
Thread: Tutorial - OpenVPN client the right way, one click with gopenvpn

  1. #1
    Join Date
    Dec 2008
    Beans
    5

    Tutorial - OpenVPN client the right way, one click with gopenvpn

    Last Updated: December 26th, 2008.

    My Setup:

    Tested Clients: Ubuntu Intrepid Ibex (8.10) 32bit & 64bit, running Gnome, gopenvpn SVN revision 5, and OpenVPN v2.1 RC11. I have also tested similar setups on Hardy 32bit & 64bit.

    Tested OpenVPN Server(s) : Windows Server 2003 running OpenVPN v2.1, Linksys WRT54-GL router running DD-WRT v23 SP2 (09/15/06) vpn edition.

    Goal:

    In one click, use gopenvpn to logon to an OpenVPN server and access local & remote machines by both IP address & name!

    Preface:

    Network Manager is pretty nice for certain things, such as connecting/maintaining WiFi connections and profiles. However, the Network Manager OpenVPN plugins only expose a subset of OpenVPN's feature set. This design leads to connectivity issues and the need to execute additional commands to properly and fully bring up a client VPN connection.

    Instead of Network Manager we'll be using gopenvpn to manage and connect to OpenVPN servers. gopenvpn is a nice lightweight Gnome tray application that leverages the native OpenVPN configuration files, so that, unlike with the Network Manager OpenVPN plug-in, we'll have the full OpenVPN feature set available to us. gopenvpn can co-exist with Network Manager. In fact, in my setup, Network Manager is handling my WiFi, LAN & PPTP connections, while gopenvpn is handling my OpenVPN connections.

    Don't let the length of this guide deter you. I find it's better to have too much information than not enough, because of this I will probably get into more detail than you might need.


    Prerequisites

    • Properly configured OpenVPN server on a different subnet from the client subnet.


    Prerequisites To Be Able To Resolve Remote Hosts By Name

    • Remote and local networks configured with DNS suffix.
    • Query-able DNS server aware of remote computer host names and DNS suffixes.
    • OpenVPN server configured to provide OpenVPN clients with DNS suffix and server values.



    Recommendations

    • Comfort with the Ubuntu Terminal
    • Understanding of OpenVPN concepts
    • Understanding of networking concepts (IP addressing, subnets, DNS resolution, DNS suffixes, and VPN routing concepts).


    Part 1 - get gopenvpn build dependencies and source code

    1. Make sure you have a valid Internet connection
    2. Start a Terminal (Applications->Accessories->Terminal)
    3. To get the dependencies needed to build gopenvpn, execute the following commands (answer yes (Y) to any prompts):

      Code:
      sudo apt-get install subversion
      sudo apt-get install libglib2.0-dev libgtk2.0-dev libglade2-dev libgnome-keyring-dev gksu gedit
      sudo apt-get install intltool
      sudo apt-get build-dep gtkpod
      sudo apt-get install automake1.9
    4. Execute the following to download the latest gopenvpn SVN source code:

      Code:
      svn co https://gopenvpn.svn.sourceforge.net/svnroot/gopenvpn gopenvpn



    Part 2 - modify gopenvpn source to support OpenVPN v2.1 rc7+

    Starting with OpenVPN v2.1 rc7, a new argument, --script-security, has been added. The source code for gopenvpn needs to be modified so that it accounts for this breaking change by specifying --script-security 2. This is needed so gopenvpn can execute the up/down script calls defined in the .ovpn/.conf client connection configuration files. The up/down calls are needed to properly set connection-specific IP addresses, domain search order, etc., on client connection/disconnection.

    The "--script-security" switch is documented in the OpenVPN man page:
    0 -- Strictly no calling of external programs.

    1 -- (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.

    2 -- Allow calling of built-in executables and user-defined scripts.

    3 -- Allow passwords to be passed to scripts via environmental variables (potentially unsafe).
    To accommodate this change, two gopenvpn source code files (gopenvpn.c and gopenvpnstart.c) need to be modified. At the same Terminal, from part 1, execute:

    1. Change into the source directory:

      Code:
      cd gopenvpn/trunk/gopenvpn/
    2. Edit the first file by executing:

      Code:
      gedit ./src/gopenvpn.c
    3. This will open up a text editor, find the following block of code:
      Code:
      #ifdef USE_GKSU
      command = g_strdup_printf("%s --management-query-passwords --cd %s "
                                "--daemon --management-hold "
      			   "--management 127.0.0.1 %d --config %s",
      And change it to this:
      Code:
      #ifdef USE_GKSU
      command = g_strdup_printf("%s --management-query-passwords --cd %s "
                                "--daemon --management-hold "
      			   "--script-security 2 --management 127.0.0.1 %d --config %s",
    4. Save the changes (On the menu, File->Save) & Exit (File->Quit)

    5. Edit the second file by executing:

      Code:
      gedit ./src/gopenvpnstart.c
    6. This will open up a text editor, find the following block of code:
      Code:
      /* Execute OpenVPN */
      execl(OPENVPN_BINARY_PATH,
      	  OPENVPN_BINARY_PATH,
      	  "--management-query-passwords",
      	  "--cd",
      	  CONFIG_PATH,
      	  "--daemon",
      And change it to this:
      Code:
      /* Execute OpenVPN */
      execl(OPENVPN_BINARY_PATH,
      	  OPENVPN_BINARY_PATH,
      	  "--management-query-passwords",
      	  "--cd",
      	  CONFIG_PATH,
      	  "--daemon",
               "--script-security",
               "2",
    7. Save the changes (On the menu, File->Save) & Exit (File->Quit)


    Part 3 - Configure gopenvpn build


    1. Execute the following commands ("./autogen.sh" needs to be called twice because the first time it's called it will fail, this behavior is observed in Ubuntu Intrepid, but not Hardy):

      Code:
      ./autogen.sh
      autoheader
      ./autogen.sh
      intltoolize --force
      ./configure --with-gksu=no
    2. gopenvpn installs a setuid executable "gopenvpnstart" which is used to start VPN connections without entering a password to gain administrator privileges. We need to use this executable for our setup. The documentation indicates that if a "#define USE_GKSU" statement exists in "gopenvpn.c" then "gopenvpnstart" will not be used. However, this does not seem to be currently true. To get gopenvpn to use the "gopenvpnstart" executable you must go through the following procedure after executing the "./configure" statement above.

      At the Terminal, execute:
      Code:
      gedit config.h
    3. This will open up a text editor, find the following line:

      Code:
      #define USE_GKSU 0
      And delete it. A value of 0 is not good enough, it has to be completely undefined.

    4. Save the changes (On the menu, File->Save) & Exit (File->Quit)



    Part 4 - Build/Install gopenvpn

    • Execute the following commands:

      Code:
      make
      sudo make install



    Running gopenvpn as root without password prompt

    We need the gopenvpn executable itself to run as root so that the "resolvconf" package (that we'll be installing later) can properly execute when called via the "update-resolv-conf" script (which is called by the client .ovpn configuration up/down statements).

    To get gopenvpn to run as root without a password prompt we'll be using the Sudoers file.

    (Optional) Setting gedit as editor of the sudoers file

    Personally I hate vim; for those who also hate vim, let's set gedit as the editor of the sudoers file.

    1. At the Terminal, execute:
      Code:
      gedit ~/.bashrc
    2. Add to bottom of the file:

      Code:
      export EDITOR=gedit
      alias visudo='sudo -E visudo'
    3. Save the changes (On the menu, File->Save) & Exit (File->Quit)

    4. Exit and restart the Terminal for the changes to take effect.


    Configuring a user to run gopenvpn without password prompt via the sudoers file

    1. At the Terminal execute:
      Code:
      visudo
    2. At the bottom of the file, add the following:

      Code:
      username ALL=NOPASSWD: /usr/local/bin/gopenvpn
      In the above statement replace "username" with your login name. The above sets the account specified, running under any hostname, to not need to provide a password when run under the root account (sudo/gksudo) for the /usr/local/bin/gopenvpn executable.

    3. Save the changes (On the menu, File->Save) & Exit (File->Quit)



    Setting gopenvpn to run at Gnome startup

    Note: We use gksudo since gopenvpn is a graphical app that needs to run as root.

    In Gnome go to the:
    1. System->Preferences->"Sessions" menu item.

    2. Go to "Startup Programs" tab and press the "+Add" button

    3. Set the following values:

      Name: gopenvpn
      Command: gksudo /usr/local/bin/gopenvpn
      Comment: OpenVPN Tray Client

    4. Press the "OK" button

    5. Press the "Close" button.


    DNS Suffix - The Key to Resolving VPN Hosts By Name

    Short Version: Both sides of the connection should have a unique DNS suffix assigned, and a queryable DNS server aware of the suffix.

    Long version:

    Basic VPN logic dictates that both sides of the VPN connection should originate from different subnets. It would be problematic if a computer on both the remote and local networks had the same IP address. Let's say a local computer tried to access a remote computer (on the other side of the VPN) with an IP address of 192.168.1.3, and a local computer existed with the same IP address; then, depending on how your connection is configured, communication could only occur with either the remote or local computer, but not both.

    Similarly, to guarantee unique host names and the ability of the OpenVPN client to query the correct DNS server for the host being requested, both sides of the connection should have a unique DNS suffix assigned. This also allows us to have a computer with the same name on both sides of the VPN connection since their full DNS names would be unique (e.g. computer1.apple.corp & computer1.microsoft.corp).

    If your local network doesn't already have a DNS suffix configured, it's pretty easy to assign statically or via DHCP (If you're using DD-WRT v23 SP2 as your DHCP server it's the "LAN Domain" setting under the Administration->Services menu). Just pick a DNS suffix name out of the air; familyname.localhost or companyname.corp are common choices. However, don't choose .local, to avoid possible problems.


    Configuring the OpenVPN client configuration to automagically update your local DNS search order

    At the bottom of your .conf/.ovpn client configuration file make sure you have the following two statements.

    Code:
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    These statements call the update-resolv-conf script on client connection/disconnection. The update-resolv-conf script will then call resolvconf (we'll be installing this package later in the tutorial) to update /etc/resolv.conf with the VPN server's search domains (DNS suffix). The script can handle multiple concurrent OpenVPN connections and will only add/remove the DNS suffixes for the connection going up/down.


    Installing dnsmasq

    dnsmasq is a DNS server package. We'll be installing and configuring dnsmasq by telling it which DNS servers to use for specific search domains.

    To install dnsmasq, at the Terminal, execute the following:
    Code:
    sudo apt-get install dnsmasq
    Configuring dnsmasq

    1. To edit the dnsmasq configuration file, at the Terminal, execute:

      Code:
      gksudo gedit /etc/dnsmasq.conf
    2. Find the section:
      Code:
      #server=/localnet/192.168.0.1
    3. Add entries for local and remote search domains/DNS Server IP addresses, for example:
      Code:
      server=/myhome.localnet/192.168.1.1
      server=/mywork.corp/10.51.1.2


    Installing resolvconf

    resolvconf will be called via the "/etc/openvpn/update-resolv-conf" script to update the client's search domain (DNS suffix) on client connection/disconnection.

    To install this package, at the Terminal, execute the following:

    Code:
    sudo apt-get install resolvconf
    A reboot will be required for this package to properly initialize, so I recommend rebooting the computer at this point.

    You're done!

    Tips/Tricks:

    Flushing the local DNS cache:


    Removing the OpenVPN client private key password when using a private key file/x509:

    If you would like to configure a client connection with no password prompts, or you would like to troubleshoot possible private key password issues, then you may wish to remove the private key password from the private key file. To do this, at the terminal execute the following with values matching your client configuration:

    Code:
    # for an RSA private key:
    openssl rsa -in private.key -out privatekey-without-passphrase.key
    # for a DSA private key:
    openssl dsa -in private.key -out privatekey-without-passphrase.key
    In the above, run either the rsa OR the dsa command, depending on the type of private key used.

    Restarting the dnsmasq daemon

    This is useful so that any configuration changes you make can take effect. At the Terminal execute:
    Code:
    sudo /etc/init.d/dnsmasq restart
    More info on dnsmasq can be found here:
    https://blueimp.net/linux/howto/dnsmasq.html
    https://help.ubuntu.com/community/Dnsmasq

    Checking client search domains configuration after OpenVPN client connection/disconnection

    Execute the following at the Terminal:
    Code:
    cat /etc/resolv.conf
    Sample client .ovpn file

    .ovpn/.conf files should be placed in the "/etc/openvpn" directory.

    Code:
    client
    dev tap
    proto tcp
    remote myhome.localnet 443
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca myhome/ca.crt
    cert myhome/logon_name.crt
    key myhome/logon_name.key
    ns-cert-type server
    comp-lzo
    verb 3
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

    OpenVPN server running under DD-WRT considerations:

    If your OpenVPN server is running under DD-WRT, an issue I've encountered is that the DHCP server running on DD-WRT doesn't properly pass the DHCP client configuration to the OpenVPN client. If you have control of the server the ideal solution is to modify the server configuration so that IP addresses, DNS suffix, and DNS server are provided by the OpenVPN server and not the DHCP server. For this to work properly make sure the OpenVPN server is configured to provide an IP range outside the DHCP server IP address range. I have provided a sample DD-WRT OpenVPN server configuration below to illustrate this configuration.

    If you don't have control of the OpenVPN server you can either bring up the connection/client configuration manually (ifconfig) or via a custom script specified in the .ovpn client configuration file.

    Sample DD-WRT Firewall Script (I use port 443 since it's very rare for an outgoing firewall to block the https port):
    Code:
    /usr/sbin/iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
    Sample DD-WRT Startup Script:
    Code:
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo '600 1800 120 60 120 120 10 60 30 120' > /proc/sys/net/ipv4/ip_conntrack_tcp_timeouts
    
    
    cd /tmp
    openvpn --mktun --dev tap0
    brctl addif br0 tap0
    ifconfig tap0 0.0.0.0 promisc up
    
    echo "
    server-bridge Router LAN IP (eg: 10.10.1.1) Subnet Mask (eg: 255.255.255.0) First DHCP Address to give out (eg: 10.10.1.151) Last IP address to give out (eg: 10.10.1.200)
    proto tcp-server
    port 443
    dev tap0
    keepalive 15 60
    daemon
    verb 3
    comp-lzo
    client-to-client
    push \"dhcp-option DNS DNS server If router is responsible for DNS then router's internal LAN IP (eg: 10.10.1.1) \"
    push \"dhcp-option DOMAIN DNS Suffix (eg: myhome.localnet) \"
    tls-server
    ca ca.crt
    dh dh2048.pem
    cert server.crt
    key server.key
    " > openvpn.conf
    
    echo "
    -----BEGIN CERTIFICATE-----
    --Replace with CA.CRT contents--
    -----END CERTIFICATE-----
    " > ca.crt
    echo "
    -----BEGIN RSA PRIVATE KEY-----
    --Replace with SERVER.KEY contents--
    -----END RSA PRIVATE KEY-----
    " > server.key
    chmod 600 server.key
    echo "
    -----BEGIN CERTIFICATE-----
    --Replace with SERVER.CRT contents--
    -----END CERTIFICATE-----
    " > server.crt
    echo "
    -----BEGIN DH PARAMETERS-----
    --Replace with dh2048.pem contents--
    -----END DH PARAMETERS-----
    " > dh2048.pem
    
    sleep 5
    ln -s /usr/sbin/openvpn /tmp/myvpn
    /tmp/myvpn --config openvpn.conf
    Last edited by TalynOne; December 27th, 2008 at 04:56 AM.
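    The up/down hook behaviour described in the tutorial, as an added example that is not TalynOne's code and not Ubuntu's /etc/openvpn/update-resolv-conf itself: OpenVPN runs the hook with dev set to the tun/tap name, script_type set to up or down, and one foreign_option_N variable per pushed option, and the script turns the pushed DNS and DOMAIN options into a resolv.conf fragment keyed by interface. STATE_DIR is an assumption that stands in for handing the fragment to "resolvconf -a/-d <dev>.openvpn", so the example runs offline.

```shell
#!/bin/sh
# Added example (not the tutorial's script, not Ubuntu's update-resolv-conf).
# Inputs are the environment OpenVPN exports to an up/down hook, e.g.
#   dev=tap0 script_type=up
#   foreign_option_1="dhcp-option DNS 10.10.1.1"
#   foreign_option_2="dhcp-option DOMAIN myhome.localnet"
# STATE_DIR (assumption) replaces resolvconf's per-interface records.
STATE_DIR="${STATE_DIR:-/tmp/resolvconf-demo}"

# Print a resolv.conf fragment built from the pushed DNS and DOMAIN options.
# Other dhcp-options (WINS, NBT, ...) are ignored, as the real script ignores them.
build_fragment() {
    n=1
    servers=""
    domains=""
    while true; do
        eval "opt=\${foreign_option_$n:-}"
        [ -n "$opt" ] || break
        set -- $opt            # split "dhcp-option DNS 10.10.1.1" into $1 $2 $3
        if [ "$1" = "dhcp-option" ] && [ -n "${3:-}" ]; then
            case "$2" in
                DNS)    servers="$servers $3" ;;
                DOMAIN) domains="$domains $3" ;;
            esac
        fi
        n=$((n + 1))
    done
    for s in $servers; do
        printf 'nameserver %s\n' "$s"
    done
    # one "search" line carrying every pushed suffix, in push order
    [ -z "$domains" ] || printf 'search%s\n' "$domains"
}

# On "up", record the fragment under the interface's name; on "down", drop that
# record. Keying by $dev is what lets several OpenVPN connections coexist: a down
# event removes only the servers and suffixes that this connection added.
apply_resolv() {
    [ -n "${dev:-}" ] || { echo "dev is not set" >&2; return 1; }
    mkdir -p "$STATE_DIR"
    case "${script_type:-}" in
        up)   build_fragment > "$STATE_DIR/${dev}.openvpn" ;;
        down) rm -f "$STATE_DIR/${dev}.openvpn" ;;
        *)    echo "unknown script_type '${script_type:-}'" >&2; return 1 ;;
    esac
}

# What the resolver would see after all records are merged, the same view that
# "cat /etc/resolv.conf" gives once resolvconf has run.
show_merged() {
    cat "$STATE_DIR"/*.openvpn 2>/dev/null || true
}
```

    Running build_fragment with a pushed option the script does not recognise shows why only DNS and DOMAIN reach resolv.conf; a missing dev or an unexpected script_type is reported rather than silently writing an unnamed record.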

  2. #2
    Join Date
    Aug 2007
    Location
    Maryland
    Beans
    25
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Tutorial - OpenVPN client the right way, one click with gopenvpn

    I am working with your very interesting and thorough tutorial, and I have an observation and a question.

    There is a small typo in Part 1 where it should say "sudo apt-get install subversion".

    Also, I cannot seem to find .conf/.ovpn in my home directory or anywhere else. Is there a particular place I should be looking, or do I need to create them, and if so where? (I am assuming that .conf is a directory and .ovpn is a file.)

    Thanks!

  3. #3
    Join Date
    Aug 2007
    Location
    Maryland
    Beans
    25
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Tutorial - OpenVPN client the right way, one click with gopenvpn

    Oops, sorry. With respect to point two, I figured out that you meant "/etc/openvpn/client.conf" on my system. My bad. I cannot really test things until I log on to a different subnet, but I will let you know how it goes. So far, so good.

  4. #4
    Join Date
    Mar 2006
    Beans
    8

    Re: Tutorial - OpenVPN client the right way, one click with gopenvpn

    Yowza. That's one thorough guide. Thanks!

    TalynOne, I don't suppose you would be interested in making a package for gopenvpn? That would make this whole process much smoother. I don't have much experience making packages, but I'd be willing to chip in some time to help, if you're interested. You've already put this much work into it, so you may as well go one more step and make it widely available to everyone.

    What do you think?

    -Ryan
    Last edited by ryanmbruce; February 11th, 2009 at 06:04 AM.

  5. #5
    Join Date
    May 2008
    Location
    Denmark
    Beans
    89
    Distro
    Ubuntu 8.10 Intrepid Ibex

    Re: Tutorial - OpenVPN client the right way, one click with gopenvpn

    Great guide, and I totally agree with ryanmbruce that a package for this would be great...

    I did find a few problems though:

    * It should be sudo apt-get install subversion
    * You need to be root to edit /etc/dnsmasq.conf
    * Needs a little bit of information about what to do when you finish this guide

    Other than those minor things, this guide made it happen for me... However, a package would be really helpful

  6. #6
    Join Date
    Nov 2007
    Location
    Montreal, Canada
    Beans
    17
    Distro
    Kubuntu 10.10 Maverick Meerkat

    Re: Tutorial - OpenVPN client the right way, one click with gopenvpn

    Great tutorial, but I have issues connecting to my office's VPN... I lose my internet connection and LAN connection whenever I launch a gopenvpn connection.

    Did anyone else experience this issue ?

  7. #7
    Join Date
    Dec 2005
    Beans
    9

    Re: Tutorial - OpenVPN client the right way, one click with gopenvpn

    I have a little problem. I successfully connect to the VPN server but I can't ping remote computers on the LAN that have IP 192.168.252.xxx. My tun0 has IP 10.8.142.xxx

    What's wrong? Can someone give me some advice?

  8. #8
    Join Date
    Sep 2006
    Beans
    18

    Re: Tutorial - OpenVPN client the right way, one click with gopenvpn

    Hi there, I stumbled over this thread when looking for a solution to compile gopenvpn, and so I should share with you that I made a deb package for it. So far the source package hasn't got a review by some packaging guru, but if you don't mind you can test it already.

    Regarding this howto, I have included the script security patches, but I didn't comment gksu out. If some are still looking for that, there is another solution at http://tranceparance.wordpress.com/tag/vforvpn/ without altering the source code.

    for i386:
    https://launchpad.net/%7Ebojo42/+arc...~ppa1_i386.deb

    for amd64:
    https://launchpad.net/%7Ebojo42/+arc...ppa1_amd64.deb

    And in case you are willing to help to get this package in Ubuntu/Debian, go to https://bugs.launchpad.net/ubuntu/+bug/220362

    best regards
    bojo42


  9. #9
    Join Date
    Apr 2009
    Beans
    1

    Re: Tutorial - OpenVPN client the right way, one click with gopenvpn

    Hi you guys,
    I installed the program as described in the tutorial, but it won't open a connection, because my password is not accepted. I double and triple-checked it, and I typed it in absolutely correctly. What should I do?

    And I found a bug: If I activate the "remember password"-option, the program crashes instantly.

    Thanks for your advice

  10. #10
    Join Date
    Apr 2006
    Beans
    Hidden!

    Re: Tutorial - OpenVPN client the right way, one click with gopenvpn

    Quote Originally Posted by TalynOne View Post
    Last Updated: December 26th, 2008.

    <snip>

    Part 3 - Configure gopenvpn build


    1. Execute the following commands ("./autogen.sh" needs to be called twice because the first time it's called it will fail, this behavior is observed in Ubuntu Intrepid, but not Hardy):

      Code:
      ./autogen.sh
      autoheader
      ./autogen.sh
      intltoolize --force
      ./configure --with-gksu=no
    2. gopenvpn installs a setuid executable "gopenvpnstart" which is used to start VPN connections without entering a password to gain administrator privileges. We need to use this executable for our setup. The documentation indicates that if a "#define USE_GKSU" statement exists in "gopenvpn.c" then "gopenvpnstart" will not be used. However, this does not seem to be currently true. To get gopenvpn to use the "gopenvpnstart" executable you must go through the following procedure after executing the "./configure" statement above.

      At the Terminal, execute:
      Code:
      gedit config.h
    3. This will open up a text editor, find the following line:

      Code:
      #define USE_GKSU 0
      And delete it. A value of 0 is not good enough, it has to be completely undefined.

    4. Save the changes (On the menu, File->Save) & Exit (File->Quit)

    <snip>
    Hi, I would like to install it so that when I start it I have to enter my gksu password (which is similar to how you would run it from the command line anyway). That is, without this setuid thing.

    What I can't understand is which method you are using above.

    How can I configure it to not use the gopenvpnstart / setuid feature, but just run it as a normal app?

    Thanks.
