OpenVPN How-To
Posted by rbTech Staff on 05 January 2012 12:14 PM

(Originally published on 10/30/2008, updates 2/5/2009)

This page is a documentation of how I set up OpenVPN on Linux servers with Windows (non-admin) road warriors. I've documented both the Server and Client side of the installation here because it took me a helluva lot of digging around to get it working right.

Some background: First, I usually put the VPN server on the default gateway for the LAN. This can be a box inside the firewall or the firewall itself (for security reasons, the many-boxes approach is better, but for systems management, power consumption and fiscal reasons, the firewall is more common). This is because trying to designate routes to the VPN systems separately from the rest of the network is a huge PIA, and will likely have you tearing your hair out as you try to diagnose routing loops and other unexpected behaviours in your network.

First, the server:
My server config looks something like this:

port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/company.crt
key keys/company.key # This file should be kept secret
dh dh1024.pem
server 10.8.254.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120

cipher BF-CBC # Blowfish (default)

comp-lzo

max-clients 10

user nobody
group nogroup

persist-key
persist-tun

status openvpn-status.log

verb 3

plugin /usr/lib/openvpn/openvpn-auth-pam.so login

push "route 192.168.x.0 255.255.255.0"
# Insert your WINS server IP here
push "dhcp-option WINS 12.34.56.78"
# Insert your DNS server IP here
push "dhcp-option DNS 12.34.56.78"
# Insert your second (if you have one) DNS server IP here
push "dhcp-option DNS 12.34.56.79"
# Replace with your search domain
push "dhcp-option DOMAIN domain.tld"

Note: If you use the openvpn-auth-pam.so plugin, you will need to have the pam-devel package installed on your system as well (or OpenVPN will bail on startup).

The certificate and key files are generated on the server and copied to the client via a secure channel (e.g. over the LAN, via USB thumbdrive, etc. NOT VIA EMAIL!!!!).
The ca.crt file will be copied to the client PC from the server via a secure channel.
The system.key and system.crt are generated on the server for each individual system that will be connecting to OpenVPN.

To generate a keypair for a client system:

cd /usr/share/openvpn/easy-rsa

Edit the vars file and populate it with your information. Read the README in this directory for how to set up your server and Certificate Authority!

. vars # VERY IMPORTANT!!!
./build-ca
./build-dh
./build-key-server servername
./build-key clientname

Next, the client PC:
My Client config looks like this:

client
dev tun
proto udp
remote your.host.name 1194
nobind
persist-tun
ns-cert-type server
ca "c:/program files/openvpn/keys/ca.crt"
cert "c:/program files/openvpn/keys/system.crt"
key "c:/program files/openvpn/keys/system.key"
comp-lzo
verb 3
auth-user-pass
pull

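As an added example (not code from the original article), here is a small Python linter for the OpenVPN config format used by both the server config above and this client config: it parses directives, comments and quoted arguments, then flags the settings a reviewer would now question in those two files (the 64-bit-block BF-CBC cipher, comp-lzo, 1024-bit DH, no tls-auth/tls-crypt, the deprecated ns-cert-type) and confirms that the server drops root with user/group. The sample configs inside are constructed from the article's examples; vpn.example.invalid is a placeholder hostname.

```python
import re
import shlex
# Constructed samples, abridged from the article's server and client configs.
SERVER_CONF = """\
key keys/company.key # This file should be kept secret
dh dh1024.pem
server 10.8.254.0 255.255.255.0
cipher BF-CBC # Blowfish (default)
comp-lzo
user nobody
group nogroup
push "route 192.168.1.0 255.255.255.0"
"""
CLIENT_CONF = """\
client
remote vpn.example.invalid 1194
ns-cert-type server
ca "c:/program files/openvpn/keys/ca.crt"
comp-lzo
auth-user-pass
"""
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}  # 64-bit block ciphers
def parse(text):
    """Return [(directive, [args]), ...]; '#' or ';' starts a comment, quotes group args."""
    parsed = []
    for raw in text.splitlines():
        line = re.split(r"^[#;]|\s[#;]", raw, maxsplit=1)[0].strip()
        if line:
            words = shlex.split(line)
            parsed.append((words[0], words[1:]))
    return parsed
def audit(text):
    """Return findings for one server or client config; an empty list means nothing flagged."""
    cfg = parse(text)
    names = {d for d, _ in cfg}
    findings = []
    for d, args in cfg:
        if d == "cipher" and args and args[0].upper() in WEAK_CIPHERS:
            findings.append(f"cipher {args[0]}: 64-bit block cipher (SWEET32); use AES-256-GCM")
        if d == "dh" and args and (m := re.search(r"\d{3,4}", args[0])) and int(m.group()) < 2048:
            findings.append(f"dh {args[0]}: DH parameters below 2048 bits")
    if names & {"comp-lzo", "compress"}:
        findings.append("compression enabled: leaks plaintext via compression side channels (VORACLE)")
    if not names & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no tls-auth/tls-crypt: control channel accepts packets from anyone")
    if "ns-cert-type" in names:
        findings.append("ns-cert-type is deprecated; use 'remote-cert-tls server'")
    if "server" in names and not {"user", "group"} <= names:
        findings.append("server keeps root after init: add 'user nobody' and 'group nogroup'")
    return findings
```

Run audit() over your real server.conf and client.ovpn; an empty list means none of these checks fired.
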
On the PC:
As an Administrator, do the following:

Copy 4 files to the client PC: ca.crt, client.crt, client.key and client.ovpn.

Then download the current stable version of the OpenVPN GUI from http://openvpn.se and install it. You'll need to make a couple of post-install modifications:
During the install, check the "Hide the TAP-Win32 Virtual Ethernet Adapter" box. Leave the rest at their defaults.
Make a new directory: C:\Program Files\OpenVPN\keys
Copy your config to C:\Program Files\OpenVPN\config
Copy your key and crt files to C:\Program Files\OpenVPN\keys\

2009-02-05 Edit: OpenVPN GUI is now part of OpenVPN and should not be downloaded separately: http://openvpn.net/index.php/downloads.html

Running OpenVPN GUI as a non-admin user on the Windows PC...

You'll have to give the selected user access to start/stop the OpenVPN service:
Download subinacl (a component of the XP Resource Kit) from the Microsoft Website.
Open up a Command Prompt and run the following commands:

cd c:\program files\Windows Resource kits\Tools\
subinacl /SERVICE "OpenVPNService" /GRANT={username}=TO
exit

You'll need to change the following registry keys on the client PC:
HKLM\Software\OpenVPN-GUI\allow_edit=0
HKLM\Software\OpenVPN-GUI\allow_password=0
HKLM\Software\OpenVPN-GUI\allow_proxy=0

And that's it... at this point, you should be able to log out and log back in (you'll need to do that *EVERY TIME* you make a change to the OpenVPN-GUI registry keys!), right click the OpenVPN icon in the systray, enter your username and password, and get a connection.

Run OpenVPN-GUI as a NON-Admin user via the Windows XP RUNAS command: You can save the credentials for a runas shortcut thusly (and thanks to the OpenVPN site administrator for clueing me in on this...):
First: toss out the registry entry that starts OpenVPN-GUI on bootup: delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run\openvpn-gui.
Next, create a regular shortcut on the desktop to OpenVPN-GUI (I usually right-click and drag the binary (C:\Program Files\OpenVPN\bin\openvpn-gui) to the desktop and select "Create a shortcut here...").
Right-click the new shortcut and select Properties.
In the "Target:" field, enter the following before the path to OpenVPN-GUI:
C:\windows\system32\runas.exe /savecred /user:"LOCAL ADMIN USERNAME"
Save your shortcut and double-click it, and you will be presented with a console window asking for the password to the account you specified. Enter the password, and the service will start, running under the privileges of the user you specified. NOTE: By saving the credentials this way, a user can run ANY COMMAND ON THE SYSTEM AS AN ADMINISTRATOR, simply by changing the last part of the shortcut!!!

This method is also ONLY AVAILABLE on Windows XP PRO... the /savecred option is silently ignored when using XP Home or any variant of it (i.e. Media Center etc.).

Notes... If your firewall has more than one IP address assigned to the interface you're connecting to OpenVPN on, you may need the float option in your client config file.
Likewise, you may simply need to make sure that whatever is the primary interface on your firewall is what you're trying to connect to, or that you are properly NATing your OpenVPN traffic from the firewall... For example, my firewall was happily dropping all packets from the remote OpenVPN server because they were coming from the wrong source IP address, and therefore weren't associated with any known ESTABLISHED or RELATED (iptables talk) connection.
