By default OpenVPN only routes traffic to and from the OpenVPN Server. If you need all traffic from a client through the OpenVPN tunnel there are several options listed in the OpenVPN docs (http://openvpn.net/index.php/open-source/documentation/howto.html#redirect). Since I don’t have any control over the server in some cases I needed a client side solution. As I already have ufw running with Ubuntu I wanted to use the existing software.
Here is how to configure ufw to enable routing all traffic from your client machines through the OpenVPN Server.
Change default forward policy, edit /etc/sysctl.conf to permanently enable ipv4 packet forwarding. (Note: This will take effect at next boot).
sudo vim /etc/sysctl.conf
# Enable packet forwarding
And then configure ufw in /etc/default/ufw
sudo vim /etc/default/ufw
UFW before rules
Change /etc/ufw/before.rules to add the following code after the header and before the “*filter” line. Match the IP/subnet mask to the same one as in /etc/openvpn/server.conf.
sudo vim /etc/ufw/before.rules
# START OPENVPN RULES
# NAT table rules
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
# END OPENVPN RULES
Open openvpn port 1194
sudo ufw allow 1194
sudo service ufw start
I recently had a need to install a VPN service in a OpenVZ container. Since I normally only use Hardware emulating VM’s I ran into quite a few issues in terms of low-level networking support on this Container Virtualisation System. Turns out that you are stuck with a TUN/TAP solution as most services won’t enable PPP services on their infrastructure. Also Ethernet bridging is not available (at least on the service I used) so you’re stuck with NAT IP masquerading. Considering the options I thought best served with using OpenVPN server.
yum --enablerepo=epel -y install openvpn
cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/
These are the contents of /etc/openvpn/server.conf
local XXX.XXX.XXX.XXX #Server External IP
key SERVER.key #keep file secret
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 220.127.116.11" #using Google Public DNS
push "dhcp-option DNS 18.104.22.168" #using Google Public DNS
keepalive 10 120
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/openvpn/easy-rsa/2.0/* .
#Set the country (KEY_COUNTRY)
#organisation name (KEY_ORG)
#support email (KEY_EMAIL)
Create certificate authority
The CA key and certificate should not be in the keys directory inside the easy-rsa directory.
Create certificate for the server
Answer the questions and commit the certificate into the database
Create the Diffie Hellman files
These files are used for the actual key exchange to ensure the confidentiality over an insecure channel, aka the Internet. Based on the length of the key used (KEY_SIZE) it may take a while.
Copy crypto files
cp ca.crt SERVER.crt SERVER.key dh1024.pem /etc/openvpn/
Create the certificate for each client
Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
NAT Masquerading Setup
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
chkconfig openvpn on
apt-get install network-manager-openvpn
- Ensure that the client settings reflect EXACTLY the server setting (I learned the hard way wasting a lot of time on troubleshooting the fact that routing would not work – turned out to be a client setting ‘comp-lzo’ !)
- Ensure TUN/TAP services are enabled for your OpenVZ container (http://wiki.openvz.org/VPN_via_the_TUN/TAP_device)
ERROR: Linux ip link set failed: external program exited with error status: 255