OpenVPN via password authentification
The purpose of this tutorial is to describe how to configure an OpenVPN connection to a commercial VPN service. The explicit example I will use in this tutorial is connecting to ibVPN, but I am sure the steps described can be applied to many other providers and most places of employment.
I will assume throughout this tutoral you have a USB stick mounted as /opt with optware installed. If you do not have optware or a USB stick, you can probably use your /jmms directory instead of /opt. You are free to choice your own subnet, but for purposes of this example I will use a 172.31.0.0/16 as the address space configured for your LAN, with your router as 172.31.253.1. Where-ever you see these numbers, substitute the values you have used for your configuration.
Installing files and finding information
Your VPN provider probably provides a set of configuration files that includes there certificate, and configuration. Download these and copy them into your /opt/etc/openvpn directory. You will need to identify the following from this package.
- The CA file. For ibVPN this will be ibvpn.com.crt. If the certificate file is not obvious you can recognize by the line "-BEGIN CERTIFICATE-".
- The file or files with the configuration setting. In particular you are looking for a file with a remote line that tells you the server address and port number. For ibVPN there is one file per server. The remote line is the first line in the files. For example, the line "remote 126.96.36.199 1194 udp" would tell you the server is 188.8.131.52, the port is 1194, and the protocol is UDP.
Created a routing script
Create the followings script as /opt/etc/openvpn/route.sh being sure to substitute 172.31.0.0 with whatever you are using for your LAN's subnet:
#!/bin/sh [ "$1" = "up" -o "$1" = "down" ] || (echo "No action specified." && exit 1 ) action="$1" shift [ -z "$1" ] && echo "Failed to specify table." && exit 1 table="$1" shift [ -z "$1" ] && echo "Failed to specify subnet." && exit 1 ip route flush table $table for i in '^127\.' '^172\.31\.' '^192\.168\.' do ip route add $(ip route list|grep "$i") table $table 2>>/dev/null done [ "$action" = "down" ] && ip route add default via $route_net_gateway table $table [ "$action" = "up" ] && ip route add default via $route_vpn_gateway dev $dev table $table for subnet in $* do ip rule del from $subnet table $table 2>>/dev/null [ "$action" != "up" ] || ip rule add from $subnet table $table done
Once you create the script execute the following command:
chmod ugo+rX /opt/etc/openvpn/route.sh
Creating an authorization file.
Next you need to create a file that stores your username and password:
echo "<USERNAME>" > /opt/etc/openvpn/auth1.txt echo "<PASSWORD>" >> /opt/etc/openvpn/auth1.txt chmod 600 /opt/etc/openvpn/auth1.txt
Note: That <USERNAME> should be your actual username. For ibVPN <USERNAME> is your e-mail address. <PASSWORD> should be your actual password. I suggest using auth1.txt for client 1 and auth2.txt for client 2.
Configuring UI settings
You can find the setting information from your configuration files. The following are settings that work for me with ibVPN:
For Client 1 -> Basic I configured the following:
Start with Wan: not checked Interface Type: TAP Protocol: UDP Server Address/Port: 184.108.40.206 1194 Firewall: Automatic Authorization Mode: TLS Extra HMAC authorization (tls-auth): Disabled Service is on the same subnet: not checked Create NAT on tunnel: checked
Note: 220.127.116.11 shold be replace with the server you are going to connect to, and 1194 with the respective port. Protocol will either be UDP or TCP.
For Client 1 -> Advanced I configured the following:
Redirect Internet traffic: unchecked Accept DNS configuration: Disabled Encryption cipher: Use Default Compression: Adaptive TLS Renegotiation Time: -1 Connection retry: 30 Costom Configration (follows): script-security 3 system ca /opt/etc/openvpn/ibvpn.com.crt verb 3 mute 20 ns-cert-type server fragment 1300 route-noexec route-delay 2 redirect-private auth-user-pass /opt/etc/openvpn/auth1.txt auth-nocache reneg-sec 0 route-up "/opt/etc/openvpn/route.sh up 1 172.31.254.0/24" down "/opt/etc/openvpn/route.sh down 1 172.31.254.0/24"
It is very likely you will need to modify the custom settings based on the information in your VPN's provider's configuration. You'll probably also want to change the address 172.31.254.0/24 to something else. The address 172.31.254.0/24 is actually the subnet I want to redirect with VPN, you can replace this with any subnet you want or even a listing of multiple values. e.g. The following would redirect 172.31.253.119 172.31.253.123 and the subnet 172.31.3.0/24:
route-up "/opt/etc/openvpn/route.sh up 1 172.31.253.119 172.31.253.123 172.31.3.0/24" down "/opt/etc/openvpn/route.sh down 1 172.31.253.119 172.31.253.123 172.31.3.0/24"
The number 1 right after the word "up" and "down" is a table number. For simplicity I just make this the same as the client number. So for client #2 I use:
route-up "/opt/etc/openvpn/route.sh up 2 172.31.255.0/24" down "/opt/etc/openvpn/route.sh down 2 172.31.255.0/24"
If you are lucky everything will work the first time you press start. If not, you'll probably need to look at the system log for errors. e.g. Status->Log. This is where you will see error messages such as password authentification failures. Do not check the "Startup on WAN" button until you have verified the connection works when starting manually. If your VPN provider uses a secure token, you need to login and update the the /opt/etc/openvpn/auth manually immediately before clicking start, so you can provide the current token value as part of the password.