Hello Guys,
I just have some questions that I would like to confirm.
1. Windows client needs key, cert and .opvn files to connect to the server. We can generate the key and cert in Ubuntu OpenVPN server but how can we generate that .opvn file?
2. What client should we use for Windows in order to connect to the VPN: the OpenVPN desktop client for Windows http://openvpn.net/index.php/access-ser ... w/357.html or the community OpenVPN installer for Windows http://openvpn.net/index.php/download/c ... downloads.? I would just like to confirm because it says in the description that the OpenVPN desktop client is only compatible with OpenVPN Access Server.
3. If we install OpenVPN on Ubuntu using this command (sudo apt-get install openvpn), are we using the community installer?
Thank You,
Arnel
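For question 1, a client profile on Windows is the client configuration saved with the .ovpn extension, and the CA, certificate and key can be embedded in it as inline blocks instead of referenced by path. The following is an added example, not part of the original post; the directives mirror the client config posted later in this thread, and the host name vpn.example.net and the PEM bodies are constructed placeholders.

```python
import os
import re

# Matches one PEM object; easy-rsa .crt files also hold a text dump above it.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def pem_only(text):
    """Return only the PEM block from a cert/key file's contents."""
    match = PEM_BLOCK.search(text)
    if match is None:
        raise ValueError("no PEM block found")
    return match.group(0)

def build_profile(remote_host, port, ca_pem, cert_pem, key_pem):
    """Build a client profile with ca/cert/key embedded as inline blocks."""
    lines = [
        "client", "dev tun", "proto udp",
        f"remote {remote_host} {port}",
        "resolv-retry infinite", "nobind", "persist-key", "persist-tun",
        "ns-cert-type server", "comp-lzo", "verb 3",
    ]
    for tag, pem in (("ca", ca_pem), ("cert", cert_pem), ("key", key_pem)):
        lines += [f"<{tag}>", pem_only(pem), f"</{tag}>"]
    return "\n".join(lines) + "\n"

def write_profile(path, profile):
    """Create the file owner-only: the profile now contains the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(profile)

# Constructed placeholder material, not real certificates or keys.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ0EgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
               "-----BEGIN CERTIFICATE-----\nQ0VSVCBQTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nS0VZIFBMQUNFSE9MREVS\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(build_profile("vpn.example.net", 1194, SAMPLE_CA, SAMPLE_CERT, SAMPLE_KEY))
```

Because the resulting file carries the client's private key, it should be moved to the client over a protected channel and kept readable only by the user who runs the VPN.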
How to generate .opvn file from Ubuntu OpenVPN server?
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Re: How to generate .opvn file from Ubuntu OpenVPN server?
Thanks Sandy. 
I was able to connect the Windows client to the OpenVPN server now, but the client was not able to access its local resources anymore until it disconnects from the VPN. I tried uncommenting this line in the /etc/sysctl.conf file.
net.ipv4.ip_forward=1
And adding this to the /etc/rc.local file.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Same as what is mentioned at the bottom of this post, but it still doesn't work. Any idea?
Thank You,
Arnel

Re: How to generate .opvn file from Ubuntu OpenVPN server?
Okay. Here are my config files.
### SERVER ###
local 10.10.1.37
port 1194
proto udp
dev tun
ca ca.crt
cert monitor.crt
key monitor.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.1.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
### CLIENT ###
client
dev tun
proto udp
remote 216.218.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca C:\\Users\\Administrator\\Desktop\\ca.crt
cert C:\\Users\\Administrator\\Desktop\\testpc.crt
key C:\\Users\\Administrator\\Desktop\\testpc.key
ns-cert-type server
comp-lzo
verb 3
Can't find my OpenVPN logs in Ubuntu 12.04, where can I find them? I'll post them back along with the client's log.
Thanks,
Arnel
Re: How to generate .opvn file from Ubuntu OpenVPN server?
Got it, thanks.
### SERVER ###
OpenVPN CLIENT LIST
Updated,Fri Nov 22 14:35:48 2013
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
testpc,122.53.1xx.xx:62755,62522,46269,Fri Nov 22 13:37:09 2013
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,testpc,122.53.1xx.xx:62755,Fri Nov 22 14:35:54 2013
GLOBAL STATS
Max bcast/mcast queue length,0
END
### CLIENT ###
Sat Nov 23 05:35:33 2013 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Sat Nov 23 05:35:33 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Nov 23 05:35:33 2013 UDPv4 link local: [undef]
Sat Nov 23 05:35:33 2013 UDPv4 link remote: [AF_INET]216.218.xxx.xxx:1194
Sat Nov 23 05:35:33 2013 TLS: Initial packet from [AF_INET]216.218.xxx.xxx:1194, sid=df1130c3 0312d1b5
Sat Nov 23 05:35:34 2013 VERIFY OK: depth=1, C=US, ST=CA, L=Newark, O=SOLUTIONaaS, OU=IT Dept., CN=monitor, name=monitor, emailAddress=someone@domain.com
Sat Nov 23 05:35:34 2013 VERIFY OK: nsCertType=SERVER
Sat Nov 23 05:35:34 2013 VERIFY OK: depth=0, C=US, ST=CA, L=Newark, O=SOLUTIONaaS, OU=IT Dept., CN=monitor, name=monitor, emailAddress=someone@domain.com
Sat Nov 23 05:35:36 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 23 05:35:36 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 23 05:35:36 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 23 05:35:36 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 23 05:35:36 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Nov 23 05:35:36 2013 [monitor] Peer Connection Initiated with [AF_INET]216.218.xxx.xxx:1194
Sat Nov 23 05:35:38 2013 SENT CONTROL [monitor]: 'PUSH_REQUEST' (status=1)
Sat Nov 23 05:35:38 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.10.1.0 255.255.255.0,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sat Nov 23 05:35:38 2013 OPTIONS IMPORT: timers and/or timeouts modified
Sat Nov 23 05:35:38 2013 OPTIONS IMPORT: --ifconfig/up options modified
Sat Nov 23 05:35:38 2013 OPTIONS IMPORT: route options modified
Sat Nov 23 05:35:38 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Nov 23 05:35:38 2013 open_tun, tt->ipv6=0
Sat Nov 23 05:35:38 2013 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{6883E6D7-75EF-4C65-8DEB-E9E699AAA1DD}.tap
Sat Nov 23 05:35:38 2013 TAP-Windows Driver Version 9.9
Sat Nov 23 05:35:38 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {6883E6D7-75EF-4C65-8DEB-E9E699AAA1DD} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sat Nov 23 05:35:38 2013 Successful ARP Flush on interface [38] {6883E6D7-75EF-4C65-8DEB-E9E699AAA1DD}
Sat Nov 23 05:35:43 2013 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
Sat Nov 23 05:35:43 2013 C:\Windows\system32\route.exe ADD 10.10.1.0 MASK 255.255.255.0 10.8.0.5
Sat Nov 23 05:35:43 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sat Nov 23 05:35:43 2013 Route addition via IPAPI succeeded [adaptive]
Sat Nov 23 05:35:43 2013 C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.8.0.5
Sat Nov 23 05:35:43 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sat Nov 23 05:35:43 2013 Route addition via IPAPI succeeded [adaptive]
Sat Nov 23 05:35:43 2013 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sat Nov 23 05:35:43 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sat Nov 23 05:35:43 2013 Route addition via IPAPI succeeded [adaptive]
Sat Nov 23 05:35:43 2013 Initialization Sequence Completed
Sat Nov 23 06:35:36 2013 TLS: soft reset sec=0 bytes=93693/0 pkts=1153/0
Sat Nov 23 06:35:47 2013 VERIFY OK: depth=1, C=US, ST=CA, L=Newark, O=SOLUTIONaaS, OU=IT Dept., CN=monitor, name=monitor, emailAddress=someone@domain.com
Sat Nov 23 06:35:47 2013 VERIFY OK: nsCertType=SERVER
Sat Nov 23 06:35:47 2013 VERIFY OK: depth=0, C=US, ST=CA, L=Newark, O=SOLUTIONaaS, OU=IT Dept., CN=monitor, name=monitor, emailAddress=someone@domain.com
Sat Nov 23 06:36:12 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 23 06:36:12 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 23 06:36:12 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 23 06:36:12 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 23 06:36:12 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Arnel
Re: How to generate .opvn file from Ubuntu OpenVPN server?
Yes, I copied this log from the client located at C:\Program Files (x86)\OpenVPN\log\testpc.txt.
That is correct, 10.10.1.0/24 is the server's subnet and 192.168.1.0/24 is the client's subnet.
Thank You,
Arnel
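A pushed route that overlaps the client's own LAN is a common reason a client loses local access while the tunnel is up, so it is worth checking the PUSH_REPLY in a client log against the subnet the client sits on. The following is an added example, not part of the original posts; it assumes the client's LAN prefixes are known and supplied by the operator, and the sample line is the PUSH_REPLY from the client log posted above.

```python
import ipaddress
import re

PUSH_REPLY = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")

def pushed_routes(log_text):
    """Return the networks named by 'route' options in PUSH_REPLY log lines."""
    networks = []
    for match in PUSH_REPLY.finditer(log_text):
        for option in match.group(1).split(","):
            fields = option.split()
            if len(fields) < 2 or fields[0] != "route":
                continue
            # A pushed route without a netmask is a host route.
            mask = fields[2] if len(fields) > 2 else "255.255.255.255"
            networks.append(ipaddress.ip_network(f"{fields[1]}/{mask}", strict=False))
    return networks

def lan_conflicts(log_text, local_lans):
    """List (pushed route, local LAN) pairs whose address ranges overlap."""
    lans = [ipaddress.ip_network(lan) for lan in local_lans]
    return [(str(route), str(lan))
            for route in pushed_routes(log_text)
            for lan in lans if route.overlaps(lan)]

# PUSH_REPLY line as it appears in the client log posted in this thread.
SAMPLE_LOG = ("Sat Nov 23 05:35:38 2013 PUSH: Received control message: "
              "'PUSH_REPLY,route 10.10.1.0 255.255.255.0,route 192.168.1.0 255.255.255.0,"
              "route 10.8.0.1,topology net30,ping 10,ping-restart 120,"
              "ifconfig 10.8.0.6 10.8.0.5'\n")

if __name__ == "__main__":
    for route, lan in lan_conflicts(SAMPLE_LOG, ["192.168.1.0/24"]):
        print(f"pushed route {route} overlaps local LAN {lan}")
```

With the client LAN given as 192.168.1.0/24, the check reports the pushed 192.168.1.0/24 route, which corresponds to the `push "route 192.168.1.0 255.255.255.0"` line in the server config posted above.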
Re: How to generate .opvn file from Ubuntu OpenVPN server?
Thanks Debbie. I just have a few questions though.
1. When enabling IP forwarding, is running this command (echo 1 > /proc/sys/net/ipv4/ip_forward) similar to uncommenting the line below in /etc/sysctl.conf?
net.ipv4.ip_forward=1
2. How can I enable TUN forwarding on the OpenVPN server machine?
3. Is the TUN forwarding equal to NAT-ting, wherein we forward the OpenVPN traffic from the public IP of the server to its internal IP?
4. How do I do the step below?
“Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).”
Thanks again,
Arnel
Re: How to generate .opvn file from Ubuntu OpenVPN server?
Thanks a lot Debbie. Appreciate your help. I'll try to find out how to add that routing on our firewall.
By the way, when you said "I have never had to do this.", does it mean it's not necessary? Just to confirm.
Thank You,
Arnel