OpenVPN on wireless networks

Notes on setting up simple static key OpenVPN tunnels that work over wireless networks.

In the server
# apt-get install openvpn
# cd /etc/openvpn
# openvpn --genkey --secret static.key
# vi /etc/openvpn/tun0.conf
# cat /etc/openvpn/tun0.conf 
dev tun0
proto tcp-server
ifconfig 192.168.50.1 192.168.50.2
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
secret /etc/openvpn/static.key


In the client
# apt-get install openvpn
# cd /etc/openvpn
# scp root@10.13.157.13:/etc/openvpn/static.key .
# vi /etc/openvpn/tun0.conf
# cat /etc/openvpn/tun0.conf 
remote 10.13.157.13
dev tun0
proto tcp-client
ifconfig 192.168.50.2 192.168.50.1
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
secret /etc/openvpn/static.key
Assuming that the OpenVPN server is at 10.13.157.13
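A quick consistency check for a server/client pair of static key configs, added here as an example and not part of the original notes. It embeds the two tun0.conf files above as constructed sample input and flags the mistakes that silently break a static key tunnel: a proto that does not pair with the other side, ifconfig addresses that are not mirrored, or a missing secret/remote line.

```python
"""Check that a static-key OpenVPN server config and client config agree.
Added example; the two sample configs below are the ones from these notes."""

SERVER_CONF = """\
dev tun0
proto tcp-server
ifconfig 192.168.50.1 192.168.50.2
keepalive 10 60
persist-tun
persist-key
secret /etc/openvpn/static.key
"""

CLIENT_CONF = """\
remote 10.13.157.13
dev tun0
proto tcp-client
ifconfig 192.168.50.2 192.168.50.1
keepalive 10 60
persist-tun
persist-key
secret /etc/openvpn/static.key
"""

# which proto value the other side must use to match
PEER_PROTO = {"tcp-server": "tcp-client", "tcp-client": "tcp-server", "udp": "udp"}


def parse(text):
    """Map each option name to its argument list; bare flags map to []."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            key, *args = line.split()
            opts[key] = args
    return opts


def check_pair(server_text, client_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    if "secret" not in s or "secret" not in c:
        problems.append("both sides need 'secret <keyfile>' in static key mode")
    if "remote" not in c:
        problems.append("client has no 'remote <server address>' line")
    sp, cp = s.get("proto", ["udp"])[0], c.get("proto", ["udp"])[0]
    if PEER_PROTO.get(sp) != cp:
        problems.append("proto mismatch: server %s, client %s" % (sp, cp))
    si, ci = s.get("ifconfig", []), c.get("ifconfig", [])
    if len(si) != 2 or len(ci) != 2:
        problems.append("ifconfig needs '<local> <remote>' on each side")
    elif si != ci[::-1]:  # client's local/remote must be the server's remote/local
        problems.append("ifconfig not mirrored: server %s, client %s" % (si, ci))
    return problems


if __name__ == "__main__":
    for line in check_pair(SERVER_CONF, CLIENT_CONF) or ["OK: configs are consistent"]:
        print(line)
```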

Testing the tunnel

You may find it useful to run the following commands in a screen session or in another ssh session (in case you are allergic to screen).

In the server
# openvpn --config /etc/openvpn/tun0.conf --verb 6


In the client
# openvpn --config /etc/openvpn/tun0.conf --verb 6


still in the client
# ping 192.168.50.1
PING 192.168.50.1 (192.168.50.1) 56(84) bytes of data.
64 bytes from 192.168.50.1: icmp_req=1 ttl=64 time=2.72 ms
64 bytes from 192.168.50.1: icmp_req=2 ttl=64 time=2.94 ms
^C


Forward IP traffic through the OpenVPN tunnel

In the server
# echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
# sysctl -p
# iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE


In the client
# route del default gw 192.168.48.1
# route add default gw 192.168.50.1
# ping ipduh.com
PING ipduh.com (85.25.242.245) 56(84) bytes of data.
64 bytes from archimedes.ipduh.com (85.25.242.245): icmp_req=1 ttl=55 time=74.7 ms
^C
where 192.168.48.1 is the previous LAN default gateway

Make it stick

In the server
# vi /etc/network/if-pre-up.d/ipv4init.sh
# cat /etc/network/if-pre-up.d/ipv4init.sh 
#!/bin/sh
/sbin/iptables-restore < /etc/rules.iptables


# iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -s 192.168.50.0/24 -o eth0 -j ACCEPT
# iptables -t nat -I POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
# iptables-save > /etc/rules.iptables


Both systems

Set the AUTOSTART parameter in /etc/default/openvpn ("all" works).
/etc/default/openvpn is the configuration file for /etc/init.d/openvpn.
# /etc/init.d/openvpn start


In the client

Add a route to the OpenVPN server(s) in /etc/network/interfaces, e.g.:
up route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.21.241.88
and a script in /etc/network/if-up.d/ that starts the VPN tunnel and adds the default route:
# cat /etc/network/if-up.d/routes.sh 
#!/bin/sh
/etc/init.d/openvpn start 
#there is also another script in if-up.d that should start openvpn 

/sbin/route add default gw 192.168.50.1


To test, restart networking
# /etc/init.d/networking restart
# ping ipduh.com
PING ipduh.com (85.25.242.245) 56(84) bytes of data.
64 bytes from archimedes.ipduh.com (85.25.242.245): icmp_req=1 ttl=55 time=73.4 ms
^C


that's all folks!
