28 March 2006 ~ 142 Comments

HOWTO: IPCop-OpenVPN

I’m a huge fan of IPCop. It’s a great firewall distro that makes administration a snap using a slick web interface. My goal was to use IPCop and an easy-to-use VPN client to allow access to my LAN while away from home.

I ended up going with the ZERINA OpenVPN addon for IPCop and the OpenVPN GUI for Windows.

If you’ve ever wanted full, secure, encrypted access to your LAN from any remote location, here is your guide.

Just follow these ten easy steps…

IMPORTANT UPDATE: Newer versions of both IPCop and ZERINA (new URL!) have been released since I wrote this HOWTO. You will need to go to each of their respective websites and use the latest version of each to make this work. Ignore the version numbers and/or links given below. You need the latest version of each package!

1. Install IPCop

Download, install, and configure IPCop. Remember that it’s a full distro, so you need a dedicated box to be able to run it. But the good thing is that you barely need any processor power or RAM to make it work. I’m currently running mine on a Celeron 433 box with 32MB (yes, megabytes) of RAM. The CD installer really holds your hand and makes it quite easy, but you may want to check out my Building an IPCop Firewall presentation that I gave at CPLUG back in May 2005.

The OpenVPN addon requires the latest version of IPCop, but since you apply security patches as they come out you don’t have to worry about that… right? Right.

Also, I added a line for the IPCop box to /etc/hosts on my other hosts.

$ grep ipcop /etc/hosts
192.168.1.2 ipcop

So from here on, I’ll refer to it by its hostname, ipcop.

2. Enable ssh access on the IPCop box

Point your browser at your IPCop box, usually at https://ipcop:445 and go to System and then SSH Access. Check the boxes for “SSH Access”, “Allow password based authentication”, and “Allow public key based authentication” and then press the Save button.

[Image: IPCop - SSH Access]

3. Download and scp the OpenVPN addon

While IPCop does come with a built-in VPN server, by using OpenVPN you will be able to use the nice GUI clients that are available for it. So download the ZERINA installer and save it to one of your boxen other than the IPCop box. I recommend using wget.

Next, scp the file to your ipcop box:

$ scp -P 222 ZERINA-0.9.3b-Installer.tar.gz root@ipcop:
root@ipcop's password: *********
ZERINA-0.9.3b-Installer.tar.gz 100% 327KB 326.5KB/s 00:00

Please note that the version numbers in the listing above and throughout this HOWTO were current as of the writing of this page. However, newer versions have been released since that time. Please be sure to use the latest versions of all packages as you follow along.

4. Unpack and install the OpenVPN addon

First, ssh into the ipcop box:

$ ssh -p 222 root@ipcop

Make a directory in which to unpack the addon and move the tar file into there:

root@ipcop:~ # mkdir zerina
root@ipcop:~ # mv ZERINA-0.9.3b-Installer.tar.gz zerina
root@ipcop:~ # cd zerina
root@ipcop:~/zerina # tar -xzvf ./ZERINA-0.9.3b-Installer.tar.gz

You should now have the following files:

root@ipcop:~/zerina # ls
_GPL library.addons _README updatefiles
install patch.tar.gz uninstall

Now run the installation script:

root@ipcop:~/zerina # ./install

The addon is now installed.

5. Create a configuration file

This is an important step. Do not skip it.

Point your browser at https://ipcop:445/ and go to the VPNs tab and then OpenVPN. Hit the Advanced Server Options button. Without making any changes to the options, hit the Save button.

6. Follow the OpenVPN/ZERINA HOWTO

There is no sense in me repeating the extremely clear and helpful howto at the ZERINA site. Go there and carefully walk through each of the steps. Along the way you will generate your certificates and create a new connection profile for a user.

If you follow the directions, you’ll end up with both a Root Certificate and a Host Certificate. You will also have a connection certificate that you will need to put on the client/remote PC, and you’ll end up setting the password for the client/connection. Make sure it is the Host-to-Net Virtual Private Network (RoadWarrior) type:

[Image: IPCop - Connection Type]

Don’t forget to turn OpenVPN on in Step 5 of the ZERINA HOWTO. :)

7. Download the OpenVPN client package (zip)

On the OpenVPN configuration page, after you have created a client connection profile, you will see the following icons next to it:

[Image: IPCop - Download client package]

Click the multicolored icon to the left of the info icon, and save the zip file somewhere. You’ll need to get this file to the client/remote computer (e.g. via USB drive or email).

8. Load the OpenVPN GUI client

Download the OpenVPN GUI for Windows and install it on your client computer.

[Image: OpenVPN GUI for Windows]

Installation docs are available, but there’s not much to do other than walk through the installer.

After it is installed, you’ll have the following icon at the bottom of your screen:

[Image: OpenVPN Client icon]

9. Unzip OpenVPN client package

Take the client package that you saved in Step 7 and unzip the contents into your OpenVPN client config directory. That is probably located at: C:\Program Files\OpenVPN\config.

10. Connect to the VPN

Make sure that OpenVPN is running on the ipcop box, and that you are connected to the Internet.

Right-click on the OpenVPN icon and click Connect:

[Image: OpenVPN connection]

Note that if you did not install the client package correctly in Step 9, you will not have that option available.

Enter the password that you set in Step 6, and you should be connected! You will get assigned an IP address in the 10.241.239.0 range by default.

[Image: Matt does some testing]

Once you have an IP, you’ll be able to access all the resources on the LAN (e.g. Samba shares).

Thanks go to Matt and Fuzzie for all their help with config and testing.

Update: Heh! Getting some linkage from Digg right now…

Corrections/Addendum:

  1. If you are using Windows XP and get a WSAEADDRINUSE error when you try to connect the VPN, add the “nobind” keyword to your client config and save it. That should fix it.
  2. If you are trying to connect to the Blue interface on IPCop you’ll need to edit your OpenVPN client config. Comment the first remote line and uncomment the one for the internal IP address of the Blue interface:

    #remote serpent.thinkhole.org 1194
    remote 192.168.2.1 1194

    That should fix it.

  3. If you are using a client (usually on Linux) and getting lots of dropped connections and ping timeouts, try switching from UDP to TCP. You’ll need to change it in IPCop and then edit the “proto” line in the client config. Seems to have fixed it for me.
  4. Need an OpenVPN client for OS X? Check out Tunnelblick.
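
Corrections 1 to 3 are all small edits to the client config, so they can be applied in one pass. The shell function below is an added example, not part of the original HOWTO or of ZERINA; the function names, the sample config and the `tcp-client` value passed for the proto line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO or of ZERINA.
# fix_client_conf and sample_client_conf are hypothetical names.

# fix_client_conf FILE [BLUE_IP] [PROTO]    ("-" as FILE reads stdin)
#   always      : add "nobind" unless the config already has it   (correction 1)
#   BLUE_IP set : comment out the active "remote" lines and point
#                 the client at the Blue interface, same port     (correction 2)
#   PROTO set   : rewrite the "proto" line                        (correction 3)
# The patched config goes to stdout; the input file is not modified.
fix_client_conf() {
    awk -v blue="${2:-}" -v proto="${3:-}" '
        # Match directives by first word, ignoring leading whitespace.
        { line = $0; sub(/^[ \t]+/, "", line); n = split(line, f, /[ \t]+/) }

        f[1] == "nobind" { have_nobind = 1 }

        # Active remote line: keep it as a comment, add the Blue one once.
        blue != "" && f[1] == "remote" {
            print "#" $0
            if (!remote_done) print "remote " blue " " (n >= 3 ? f[3] : "1194")
            remote_done = 1
            next
        }
        # Commented-out entry for the Blue address: now redundant, drop it.
        blue != "" && f[1] == "#remote" && f[2] == blue { next }

        proto != "" && f[1] == "proto" {
            if (!proto_done) print "proto " proto
            proto_done = 1
            next
        }
        { print }

        END {
            if (blue != "" && !remote_done) print "remote " blue " 1194"
            if (proto != "" && !proto_done) print "proto " proto
            if (!have_nobind) print "nobind"
        }
    ' "$1"
}

# Constructed sample, modelled on the two "remote" lines shown above.
sample_client_conf() {
    cat <<'EOF'
client
dev tun
proto udp
remote serpent.thinkhole.org 1194
#remote 192.168.2.1 1194
verb 3
EOF
}

# Blue-interface client over TCP; tcp-client is the client-side TCP value.
sample_client_conf | fix_client_conf - 192.168.2.1 tcp-client
```

Called with only a file name, the function leaves the remote and proto lines alone and just makes sure nobind is present.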

142 Responses to “HOWTO: IPCop-OpenVPN”

  1. Rolf 17 October 2006 at 5:47 pm Permalink

    A great guide.

    But when I try to connect, I get this message.
    “Unable to connect because your certificate is not yet valid. Check that your time is correct.”
    I have checked the time and it is the same on both sides.

    In the .zip file there were 1 config file and 1 certificate file.

    What can be wrong?

    Thanks.

  2. John 17 October 2006 at 11:29 pm Permalink

    @Ruben

    No idea.

    @Dale

    OpenVPN and VNC are two totally different things. But you could certainly connect to a VNC server over the VPN if you want. That’s a common application.

    @angelo

    Please see Step 5: OpenVPN Server Start in the Zerina HOWTO. You need to start OpenVPN before you can use it.

  3. John 18 October 2006 at 9:37 am Permalink

    @Rolf:

    Please check the time on both systems (client and server) again to ensure that they are both correct. Then re-generate the root and host certificates.

    Some related info may be in the openvpn.se forums.

  4. John 18 October 2006 at 9:40 am Permalink

    @Signal64:

    Browsing Samba shares may be problematic over OpenVPN. Part of it may be due to using a netmask of 255.255.255.255 while trying to use broadcast.

    I’ve found that if you use the IP of the host rather than the name (e.g. use \\192.168.1.2 rather than \\servername) it works just fine.

    Hopefully that helps.

    PS. This assumes you have Samba configured correctly to allow hosts from the 10.x.x.x range.

  5. Chad 2 November 2006 at 8:00 pm Permalink

    Great article…!

    This sounds good as I want a solution to secure wireless at home without having to resort to WPA-PSK and associated ping drops/reduced performance. (ie. Run wireless open with VPN from blue to green)

    However, your comment 29th March …
    ‘@Kud: By default the OpenVPN addon does not encrypt your other traffic…’
    has caused me some concern! Does the OpenVPN addon only use encryption to authenticate clients? and then the rest of the traffic through the tunnel is unencrypted/plaintext?

    I am v. new to VPN, so sorry if that question is defamatory to me intelligence!

    Thanks for your time.

  6. John 2 November 2006 at 8:12 pm Permalink

    @Chad:

    Using a VPN is a good way to keep your wireless network secure. That’s personally how I am currently set up. The only access allowed from my Blue network (wireless) to the Green network (LAN) is via VPN.

    What I meant by my comment was that using the VPN will only encrypt the traffic from Blue<-->Green. If you browse the web from the Blue network, it won’t be encrypted, as that would be going from Blue<-->Red.

    To solve that, you can enable a proxy on your Green network, and route the traffic there. But even then, your DNS queries will still probably go out unencrypted over Red unless you use something like Privoxy.

    Hopefully that helps.

    - J

  7. Tom NS 9 November 2006 at 10:28 am Permalink

    Hi There,

    I just noticed that after a vpn session connects my DHCP server stops running
    and doesn’t seem to restart again.

    Anyone else had the same issue ?

    Thanks
    Tom

  8. EvylRat 13 November 2006 at 7:53 am Permalink

    This is great! It works fine (until I messed some settings up). Thanks for such a simple tutorial.

    BUT, I’ve still got a few questions. I’d like to use this setup for online gaming, as an alternative to Hamachi. Here’s my setup on Green network
    IPCOP : 192.168.1.1
    SERVER : 192.168.1.9
    GAMES PC : 192.16.1.10

    I setup Zerina as per tutorial, so the VPN network is on 10.0.10.0

    I’d like for friends to be able to VPN in and all of us be seen on same network.
    Like Mario, I get the following message (similar) when trying to connect to VPN from my GAMES PC
    “Tue Oct 03 18:04:44 2006 TCP/UDP: Incoming packet rejected from 10.100.100.116 (GREEN INTERFACE) :1194[2], expected peer address: 10.100.100.115:1194 (RED INTERFACE) (allow this incoming source address/port by removing --remote or adding --float)”

    Advice please!

    Rich

  9. Nick 14 November 2006 at 1:37 pm Permalink

    I’ve been struggling with ipcop and openvpn for about 24 hrs now. I was able to make the connection and was able to ping the gateway, just couldn’t talk to anything past the gateway. It really didn’t make any sense to me so I googled and googled and googled. Finally I have an answer that works. Apparently this is a big problem for a lot of people and nobody ever posts the “answer”. Heck just in this blog several people suffer the same problem.

    The Setup

    My Laptop (192.168.1.100) ==> Linksys Router (LAN 192.168.1.1 / WAN 68.13.33.194) ==> Internet

    Internet ==> IPCOP (WAN 85.1.33.14 / LAN 10.0.1.1 / OPENVPN 10.0.2.0/24)

    ETH0 – 10.0.1.1
    ETH1 – 85.1.33.14

    Just by typing this in at the command prompt in IPCop I was able to ping everything behind the gateway(IPCOP).

    iptables -t nat -A CUSTOMPOSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE

    Where 10.0.2.0 is your OpenVPN Network Information.

  10. Rajesh 15 November 2006 at 5:44 am Permalink

    Hi,

    We have two offices protected with IPCOP. I have installed OpenVPN on both sides. If I am out of office and trying to access vpn it is working excellent. If I am inside office I am not able to connect to the next office VPN. Please suggest to fedorahacker@gmail.com

    Thank you.
    Regards.
    Hacker.

  11. Dale 26 November 2006 at 6:17 pm Permalink

    I was hoping to test this as it looks very good, but can’t get through to the zerina web site. It’s pingable but the web pages do not come up so I can DL the IPCOP plugin.

    Is it permanently down?

    Thanks
    Dale

  12. John 27 November 2006 at 7:50 pm Permalink

    Dale:

    No idea. I can’t reach the site either. I doubt that it is “permanently” down, but it does seem they are having some rather serious connectivity issues.

    - JPM

  13. Shap 15 December 2006 at 12:01 pm Permalink

    Since you have this installed, I’m curious: can OpenVPN on the ipcop machine act as a *client*? I’m looking for this because I want to build a tunnel to my colo box at softlayer, and they have a scheme for connecting in to their administration network using either PPTP or SSL-based vpn. If I can use OpenVPN as an SSL-based vpn, that would be very helpful.

  14. Marcus 15 December 2006 at 6:40 pm Permalink

    Hi,
    has anyone figured out a way to configure ZERINA (or IPcop) in a way that any traffic from the green side gets routed back to the road warrior without having to set the routes in the green network? I mean, the IPcop is not necessarily the default router. The problem would not arise, if ZERINA would NAT the traffic from the roadwarrior, i.e. make it appear to come from the IPcop and not from the tunnel.

  15. jags 9 January 2007 at 6:01 am Permalink

    I am using ipcop. I have a few questions about vpn and proxy.

    About vpn… is there a limit on the number of clients that can connect simultaneously to the ipcop? If yes, can we increase it and how?

    I am using ipcop proxy and along with it am using squid proxy for webfiltering. Firstly the internet speed has gone slow.. second I have to put internet gateway in the ip setting to access emails (which I need to connect to pop account). Is there a way to configure the proxy in such a way the email traffic also uses proxy settings?

    If not, is there a way to restrict user to use internet gateway for internet access? As it will not filter the traffic for content filtering or webfiltering….

    I hope you understand.

  16. jake 11 January 2007 at 1:14 pm Permalink

    now can you do the same magic trick for Mandriva Linux 2007 Power Pack….??????

  17. jags 16 January 2007 at 1:36 am Permalink

    I am using ipcop. I have a few questions about vpn and proxy.

    About vpn… is there a limit on the number of clients that can connect simultaneously to the ipcop? If yes, can we increase it and how?

    I am using ipcop proxy and along with it am using squid proxy for webfiltering. Firstly the internet speed has gone slow.. second I have to put internet gateway in the ip setting to access emails (which I need to connect to pop account). Is there a way to configure the proxy in such a way the email traffic also uses proxy settings?

    If not, is there a way to restrict user to use internet gateway for internet access? As it will not filter the traffic for content filtering or webfiltering….

    I hope you understand.

  18. EvylRat 20 January 2007 at 11:54 am Permalink

    Just installed the latest Zerina, all working great.
    Got some more questions about using this OpenVPN.

    Scenario: My sister is on a wireless unsecure network, ouch! (brand new, fitted last week).

    I’ve got her setup on OpenVPN, she can connect to my router OK, and can Ping it, and I can Ping her.

    How can she use my proxy to browse the web and use messenger, so it’d be secure over the OpenVPN connection?

  19. jags 24 January 2007 at 7:18 am Permalink

    evylrat,

    Are you having two separate PCs, one where you have installed ipcop and another from where you are pinging your sister’s PC?

    If this is the scenario, then ask her to ping the ipcop machine. If she can do that, all she is required to do is put the proxy setting in Internet Explorer and use port 800. Also you have to activate the proxy of ipcop.

    let me know if you have doubts.

    jags

  20. EvylRat 25 January 2007 at 9:00 am Permalink

    Thanks for the reply jags. I started off by trying the proxy, thinking it’d be that simple. Just tried again and got a partial result…
    It’s talking to IPCOP, but web browser returns “Access Denied” from IPCOP, rather than the webpage. I’m still running the standard proxy.

  21. EvylRat 25 January 2007 at 9:05 am Permalink

    I’m going to look at this link later…
    http://tinyurl.com/ynlbfc
    “Proxy – Access denied”…

    EDIT: Ran URL through TinyURL to fix formatting. -JPM

  22. Pat 25 January 2007 at 11:03 am Permalink

    I am using ipCop and Openvpn over Blue and Red for my office. I have been able to setup 2 RoadWarrior systems, one being my computer at home, the second being a portable. For the portable, I generated 2 certs, and edited the remote ips accordingly. It works great on both machines, and even the portable’s 2 connections work perfectly.
    Here is my problem: Every other computer (Very similar to the working portable, with XP Pro Sp2) I try to set up the connection on complains with the following line:

    TLS Error:TLS Key Negotiation failed to occur within 60 seconds

    Does anyone have any insight on this error? Help!!!

  23. EvylRat 26 January 2007 at 4:53 am Permalink

    For the Proxy “Access Denied” problem, install Advanced Proxy on IPCOP, and there’s a field in the settings page that allows you to enter the VPN subnet mask into the proxy to allow it. Works great!

  24. John 5 February 2007 at 10:25 pm Permalink

    Hi, I just installed this on my ipcop using your very detailed instructions. Everything worked great, thank you very much. But when I installed the openvpn gui on a second PC in the blue zone, it created a conflict with the first PC in the Blue zone. Every 60 seconds or so, the PCs would drop their network connections – “Local Area connection cable unplugged” alternating between PCs.

    Do I need to create a unique host certificate for every PC on the blue interface?

  25. John 5 February 2007 at 10:26 pm Permalink

    I should have also stated above, that when I disable the vpn connection on one of the PCs everything works fine again.

  26. John 5 February 2007 at 10:49 pm Permalink

    @John:

    I think you need to make a new cert for each host if you want them to connect at the same time. If you don’t want them to connect at the same time, you can probably use the same one.

    I could be wrong. :)

  27. John 6 February 2007 at 12:59 am Permalink

    I think I have solved my problem with duplicate clients connecting simultaneously. I checked the log files for openvpn and it pointed me in the direction of the duplicate cn option for allowing more than one client connection at a time.

    I edited the file /var/ipcop/ovpn/server.conf (I couldn’t find this option via the web config) and added a line “duplicate-cn” without quotes and restarted the openvpn server. Everything has been working good so far.

    I apologize if this is obvious, but I couldn’t find this easily online. I can’t believe I didn’t implement openvpn sooner. Thanks again for your howto.

  28. Fred 23 February 2007 at 3:03 pm Permalink

    Hi, I’ve been running several OpenVPN (zerina)/IPCop sites for about 6 months. What a great system! But I’ve discovered that the Enable/Disable checkbox in IPCop/Zerina doesn’t do anything on the client side. Even when the certificate is disabled, the client can still connect. Is this feature not yet implemented? Do I need to revoke/delete a cert in order to keep a particular client from connecting?

    Also, my Linux clients are using KVpnc to access OpenVPN on IPCop boxes. This has the nice feature of being able to specify the IP address to ping. Is there any way to accomplish this with OpenVPN GUI on Windows? This would enable the Windows OpenVPN connection to terminate gracefully when a host behind IPCop/OpenVPN goes offline (like a mounted drive). As it is now, the IPCop/OpenVPN box is the keep-alive host, and (of course) it never goes down.

    Thanks in advance for your ideas.

    IPCop 1.4.11
    ZERINA-0.9.7a10
    OpenVPN 2.0.9
    OpenVPN GUI 1.0.3

  29. steve 11 March 2007 at 9:07 pm Permalink

    Hi,
    Thanks for a clear writeup. got a DNS question…

    Seems that when our machines go to sleep, IPCop’s DNS server forgets about them after some point.

    This makes it impossible to send the sleeping machine the wake up packet from our client management software (without relying on IP addresses).

    So then I added a manual DNS entry for the sleeping machine under Services > Edit Hosts. This fixed the immediate problem– now I have a working DNS entry for the sleeping machine. But is this the right way? Couldn’t the DNS entry I added under Edit Host easily become wrong when the IP address/dynamic lease assigned to the machine changes?

    Then I noticed the Create Fixed Lease button, I thought oh this is just what I want. So I clicked the Create Fixed Lease button for the sleeping machine under the Dynamic Lease section which moved it up to the Fixed Lease section. Good, I thought, so I did for a dozen other hosts under the Dynamic Lease Section.

    Not good– I soon realized!! Once a host is moved to a Static Lease, IPCop assigned it a new IP address outside the scope of the DHCP server’s pool which is OK— but what’s not OK was that it no longer has any DNS entry assigned! Pinging it by name is impossible, only by IP address, so now I lost access to all my DNS entries!

    So I now moved everything back down to the Dynamic Lease section, which was difficult since everything now had a new IP address.

    In any case, what’s the proper way to do this?

    Am I supposed to enter in all hosts under Services > Hosts, just to avoid losing them when they sleep, and then I must simultaneously create an entry for each as a Static Lease?

    Is it dangerous like I am assuming to leave them as Dynamic Leases with an entry under Edit Hosts?

    This all makes for much more maintenance than I hoped. Is there a setting I can adjust that the DNS server in IPCop will keep the address for some period of time despite the machine gone AWOL?

    Thanks!

  30. Klassics 17 March 2007 at 3:13 am Permalink

    I have two internet connections in office. Can I set up IPCOP so it can use one connection when the other is down?

    Also, when I set up the IPCOP, and try to use Cisco software to connect to my client Cisco VPN network, it allows only one machine to get connected.

  31. Vic 18 March 2007 at 12:57 am Permalink

    Thanks a bunch for the tutorial. Really made securing my WiFi connection a less daunting task. Pictures, Step by step instructions, etc. You should do more of these.

  32. karl 20 March 2007 at 5:47 pm Permalink

    Steve,

    You can either create a fixed lease and edit the hosts file to make a corresponding entry, or (simpler) lengthen the DHCP lease period to something longer than your machines stay asleep.

  33. Sam Snow 21 March 2007 at 5:18 pm Permalink

    For those asking about how to route all traffic from the remote user through the VPN, here is some documentation on the OpenVPN site: http://openvpn.net/howto.html#redirect .

    How this exactly would work with IPCOP/ZERINA I am not sure. It looks like some edits via the command line would be needed.

    Sam

  34. Ale 23 March 2007 at 9:51 am Permalink

    Hello. I need help. I installed the openvpn client in Windows 98 but I cannot connect to the openvpn server because the client does not support Windows 98.
    Does someone know a vpn client software to connect to my openvpn server?
    my email is adecchi@gmail.com
    Thz
    Ale

  35. Aaron 28 March 2007 at 10:00 pm Permalink

    This guide rules!!
    you rule bro!!!

  36. Marcello 15 April 2007 at 7:25 pm Permalink

    just set up open vpn. It connects but then gives me the following error message.

    write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)

    I am using openvpn on XP. The IPcop in question is behind a nat firewall and I have port 1194 opened

    Thanks for any help

  37. Marcello 15 April 2007 at 8:11 pm Permalink

    btw my email address is marcello@powercall.ca

  38. klapio 27 April 2007 at 3:51 am Permalink

    Thanks for the great how-to!
    This couldn’t be any easier. I only have one problem. We have a Samba server running in the ORANGE network and I can’t connect to it over openvpn.
    Anybody have a solution for that?
    My LAN is 10.0.0.0/255.255.255.0 and OpenVPN is set to 10.50.0.0/255.255.0.0

  39. mark 30 April 2007 at 10:33 am Permalink

    I’m going to be setting up OpenVPN to use with my Linux laptop (Kubuntu 7.04) with red and blue access.

    The IPCop setup looks fairly straightforward, but I’m having more trouble finding any howto help with the needed settings for Kvpnc (on the laptop).

    Any good guides out there with examples on setting up Kvpnc for OpenVPN?

    Thanks

  40. Child of Wonder 26 July 2007 at 4:11 pm Permalink

    Anyone wanting to web surf through their VPN needs to do the following:

    add this to /var/ipcop/ovpn/server.conf

    push "redirect-gateway def1"
    # use the IP of the DNS server you use on the green network
    push "dhcp-option DNS x.x.x.x"

    then add the following iptables rule:

    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
    (replace 10.0.0.0/24 with your OpenVPN network you chose and eth1 with the RED interface on your IPCop box)

    Restart OpenVPN, connect to it, and you’re off!

  41. Sangita Goel 16 August 2007 at 9:00 am Permalink

    I am a novice at this: I want to setup IP cop on an old computer then be able to network a new computer and have a wireless router in the house for other laptops. Can this be done? Would someone be willing to talk me through it.

  42. Oliver 24 September 2007 at 7:18 pm Permalink

    Thanks for the tip about the WSAEADDRINUSE error. It was working fine for a week and then I suddenly received that error. All working well again now. :)

  43. ck 11 October 2007 at 3:50 pm Permalink

    is there a link to ZERINA for the setup of the openVPN that is in english and not in German?

  44. Albert 12 November 2007 at 6:04 am Permalink

    Great Jobs!

    Thanks for your good articles, which help me to construct my VPN network!
    another question, why openVPN in this situation can only setup host-to-net VPN, net-to-net VPN is gray?

    Thanks!

  45. Eric 9 December 2007 at 3:01 pm Permalink

    I don’t believe in stealing someone’s work. Your how-to website is one of those websites that shouldn’t be lost because a server went down or the author didn’t renew a domain, etc. Are you cool with me doing a pdf of your site and placing it on my site? Obviously a pdf of your site would be your exact site and no changes. Please email me a response.

  46. Jofie 17 December 2007 at 8:58 am Permalink

    Dear Friends,
    I have successfully installed OpenVPN and it’s running at both ends, client and server side. The only problem I’m facing is when I am trying to access the complete network it could not help me out.
    I have added this line in the Server.ovpn file
    push "route ip address and subnet mask"
    e.g 192.168.0.0 255.255.255.0

    Please advise what to do next. I’m using Windows XP Professional Edition at both ends.

    looking forward.

    Brother

  47. Jofie 17 December 2007 at 9:01 am Permalink

    the file i have on the machine please advise if is not correct.

    ## server.ovpn ##
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert widget.crt
    key widget.key
    dh dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 192.168.0.0 255.255.255.0"
    push "dhcp-option WINS 192.168.0.1"
    push "dhcp-option DNS 192.168.0.1"
    push "dhcp-option DOMAIN acme.com.local"
    keepalive 10 120
    comp-lzo
    max-clients 4
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
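
The server-side settings raised in the comments above (`duplicate-cn`, `max-clients`, `push "redirect-gateway def1"`, a `dh1024.pem` parameter file, and the question of shutting out one client) can be checked in one pass over server.conf. This audit is an added example, not part of any comment or of ZERINA; the function names and the sample config are constructed, and `crl-verify` is the OpenVPN directive that makes the server check a certificate revocation list.

```shell
#!/bin/sh
# Added example, not part of any comment, of ZERINA or of IPCop.
# audit_server_conf and sample_server_conf are hypothetical names.

# audit_server_conf FILE    ("-" as FILE reads stdin)
# Prints one "WARN ..." or "INFO ..." line per finding and returns 1 if
# there was at least one WARN, 0 otherwise.
audit_server_conf() {
    awk '
        function warn(msg) { warnings++; print "WARN " msg }
        function info(msg) { print "INFO " msg }

        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^[#;]/ { next }     # blank line or comment
        { split(line, f, /[ \t]+/) }

        # One certificate shared by several simultaneous clients.
        f[1] == "duplicate-cn" {
            warn("duplicate-cn: clients sharing one certificate can connect at once, so one of them cannot be shut out on its own")
        }
        # Heuristic on the file name only; the file itself is not inspected.
        f[1] == "dh" && f[2] ~ /1024/ {
            warn("dh: file name " f[2] " suggests 1024-bit Diffie-Hellman parameters")
        }
        f[1] == "crl-verify"  { have_crl = 1 }
        f[1] == "max-clients" {
            info("max-clients: at most " f[2] " simultaneous clients")
        }
        f[1] == "push" && line ~ /redirect-gateway/ {
            info("push redirect-gateway: all client traffic is sent through the tunnel")
        }

        END {
            if (!have_crl)
                warn("crl-verify: not set, OpenVPN is not checking a certificate revocation list")
            exit (warnings > 0)
        }
    ' "$1"
}

# Constructed sample combining directives quoted in the comments above.
sample_server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert widget.crt
key widget.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
max-clients 4
duplicate-cn
verb 3
EOF
}

sample_server_conf | audit_server_conf - || echo "review the WARN lines above"
```

On IPCop the file to pass is the one named in the comments, /var/ipcop/ovpn/server.conf.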

  48. Nick 20 December 2007 at 7:24 pm Permalink

    Here is an updated link to the ZERINA how-to, in English!

    http://www.vpnforum.de/zerina/?q=documentation/howto-roadwarrior

    (thanks be to Google)

  49. Shane 21 January 2008 at 11:12 pm Permalink

    Thanks for the clear and easy walk through. Have you thought about a paypal donate button?

    We use this with macs and PCs in a mixed network. It works mighty fine.

    Cheers,
    Shane

  50. John 27 January 2008 at 5:47 pm Permalink

    Hi Shane:

    Heh, I guess I could add something like that. I guess I just never thought that anyone would bother to donate. :)

    Glad you liked the guide.

    Thanks,
    John

