Monday, 1 August 2011

Install OpenVPN with all traffic routed through

New: my server is now located in Hong Kong, and is running Debian 6 / OpenVZ

How to install an OpenVPN server? What I wanted was a fully routed VPN server, I mean: all traffic from the PC's applications transparently routed through the gateway, just by establishing the VPN connection, and without having to set up a proxy. OpenVPN allows that.

First step: get a Linux server. If you want to bypass the Great Firewall, I recommend http://vpshosting.com.hk, good prices and support.

But when running OpenVPN, I got the following error:
Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory

Don't panic: if, like me, you are running a virtual server, the TUN interface might be disabled by default for your container. Kindly mail your hosting provider so they enable it for you ("dear sir/madam, please enable the TUN interface for my container"; mine took one hour).

To ensure the TUN interface is enabled, check this:
cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state <- means TUN exists :)


Second step: install OpenVPN. With Debian it takes one command:
apt-get install openvpn

Third step: configure VPN

A warning first: here are some errors I made that slowed me down.
1_ Don't read 10 tutorials at a time. Focus on http://openvpn.net/index.php/open-source/documentation/howto.html, it just works.
2_ Don't create a secret-key-based VPN; for some reason it prevents full traffic redirection (I don't have the full picture, it just turned out to be so for me).
3_ Instead of 2, make sure you create a client - server configuration. Follow those steps and save time, they are the truth: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
4_ Oh but, wait, the "iptables" command from the previous step is not working? Indeed, it's using "MASQUERADE" rules, which are not supported in OpenVZ-based VPS (like yours, probably). Fortunately a geek out there found a solution, simply apply his steps: http://unixtitan.net/main/2010/09/20/openvpn-in-openvz-no-masquerade/

IPTABLES rules I finally had to apply:
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to $VPS_STATIC_IP
iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $VPS_STATIC_IP
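An added example (not the post's own commands) that turns the rules above into a re-runnable script: SNAT to the fixed VPS address instead of MASQUERADE for the OpenVZ case, NAT and forwarding limited to the VPN subnet, and each rule checked with -C before it is added. The interface names venet0/tun0 and the 10.8.0.0/24 subnet come from the post; the static IP is a constructed value passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the original post. Requires root to apply.
# Assumptions: WAN interface venet0, VPN interface tun0, VPN subnet 10.8.0.0/24,
# and the VPS static IP passed as the first argument (a constructed value in tests).
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"
WAN_IF="${WAN_IF:-venet0}"
VPN_IF="${VPN_IF:-tun0}"

# Reject anything that is not a plain dotted quad with octets 0-255
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Emit one "table|rule-spec" line per rule. SNAT to the fixed VPS address replaces
# MASQUERADE, which OpenVZ containers commonly cannot use; NAT and forwarding are
# limited to the VPN subnet so the box does not become an open router.
vpn_rules() {
    vps_ip="$1"
    printf '%s\n' \
      "nat|POSTROUTING -s $VPN_SUBNET -o $WAN_IF -j SNAT --to-source $vps_ip" \
      "filter|FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_SUBNET -j ACCEPT" \
      "filter|FORWARD -i $WAN_IF -o $VPN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Enable forwarding and add each rule only if iptables -C says it is missing,
# so the script can be re-run (e.g. from an init script) without duplicating rules.
apply_rules() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    vpn_rules "$1" | while IFS='|' read -r table spec; do
        # $spec is intentionally unquoted so it splits into iptables arguments
        iptables -t "$table" -C $spec 2>/dev/null || iptables -t "$table" -A $spec
    done
}

# Usage: sh vpn-nat.sh <VPS_STATIC_IP>
if [ -n "${1:-}" ]; then
    apply_rules "$1"
fi
```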


That's it. I avoid copy-pasting all my own steps; I don't want to be yet another easy step-by-step tutorial (they got me lost).

Redirecting all traffic: this was my main purpose. The key lies in the two following lines to add to your server.conf:
_ push "redirect-gateway def1"
_ push "dhcp-option DNS 8.8.8.8"
That's directing the client to redirect all traffic through the gateway. 8.8.8.8 is Google's public DNS, which just works well. Note: some tutorials tell you to use the "bypass-dhcp" option for full-traffic redirection. It doesn't work unless your VPN server is also a DNS server.

Hmm I think that's all.

If you follow all those steps, all that remains is to run your server.
openvpn my_server.conf

You can run it manually if you want, but if you're a newbie like me, don't forget the "screen" command (which I'll let you google)!

Then, from the client's perspective, the OpenVPN GUI is pretty easy to use.