This tutorial is based on the document found here with a few minor corrections and a sample config file, used on OpenVPN client running on Windows 8.1 PRO x64.
This tutorial assumes the following :
1) You have Ubuntu Server 14.04 with a private IP, behind a router with a public IP. That’s in our home network.
2) You want to use bridged mode (outside clients will receive addresses in the same subnet as the Ubuntu server and will be able to see printers and Windows computers).
3) You are using OpenVPN client on Windows 8.1 from a remote location.
Tested on: Ubuntu 14.04.1 Server x64, Windows 8.1 Pro x64, OpenVPN Windows 64-bit client: OpenVPN 2.3.6, released on 2014.12.01
root@box2:/etc/openvpn# uname -a
Linux box2 3.16.0-31-generic #41~14.04.1-Ubuntu SMP Wed Feb 11 19:30:13 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Other considerations :
a) Because the OpenVPN server is not the gateway for our home network, we need to forward port 1194 UDP on the router. The router's private IP is 192.168.0.1, and its public IP is 89.33.34.35.
b) The Ubuntu Server running the OpenVPN server needs to have a static IP. In our case it is 192.168.0.160. This address is used on eth0.
c) The OpenVPN server will provide DHCP addresses to remote clients. Be sure the range does not overlap with the addresses handed out by the gateway.
d) After a client connects, it will pass all its internet traffic through our home network's gateway.
e) All commands are executed under root. So make yourself root.
bogdan@box2:~$ sudo su
[sudo] password for bogdan:
Step 1: Make sure you have the latest updates for your Ubuntu server installations.
root@box2:/home/bogdan# apt-get update && apt-get upgrade
Step 2: Install openvpn server on our Ubuntu machine.
apt-get install bridge-utils openvpn libssl-dev openssl
Step 3: Because we will use bridge mode, we need to set up a bridge between eth0 (the local network interface) and the OpenVPN adapter (tap mode).
Edit : /etc/network/interfaces
Comment out the existing eth0 settings and add the following lines, changing the network settings to match your setup:
auto br0
iface br0 inet static
address 192.168.0.160
netmask 255.255.255.0
gateway 192.168.0.1
network 192.168.0.0
broadcast 192.168.0.255
bridge_ports eth0
dns-nameservers 8.8.8.8 4.4.4.4
#### NOTE: If you are running OpenVPN in a virtual machine, then uncomment these lines:
# bridge_fd 9
# bridge_hello 2
# bridge_maxage 12
# bridge_stp off

iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
Activate forwarding on the Ubuntu Server :
nano /etc/sysctl.conf
Uncomment : net.ipv4.ip_forward=1
Double check the network settings, then restart the server.
The next step is to create the server keys. We will use easy-rsa :
apt-get install easy-rsa
make-cadir /etc/openvpn/easy-rsa
Edit the vars file and change the following items to suit your setup:
sudo nano /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="RO"
export KEY_PROVINCE="B"
export KEY_CITY="Bucharest"
export KEY_ORG="Evilbox"
export KEY_EMAIL="adm@myserver.org"
Generate the server keys :
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
Copy the needed keys to OpenVPN directory :
cp server.crt server.key ca.crt dh2048.pem ta.key /etc/openvpn/
Create the client certificates (they will need to be transferred to the Windows box, into the C:\Program Files\OpenVPN\config folder).
cd /etc/openvpn/easy-rsa/
source vars
./pkitool client-name
This will generate client-name.crt and client-name.key.
The next step is to create the OpenVPN bridge up/down scripts.
nano /etc/openvpn/up.sh
#!/bin/sh
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/sbin/brctl addif $BR $DEV
and
nano /etc/openvpn/down.sh
#!/bin/sh
BR=$1
DEV=$2
/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down
Make the scripts executable :
sudo chmod 755 /etc/openvpn/down.sh
sudo chmod 755 /etc/openvpn/up.sh
Next, we need to configure the OpenVPN server:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
nano /etc/openvpn/server.conf
Edit /etc/openvpn/server.conf
Change :
;dev tap
dev tun
to
dev tap0
;dev tun
dh dh1024.pem
to
dh dh2048.pem
server 10.8.0.0 255.255.255.0
to
;server 10.8.0.0 255.255.255.0
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
to
server-bridge 192.168.0.160 255.255.255.0 192.168.0.161 192.168.0.170
;OpenVPN server will assign DHCP addresses between 192.168.0.161-192.168.0.170 to connecting clients
;push "route 192.168.10.0 255.255.255.0"
to
push "route 192.168.0.1 255.255.255.0"
;push "redirect-gateway def1 bypass-dhcp"
to
push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
to
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"
;tls-auth ta.key 0 # This file is secret
to
tls-auth ta.key 0 # This file is secret
;user nobody
;group nogroup
to
user nobody
group nogroup
Add the up/down scripts to the end of the file:
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
script-security 3
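Before starting the service it is worth checking the resulting server.conf for the bridged-mode essentials: the tap device, server-bridge in place of server, tls-auth, privilege drop, and a client pool that does not collide with the router's DHCP range (consideration c above). The script below is an added example written for this tutorial, not code from the original post or from OpenVPN; the router DHCP pool it compares against is a constructed value, and the note about script-security levels reflects OpenVPN's documented meaning of levels 2 and 3.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: lint a bridged-mode
# server.conf before 'service openvpn start'. The router DHCP pool below
# is a constructed value; set it to the range your own router hands out.
ROUTER_POOL_START=192.168.0.50
ROUTER_POOL_END=192.168.0.150
# Dotted-quad IPv4 address to integer so address ranges can be compared.
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}
# Exit 0 when the inclusive ranges [$1,$2] and [$3,$4] share an address.
ranges_overlap() {
    [ "$(ip2int "$1")" -le "$(ip2int "$4")" ] && [ "$(ip2int "$3")" -le "$(ip2int "$2")" ]
}
# Print one line per problem in the given server.conf and return the count.
# Only uncommented directives count, so lines starting with ';' or '#' are ignored.
check_server_conf() {
    conf=$1; n=0
    has() { grep -Eq "^[[:space:]]*$1" "$conf"; }
    flag() { echo "$1"; n=$((n + 1)); }
    has 'dev[[:space:]]+tap' || flag "bridging needs 'dev tap0', not 'dev tun'"
    has 'server[[:space:]]+[0-9]' && flag "'server' still active; bridged mode uses 'server-bridge' only"
    has 'server-bridge[[:space:]]' || flag "'server-bridge' missing"
    has 'tls-auth[[:space:]]+ta\.key[[:space:]]+0' || flag "'tls-auth ta.key 0' missing: control channel unauthenticated"
    has 'user[[:space:]]+nobody' && has 'group[[:space:]]+nogroup' || flag "daemon keeps root: add 'user nobody' and 'group nogroup'"
    has 'script-security[[:space:]]+3' && flag "'script-security 2' suffices for up/down scripts; 3 also passes passwords via env"
    # Compare the client pool handed out by server-bridge with the router's DHCP pool.
    set -- $(grep -E '^[[:space:]]*server-bridge[[:space:]]' "$conf" | head -n 1)
    if [ -n "$5" ] && ranges_overlap "$4" "$5" "$ROUTER_POOL_START" "$ROUTER_POOL_END"; then
        flag "client pool $4-$5 overlaps router DHCP pool $ROUTER_POOL_START-$ROUTER_POOL_END"
    fi
    return $n
}
# Constructed sample: the directives this tutorial ends up with in server.conf.
make_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
dev tap0
;dev tun
;server 10.8.0.0 255.255.255.0
server-bridge 192.168.0.160 255.255.255.0 192.168.0.161 192.168.0.170
tls-auth ta.key 0
user nobody
group nogroup
script-security 3
EOF
    echo "$f"
}
```

Run as `check_server_conf /etc/openvpn/server.conf`; on the tutorial's own configuration the only line it prints is the script-security note.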
Start the OpenVPN server:
root@box2:/etc/openvpn# service openvpn start
Now comes the Windows part.
1. Download and install OpenVPN
2. Edit C:\Program Files\OpenVPN\sample-config\client.ovpn to look like this:
client
dev tap
;dev tun
;dev-node MyTap
;proto tcp
proto udp
remote 89.33.34.35 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client-name.crt
key client-name.key
remote-cert-tls server
tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20
3. Copy the C:\Program Files\OpenVPN\sample-config\client.ovpn file to the folder C:\Program Files\OpenVPN\config
4. The following files also need to be on the Windows OpenVPN client, inside the C:\Program Files\OpenVPN\config folder:
/etc/openvpn/ca.crt
/etc/openvpn/ta.key
/etc/openvpn/easy-rsa/keys/client-name.crt
/etc/openvpn/easy-rsa/keys/client-name.key
Copy them using SFTP, for example, but change their permissions first so that you can read them with an SFTP client (FileZilla, for example).
23 comments
Hello, I made this config and I get a TLS error: TLS key negotiation failed to occur within 60 seconds....
When I try with a machine in the same local network as the server and I modify the remote IP to the local 192.168.1.160 in client.ovpn, the connection is successful. What's wrong with my config? My English is wrong, sorry.
Author
Have you checked the OpenVPN FAQ – TLS Error question?
Hello Bogdan. Thanks for the post.
I followed your guide and I was able to connect successfully. But I have a big problem: the client can't connect to other hosts in the LAN. I tried pings and telnet to some ports, and no answer:
My setup described here:
https://gist.github.com/jonvargas/1302109ac73331b9fd30e8294e914e2c
Do you have any idea what it could be? This is a VM, so I enabled promiscuous mode for the NICs, just in case.
Author
You need to add --client-to-client in openvpn.conf.
I don't know if you're still watching this post, but I would like all internet traffic from clients to go through the VPN server while still using the bridged setup. Is this achievable? I have been fiddling for a couple of days already, but all I find online is for the tunnelled version.
Some help from you will be much appreciated.
Author
Enable push "redirect-gateway def1 bypass-dhcp" in the OpenVPN server config, and it should be enough.
But if you are using Vista or a newer Windows OS, run OpenVPN client with Admin privileges or it will not accept the new route.
That's the first thing I tried, and the client basically just connects to the VPN server but I can't ping anything afterwards, not even the server's IP; also, I start everything with admin rights.
I forgot to mention I'm running OpenVPN on Ubuntu 14 Server LTS in a Hyper-V environment, so maybe that is a factor.
I’m literally out of ideas.
Something is wrong with your route table. If you used IP addresses outside what your LAN uses, your router doesn't know the route for VPN clients, so you send data but it doesn't get related back correctly. Make sure you enabled forwarding correctly and added the route in your server config AND your router: adding it only to the server means the server knows how to reach your LAN, but the router running your LAN also needs to know to send packets for VPN clients back through the VPN server.
Update: actually client can ping server’s ip, but it’s not consistent, like a lot of “host unreachable” messages, then a couple might get through.
Update 2: it seems I can ping everything on the network but there are a lot of "host unreachable" messages; keep in mind that this only happens if I add the push "redirect-gateway def1 bypass-dhcp" line, without it the whole internal network works like a charm.
Update 3: I've set up another machine following the exact procedure you have provided on this page and it still kills all VPN connectivity when I add the "redirect" directive, but that's on a Win10 client; on a W7 one it works (though also with some "host unreachable" events on ping here and there), but it connects, there is internet and there is the internal network.
Author
You need to diagnose the "host unreachable" events. Duplicate MAC addresses, maybe?
In my setup the VPN server is not a gateway for the network.
I narrowed all this down to a NIC driver problem, as it's only happening on a single W10 laptop; it seems the driver doesn't like the virtual TAP adapter interfering in its business.
Author
Great! So it's all working?
If that's the case you need to enable promiscuous mode. Really junky NICs may not be able to, but for TAP adapters to work they need "direct access" to the physical NIC (hence promiscuous, meaning it's being promiscuous with other hardware and not talking only to the OS, kinda :-D).
Increase the time for packets on the Windows client; most high-speed connections use 32ms, adjusting it to something like 128 should help. Sounds like the client has the packet timer set too low, so it stops waiting for the reply before the packet actually returns.
Thanks for all your messages. I narrowed this down myself a short time after all these messages were posted; this also seems to be an issue with the newer TAP driver, as the older one seems not to have all these problems.
Anyway, now I've configured my server to push the TAP settings and there is no need to tinker on the actual client machine.
Yeah, all working great, it was just that particular laptop that was causing problems; once I tried this on another machine it worked like a charm 🙂
Thank you, working great!
Your up script is incorrect, it should be DEV=$3. With it set to $2 you're asking it to bind eth0 back to the bridge and you get an error message stating it can't add the device to the bridge because it is already a member.
Thanks a lot, it is working great, but does anybody know how to increase its speed?
Hi,
I am not able to ping local IP addresses in the same subnet.