TUTORIAL Easy OpenVPN

Discussion in 'Add-On Install Instructions' started by dad311, Dec 17, 2010.

  1. Wish I could, Ward. Unfortunately, there is no version of the Tomato firmware (used on routers) that natively supports Hamachi, whereas there is for OpenVPN. That means that you can make all communication through that router go through the VPN tunnel if you like, but only when using OpenVPN, sadly.
  2. newvoiper New Member

    I flashed my LG Optimus V to a Cyanogen7 7.1RC (Gingerbread) ROM, mainly for the OpenVPN client support that is built into this ROM. My OpenVPN server is on my PBX.

    Using the mobile network, I could get my server to authenticate the client and assign IP addresses, with the default server.conf configuration for OpenVPN. Then the client (Optimus) immediately refused the connection.

    Here are the log entries:

    Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Sep 21 21:30:13 pbx openvpn[20925]: <snip>:36700 [LGPhone] Peer Connection Initiated with <snip>:36700
    Sep 21 21:30:13 pbx openvpn[20925]: LGPhone/<snip>:36700 MULTI: Learn: 10.8.0.10 -> LGPhone/<snip>:36700
    Sep 21 21:30:13 pbx openvpn[20925]: LGPhone/<snip>:36700 MULTI: primary virtual IP for LGPhone/<snip>:36700: 10.8.0.10
    Sep 21 21:30:15 pbx openvpn[20925]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

    One thing I noticed that seemed strange: the IP in the logs is not the IP of my Optimus on Virgin Mobile's network; it seems to try connecting to a proxy server on my mobile network.

    Has anyone else got CM7 to work with OpenVPN?
  3. MyKroFt Guru

    Am now just finally getting back to this - damn Hamachi...

    I am going to assume I create a client in pfSense OpenVPN, which looks like it is storing its files in /var/etc/openvpn.

    I have server1 and client2 sets of files (only have 1 client defined). Am I right to assume the client2.* files are what I need?

    Thanks
    Myk
  4. dad311 Guru

    Here is a listing of my client files in /etc/openvpn on the PBX.

    Code:
    root@pbx:/etc/openvpn $ ls
    ca.crt client1.conf client1.crt client.key client1.tar ta.key

    The .conf file may need to be edited to point to the correct directory for the above files.

    When the first Easy OpenVPN script finishes, it will ask you to edit some files. Ignore this step if you are only setting up an OpenVPN client.

    Of all the open source stuff I have, OpenVPN may be the most reliable. Once set up, it runs non-stop and auto-reconnects if needed. It's been bulletproof for over 3 years.
  5. MyKroFt Guru

    here are the files in my /var/etc/openvpn dir

    Code:
    client2.ca              client2.tls-auth        server1.key
    client2.cert            server1.ca              server1.sock
    client2.conf            server1.cert            server1.tls-auth
    client2.key             server1.conf            server1.tls-verify.php
    client2.sock            server1.crl-verify
    So all I need are the client2.* files minus the .sock file?

    here is the contents of client2.conf, sanitized...

    Code:
    dev ovpnc2
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_client2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.xx.xx.xx
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client2.sock unix
    remote xxxxx.dyndns.org 1194
    ifconfig 192.168.1.2 192.168.1.1
    I am over my head here :(

    Myk
  6. dad311 Guru

    I would copy ALL the client2 files to the client machine. Restart OpenVPN, then check your /var/log/messages file for errors.
  7. MyKroFt Guru

    OK, getting somewhere slowly...

    execute:

    Code:
    root@pbx:/etc/openvpn $ service openvpn start
    Starting openvpn: [  OK  ]
    here is what /var/log/messages states:

    Code:
    Jan 21 10:54:25 pbx openvpn[12931]: OpenVPN 2.1.0 i686-pc-linux-gnu [SSL] [LZO1] [EPOLL] [PKCS11] built on Jan 20 2012
    Jan 21 10:54:25 pbx openvpn[12931]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 21 10:54:25 pbx openvpn[12931]: WARNING: file '/etc/openvpn/client2.key' is group or others accessible
    Jan 21 10:54:25 pbx openvpn[12931]: LZO compression initialized
    Jan 21 10:54:25 pbx openvpn[12931]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Jan 21 10:54:26 pbx openvpn[12931]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Jan 21 10:54:26 pbx openvpn[12931]: Local Options hash (VER=V4): '1a7820b3'
    Jan 21 10:54:26 pbx openvpn[12931]: Expected Remote Options hash (VER=V4): '3e6cc37d'
    Jan 21 10:54:26 pbx openvpn[12932]: Socket Buffers: R=[110592->131072] S=[110592->131072]
    Jan 21 10:54:26 pbx openvpn[12932]: UDPv4 link local (bound): [undef]:1194
    Jan 21 10:54:26 pbx openvpn[12932]: UDPv4 link remote: 174.19.16.29:1194
    but no other device shows up in ifconfig with an IP address...

    ideas?

    thanks
    Myk
  8. dad311 Guru

    No other messages? No error messages?

    Also check the log file on your pfSense server for clues.
  9. MyKroFt Guru

    openvpn[215]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.0.29:1194

    over and over on the pfsense box
  10. MyKroFt Guru

    After 60 seconds I get this added to messages:

    Jan 21 12:17:05 pbx openvpn[14313]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Jan 21 12:17:05 pbx openvpn[14313]: TLS Error: TLS handshake failed
    Jan 21 12:17:05 pbx openvpn[14313]: TCP/UDP: Closing socket
    Jan 21 12:17:05 pbx openvpn[14313]: SIGUSR1[soft,tls-error] received, process restarting
    Jan 21 12:17:05 pbx openvpn[14313]: Restart pause, 2 second(s)
  11. MyKroFt Guru

    here is the current .conf file...

    Code:
    port 1194
    dev /dev/tun
    proto udp
    remote xxxxxxxxxx.dyndns.org 1194
    ping 30

    persist-tun
    persist-key

    cipher AES-128-CBC

    tls-client

    ca /etc/openvpn/client2.crt
    cert /etc/openvpn/client2.crt
    key /etc/openvpn/client2.key

    ns-cert-type server
    comp-lzo
  12. MyKroFt Guru

  13. MyKroFt Guru

    added

    auth /etc/openvpn/client2.tls-auth

    to the .conf file and now get:

    Jan 21 12:33:17 pbx openvpn[14703]: Message hash algorithm '/etc/openvpn/client2.tls-auth' not found (OpenSSL)
    Jan 21 12:33:17 pbx openvpn[14703]: Exiting

    the client2.tls-auth came from the pfSense router....

    so I think I am getting close....

    Myk
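The three errors traded back and forth in posts 7, 9, 11 and 13 above all come from the client side of the config and are cheap to catch before starting the daemon. `auth` selects the HMAC digest for the data channel (SHA1, SHA256, ...), so handing it a file path produces the "Message hash algorithm ... not found" exit in post 13; the pfSense-exported client2.tls-auth is a static key that belongs on `tls-auth FILE 1`, and without it a server that uses tls-auth discards every packet with exactly the "cannot locate HMAC in incoming packet" line from post 9. `ca` has to name the CA certificate (client2.ca in the export), not the client certificate, and the WARNING in post 7 is OpenVPN noticing the private key is group/other readable. The script below is an added example for this thread, not part of the Easy OpenVPN scripts or of pfSense; the file names, the `vpn.example.org` host and the two sample configs it builds are constructed for illustration, and the certificate and key files it writes are text placeholders rather than real PEM material.

```shell
#!/bin/sh
# lint_ovpn_client.sh: pre-flight lint for an OpenVPN client config. Added
# example for this thread, not part of Easy OpenVPN or pfSense. It reports
# the mistakes from posts 7, 9, 11 and 13 before 'service openvpn start' does:
# 'ca' naming the client cert, the HMAC key on 'auth' instead of 'tls-auth',
# a group/other-readable key, no tls-auth line, no server-cert check.

# resolve_path CONFDIR PATH: relative paths are taken from the config's
# directory (OpenVPN uses its cwd, so start it with --cd for these to agree)
resolve_path() {
    case $2 in /*) printf '%s\n' "$2" ;; *) printf '%s/%s\n' "$1" "$2" ;; esac
}
# true if columns 5-10 of 'ls -l' (group/other) hold any permission bit,
# which is what OpenVPN's "group or others accessible" WARNING checks
group_or_other_access() { ls -ld -- "$1" | cut -c5-10 | grep -q '[^-]'; }
finding() { echo "  $1"; count=$((count + 1)); }

# lint_config CONF: prints one finding per line, returns the finding count
lint_config() {
    confdir=$(dirname "$1"); count=0
    ca=; cert=; key=; tlsauth=; tlsdir=; authraw=; authfile=; servercheck=0; nscert=0
    while read -r directive arg1 arg2 rest; do
        case $directive in
            ''|'#'*|';'*) continue ;;
            ca)       ca=$(resolve_path "$confdir" "$arg1") ;;
            cert)     cert=$(resolve_path "$confdir" "$arg1") ;;
            key)      key=$(resolve_path "$confdir" "$arg1") ;;
            tls-auth) tlsauth=$(resolve_path "$confdir" "$arg1"); tlsdir=$arg2 ;;
            auth)     authraw=$arg1; authfile=$(resolve_path "$confdir" "$arg1") ;;
            remote-cert-tls) servercheck=1 ;;
            ns-cert-type)    servercheck=1; nscert=1 ;;
        esac
    done < "$1"
    for f in "$ca" "$cert" "$key" "$tlsauth"; do
        if [ -n "$f" ] && [ ! -f "$f" ]; then finding "missing file: $f"; fi
    done
    if [ -n "$ca" ] && [ "$ca" = "$cert" ]; then
        finding "'ca' and 'cert' name the same file; 'ca' must be the CA cert (client2.ca in the pfSense export)"
    fi
    if [ -f "$key" ] && group_or_other_access "$key"; then
        finding "private key is group/other accessible: chmod 600 $key"
    fi
    # 'auth' names a digest (SHA1, SHA256); a path there is the mistake in post 13
    if [ -f "$authfile" ] || [ "${authraw#*/}" != "$authraw" ]; then
        finding "'auth' takes a digest name; the static key file belongs on: tls-auth $authraw 1"
    fi
    if [ -z "$tlsauth" ]; then
        finding "no tls-auth line; a server that uses one drops the packets: 'cannot locate HMAC in incoming packet'"
    elif [ -z "$tlsdir" ]; then
        finding "tls-auth has no key direction; a pfSense server uses 0, so the client needs 1"
    fi
    if [ "$servercheck" -eq 0 ]; then
        finding "no 'remote-cert-tls server': any holder of a client cert from this CA could pose as the server"
    elif [ "$nscert" -eq 1 ]; then
        finding "ns-cert-type works on 2.1 but is deprecated (removed in 2.5); use 'remote-cert-tls server'"
    fi
    return $count
}
# make_sample_tree: temp dir with two constructed setups (not files from the
# thread): bad/ is modelled on post 13's config, good/ is the corrected form.
make_sample_tree() {
    top=$(mktemp -d) || return 1
    for d in bad good; do
        mkdir "$top/$d"
        for f in client2.ca client2.cert client2.key client2.tls-auth; do
            echo "placeholder $f (constructed, not real PEM data)" > "$top/$d/$f"
        done
    done
    chmod 644 "$top/bad/client2.key"; chmod 600 "$top/good/client2.key"
    cat > "$top/bad/client2.conf" <<EOF
remote vpn.example.org 1194
ca $top/bad/client2.cert
cert $top/bad/client2.cert
key $top/bad/client2.key
auth $top/bad/client2.tls-auth
ns-cert-type server
EOF
    cat > "$top/good/client2.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.org 1194
ca client2.ca
cert client2.cert
key client2.key
tls-auth client2.tls-auth 1
auth SHA1
cipher AES-128-CBC
remote-cert-tls server
EOF
    printf '%s\n' "$top"
}
if [ $# -gt 0 ]; then lint_config "$1"; exit $?; fi
sample=$(make_sample_tree)          # no argument: lint the constructed samples
for d in bad good; do
    echo "== $d/client2.conf"; if lint_config "$sample/$d/client2.conf"; then echo "  clean"; fi
done
rm -rf "$sample"
```

Run it as `sh lint_ovpn_client.sh /etc/openvpn/client2.conf`; with no argument it lints the two built-in samples, and the exit status is the number of findings, so it can gate the init script. Once it reports clean, `openssl verify -CAfile /etc/openvpn/client2.ca /etc/openvpn/client2.cert` confirms the client certificate chains to that CA, and comparing `openssl x509 -noout -modulus -in client2.cert` with `openssl rsa -noout -modulus -in client2.key` confirms the key belongs to the certificate, which covers the one pairing the lint cannot check without OpenSSL. The `remote-cert-tls server` check is the one item not in the thread's configs that is worth adding anyway: without it, or its older `ns-cert-type server` form, any client certificate issued by the same CA would be accepted as the server.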
  14. dad311 Guru

  15. dad311 Guru

    All the links in post one have been updated to reflect several changes to the Easy OpenVPN project.

    Changes / additions include:

    • CentOS 6 amd64 OS.
    • OpenVPN client username & password authentication (OpenVZ template).
    • Scripts to build an OpenVPN server with DD-WRT clients on CentOS 6.
  16. stuck Member

    dad311,
    I know this thread is old, but I am interested in installing Easy OpenVPN on my existing RentPBX machine (configured with Travelin' Man 3). The main reason is to see if I can resolve a registration issue with one remote site behind pfSense that has a mixture of various endpoints.
    Do you know how (if possible) to make OpenVPN play nicely with Travelin' Man 3? On a test system, the script wipes all of Travelin' Man 3's iptables entries...
  17. dad311 Guru

    It appears that some of the links in the thread no longer work. Below are the Easy-OpenVPN scripts for version 1.2. These scripts will create DD-WRT and Yealink clients.

    Attached Files:

  18. ghurty Senior Member

    Is there an Ubuntu version of this script?

    Thank you
