
Mar 03 2015

Install bridged OpenVPN on Ubuntu 14.04 x64 Server and configure Windows 8.1 x64 client

This tutorial is based on the document found here, with a few minor corrections and a sample config file used with the OpenVPN client running on Windows 8.1 Pro x64.

This tutorial assumes the following :
1) You have an Ubuntu Server 14.04 with a private IP, behind a router with a public IP. That is our home network.
2) You want to use bridged mode (outside clients will receive addresses in the same subnet as the Ubuntu server and will be able to see printers and Windows computers).
3) You are using OpenVPN client on Windows 8.1 from a remote location.

Tested on : Ubuntu 14.04.1 Server x64, Windows 8.1 Pro x64, OpenVPN windows 64 bit client : OpenVPN 2.3.6 — released on 2014.12.01

root@box2:/etc/openvpn# uname -a

Linux box2 3.16.0-31-generic #41~14.04.1-Ubuntu SMP Wed Feb 11 19:30:13 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Other considerations :

a) Because the OpenVPN server is not the gateway for our home network, we need to forward port 1194 UDP on the router. The router's private IP is 192.168.0.1, and its public IP is 89.33.34.35.
b) The Ubuntu Server running the OpenVPN server needs to have a static IP. In our case it is 192.168.0.160, assigned to eth0.
c) The OpenVPN server will provide DHCP addresses to remote clients. Be sure that this range does not overlap with the addresses handed out by the gateway.
d) After a client connects, it will pass all of its internet traffic through our home network's gateway.
e) All commands are executed under root. So make yourself root.

bogdan@box2:~$ sudo su
[sudo] password for bogdan:

Step 1: Make sure you have the latest updates for your Ubuntu server installation.
root@box2:/home/bogdan# apt-get update && apt-get upgrade

Step 2: Install the OpenVPN server on our Ubuntu machine.

apt-get install bridge-utils openvpn libssl-dev openssl

Step 3: Because we will use bridge mode, we need to set up a bridge between eth0 (the local network interface) and the OpenVPN adapter (tap mode).
Edit : /etc/network/interfaces
Comment out the existing eth0 settings and add the following lines, changing the network settings to match your setup :

auto br0
iface br0 inet static
        address 192.168.0.160
        netmask 255.255.255.0
        gateway 192.168.0.1
        network 192.168.0.0
        broadcast 192.168.0.255
        bridge_ports eth0
        dns-nameservers 8.8.8.8 4.4.4.4
#### NOTE: If you are running OpenVPN in a virtual machine, then uncomment these lines:
# bridge_fd 9
# bridge_hello 2
# bridge_maxage 12
# bridge_stp off

iface eth0 inet manual
        up ifconfig $IFACE 0.0.0.0 up
        up ip link set $IFACE promisc on
        down ip link set $IFACE promisc off
        down ifconfig $IFACE down

Activate forwarding on the Ubuntu Server :

nano /etc/sysctl.conf

Uncomment : net.ipv4.ip_forward=1

Double check the network settings, then restart the server.

The next step is to create the server keys. We will use easy-rsa :

apt-get install easy-rsa
make-cadir /etc/openvpn/easy-rsa

Edit the vars file and set the following items to match your needs.

sudo nano /etc/openvpn/easy-rsa/vars

export KEY_COUNTRY="RO"
export KEY_PROVINCE="B"
export KEY_CITY="Bucharest"
export KEY_ORG="Evilbox"
export KEY_EMAIL="[email protected]"

Generate the server keys :

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key

Copy the needed keys to OpenVPN directory :

cp server.crt server.key ca.crt dh2048.pem ta.key /etc/openvpn/

Create the client certificate (it will need to be transferred to the Windows box, inside the C:\Program Files\OpenVPN\config folder).

cd /etc/openvpn/easy-rsa/
source vars
./pkitool client-name

This will generate client-name.crt and client-name.key.

The next step is to create the OpenVPN start/stop scripts.

nano /etc/openvpn/up.sh

#!/bin/sh
# Called by OpenVPN as: up.sh br0 <tap-dev> <tun-mtu> <link-mtu> ...
# $1 is the bridge name given in server.conf; OpenVPN appends its own arguments after it.
BR=$1
DEV=$2
MTU=$3
# Bring the tap interface up in promiscuous mode and attach it to the bridge
/sbin/ifconfig $DEV mtu $MTU promisc up
/sbin/brctl addif $BR $DEV

and

nano /etc/openvpn/down.sh

#!/bin/sh
# Called by OpenVPN as: down.sh br0 <tap-dev> ...
BR=$1
DEV=$2
# Detach the tap interface from the bridge and bring it down
/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

Make the scripts executable :

sudo chmod 755 /etc/openvpn/down.sh
sudo chmod 755 /etc/openvpn/up.sh

Next, we need to configure OpenVPN Server :

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
nano /etc/openvpn/server.conf

Edit /etc/openvpn/server.conf

Change :

;dev tap
dev tun

to
dev tap0
;dev tun

dh dh1024.pem
to
dh dh2048.pem

server 10.8.0.0 255.255.255.0
to
;server 10.8.0.0 255.255.255.0

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
to
server-bridge 192.168.0.160 255.255.255.0 192.168.0.161 192.168.0.170
;OpenVPN server will assign DHCP addresses between 192.168.0.161-192.168.0.170 to connecting clients

;push "route 192.168.10.0 255.255.255.0"
to
push "route 192.168.0.1 255.255.255.0"

;push "redirect-gateway def1 bypass-dhcp"
to
push "redirect-gateway def1 bypass-dhcp"

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

to
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"

;tls-auth ta.key 0 # This file is secret
to
tls-auth ta.key 0 # This file is secret

;user nobody
;group nogroup

to
user nobody
group nogroup

Add the start/stop scripts to the end of the file :

up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
script-security 3

OpenVPN appends its own arguments (tap device name, MTU, and so on) after the br0 given here, which is why up.sh reads the bridge from $1 and the device from $2. Note that script-security 2 is already enough to let OpenVPN run these scripts; level 3 additionally allows passwords to be passed to scripts through environment variables, which this setup does not need.

Start the OpenVPN server :
root@box2:/etc/openvpn# service openvpn start

Now comes the Windows part.
1. Download and install OpenVPN
2. Edit C:\Program Files\OpenVPN\sample-config\client.ovpn to look like this :

client
dev tap
;dev tun
;dev-node MyTap
;proto tcp
proto udp
remote 89.33.34.35 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client-name.crt
key client-name.key
remote-cert-tls server
tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20

3. Copy the C:\Program Files\OpenVPN\sample-config\client.ovpn file to the C:\Program Files\OpenVPN\config folder

4. Also, the following files will need to be on the Windows OpenVPN client, inside C:\Program Files\OpenVPN\config folder :

/etc/openvpn/ca.crt
/etc/openvpn/ta.key
/etc/openvpn/easy-rsa/keys/client-name.crt
/etc/openvpn/easy-rsa/keys/client-name.key

Copy them using SFTP, for example; you will need to change their permissions first so that a non-root SFTP client (FileZilla, for example) can read them. Once copied, restore the restrictive permissions on the server, since client-name.key (together with ta.key) is what authenticates the client.
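As an alternative to copying the four files separately, the following added example (not part of the original post) assembles a single client.ovpn that carries the same directives as the client config above with ca.crt, client-name.crt, client-name.key and ta.key embedded inline. It assumes the easy-rsa key directory and ta.key location used in this tutorial, passed in as arguments; the function name build_ovpn is my own.

```shell
#!/bin/sh
# Added example (not part of the original post): assemble one client.ovpn with
# ca.crt, client-name.crt, client-name.key and ta.key embedded inline, so a
# single file goes into C:\Program Files\OpenVPN\config instead of five.

# Print only the PEM body of a file (easy-rsa .crt files start with a text dump).
pem() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# build_ovpn <client-name> <server-public-ip> <easy-rsa keys dir> <ta.key path>
build_ovpn() {
    name=$1; server=$2; keys=$3; ta=$4
    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key" "$ta"; do
        [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
    done
    # Same directives as the tutorial's client.ovpn; the ca/cert/key/tls-auth
    # file references become inline blocks, "tls-auth ta.key 1" becomes key-direction 1.
    cat <<EOF
client
dev tap
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
comp-lzo
verb 3
<ca>
$(pem "$keys/ca.crt")
</ca>
<cert>
$(pem "$keys/$name.crt")
</cert>
<key>
$(pem "$keys/$name.key")
</key>
<tls-auth>
$(pem "$ta")
</tls-auth>
EOF
}

# On the server, as root, after ./pkitool client-name:
#   build_ovpn client-name 89.33.34.35 /etc/openvpn/easy-rsa/keys /etc/openvpn/ta.key > client-name.ovpn
```

The resulting file still contains the client's private key, so it deserves the same care in transit and on the Windows box as the separate key file.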


  1. mono

    Hello, I made this config and I get a TLS error: TLS key negotiation failed to occur within 60 seconds….
    When I try with a machine in the same local network as the server and modify the remote IP to the local 192.168.1.160 in client.ovpn, the connection is successful. What's wrong with my config? My English is wrong, sorry.

    1. Bogdan

      Have you checked the OpenVPN FAQ – TLS Error question?

  2. Jonathan Vargas

    Hello Bogdan. Thanks for the post.

    I followed your guide and I was able to connect successfully. But I have a big problem: the client can't connect to other hosts in the LAN. I tried pings and telnet to some ports, and got no answer:

    My setup described here:
    https://gist.github.com/jonvargas/1302109ac73331b9fd30e8294e914e2c

    Do you have any idea what it could be? This is a VM, so I enabled promiscuous mode for the NICs, just in case.

    1. Bogdan

      You need to add --client-to-client in openvpn.conf.

  3. Victor

    I don't know if you're still watching this post, but I would like all internet traffic from clients to go through the VPN server while still using the bridged setup. Is this achievable? I have been fiddling for a couple of days already, but all I find online is for the tunnelled version.
    Some help from you would be much appreciated.

    1. Bogdan

      Enable push "redirect-gateway def1 bypass-dhcp" in the OpenVPN server config, and it should be enough.
      But if you are using Vista or a newer Windows OS, run the OpenVPN client with Admin privileges or it will not accept the new route.

      1. Victor

        That's the first thing I tried, and the client basically just connects to the VPN server, but I can't ping anything afterwards, not even the server's IP. Also, I start everything with admin rights.
        I forgot to mention I'm running OpenVPN on Ubuntu 14 Server LTS in a Hyper-V environment, so maybe that is a factor.
        I'm literally out of ideas.

        1. Mike

          Something is wrong with your route table. If you used IP addresses outside what your LAN uses, your router doesn't know the route for VPN clients, so you send data but it doesn't get relayed back correctly. Make sure you enabled forwarding correctly and added the route in your server config AND your router. Adding it only to the server means the server knows how to reach your LAN, but the router running your LAN also needs to know to send packets for the VPN back through the VPN server before the client address.

      2. Victor

        Update: actually the client can ping the server's IP, but it's not consistent, like a lot of "host unreachable" messages, then a couple might get through.

      3. Victor

        Update 2: it seems I can ping everything on the network, but there are a lot of "host unreachable" messages. Keep in mind that this only happens if I add the push "redirect-gateway def1 bypass-dhcp" line; without it all of the internal network works like a charm.

      4. Victor

        Update 3: I've set up another machine following the exact procedure you have provided on this page, and it still kills all VPN connectivity when I add the "redirect" directive, but that's on a Win10 client. On a W7 one it works (though also with some "host unreachable" events on ping here and there), but it connects, there is internet and there is the internal network.

        1. Bogdan

          You need to diagnose the "host unreachable" events. Duplicate MAC addresses maybe?
          In my setup the VPN server is not a gateway for the network.

          1. Victor

            I narrowed all this down to a NIC driver problem, as it's only happening on a single W10 laptop; it seems the driver doesn't like the virtual tap adapter interfering in its business.

          2. Bogdan

            Great! So it's all working?

          3. Mike

            If that's the case you need to enable promiscuous mode. Really junky NICs may not be able to, but for tap adapters to work they need "direct access" to the physical NIC (hence promiscuous, meaning it's being promiscuous with other hardware and not talking only to the OS, kinda :-D).

        2. Mike

          Increase the time for packets on the Windows client. Most high speed connections use 32ms; adjusting to something like 128 should help. It sounds like the client has the packet timer set too low, so it stops waiting for the return before the packet actually arrives.

          1. Victor

            Thanks for all your messages. I narrowed this down myself a short time after all these messages were posted; also this seems to be an issue with the newer TAP driver, as the older one seems not to have all these problems.
            Anyway, now I've configured my server to push the TAP's settings and there is no need to tinker on the actual client machine.

  4. Victor

    Yeah, all working great. It was just that particular laptop that was causing problems; once I tried this on another machine it worked like a charm 🙂

  5. Sergio

    Thank you, working great!

  6. Mike

    Your up script is incorrect, it should be dev=$3. With it set to $2 you're asking it to bind eth0 back to the bridge and you get an error never stating it can't add the device to the bridge as it is already a member.

    1. Mike

      Never= message

  7. Mirwais Shah Arya

    Thanks a world, it is working great, but does anybody know how to increase its speed?
