28 March 2006 ~ 135 Comments

HOWTO: IPCop-OpenVPN

I’m a huge fan of IPCop. It’s a great firewall distro that makes administration a snap using a slick web interface. My goal was to use IPCop and an easy-to-use VPN client to allow access to my LAN while away from home.

I ended up going with the ZERINA OpenVPN addon for IPCop and the OpenVPN GUI for Windows.

If you’ve ever wanted full, secure, encrypted access to your LAN from any remote location, here is your guide.

Just follow these ten easy steps…

IMPORTANT UPDATE: Newer versions of both IPCop and ZERINA (new URL!) have been released since I wrote this HOWTO. You will need to go to each of their respective websites and use the latest version of each to make this work. Ignore the version numbers and/or links given below. You need the latest version of each package!

1. Install IPCop

Download, install, and configure IPCop. Remember that it’s a full distro, so you need a dedicated box to be able to run it. But the good thing is that you barely need any processor power or RAM to make it work. I’m currently running mine on a Celeron 433 box with 32MB (yes, megabytes) of RAM. The CD installer really holds your hand and makes it quite easy, but you may want to check out my Building an IPCop Firewall presentation that I gave at CPLUG back in May 2005.

The OpenVPN addon requires the latest version of IPCop, but since you apply security patches as they come out you don’t have to worry about that… right? Right.

Also, I added a line for the IPCop box to /etc/hosts on my other hosts.

$ grep ipcop /etc/hosts
192.168.1.2 ipcop

So from here on, I’ll be referring to it by its hostname of ipcop.

2. Enable ssh access on the IPCop box

Point your browser at your IPCop box, usually at https://ipcop:445 and go to System and then SSH Access. Check the boxes for “SSH Access”, “Allow password based authentication”, and “Allow public key based authentication” and then press the Save button.

[Screenshot: IPCop - SSH Access]

3. Download and scp the OpenVPN addon

While IPCop does come with a built-in VPN server, by using OpenVPN you will be able to use the nice GUI clients that are available for it. So download the ZERINA installer and save it to one of your boxen other than the IPCop box. I recommend using wget.

Next, scp the file to your ipcop box:

$ scp -P 222 ZERINA-0.9.3b-Installer.tar.gz root@ipcop:
root@ipcop's password: *********
ZERINA-0.9.3b-Installer.tar.gz 100% 327KB 326.5KB/s 00:00

Please note that the version numbers in the listing above and throughout this HOWTO were current as of the writing of this page. However, newer versions have been released since that time. Please be sure to use the latest versions of all packages as you follow along.

4. Unpack and install the OpenVPN addon

First, ssh into the ipcop box:

$ ssh -p 222 root@ipcop

Make a directory in which to unpack the addon and move the tar file into there:

root@ipcop:~ # mkdir zerina
root@ipcop:~ # mv ZERINA-0.9.3b-Installer.tar.gz zerina
root@ipcop:~ # cd zerina
root@ipcop:~/zerina # tar -xzvf ./ZERINA-0.9.3b-Installer.tar.gz

You should now have the following files:

root@ipcop:~/zerina # ls
_GPL library.addons _README updatefiles
install patch.tar.gz uninstall

Now run the installation script:

root@ipcop:~/zerina # ./install

The addon is now installed.

5. Create a configuration file

This is an important step. Do not skip it.

Point your browser at https://ipcop:445/ and go to the VPNs tab and then OpenVPN. Hit the Advanced Server Options button. Without making any changes to the options, hit the Save button.

6. Follow the OpenVPN/ZERINA HOWTO

There is no sense in me repeating the extremely clear and helpful howto at the ZERINA site. Go there and carefully walk through each of the steps. Along the way you will generate your certificates and create a new connection profile for a user.

If you follow the directions, you’ll end up with both a Root Certificate and a Host Certificate. You will also have a connection certificate that you will need to put on the client/remote PC, and you’ll end up setting the password for the client/connection. Make sure it is the Host-to-Net Virtual Private Network (RoadWarrior) type:

[Screenshot: IPCop - Connection Type]

Don’t forget to turn OpenVPN on in Step 5. :)

7. Download the OpenVPN client package (zip)

On the OpenVPN configuration page, after you have created a client connection profile, you will see the following icons next to it:

[Screenshot: IPCop - Download client package]

Click the multicolored icon to the left of the info icon, and save the zip file to somewhere. You’ll need to get this file to the client/remote computer (e.g. via USB drive or email).

8. Load the OpenVPN GUI client

Download the OpenVPN GUI for Windows and install it on your client computer.

[Screenshot: OpenVPN GUI for Windows]

Installation docs are available, but there’s not much to do other than walk through the installer.

After it is installed, you’ll have the following icon at the bottom of your screen:

[Screenshot: OpenVPN Client icon]

9. Unzip OpenVPN client package

Take the client package that you saved in Step 7 and unzip the contents into your OpenVPN client config directory. That is probably located at: C:\Program Files\OpenVPN\config.

10. Connect to the VPN

Make sure that OpenVPN is running on the ipcop box, and that you are connected to the Internet.

Right-click on the OpenVPN icon and click Connect:

[Screenshot: OpenVPN connection]

Note that if you did not install the client package correctly in Step 9, you will not have that option available.

Enter the password that you set in Step 6, and you should be connected! You will get assigned an IP address in the 10.241.239.0 range by default.

[Photo: Matt does some testing]

Once you have an IP, you’ll be able to access all the resources on the LAN (e.g. Samba shares).

Thanks go to Matt and Fuzzie for all their help with config and testing.

Update: Heh! Getting some linkage from Digg right now…

Corrections/Addendum:

  1. If you are using Windows XP and get a WSAEADDRINUSE error when you try to connect the VPN, add the “nobind” keyword to your client config and save it. That should fix it.
  2. If you are trying to connect to the Blue interface on IPCop you’ll need to edit your OpenVPN client config. Comment the first remote line and uncomment the one for the internal IP address of the Blue interface:

    #remote serpent.thinkhole.org 1194
    remote 192.168.2.1 1194

    That should fix it.

  3. If you are using a client (usually on Linux) and getting lots of dropped connections and ping timeouts, try switching from UDP to TCP. You’ll need to change it in IPCop and then edit the “proto” line in the client config. Seems to have fixed it for me.
  4. Need an OpenVPN for OSX? Check out Tunnelblick.
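
The three client-config edits in the list above (add nobind, swap the remote line for the Blue interface, change proto), as an added example that is not part of the original post or the ZERINA project: a small Python helper that applies them to an exported .ovpn profile and can be re-run safely. The sample profile, its pkcs12 filename and the fix_profile function are my own constructions; the hostname and Blue address are the ones quoted in the list.

```python
import re

# Constructed sample resembling a ZERINA-exported client profile (not real output);
# the hostname and the Blue address are the ones quoted in the Corrections list.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote serpent.thinkhole.org 1194
#remote 192.168.2.1 1194
resolv-retry infinite
pkcs12 user-TO-IPCop.p12
verb 3
"""

# Matches an active or commented-out "remote <host> <port>" line.
REMOTE_RE = re.compile(r"^(#?)\s*remote\s+(\S+)\s+(\d+)")

def fix_profile(text, nobind=False, blue_ip=None, use_tcp=False):
    """Apply the HOWTO's three client-side corrections; safe to run repeatedly."""
    lines = text.splitlines()
    # Correction 1: on Windows XP, stop the client binding a local port (WSAEADDRINUSE).
    if nobind and not any(l.strip() == "nobind" for l in lines):
        lines.append("nobind")
    # Correction 2: comment out the public remote, uncomment the Blue-interface one.
    if blue_ip:
        port, found = "1194", False
        for i, line in enumerate(lines):
            m = REMOTE_RE.match(line)
            if not m:
                continue
            commented, host, port = m.groups()
            if host == blue_ip:
                lines[i] = "remote %s %s" % (host, port)
                found = True
            elif not commented:
                lines[i] = "#" + line.lstrip()
        if not found:  # profile had no Blue line at all: add one on the same port
            lines.append("remote %s %s" % (blue_ip, port))
    # Correction 3: after switching IPCop's server to TCP, the client must match.
    if use_tcp:
        for i, line in enumerate(lines):
            if re.match(r"^\s*proto(\s|$)", line):
                lines[i] = "proto tcp"
                break
        else:
            lines.append("proto tcp")
    return "\n".join(lines) + "\n"
```

Run it over the unzipped profile from Step 9 and write the result back before reconnecting; the default ZERINA server-side settings are untouched, so only change proto here if you also changed it in IPCop.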

135 Responses to “HOWTO: IPCop-OpenVPN”

  1. Sverre 2 February 2008 at 6:40 am

    Followed your guide, works very well, look forward to seeing how well it copes under full load. Thanks for a good guide!

  2. Greg 2 March 2008 at 12:50 am

    Hi, great tutorial. I was able to get the VPN to connect. For some reason I cannot ping anything in my green network other than the Green interface on ipcop. From inside my green network I cannot ping the VPN interfaces. I tried everything I could think of to get access to my green network but nothing works from the VPN. It connects but I can’t access anything: remote desktop, web, ftp, ping, drive shares, etc. Is there something I could be missing? I have used OpenVPN with my Endian firewall and it works a bit differently, but still the same idea. I can’t seem to get it to work with IPCop and Zerina. Any suggestions would be much appreciated. Thanks!

  3. Ben May 5 March 2008 at 8:10 pm

    Great tutorial, very helpful!! THANKS

  4. Dan 17 March 2008 at 12:47 pm

    Hi all. This works great but I am having an issue….. I have a Green-Red setup and running OpenVPN. I can connect to IPCop from a client PC and even ping the internal IP address of IPCop. However, I can’t ping the server or any other item on the network.

    Any help would be appreciated……

    Thanks.

  5. Darshan 17 March 2008 at 10:07 pm

    Hi,
    Did you add a push “route ip address mask” statement to your server.conf?

  6. knarF 17 March 2008 at 10:38 pm

    Dan:
    I got the same issue here, but I can’t solve it :(
    If someone has fixed this, please post it.

  7. Wirgo 7 April 2008 at 1:54 pm

    My VPN is working correctly, but I have a problem with the client netmask. It is 255.255.255.252 and I would like it to be 255.255.255.0. I can’t find where to change this setting. Thanks

  8. Meissen 16 April 2008 at 3:40 pm

    Great VPN HOWTO, everything works fine.

    Thanks.

  9. trevor 21 July 2008 at 6:38 pm

    Tried this thing but nothing works using putty and winscp403; the only command that worked is mkdir zerina. I am using ipcop 1.4. I am able to putty and scp into the ipcop box but your commands do not work and I am not sure which ones to use – please help

  10. sippy 3 October 2008 at 7:07 am

    Doesn’t work for any version of IPCop > 1.4.18

  11. sippy 3 October 2008 at 9:47 am

    That is, unless you uncomment the version check. Then it works perfectly!

  12. dippy 31 January 2009 at 5:59 am

    How do you uncomment the version check??

  13. nishad 31 January 2009 at 6:11 am

    Add routes to the servers using the Green interface of IPCop as the gateway. It’ll work.

  14. Ken 15 February 2009 at 11:35 am

    Has anyone tried to get OpenVPN to work with Smoothwall? Is it the same?

  15. Bender-420 5 March 2009 at 10:56 pm

    I am new with the VPN thing, but the instructions here and the Zerina site were great… till I got to the last step.

    I get to the last steps and am able to connect the client to the VPN server, but I am not able to see anything but the virtual subnet that OpenVPN created.

    I don’t know if there is a line of code missing in the most recent version, but there is no NAT or PROXY options available in the GUI.

    I have tried appending rules within iptables, but nothing I do seems to make it able to see the Green network.

    Any ideas? I am starting to pull my hair out.

    Bender

  16. Pieter 6 May 2009 at 5:13 am

    I want to install a new IPCop box with OpenVPN in our network. We have a Cisco 877W ADSL router with NAT enabled. The ISP does not allow us to change or even look at the settings. Now obviously double NATting will be performed.
    To get the RoadWarrior VPN going, will the solution be as simple as just opening port 1194 on the Cisco router and disabling NAT? How will the Red interface be configured, with the private or public IP address?

  17. Danur 7 November 2009 at 7:29 am

    I’ve installed IPCop 1.4.21 and Zerina OpenVPN. I created a Roadwarrior client and can connect, but it can’t recognize the server behind the Green interface. I also made a Net-to-Net but they can’t connect to each other. Can anyone please give suggestions for troubleshooting? Thank you.

  18. Mirko 13 January 2010 at 5:39 am

    Hi all,
    I have the same problem that Dan had on 17 March 2008 at 12:47 pm.
    From the VPN client I can reach ipcop but not any LAN host.
    For example I can reach the server that has the address 10.7.0.1 but not an internal host with address push 192.168.0.1.
    The GREEN address of ipcop is 192.168.0.253/255.255.255.0.
    I tried to add “route 192.168.0.0 255.255.255.0” to /var/ipcop/ovpn/server.conf but I have the same problem.
    Did somebody solve it?

  19. Mike 18 January 2010 at 7:45 pm

    They glossed over the Advanced Server Options button on the OpenVPN page. On this page are options to push down information to the VPN client such as domain and DNS information.

    When I first set this up, I thought I couldn’t get out to the internet. After troubleshooting, I saw that I could get pages via IP but not by name. I added IPCop’s internal address to this page and restarted the server, and my internet access is back :-)

  20. Magnus Wedberg 2 February 2010 at 11:30 am

    Everyone has the same problem :-) For OpenVPN that seems to stop at the router, add

    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A INPUT -i tap+ -j ACCEPT
    iptables -A FORWARD -i tap+ -j ACCEPT

    to /etc/rc.d/rc.local, or rc.firewall.local, or another start script of choice.
