Monday 25 February 2013

Quick Start Vyatta OpenVPN Client/Server setup.

Quick Start Vyatta OpenVPN Client/Server setup (Belgium, ISP: Belgacom, with self-signed certificates)


In this article I will explain how to set up a VPN server at home using OpenVPN, with Vyatta as the VPN server. The primary router in this setup is a Sagem BBOX2 from the ISP Belgacom. The router changes that have to be made will also be covered in this guide.

This video also explains the whole process from start to end, but it is pretty long (1h 13m); with this guide you should be able to set this up faster. If you have trouble following the instructions given below, I advise you to watch the video anyway and follow it step by step (except for the download links: use the ones provided below).

We will use the LAN network of 192.168.1.0/24 and VPN net 192.168.100.0/27.

Router IP: 192.168.1.1/24
VPN Server IP(Vyatta): 192.168.1.100
WAN IP/Hostname: I use a DynDNS account to keep up with my dynamic WAN IP, but there are other alternatives.

Prerequisites:
Vyatta: http://www.vyatta.org/downloads
OpenVPN Client: http://openvpn.net/index.php/download.html (Bottom of page: Community Downloads)

If you do not have dedicated hardware to install the Vyatta ISO on, you can use a virtualization package of your choice to do this.

Burn or mount the Vyatta ISO and boot from it.

Log in with the default credentials:
user: Vyatta
Password: Vyatta

or

user:root
Password: Vyatta


To install the system to the hard drive, enter the "install-system" command. After the install, unmount the ISO and reboot.
After logging in, change the password using the "sudo passwd" command.

First, set your IP address so that your Vyatta router is reachable.

Enter config mode:

root@vyatta:~# configure
[edit]
root@vyatta# set interfaces ethernet eth1 address 192.168.1.100/24 
root@vyatta# commit

root@vyatta# save
Saving configuration to '/config/config.boot'...
Done
[edit]
root@vyatta#


The commit is needed in Vyatta to actually apply the given command(s); otherwise your commands will not be written to the running config. Additionally you need to save the running configuration so that it is preserved after a reboot. In this guide I have cut the commit and save commands to save space.

Then set up the VPN interface:
Here I use port 443, whereas the standard port for OpenVPN is 1194. Most ISPs block that port, and the use of port 443 is also supported by OpenVPN. For Belgacom, ports 80 and 443 can be opened. This is not enabled automatically though: you have to log in to your E-Services account and configure it there to have the ports opened.

root@vyatta# set interfaces openvpn vtun0 local-port 443 
root@vyatta# set interfaces openvpn vtun0 protocol udp 
root@vyatta# set interfaces openvpn vtun0 mode server 
root@vyatta# set interfaces openvpn vtun0 openvpn-option "--mssfix --tun-mtu 1488" 
root@vyatta# set interfaces openvpn vtun0 replace-default-route 
root@vyatta# set interfaces openvpn vtun0 server subnet 192.168.100.0/27

Then create and sign your certificates; watch Roggy's video from 32:30 on how to do this.
Set certificate info:

root@vyatta# set interfaces openvpn vtun0 tls ca-cert-file /etc/openvpn/ca.crt 
root@vyatta# set interfaces openvpn vtun0 tls cert-file /etc/openvpn/vpn1.crt 
root@vyatta# set interfaces openvpn vtun0 tls dh-file /etc/openvpn/dh1024.pem 
root@vyatta# set interfaces openvpn vtun0 tls key-file /etc/openvpn/vpn1.key
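The post defers the certificate step to the video. As an added example (not from the original post or from Vyatta), the script below builds the same set of files with openssl alone: a self-signed CA, a server certificate that matches the vpn1.crt/vpn1.key names used above, and one client certificate. The CA name "Home VPN CA", the client name "client1" and the output directory are assumptions. The server certificate gets the serverAuth extended key usage so that a client can set "remote-cert-tls server" and refuse a stolen client certificate that is presented as the server; the post itself does not use that option.

```shell
#!/bin/sh
# Added example, not from the original post: generate the self-signed CA,
# the server certificate and one client certificate that the tls section
# above refers to, using only openssl. Names are assumptions: "Home VPN CA"
# for the CA, "vpn1" for the server (matching vpn1.crt/vpn1.key above) and
# "client1" for the client.
set -eu

# make_pki OUTDIR SERVER_NAME CLIENT_NAME
# Writes ca.crt/ca.key, SERVER.crt/.key and CLIENT.crt/.key into OUTDIR.
# The body runs in a subshell so umask and variables do not leak to the caller.
make_pki() (
    dir=$1; server=$2; client=$3
    mkdir -p "$dir"
    umask 077    # private keys must not be readable by other users

    # 1. Self-signed CA (10 years). Keep ca.key off the VPN server and the
    #    clients; only ca.crt is distributed.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Home VPN CA" -keyout "$dir/ca.key" -out "$dir/ca.crt"

    # 2. Server certificate with the serverAuth EKU, so a client that sets
    #    "remote-cert-tls server" rejects any other client certificate that
    #    is presented to it as the server.
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$dir/server.ext"
    sign_cert "$dir" "$server" "$dir/server.ext"

    # 3. Client certificate with the clientAuth EKU.
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$dir/client.ext"
    sign_cert "$dir" "$client" "$dir/client.ext"
)

# sign_cert OUTDIR NAME EXTFILE: key + CSR for NAME, signed by OUTDIR/ca.*
# with the extensions listed in EXTFILE (5 years).
sign_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr"
    openssl x509 -req -sha256 -days 1825 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$3" -out "$1/$2.crt"
    rm -f "$1/$2.csr"
}

# make_dh OUTDIR BITS: Diffie-Hellman parameters for "tls dh-file". The post
# uses dh1024.pem; 1024-bit DH is too weak today, so use 2048 (this takes a
# while to generate).
make_dh() {
    openssl dhparam -out "$1/dh$2.pem" "$2"
}

# verify_cert CA_FILE CERT_FILE EKU_TEXT: succeeds only if CERT_FILE chains
# to CA_FILE and carries the expected extended key usage, e.g.
# 'TLS Web Server Authentication' or 'TLS Web Client Authentication'.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null &&
    openssl x509 -in "$2" -noout -text | grep -q "$3"
}

# Usage: ca.crt, vpn1.crt, vpn1.key and dh2048.pem then go to /etc/openvpn/
# on the Vyatta box over SSH (scp), and ca.crt + client1.crt/.key go to the
# client's config folder. ca.key stays on the machine that signs certificates.
#   make_pki ./pki vpn1 client1
#   make_dh ./pki 2048
#   verify_cert ./pki/ca.crt ./pki/vpn1.crt 'TLS Web Server Authentication'
```

If you keep the post's dh1024.pem name in the Vyatta config, call make_dh with 1024 or adjust the dh-file path to the 2048-bit file; the file name itself is not significant to OpenVPN.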

Set up NAT for the VPN net:
root@vyatta# set nat source rule 10 outbound-interface eth1
root@vyatta# set nat source rule 10 source address 192.168.100.0/27
root@vyatta# set nat source rule 10 translation address masquerade

Set next hop:

root@vyatta# set protocols static route 0.0.0.0/0 next-hop 192.168.1.1


Enable SSH access (to upload/download the certificate files):
root@vyatta# set service ssh port 22

Your config should look like this:

interfaces {
    ethernet eth1 {
        address 192.168.1.100/24
        duplex auto
        hw-id 9a:6f:ae:18:cd:bf
        smp_affinity auto
        speed auto
    }


    openvpn vtun0 {
        local-port 443
        mode server
        openvpn-option "--mssfix --tun-mtu 1488"
        protocol udp
        replace-default-route {
        }
        server {
            subnet 192.168.100.0/27
        }
        tls {
            ca-cert-file /etc/openvpn/ca.crt
            cert-file /etc/openvpn/vpn1.crt
            dh-file /etc/openvpn/dh1024.pem
            key-file /etc/openvpn/vpn1.key
        }
    }
}
nat {
    source {
        rule 10 {
            outbound-interface eth1
            source {
                address 192.168.100.0/27
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.1.1 {
            }
        }
    }
}
service {
    ssh {
        allow-root
        port 22
    }
}

Next, configure your BBOX2:
Log in to your BBOX through your web browser (usually at IP 192.168.1.1).

Then Advanced Settings -> LAN Servers:

Add a port forwarding rule for port 443 and point it to your Vyatta router's interface (192.168.1.100).


Disable your router's firewall, or if you don't want to do that, add a port trigger rule and an advanced filtering rule for port 443.


Next, you need to change your WAN MTU, because with the autodetect function your VPN connection will fail! The standard MTU value is 1500, but this will generate errors, so we will set it to match the BBOX's maximum MTU of 1488. If you have another ISP, you can just try the standard settings first.


Set the MTU value to 1488. 



Next, set up your OpenVPN client. After installation, go to the C:\Program Files\OpenVPN\config\ folder and place your certificate, key and DH files there. Then go to your network interfaces and rename the "TAP-Windows Adapter V9" to Tap0. Now open client.ovpn and change the following parameters to:
#TAP Adapter name
dev-node Tap0

#protocol
proto udp

#server hostname/ip
remote "YOUR WAN IP" 443

#SSL/TLS params:
ca ca.crt
cert ***.crt
key ***.key

Comment out comp-lzo.

Add the following parameters:
--tun-mtu 1488
--mssfix
--script-security 2

Save the config, and now you can start the OpenVPN client software. It is very important to run it with administrator rights, because changing the routing for the VPN tunnel requires admin rights.


Now you should be ready to use your VPN tunnel. If I have forgotten any steps, just mention it in the comments and I will add it later on. I typed this up rather quickly and my network setup is different from the one displayed here, but I wanted to make a guide that shows a working config for this ISP. I hope this helps you set up a VPN tunnel quickly.

If you have any trouble configuring this, just leave a comment and I will try to help.