I've spent several days trying to set up an OpenVPN server and failing miserably, so I am in an urgent need for help. Let me explain you what my situation and needs are and what I have done.
I need to set up an OpenVPN server running on a Windows 10 machine. The clients would be on Windows 10 and Linux machines eventually, but right now I urgently need to connect one Linux client. "Urgently", meaning I'm on a deadline and have a couple of weeks to get it working flawlessly.
The purpose of the VPN is to keep the Internet connection of the clients secure even if they are using untrustworthy Internet providers (think public hotspots, etc.). The clients do not need to access assets on a LAN, each other, etc.
The server needs to be able to run unattended. That is, if the machine it runs on is rebooted for some reason (like a power failure), the server has to start automatically without any human intervention like manually starting services or programs or clicking on things like "Connect".
These are my needs and they are non-negotiable. Please do not waste my time and yours by suggesting me to do something else. In particular:
- Do not tell me to use the VPN server that is built in Windows 10.
- Do not tell me to install the server on a different OS (e.g., Linux), physical or in the cloud.
- Do not tell me to use a paid VPN provider; I need to run the server on a metal we own and trust.
- Do not tell me to use a different VPN server software, unless you are 100% certain that what I need cannot be done with OpenVPN.
I was following mostly this guide for setting up an OpenVPN server on Windows.
Something that is not covered by the guide and that wasted me two days full of frustration. When you are installing the software, make sure you check "OpenVPN RSA Certificate Management Scripts". It is not checked by default and if these are not installed, the above guide is mostly useless, because it uses them.
So, I went like "where the blazes is this easy-rsa folder the guide is talking about?!". It wasn't helpful that when I went googling for it, some site suggested that this is no longer part of the OpenVPN distribution and pointed me to a GitHub page, which is clearly designed for Linux, supports commands different from the ones in the guide and asks you to install some Linux-on-Windows crap like mksh and, generally, WTF?!
Anyway. After installing the scripts, the guide started making sense.
One more thing. Initially I installed the package as a regular user (who knows the administrator password, in order to get past the UAC) and I've put it in the default directory. This was probably a mistake. Trying to do anything serious on Windows as a regular user is a f*cking nightmare and trying to modify things in "Program Files" is a f*cking nightmare even if you are Administrator.
So, I ended up scrapping everything, logging in as Administrator and installing the software in "C:\OpenVPN". It might be a good idea to modify the guide and the installer to account for such things.
I made sure that the OpenVPN service is running and is set on Automatic.
I modified the firewall configuration to allow UDP port 1194 in both directions and turned off the firewall for the TAP network.
BTW, by default the OpenVPN service isn't started and is set to Manual. This probably needs to be fixed.
I have also set up the location of the config files and the logs to be "C:\OpenVPN\config" and "C:\OpenVPN\log" respectively in the OpenVPN GUI, instead of the default in the user directory (C:\Users\Administrator\OpenVPN). I am a bit unsure about this and about the main purpose of the GUI as a whole. If it is meant to control the server, then the config and log files should not be in a user directory. If, OTOH, it is meant to control a client, then I probably shouldn't have installed it on the server at all.
At this point the TAP driver is installed, but Windows reports that the "cable is unplugged" on that network.
Not sure what this means but it doesn't sound good. Ignoring this problem for now, continuing with the installation.
I modified the file vars.bat not just the way mentioned in the guide but also to reflect the actual OpenVPN directory (which is NOT in "Program Files"). You might want to modify the guide to cover this part or, even better, make the installer set up this environment variable. I also modified the DH key to use 2048 bits instead of 1024.
The sample config files (*.ovpn) use Linux end-of-line marks. This makes it practically impossible to edit them with Notepad. Come on, folks, fix this. It's a Windows installation package, you can afford to put Windows text files inside! (Yes, I know that I can use another editor to edit them, but, sriously, WTF.)
When editing the server.ovpn file, it's not quite clear to me what to do about the "TUN/TAP" section. By default, it is set to "tun". Should I change it to "tap"? Especially given that the TAP interface doesn't seem to be working?
I set the ca, cert, key, dh and ifconfig-pool-persist parts to point to corresponding files in the C:\OpenVPN\config directory:
Code: Select all
ca "C:\\OpenVPN\\config\\ca.crt"
cert "C:\\OpenVPN\\config\\server.crt"
key "C:\\OpenVPN\\config\\server.key"
dh "C:\\OpenVPN\\config\\dh2048.pem"
ifconfig-pool-persist "C:\\OpenVPN\\config\\ipp.txt"
Code: Select all
tls-auth "C:\\OpenVPN\\config\\ta.key" 0
Code: Select all
status "C:\\OpenVPN\\log\\openvpn-status.log"
log "C:\\OpenVPN\\log\\openvpn.log"
I didn't touch any of the other configuration options; I don't understand most of them anyway.
I edited the client.ovpn file as described in the guide - but mostly as an exercise; not because I intend to use it right now. Remember, my first priority is to connect a Linux client, and there I have a nice GUI applet for setting up such stuff. I'll just remember to copy the client CRT and KEY files, and ta.key, and also set the corresponding ta option in the client to 1 (it is 0 on the server).
The guide then goes to say that I should copy the ca.crt, dh1024.pem, server.crt, server.key, and server.ovpn files from the C:\Program Files\OpenVPN\easy-rsa\ directory to the config directory on the server. This is wrong. There are no such files (except server.ovpn) in the easy-rsa directory. They are in the "keys" subdirectory of that directory (or whatever else you might have named it in vars.bat). Consider modifying the guide to reflect this.
The guide then says to start the OpenVPN GUI and double-click on the icon in the tray to connect. This is fine and dandy (I clicked, and it connected) - but I want the server to be able to run unattended, remember? What is going to happen if the server reboots and there is nobody around to log in as administrator and click on any icons??
The guide doesn't mention it, but I think I need to copy the file ta.key to the client, too.
Both the server and the client are behind a NAT. I created a firewall rule on the client, opening UDP port 1194 in both directions. I also opened this port on the router of the server. Do I need to do the same for the client(s)?
The server has static IP addresses - both external (assigned by the ISP) and internal (assigned by the router), so at least that part won't be a problem.
Sadly, the client does not want to connect. Syslog of the client:
Code: Select all
Feb 19 15:25:46 vesselin-pc NetworkManager[1246]: <info> Starting VPN service 'openvpn'...
Feb 19 15:25:46 vesselin-pc NetworkManager[1246]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 21508
Feb 19 15:25:46 vesselin-pc NetworkManager[1246]: <info> VPN service 'openvpn' appeared; activating connections
Feb 19 15:25:46 vesselin-pc nm-openvpn[21511]: OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Feb 19 15:25:46 vesselin-pc nm-openvpn[21511]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 19 15:25:46 vesselin-pc nm-openvpn[21511]: Control Channel Authentication: using '/home/bontchev/.openvpn/ta.key' as a OpenVPN static key file
Feb 19 15:25:46 vesselin-pc nm-openvpn[21511]: UDPv4 link local: [undef]
Feb 19 15:25:46 vesselin-pc nm-openvpn[21511]: UDPv4 link remote: [AF_INET]195.96.252.188:1194
Feb 19 15:26:26 vesselin-pc nm-openvpn[21511]: SIGTERM[hard,] received, process exiting
Feb 19 15:26:31 vesselin-pc NetworkManager[1246]: <info> VPN service 'openvpn' disappeared
Code: Select all
Starting Nmap 6.40 ( http://nmap.org ) at 2017-02-19 15:30 EET
Nmap scan report for mail.x.x.bg (195.x.x.188)
Host is up (0.0050s latency).
PORT STATE SERVICE
1194/udp open|filtered openvpn
Code: Select all
Sun Feb 19 14:55:25 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Sun Feb 19 14:55:25 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Feb 19 14:55:25 2017 setsockopt(IPV6_V6ONLY=0)
Sun Feb 19 14:55:25 2017 UDPv6 link local (bound): [AF_INET6][undef]:1194
Sun Feb 19 14:55:25 2017 UDPv6 link remote: [AF_UNSPEC]
Sun Feb 19 14:55:25 2017 MULTI: multi_init called, r=256 v=256
Sun Feb 19 14:55:25 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Basically, I am stuck at this point. The client doesn't connect and I have no idea why. Any help would be appreciated.