HOWTO: IPCop-OpenVPN

I’m a huge fan of IPCop. It’s a great firewall distro that makes administration a snap using a slick web interface. My goal was to use IPCop and an easy-to-use VPN client to allow access to my LAN while away from home.
I ended up going with the ZERINA OpenVPN addon for IPCop and the OpenVPN GUI for Windows.
If you’ve ever wanted full, secure, encrypted access to your LAN from any remote location, here is your guide.
Just follow these ten easy steps…
IMPORTANT UPDATE: Newer versions of both IPCop and ZERINA (new URL!) have been released since I wrote this HOWTO. You will need to go to each of their respective websites and use the latest version of each to make this work. Ignore the version numbers and/or links given below. You need the latest version of each package!
1. Install IPCop
Download, install, and configure IPCop. Remember that it’s a full distro, so you need a dedicated box to be able to run it. But the good thing is that you barely need any processor power or RAM to make it work. I’m currently running mine on a Celeron 433 box with 32MB (yes, megabytes) of RAM. The CD installer really holds your hand and makes it quite easy, but you may want to check out my Building an IPCop Firewall presentation that I gave at CPLUG back in May 2005.
The OpenVPN addon requires the latest version of IPCop, but since you apply security patches as they come out you don’t have to worry about that… right? Right.
Also, I added a line for the IPCop box to /etc/hosts on my other hosts.
$ grep ipcop /etc/hosts
192.168.1.2 ipcop
So from here on, I’ll be referring to it by its hostname of ipcop.
2. Enable ssh access on the IPCop box
Point your browser at your IPCop box, usually at https://ipcop:445 and go to System and then SSH Access. Check the boxes for “SSH Access”, “Allow password based authentication”, and “Allow public key based authentication” and then press the Save button.

3. Download and scp the OpenVPN addon
While IPCop does come with a built-in VPN server, by using OpenVPN you will be able to use the nice GUI clients that are available for it. So download the ZERINA installer and save it to one of your boxen other than the IPCop box. I recommend using wget.
Next, scp the file to your ipcop box:
$ scp -P 222 ZERINA-0.9.3b-Installer.tar.gz root@ipcop:
root@ipcop's password: *********
ZERINA-0.9.3b-Installer.tar.gz 100% 327KB 326.5KB/s 00:00
Please note that the version numbers in the listing above and throughout this HOWTO were current as of the writing of this page. However, newer versions have been released since that time. Please be sure to use the latest versions of all packages as you follow along.
4. Unpack and install the OpenVPN addon
First, ssh into the ipcop box:
$ ssh -p 222 root@ipcop
Make a directory in which to unpack the addon and move the tar file into there:
root@ipcop:~ # mkdir zerina
root@ipcop:~ # mv ZERINA-0.9.3b-Installer.tar.gz zerina
root@ipcop:~ # cd zerina
root@ipcop:~/zerina # tar -xzvf ./ZERINA-0.9.3b-Installer.tar.gz
You should now have the following files:
root@ipcop:~/zerina # ls
_GPL  library.addons  _README  updatefiles  install  patch.tar.gz  uninstall
Now run the installation script:
root@ipcop:~ # ./install
The addon is now installed.
5. Create a configuration file
This is an important step. Do not skip it.
Point your browser at https://ipcop:445/ and go to the VPNs tab and then OpenVPN. Hit the Advanced Server Options button. Without making any changes to the options, hit the Save button.
6. Follow the OpenVPN/ZERINA HOWTO
There is no sense in me repeating the extremely clear and helpful howto at the ZERINA site. Go there and carefully walk through each of the steps. Along the way you will generate your certificates and create a new connection profile for a user.
If you follow the directions, you’ll end up with both a Root Certificate and a Host Certificate. You will also have a connection certificate that you will need to put on the client/remote PC, and you’ll end up setting the password for the client/connection. Make sure it is the Host-to-Net Virtual Private Network (RoadWarrior) type:

Don’t forget to turn OpenVPN on in Step 5 (OpenVPN Server Start) of the ZERINA HOWTO. :)
7. Download the OpenVPN client package (zip)
On the OpenVPN configuration page, after you have created a client connection profile, you will see the following icons next to it:

Click the multicolored icon to the left of the info icon, and save the zip file to somewhere. You’ll need to get this file to the client/remote computer (e.g. via USB drive or email).
8. Load the OpenVPN GUI client
Download the OpenVPN GUI for Windows and install it on your client computer.

Installation docs are available, but there’s not much to do other than walk through the installer.
After it is installed, you’ll have the following icon at the bottom of your screen:

9. Unzip OpenVPN client package
Take the client package that you saved in Step 7 and unzip the contents into your OpenVPN client config directory. That is probably located at: C:\Program Files\OpenVPN\config.
10. Connect to the VPN
Make sure that OpenVPN is running on the ipcop box, and that you are connected to the Internet.
Right-click on the OpenVPN icon and click Connect:

Note that if you did not install the client package correctly in Step 9, you will not have that option available.
Enter the password that you set in Step 6, and you should be connected! You will get assigned an IP address in the 10.241.239.0 range by default.

Once you have an IP, you’ll be able to access all the resources on the LAN (e.g. Samba shares).
Thanks go to Matt and Fuzzie for all their help with config and testing.
Update: Heh! Getting some linkage from Digg right now…
Corrections/Addendum:
If you are using Windows XP and get a WSAEADDRINUSE error when you try to connect the VPN, add the “nobind” keyword to your client config and save it. That should fix it.
If you are trying to connect to the Blue interface on IPCop you’ll need to edit your OpenVPN client config. Comment out the first remote line and uncomment the one for the internal IP address of the Blue interface:
#remote serpent.thinkhole.org 1194
remote 192.168.2.1 1194
That should fix it.
If you are using a client (usually on Linux) and getting lots of dropped connections and ping timeouts, try switching from UDP to TCP. You’ll need to change it in IPCop and then edit the “proto” line in the client config. Seems to have fixed it for me.
Need an OpenVPN for OS X? Check out Tunnelblick.
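The three corrections above (nobind, the Red/Blue remote-line swap, and the proto change) applied to a client config by script, as an added example that is not part of the original post. It assumes the config exported by the addon keeps the post’s remote lines and the Blue address 192.168.2.1; the sample config and the check function are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): apply the Addendum's corrections
# to an OpenVPN client config exported by the ZERINA addon, then verify it.
# Assumption: the file uses the same "remote"/"proto" lines as the post; the
# hostname, Blue-interface address and port are the post's own values.
set -eu

# Constructed sample config, modelled on the client config a commenter posted.
SAMPLE_CONF='client
dev tun
proto udp
remote serpent.thinkhole.org 1194
#remote 192.168.2.1 1194
pkcs12 user.p12
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server'

# fix_client_conf FILE TARGET PROTO
#   TARGET  red  : keep the public (Red) hostname active, comment out the Blue line
#           blue : comment out the public line, uncomment the Blue-interface line
#   PROTO   udp|tcp : must match what was selected in the IPCop web interface
# Also appends "nobind" once (the Windows XP WSAEADDRINUSE workaround).
fix_client_conf() {
    conf=$1 target=$2 proto=$3
    awk -v target="$target" -v proto="$proto" '
        BEGIN { want_blue = (target == "blue") }
        /^proto / { print "proto " proto; next }
        /^#?remote / {
            line = $0; sub("^#", "", line)          # normalise to uncommented form
            is_blue = (line ~ /^remote 192\.168\.2\.1 /)
            if (want_blue == is_blue) print line; else print "#" line
            next
        }
        /^nobind$/ { seen_nobind = 1 }
        { print }
        END { if (!seen_nobind) print "nobind" }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# check_client_conf FILE : succeed only if nobind is present and exactly one
# remote line is active, the state the Addendum describes as working.
check_client_conf() {
    conf=$1
    grep -q '^nobind$' "$conf" || return 1
    [ "$(grep -c '^remote ' "$conf")" -eq 1 ]
}

# demo TARGET PROTO : write the sample config, fix it, print the result.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$f"
    fix_client_conf "$f" "$1" "$2"
    cat "$f"
    rm -f "$f"
}

demo blue tcp
```

Running it a second time with different arguments is safe: the remote lines are re-toggled and nobind is not duplicated.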
This entry was posted on Tuesday, March 28th, 2006 at 9:37 pm and is filed under HOWTO, Linux, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
117 Responses to “HOWTO: IPCop-OpenVPN”
Matt Says:
March 28th, 2006 at 10:47 pm
Wow. I’m famous!
AlbanyWiFi.com » Blog Archive » IPCop-OpenVPN HOWTO Says:
March 29th, 2006 at 6:49 pm
[…] thinkhole.org/wp/2006/03/28/ipcop-openvpn-howto […]
Jeff Says:
March 29th, 2006 at 7:17 pm
Webserver was set to maxclients 20, I just raised it to 256, sorry anyone that had problems getting here!
John Says:
March 29th, 2006 at 7:42 pm
Thanks Jeff! You rule. :)
[GEEKS ARE SEXY] Tech. News Says:
March 29th, 2006 at 7:59 pm
Just one question: is this solution performant enough to handle 10’s of tunnels with heavy 3DES encrypted traffic? I’ve always used hardware solutions for my VPN implementations.. Usually Cisco PIXes with some integrated VPN acceleration hardware to handle big jobs..
So? :)
Kiltak
[Geeks Are Sexy] Tech. News
Rama Says:
March 29th, 2006 at 8:05 pm
VERY NICE!!!!!!!!!!!!
Thank you for posting
dennis Says:
March 29th, 2006 at 8:40 pm
Thanks dude,
Awesome walkthrough. I wanna try this at home now.
kud Says:
March 29th, 2006 at 9:19 pm
This is great, but is there any way you can use this also as an INTERNET GATEWAY - so you can access both your LAN and use the internet connection? I’m a roadwarrior and that’d be so great for me as everything I do on the internet would be encrypted. thanks!
John Says:
March 29th, 2006 at 9:39 pm
@Kiltak: I’m only using this for myself at home, so I haven’t personally done any scalability testing. But I do know that IPCop scales very well, and know a couple of people using it in rather large deployments (e.g. school districts). I would imagine ability to handle VPN traffic would depend on your hardware. Probably wouldn’t be so hot on my Celeron 433MHz IPCop box. :)
@Rama, Dennis: Cool! Glad you like it.
@Kud: By default the OpenVPN addon does not encrypt your other traffic. Personally, for web stuff I use a squid proxy at home and reroute everything through that. IPCop includes Squid as a bundled service, so that might be the easiest way.
Deep Says:
March 29th, 2006 at 10:21 pm
Great article…!!
Web 2.0 Watch » Blog Archive » IPCop-OpenVPN HOWTO Says:
March 29th, 2006 at 10:24 pm
[…] Very easy to follow! Check it out here! […]
Nick Stango Says:
March 30th, 2006 at 12:05 am
Awesome Tutorial. My place for STEAKS n’ BEER.
THANKS!!!!!!!!!
Bob Says:
March 30th, 2006 at 2:49 am
@Kud: I haven’t used OpenVPN within IPCop, but I’ve used OpenVPN standalone and you can configure it to push a default gateway to the vpn clients when they connect so that all of your normal web browsing gets sent through the vpn then out your connection back at home if you are on the road as you requested. I’m sure you can still do this when using it within IPCop, it just might require some manual config tweaks.
~*hArSeIsIs*~ Says:
March 30th, 2006 at 8:41 am
Great tutorial, but can this be used to connect to the lan & net through vpn from the blue interface?
Mike M Says:
March 30th, 2006 at 10:07 am
Great HowTo article!
Seems like everyone is on the OpenVPN and IPCOP kick these days :-)
ref:[1][2]
(Edited for formatting –JPM)
HOWTO: Setup your own VPN with IPCop and OpenVPN! at Morad’s Bloggie Says:
March 30th, 2006 at 1:01 pm
[…] You will be able to log into your network from anywhere. This is a great tutorial read more | digg story […]
BlackMacs Stuff Says:
March 30th, 2006 at 2:39 pm
Get OpenVPN running on IPCop…
Finally I found an easy tutorial on how to setup OpenVPN on IPCop - Hooray, now I can work on Sundays and at night… maybe not so great???
Check it out!…
John Says:
March 30th, 2006 at 5:15 pm
@hArSeIsIs: You can enable OpenVPN on Red or on Blue on the same configuration screen. I’ll probably end up enabling it on Blue soon, as that would be handy when I’m using the laptop/wireless.
@BlackMacs: Actually, this is to go from remote locations (including to work) to home, not from home to work. :)
Wilco Niessen dot com » Blog Archive » HOWTO: Setup your own VPN with IPCop and OpenVPN! Says:
March 31st, 2006 at 1:59 am
[…] read more | digg story […]
John Says:
April 2nd, 2006 at 12:47 am
Great instructions, however after I connect via OpenVPN I still cannot access any of the other systems on the network. I configured Blue to Green, Blue is 192.168.2.0/255.255.255.0, Green is 192.168.1.0/255.255.255.0. OpenVPN assigns an IP of 10.208.75.6. So, I don’t have any way of accessing the Green Network.
Any help will be greatly appreciated.
Thanks.
John Says:
April 2nd, 2006 at 9:25 am
@John:
That’s the same setup I have here (Green = 1.x, Blue = 2.x, VPN = 10.x.x.x), so it’s odd that it isn’t working for you.
I haven’t tried the VPN on blue yet myself though. But coming in from Red (external) does work from remote locations. I can try the VPN on blue tonight and let you know.
Are you sure you hit the checkbox to enable it on Blue and not just Red? :)
John Says:
April 2nd, 2006 at 8:58 pm
FYI: I just tried the instructions above on a Windows XP laptop going to the Blue (wlan) interface on my IPCop box. Turns out it doesn’t work. I had to add “nobind” to the configuration file, comment out the one remote line and uncomment the line for “remote 192.168.2.1”. After I did that it worked.
I’ll update the instructions above to reflect that.
Dallas H Says:
April 3rd, 2006 at 3:47 pm
One thing to point out is that if you have a connection name with spaces, the configuration editor changes these to dashes (when you download the zip file), which in turn does not work with the OpenVPN client software for Windows. Just remove the dashes and/or underscores and you shouldn’t have any other issues. Simple enough fix, but one for which I was unable to find information anywhere else on the web. Also, I’ve yet to see an issue with placing “standard” OpenVPN options in the config file for IPCOP (/var/ipcop/ovpn/server.conf). However, if you do make manual changes to the OpenVPN config file and they are not options in the web interface, make sure you don’t attempt to save from the web page as you will lose all of your additional configuration information.
IPCOP is a wonderful product and OpenVPN is a great product and add-on. Happy VPNing and firewalling. — Dallas
John Says:
April 4th, 2006 at 8:22 pm
@Dallas: Thanks for the tips! Good to know.
Chewy Says:
April 7th, 2006 at 4:30 pm
One thing I found when trying to access some file shares on my desktop which was running the XP firewall was that I had to change the scope of my file and printer sharing settings within the XP firewall. To change this all one needs to do is go to the Exceptions tab on the XP firewall and click “edit” for file and printer sharing. Then change the scope of each of the ports to a Custom type. Here is an example:
10.10.10.0/255.255.255.0,192.168.1.0/255.255.255.0
Where the first subnet is my Open VPN, and the second is my LAN.
Hope this helps a few other people!
bytemix » Blog Archive » IPCop+OpenVPN = Acceso externo seguro Says:
April 9th, 2006 at 9:35 am
[…] Enlace: IPCop-OpenVPN Howto […]
janishikari Says:
April 10th, 2006 at 5:03 pm
Hi,
I’m looking for help … I have configured the VPN as mentioned in the docs, but when I try to connect from the outside world it’s not allowing me … it shows me the UDP port is in use and it configures on my local Red IP address …
I want to get access from the outside world …
Please, can anyone help me out?
TWBowser Says:
April 11th, 2006 at 11:11 pm
I have ipcop with openvpn running (Red/Green configuration), I can create client to client connections on the vpn clients. I can access the ipcop server from the clients, after I added a route to the xp clients. But I cannot access the Green network from the VPN clients.
Is this possible? Any suggestions?
Fons Says:
April 12th, 2006 at 4:19 am
hello
I tried following the HOWTO
I get stuck on section 3, installing the ZERINA file to the ipcop box.
I constantly get error 503 service unavailable after connecting.
Can someone help me out on this?
regards Fons
Jim O’Halloran’s Weblog » Blog Archive » links for 2006-04-13 Says:
April 13th, 2006 at 5:19 pm
[…] IPCop-OpenVPN HOWTO Excellent article explaining how to set up IPCop and OpenVPN. Will need to do this soon, so this will help a lot. From the article: “I’m a huge fan of IPCop. It’s a great firewall distro that makes administration a snap using a slick web interface. M (tags: linux openvpn ipcop security) […]
William Says:
May 5th, 2006 at 10:53 am
“I have ipcop with openvpn running (Red/Green configuration), I can create client to client connections on the vpn clients. I can access the ipcop server from the clients, after I added a route to the xp clients. But I cannot access the Green network from the VPN clients.
Is this possible? Any suggestions? ”
I have a similar setup except I also have an orange network. When I VPN into the network I can access the IPCop management portal, but I am unable to access, or even ping, any of the servers on orange. Any advice???
Jose El Maestro Says:
May 5th, 2006 at 12:01 pm
Thanks so much for this cool howto. This is the best tutorial ever!!! I’m now up and running and I feel safer when I’m on the road knowing that I can VPN back home in a snap.
J Somadelis Says:
May 5th, 2006 at 2:30 pm
Hi,
I’ve just installed OpenVPN via the above instructions and had no problems, connected on the very first try. I can create a VPN connection to my office, MS domain setup, and then remote desktop to my pc. Works great. My problem is, if I VPN in, I can’t see any machines on the lan. I can ping by IP but not by name. I thought if I can ping by IP I would be able to map a share by IP, \\192.168.100.100\sharename, but I can’t. Is there something else I need to do on IPCop to make this work? Seems like for some people it works and others it doesn’t.
Thanks,
Jeff
» Digg Makes Australian News Says:
May 6th, 2006 at 1:28 pm
[…] Anything above that will get cropped off of the image. My goal was to use IPCop and an easy-to-use VPN client to allow access to my LAN while away from home. I ended up going with the ZERINA OpenVPN addon for IPCop and the OpenVPN GUI for Windows. Install IPCop Download, install, and configure IPCop. Download and scp the OpenVPN addon While IPCop does come with a built-in VPN server, by using OpenVPN you will be able to use the nice GUI clients that are available for it. Summary of: http://thinkhole.org/wp/2006/03/28/ipcop-openvpn-howto/ […]
J Somadelis Says:
May 9th, 2006 at 8:49 am
Solved my problem. I had to change the scope for File and Printer Sharing exception in the Windows XP firewall. Instead of my subnet only, I added a custom of, 10.167.167.0/255.255.255.0,192.168.100.0/255.255.255.0. Oops, I guess my answer was above. (Chewy April 7) Well I got some satisfaction from figuring it out myself. - jeff
Two Mad Geeks » Blog Archive » Setup your own VPN with IPCop and OpenVPN! Says:
May 10th, 2006 at 3:04 pm
[…] Link: import this […]
import this. » Blog Archive » HOWTO: Secure Firefox and IM with PuTTY Says:
May 10th, 2006 at 9:24 pm
[…] One of the best ways to secure your connection is to use a VPN, but that isn’t always practical. So here’s a way to securely connect to the net using only an SSH client and a remote box that you control/trust. […]
Len Says:
May 19th, 2006 at 8:53 am
This worked very nicely. Thanks! However…
If i tried to connect a 2nd vpn client to my ipcop box, it fails. And not only that, this attempt also resets the running connection on my first client.
Both clients have their own entries set up in IPCOP OpenVPN client settings.
I connect from work LAN (which i assume is behind some sort of f/w and NAT infrastructure) to my home network running ipcop. Both clients are on the same work LAN subnet. It appears that both can connect, just not simultaneously.
After 2nd connection is rejected, there is a brief period while neither clients can connect. It soon returns to its normal state after a minute or two.
Is this weird? Or a known thing with my setup?
Is there a workaround?
zean.no-ip.info » HOWTO: Secure Firefox and IM with PuTTY Says:
May 22nd, 2006 at 9:54 pm
[…] One of the best ways to secure your connection is to use a VPN, but that isn’t always practical. So here’s a way to securely connect to the net using only an SSH client and a remote box that you control/trust. […]
vicky Says:
May 23rd, 2006 at 9:19 pm
Sorry for being off topic, but maybe it’s about gaming in OpenVPN.
I use OpenVPN and play Call of Duty 2.
When I play CoD2 my OpenVPN drops in a few minutes, but my static IP is still connected in the network and still able to ping the IP when the OpenVPN server is running.
I tried different methods in OpenVPN: using UDP and TCP, using comp-lzo and not.
But still had the same problem. Anyone have the same trouble?
Or advice?
Chris Sait Says:
June 18th, 2006 at 11:13 am
Great stuff - works fine. Doesn’t work with Block-Outgoing-Traffic though. any ideas on how to get around this?
Chris Sait Says:
June 18th, 2006 at 5:53 pm
d’oh! I created a rule to allow GREEN access to a private network - bingo!
Great how-to btw. Thanks and keep up the good work.
Dale Says:
July 3rd, 2006 at 1:22 pm
Is it possible to connect to the VPN through a browser (like VNC)?
Thanks
Dale
Uris Says:
July 3rd, 2006 at 8:43 pm
I have setup vpn connections between 2 sites (net-to-net). I can ssh between both sides with no problem; however, I can’t access my webservers. I currently have the servers on the green LAN, and I plan to move them to the red LAN sometime in the future. I’m in the testing phase at the moment and I’m new to vpn.
Anyone has any ideas??
omichaux Says:
July 14th, 2006 at 5:30 am
Hello,
for people having trouble with VNC / or TSE through OpenVPN, add
mssfix 1200
fragment 1200
in your config file and try again. This should correct the problem.
neno Says:
July 17th, 2006 at 3:47 pm
I have a simple IPCop, 1 red, 1 green, 1.4.10. OpenVPN config went fine. On the PC client (WinXP SP2), I have the connected sign and an IP address but cannot ping anything behind IPCop. I don’t even know the new IPCop address; the range is 10.0.10.0. Any idea?
Robbie Says:
July 20th, 2006 at 4:32 pm
Is there a way of fixing a VPN IP address to a specific user? So when this user logs in via VPN, he will always get the same VPN IP.
Greener Says:
July 28th, 2006 at 1:21 pm
Worked great, running on two production IPCOPs. Also, found out that it is possible to connect to two different IPCOP vpns at the same time. For example, if you want to connect to two different office sites.
first, add another virtual ethernet adapter
second, edit the config for the second connection and add port 1195
third, make sure you have both cert keys in the config folder
Thanks for the tutorial!
Jonathan Says:
August 2nd, 2006 at 2:50 pm
Just a quick FYI:
Although the site you link (http://home.arcor.de/u.altinkaynak/openvpn.html) references Zerina 0.9.3b, the new site (http://www.zerina.de/) details that .4b is available.
Apart from that, thanks a million for some really useful instructions! I got mine and my dad’s ipcop boxes serving vpns in under an evening! :-)
Cheers!
Jonathan
Nadin Says:
August 4th, 2006 at 6:46 pm
I think if I modify the server.conf and change the “push” command to give the ip/subnet of my orange network, it will restrict access to the vpn clients into my orange network (which is what I want). However is it possible to have another instance running where I can still have vpn access (for me) into my green network?
David Killingsworth Says:
August 21st, 2006 at 7:16 am
You specify to check password based authentication 2 times, during SSH setup, one should be public key as the check box notes.
John Says:
August 26th, 2006 at 8:05 am
@Green: Cool! Nice tip.
@Jonathan: Yes, there is a newer version of Zerina available. You should definitely use that one instead. In general, when using a HOWTO, it is best to confirm that you are using the latest version of all software mentioned.
@David: Thanks for the catch. I fixed it.
Mick Says:
August 27th, 2006 at 8:33 pm
Oops, doesn’t work with ipcop 1.4.11
Signal64 Says:
August 29th, 2006 at 3:48 am
Just a quick tip and question.
If you update IPCop to 1.4.11 you’ll need to update Zerina to 0.9.4c (on their website).
Question:
I have a RED+GREEN+BLUE setup and have OpenVPN on BLUE.
Everything is working except being able to browse shares on BLUE from GREEN (Looking at shares on GREEN from BLUE is fine). Both clients are WinXP.
Before trying OpenVPN, I was trying to use DMZ Pinholes (now turned off) between BLUE and GREEN which got me the ability to see the share, so I know it can work. Windows Firewall is off on both clients at the moment.
Any ideas?
David Says:
August 30th, 2006 at 1:38 pm
Great article. Loaded OpenVPN on my IPCOP. Thanks!
I can connect with OpenVPN on my Green Network. (I do not have access to a second outside network at moment).
OpenVPN connects to IPCop. No errors.
I can not ping the IPCop nor can I surf the internet through the VPN tunnel.
this is my client config:
#OpenVPN Server conf
tls-client
client
dev tun
proto udp
tun-mtu 1400
float
remote rapheal.homeip.net 1194
pkcs12 DCG.p12
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server
this is my IPCONFIG
Ethernet adapter NVIDIA Ethernet:
Connection-specific DNS Suffix . : rapheal.homeip.net
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-01-80-60-4C-DD
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.115
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Wednesday, August 30, 2006 2:34:13 PM
Lease Expires . . . . . . . . . . : Wednesday, August 30, 2006 3:34:13 PM
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-A9-BA-F0-B8
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.203.60.6
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 10.203.60.5
DHCP Server . . . . . . . . . . . : 10.203.60.5
Lease Obtained. . . . . . . . . . : Wednesday, August 30, 2006 2:37:19 PM
Lease Expires . . . . . . . . . . : Thursday, August 30, 2007 2:37:19 PM
What am I missing here?
Linux Unix » HOWTO: Setup your own VPN with IPCop and OpenVPN! Says:
September 1st, 2006 at 4:20 am
[…] This is a great little tutorial for anyone looking to set up a vpn through the linux based IPCop firewall. A must read! read more | digg story […]
Carlos Bracho Says:
September 1st, 2006 at 9:19 am
Great tutorial… I have been using IPCop for two months and I applied the ZERINA addon immediately… it works well, and all the external users are happy using it. But I have a tiny problem: even when OpenVPN is running and the users access the LAN (green network), the IPCop OpenVPN page shows the client status as closed. Why does it not show open or something like this??
Regards and thanks for the tutorial
Luciano Says:
September 30th, 2006 at 1:41 am
Hello, I modulate of high rail of using of I am of native of VPN of IPCOP. I have created a connection RoadWarrior and configured TauVPN in my Notebook. I have problems to connect me from hotels, airports and cybers that filter the ports 4500 and 500 or they don’t have them open. The consultation is: will I solve these inconveniences using OpenVPN?? Comments of their of I wait.
Thank you.
Luciano
mario Says:
October 3rd, 2006 at 11:01 am
A question:
when i try to connect from a client with openvpn to an ipcop server with openvpn module, appears to me the message: udp link remote 10.100.100.115 (red interface on ipcop) and it remain in this state.
But…how the client knows the public ip of the router connected to ipcop?
mario Says:
October 3rd, 2006 at 11:06 am
the message is:
Tue Oct 03 18:04:44 2006 TCP/UDP: Incoming packet rejected from 10.100.100.116 (GREEN INTERFACE) :1194[2], expected peer address: 10.100.100.115:1194 (RED INTERFACE) (allow this incoming source address/port by removing –remote or adding –float)
Ruben Says:
October 13th, 2006 at 1:27 am
Thanks a lot this tutorial helped a lot, but i still have a problem…
after connecting to my VPN I can’t even ping the Server 2003 that is behind IPCop… Any ideas?
Thanks a lot
angelo Says:
October 17th, 2006 at 10:05 am
i’ve installed the zerina open vpn as per step-by-step instructions. I’ve also generated a certificate but the OPEN VPN Server is still saying that it is STOPPED. I can’t seem to get it to run. Can anyone please help.
thank you.
Rolf Says:
October 17th, 2006 at 5:47 pm
A great guide.
But when i try to connect, I get this message.
“Unable to connect because your certificate is not yet valid. Check that your time is correct.”
I have checked the time and it is the same on both sides.
In the .zip file there where 1 config file and 1 certificate file.
What can be wrong?
Thanks.
John Says:
October 17th, 2006 at 11:29 pm
@Ruben
No idea.
@Dale
OpenVPN and VNC are two totally different things. But you could certainly connect to a VNC server over the VPN if you want. That’s a common application.
@angelo
Please see Step 5: OpenVPN Server Start in the Zerina HOWTO. You need to start OpenVPN before you can use it.
John Says:
October 18th, 2006 at 9:37 am
@Rolf:
Please check the time on both systems (client and server) again to ensure that they are both correct. Then re-generate the root and host certificates.
Some related info may be in the openvpn.se forums.
John Says:
October 18th, 2006 at 9:40 am
@Signal64:
Browsing Samba shares may be problematic over OpenVPN. Part of it may be due to using a netmask of 255.255.255.255 while trying to use broadcast.
I’ve found that if you use the IP of the host rather than the name (e.g. use \\192.168.1.2 rather than \\servername) it works just fine.
Hopefully that helps.
PS. This assumes you have Samba configured correctly to allow hosts from the 10.x.x.x range.
Chad Says:
November 2nd, 2006 at 8:00 pm
Great article…!
This sounds good as I want a solution to secure wireless at home without having to resort to WPA-PSK and associated ping drops/reduced performance. (ie. Run wireless open with VPN from blue to green)
However, your comment 29th March …
‘@Kud: By default the OpenVPN addon does not encrypt your other traffic…’
has caused me some concern! Does the OpenVPN addon only use encryption to authenticate clients? and then the rest of the traffic through the tunnel is unencrypted/plaintext?
I am v. new to VPN, so sorry if that question is defamatory to my intelligence!
Thanks for your time.
John Says:
November 2nd, 2006 at 8:12 pm
@Chad:
Using a VPN is a good way to keep your wireless network secure. That’s personally how I am currently set up. The only access allowed from my Blue network (wireless) to the Green network (LAN) is via VPN.
What I meant by my comment was that using the VPN will only encrypt the traffic from Blue <--> Green. If you browse the web from the Blue network, it won’t be encrypted, as that would be going from Blue <--> Red.
To solve that, you can enable a proxy on your Green network, and route the traffic there. But even then, your DNS queries will still probably go out unencrypted over Red unless you use something like Privoxy.
Hopefully that helps.
- J
Tom NS Says:
November 9th, 2006 at 10:28 am
Hi There,
I just noticed that after a vpn session connects my DHCP server stops running
and doesn’t seem to restart again.
Anyone else had the same issue ?
Thanks
Tom
EvylRat Says:
November 13th, 2006 at 7:53 am
This is great! It works fine (until I messed some settings up). Thanks for such a simple tutorial.
BUT, I’ve still got a few questions. I’d like to use this setup for online gaming, as an alternative to Hamachi. Here’s my setup on the Green network:
IPCOP : 192.168.1.1
SERVER : 192.168.1.9
GAMES PC : 192.16.1.10
I setup Zerina as per tutorial, so the VPN network is on 10.0.10.0
I’d like for friends to be able to VPN in and all of us be seen on same network.
Like Mario, I get the following message (similar) when trying to connect to VPN from my GAMES PC
“Tue Oct 03 18:04:44 2006 TCP/UDP: Incoming packet rejected from 10.100.100.116 (GREEN INTERFACE) :1194[2], expected peer address: 10.100.100.115:1194 (RED INTERFACE) (allow this incoming source address/port by removing –remote or adding –float)”
Advice please!
Rich
Nick Says:
November 14th, 2006 at 1:37 pm
I’ve been struggling with ipcop and openvpn for about 24 hrs now. I was able to make the connection and was able to ping the gateway, just couldn’t talk to anything past the gateway. It really didn’t make any sense to me so I googled and googled and googled. Finally I have an answer that works. Apparently this is a big problem for a lot of people and nobody ever posts the “answer”. Heck, just in this blog several people suffer the same problem.
The Setup
My Laptop (192.168.1.100) ==> Linksys Router (LAN 192.168.1.1 / WAN 68.13.33.194) ==> Internet
Internet ==> IPCOP (WAN 85.1.33.14 / LAN 10.0.1.1 / OPENVPN 10.0.2.0/24)
ETH0 - 10.0.1.1
ETH1 - 85.1.33.14
Just by typing this in at the command prompt in IPCop I was able to ping everything behind the gateway(IPCOP).
iptables -t nat -A CUSTOMPOSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE
Where 10.0.2.0 is your OpenVPN Network Information.
Rajesh Says:
November 15th, 2006 at 5:44 am
Hi,
We have two offices protected with IPCop. I have installed OpenVPN on both sides. If I am out of the office and try to access the VPN it is working excellently. If I am inside the office I am not able to connect to the other office’s VPN? Please suggest to fedorahacker@gmail.com
Thank you.
Regards.
Hacker.
Dale Says:
November 26th, 2006 at 6:17 pm
I was hoping to test this as it looks very good, but can’t get through to the zerina web site. It’s pingable but the web pages do not come up so I can DL the IPCOP plugin.
Is it permanently down?
Thanks
Dale
John Says:
November 27th, 2006 at 7:50 pm
Dale:
No idea. I can’t reach the site either. I doubt that it is “permanently” down, but it does seem they are having some rather serious connectivity issues.
- JPM
Shap Says:
December 15th, 2006 at 12:01 pm
Since you have this installed, I’m curious: can OpenVPN on the ipcop machine act as a *client*? I’m looking for this because I want to build a tunnel to my colo box at softlayer, and they have a scheme for connecting in to their administration network using either PPTP or SSL-based vpn. If I can use OpenVPN as an SSL-based vpn, that would be very helpful.
Marcus Says:
December 15th, 2006 at 6:40 pm
Hi,
has anyone figured out a way to configure ZERINA (or IPCop) in a way that any traffic from the green side gets routed back to the road warrior without having to set the routes in the green network? I mean, the IPCop is not necessarily the default router. The problem would not arise if ZERINA would NAT the traffic from the road warrior, i.e. make it appear to come from the IPCop and not from the tunnel.
jags Says:
January 9th, 2007 at 6:01 am
I am using IPCop. I have a few questions about VPN and proxy.
About VPN… is there a limit on the number of clients that can connect simultaneously to the IPCop? If yes, can we increase it, and how?
I am using the IPCop proxy and along with it I am using the Squid proxy for web filtering. Firstly, the internet speed has gone slow. Second, I have to put the internet gateway in the IP settings to access email (which I need to connect to a POP account). Is there a way to configure the proxy in such a way that the email traffic also uses the proxy settings?
If not, is there a way to restrict users from using the internet gateway for internet access, as it will not filter the traffic for content filtering or web filtering….
I hope you understand.
jake Says:
January 11th, 2007 at 1:14 pm
Now can you do the same magic trick for Mandriva Linux 2007 Power Pack….??????
EvylRat Says:
January 20th, 2007 at 11:54 am
Just installed the latest Zerina, all working great.
Got some more questions about using this OpenVPN.
Scenario: My sister is on an unsecured wireless network, ouch! (brand new, fitted last week).
I’ve got her setup on OpenVPN, she can connect to my router OK, and can Ping it, and I can Ping her.
How can she use my proxy to browse the web and use messenger, so it’d be secure over the OpenVPN connection?
jags Says:
January 24th, 2007 at 7:18 am
evylrat,
Are you using two separate PCs, one where you have installed IPCop and another from which you are pinging your sister’s PC?
If this is the scenario, then ask her to ping the IPCop machine. If she can do that, all she is required to do is put the proxy setting in Internet Explorer and use port 800. Also you have to activate the proxy of IPCop.
let me know if you have doubts.
jags
EvylRat Says:
January 25th, 2007 at 9:00 am
Thanks for the reply jags. I started off by trying the proxy, thinking it’d be that simple. Just tried again and got a partial result…
It’s talking to IPCOP, but the web browser returns “Access Denied” from IPCOP, rather than the webpage. I’m still running the standard proxy.
EvylRat Says:
January 25th, 2007 at 9:05 am
I’m going to look at this link later…
http://tinyurl.com/ynlbfc
“Proxy - Access denied”…
EDIT: Ran URL through TinyURL to fix formatting. -JPM
Pat Says:
January 25th, 2007 at 11:03 am
I am using IPCop and OpenVPN over Blue and Red for my office. I have been able to set up 2 RoadWarrior systems, one being my computer at home, the second being a portable. For the portable, I generated 2 certs, and edited the remote IPs accordingly. It works great on both machines, and even the portable’s 2 connections work perfectly.
Here is my problem: Every other computer (Very similar to the working portable, with XP Pro Sp2) I try to set up the connection on complains with the following line:
TLS Error:TLS Key Negotiation failed to occur within 60 seconds
Does anyone have any insight on this error? Help!!!
EvylRat Says:
January 26th, 2007 at 4:53 am
For the Proxy “Access Denied” problem, install Advanced Proxy on IPCOP, and there’s a field in the settings page that allow you to enter the VPN subnet mask into the proxy to allow it. Works great!
John Says:
February 5th, 2007 at 10:25 pm
Hi, I just installed this on my ipcop using your very detailed instructions. Everything worked great, thank you very much. But when I installed the openvpn gui on a second PC in the blue zone, it created a conflict with the first PC in the Blue zone. Every 60 seconds or so, the PCs would drop their network connections - “Local Area connection cable unplugged” alternating between PCs.
Do I need to create a unique host certificate for every PC on the blue interface?
John Says:
February 5th, 2007 at 10:26 pm
I should have also stated above, that when I disable the vpn connection on one of the PCs everything works fine again.
John Says:
February 5th, 2007 at 10:49 pm
@John:
I think you need to make a new cert for each host if you want them to connect at the same time. If you don’t want them to connect at the same time, you can probably use the same one.
I could be wrong. :)
John Says:
February 6th, 2007 at 12:59 am
I think I have solved my problem with duplicate clients connecting simultaneously. I checked the log files for openvpn and it pointed me in the direction of the duplicate cn option for allowing more than one client connection at a time.
I edited the file /var/ipcop/ovpn/server.conf (I couldn’t find this option via the web config) and added a line “duplicate-cn” without quotes and restarted the openvpn server. Everything has been working good so far.
I apologize if this is obvious, but I couldn’t find this easily online. I can’t believe I didn’t implement openvpn sooner. Thanks again for your howto.
Fred Says:
February 23rd, 2007 at 3:03 pm
Hi, I’ve been running several OpenVPN (zerina)/IPCop sites for about 6 months. What a great system! But I’ve discovered that the Enable/Disable checkbox in IPCop/Zerina doesn’t do anything on the client side. Even when the certificate is disabled, the client can still connect. Is this feature not yet implemented? Do I need to revoke/delete a cert in order to keep a particular client from connecting?
Also, my Linux clients are using KVpnc to access OpenVPN on IPCop boxes. This has the nice feature of being able to specify the IP address to ping. Is there any way to accomplish this with OpenVPN GUI on Windows? This would enable the Windows OpenVPN connection to terminate gracefully when a host behind IPCop/OpenVPN goes offline (like a mounted drive). As it is now, the IPCop/OpenVPN box is the keep-alive host, and (of course) it never goes down.
Thanks in advance for your ideas.
IPCop 1.4.11
ZERINA-0.9.7a10
OpenVPN 2.0.9
OpenVPN GUI 1.0.3
steve Says:
March 11th, 2007 at 9:07 pm
Hi,
Thanks for a clear writeup. got a DNS question…
Seems that when our machines go to sleep, IPCop’s DNS server forgets about them after some point.
This makes it impossible to send the sleeping machine the wake up packet from our client management software (without relying on IP addresses).
So then I added a manual DNS entry for the sleeping machine under Services > Edit Hosts. This fixed the immediate problem– now I have a working DNS entry for the sleeping machine. But is this the right way? Couldn’t the DNS entry I added under Edit Host easily become wrong when the IP address/dynamic lease assigned to the machine changes?
Then I noticed the Create Fixed Lease button, I thought oh this is just what I want. So I clicked the Create Fixed Lease button for the sleeping machine under the Dynamic Lease section which moved it up to the Fixed Lease section. Good, I thought, so I did for a dozen other hosts under the Dynamic Lease Section.
Not good– I soon realized!! Once a host is moved to a Static Lease, IPCop assigned it a new IP address outside the scope of the DHCP server’s pool which is OK— but what’s not OK was that it no longer has any DNS entry assigned! Pinging it by name is impossible, only by IP address, so now I lost access to all my DNS entries!
So I now moved everything back down to the Dynamic Lease section, which was difficult since everything now had a new IP address.
In any case, what’s the proper way to do this?
Am I supposed to enter all hosts under Services > Hosts, just to avoid losing them when they sleep, and then must I simultaneously create an entry for each as a Static Lease?
Is it dangerous like I am assuming to leave them as Dynamic Leases with an entry under Edit Hosts?
This all makes for much more maintenance than I hoped. Is there a setting I can adjust that the DNS server in IPCop will keep the address for some period of time despite the machine gone AWOL?
Thanks!
Klassics Says:
March 17th, 2007 at 3:13 am
I have two internet connections in the office. Can I set up IPCOP so it can use one connection when the other is down?
Also, when I set up the IPCOP and try to use Cisco software to connect to my client’s Cisco VPN network, it allows only one machine to get connected.
Vic Says:
March 18th, 2007 at 12:57 am
Thanks a bunch for the tutorial. Really made securing my WiFi connection a less daunting task. Pictures, Step by step instructions, etc. You should do more of these.
karl Says:
March 20th, 2007 at 5:47 pm
Steve,
You can either create a fixed lease and edit the hosts file to make a corresponding entry, or (simpler) lengthen the DHCP lease period to something longer than your machines stay asleep.
Sam Snow Says:
March 21st, 2007 at 5:18 pm
For those asking about how to route all traffic from the remote user through the VPN, here is some documentation on the OpenVPN site: http://openvpn.net/howto.html#redirect .
How this exactly would work with IPCOP/ZERINA I am not sure. It looks like some edits via the command line would be needed.
Sam
Ale Says:
March 23rd, 2007 at 9:51 am
Hello. I need help. I installed the OpenVPN client on Windows 98 but I cannot connect to the OpenVPN server because the client does not support Windows 98.
Does anyone know of VPN client software to connect to my OpenVPN server???
my email is adecchi@gmail.com
Thz
Ale
Aaron Says:
March 28th, 2007 at 10:00 pm
This guide rules!!
you rule bro!!!
Cristian Livadaru’s blog » IPCop out of the “box” Says:
April 7th, 2007 at 9:13 am
[…] I bought a VIA mini ITX mainboard to make a new firewall, the old one with a Pentium1 166mhz was going a bit slow and since I also wanted to use VPN I needed something better. IPCop was installed quite fast, and a quick search brought me to this great howto. After setting up VPN I needed a client for Mac OS and I found “Tunnelblick“, quick installation and everything worked great. Ok, but what is it with the topic, out of the box? Well, usually this has some other meaning, but I really mean my IPCop works “out of the box”, I couldn’t find a case where I could fit it in so I just took a cardboard box April 07th 2007 Posted to Apple, Computer, linux […]
Marcello Says:
April 15th, 2007 at 7:25 pm
just set up open vpn. It connects but then gives me the following error message.
write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
I am using openvpn on XP. The IPcop in question is behind a nat firewall and I have port 1194 opened
Thanks for any help
Marcello Says:
April 15th, 2007 at 8:11 pm
btw my email address is marcello@powercall.ca
klapio Says:
April 27th, 2007 at 3:51 am
Thanks for the great how-to!
This couldn’t be any easier. I only have one problem. We have a Samba server running in the ORANGE network and I can’t connect to it over openvpn.
Anybody have a solution for that?
My LAN is 10.0.0.0/255.255.255.0 and OpenVPN is set to 10.50.0.0/255.255.0.0
mark Says:
April 30th, 2007 at 10:33 am
I’m going to be setting up OpenVPN to use with my Linux laptop (Kubuntu 7.04) with red and blue access.
The IPCop setup looks fairly straightforward, but I’m having more trouble finding any howto help with the needed settings for Kvpnc (on the laptop).
Any good guides out there with examples on setting up Kvpnc for OpenVPN?
Thanks
IPCOP with OpenVPN and Fiesty’s Network Manager at It all flows together Says:
May 10th, 2007 at 4:23 pm
[…] First we install, Zerina’s OpenVPN addon to IPCop. Basically copy the zip to the IPCop box, unzip and run the install file. Actually follow this guy’s great tutorial up to step 7. he’s got it all covered. […]
Child of Wonder Says:
July 26th, 2007 at 4:11 pm
Anyone wanting to web surf through their VPN needs to do the following:
add this to /var/ipcop/ovpn/server.conf
push "redirect-gateway def1"
push "dhcp-option DNS x.x.x.x" (use the IP of the DNS you use on the green network)
then add the following iptables rule:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
(replace 10.0.0.0/24 with your OpenVPN network you chose and eth1 with the RED interface on your IPCop box)
Restart OpenVPN, connect to it, and you’re off!
Sangita Goel Says:
August 16th, 2007 at 9:00 am
I am a novice at this: I want to set up IPCop on an old computer, then be able to network a new computer and have a wireless router in the house for other laptops. Can this be done? Would someone be willing to talk me through it?
Oliver Says:
September 24th, 2007 at 7:18 pm
Thanks for the tip about the WSAEADDRINUSE error. It was working fine for a week and then I suddenly received that error. All working well again now. :)
ck Says:
October 11th, 2007 at 3:50 pm
is there a link to ZERINA for the setup of the openVPN that is in english and not in German?
Albert Says:
November 12th, 2007 at 6:04 am
Great Jobs!
Thanks for your good articles, which help me to construct my VPN network!
Another question: why can OpenVPN in this situation only set up host-to-net VPN? Net-to-net VPN is grayed out.
Thanks!
Eric Says:
December 9th, 2007 at 3:01 pm
I don’t believe in stealing someone’s work. Your how-to website is one of those websites that shouldn’t be lost because a server went down or the author didn’t renew a domain, etc. Are you cool with me doing a pdf of your site and placing it on my site? Obviously a pdf of your site would be your exact site and no changes. Please email me a response.
Jofie Says:
December 17th, 2007 at 8:58 am
Dear Friends,
I have successfully installed OpenVPN and it is running at both ends, client and server side. The only problem I’m facing is when I try to access the complete network it does not work.
I have added this line in the server.ovpn file
push "route <ip address> <subnet mask>"
e.g. 192.168.0.0 255.255.255.0
Please advise what to do next. I’m using Windows XP Professional Edition at both ends.
Looking forward.
Brother
Jofie Says:
December 17th, 2007 at 9:01 am
This is the file I have on the machine; please advise if it is not correct.
## server.ovpn ##
port 1194
proto udp
dev tun
ca ca.crt
cert widget.crt
key widget.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option WINS 192.168.0.1"
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option DOMAIN acme.com.local"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
status openvpn-status.log
verb 3
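An added example, not code from the page author, ZERINA or IPCop: a small linter for a server config of the kind Jofie posted above, checking for the three things that came up repeatedly in this thread, namely the MASQUERADE rule Nick and Child of Wonder needed once clients were routed out through IPCop, the duplicate-cn line John added for a shared certificate, and a pushed LAN route that overlaps the VPN pool. SAMPLE_CONF is constructed from the posted server.ovpn with a redirect-gateway push added; the RED interface name eth1 and the CUSTOMPOSTROUTING chain are assumptions taken from the comments, not verified against a live IPCop box.

```python
"""Lint an OpenVPN server config for the problems raised in this thread.

Added example, not code from the page author, ZERINA or IPCop.
SAMPLE_CONF is constructed from the server.ovpn posted above with a
redirect-gateway push added; the RED interface name and the
CUSTOMPOSTROUTING chain are assumptions taken from the comments.
"""
import ipaddress
import shlex

SAMPLE_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert widget.crt
key widget.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option WINS 192.168.0.1"
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
verb 3
"""


def parse_conf(text):
    """Return (directive, args) pairs, tokenised shell-style like OpenVPN does.

    push "route 192.168.0.0 255.255.255.0" becomes ('push',
    ['route 192.168.0.0 255.255.255.0']); comments and blank lines are dropped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)
        entries.append((tokens[0], tokens[1:]))
    return entries


def pushed(entries, keyword):
    """Yield the argument words of every push "<keyword> ..." directive."""
    for name, args in entries:
        if name == "push" and args:
            words = args[0].split()
            if words and words[0] == keyword:
                yield words[1:]


def lint(text, red_iface="eth1", clients_per_cert=1):
    """Return a list of findings (an empty list means nothing to fix)."""
    entries = parse_conf(text)
    findings = []

    server = [args for name, args in entries if name == "server"]
    if not server:
        return ["no 'server' directive: not a server config"]
    pool = ipaddress.ip_network("%s/%s" % tuple(server[0][:2]), strict=False)

    # 1. A pushed LAN route that overlaps the VPN pool cannot be routed apart
    #    on the client, so hosts in that range are unreachable over the tunnel.
    for words in pushed(entries, "route"):
        if len(words) < 2:
            continue
        lan = ipaddress.ip_network("%s/%s" % (words[0], words[1]), strict=False)
        if pool.overlaps(lan):
            findings.append("pushed route %s overlaps VPN pool %s" % (lan, pool))

    # 2. Several clients on one certificate need duplicate-cn; otherwise each
    #    new connection replaces the previous one, the flapping described above.
    if clients_per_cert > 1 and not any(n == "duplicate-cn" for n, _ in entries):
        findings.append("%d clients share a cert but duplicate-cn is not set"
                        % clients_per_cert)

    # 3. redirect-gateway pulls all client traffic into the tunnel; without
    #    NAT on RED it leaves IPCop with a VPN-pool source and never returns.
    if list(pushed(entries, "redirect-gateway")):
        findings.append("redirect-gateway pushed; needs: iptables -t nat -A "
                        "CUSTOMPOSTROUTING -s %s -o %s -j MASQUERADE"
                        % (pool, red_iface))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, clients_per_cert=2):
        print(finding)
```

Run it against your own /var/ipcop/ovpn/server.conf by passing the file contents to lint() with the RED interface name from the IPCop Status page; the MASQUERADE rule it prints is the one to add, with the VPN pool taken from the server line rather than typed by hand.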
Nick Says:
December 20th, 2007 at 7:24 pm
Here is an updated link to the ZERINA how-to, in English!
http://www.vpnforum.de/zerina/?q=documentation/howto-roadwarrior
(thanks be to Google)
Shane Says:
January 21st, 2008 at 11:12 pm
Thanks for the clear and easy walk through. Have you thought about a paypal donate button?
We use this with macs and PCs in a mixed network. It works mighty fine.
Cheers,
Shane
John Says:
January 27th, 2008 at 5:47 pm
Hi Shane:
Heh, I guess I could add something like that. I guess I just never thought that anyone would bother to donate. :)
Glad you liked the guide.
Thanks,
John
Sverre Says:
February 2nd, 2008 at 6:40 am
Followed your guide, works very well, look forward to seeing how well it copes under full load. Thanks for a good guide!
Greg Says:
March 2nd, 2008 at 12:50 am
Hi, great tutorial. I was able to get the VPN to connect. For some reason I cannot ping anything in my green network other than the Green interface on ipcop. From inside my green network I cannot ping the VPN interfaces. I tried everything I could think of to get access to my green network but nothing works from the VPN. It connects but I can’t access anything: remote desktop, web, ftp, ping, drive shares, etc. Is there something I could be missing? I have used OpenVPN with my Endian firewall and it works a bit differently, but still the same idea. I can’t seem to get it to work with IPCop and Zerina. Any suggestions would be much appreciated. Thanks!
Ben May Says:
March 5th, 2008 at 8:10 pm
Great tutorial, very helpful!! THANKS
from site :http://thinkhole.org/wp/2006/03/28/ipcop-openvpn-howto/