | Member | Registered: Dec 2009 | Distribution: Slackware | Posts: 108
Use OpenVPN to connect to home network ?
I have a network that consists of a few desktop machines, laptops, and two Internet connected linux servers. The Linux servers are the gateways, routers, and firewalls for my desktop and laptop machines.
Whenever I'm away from home, I can connect to my home machines over the Internet by first ssh'ing (technically I use Webmin, because the firewall on each Linux server blocks ssh from the Internet) to one of the linux servers and then ssh'ing to the desired machine on my home network.
This works fine for my home linux machines. But not my Windows machines.
I'd like to be able to rdp or rdesktop to my Windows machines.
Will OpenVPN allow me to accomplish this ?
Is there a simpler solution ?
Thanks;
ET
#2 | 04-15-2010, 03:24 AM | Senior Member | Registered: May 2009 | Location: london | Distribution: centos5 | Posts: 1,137
Quote: Originally Posted by slacker_et
I have a network that consists of a few desktop machines, laptops, and two Internet connected linux servers. The Linux servers are the gateways, routers, and firewalls for my desktop and laptop machines.
Whenever I'm away from home, I can connect to my home machines over the Internet by first ssh'ing (technically I use Webmin, because the firewall on each Linux server blocks ssh from the Internet) to one of the linux servers and then ssh'ing to the desired machine on my home network.
This works fine for my home linux machines. But not my Windows machines.
I'd like to be able to rdp or rdesktop to my Windows machines.
Will OpenVPN allow me to accomplish this ?
Is there a simpler solution ?
Thanks;
ET
You can accomplish what you desire using openvpn, yes.
But you can also accomplish it by using simple port forwarding on the gateway machine,
either iptables or pbnc, which does the forwarding at network rather than kernel level.
Out of the 2 methods, pbnc is probably easiest to get going:
http://duncanthrax.net/pbnc/
1 member found this post helpful.
#3 | 04-15-2010, 03:25 AM | Member | Registered: Aug 2006 | Posts: 601
You can also set up an ssh tunnel. So you can still get to your m$ windows machine.
However this is rather a clumsy solution.
OpenVPN can perfectly accomplish this.
Open port 1194 on your fw, forward it to your openvpn server and set up the client and server config.
Make sure you have the correct routes on your network.
In the end setting up openvpn is not that hard.
1 member found this post helpful.
#4 | 04-15-2010, 07:45 AM | Senior Member | Registered: Feb 2003 | Location: CT | Distribution: Debian PPC/i386/AMD64 5.0(Lenny), Vista, XP , WIN7, Server 03/08 | Posts: 1,270
If I may make a recommendation, I would open SSH on your gateways and close off Webmin, as it is a greater security risk in most people's eyes than SSH. That said, OpenVPN would work; it would provide you a means to make it look like your machine was on your local LAN or connected to your LAN by a direct router instead of over the Internet. This would let you access any resources like you were in your house. You can, as someone mentioned, also accomplish this with SSH tunneling: just have a tunnel set up so localhost:someport gets sent over the SSH connection to the remote machine windowsmachine:3984. Then you RDP to localhost:someport and get an encrypted connection to your Windows machine. I have OpenVPN and SSH set up at my work and will use SSH tunneling to occasionally access a machine on a public machine because I only need PuTTY.
1 member found this post helpful.
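The two routes to an RDP session that posts #2 and #4 describe, side by side, as an added example that is not code from the thread: a DNAT rule set on the Linux gateway (post #2's iptables option) and an SSH local port forward (the tunnel in posts #3 and #4). RDP listens on TCP 3389 by default. The interface name, addresses, hostnames and ports are made up. The DNAT version exposes the Windows machine's RDP service to whatever source network the rule allows, so the generator insists on an explicit source instead of forwarding from anywhere; the SSH version exposes nothing on the gateway beyond sshd, binds the listener to 127.0.0.1 on the laptop only, and carries the RDP traffic inside the SSH session.

```shell
#!/bin/sh
# Added example (not from the thread). Two ways to reach an RDP host behind the
# Linux gateway: iptables DNAT on the gateway, or an SSH local port forward.
# Interface name, IPs, hostnames and ports below are made up.
set -u

is_port() {            # 1..65535, digits only
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_ipv4() {            # dotted quad with every octet <= 255
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

is_cidr() {            # a.b.c.d or a.b.c.d/0-32
    is_ipv4 "${1%%/*}" || return 1
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && return 0          # no "/": a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ]
}

# Option 1 (post #2): forward <ext-port> on the WAN interface to <lan-host>:<lan-port>,
# but only from <allowed-src>. Prints the rules; pipe to sh to apply them.
# Assumes the box already routes (net.ipv4.ip_forward=1) and masquerades the LAN.
dnat_rules() {         # dnat_rules <wan-if> <ext-port> <lan-host> <lan-port> <allowed-src>
    wan=$1 eport=$2 host=$3 lport=$4 src=$5
    is_port "$eport" && is_port "$lport" && is_ipv4 "$host" && is_cidr "$src" || return 2
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan" "$src" "$eport" "$host" "$lport"
    printf 'iptables -A FORWARD -i %s -s %s -p tcp -d %s --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$wan" "$src" "$host" "$lport"
    printf 'iptables -A FORWARD -o %s -p tcp -s %s --sport %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$wan" "$host" "$lport"
}

# Option 2 (posts #3 and #4): SSH local forward. The listener is bound to 127.0.0.1 on
# the laptop; RDP then goes to localhost:<local-port> (e.g. rdesktop localhost:13389).
# Needs sshd reachable on the gateway and AllowTcpForwarding permitted there.
# Set SSH_DRY_RUN=1 to print the command instead of running it.
ssh_rdp_forward() {    # ssh_rdp_forward <user@gateway> <lan-winhost> [local-port]
    gw=$1 winhost=$2 lport=${3:-3389}
    is_port "$lport" && is_ipv4 "$winhost" || return 2
    set -- ssh -N -f -o ExitOnForwardFailure=yes -L "127.0.0.1:$lport:$winhost:3389" "$gw"
    if [ "${SSH_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Demo on made-up values: RDP from one remote /24 only, and the SSH alternative.
dnat_rules eth0 3389 192.168.1.20 3389 203.0.113.0/24
SSH_DRY_RUN=1
ssh_rdp_forward et@gateway.example.home 192.168.1.20 13389
```

The generator refuses out-of-range ports, malformed addresses and bad prefixes rather than emitting a half-valid rule set; a DNAT rule from `0.0.0.0/0` would put the RDP login prompt on the Internet, which is the trade-off post #2's shortcut carries and the tunnel avoids.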
#5 | 04-16-2010, 10:20 PM | slacker_et | Member | Original Poster | Registered: Dec 2009 | Distribution: Slackware | Posts: 108
Thanks everyone for the suggestions.
I've been trying to setup openvpn for the past two nights.
But it's failing miserably. I can't build a certificate.
The build-ca script (actually openssl) is failing with a common error.
BUT it's an error that no one appears to have a viable solution for.
Running build-ca results in:
Code:
+ cd /usr/doc/openvpn-2.0.9/easy-rsa/keys
+ openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt -config /usr/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
error on line 37 of /usr/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
21561:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 37
I've searched through several pages of a Google search. And all the results either don't have any answers or they state to comment out the "pkcs11_section". And my openssl.cnf doesn't have a "pkcs11_section" or any section remotely resembling it.
And there's only one thread on linuxquestions about the same issue. And it's been unanswered for quite a while.
Time to try something else I guess 
--ET
#6 | 04-17-2010, 06:08 AM | Member | Registered: Aug 2006 | Posts: 601
Did you do this first?
Code:
. ./vars
What's on line 37 in /usr/doc/openvpn-VERSION/easy-rsa/openssl.cnf?
Quote:
Time to try something else I guess
Well, as this is a very common piece of software I would believe it should work.
So I would try some more.
1 member found this post helpful.
#7 | 04-17-2010, 06:21 AM | catkin | LQ 5k Club | Registered: Dec 2008 | Location: Tamil Nadu, India | Distribution: Debian Squeeze (server), Slackware 13.37 (netbook), Slackware64 14.0 (desktop) | Posts: 8,357
The files under /usr/doc are samples; the usual technique, following the HOWTO, is
Code:
cp -pR /usr/doc/openvpn-2.0.9/easy-rsa /etc/openvpn
Then edit /etc/openvpn/easy-rsa/vars, setting the following to suit your installation:
KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL. Then
Code:
. ./vars
./clean-all
./build-ca
The HOWTO is very good; the only thing I got wrong (apart from silly typos and forgetting to turn off the client's firewall for stage one testing) was choosing routed mode when bridged mode was better suited to the users.
1 member found this post helpful.
#8 | 04-17-2010, 06:43 AM | Member | Registered: Aug 2006 | Posts: 601
Quote:
Originally Posted by catkin
The files under /usr/doc are samples; the usual technique, following the HOWTO, is
Code:
cp -pR /usr/doc/openvpn-2.0.9/easy-rsa /etc/openvpn
Then edit /etc/openvpn/easy-rsa/vars, setting the following to suit your installation:
KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL. Then
Code:
. ./vars
./clean-all
./build-ca
The HOWTO is very good; the only thing I got wrong (apart from silly typos and forgetting to turn off the client's firewall for stage one testing) was choosing routed mode when bridged mode was better suited to the users.
If I recall correctly, using the clean-all script will delete the contents of the keys directory. So be careful with it.
The howto is indeed good.
Do note that in your case you should go with routed and not bridged (this would also send the arp requests, ... over the tunnel). There are only some rare cases where this should be used.
1 member found this post helpful.
#9 | 04-17-2010, 04:35 PM | slacker_et | Member | Original Poster | Registered: Dec 2009 | Distribution: Slackware | Posts: 108
Thanks all. I've managed to progress a little further.
Yes I did run " . ./vars". But I still had to define some of those variables in clean-all and build-ca.
I've managed to build all the keys and certs. And have copied them to /etc/openvpn/keys and /etc/openvpn/certs.
I'm now working on trying to get openvpn running. After several failed attempts and fixes, here is my latest attempt:
Code:
Sat Apr 17 17:27:57 2010 OpenVPN 2.0.9 i486-slackware-linux [SSL] [LZO] [EPOLL] built on Jun 11 2007
Sat Apr 17 17:27:57 2010 WARNING: --keepalive option is missing from server config
Sat Apr 17 17:27:57 2010 Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Sat Apr 17 17:27:57 2010 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Sat Apr 17 17:27:57 2010 Cannot allocate TUN/TAP dev dynamically
Sat Apr 17 17:27:57 2010 Exiting
--ET
#10 | 04-18-2010, 04:58 AM | Member | Registered: Aug 2006 | Posts: 601
Is tun support compiled into your kernel?
Normally it is a module called "tun".
I think this is what you need in your kernel config.
Code:
CONFIG_TUN=m
You can check the config in different ways.
Mostly the config is compiled into the running kernel.
Code:
zcat /proc/config.gz | grep CONFIG_TUN
1 member found this post helpful.
#11 | 04-18-2010, 09:30 AM | slacker_et | Member | Original Poster | Registered: Dec 2009 | Distribution: Slackware | Posts: 108
No tun is not compiled into my kernel.
But loading the module solved that problem.
So I now have the openvpn server running.
Now I am working on getting a client to connect.
And it's failing.
When using UDP protocol; on the server I'm getting:
Code:
Sun Apr 18 10:02:08 2010 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Apr 18 10:02:08 2010 TLS Error: incoming packet authentication failed from 10.0.0.101:51878
And when using TCP protocol; on the server I'm getting:
Code:
Sun Apr 18 10:16:33 2010 TCP connection established with 10.0.0.101:48414
Sun Apr 18 10:16:33 2010 TCPv4_SERVER link local: [undef]
Sun Apr 18 10:16:33 2010 TCPv4_SERVER link remote: 10.0.0.101:48414
Sun Apr 18 10:16:33 2010 10.0.0.101:48414 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Apr 18 10:16:33 2010 10.0.0.101:48414 TLS Error: incoming packet authentication failed from 10.0.0.101:48414
Sun Apr 18 10:16:33 2010 10.0.0.101:48414 Fatal TLS error (check_tls_errors_co), restarting
The client's openvpn log file displays similar messages.
I'm assuming my keys and/or certs are messed up.
BUT the instructions have had me create so many keys and certs; I've lost track of what goes where.
--ET
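What the easy-rsa scripts in posts #7 and #8 do, reduced to the underlying openssl calls, followed by the two checks that answer post #11's "what goes where". This is an added example, not code from the thread or from the OpenVPN project; the CA name, hostnames and file names are made up, and openssl has to be on the PATH. Two facts frame it. First, easy-rsa's openssl.cnf takes its subject fields from `$ENV::KEY_*` variables, which is why `. ./vars` has to be sourced in the same shell that runs build-ca; "variable has no value", as in post #5, is what openssl reports when an `$ENV::` variable named in the config is unset. Second, the "packet HMAC authentication failed" / "incoming packet authentication failed" pair in post #11 is raised by the tls-auth HMAC check, which runs before any certificate is examined, so it points at ta.key (the same file must be on both sides, with key-direction 0 on the server and 1 on the client) or at a different `auth` digest on each side, not at the certificates. The certificate checks below are still worth running once the files have been shuffled around: each side needs exactly ca.crt plus its own cert and key, the server additionally needs the build-dh output (dh1024.pem), and a key that does not match its cert, or a cert from the wrong CA, fails the TLS handshake later with a less direct error.

```shell
#!/bin/sh
# Added example (not from the thread). The openssl calls behind easy-rsa's
# build-ca / build-key, plus checks that the right cert, key and CA go together.
# CA name, hostnames and file names are made up; needs openssl on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {            # make_ca <dir> <cn>: self-signed CA (what build-ca does)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=$2" >/dev/null 2>&1
}

make_signed_cert() {   # make_signed_cert <dir> <name> <cn>: key + CSR, signed by the CA (build-key)
    openssl req -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 3650 -out "$1/$2.crt" >/dev/null 2>&1
}

# Check 1: does this cert chain to the ca.crt that the *other* side trusts?
cert_signed_by_ca() {  # cert_signed_by_ca <ca.crt> <cert.crt>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does this private key belong to this cert? (same RSA modulus)
key_matches_cert() {   # key_matches_cert <cert.crt> <key.key>
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Demo: one CA, a server cert and a client cert, plus an unrelated CA to show check 1 failing.
make_ca "$WORK" "Home VPN CA"
make_signed_cert "$WORK" server "vpn.example.home"
make_signed_cert "$WORK" laptop "laptop"
mkdir "$WORK/other"
make_ca "$WORK/other" "Someone else's CA"

# Server gets ca.crt server.crt server.key; the laptop gets ca.crt laptop.crt laptop.key.
cert_signed_by_ca "$WORK/ca.crt" "$WORK/laptop.crt"       && echo "laptop.crt: signed by our CA"
cert_signed_by_ca "$WORK/other/ca.crt" "$WORK/laptop.crt" || echo "laptop.crt: NOT signed by the other CA (expected)"
key_matches_cert "$WORK/laptop.crt" "$WORK/laptop.key"    && echo "laptop.key: matches laptop.crt"
key_matches_cert "$WORK/laptop.crt" "$WORK/server.key"    || echo "server.key: does NOT match laptop.crt (mix-up caught)"
```

Run the two checks against the files actually copied into /etc/openvpn on each machine; a ta.key mismatch is caught more simply by comparing `md5sum ta.key` on both ends.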
#12 | 04-18-2010, 12:25 PM | slacker_et | Member | Original Poster | Registered: Dec 2009 | Distribution: Slackware | Posts: 108
Got it working; sort of.
I added these two lines to the end of the config files on both the server and client:
Code:
auth none
cipher none
The connection worked.
Next I tried restarting both server and client WITHOUT the " cipher none".
A connection then also worked.
Next I tried restarting both the server and client WITHOUT the " auth none".
Putting me right back where I started.
BUT the connection STILL worked ! That doesn't make sense !
Anyways; now I'm at the point of configuring my firewall.
--ET
#13 | 04-18-2010, 01:51 PM | Member | Registered: Aug 2006 | Posts: 601
You can take this as an example client config:
Code:
proto udp
dev tun
remote yourserver.com # host to connect to
tls-client
ns-cert-type server   # refuse a peer that presents a client cert as the server
#tls-auth keys/ta.key 1   # second argument is the key direction; the server side uses 0
ca keys/ca.crt
cert keys/youruser.crt
key keys/youruser.key
pull # this will execute the "push" options shown in the server config.
port 1194
user root
group root
ping 15
verb 5
log-append /var/log/openvpn/openvpn.log
status /var/log/openvpn/status.log
#persist-key
#persist-tun
#comp-lzo
cipher AES256
So you need 3 files to start it.
You can also generate a Diffie-Hellman file and a tls-auth key.
This improves security.
I would go step by step until it works.
I would recommend using UDP as it gives less overhead.
1 member found this post helpful.
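The weak settings post #12 added and the hardening post #13 points at, as an added example that is not code from the thread or from OpenVPN: a small linter that flags them in a client config, run over a constructed copy of the post #12 config beside a hardened one. Hostnames, paths and both sample files are made up. Two points are worth stating plainly. `auth none` switches off the packet HMAC, so it makes the "packet HMAC authentication failed" error go away by removing the check rather than by fixing the mismatch that caused it, and `cipher none` sends the tunnel payload in cleartext; neither belongs in a config that faces the Internet. `user root` / `group root` in the posted client config means OpenVPN keeps root after initialisation; `user nobody` / `group nobody` together with `persist-key` / `persist-tun` (so restarts still work after privileges are dropped) is the usual replacement, and an uncommented `tls-auth` line with the same ta.key on both sides makes the server drop packets from anyone who does not hold that key before they reach the TLS code.

```shell
#!/bin/sh
# Added example (not from the thread). Flags the weak settings post #12 used to get a
# connection up ("auth none", "cipher none") and the hardening post #13 recommends.
# The two sample configs are constructed; hostnames and paths are made up.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

has() { printf '%s\n' "$CFG" | grep -Eqi -- "$1"; }   # does the stripped config match?

# Print one finding per line; exit 1 if anything was found, 0 if clean.
lint_openvpn_conf() {   # lint_openvpn_conf <config-file>
    f=$1 rc=0
    # Drop comments and leading blanks so "#tls-auth ..." does not count as set.
    CFG=$(sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' "$f")
    if has '^auth[[:space:]]+none'; then
        echo "$f: 'auth none' disables the packet HMAC (no integrity check on the data channel, tls-auth ineffective)"; rc=1
    fi
    if has '^cipher[[:space:]]+none'; then
        echo "$f: 'cipher none' sends the tunnel payload in cleartext"; rc=1
    fi
    if ! has '^tls-auth[[:space:]]'; then
        echo "$f: no tls-auth: anyone who can reach the port gets to talk to the TLS stack"; rc=1
    fi
    if has '^(user|group)[[:space:]]+root'; then
        echo "$f: keeps root after init; use 'user nobody'/'group nobody' with persist-key and persist-tun"; rc=1
    fi
    if has '^(user|group)[[:space:]]+' && ! has '^(user|group)[[:space:]]+root' \
       && { ! has '^persist-key' || ! has '^persist-tun'; }; then
        echo "$f: drops privileges without persist-key/persist-tun, so a restart (SIGUSR1, ping-restart) cannot re-open key/tun"; rc=1
    fi
    return $rc
}

write_sample_configs() {   # write_sample_configs <dir>: constructed weak.conf and good.conf
    cat > "$1/weak.conf" <<'EOF'
# client config the way it ended up in post #12 (constructed)
client
dev tun
proto udp
remote vpn.example.home 1194
ca keys/ca.crt
cert keys/laptop.crt
key keys/laptop.key
#tls-auth keys/ta.key 1
user root
group root
auth none
cipher none
EOF
    cat > "$1/good.conf" <<'EOF'
# the same client, hardened (constructed)
client
dev tun
proto udp
remote vpn.example.home 1194
ca keys/ca.crt
cert keys/laptop.crt
key keys/laptop.key
ns-cert-type server          # refuse a client cert posing as the server
tls-auth keys/ta.key 1       # server side uses key-direction 0; same ta.key on both ends
auth SHA1                    # HMAC digest; must match on both sides
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
EOF
}

# Demo: weak.conf produces four findings, good.conf none.
write_sample_configs "$WORK"
for c in weak good; do
    if lint_openvpn_conf "$WORK/$c.conf"; then echo "$c.conf: clean"; fi
done
```

Point it at /etc/openvpn/*.conf on both the server and the laptop; the server-side config should pass the same checks with `tls-auth keys/ta.key 0` and a `dh` line.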
#14 | 04-19-2010, 07:41 AM | Senior Member | Registered: Feb 2003 | Location: CT | Distribution: Debian PPC/i386/AMD64 5.0(Lenny), Vista, XP , WIN7, Server 03/08 | Posts: 1,270
If I recall you use webmin, and there is an openVPN webmin module that you could use to help administer it; it may help.
1 member found this post helpful.
#15 | 04-19-2010, 12:33 PM | slacker_et | Member | Original Poster | Registered: Dec 2009 | Distribution: Slackware | Posts: 108
I'd like to say thanks to everyone for their suggestions, insights, and other help.
I eventually got the openvpn server running on one of my linux servers.
And I also set up a couple of the OSes on my laptop to function as openvpn clients.
I think what originally threw me off was two things.
First; I had three different windows on the linux server when setting up openvpn.
One for reading the READMEs, one for editing files, and another for entering commands.
I'm wondering if I may have run a few commands (i.e. . ./vars) in the wrong window.
Second; While following the README in the easy-rsa directory I created every key and cert it mentioned. And I probably mixed them up somewhere along the way.
I think in total I spent about 4 or 5 hours spread across three nights getting everything configured.
What I lack in efficiency I make up for in stubbornness.
--ET