Clone wiki

linode_jumpbox_config / OpenVPN_install

part of the linode_jumpbox_config project

summary

The following page has one purpose, which can be described in two main ways:

  • hardware-oriented: setup a linode as an OpenVPN server, and setup a client device to use its VPN.
  • software-oriented: setup the OpenVPN server on one device, and setup the OpenVPN client on another device to connect to the server

Following sections on the scripted process (and the now-largely-deprecated manual process) presume

  1. you have read this project's homepage; at the very least, its glossary.
  2. you have already successfully base-installed your linode.
  3. you have not deleted your root account. Portions of this install seem to require su -; sudo does not appear sufficient.

manual processes

The full manual install/config process is now deprecated. Instead, use the (mostly) scripted process, which does {include, refer back to} some of the following manual processes.

client pretest

This section attempts to establish that

  • you correctly know the real IP#s of both your client and your server
  • your underlying networking is sound.

Run the following diagnostics from your client:

  1. Your client's ifconfig -a should not have an entry for tun0. E.g., from a workstation with both wired and wireless ethernet interfaces, you should see something like

    you@client:~$ sudo ifconfig -a
    Sat Nov  8 17:26:05 EST 2014
    eth0      Link encap:Ethernet  HWaddr ...
    ...
    
    lo        Link encap:Local Loopback
    ...
    
    wlan0     Link encap:Ethernet  HWaddr ...
    ...
    
  2. From your ifconfig -a, note the IP# (or inet addr) of the ethernet interface you are using. This is your client's IP#.

  3. ping your server from your client using the special VPN-configured IP#= 10.8.0.1: i.e.,

    ping -c 4 10.8.0.1
    

    This should fail, since you have not yet setup your VPN.

  4. ping your server from your client using the server's IP# from your private.properties: i.e.,

    source ${PATH_TO_PROJECT}/scripts/private.properties # if you have not done so already
    ping -c 4 ${MYNODE_IPV4}
    

    If this fails, you probably don't actually know its IP#; since you must know your server's IP# to do your base-install, you probably need to go do that.

  5. Check that DNS works from your client. Use www.whatismyip.com (or the IP-echo website you prefer), since you will access this website later. You should see something like

    you@client:~$ nslookup www.whatismyip.com
    Server:         192.168.15.1
    Address:        192.168.15.1#53
    
    Non-authoritative answer:
    Name:   www.whatismyip.com
    Address: 141.101.120.14
    Name:   www.whatismyip.com
    Address: 141.101.120.15
    

    The Server: entry will likely differ from the above. (Note if it is one of the DNS servers you set here: perhaps a previous client configuration was not fully cleaned-up/rolled-back?) The other IPs may also change. The important point is, your nslookup should not hang or fail.

  6. ping www.whatismyip.com (or the IP-echo website you prefer): this will later be used to establish validity of routing beyond your VPN. You should see something like

    you@client:~$ ping -c 4 www.whatismyip.com
    PING www.whatismyip.com (141.101.120.15) 56(84) bytes of data.
    64 bytes from 141.101.120.15: icmp_seq=1 ttl=57 time=94.7 ms
    64 bytes from 141.101.120.15: icmp_seq=2 ttl=57 time=157 ms
    64 bytes from 141.101.120.15: icmp_seq=3 ttl=57 time=88.3 ms
    64 bytes from 141.101.120.15: icmp_seq=4 ttl=57 time=88.8 ms
    
    --- www.whatismyip.com ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 15621ms
    rtt min/avg/max/mdev = 88.370/107.325/157.369/29.002 ms
    
  7. Trace your route to www.whatismyip.com (or the IP-echo website you prefer). You should see something like

    you@client:~$ traceroute www.whatismyip.com
    traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets
     1  192.168.15.1 (192.168.15.1)  0.850 ms  0.838 ms  1.378 ms
    ...
    10  141.101.120.15 (141.101.120.15)  96.397 ms  96.392 ms  95.841 ms
    

    The first IP# is your IP gateway (e.g., the modem/router on your client's physical LAN). The last IP# must be that of your target IP-echo website (as noted by nslookup and ping). The number of lines of traceroute output (aka the number of "hops") is probably not relevant.

  8. Open a web browser and access http://www.whatismyip.com (or the IP-echo website you prefer). It should return the client IP# as listed in your ifconfig -a.

server configuration

This manual process is now deprecated but can be found here. It is currently {downlevel, not up-to-date}!

pre-clean process and logs

You can sorta {check for, cleanup} any previous server processes and logs with OpenVPN_kill_and_cleanup.sh

source ~/private.properties     # or wherever you put it
~/OpenVPN_kill_and_cleanup.sh   # ditto

but that assumes you previously started OpenVPN as described in this project. You can also do it manually (with fewer assumptions but more tedium):

  1. First, kill the OpenVPN process, e.g.,

    sudo foo # will fail; is just here to re-enable sudo
    
    # check for running instances
    pgrep -l openvpn | wc -l
    # if not == 0, kill it
    sudo pkill -9 openvpn
    pgrep -l openvpn | wc -l
    # > 0 # else error
    
  2. Then check for OpenVPN logs and delete (or move/backup) as desired. The following assumes that your OpenVPN logs are named openvpn*.log (which is certainly not true in the default case, where main-log output goes to syslog)

    find /var/ -name 'openvpn*.log' 2> /dev/null | wc -l
    # > 0 # eventually
    find /tmp/ -name 'openvpn*.log' 2> /dev/null | wc -l
    # > 0
    find /etc/ -name 'openvpn*.log' 2> /dev/null | wc -l
    # > 0
    find /home/ -name 'openvpn*.log' 2> /dev/null | wc -l
    # > 0
    

test server startup

Note: the following instructions are derived from the OpenVPN howto which may be useful to read.

  1. Start the server from commandline: e.g.,

    sudo foo # will fail; is just here to re-enable sudo
    source ${PATH_TO_PROJECT}/scripts/private.properties # or wherever you put it
    
    OPENVPN_SERVER_CONF_FP='/etc/openvpn/server.conf'  # or wherever you put it
    if   [[ -z "${OPENVPN_SERVER_CONF_FP}" ]] ; then
      echo -e 'ERROR: OPENVPN_SERVER_CONF_FP not defined!'
    elif [[ ! -e "${OPENVPN_SERVER_CONF_FP}" ]] ; then
      echo -e "ERROR: server config='${OPENVPN_SERVER_CONF_FP}' not found!"
    else
      sudo openvpn --config ${OPENVPN_SERVER_CONF_FP} &
    fi
    

    Check to see that the process is not stopped in background (hence the sudo foo). You can make its output more verbose with, e.g. (for level=6),

    sudo openvpn --config ${OPENVPN_SERVER_CONF_FP} --verb 6 &
    
  2. Server output will go to the main OpenVPN logfile location you defined in your private.properties. Examine the output with something like

    source ~/private.properties # or wherever you put it
    ls -al ${OPENVPN_MAIN_LOG_FP}
    sudo grep -nH -ie 'error\|warn' ${OPENVPN_MAIN_LOG_FP}
    sudo tail -n 1 ${OPENVPN_MAIN_LOG_FP}
    sudo less ${OPENVPN_MAIN_LOG_FP}
    sudo grep -nH -ie 'error\|warn' ${OPENVPN_STATUS_LOG_FP}
    sudo less ${OPENVPN_STATUS_LOG_FP}
    

    You should get innocuous output, e.g.,

    you@server:~$ sudo grep -nH -ie 'error\|warn' ${OPENVPN_MAIN_LOG_FP}
    /var/log/openvpn.log:39:Sat Jan 17 23:06:45 2015 us=786299   ifconfig_nowarn = DISABLED
    /var/log/openvpn.log:129:Sat Jan 17 23:06:45 2015 us=787478   mute_replay_warnings = DISABLED
    you@server:~$ sudo tail -n 1 ${OPENVPN_MAIN_LOG_FP}
    Sat Jan  17 23:06:45 2015 Initialization Sequence Completed
    

    Note that you very much want to see that Initialization Sequence Completed! For extra credit, read both logs fully to check that there is nothing untoward: e.g.,

    you@server:~$ sudo less ${OPENVPN_MAIN_LOG_FP}
    

    With default port#= 1194 and default verbosity= 3, you should see output very similar to this server main log output.

  3. Logout from server (if desired).

client configuration

This manual process is now deprecated but can be found here. It is currently {downlevel, not up-to-date}!

test client startup

Note: the following instructions are derived from the OpenVPN howto which may be useful to read.

  1. Start the client from commandline: e.g.,

    sudo foo # will fail; is just here to re-enable sudo
    source ${PATH_TO_PROJECT}/scripts/private.properties # or wherever you put it
    
    OPENVPN_CLIENT_CONF_FP="${OPENVPN_CLIENT_TARGET_DIR}/${OPENVPN_CLIENT_CONF_FN}"
    if   [[ -z "${OPENVPN_CLIENT_CONF_FP}" ]] ; then
      echo -e 'ERROR: OPENVPN_CLIENT_CONF_FP not defined!'
    elif [[ ! -e "${OPENVPN_CLIENT_CONF_FP}" ]] ; then
      echo -e "ERROR: client config='${OPENVPN_CLIENT_CONF_FP}' not found!"
    else
      sudo openvpn --config ${OPENVPN_CLIENT_CONF_FP} &
    fi
    

    Check to see that the process is not stopped in background (hence the sudo foo). You can make its output more verbose with, e.g. (for level=6),

    sudo openvpn --config ${OPENVPN_CLIENT_CONF_FP} --verb 6 &
    
  2. Client output will go to the main OpenVPN logfile location you defined in your private.properties. Examine the output with something like

    source ${PATH_TO_PROJECT}/scripts/private.properties # or wherever you put it
    ls -al ${OPENVPN_MAIN_LOG_FP}
    sudo grep -nH -ie 'error\|warn' ${OPENVPN_MAIN_LOG_FP}
    sudo tail -n 1 ${OPENVPN_MAIN_LOG_FP}
    sudo less ${OPENVPN_MAIN_LOG_FP}
    sudo grep -nH -ie 'error\|warn' ${OPENVPN_STATUS_LOG_FP}
    sudo less ${OPENVPN_STATUS_LOG_FP}
    

    You should get innocuous output, e.g.,

    you@client:~$ sudo grep -nH -ie 'error\|warn' ${OPENVPN_MAIN_LOG_FP}
    # no result
    you@client:~$ sudo grep -nH -ie 'error\|warn' ${OPENVPN_STATUS_LOG_FP}
    # no result
    you@client:~$ sudo tail -n 1 ${OPENVPN_MAIN_LOG_FP}
    Sat Jan  17 23:06:45 2015 Initialization Sequence Completed
    

    Note that you very much want to see that Initialization Sequence Completed! For extra credit, read the full log to check that there is nothing untoward: e.g.,

    you@server:~$ sudo less ${OPENVPN_MAIN_LOG_FP}
    

    With default port#= 1194 and default verbosity= 3, you should see output very similar to this client main log output.

  3. Your client's ifconfig -a must now have an additional entry for tun0: e.g.,

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:896 (896.0 B)
    
  4. You should still be able to ping your server from your client using the server's IP#: i.e.,

    source ${PATH_TO_PROJECT}/scripts/private.properties # if you have not done so already
    ping -c 4 ${MYNODE_IPV4}
    
  5. You should now also be able to ping the special VPN-configured IP#= 10.8.0.1, i.e.,

    ping -c 4 10.8.0.1
    
  6. DNS should still work from your client, though your DNS server(s) will probably now be different: e.g.,

    you@client:~$ nslookup www.whatismyip.com
    Server:         8.8.8.8
    Address:        8.8.8.8#53
    
    Non-authoritative answer:
    Name:   www.whatismyip.com
    Address: 141.101.120.14
    Name:   www.whatismyip.com
    Address: 141.101.120.15
    
  7. You should still be able to ping www.whatismyip.com, or the IP-echo website you prefer, or some other site "beyond" your VPN. Response may be slower.

  8. You should still be able to traceroute www.whatismyip.com, or the IP-echo website you prefer, or some other site "beyond" your VPN. The route will probably differ: e.g.,

    you@client:~$ traceroute www.whatismyip.com
    traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets
     1  10.8.0.1 (10.8.0.1)  103.321 ms  103.651 ms  103.596 ms
     2  router1-atl.linode.com (64.22.106.73)  103.602 ms  104.412 ms  104.963 ms
     3  64.22.106.9 (64.22.106.9)  103.755 ms  104.427 ms  104.661 ms
     4  atl-core-g-g1-6.gnax.net (63.247.69.178)  104.384 ms  104.604 ms  104.857 ms
     5  xe-2-0-5-103.ar1.atl1.us.as4436.gtt.net (69.31.135.53)  104.897 ms  105.102 ms  105.118 ms
     6  as13335.xe-7-0-7.ar1.atl1.us.as4436.gtt.net (69.31.135.118)  105.127 ms  106.469 ms  100.254 ms
     7  141.101.120.15 (141.101.120.15)  100.258 ms  100.492 ms  100.799 ms
    
  9. Open a web browser and access http://www.whatismyip.com (or the IP-echo website you prefer). It should return the "real" IP# of your server (i.e., ${MYNODE_IPV4}), not the IP# of your client.

scripted process

Note that this section presumes (as does everything on this page) that you have already successfully base-installed your linode, which (along the way) copies this project's scripts to your linode root space (aka root's homespace, i.e., linode:/root/) and your linode user's homespace.

Unfortunately I cannot see how to run this process from a single script, due to the need for reboot and for running su -. Your suggestions regarding this are welcomed; even better, send a pull request.

server configuration

  1. Login to server as user== ${MYNODE_USER_NAME}

  2. Check to where you copied your scripts and dependencies.

  3. Run OpenVPN_install_server.sh from where you copied it (should be @ ~/OpenVPN_install_server.sh).

  4. Reboot the server (via the Linode Dashboard). Wait ~1 min after the Dashboard web UI indicates the server is up before attempting to reconnect to it (i.e., to ssh ${MYNODE_USER_NAME}@${MYNODE_IPV4}). Reconnection typically fails for many seconds after the web UI returns: e.g.,

    me@client:~$ ssh ${MYNODE_USER_NAME}@${MYNODE_IPV4}
    ssh: connect to host <your server IP#/> port 22: Connection refused
    
  5. Login to server as your user.

  6. Run OpenVPN_config_server_as_user_1.sh from where you copied it.

  7. Login (still on server) as root (i.e., su - from user session)

  8. Run OpenVPN_config_server_as_root.sh from where you copied in rootspace (should be @ /root/OpenVPN_config_server_as_root.sh)

  9. Logout as root (e.g., Ctrl-d): should return to user session

  10. Run OpenVPN_config_server_as_user_2.sh from where you copied it.

  11. Run visiblepw_install.sh with sudo from where you copied it (e.g., sudo ~/visiblepw_install.sh).

  12. Test server startup from commandline manually.

  13. Logout from server (if desired).

client configuration

  1. Login to client as user== ${OPENVPN_CLIENT_USER_NAME} (if you are not already).
  2. Check where you have your scripts. You have already cloned this project, no? Substitute that path for ${PATH_TO_PROJECT}/ in following.
  3. Run ${PATH_TO_PROJECT}/scripts/OpenVPN_install_client.sh
  4. Run ${PATH_TO_PROJECT}/scripts/OpenVPN_config_client.sh
  5. Test OpenVPN client startup manually.

Updated