The 'Point and Click' Home VPN HowTo Guide

contact: beakmyn <at> frontiernet <dot> net
The 'Point and Click' Home VPN HowTo Guide by beakmyn is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License
Rev 1.7, Jun 06, 2009

This document is under peer review and as such may change and may not be 100% correct or complete.

Best viewed at 1024x768 or better, using a computer.

A PDF COPY IS AVAILABLE HERE

Background

I travel a lot and many times I'm connecting to wireless hotspots or I'm in a foreign country. As such I don't always want everyone to know what websites I'm surfing or what message boards I'm posting to. I also want to be able to troubleshoot any problems on the home network while away. There are many methods by which one can anonymize their web traffic or at the minimum control, to some extent, who sees it and what they see. For me, using a random proxy server or Tor doesn't look so good when you don't know who is controling the end point server. 

Audience

This guide is for those who want to quickly set up and administer a OpenVPN server.  While the technical detail isn't high it does require some basic understanding of the Linux operating system. For those that are unsure, I have included screenshots in order to make things easier to understand. For those of you who refuse to acknowledge the existence of a GUI in Linux and swear by vi and ssh this guide isn't really for you. I've gone down that road and now I'm trying something different.

So, this guide is for those who want a straightforward 'point and click' solution that makes it very easy and gets you up and running with minimal effort. If you want to read about all the parameters, check the footnotes.



Disclaimer

The VPN  in this guide is a Tun routed solution, aka "Road Warrior". While Tun is more efficient and easier to administer it only passes TCP/IP traffic. It will not route IPX or NetBEUI for that you need a TAP configuration. It will route all web traffic from your client through the VPN. This does come at some cost of bandwidth. Most residential broadband packages limit your upstream speed. This is important because your web traffic will need to be uploaded from your VPN back to you. So while I've found that services like Hulu and Skype are bearable, there is a noticeable decrease in performance.

Software


Conventions Used

vpnuser@vpnserver:~$ This is command to type
This is text that was added to a file


Prerequisites

You'll want to set a static IP on your VPN server or at the very least set a permanent reservation in the DHCP pool for the VPN Server. You'll also want to create a port forward rule to forward all traffic on the WAN destined for Port 1194 of type UDP to the VPN Server. 

Let's Get Started: Installing Ubuntu

Insert your Ubuntu server CD-ROM press F4 and select Install a command-line system
You can choose any name you wish for the vpnserver however, since I'm not very creative I just call it vpnserver.
For partitioning I chose to let Ubuntu use the entire disk and not use LVM or encryption. If you do use encryption on the disk bear in mind that this will require you to enter a password at boot, before the system will start.

Installing Webmin

For installation we'll be using the author's maintained apt repository, which will require some configuration to use as it's not part of the standard Ubuntu repository.

Modify apt sources.list

We need to add webmin's repository to apt in order to download. Webmin doesn't have a specific Ubuntu repository but that' not a problem the one provided is compatible. You can use vi or nano or any other text editor to make the neccesary changes to your sources.list. In this guide I will be nano.

vpnuser@vpnserver:~$ sudo nano /etc/apt/sources.list

deb http://download.webmin.com/download/repository sarge contrib

Press Ctrl+X and Y to save. Press <enter> to use the current file name

Add the maintainer's GPG key

Next we need to get the GPG key for the repository so that apt will trust it.
vpnuser@vpnserver:~$ wget http://www.webmin.com/jcameron-key.asc
vpnuser@vpnserver:~$ sudo apt-key add jcameron-key.asc

Update your apt sources

vpnuser@vpnserver:~$ sudo apt-get update

Install Webmin package

vpnuser@vpnserver:~$ sudo apt-get install webmin

Now sit back and let Webmin install it'll take a little bit of time. All dependencies will automatically be included.


Once installed the Webmin server is accessible by using your web browser and navigating to https://<your server name>:10000/
We'll bring up the Webmin interface in a bit but first we need to install OpenVPN. If you don't have a local DNS then you'll need to access your VPN by using the IP address. If accessing it from a Window's OS then you add an entry to your host file.

Install OpenVPN

vpnuser@vpnserver:~$ sudo apt-get install openvpn

Access Webmin

It's not time to leave the console and remotely administer the server using Webmin. Fire up your browser of choice and head over to https://vpnserver:10000 . If your browser asks about an invalid self certificate you can add an exception and allow it.



We can now log into the Webmin interface. Take a moment to look around and get aquainted.Go ahead and poke around. I'll still be here when you get back. Really, go ahead and click those little green arrows on the left.

Setup IP forwarding and masquerading

In the Webmin interface click on the green arrow for Others and select File Manager. Navigate to /etc/sysctl.conf  and select edit. Uncomment the line:
net.ipv4.ip_forward=1

Click Save and Close

Setting Firewall rule(s) to allow VPN web traffic to redirect out eth0

First we'll assume that the firewall is not set up yet so click Reset Firewall. Now we need to add some rules. From Showing IPTables dropdown select Packet filtering  (filter) we'll created the following rules

Packet filtering  (filter)

Incoming Packets (INPUT)
Accept If state of connection is ESTABLISHED, RELATED
Connection statesEqualsExisting connection (ESTABLISHED)
(use Ctrl+Click to select multiple)Related to existing (RELATED)

Accept If input interface is eth0
Incoming interfaceequalseth0


Accept If input interface is tun0
Incoming interfaceEqualstun0

Accept If input interface is lo
Incoming interfaceEqualslo

Accept If protocol is TCP and destination ports are 10000
Network ProtocolEqualsTCP
Destination TCP or UDP PortEquals10000

Accept If protocol is UDP and destination ports are 1194
Network ProtocolEqualsUDP
Destination TCP or UDP PortEquals1194

Forwarded Packets (FORWARD)

Accept If input interface is tun0
Incoming interfaceEqualstun0

Network address translation (nat)

This is the rule that goes along with the VPN "push redirect-gateway". This allows the VPN web traffic to be routed out through your connection.
Packets after routing (POSTROUTING)
Masquerade If source is 10.8.0.0/24 and output interface is eth0
Source address or networkEquals10.8.0.0/24
Outgoing interfaceEqualseth0

Install OpenVPN-admin module

Click on the green arrow on the left to expand Webmin and select Webmin Configuration, then click on Webmin modules.
Now it's time to install the OpenVPN module. The Install tab should be select by default. Set the radio button to select From ftp or http URL and enter the following address to download the OpenVPN admin module.
http://www.openit.it/index.php/openit_en/content/download/3566/14487/file/openvpn-2.5.wbm.gz

Now click on Install Module. Once the module has installed you click on the green arrow on the left to expand Servers and you click on OpenVPN + CA. We'll be jumping around in here for the rest of the howto.

Creating the Certificate Authority
The first thing we need to do is create our Certificate Authority (CA)

Make the appropriate changes to Since this a home server you can really enter anything you want here. You can change the Key size to 1024 if you like. This pertains to the Diffie Hellman parameters key by which the server and client “can agree on a secret key over an insecure communication channel. Before a VPN connection is established, the channel is insecure, after all. “1




For this guide I'm going to leave everything at the default. Click on Save and the system will now create the Diffie Hellman file. This took 20 minutes on my machine. You'll see lots of ...+......+ and finally some ****

Click on Return to OpenVPN Administration then click on the icon Certificate Authority List and you'll see you're new CA listed.

ca list

Creating the Keys list

Now we need to create our keys. At a minimum you will need to create one (1) server key and one (1) client key. Each client will need it's own key.

Create the Server Key

server key
Set the key name. In my case I chose the very creative serverky. Set the Key Server to server, then click Save.

Once the key is created,Click on Return to Keys list of Certificate Authority changeme, where changeme is the name  you gave your CA.

Create the Client Key(s)

Each client will need it's own key. I suggest setting a password as this provides you with a two factor authentication. Just in case someone gets your key file they still need a password to authenticate and use the VPN.

NOTE: Minimum password and name length is four (4) characters

client key

Both keys should now be listedkeys

Go back to the Administration page and click on icon name VPN List

Add VPN to the list


Your CA should automatically be listed so all you need to do is click on the button labeled New VPN Server


Ok there's a lot of information here. Fortunately we don't need to change most of it. The image below has all the changing. Here's what was changed.

NameMyVPN
enable TLS and assume server role during TLS handshakeyes
Net IP assigns (option server)10.8.0.0 255.255.255.0
Persisit/unpersist fconfig-pool data to fileyes
Add an additional layer or HMAC authenticaion... yes
Limit server to a maximum of n concurrent clients3set your accordingly
Additional configurationspush "route 192.168.254.0 255.255.255.0"

To access all ressource on the server Lan

push "redirect-gateway"To redirect all your web traffic through your VPN 

push "dhcp-option DNS 192.168.254.254"

For Windows machines send DNS queries to VPN 

When you're all done click Save and return to VPN List

You're almost done.

Add Clients to Server

Click on Client List. Now we'll add the clients we created early to the VPN. Click on the button New VPN Client

Setup New Client on Server

Yes, it's another long list of parameters. Remember how one of the requirements is a DynDNS account? Well this is where you put in the hostname of the DYNDNS account you created.

remote (Remote IP)myvpn.dyndns.com

Now click Save. Rinse, lather and repeat for each additional client, the remote will stay the same.

Start your VPN Server

On Actions click on the text Start



After a few moments the Name will turn black and the action will change to Stop. This means your VPN server is running and ready to start using it.



Setup Client Machine

On the VPN Client list click on the Export text. This will allow you to download the <clientName>.tgz file. IT contains everything you need to put in the config directory of your OpenVPN config directory on your client machine. Isn't technology wonderful?!



Testing the VPN Server using the OpenVPN client GUI from Windows

Be sure to install the "latest" development beta of OpenVPN (OpenVPN 2.1_beta7 & OpenVPN GUI 1.0.3) as the push options we created are not valid for release 2.0.9

After uncompressing the .tgz file to your client conf directory. Start up your VPN Client program




You'll see a bunch of message fly by and after a few moments you'll see the ballon popup



You're Done!

Other things to try

Not that you've got the VPN up and running why not install and enable ssh. Then you can get a remote console using putty.
Or perhaps you'd like some file storage, in that case then you'll want to install and enable SAMBA.

Bypassing Wifi Hotspot Logins AKA DNS Tunneling

So for entirely educational  purposes it's possible to set the VPN to run on Port 53 rather then 1194 (don't forget iptables rules).
 I have a FON router at home and rather then log into my own FON router, I simply VPN into my own network and bypass my FON login.

My traffic is now encrypted on the un-encrypted WIFI. You could do the same thing with most WiFi hotspots.  You'll want to diable DnsMasq if it's running and also set Ping-restart 0 in the server.conf file. The ping-restart is to disable the client from ping the server as a keep-alive. Since ping is blocked it's pointless as you would find your connection restarting every few minutes due to timeout.

Creative Commons License
The 'Point and Click' Home VPN HowTo Guide by beakmyn is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License

1http://articles.techrepublic.com.com/5100-22_11-5687400.html