Openvpn How-to


The Sorrow


So I'm new to VPN setups. I searched the forums and did plenty of googling but I'm still at a loss. I have a pfSense firewall running the OpenVPN service. It's configured. I'm using TCP. I have a shared key and I've set the port to 1194. BF-CBC cryptography and shared key authentication. LZO compression is also enabled. I'm using a Cox modem. What do I need to put into the client program to connect to the VPN at, say, my school or public wifi?

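As an added example (not from this thread), this is what an OpenVPN client profile looks like for the exact setup described above: pfSense server, shared (static) key, TCP on port 1194, BF-CBC, LZO compression. YOUR.PUBLIC.IP, the static.key file name, the tunnel addresses 10.0.8.1/10.0.8.2 and the home LAN 192.168.1.0/24 are placeholders and assumptions that must be taken from the pfSense server configuration.

```conf
# Added example client profile (client.ovpn) for a pfSense shared-key
# OpenVPN server. Nothing here is taken from the thread except the
# settings the poster listed: TCP, port 1194, shared key, BF-CBC, LZO.

# Point-to-point mode with a pre-shared key: no certificates, no TLS.
dev tun
proto tcp-client
# The WAN address of the pfSense box (what ipchicken.com shows you).
remote YOUR.PUBLIC.IP 1194

# The key exported from pfSense; both ends hold the identical file.
# Keep it mode 0600: anyone who can read it can decrypt and join the tunnel.
secret static.key

# Tunnel endpoints. pfSense's server side is assumed to be
# "ifconfig 10.0.8.1 10.0.8.2"; the client states the same pair reversed.
ifconfig 10.0.8.2 10.0.8.1

# These must match the server exactly or the tunnel never comes up.
# Note: BF-CBC is a 64-bit block cipher that OpenVPN has deprecated
# (newer clients refuse it unless explicitly enabled); AES-256-CBC is the
# drop-in replacement once it is changed on the pfSense side as well.
cipher BF-CBC
auth SHA1
comp-lzo

# Reach the home LAN through the tunnel (assumed 192.168.1.0/24).
route 192.168.1.0 255.255.255.0

# Survive NAT idle timeouts and IP changes at the coffee shop / school.
keepalive 10 60
persist-key
persist-tun
resolv-retry infinite
nobind
verb 3
```

Without a `redirect-gateway` directive only traffic for the routes listed here goes through the tunnel; everything else still leaves via the local network.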

So I'm new to VPN setups. I searched the forums and did plenty of googling but I'm still at a loss. I have a pfSense firewall running the OpenVPN service. It's configured. I'm using TCP. I have a shared key and I've set the port to 1194. BF-CBC cryptography and shared key authentication. LZO compression is also enabled. I'm using a Cox modem. What do I need to put into the client program to connect to the VPN at, say, my school or public wifi?

At the client you need to enter your external IP address, along with the username and password you created in the OpenVPN configuration page.


Unless you need OpenVPN installed natively on your machine, there is the alternative of using a VM. OpenVPN has virtual appliances, although they still take some time to set up and don't work out of the box.

What I did was download their VMware appliance from the openvpn site, then unzipped it and started the machine up. It got an error connecting to DHCP, so I just configured it manually to an open address on my router. Once this is done, you can then log in on the VM as root with password openvpnas. Then run passwd to change the password.

Also while there, enter "passwd openvpn" and change that password as well. This is not given in any documentation on their site other than just to change it; we don't know what the default password for that user is, but it should be changed anyway. Once you change the password for user "openvpn" you can log on to the web admin interface to configure the rest of the VPN settings, including the client connect manager. Whatever IP you set it up for, go to https://x.x.x.x:5480/ (where x.x.x.x is the local IP of the VM). This address should give you a login prompt if the IP was configured properly for the VM (login is root and whatever you changed the password to, or openvpnas). Nothing really to do here, but it verifies the VM is accessible and shows the IP settings.

From there you can go to https://x.x.x.x:943/admin/ and edit the VPN IP settings (admin/server_network_settings). This is different from what you set up on the VPN appliance itself, and will be set to your public/internet-facing IP address. The reason we need to set this is so you can download the preconfigured client, which will be compiled with your public IP address automatically. Start the server and change the IP address, then it should prompt to restart the service. Once you configure this setting, test connectivity. This has to be done with the server down, so on that page, stop the server and then test connectivity. This will then try to connect to the VM via your public-facing IP address (like what you would see if you went to ipchicken.com). If it gets an error for both, you don't have port forwarding set up properly. For me, I had to enable port forwarding to the VM for ports 443, 943 and 1194 (more on those in a bit).

Once you have the port forwarding working, and get at least the UDP port 1194 showing successful (TCP not required to work), then you can start the server again and go to https://x.x.x.x/ where x.x.x.x is the address you see when you go to ipchicken.com. Once there, log in with openvpn and the password you chose. You can then click connect and download the MSI package for Windows, which once run on any machine at your school (or your own laptop) will be configured to always point to your home IP address. When at school or anywhere else using the client program, you just click connect from the systray icon to your IP and it will load the web interface at https://x.x.x.x of your IP. Log in and you should be part of the network. This connect process only works from remote locations. It does not seem to work locally, on the same machine, although you could test it from another desktop I imagine; it is just not going to work on the machine hosting the VM.

Edit: Forgot to mention that if you wanted to tunnel all your web traffic over OpenVPN, it doesn't do that by default either. Only traffic sent to and from the VPN goes over the VPN. If you want to tunnel your web traffic, say, so the school can't see where you are, or to bypass web filter restrictions, you need to configure the VPN server to grab the traffic and redirect everything. See http://openvpn.net/index.php/open-source/documentation/howto.html#redirect

Edited by digip

So since it's behind a cable modem I need to get the IP from IPchicken or whatsmyip and set up port forwarding. Yes/no?

You only need port forwarding if the box is behind a NAT device, like a router. If it's in a DMZ, or directly on the internet with the IP assigned from the ISP, there is no need for port forwarding. You will, however, need to make sure the ports are open on the machine's firewall.

Edited by digip

I made a rule on the pfSense firewall allowing the port you specified for OpenVPN. I have a cable (Cox) modem which connects to my pfSense firewall (WAN interface), then it routes to my LAN interface, which is connected to a 24-port Cisco switch, which then connects to my computers.


I made a rule on the pfSense firewall allowing the port you specified for OpenVPN. I have a cable (Cox) modem which connects to my pfSense firewall (WAN interface), then it routes to my LAN interface, which is connected to a 24-port Cisco switch, which then connects to my computers.

Well, assuming the pfSense firewall is handling NAT, then yes, somewhere you would need to port forward to the PC you have the VPN on that you want to connect to. If however the pfSense box is what you are VPN'ing into, then there is no need for the port forward, since it's sitting on the edge of your network and is more than likely what you hit when you access the IP from the internet. Ports I forwarded to the VPN workstation were 443, 943 and 1194. Once you have the client connect set up on the remote machine, you really only need 1194 forwarded. I just used 943 to set up the administration of the VPN settings and 443 to download the client. You could probably leave 943 out of the equation from the web side as well, since that is only needed if you want remote access to administer it from the web and make changes to the VPN itself.


Just a question: who is handling the NAT? Is it your modem or the pfSense box?
