OpenVPN / VyprVPN Router using Ubuntu Server

I hope I haven’t kept anyone waiting too long for this solution, but here is how I got over the slow OpenVPN connection problem that I was experiencing in my blog post:

OpenVPN / VyprVPN and DD-WRT Router

I decided to approach this in a totally different way by installing a Virtual Machine with Ubuntu Server 12.04.4 LTS as follows:

Personally, I am using VMware Fusion on my iMac, but there are a number of alternative ways of getting a virtual machine running on your chosen machine, bearing in mind that you should have sufficient processing and memory capacity to sustain the running of the virtual machine.

If you are looking for an open source virtualisation product, then I know that a lot of people use and recommend Oracle VirtualBox.

Ensure that you create your virtual machine with two network cards, as these are required in order to perform the routing and the OpenVPN tunnel.

I will not go through the entire process of installing the Ubuntu Server as I trust that if you are confident with looking at this approach, you should be comfortable with the process of downloading and installing Ubuntu or have the ability to follow any number of walkthrough installation procedures available by searching the Internet.

I chose Ubuntu Server because of my experience with Unix systems; I did not need a GUI and wanted to keep the virtual machine footprint as small as possible, but you could also use standard Ubuntu or any Debian-based Linux installation to perform this function if you have a particular preference.

Once you have your Ubuntu (or other) Linux Server up and running then here is the procedure that I followed on my Ubuntu Server:

After the initial installation, ensure that you perform a full update and upgrade of the installed packages using the following commands:

$ sudo apt-get -y update

$ sudo apt-get -y upgrade

You will now need to set up your two network cards.

One card will be the primary Internet (WAN) access and the other will be the secondary (LAN) access.

Use the following command to edit the network interfaces file (I have used vi as the editor, but you can substitute your preferred editor):

$ sudo vi /etc/network/interfaces

Set the primary network card to access the Internet with the following entries (it is likely already set like this, as the default is to use DHCP). Depending on your setup you may notice that your interfaces are named differently, so set them accordingly; in the following example I am using eth0 and eth1.

# The primary network interface *WAN*

auto eth0
iface eth0 inet dhcp

Set the secondary card on a separate subnet of your choice; I have used 192.168.99.* in this example.

# Secondary Network interface *LAN*

auto eth1
iface eth1 inet static
address 192.168.99.1
netmask 255.255.255.0
network 192.168.99.0
broadcast 192.168.99.255

Save the file.

Now you need to enable IP forwarding between the interfaces. To do this, edit the following file:

$ sudo vi /etc/sysctl.conf

You will need to ensure that the following line is uncommented:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Then save the file.

Now we need to add the iptables NAT (masquerading) rule that lets the LAN clients share the WAN address. Enter the following, replacing eth0 with the interface you are using for your Internet (WAN) connection:

$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

You can verify that the entry is correct by entering the following command:

$ sudo iptables -t nat -L

You should see something resembling the following; there may be more entries if you already have firewall rules set up.

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere           

The important line is the final one, the MASQUERADE entry in the POSTROUTING chain.

You should now be able to test that the routing is functional by placing a client in the same subnet as you configured for the secondary (LAN) interface and setting its gateway and DNS to the IP address of eth1 (192.168.99.1 in this example); you should find that it routes through to the Internet.

One final important thing to consider is making sure that your settings are saved and survive a reboot of the server. This can be easily achieved by editing the network interfaces file again with the following command:

$ sudo vi /etc/network/interfaces

and adding the following lines to the end of the file:

# Ensure that your iptables rules are saved and restored in the event of a reboot
# This entry ensures iptables are restored before restart of network interfaces

pre-up iptables-restore < /etc/iptables.rules

# This entry ensures iptables are saved before stopping network interfaces.

post-down iptables-save > /etc/iptables.rules

Now save the file and reboot your server with the following command:

$ sudo reboot

After the reboot, confirm that the routing is still functioning.

Now that you have proved that your routing works, we can set up the OpenVPN / VyprVPN tunnel.

Install the OpenVPN package by running the following command:

$ sudo apt-get install openvpn

Next we need to download the VyprVPN certificate from Giganews with the following command:

$ sudo wget -O /etc/openvpn/ca.vyprvpn.com.crt http://www.giganews.com/vyprvpn/ca.vyprvpn.com.crt

We are now ready to test the connection using the following command; the VPN location (us2.vpn.giganews.com in this example) can be replaced with any alternative VPN location.

$ sudo openvpn --client --remote us2.vpn.giganews.com --dev tun --comp-lzo --auth-user-pass --tls-client --ca /etc/openvpn/ca.vyprvpn.com.crt

You will then be prompted for your login credentials, after which the connection should be established and can be tested.

Open a separate console session and enter the following command to confirm the tunnel has been created:

$ ifconfig -a

You can also perform a wget as follows to confirm the country location:

$ wget -q -O - www.ip2location.com | grep chkCountry\"\>

The resulting string should give the country of the connection.

Press Ctrl+C to cancel the connection, or kill the OpenVPN process.

If all is well, you are now ready to automate the connection process, if you wish, as follows:

Using OpenVPN configuration files you can automate connecting to a preferred VPN server, as in the following example saved as /etc/openvpn/USWash.conf:

# This is the configuration file for connecting to the VyprVPN in Washington USA
client
dev tun
proto udp
remote us2.vpn.giganews.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca /etc/openvpn/ca.vyprvpn.com.crt
tls-remote us2.vpn.giganews.com
auth-user-pass
comp-lzo
verb 3
# End of File

Update: Michael Jata discovered that he was having issues with the tls-remote option, which is apparently now deprecated and being replaced with verify-x509-name, so please be aware of this if you are using an OpenVPN version above 2.2.2.

You can now test the configuration file by running the following command:

$ sudo openvpn --config /etc/openvpn/USWash.conf

This configuration file will still prompt you for your username and password. To pass them in from the configuration instead, create a text file, for example:

$ sudo vi /etc/openvpn/auth.txt

The file only requires two lines: the first should contain your username and the second your password. Since this file holds your password in clear text, make sure it is readable only by root.

Then modify your configuration file by extending the “auth-user-pass” line to read as follows:

auth-user-pass /etc/openvpn/auth.txt

Now when you run the command:

$ sudo openvpn --config /etc/openvpn/USWash.conf

you will no longer be prompted for your username and password.

The next step is to autostart your VPN connection when the server starts, which can be easily achieved by modifying the /etc/default/openvpn file and inserting the line AUTOSTART="USWash" as shown below:

# This is the configuration file for /etc/init.d/openvpn


#
# Start only these VPNs automatically via init script.
# Allowed values are "all", "none" or space separated list of
# names of the VPNs. If empty, "all" is assumed.
# The VPN name refers to the VPN configutation file name.
# i.e. "home" would be /etc/openvpn/home.conf
#
#AUTOSTART="all"
#AUTOSTART="none"
#AUTOSTART="home office"
AUTOSTART="USWash"
#
# Refresh interval (in seconds) of default status files
# located in /var/run/openvpn.$NAME.status
# Defaults to 10, 0 disables status file generation
#
#STATUSREFRESH=10
#STATUSREFRESH=0
# Optional arguments to openvpn's command line
OPTARGS=""
#
# If you need openvpn running after sendsigs, i.e.
# to let umountnfs work over the vpn, set OMIT_SENDSIGS
# to 1 and include umountnfs as Required-Stop: in openvpn's
# init.d script (remember to run insserv after that)
#
OMIT_SENDSIGS=0

Now reboot your server with the following command:

$ sudo reboot

Once your server has started, verify that your VPN connection is active and Voila!!!
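One caveat before relying on this as a privacy router: the MASQUERADE rule on eth0 added earlier, together with the default FORWARD policy of ACCEPT, still sends LAN clients straight out of the WAN card whenever the tunnel is down, because the default route falls back to eth0. The following added script (not from the original post) writes an /etc/iptables.rules file for either that plain setup or the tunnel-only policy Michael describes in the update below, and includes a check for the leak; the interface names and the 192.168.99.0/24 subnet are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post: write an /etc/iptables.rules
# file (iptables-restore format) for the two-card router described above.
#   plain        the post's own rule: MASQUERADE on the WAN card, FORWARD
#                policy ACCEPT. LAN clients still reach the Internet through
#                eth0 whenever the tunnel is down.
#   tunnel-only  Michael's approach: NAT only on tun0, forward LAN traffic
#                only into tun0, drop everything else. A tunnel outage then
#                blocks the LAN instead of leaking it. OpenVPN's own link to
#                the VPN server goes through OUTPUT, not FORWARD, so it is
#                unaffected.
gen_rules() {
    mode=$1 wan=$2 lan=$3 tun=$4 lan_net=$5
    case $mode in
    plain)
        printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
            "-A POSTROUTING -o $wan -j MASQUERADE" 'COMMIT' \
            '*filter' ':FORWARD ACCEPT [0:0]' 'COMMIT'
        ;;
    tunnel-only)
        printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
            "-A POSTROUTING -s $lan_net -o $tun -j MASQUERADE" 'COMMIT' \
            '*filter' ':FORWARD DROP [0:0]' \
            "-A FORWARD -i $lan -o $tun -s $lan_net -j ACCEPT" \
            "-A FORWARD -i $tun -o $lan -d $lan_net -m state --state RELATED,ESTABLISHED -j ACCEPT" \
            'COMMIT'
        ;;
    *)
        echo "gen_rules: unknown mode '$mode'" >&2
        return 1
        ;;
    esac
}

# Read a ruleset on stdin; return 0 (true) if LAN traffic could still be
# forwarded out of WAN card $1 once the tunnel is gone, i.e. the FORWARD
# policy is ACCEPT or an explicit ACCEPT rule sends traffic to that card.
leaks_via_wan() {
    rules=$(cat)
    if ! printf '%s\n' "$rules" | grep -q '^:FORWARD DROP'; then
        return 0
    fi
    printf '%s\n' "$rules" | grep -q -e "^-A FORWARD .*-o $1 .*-j ACCEPT"
}

# Install with: gen_rules tunnel-only eth0 eth1 tun0 192.168.99.0/24 > /etc/iptables.rules
# The pre-up iptables-restore line in the interfaces file then loads it at boot.
```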

Here is my Speedtest result using the Ubuntu Router with VyprVPN connection through the above connection:

[Speedtest screenshot not reproduced]

A bit of a reduction but far better than through the DD-WRT Router…

Updated 19th May 2014

I have received some interesting feedback on this post, specifically from Michael Jata in Germany, about some changes he has made that I thought some of you might find interesting and that might help you to modify the installation for your own purposes.

Here are the details of Michael’s changes…

OK, first of all I forwarded the VPN traffic, since I drop all other connections because I wanted firewall functionality.

Here is the excerpt, especially for VPN passthrough to subnet 192.168.2.0/24 (my main network is 192.168.0.0/24), where eth0 is connected to the WAN and eth1 is the LAN:

# Masquerade VPN tunnel traffic for a specific source range
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun0 -j MASQUERADE

# Accept return traffic of already allowed connections coming in on tun0 and going out to eth1
# (matched on the destination, since this is the reply direction back into the LAN)
iptables -A FORWARD -i tun0 -o eth1 -d 192.168.2.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Forward incoming traffic from eth1 out through tun0 for the specific source range
iptables -A FORWARD -i eth1 -o tun0 -s 192.168.2.0/24 -j ACCEPT

# Drop everything else that would be forwarded
iptables -A FORWARD -j DROP

So now Ubuntu has a static IP 192.168.0.254 on the WAN interface and 192.168.2.1 on the LAN interface, allowing subnet 192.168.2.0/24 both the VPN connection and a normal gateway (I used the same iptables rules but with eth0 instead of tun0 as well).

Next I created a script called vpnConnectionCheck.sh.

This script checks if tun0 is up and running. tun0 is a virtual interface created by openvpn whenever the connection is established.

I created a “generalConnection” config for VyprVPN where I left out the attributes “--remote server 1194” and “--verify-x509-name server name”, since those will be assigned within the script.

In the script you can find an array with vpnServers.

You can just add some of your own choice.

For my purpose, a random server for the reconnection will be selected from this array if the current connection fails for any reason.

I write some logs to a custom file; you can also write them to syslog if you prefer.

#!/bin/bash

# vpnServers: add servers of your own choice to this array
# GER_Frankfurt
arr[0]=de1.vyprvpn.com
# SWI_Zurich
arr[1]=ch1.vyprvpn.com

arrLength=${#arr[*]}
randomArrIndex=$(( RANDOM % arrLength ))
echo "Random generated Array Index from VPN Servers: $randomArrIndex"
echo "Amount of VPN Servers available: $arrLength"

if ifconfig | grep -q tun0; then
    # "OpenVPN sollte bereits laufen" means "OpenVPN should already be running"
    echo "$(date): Tun0 device up: OpenVPN sollte bereits laufen" >> /home/michael/Schreibtisch/CustomScripts/logs/vpnlog
else
    # logging to custom log
    echo "$(date): !!! tun0 is not up !!!" >> /home/michael/Schreibtisch/CustomScripts/logs/vpnlog
    echo "$(date): Reconnecting to ${arr[$randomArrIndex]}" >> /home/michael/Schreibtisch/CustomScripts/logs/vpnlog
    openvpn --config /etc/openvpn/generalConnection.conf --remote "${arr[$randomArrIndex]}" 1194 --verify-x509-name "${arr[$randomArrIndex]}" name
fi

In the final step I wanted to have a cron job running every X minute(s) to check the vpn connection and if it has failed, reconnect…

For this purpose I used the system-wide crontab, /etc/crontab.

Here I added the following line:

*/1 * * * * root [Path to my Script]/vpnConnectionCheck.sh

To test it I set up the job to run once every minute.

Later I will add email notification to inform me if the connection to the VPN has failed, but for now I am happy as a Linux newbie 😉

Hope you like it 🙂

I have not had the chance to thoroughly test the changes that Michael has made, and I am sure that many of you will have alternative approaches, but I thought it would be nice to share Michael’s findings and minor enhancements with you all.
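One thing a cron-driven check like Michael's needs is protection against overlapping runs: a fresh OpenVPN TLS handshake can take longer than the one-minute interval, and a second openvpn started on top of the first will fight it for tun0. As an added example (not Michael's script and not from the original post), here is a plain sh version of the same check with a lock; it assumes the generalConnection.conf from the update and tun0 as the tunnel device, and the log, lock and sysfs paths are choices made here.

```shell
#!/bin/sh
# Added example, not Michael's script: a cron-safe vpnConnectionCheck.sh.
# Assumes the generalConnection.conf from the update (no remote and no
# verify-x509-name inside it) and tun0 as the tunnel device; the log, lock
# and sysfs paths are choices made here, not taken from the post.
VPN_SERVERS="de1.vyprvpn.com ch1.vyprvpn.com"   # add servers of your choice
SYSFS=/sys/class/net
LOG=/var/log/vpnConnectionCheck.log
LOCK=/var/run/vpnConnectionCheck.lock
OPENVPN=openvpn
CONF=/etc/openvpn/generalConnection.conf

log() { echo "$(date '+%F %T'): $*" >> "$LOG"; }

# tun0 exists as a kernel network device only while OpenVPN holds it open.
iface_present() { [ -d "$SYSFS/$1" ]; }

# Pick one server at random; works in plain sh, which has no $RANDOM.
pick_server() {
    set -- $VPN_SERVERS
    n=$(awk -v max="$#" 'BEGIN { srand(); print int(rand() * max) + 1 }')
    shift $((n - 1))
    echo "$1"
}

# Returns 0 when tun0 is up or a reconnect ran, 2 when an earlier run still
# holds the lock: a TLS handshake can outlast the one-minute cron interval,
# and a second openvpn fighting over tun0 is worse than waiting a minute.
# The lock is a directory (mkdir is atomic); remove it by hand after an unclean kill.
check_and_reconnect() {
    if iface_present tun0; then
        log "tun0 up: OpenVPN is running"
        return 0
    fi
    if ! mkdir "$LOCK" 2>/dev/null; then
        log "tun0 down, but a reconnect is already in progress"
        return 2
    fi
    server=$(pick_server)
    log "tun0 down, reconnecting to $server"
    "$OPENVPN" --config "$CONF" --remote "$server" 1194 \
        --verify-x509-name "$server" name
    rc=$?
    rmdir "$LOCK"
    return $rc
}

# Cron entry (as in the update above, plus the "run" argument):
# */1 * * * * root /path/to/vpnConnectionCheck.sh run
if [ "${1:-}" = run ]; then check_and_reconnect; fi
```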

Posted Wednesday, March 12th, 2014 (last updated 2016-11-04) | My Life | 15 Comments
