March 28, 2006

HOWTO: IPCop-OpenVPN

I’m a huge fan of IPCop. It’s a great firewall distro that makes administration a snap using a slick web interface. My goal was to use IPCop and an easy-to-use VPN client to allow access to my LAN while away from home.

I ended up going with the ZERINA OpenVPN addon for IPCop and the OpenVPN GUI for Windows.

If you’ve ever wanted full, secure, encrypted access to your LAN from any remote location, here is your guide.

Just follow these ten easy steps…

IMPORTANT UPDATE: Newer versions of both IPCop and ZERINA (new URL!) have been released since I wrote this HOWTO. You will need to go to each of their respective websites and use the latest version of each to make this work. Ignore the version numbers and/or links given below. You need the latest version of each package!

1. Install IPCop

Download, install, and configure IPCop. Remember that it’s a full distro, so you need a dedicated box to be able to run it. But the good thing is that you barely need any processor power or RAM to make it work. I’m currently running mine on a Celeron 433 box with 32MB (yes, megabytes) of RAM. The CD installer really holds your hand and makes it quite easy, but you may want to check out my Building an IPCop Firewall presentation that I gave at CPLUG back in May 2005.

The OpenVPN addon requires the latest version of IPCop, but since you apply security patches as they come out you don’t have to worry about that… right? Right.

Also, I added a line for the IPCop box to /etc/hosts on my other hosts.

$ grep ipcop /etc/hosts 192.168.1.2 ipcop

So from here on, I’ll be refering to it by it’s hostname of ipcop.

2. Enable ssh access on the IPCop box

Point your browser at your IPCop box, usually at https://ipcop:445 and go to System and then SSH Access. Check the boxes for “SSH Access”, “Allow password based authentication”, and “Allow public key based authentication” and then press the Save button.

3. Download and scp the OpenVPN addon

While IPCop does come with a built-in VPN server, by using OpenVPN you will be able to use the nice GUI clients that are available for it. So download the ZERINA installer and save it to one of your boxen other than the IPCop box. I recommend using wget.

Next, scp the file to your ipcop box:

$ scp -P 222 ZERINA-0.9.3b-Installer.tar.gz root@ipcop: root@ipcop's password: ********* ZERINA-0.9.3b-Installer.tar.gz 100% 327KB 326.5KB/s 00:00

Please note that the version numbers in the listing above and throughout this HOWTO were current as of the writing of this page. However, newer versions have been released since that time. Please be sure to use the latest versions of all packages as you follow along.

4. Unpack and install the OpenVPN addon

First, ssh into the ipcop box:

$ ssh -p 222 root@ipcop

Make a directory in which to unpack the addon and move the tar file into there:

root@ipcop:~ # mkdir zerina root@ipcop:~ # mv ZERINA-0.9.3b-Installer.tar.gz zerina root@ipcop:~ # cd zerina root@ipcop:~ # tar -xzvf ./ZERINA-0.9.3b-Installer.tar.gz

You should now have the following files:

root@ipcop:~/zerina # ls _GPL library.addons _README updatefiles install patch.tar.gz uninstall

Now run the installation script:

root@ipcop:~ # ./install

The addon is now installed.

5. Create a configuration file

This is an important step. Do not skip it.

Point your browser at https://ipcop:445/ and go to the VPNs tab and then OpenVPN. Hit the Advanced Server Options button. Without making any changes to the options, hit the Save button.

6. Follow the OpenVPN/ZERINA HOWTO

There is no sense in me repeating the extremely clear and helpful howto at the ZERINA site. Go there and carefully walk through each of the steps. Along the way you will generate your certificates and create a new connection profile for a user.

If you follow the directions, you’ll end up with both a Root Certificate and a Host Certificate. You will also have a connection certificate that you will need to put on the client/remote PC, and you’ll end up setting the password for the client/connection. Make sure it is the Host-to-Net Virtual Private Network (RoadWarrior) type:

Don’t forget to turn OpenVPN on in Step 5. :)

7. Download the OpenVPN client package (zip)

On the OpenVPN configuration page, after you have created a client connection profile, you will see the following icons next to it:

Click the multicolored icon to the left of the info icon, and save the zip file to somewhere. You’ll need to get this file to the client/remote computer (e.g. via USB drive or email).

8. Load the OpenVPN GUI client

Download the OpenVPN GUI for Windows and install it on your client computer.

Installation docs are available, but there’s not much to do other than walk through the installer.

After it is installed, you’ll have the following icon at the bottom of your screen:

9. Unzip OpenVPN client package

Take the client package that you saved in Step 7 and unzip the contents into your OpenVPN client config directory. That is probably located at: C:\Program Files\OpenVPN\config.

10. Connect to the VPN

Make sure that OpenVPN is running on the ipcop box, and that you are connected to the Internet.

Right-click on the OpenVPN icon and click Connect:

Note that if you did not install the client package correctly in Step 9, you will not have that option available.

Enter the password that you set in Step 6, and you should be connected! You will get assigned an IP address in the 10.241.239.0 range by default.

Once you have an IP, you’ll be able to access all the resources on the LAN (e.g. Samba shares).

Thanks go to Matt and Fuzzie for all their help with config and testing.

Update: Heh! Getting some linkage from Digg right now…

Corrections/Addendum:

If you are using Windows XP and get a WSAEADDRINUSE error when you try to connect the VPN, add the “nobind” keyword to your client config and save it. That should fix it.
If you are trying to connect to the Blue interface on IPCop you’ll need to edit your OpenVPN client config. Comment the first remote line and uncomment the one for the internal IP address of the Blue interface:
#remote serpent.thinkhole.org 1194 remote 192.168.2.1 1194

That should fix it.
If you are using a client (usually on Linux) and getting lots of dropped connections and ping timeouts, try switching from UDP to TCP. You’ll need to change it in IPCop and then edit the “proto” line in the client config. Seems to have fixed it for me.
Need an OpenVPN for OSX? Check out Tunnelblick.

« Five algorithms you need to know

PyWeather »

142 Responses to “HOWTO: IPCop-OpenVPN”

Sverre February 2, 2008 at 6:40 am #
Followed your guide, workes very well, look forward to see how well it copes under full load. thanks for a good guide!
Greg March 2, 2008 at 12:50 am #
Hi, great tutorial. I was able to get the VPN to connect. For some reason I cannot ping anything in my green network other than the Green interface on ipcop. From inside my green network I cannot ping the VPN interfaces. I tried everything I could think of to get access to my green network but nothing works from the VPN. It connects but I cant access anything, remote desktop, web, ftp, ping, drive shares, etc. Is there something I could be missing? I have used OpenVPN with my Endian firewall and it works a bit differently, but still the same idea. I cant seem to get it to work with IpCop and Zerina. Any suggestions would be much appreciated. Thanks!
Ben May March 5, 2008 at 8:10 pm #
Great tutorial, very helpful!! THANKS
Dan March 17, 2008 at 12:47 pm #
Hi all. This works great but I am having an issue….. I have a Green-Red setup and running OpenVPN. I can connect to IPCop from a client PC and even ping the internal IP address of IPCop. However, I can’t ping the server or any other item on the network.

Any help would be appreciated……

Thanks.
Darshan March 17, 2008 at 10:07 pm #
Hi,
Did you add push “route ip address mask” statement to your server.conf
knarF March 17, 2008 at 10:38 pm #
Dan:
I got the same issue here, but i can’t solve it :(
If someone have fixed this, please post it.
Wirgo April 7, 2008 at 1:54 pm #
My VPN is working correctely, but i have a problem with the client netmask. It is 255.255.255.252 and i would like it was 255.255.255.0. I cant find where to change this setting. Thanks
Meissen April 16, 2008 at 3:40 pm #
Great VPN Howto everything works fine.

Thanks.
trevor July 21, 2008 at 6:38 pm #
Tried this thing but nothing works using putty and winscp403 the only commands that worked is mkdir zerina. I am using ipcop 1.4. I am able to putty and scp into the ipcop box but your commands do not and I am not sure which ones to use – please help
sippy October 3, 2008 at 7:07 am #
doesn’t work for any version of IPcop > 1.4.18
sippy October 3, 2008 at 9:47 am #
That is, unless you uncomment the version check. Then it works perfectly!
dippy January 31, 2009 at 5:59 am #
How do you uncomment the version check??
nishad January 31, 2009 at 6:11 am #
add routes to the servers as the green interface of IPCop as it’s gateway. It’ll work.
Ken February 15, 2009 at 11:35 am #
Have anyone tried to get openvpn work with smoothwall? Is it the same?
Bender-420 March 5, 2009 at 10:56 pm #
I am new with the vpn thing, but the instructions here, and the Zerina site were great… till I got to the last step

I get to the last steps and am able to connect the client to the vpn server, but I am not able to see anyting but the virtual subnet that openVPN created.

I dont know if there is a line of code missing in the most rescent version, but there is no NAT or PROXY options available in the GUI.

I have tried appending rules within iptables, but nothing I do seems to make it able to see the Green network.

Any ideas? I am starting to pull my hair out.

Bender
Pieter May 6, 2009 at 5:13 am #
I want to install a new IPCOP box with Open VPN in our network-. We have a Cisco 877W ADSL router with NAT enabled. The ISP does not allow us to change or even look at the settings. Now obviously double natting will be performed.
To get the RoadWarrior VPN going, will the solution be as simple just op open port 1194 on the Cisco router and disabling NAT? How will the Red interface be configured, with the private or public IP address?
Danur November 7, 2009 at 7:29 am #
I’ve installed IPCop 1.4.21 and Zerina OpenVPN, I create Roadwarrior Client and can connect but can’t recognize the server behind the Green interface, and also I make a Net-to-Net but can’t connect each other, can anyone please give suggestions for troubleshooting, thank you.
Mirko January 13, 2010 at 5:39 am #
Hi all,
I have the same problem that Dan had on 17 March 2008 at 12:47 pm.
From the vpn client I can reach ipcop but not any lan host.
For example I can reach the server that has the address 10.7.0.1 but not an internal host with address push 192.168.0.1.
The GREEN address of ipcop is 192.168.0.253/255.255.255.0.
I tried to add “route 192.168.0.0 255.255.255.0″ at /var/ipcop/ovpn/server.conf but I have the same problem.
Did somebody solved it?
Mike January 18, 2010 at 7:45 pm #
They glossed over the advanced server options button on the openvpn page. On this page is options to push down information to the VPN client such as domain and dns information.

When I first set this up, I thought I couldn’t get out to the internet. After troubleshooting, I saw that I could get pages via IP but not by name. I added IPCOPs internal address to this page and restarted the server, and my internet access is back :-)
Magnus Wedberg February 2, 2010 at 11:30 am #
everyone has the same problem :-) For OpenVPN that seems to stop at the router, add

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

to /etc/rc.d/rc.local, or rc.firewall.local, or another start script of choice.
Ziou April 7, 2010 at 9:42 pm #
did de last post work? the iptables rules…
Zizou April 8, 2010 at 6:25 pm #
>Magnus Wedberg 2 February 2010 at 11:30 am Permalink
>
>everyone has the same problem :-) For OpenVPN that seems to stop at >the router, add
>
>iptables -A INPUT -i tun+ -j ACCEPT
>iptables -A FORWARD -i tun+ -j ACCEPT
>iptables -A INPUT -i tap+ -j ACCEPT
>iptables -A FORWARD -i tap+ -j ACCEPT
>
>to /etc/rc.d/rc.local, or rc.firewall.local, or another start script >of choice.

did this work?
Gary Sandoval April 16, 2010 at 10:33 pm #
tengo el ipcop 1.4.21, y no logro encontrar el Zerina OpenVPN para esa version de ipcop, por favor denme una mano. Saludos
marc June 27, 2010 at 11:33 pm #
Nick
14 November 2006 at 1:37 pm
PERMALINK
I’ve been struggling with ipcop and openvpn for about 24 hrs now. I was able to make the connection and was able to ping the gateway, just couldn’t talk to anything past the gateway. It really didn’t make any sense to me so I googled and googled and googled. Finally I have a answer that works. Apparently this is a big problem for alot of people and nobody ever posts the “answer”. Heck just in this blog several people suffer the same problem.

The Setup

My Laptop (192.168.1.100) ==> Linksys Router (LAN 192.168.1.1 / WAN 68.13.33.194) ==> Internet

Internet ==> IPCOP (WAN 85.1.33.14 / LAN 10.0.1.1 / OPENVPN 10.0.2.0/24)

ETH0 – 10.0.1.1
ETH1 – 85.1.33.14

Just by typing this in at the command prompt in IPCop I was able to ping everything behind the gateway(IPCOP).

iptables -t nat -A CUSTOMPOSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE

Where 10.0.2.0 is your OpenVPN Network Information.

this work on me. thanks nick!
jowi July 21, 2010 at 1:15 am #
Hai.. I have problem with connected zerina ovpn ipcop, with this message :
Wed Jul 21 14:08:51 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Wed Jul 21 14:08:51 2010 IMPORTANT: OpenVPN’s default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jul 21 14:08:51 2010 NOTE: OpenVPN 2.1 requires ‘–script-security 2′ or higher to call user-defined scripts or executables
Wed Jul 21 14:09:32 2010 WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
Wed Jul 21 14:09:32 2010 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jul 21 14:09:33 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:09:33 2010 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Wed Jul 21 14:09:33 2010 Local Options hash (VER=V4): ’3514370b’
Wed Jul 21 14:09:33 2010 Expected Remote Options hash (VER=V4): ’239669a8′
Wed Jul 21 14:09:33 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:09:38 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:09:43 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:09:48 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:09:53 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:09:58 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:10:03 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:10:08 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:10:13 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:10:18 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:10:23 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:10:28 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:10:33 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:10:38 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:10:43 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:10:48 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:10:53 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:10:58 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:11:03 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:11:08 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:11:13 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:11:18 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:11:23 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:11:28 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:11:33 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:11:38 2010 RESOLVE: Cannot resolve host address: RahayuComp.Server: [NO_DATA] The requested name is valid but does not have an IP address.
Wed Jul 21 14:11:43 2010 RESOLVE: signal received during DNS resolution attempt
Wed Jul 21 14:11:43 2010 TCP/UDP: Closing socket
Wed Jul 21 14:11:43 2010 SIGTERM[hard,init_instance] received, process exiting

What have i to do? Please help
Ibrahim August 2, 2010 at 10:42 pm #
All,
I experienced the same issue as several above. I could connect, get a 10. IP, and ping the green gateway itself but could not reach anything on the green network.
For me, the cause was foolishness, my own client PC is connected to a gateway having the same exact IP as the green gateway
(IPCop green interface was 192.168.2.1 and so was my linksys)

Once I changed the IP scheme at the Linksys, it works flawlessly.
Chuck August 23, 2010 at 11:37 pm #
I have been reading this post so I decided to load IP cop up and test it. I got the same problem. It is simply a routing problem. There was no mention of the advance server options page. If you are using a dns name such as myoffice.dyndns.org, the you need to go to this page and put that domain name in dhcp push options. Other wise, check all your IP address on all your interfaces to make sure you put all in correct.

Trackbacks/Pingbacks

AlbanyWiFi.com » Blog Archive » IPCop-OpenVPN HOWTO - March 29, 2006
[...] thinkhole.org/wp/2006/03/28/ipcop-openvpn-howto [...]
Web 2.0 Watch » Blog Archive » IPCop-OpenVPN HOWTO - March 29, 2006
[...] Very easy to follow! Check it out here! [...]
HOWTO: Setup your own VPN with IPCop and OpenVPN! at Morad’s Bloggie - March 30, 2006
[...] You will be able to log into your network from anywhere. This is a great tutorialread more | digg story [...]
BlackMacs Stuff - March 30, 2006
Get OpenVPN running on IPCop…

Finally I found an easy tutorial on how to setup OpenVPN on IPCop – Hooray, now I can work on Sundays and at night… maybe not so great???
Check it out!…
Wilco Niessen dot com » Blog Archive » HOWTO: Setup your own VPN with IPCop and OpenVPN! - March 31, 2006
[...] read more | digg story [...]
bytemix » Blog Archive » IPCop+OpenVPN = Acceso externo seguro - April 9, 2006
[...] Enlace: IPCop-OpenVPN Howto [...]
Jim O’Halloran’s Weblog » Blog Archive » links for 2006-04-13 - April 13, 2006
[...] IPCop-OpenVPN HOWTO Excelent article explaining how to set up IPCop and OpenVPN. Will need to do this soon, so this will help a lot. From the article: “I’m a huge fan of IPCop. It’s a great firewall distro that makes administration a snap using a slick web interface. M (tags: linux openvpn ipcop security) [...]
» Digg Makes Australian News - May 6, 2006
[...] Anything above that will get cropped off of the image. My goal was to use IPCop and an easy-to-use VPN client to allow access to my LAN while away from home. I ended up going with the ZERINA OpenVPN addon for IPCop and the OpenVPN GUI for Windows. Install IPCop Download, install, and configure IPCop. Download and scp the OpenVPN addon While IPCop does come with a built-in VPN server, by using OpenVPN you will be able to use the nice GUI clients that are available for it.Summary of: http://thinkhole.org/wp/2006/03/28/ipcop-openvpn-howto/ [...]
Two Mad Geeks » Blog Archive » Setup your own VPN with IPCop and OpenVPN! - May 10, 2006
[...] Link: import this [...]
import this. » Blog Archive » HOWTO: Secure Firefox and IM with PuTTY - May 10, 2006
[...] One of the best ways to secure your connection is to use a VPN, but that isn’t always practical. So here’s a way to securely connect to the net using only an SSH client and a remote box that you control/trust. [...]
zean.no-ip.info » HOWTO: Secure Firefox and IM with PuTTY - May 22, 2006
[...] One of the best ways to secure your connection is to use a VPN, but that isn’t always practical. So here’s a way to securely connect to the net using only an SSH client and a remote box that you control/trust. [...]
Linux Unix » HOWTO: Setup your own VPN with IPCop and OpenVPN! - September 1, 2006
[...] This is a great little tutorial for anyone looking to set up a vpn through the linux based IPCop firewall. A must read!read more | digg story [...]
Cristian Livadaru’s blog » IPCop out of the “box” - April 7, 2007
[...] I bought a VIA mini ITX mainboard to make a new firewall, the old one with a Pentium1 166mhz was going a bit slow and since I also wanted to use VPN I needed something better. IPCop was installed quite fast, and a quick search brought me to this great howto. After setting up VPN I needed a client for Mac OS and I found “Tunnelblick“, quick installation and everything worked great. Now together with my mobile internet connection I can log in from everywhere and also be secured Ok but what is it with the topic, out of the box? Well, usually this has some other meaning, but I really mean my IPCop works “out of the box”, I couldn’t find a case where I could fit it in so I just took a cardboard box April 07th 2007 Posted to Apple, Computer, linux [...]
IPCOP with OpenVPN and Fiesty’s Network Manager at It all flows together - May 10, 2007
[...] First we install, Zerina’s OpenVPN addon to IPCop. Basically copy the zip to the IPCop box, unzip and run the install file. Actually follow this guy’s great tutorial up to step 7. he’s got it all covered. [...]
Linux for Christians » Blog Archive » The Over-Committed Geek’s Firewall - May 3, 2008
[...] Just drop in a second network card into the machine you want to turn into a firewall and boot from the CD. After that, it is just a matter of following the on screen instructions. After install, IPCop will allow full configuration from a web-based GUI, show you metrics on Internet usage, stability and security that make the paranoid proud, drop-dead simple upgrades, Intrusion Detection, DHCP, DNS, DMZ, Port Forwarding, NAT, separate WiFi network for your in church coffee shop (with additional NIC) and other fun things. Some VPN capability is also built-in, but for the road-warrior style VPN usage that most ministries use, I’d recommend an OpenVPN plugin as an alternative that is much easier to maintain on the client side. For more information on this, check out HOWTO: IPCop-OpenVPN. [...]

HOWTO: IPCop-OpenVPN

More from this category

142 Responses to “HOWTO: IPCop-OpenVPN”

Trackbacks/Pingbacks