Easy openvpn with network-manager in feisty
Update: some instructions were missing.
The client side of an OpenVPN setup is dead easy now with the n-m in feisty. Simply sudo apt-get install network-manager-openvpn and fill in the forms. The server side of a forward-everything-over-the-VPN setup is slightly more difficult, but this should do the trick:
sudo -i
apt-get install openvpn dnsmasq openssl
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Add this last line (the iptables rule) to /etc/rc.local before exit 0, uncomment the ipv4 forwarding line in /etc/sysctl.conf and grab my openvpn config from kaarsemaker.net (save it as /etc/openvpn/home.conf). This config is pretty standard except for the following:
- It expects all traffic to be routed through the VPN, I use this because I mainly use the VPN for safe remote working over unprotected wifi
- It uses a tcp connection instead of udp because the vpn server is behind nat and I want to test it from behind the same nat (yes, the test setup does 3 nat steps before traffic goes out to the internet!)
- It uses a local DNS server on the VPN host (that’s why dnsmasq was being installed earlier)
Read the config and if you use 10.8.0.0/24 in your network, change the IP addresses. Then place it in /etc/openvpn and edit /etc/default/openvpn so the “home” VPN is started automatically.
With the config in place, you only have to generate the PKI for the VPN. Fortunately openvpn makes this all very easy for you with the easy-rsa scripts. First you edit /etc/openvpn/easy-rsa/vars and then you can simply run a few of the easy-rsa scripts:
cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
./build-key client1
If you want to support more than one client, repeat the last command with different names. Now copy the keys/certificates to the appropriate places:
cp /etc/openvpn/easy-rsa/keys/{ca.crt,server.crt,server.key,dh1024.pem} /etc/openvpn
Make sure that each client gets its .key and .crt file and the ca.crt file. Now restart openvpn and you’re ready to connect to it!
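Before restarting openvpn it is worth checking that home.conf, the copied PKI files and the MASQUERADE rule agree with each other. The checker below is an added example, not code from this post or from OpenVPN: it parses a server config written in the style described above and reports a referenced ca/cert/key/dh file that was never copied to /etc/openvpn, a server subnet that the iptables rule does not cover, and a missing pushed redirect-gateway or DNS. SAMPLE_CONF and the existing_files set are constructed stand-ins for the real home.conf and a listing of /etc/openvpn.

```python
import ipaddress
import shlex
# Constructed sample modelled on the post's bullet points, not the real home.conf.
SAMPLE_CONF = """\
proto tcp
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway"
push "dhcp-option DNS 10.8.0.1"
"""

def parse_config(text):
    """Split an OpenVPN config into (directive, args); '#' and ';' lines are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries

def check_server_conf(text, existing_files, nat_subnet="10.8.0.0/24"):
    """Return (errors, warnings) for a forward-everything server config."""
    entries = parse_config(text)
    first = {d: a for d, a in reversed(entries)}  # first occurrence of each directive wins
    pushed = [a[0] for d, a in entries if d == "push" and a]
    errors, warnings = [], []
    # 1. PKI material: openvpn refuses to start when any of these files is missing.
    for directive in ("ca", "cert", "key", "dh"):
        if directive not in first:
            errors.append("no '%s' directive" % directive)
        elif first[directive][0] not in existing_files:
            errors.append("%s file %s not found in /etc/openvpn" % (directive, first[directive][0]))
    # 2. The MASQUERADE rule from rc.local must cover the subnet the server hands out.
    vpn = first.get("server", [])
    vpn_net = ipaddress.ip_network("%s/%s" % tuple(vpn), strict=False) if len(vpn) == 2 else None
    if vpn_net != ipaddress.ip_network(nat_subnet):
        errors.append("server subnet %s does not match NAT rule %s" % (vpn_net, nat_subnet))
    # 3. The post uses tcp because the server sits behind NAT; OpenVPN defaults to udp.
    if not first.get("proto", ["udp"])[0].startswith("tcp"):
        warnings.append("proto is udp; the post uses tcp to test from behind the same NAT")
    # 4. Forward-everything needs redirect-gateway plus a resolver reachable inside the tunnel.
    if not any(p.startswith("redirect-gateway") for p in pushed):
        warnings.append("no pushed redirect-gateway: client traffic will not go over the VPN")
    elif not any(p.startswith("dhcp-option DNS") for p in pushed):
        warnings.append("redirect-gateway without a pushed DNS: clients keep their LAN resolver")
    return errors, warnings
```

Feed it the real file contents and os.listdir("/etc/openvpn") on the server; an empty errors list means openvpn has everything it needs to start.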
To connect to your freshly created openvpn server from another machine which uses network-manager, simply right-click on the n-m icon, select “VPN Connections” and “Configure VPN”. The following screenshots are my setup, which works with the example OpenVPN setup and the freshly generated keys:


And now I can safely use unprotected wifi; with two mouse clicks n-m can switch the VPN connection on and off. Yes, OpenVPN and network-manager rock!
Fantastic! That looks great!
I wrote an OpenVPN HOWTO, and an OpenVPN Certificate HOWTO, which explain the whole thing in more detail. Having NetworkManager support OpenVPN will make the client portion of this an awful lot easier.
Hi, I tried to follow your instructions but I don’t have a ‘/etc/openvpn/easy-rsa’ path on either Feisty or Edgy. Perhaps it’s a symlink to somewhere else or something?
The easy-rsa stuff may be living in /usr/share/doc/openvpn.
I’m having trouble with the dh line from the home.conf. I don’t have a dh1024.pem file, so “sudo invokerc.d openvpn start” fails.
Paul, Michael: thanks for the comments, I’ll fix the instructions.
I’ve got a debian/unstable server behind a NAT box, and my client is also behind a NAT box. I had trouble getting the TUN driver working, so I switched to TAP and I can at least ping the VPN host via the internal address.
I already use the ipmasq package for MASQUERADEing, and it looks like it does the right thing when I run it after openvpn is up. Unfortunately, packets aren’t routing properly. When I attempt to ping the VPN client from the VPN server, I get sendmsg: Operation not permitted. I’ll have to keep fiddling with it on my end.
Also, you’ll need the openssl package which might not be installed because it is not a strict dependency of openvpn.
Also, the new instructions don’t copy the dh1024.pem file to /etc/openvpn
You used the word “easy” on the topic and then proceeded with cryptic shell commands. That was more than slightly funny :)
The network-manager plugin however looks *awesome*. Those VPN plugins should come installed by default - they are small and promote the use of them (because of the easiness). Especially OpenVPN is a rocking solution, it could really benefit from that.
Thanks.
erik: the client side is easy ;) The server side still is awkward.
The problem with this plugin is that it ignores some options from the VPN server. The OpenVPN client in console mode does not do that.
For example, if you have a server that says “push route XXX.XXX.XXX.XXX”. The Network Manager connects fine and sets the default gateway to the server (which it should not, only for XXX.XXX.XXX.XXX) and also DNS and so on.
So if you do not have a DNS Server on the vpn server or some firewall rules, it fails. You can’t use “Only for this address …” in the Preferences because network manager sets the DNS server to the VPN Server.
This is the only problem I have.
Another question: is there a log created when network manager connects? I have not found anything … Maybe someone knows.
Greetz from Berlin and keep on with your nice blog
Erik
You can solve the DNS problem by simply pushing another dhcp server to the client instead of 10.8.0.1. The routing problem is probably intentional since the n-m vpn plugins allow you to specify which IP addresses should be routed over the VPN and it defaults to routing everything that way.
n-m logs to syslog and its logs end up in /var/log/syslog
[…] Easy openvpn with network-manager in feisty good notes on setting up your own forward-everything-over-the VPN network integrated with network-manager. Very useful when using laptops on open wireless networks while traveling. […]
You’re right, that works, thx for the hint. But if you don’t have access to the “Server” and are working in a company that would not do that “push DNS ..” for you, you can’t use nm.
Maybe I’m seeing this too complicated … but I always want to see things as an end-user and not always as a power-user … ;-)
thx and greetz
Erik
This is all great but I recently upgraded to Feisty and I can’t get nm-applet to show no matter what I do. Any help? I’ve added it to sessions and all that to no avail.
Thx in advance.
Jeffinator
Just got feisty today and discovered nm-networkmanager-pptp & nm-networkmanager-openvpn. pptp was drop-dead easy and works great. However, my openvpn client is for my work network and when I try to use the “import saved configuration” feature, I just get a blink and nothing. Syslog shows no message, the interface gives me no error message. openvpnadmin just finds my configuration file automatically. However, I’d love to have just that one network icon and not have to go find openvpnadmin to click on. Anybody successfully used the “import saved configuration” feature?
I can not even get the vpn configuration screens to appear.
When I click on “Configure VPN…” nothing happens and nothing is logged.
Did you install the n-m openvpn plugin? Did you restart networkmanager after doing that?
Is there any way I can get the home.conf? The link does not work. This tutorial is GREAT, except for not being able to get the conf file.
Try http://media.ubuntu-nl.org/home.conf
Hi, that link appears to be broken too. Could you post another?
Hello Dennis, could you please give me a link to the home.conf file?
thank you a lot.
Nice tutorial. Had the same problem with the home.conf since both links seem somewhat broken. But I found that one: http://web.archive.org/web/20070502190133/http://www.kaarsemaker.net/files/home.conf
thx
I followed this guide, and got everything up and running on my linux server at home. I now tunnel all traffic from my laptop whenever on a wifi connection through that VPN.
One problem I’m having and have been unable to find a solution to is that some google services don’t work through the VPN. Gmail and Google Docs are the two I know of for sure, but I suppose other Web 2.0 apps may have the same problem. All I get when I browse to these sites is a blank page. Does anyone know how to get these services working?
I installed network-manager-openvpn. That was the easy part. I configured a VPN connection that is known to work. However, I was unable to connect. When I use a client configuration file and do from a terminal it also fails and well due to a problem with the tun device. Executing works fine. The questions I have are the following.
1. Why does n-m-openvpn fail
2. Where does n-m-openvpn store the configuration
3. How do I solve the command line problem so I can work with openvpn without sudo.
Thanks,
Piet