LinuxQuestions.org
Old 03-31-2017, 09:30 AM   #1
trumpforprez
Member
 
Registered: Nov 2016
Location: UK
Distribution: Debian Jessie
Posts: 154

Rep: Reputation: Disabled
Tutorial for OpenVPN


Does anyone know of a tutorial which allows you to install OpenVPN successfully?

I've tried one from DigitalOcean and a tutorial from YouTube.
Neither of these worked.

To be honest, I don't understand the difference between 'host' and 'client'.
Is it possible to have OpenVPN on a Linux distro?

I have found somehow you need a compatible router. Is this correct?

Also, I registered with OpenVPN.net and opened a thread about difficulty installing the free version.
Some mod replied saying he could help if I paid for the service.
By the time I replied asking how much it would cost me, I found I was banned from the site!

I found maybe using a Raspberry Pi as a 'host' connected to my PC might work? Have I got that right?

I just don't understand why OpenVPN is so complicated and why there's a brick wall in finding help to use open source software.
I would be grateful if someone just explained this point at least.
 
Old 03-31-2017, 11:04 AM   #2
rtmistler
Moderator
 
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,318
Blog Entries: 13

Rep: Reputation: 4372
The host would be the server, which is a specific machine you've designated to provide services.

The client is a client machine which attaches to the server using a VPN session.

When you followed the guide from DigitalOcean, where did you have a problem? Also, what is different for your Linux distribution from the example used in that guide?
 
1 members found this post helpful.
Old 03-31-2017, 12:31 PM   #3
trumpforprez
Member
 
Registered: Nov 2016
Location: UK
Distribution: Debian Jessie
Posts: 154

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rtmistler
The host would be the server, which is a specific machine you've designated to provide services.

The client is a client machine which attaches to the server using a VPN session.

I see. So if I use a Pi as a host, I can then use my pc as a client.
The pc connects to the Pi, and the Pi as the host connects to the internet. Is that right?

Quote:
When you followed the guide from DigitalOcean, where did you have a problem? Also, what is different for your Linux distribution from the example used in that guide?

I'm pretty certain I followed it to the letter. But it didn't work.
However, I've just entered the last command on the tutorial, and I get this message:
Code:
/etc/init.d/openvpn restart
[ ok ] Restarting openvpn (via systemctl): openvpn.service.
Does this mean it's working?
Do I simply open FF browser and go to 'whatsmyip' to check?
Also, if it is working, what is the host and what is the client?
Sorry for all the dim questions.

Edit: I have just realised I've provided the wrong DigitalOcean link. I used the tutorial for Debian 8 (and not Debian 6 - which is the link on the original post).

The Debian 8 link is much more long-winded and it doesn't have that last command to start OpenVPN.

Nonetheless, how do I know the VPN is working?

Last edited by trumpforprez; 03-31-2017 at 12:44 PM.
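
One way to answer the "how do I know the VPN is working?" question in the post above, as an added example that is not part of the original thread: classify a client's `ip route` output to see whether a tunnel exists and whether ordinary browsing goes through it. It assumes a Linux client with iproute2 and a `tun` device; the function names and the sample routing tables are constructed for illustration.

```sh
#!/bin/sh
# vpn_route_state: reads `ip route` text on stdin and prints one of
#   down         no route uses a tun device (no tunnel is established)
#   tunnel-only  only VPN-side addresses use the tunnel, so a
#                "what is my IP" site still shows your normal address
#   full         the default route is covered by the tunnel
vpn_route_state() {
    awk '
        $0 ~ / dev tun[0-9]+/ {
            tun = 1
            if ($1 == "default")     def = 1
            # OpenVPN "redirect-gateway def1" adds this pair of /1 routes
            if ($1 == "0.0.0.0/1")   lo = 1
            if ($1 == "128.0.0.0/1") hi = 1
        }
        END {
            if (!tun)                   print "down"
            else if (def || (lo && hi)) print "full"
            else                        print "tunnel-only"
        }'
}

# Constructed `ip route` samples (all addresses are placeholders).
routes_no_vpn() { cat <<'EOF'
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
EOF
}
routes_split() { cat <<'EOF'
default via 192.168.1.1 dev eth0
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
EOF
}
routes_redirected() { cat <<'EOF'
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
203.0.113.10 via 192.168.1.1 dev eth0
EOF
}

for s in routes_no_vpn routes_split routes_redirected; do
    printf '%-18s %s\n' "$s" "$($s | vpn_route_state)"
done
```

On a live client the same check is `ip route | vpn_route_state`.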
 
Old 03-31-2017, 12:55 PM   #4
rtmistler
Moderator
 
Registered: Mar 2011
Location: USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu, Debian
Posts: 9,318
Blog Entries: 13

Rep: Reputation: 4372
For testing purposes, using your Pi as a host and your PC as a client is fine. Ultimately you need a server somewhere else on the Internet for it to be of any use.

The whole point of a VPN is that the client would be treated as if it was "on" the network where the server is, but these two systems would be separated by the Internet.

Say you work for a company. It is some distance from your home. While at work, your PC there would be on the work network, because it is plugged in, or attached to your company's private WIFI network. When at home, (say your PC is a laptop) your PC would not be attached to your work network because of distance. But you can establish a VPN (Virtual Private Network) which is the same thing as a network tunnel between your home, where your PC is a client, and your work. However at work you would need a server to host the VPN service so that you could attach to it from your home.

Doing it as you describe is fine for testing, and will establish a private network between your PC and your Raspberry Pi, however all equipment is local and besides the "A-Ha!" moment that you got it to work, it is of no real use.

This means that your options then become:
  1. You find servers out there which you can attach to using your home PC, and they are useful to you
  2. You "host" a VPN using your Pi, which means that when you aren't home you can access your home network by attaching a VPN tunnel between your laptop computer and the Pi, which resides at your home location.
You either can benefit by being able to attach to your home network, or there is no real need or benefit.
 
1 members found this post helpful.
Old 03-31-2017, 01:07 PM   #5
Rickkkk
Senior Member
 
Registered: Dec 2014
Location: Montreal, Quebec and Dartmouth, Nova Scotia CANADA
Distribution: Arch
Posts: 1,253

Rep: Reputation: 467
Excellent explanation of the fundamental use for, and workings of, a VPN, by rtmistler in post #4.
 
Old 03-31-2017, 04:40 PM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,148
Blog Entries: 4

Rep: Reputation: 3232
Here are some basics:

OpenVPN in tunnel-mode fundamentally acts as a secure, software-implemented, "TCP/IP Router." It normally communicates with its peers using UDP port 1192. (Which is not a TCP/IP "socket" and which therefore doesn't show up on any scan.)

Your OpenVPN process must of course be able to receive traffic sent to it from the internet, so your [physical] router must provide "port forwarding" to send incoming UDP/1192 traffic to the OpenVPN machine on your network.

So, the first order of business is to make sure that the various machines can, in fact, send UDP packets to one another. You can't read the packets, of course, but you can see them coming and going. (Commands such as nc are great ... if you want to generate packets and listen for 'em, this tiny little tool is a great big help.)

- - -

Usually, "client" machines connect to a "server" which basically acts as "a common 'machine for everyone else to connect to.'"

- - -

The next order of business is the TCP/IP addresses that will be traveling into and out of this router. (This is fundamentally true for any router.)

OpenVPN reserves one range of addresses, usually 10.8.0.x for itself. The server machine, and every client machine that is directly connected to it, will be assigned an IP-address from this range (by OpenVPN itself), and if you are running a client yourself, traffic for your machine will use such an address. (Because your computer's physical address is being used to refer to your OpenVPN client.) Traffic originating from the server or from any other directly-connected client will also use this address pool. These packets will therefore be seen on your local network (subnet).

Meanwhile, if the server or any connected client exposes a subnet that you are entitled to address, the IP-address ranges used by other computers on that subnet may also show up on your local network.

The "gateway" that must be used by all of these addresses – in order for them to get back home – is the (physical) IP-address of your OpenVPN client. (Or, the other-client that serves your subnet.) Therefore, all such addresses and 10.8.0.x must somehow be directed back to your OpenVPN machine "as a gateway."

This is often accomplished simply by setting up static routes on your router, covering each of these address ranges and specifying your OpenVPN machine as the gateway. (For this reason, you set up the router to assign a known IP-address to your machine within your network.)

(Actually, I'm going to assume that your computers are not "exposing subnets behind themselves," which would necessitate a talk about "ccd files and iroute," and I see that your eyes have glazed-over already.)

- - -

traceroute is your best friend, along with a packet-sniffer like tcpdump or Wireshark. You must see the encrypted packets going and coming. You must also verify, from each subnet, that there is a successful route to and back again from all other subnets. The routing at each location must be correct.

(If traceroute starts spitting "rows of asterisks," you're missing a return route at that "hop." The traffic gets there but can't get home.)

Both the client and the server will automatically take care of issuing route commands upon themselves, in order to cause traffic to be sent to the virtual tunx device which is the actual portal into the OpenVPN process. But they do not do anything about the rest of your network(s).

- - -

Security throughout should be by means of certificates. Do not(!) use "PSKs == Pre-Shared Keys == Passwords!"

The server's certificate should be marked as being a "server certificate."

You should also use tls-auth which allows your clients to give a recognition-signal to the server to cause it to reply to them. Any connection-request that does not bear this will be silently dropped. This makes your OpenVPN server invisible(!) to the prying public, and also saves system resources. (It takes almost nothing-at-all to "drop a packet.")

Yeah, it can be a little tricky at first to get the two sides to connect: look at the system logs on each side. (The two parties are designed to "give no help nor information whatsoever ... not one single miserable clue" to any invalid connection attempt.)

- - -

I have written additional and more-detailed posts here on LQ, as have others. Look on the Networking, Security, and Server forums – or just use Super Search.

Last edited by sundialsvcs; 03-31-2017 at 04:53 PM.
 
1 members found this post helpful.
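
The certificate, server-certificate and tls-auth advice in post #6 can be checked mechanically. The script below is an added example, not part of the original thread: it audits a client config for those points using OpenVPN's own directive names (`tls-crypt` is accepted in place of `tls-auth`), with two constructed sample configs whose host and file names are placeholders.

```sh
#!/bin/sh
# has_directive FILE NAME [VALUE]: true if NAME (or an inline <NAME> block)
# is an active directive, optionally with VALUE as its first argument.
has_directive() {
    awk -v d="$2" -v v="$3" '
        { sub(/[#;].*/, "") }    # comments start with # or ;
        ($1 == d || $1 == "<" d ">") && (v == "" || $2 == v) { found = 1 }
        END { exit !found }' "$1"
}

flag() { echo "FAIL: $1"; findings=$((findings + 1)); }

# audit_conf FILE: print one FAIL line per problem; succeeds only if clean.
audit_conf() {
    conf=$1; findings=0
    if has_directive "$conf" secret; then
        flag "static pre-shared key ('secret') in use; switch to certificates"
    fi
    for d in ca cert key; do
        has_directive "$conf" "$d" || flag "missing '$d' for certificate-based TLS"
    done
    if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
        flag "no tls-auth/tls-crypt: unsigned packets are not dropped early"
    fi
    if has_directive "$conf" client &&
       ! has_directive "$conf" remote-cert-tls server; then
        flag "client does not require a server certificate (remote-cert-tls server)"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample client configs (host and file names are placeholders).
weak_conf() { printf '%s\n' client 'dev tun' 'proto udp' \
    'remote vpn.example.net' 'secret static.key'; }
hardened_conf() { printf '%s\n' client 'dev tun' 'proto udp' \
    'remote vpn.example.net' 'ca ca.crt' 'cert client1.crt' \
    'key client1.key' 'remote-cert-tls server' 'tls-auth ta.key 1'; }

tmp=$(mktemp -d)
weak_conf > "$tmp/weak.conf"; hardened_conf > "$tmp/hardened.conf"
for c in weak hardened; do
    echo "== $c.conf"
    if audit_conf "$tmp/$c.conf"; then echo "OK"; fi
done
rm -rf "$tmp"
```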
Old 04-01-2017, 07:17 AM   #7
trumpforprez
Member
 
Registered: Nov 2016
Location: UK
Distribution: Debian Jessie
Posts: 154

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rtmistler
Doing it as you describe is fine for testing, and will establish a private network between your PC and your Raspberry Pi, however all equipment is local and besides the "A-Ha!" moment that you got it to work, it is of no real use.

So OpenVPN is of 'no real use'?
I thought it would offer secure browsing for users.
 
Old 04-01-2017, 07:28 AM   #8
trumpforprez
Member
 
Registered: Nov 2016
Location: UK
Distribution: Debian Jessie
Posts: 154

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by sundialsvcs
I have written additional and more-detailed posts here on LQ, as have others. Look on the Networking, Security, and Server forums or just use Super Search.

Thanks, I'll do that.

There are helpful tutorials out there for people to use OpenVPN. There's a short tutorial for Debian 6 and a long tutorial for Debian 8.
I tried the latter tutorial but it hasn't worked for me.
There are YouTube tutorials too.

You can get routers with OpenVPN pre-installed such as DD-WRT.
 
  

