Wiki
Clone wikilinode_jumpbox_config / OpenVPN_install
part of the linode_jumpbox_config project
Table of Contents
summary
The following page has one purpose, which can be described in two main ways:
- hardware-oriented: setup a linode as an OpenVPN server, and setup a client device to use its VPN.
- software-oriented: setup the OpenVPN server on one device, and setup the OpenVPN client on another device to connect to the server
Following sections on the scripted process (and the now-largely-deprecated manual process) presume
- you have read this project's homepage; at the very least, its glossary.
- you have already successfully base-installed your linode.
- you have not deleted your root account. Portions of this install seem to require su -; sudo does not appear sufficient.
manual processes
The full manual install/config process is now deprecated. Instead, use the (mostly) scripted process, which does {include, refer back to} some of the following manual processes.
client pretest
This section attempts to establish that
- you correctly know the real IP#s of both your client and your server
- your underlying networking is sound.
Run the following diagnostics from your client:
Your client's ifconfig -a should not have an entry for tun0. E.g., from a workstation with both wired and wireless ethernet interfaces, you should see something like
you@client:~$ sudo ifconfig -a Sat Nov 8 17:26:05 EST 2014 eth0 Link encap:Ethernet HWaddr ... ... lo Link encap:Local Loopback ... wlan0 Link encap:Ethernet HWaddr ... ...
From your ifconfig -a, note the IP# (or inet addr) of the ethernet interface you are using. This is your client's IP#.
ping your server from your client using the special VPN-configured IP#= 10.8.0.1: i.e.,
ping -c 4 10.8.0.1
This should fail, since you have not yet setup your VPN.
ping your server from your client using the server's IP# from your private.properties: i.e.,
source ${PATH_TO_PROJECT}/scripts/private.properties # if you have not done so already ping -c 4 ${MYNODE_IPV4}
If this fails, you probably don't actually know its IP#; since you must know your server's IP# to do your base-install, you probably need to go do that.
Check that DNS works from your client. Use www.whatismyip.com (or the IP-echo website you prefer), since you will access this website later. You should see something like
you@client:~$ nslookup www.whatismyip.com Server: 192.168.15.1 Address: 192.168.15.1#53 Non-authoritative answer: Name: www.whatismyip.com Address: 141.101.120.14 Name: www.whatismyip.com Address: 141.101.120.15
The Server: entry will likely differ from the above. (Note if it is one of the DNS servers you set here: perhaps a previous client configuration was not fully cleaned-up/rolled-back?) The other IPs may also change. The important point is, your nslookup should not hang or fail.
ping www.whatismyip.com (or the IP-echo website you prefer): this will later be used to establish validity of routing beyond your VPN. You should see something like
you@client:~$ ping -c 4 www.whatismyip.com PING www.whatismyip.com (141.101.120.15) 56(84) bytes of data. 64 bytes from 141.101.120.15: icmp_seq=1 ttl=57 time=94.7 ms 64 bytes from 141.101.120.15: icmp_seq=2 ttl=57 time=157 ms 64 bytes from 141.101.120.15: icmp_seq=3 ttl=57 time=88.3 ms 64 bytes from 141.101.120.15: icmp_seq=4 ttl=57 time=88.8 ms --- www.whatismyip.com ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 15621ms rtt min/avg/max/mdev = 88.370/107.325/157.369/29.002 ms
Trace your route to www.whatismyip.com (or the IP-echo website you prefer). You should see something like
you@client:~$ traceroute www.whatismyip.com traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets 1 192.168.15.1 (192.168.15.1) 0.850 ms 0.838 ms 1.378 ms ... 10 141.101.120.15 (141.101.120.15) 96.397 ms 96.392 ms 95.841 ms
The first IP# is your IP gateway (e.g., the modem/router on your client's physical LAN). The last IP# must be that of your target IP-echo website (as noted by nslookup and ping). The number of lines of traceroute output (aka the number of "hops") is probably not relevant.
Open a web browser and access http://www.whatismyip.com (or the IP-echo website you prefer). It should return the client IP# as listed in your ifconfig -a.
server configuration
This manual process is now deprecated but can be found here. It is currently {downlevel, not up-to-date}!
pre-clean process and logs
You can sorta {check for, cleanup} any previous server processes and logs with OpenVPN_kill_and_cleanup.sh
source ~/private.properties # or wherever you put it ~/OpenVPN_kill_and_cleanup.sh # ditto
but that assumes you previously started OpenVPN as described in this project. You can also do it manually (with fewer assumptions but more tedium):
First, kill the OpenVPN process, e.g.,
sudo foo # will fail; is just here to re-enable sudo # check for running instances pgrep -l openvpn | wc -l # if not == 0, kill it sudo pkill -9 openvpn pgrep -l openvpn | wc -l # > 0 # else error
Then check for OpenVPN logs and delete (or move/backup) as desired. The following assumes that your OpenVPN logs are named openvpn*.log (which is certainly not true in the default case, where main-log output goes to syslog)
find /var/ -name 'openvpn*.log' 2> /dev/null | wc -l # > 0 # eventually find /tmp/ -name 'openvpn*.log' 2> /dev/null | wc -l # > 0 find /etc/ -name 'openvpn*.log' 2> /dev/null | wc -l # > 0 find /home/ -name 'openvpn*.log' 2> /dev/null | wc -l # > 0
test server startup
Note: the following instructions are derived from the OpenVPN howto which may be useful to read.
Start the server from commandline: e.g.,
sudo foo # will fail; is just here to re-enable sudo source ${PATH_TO_PROJECT}/scripts/private.properties # or wherever you put it OPENVPN_SERVER_CONF_FP='/etc/openvpn/server.conf' # or wherever you put it if [[ -z "${OPENVPN_SERVER_CONF_FP}" ]] ; then echo -e 'ERROR: OPENVPN_SERVER_CONF_FP not defined!' elif [[ ! -e "${OPENVPN_SERVER_CONF_FP}" ]] ; then echo -e "ERROR: server config='${OPENVPN_SERVER_CONF_FP}' not found!" else sudo openvpn --config ${OPENVPN_SERVER_CONF_FP} & fi
Check to see that the process is not stopped in background (hence the sudo foo). You can make its output more verbose with, e.g. (for level=6),
sudo openvpn --config ${OPENVPN_SERVER_CONF_FP} --verb 6 &
Server output will go to the main OpenVPN logfile location you defined in your private.properties. Examine the output with something like
source ~/private.properties # or wherever you put it ls -al ${OPENVPN_MAIN_LOG_FP} sudo grep -nH -ie 'error\|warn' ${OPENVPN_MAIN_LOG_FP} sudo tail -n 1 ${OPENVPN_MAIN_LOG_FP} sudo less ${OPENVPN_MAIN_LOG_FP} sudo grep -nH -ie 'error\|warn' ${OPENVPN_STATUS_LOG_FP} sudo less ${OPENVPN_STATUS_LOG_FP}
You should get innocuous output, e.g.,
you@server:~$ sudo grep -nH -ie 'error\|warn' ${OPENVPN_MAIN_LOG_FP} /var/log/openvpn.log:39:Sat Jan 17 23:06:45 2015 us=786299 ifconfig_nowarn = DISABLED /var/log/openvpn.log:129:Sat Jan 17 23:06:45 2015 us=787478 mute_replay_warnings = DISABLED you@server:~$ sudo tail -n 1 ${OPENVPN_MAIN_LOG_FP} Sat Jan 17 23:06:45 2015 Initialization Sequence Completed
Note that you very much want to see that Initialization Sequence Completed! For extra credit, read both logs fully to check that there is nothing untoward: e.g.,
you@server:~$ sudo less ${OPENVPN_MAIN_LOG_FP}
With default port#= 1194 and default verbosity= 3, you should see output very similar to this server main log output.
Logout from server (if desired).
client configuration
This manual process is now deprecated but can be found here. It is currently {downlevel, not up-to-date}!
test client startup
Note: the following instructions are derived from the OpenVPN howto which may be useful to read.
Start the client from commandline: e.g.,
sudo foo # will fail; is just here to re-enable sudo source ${PATH_TO_PROJECT}/scripts/private.properties # or wherever you put it OPENVPN_CLIENT_CONF_FP="${OPENVPN_CLIENT_TARGET_DIR}/${OPENVPN_CLIENT_CONF_FN}" if [[ -z "${OPENVPN_CLIENT_CONF_FP}" ]] ; then echo -e 'ERROR: OPENVPN_CLIENT_CONF_FP not defined!' elif [[ ! -e "${OPENVPN_CLIENT_CONF_FP}" ]] ; then echo -e "ERROR: client config='${OPENVPN_CLIENT_CONF_FP}' not found!" else sudo openvpn --config ${OPENVPN_CLIENT_CONF_FP} & fi
Check to see that the process is not stopped in background (hence the sudo foo). You can make its output more verbose with, e.g. (for level=6),
sudo openvpn --config ${OPENVPN_CLIENT_CONF_FP} --verb 6 &
Client output will go to the main OpenVPN logfile location you defined in your private.properties. Examine the output with something like
source ${PATH_TO_PROJECT}/scripts/private.properties # or wherever you put it ls -al ${OPENVPN_MAIN_LOG_FP} sudo grep -nH -ie 'error\|warn' ${OPENVPN_MAIN_LOG_FP} sudo tail -n 1 ${OPENVPN_MAIN_LOG_FP} sudo less ${OPENVPN_MAIN_LOG_FP} sudo grep -nH -ie 'error\|warn' ${OPENVPN_STATUS_LOG_FP} sudo less ${OPENVPN_STATUS_LOG_FP}
You should get innocuous output, e.g.,
you@client:~$ sudo grep -nH -ie 'error\|warn' ${OPENVPN_MAIN_LOG_FP} # no result you@client:~$ sudo grep -nH -ie 'error\|warn' ${OPENVPN_STATUS_LOG_FP} # no result you@client:~$ sudo tail -n 1 ${OPENVPN_MAIN_LOG_FP} Sat Jan 17 23:06:45 2015 Initialization Sequence Completed
Note that you very much want to see that Initialization Sequence Completed! For extra credit, read the full log to check that there is nothing untoward: e.g.,
you@server:~$ sudo less ${OPENVPN_MAIN_LOG_FP}
With default port#= 1194 and default verbosity= 3, you should see output very similar to this client main log output.
Your client's ifconfig -a must now have an additional entry for tun0: e.g.,
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:14 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:0 (0.0 B) TX bytes:896 (896.0 B)
You should still be able to ping your server from your client using the server's IP#: i.e.,
source ${PATH_TO_PROJECT}/scripts/private.properties # if you have not done so already ping -c 4 ${MYNODE_IPV4}
You should now also be able to ping the special VPN-configured IP#= 10.8.0.1, i.e.,
ping -c 4 10.8.0.1
DNS should still work from your client, though your DNS server(s) will probably now be different: e.g.,
you@client:~$ nslookup www.whatismyip.com Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: Name: www.whatismyip.com Address: 141.101.120.14 Name: www.whatismyip.com Address: 141.101.120.15
You should still be able to ping www.whatismyip.com, or the IP-echo website you prefer, or some other site "beyond" your VPN. Response may be slower.
You should still be able to traceroute www.whatismyip.com, or the IP-echo website you prefer, or some other site "beyond" your VPN. The route will probably differ: e.g.,
you@client:~$ traceroute www.whatismyip.com traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets 1 10.8.0.1 (10.8.0.1) 103.321 ms 103.651 ms 103.596 ms 2 router1-atl.linode.com (64.22.106.73) 103.602 ms 104.412 ms 104.963 ms 3 64.22.106.9 (64.22.106.9) 103.755 ms 104.427 ms 104.661 ms 4 atl-core-g-g1-6.gnax.net (63.247.69.178) 104.384 ms 104.604 ms 104.857 ms 5 xe-2-0-5-103.ar1.atl1.us.as4436.gtt.net (69.31.135.53) 104.897 ms 105.102 ms 105.118 ms 6 as13335.xe-7-0-7.ar1.atl1.us.as4436.gtt.net (69.31.135.118) 105.127 ms 106.469 ms 100.254 ms 7 141.101.120.15 (141.101.120.15) 100.258 ms 100.492 ms 100.799 ms
Open a web browser and access http://www.whatismyip.com (or the IP-echo website you prefer). It should return the "real" IP# of your server (i.e., ${MYNODE_IPV4}), not the IP# of your client.
scripted process
Note that this section presumes (as does everything on this page) that you have already successfully base-installed your linode, which (along the way) copies this project's scripts to your linode root space (aka root's homespace, i.e., linode:/root/) and your linode user's homespace.
Unfortunately I cannot see how to run this process from a single script, due to the need for reboot and for running su -. Your suggestions regarding this are welcomed; even better, send a pull request.
client pretest
Do this manually.
server configuration
Login to server as user== ${MYNODE_USER_NAME}
Run OpenVPN_install_server.sh from where you copied it (should be @ ~/OpenVPN_install_server.sh).
Reboot the server (via the Linode Dashboard). Wait ~1 min after the Dashboard web UI indicates the server is up before attempting to reconnect to it (i.e., to ssh ${MYNODE_USER_NAME}@${MYNODE_IPV4}). Reconnection typically fails for many seconds after the web UI returns: e.g.,
me@client:~$ ssh ${MYNODE_USER_NAME}@${MYNODE_IPV4} ssh: connect to host <your server IP#/> port 22: Connection refused
Login to server as your user.
Run OpenVPN_config_server_as_user_1.sh from where you copied it.
Login (still on server) as root (i.e., su - from user session)
Run OpenVPN_config_server_as_root.sh from where you copied in rootspace (should be @ /root/OpenVPN_config_server_as_root.sh)
Logout as root (e.g., Ctrl-d): should return to user session
Run OpenVPN_config_server_as_user_2.sh from where you copied it.
Run visiblepw_install.sh with sudo from where you copied it (e.g., sudo ~/visiblepw_install.sh).
Test server startup from commandline manually.
Logout from server (if desired).
client configuration
- Login to client as user== ${OPENVPN_CLIENT_USER_NAME} (if you are not already).
- Check where you have your scripts. You have already cloned this project, no? Substitute that path for ${PATH_TO_PROJECT}/ in following.
- Run ${PATH_TO_PROJECT}/scripts/OpenVPN_install_client.sh
- Run ${PATH_TO_PROJECT}/scripts/OpenVPN_config_client.sh
- Test OpenVPN client startup manually.
Updated