Mar 12 2014
 

I hope I haven’t kept anyone waiting too long for this solution, but here is how I got over the slow OpenVPN connection problem that I was experiencing in my blog post:

OpenVPN / VyprVPN and DD-WRT Router

I decided to approach this in a totally different way by installing a Virtual Machine with Ubuntu Server 12.04.4 LTS as follows:

Personally, I am using VMware Fusion on my iMac, but there are a number of alternative approaches for getting a virtual machine running on your desired machine, bearing in mind that you should have sufficient processing and memory capacity to sustain the running of the virtual machine.

If you are looking for an Open Source Virtualisation product then I know that a lot of people use and recommend Oracle VirtualBox.

Ensure that you create your virtual machine with 2 network cards as this will be required in order to perform the required routing and OpenVPN tunnel.

I will not go through the entire process of installing the Ubuntu Server as I trust that if you are confident with looking at this approach, you should be comfortable with the process of downloading and installing Ubuntu or have the ability to follow any number of walkthrough installation procedures available by searching the Internet.

I chose Ubuntu Server because of my experience with Unix systems; I did not need a GUI and wanted to keep the virtual machine footprint as small as possible. You could also use Ubuntu or any other Debian-based Linux installation to perform this function if you have a particular preference.

Once you have your Ubuntu (or other) Linux Server up and running then here is the procedure that I followed on my Ubuntu Server:

After the initial installation ensure that you perform a full update and upgrade of the installed packages using the following commands.

$ sudo apt-get -y update

$ sudo apt-get -y upgrade

You will now need to set up your 2 network cards.

One card will be the Primary Internet (WAN) access and the other will be the Secondary (LAN) access.

Use the following command to edit the Network Interfaces: (I have used vi as the editor, but you can substitute this with your preferred editor)

$ sudo vi /etc/network/interfaces

Set the primary network card to access the Internet with the following entries (this is likely already set, as the default is to use DHCP). Depending on your setup, your interfaces may be named differently, so set them accordingly. In the following example I am using eth0 and eth1.

# The primary network interface *WAN*

auto eth0
iface eth0 inet dhcp

Set the Secondary card on a separate Subnet of your choice. I have used 192.168.99.* in this example.

# Secondary Network interface *LAN*

auto eth1
iface eth1 inet static
address 192.168.99.1
netmask 255.255.255.0
network 192.168.99.0
broadcast 192.168.99.255

Save the file

Now we need to enable IP Forwarding between the interfaces. To do this, edit the following file:

$ sudo vi /etc/sysctl.conf

You will need to ensure that the following line is UNCOMMENTED

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

then save the file

Now we need to set the iptables rule that will perform the necessary routing, so enter the following, replacing the eth0 with the interface that you are using for your Internet (WAN) connection as required.

$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

You can verify that the entry is correct by entering the following command:

$ sudo iptables -t nat -L

You should see something resembling the following. There may be more if you already have firewall rules set up.

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere           

The important line that you are looking for is the final line…

You should now be able to test that the routing is functional by placing a client in the same SUBNET as you configured for the Secondary (LAN) interface and setting the GATEWAY and DNS to point to the IP Address of eth1 and you should find that it will route through to the internet.

One final important thing to consider is that your settings are saved and will survive a reboot of the server. This can be easily achieved by editing the network interfaces using the following command:

$ sudo vi /etc/network/interfaces

and adding the following lines to the end of the file:

# Ensure that your iptables rules are saved and restored in the event of a reboot
# This entry ensures iptables are restored before restart of network interfaces

pre-up iptables-restore < /etc/iptables.rules

# This entry ensures iptables are saved before stopping network interfaces.

post-down iptables-save > /etc/iptables.rules

Now save the file and reboot your server with the following command:

$ sudo reboot

to ensure that the routing is still functioning.
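A check to run after that reboot, added here as an example and not part of the original post: it confirms that the forwarding line in sysctl.conf is uncommented and that the saved rules file holds the MASQUERADE rule for the WAN interface. The function name check_router_setup is an assumption of this example; the file paths are the ones used above.

```shell
# Added example (not from the original post). check_router_setup is a
# hypothetical helper name.
# usage: check_router_setup /etc/sysctl.conf /etc/iptables.rules eth0
check_router_setup() {
    local sysctl_conf="$1" rules_file="$2" wan_if="$3" problems=0

    # The forwarding line must be present and not commented out.
    if ! grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$sysctl_conf"; then
        echo "FAIL: net.ipv4.ip_forward=1 is missing or commented out in $sysctl_conf"
        problems=$((problems + 1))
    fi

    # iptables-save writes one section per table, introduced by "*<table>".
    # Only a MASQUERADE rule inside the *nat section counts, and it must
    # name the WAN interface after -o.
    if ! awk -v ifc="$wan_if" '
            /^\*/ { in_nat = ($0 == "*nat") }
            in_nat && /^-A POSTROUTING/ && /-j MASQUERADE/ {
                for (i = 1; i < NF; i++)
                    if ($i == "-o" && $(i + 1) == ifc) found = 1
            }
            END { exit !found }' "$rules_file"; then
        echo "FAIL: no MASQUERADE rule for $wan_if in the nat table of $rules_file"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: forwarding and NAT settings are persistent"
    return "$problems"
}
```

The return status is the number of failed checks, so 0 means both settings will survive the next restart.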

Now that you have proved that your routing works we can set-up the OpenVPN / VyprVPN tunnel.

Install the OpenVPN package by running the following command:

$ sudo apt-get install openvpn

Next we need to download the VyprVPN Certificate from Giganews with the following command:

$ sudo wget -O /etc/openvpn/ca.vyprvpn.com.crt http://www.giganews.com/vyprvpn/ca.vyprvpn.com.crt

We are now ready to test the connection using the following command. The VPN location (us2.vpn.giganews.com in this example) can be replaced with any alternative VPN location.

$ sudo openvpn --client --remote us2.vpn.giganews.com --dev tun --comp-lzo --auth-user-pass --tls-client --ca /etc/openvpn/ca.vyprvpn.com.crt

You will then be prompted for your login credentials after which the connection should be established and can then be tested.

Open a separate Console session and enter the following command to confirm the tunnel has been created:

$ ifconfig -a

You can also perform a wget as follows to confirm the country location:

$ wget -q -O - www.ip2location.com | grep chkCountry\"\> 

The resulting string should give the details of the country of the connection.

Press <CTRL> C to cancel the connection or kill the OpenVPN process.

If all is well then you are now ready to automate the connection process if you wish which can be accomplished as follows:

Using openvpn configuration files you can automate the process of connection to a preferred VPN connection as in the following example saved as /etc/openvpn/USWash.conf

# This is the configuration file for connecting to the VyprVPN in Washington USA
client
dev tun
proto udp
remote us2.vpn.giganews.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca /etc/openvpn/ca.vyprvpn.com.crt
tls-remote us2.vpn.giganews.com
auth-user-pass
comp-lzo
verb 3
# End of File

You can now test the configuration file by running the following command:

$ sudo openvpn --config /etc/openvpn/USWash.conf

This configuration file will still prompt you for your Username and Password. To pass your username and password through the configuration file instead, create a text file, for example:

$ sudo vi /etc/openvpn/auth.txt

the file will only require 2 lines, the first should contain your username and the second should contain your password.

Then modify your configuration file by adding to the “auth-user-pass” line to make it read as follows:

auth-user-pass /etc/openvpn/auth.txt

Now when you run the command:

$ sudo openvpn --config /etc/openvpn/USWash.conf

you will no longer be prompted for your Username and Password.
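Because auth.txt holds the username and password in clear text, and a file created with sudo vi under the usual umask of 022 is readable by every local user, here is an added check (not part of the original post) that reads the configuration file, finds the credentials and CA files it references, and reports unsafe permissions. The function name audit_vpn_conf is an assumption of this example, and it relies on GNU stat and find as shipped with Ubuntu.

```shell
# Added example (not from the original post). audit_vpn_conf is a
# hypothetical helper; it assumes GNU stat and find.
# usage: audit_vpn_conf /etc/openvpn/USWash.conf
audit_vpn_conf() {
    local conf="$1" problems=0 auth ca mode

    # Second field of each directive is the file path (empty if bare).
    auth=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$conf")
    ca=$(awk '$1 == "ca" { print $2; exit }' "$conf")

    if [ -z "$auth" ]; then
        echo "INFO: auth-user-pass names no file, openvpn will prompt"
    elif [ ! -f "$auth" ]; then
        echo "FAIL: $auth does not exist"; problems=$((problems + 1))
    else
        # Clear-text credentials: only the owner may have any access.
        mode=$(stat -c '%a' "$auth")
        case "$mode" in
            600|400) ;;
            *) echo "FAIL: $auth has mode $mode, run: sudo chmod 600 $auth"
               problems=$((problems + 1)) ;;
        esac
        # Exactly two lines are expected: username, then password.
        if [ "$(grep -c '' "$auth")" -ne 2 ]; then
            echo "FAIL: $auth should contain exactly 2 lines"
            problems=$((problems + 1))
        fi
    fi

    # The CA file decides which servers the client will trust, so it must
    # not be writable by group or other.
    if [ -z "$ca" ] || [ ! -f "$ca" ]; then
        echo "FAIL: ca file is not set or does not exist"
        problems=$((problems + 1))
    elif [ -n "$(find "$ca" -perm /022)" ]; then
        echo "FAIL: $ca is writable by group or other"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Run it with sudo once auth.txt has been tightened to mode 600, since the function then needs root to read the file.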

The next step is to autostart your VPN connection upon starting your server, which can be easily achieved by modifying the /etc/default/openvpn file and inserting the line AUTOSTART="USWash" as shown below:

# This is the configuration file for /etc/init.d/openvpn


#
# Start only these VPNs automatically via init script.
# Allowed values are "all", "none" or space separated list of
# names of the VPNs. If empty, "all" is assumed.
# The VPN name refers to the VPN configutation file name.
# i.e. "home" would be /etc/openvpn/home.conf
#
#AUTOSTART="all"
#AUTOSTART="none"
#AUTOSTART="home office"
AUTOSTART="USWash"
#
# Refresh interval (in seconds) of default status files
# located in /var/run/openvpn.$NAME.status
# Defaults to 10, 0 disables status file generation
#
#STATUSREFRESH=10
#STATUSREFRESH=0
# Optional arguments to openvpn's command line
OPTARGS=""
#
# If you need openvpn running after sendsigs, i.e.
# to let umountnfs work over the vpn, set OMIT_SENDSIGS
# to 1 and include umountnfs as Required-Stop: in openvpn's
# init.d script (remember to run insserv after that)
#
OMIT_SENDSIGS=0

Now reboot your server with the following command:

$ sudo reboot

Once your server has started verify that your VPN connection is active and Voila!!!

Here is my Speedtest result using the Ubuntu Router with VyprVPN connection through the above connection:

[Image: Speedtest result 3366320819]

A bit of a reduction but far better than through the DD-WRT Router…

Mar 06 2014
 

Having recently received a scare with my credit card being used for some fraudulent transactions (thankfully caught by my Credit Card company) it became apparent to me that I needed another layer of security within my home internet connection. As a Diamond subscriber to Giganews Usenet services, I have an included VyprVPN Pro subscription [...]

Feb 10 2014
 

If you are looking for Cheat Sheets, here is a great site that offers a large repository of Cheat Sheets on a vast array of subjects. It is a really useful Website to keep at hand when looking for some information rapidly. The web address is OverAPI.com. I hope you will find it as useful [...]