This is HPR episode 2447 entitled Server Basics 104: OpenVPN Server. It is hosted by Klaatu, is about 43 minutes long, and carries a clean flag. The summary is: Klaatu walks you through installing and configuring OpenVPN Server. This episode of HPR is brought to you by AnHonestHost.com. Get 15% discount on all shared hosting with the offer code HPR15. Better web hosting that's honest and fair at AnHonestHost.com. Hi everybody, this is Ken from HPR with an important announcement. From Wednesday the 28th of December 2017, the media in the HPR feeds will be served via redirect from archive.org. If you run into any problems, can you email admin at hackerpublicradio.org? We've done quite a lot of testing and I'd like to thank everybody who helped out with that on the mailing list. So nothing should change and nothing should be impacted. All the URLs are going to remain in the feeds. It's just that new shows will be downloaded via a 302 redirect to archive.org, and they'll be downloaded directly from there. So we don't expect any problems, but if there are, contact us, great. The reason behind this is that Josh at AnHonestHost.com, who's been providing our servers, has been receiving an unacceptable amount of traffic over the last period. That's resulted in slowdowns on the website and lots of issues. So hopefully this move will take some of the burden off the website. In addition to this, if you can throw a few shekels in the direction of Josh, we would appreciate it. If you go to any page on the HPR website, there's information there on how you can help him. So once again, as of Wednesday the 20th of December 2017, the media for the HPR feeds will be served via a redirect from archive.org. Thank you very much for your time. Hi everyone. This is Klaatu. You're listening to Hacker Public Radio. This is episode four of my Server Basics series, or sysadmin series, whatever I'm calling it.
In this episode, I want to talk about OpenVPN, or VPN generally speaking. But before I get into that, I want to address some feedback that I got on this series. The feedback came from x1101 on Mastodon, or Lyle from the /dev/urandom podcast. And he mentioned to me that, I mean, he's a sysadmin, a long-time sysadmin, and he mentioned to me that while the series was good, I should probably at least acknowledge that if you go out into the real world and try to get a job, entry level or whatever, in sysadminning, you're going to encounter non-free software, shock and horror. Yeah, it's true. There's a lot of non-free stuff out there, and the chances are that wherever you work, you're going to encounter some of it. Now when I started looking for work as a sysadmin with zero experience to my name, I looked very exclusively at jobs that were Linux or Unix based, so I didn't even entertain the idea of doing Windows support. I just didn't, and it meant that I was unemployed for about a year. I mean, I wasn't unemployed, I just wasn't employed as a sysadmin. I was working at a bagel shop, and that was great, because I got free bagels. It was really a great job actually; I'm thinking of getting back into that line of work. But as a sysadmin, when I finally did find the job, I did get a lot of Linux experience. It was great, but even though it was Linux, there's a lot of proprietary stuff that sits on top of that sometimes. So you might walk in and find that for OpenVPN, or for VPN, I keep saying OpenVPN for VPN, they might be using Cisco, and for virtualization they might be using VMware, all things like that. So just be aware that while I'm covering the open source stuff, there is stuff out there that is not open source, and you might find yourself having to deal with that.
Now what I have found in practice is that learning the open source stuff, as is often the case, teaches you so much about the principle behind the technology, really the technology behind the technology, I guess, and in the end you come out knowing just about everything you could possibly know about that subject. And so when someone throws something proprietary at you, you may or may not have ever used it, but at least you know the concepts that you're going to have to tackle, and so you know kind of how to approach that closed source system. So sure, you may not know a thing about how to log in to a Cisco router, you may not know anything about the command line that Cisco provides you, but once you look up a couple of tricks here and there, you're going to see what exactly it is that they're configuring with different commands, and you'll be able to equate that with all the open source stuff that you actually do know. And it's a lot easier to sort of tackle if you understand, all right, so this stupid command here is really adding a route to get my traffic to this subnet, blah blah blah, you know, and so it makes sense. So I'm obviously going to stick with talking about the open source stuff, and I don't think Lyle meant for me to change away from that, but I will continue to talk about the open source stuff because that's what I know anyway, just with the acknowledgement that closed source solutions for the same technology, you're going to encounter them on the job. And unfortunately a lot of people are going to, not getting tied directly in, but unfortunately a lot of people are going to sort of try to sell you on the idea that the open source stuff that you want to use is actually more to maintain. That's an old one, that's an oldie but goodie, and it just keeps rearing its head. I've had people keep saying it, and if you do open source wrong, then it's true, but then again, if you do closed source wrong, you have a whole set of other problems. So if you do anything wrong, you're going to be unhappy. So if you're doing open source correctly, you're going to learn it, and then you're going to automate the heck out of it, and you're not going to have to deal with it every day. And if you do closed source wrong, then you're going to use closed source, and someone else is going to take care of it for you, and you'll just never know what's going on within that box, and where your traffic is actually going, and when something breaks, you're not going to be able to fix it because you're going to have to call in someone else to work their magic in their magic box. You don't want to do that, trust me. People are going to try to sell you on this, and they're going to say, well, we can take work off of you, out of your hands. You're not going to have to worry about this, and we will set up your VPN for you. All it takes is this mysterious box in your server rack, and we'll manage it for you. And at some times you will be tempted to go that route. You will say, well, I'm still trying to work out my OpenVPN config files, and it's not working, and this is horrible, and I'm really busy, and people are yelling at me. All right, let's sign up with this service. Do not do it. Stick with open source. If you have any say in the matter, rely on open source; it will not steer you wrong. You might have to struggle to get it set up from time to time, because you don't know it yet, but you're learning. You set it up, you automate it, and it's perfect. So that's just my experience. Now let's talk about VPN and why it's important. So VPN is kind of a big deal. It's almost, I would say, to the point that it's expected, especially within technical industries. Having a VPN and being able to access your work network from away from work is just expected; people expect you to have that set up. So if you get a job as a sysadmin, that's going to be one of the things that you're going to have to set up, almost guaranteed.
Now, you might think, well, hey, I set up SSH at home, and I even poked a hole in my router firewall, and I can SSH to my home network from the cyber cafe, because we're pretending like cyber cafe is a modern term still. And that might seem really cool to you, and maybe you even do fancy things like X forwarding over SSH. So you think it's practically like I'm sitting at home. It's amazing. That's not going to work on the larger scale, trust me, for a couple of reasons. Number one, because a lot of the closed source vendors out there, and Windows admins, and people who just generally don't know a whole lot about the Linux tool chain, are going to say, well, SSH is horrible. It's a gaping vulnerability. You can't have that open on your network. And they say that because they hear things about exploits, and they know that SSH runs on port 22. So they know that people will brute force SSH on port 22 as root, and they'll get in, and they'll take over your network, and all that other good stuff. Of course, again, you know, if you've done it wrong, which is, you know, if you didn't listen to the previous episode about SSH and setting it up and stuff, then yeah, maybe you would do something like that. But of course, in real life, you personally would not do that. You would not run it on port 22. You would run it on some other port. You would not have passwords even enabled, much less root login enabled, and you would have something sitting in front, or sitting between that SSH port and the rest of the system, such as fail2ban, or whatever. So it's not really an issue. People will say, well, SSH is not good. So they will frown on SSH because they believe that it's a bad thing. And they will say, no, you have to use VPN because everyone knows VPN's perfect, and nothing's ever gone wrong with VPN. So that's what they'll say.
Now, the other reason, the actual reasonable reason that SSH will not stand up to VPN, is that VPN provides a network. SSH is just a shell. That's what it stands for, secure shell. So when you use SSH, you log into a computer, and you are presented, as you probably know, with a prompt. And a lot of people don't know what to do with that. That's not a useful thing for a lot of people. So providing them with access to one computer on a network and a prompt, it's pretty limited. So VPN is a virtual private network. It provides not just a computer. It provides an IP address, so your computer stays the same. It's the one that you're actually typing on. And you inherit everything else on the network, whether it's IP addresses, access to networked printers, access to internal information management systems, you know, maybe an internal wiki, or something like that. Important services, like maybe if you are sick for the day, and you need to go into the system and apply for, you know, a paid day off, maybe that runs on the internal network. And in order to reach that, you have to log into the VPN, so that you can get to the server within the network that runs that sort of thing. So it's an important sort of service to provide to your people, to your crew, because it provides them a network away from the office with encryption and a pretty darn good set of authentication options. So what we're going to set up in this episode, because this is quite a complex process to be honest, is a VPN server. And then in the next episode, I'll step you through setting up the VPN clients. We'll just work to get essentially the connection going. That's the hardest part I have found. And OpenVPN is such a big technology with so many different options, and frankly a lot of different use cases, it gets pretty overwhelming. It would be overwhelming if I tried to step you through all the different options.
So what I'm going to do is get you running a VPN so that the server and the client can talk to each other. We're just going to get them to ping back and forth over the same subnet. And from there, you can try to sort out what you actually need to know on top of that. In my experience, the initial configuration, figuring out the certificates and pinging back and forth, you know, getting that connection to actually function, that's the hard part. After that, it's just a matter of adding other stuff on, other features. Maybe you want a different kind of authentication, maybe you want to add in some TLS, whatever; that stuff you can look up after you've got that connection going, once the two ends start responding to each other's pings. So in order to install OpenVPN, you'll need two different things. One is the openvpn package itself, which will be in your repository. Certainly, it's already installed on some distros. Certainly, it's already on Slackware. I don't think it was on CentOS initially, but yeah, like I say, it's in the repository. And then you'll also need something called easy-rsa. And easy-rsa used to be part of the OpenVPN package, apparently. And then it got sort of forked off into community support, quote unquote, meaning it's its own project now. Confusingly, there are two easy-rsa versions that are still sort of equally in use. So if you go online and look for instructions on how to do all of this stuff, you may come across a tutorial that just happens to have used easy-rsa 2. Or you may stumble across one that uses easy-rsa 3. And that'll be confusing.
I'm going to go with easy-rsa 3 because that's sort of where everything's going, but just be aware that there are two versions. easy-rsa 2 is still pretty, I guess, popular, or there's a lot of use still of easy-rsa 2, presumably because a lot of the server guys, the server distros, are very slow to change and update because they test everything first, and so easy-rsa 2 is still just what they've got in their docs. Okay, so with that out of the way, you need both of those packages, openvpn and easy-rsa. On CentOS, certainly you would need to enable EPEL, that's Extra Packages for Enterprise Linux. You can look up on the Fedora site or the CentOS site how to do that. Okay, so the first thing that you have to do for OpenVPN really is come to grips with the fact that you're going to be managing a bunch of keys. So you remember in the previous episode when I was talking about SSH and how you should not use passwords and you should use SSH keys, and that's all kind of built into SSH and it's pretty simple to manage because you've just got ssh-keygen and you're just generating keys and passing them out to your users; it's pretty simple. Well, OpenVPN is a little bit more like, I would say, for instance PGP. If you've ever tried to use PGP for your email, or GPG or whatever, or OpenSSL. And OpenVPN is a lot more like OpenSSL. In fact, it actually even uses an OpenSSL library. So it doesn't have the infrastructure that for instance SSH has kind of built in to juggle all these keys around. easy-rsa is kind of our easy solution to doing that. So once you install easy-rsa, which I've just done, then it usually dumps this folder of scripts, or a script depending on whether you're using two or three, into some shared location, and generally speaking, I don't believe I've ever seen it anywhere else but /usr/share/easy-rsa. So they really mean, in their docs, they tell you to do this.
So what they're really intending for you to do is to cp -rv /usr/share/easy-rsa to some location that you want to use it from. I'm just going to copy it to my home folder right now, and then I'm going to change into that folder and I see that there's an easyrsa script. There's an openssl-1.0.cnf, and there's a vars.example, and then x509-types. So easyrsa itself is a shell script and it's right there, so I'll just do a ./easyrsa. The first thing that I need to do is create my public key infrastructure, which everyone just refers to as PKI, and the command for that is ./easyrsa init-pki. And it tells you, okay, init-pki complete. You may now create a CA or requests. Your newly created PKI dir is /home/klaatu/easy-rsa/pki. Great. Okay, so in the folder now that we are in, if you do an ls, you'll see that there is a new folder called pki, and if you look in pki, you see that there's a folder called private and a folder called reqs, and they're empty. That's fine. That's expected so far. Okay, so that's just set up the infrastructure for our PKI. Now what we're going to do is, as it kind of told us, or as it hinted for us, create a CA, or certificate authority. So ./easyrsa build-ca. That generates a 2048-bit RSA private key and it prompts us to create a password for this private key. Now you might notice that it's telling you it's putting this private key in the pki directory that we just created with that init-pki command. So I'm going to enter a really embarrassingly simple password just to keep it easy for myself. Don't do that in real life, but since this is just a test environment, I'm just using the bare minimum password, which is four characters. It will enforce a four-character password. It will not let you just enter a single character.
But anyway, you shouldn't be doing that anyway. I'm just doing that so that as I type and talk, I don't have to remember too many strings. So now it's asking me for a common name, which is your user, your host, your server name, whatever. So it can be pretty much anything, but I think what I've always done is I've just used the host name. So I'm going to use darkstar, which is not actually my host name, but that's what I'm going to do anyway. Now again, the CA creation is complete and you may now import and sign cert requests. And it says your new CA certificate file for publishing is at /home/klaatu/easy-rsa/pki/ca.crt. So that is the CA, the certificate authority certificate that we have created. Now we're going to create something called a request: ./easyrsa gen-req, gen like generate, req like request. And then the thing that we're creating the request for is our server, which we can identify by the name that we created that CA for. So I put in darkstar. So that's what I'll do: ./easyrsa gen-req darkstar. Now again, it is asking me for a passphrase. And again, I'm doing a ridiculously simple one. And it's asking me for a distinguished name, or a DN. And that is, of course, again, darkstar. Okay. So now a key pair and a certificate request have been completed. Your request is at ~/easy-rsa/pki/reqs/darkstar.req, and the key is in the same place except pki/private/darkstar.key. So now we need to create a certificate for our server. And the way that we do that is ./easyrsa sign-req. So it's a sign request, then server, because that's what we're generating it for; that's the literal string server. And then darkstar, which of course is the name of our server; that's how we're identifying it. So ./easyrsa sign-req server darkstar.
So you press enter on that and then it kind of tells you what your request is, you know, it summarizes the request. And the subject is, okay, well, here's your request, you're about to make a certificate with a common name of darkstar. Type the word yes to continue, or any other input to abort. So I'm going to type yes, confirm request, yes. And then it asks me for the passphrase of my certificate authority. So I created that, and I made it really stupid simple, which hopefully you're never going to do. And then I hit return on the keyboard. And it generates it really quickly. It tells me where it is. It says it's in easy-rsa/pki/issued/darkstar.crt. So we'll need that later. We'll move that to a different location. But first, the server needs to have a Diffie-Hellman file to look at. And the command for that is openssl dhparam. That's dh as in Diffie-Hellman, param like parameter, then -out, and then some name; generally speaking, the default name is dh2048.pem, and then 2048. And that tells it, obviously, how many bits this should be. So: openssl dhparam -out dh2048.pem 2048. Usually the default name is dh2048.pem. It might be something different in your example OpenVPN config file. So just kind of pay attention, eventually make sure that that name is something that you actually set. I find it easiest just to use the convention dh2048. I don't see any reason to do anything but that. And that's still actually generating on my computer. So I'm going to pause this as that generates. Okay, it's done. Cool. Now, that took no time for you. Now, this next step that we'll go through together, we're not actually going to use the key that we produce during these two episodes. But it is important because it's a key that you would need later on if you're going to add in extra features, specifically TLS authentication on top of all the OpenVPN handshakes that occur, which helps set up kind of a firewall to block denial of service attacks.
So it's important, but not essential to get this thing working in a secure manner. It's just an added feature that you can go in and investigate later for yourself. When you do that, though, you will need to generate a ta.key. And if I don't tell you how to do that, you might get confused and think that it's a key that you already generated. Well, as of now, it will be. It's a key that you'll generate, that we won't use, but you might use personally later on. And with this we actually get to use the openvpn command, finally. I mean, it's just to generate yet another key, but you know, whatever. So you do openvpn --genkey, that's generate key, genkey all one string, --secret ta.key. So: openvpn --genkey --secret ta.key. ta.key is the traditional name for it. Like I say, it stands for TLS auth. And you do that and that creates the ta.key in your current directory right alongside all the other files that we've been generating. Well, not all of them, but right alongside the dh2048.pem, certainly. Okay, that's all the setup for the, well, it's not all the setup. That's all the key generation that we need to do right now for the server infrastructure. Now we have to move everything to where OpenVPN is going to be looking for them. So the dh2048.pem, since it's right here in the current directory, you might as well move that first; it goes to /etc/openvpn/certs. And if the subdirectory certs does not exist, you can create it. You'll obviously have to do all this as root. So you can just do a mkdir -p /etc/openvpn/certs. If that doesn't exist, it's okay, it will create it. And then you can move the dh2048.pem into that directory. And I'm sorry, I should be clearer here: I'm saying move, and what I'm actually doing is copying. And I do this for a very good reason. And that is that all of these keys, we're going to want to archive. We're going to want to back this stuff up.
So you want to copy all the things that you've generated from this directory to the rest of your system. And then at some point, you will want to tar this directory up and put it in a safe place. So if anything happens, you have all this information. You don't want to have to revoke all of your keys and make all your clients update and regenerate all your client keys. I mean, you might if there's a breach or something, but if your server crashes, you don't want to lose this; back it up. So I'm copying, even though I'm just frivolously saying move. I mean copy. And then you'll also want to create, mkdir /etc/openvpn/keys, k-e-y-s. If that doesn't exist, you'll want to create that. And you'll want to copy the ta.key to /etc/openvpn/keys. And there's more. So let's copy the CA cert that we created, which remember easy-rsa placed in the pki directory. So you'll copy pki/ca.crt to /etc/openvpn/certs. That kind of makes sense if you really think about it because, yeah, .crt goes into a certs directory. Makes sense. You'll also have to copy the server-specific cert to the certs directory. So that was placed in pki/issued/darkstar.crt. And you'll put that into /etc/openvpn/certs. And then you'll also want to copy the key, the server key, the private key, which, again, was placed in pki/private this time. And it's called darkstar.key. And you can put that into /etc/openvpn/keys. So if you really think about it, I'm not saying it's intuitive by any means, but I am saying it does kind of make sense if you look at the kinds of files that you've generated, which are practically magical. But if you look at their extension and you kind of look at what kind of directory structure OpenVPN's main configuration directory has, it does kind of make some sense. Okay.
So once that is finished, it's time to set up the configuration file. And I think that key step is probably the most frustrating. And it's one of the least well-explained things on the internet in terms of when you go to look up how to do OpenVPN configuration, because generally all the how-tos just kind of rush through it, which I mean to some degree I have as well, but they kind of just throw all these generation commands around and you have no idea what you're generating or where they're supposed to go, and it gets really frustrating. So anyway, on to the configuration step. The first configuration we need to do is the server configuration, so that OpenVPN, when we start it, knows that it's actually running on the server, that it's not in client mode, that it's in server mode. So, okay, server.conf is the file that we want to do. And it really kind of depends again on your package, like where did you get OpenVPN from, how did they set it up for you, where is server.conf? If server.conf is nowhere to be found, you can find it within the OpenVPN source code that you can download from openvpn.net. So if you go to openvpn.net, just go into the community wiki and then on the left-hand side you'll see Downloads. Go to Downloads and then you'll see all the different tarballs and things that you can download. So download one of them, and inside of there you'll find, let me, I'm going to actually just do a cat of /home/klaatu/Downloads/openvpn-blah, and then there's a folder in there called sample, and there's a bunch of folders in there, and there's a folder called sample-config-files, and in there sure enough there's one called server.conf, and that's what I want. So I'm going to redirect that to /etc/openvpn/server.conf. Simple as that.
And now I can open up server.conf in Emacs. And those sample files are actually really good to look at, because it kind of gives you a bunch of different use cases. So there are lots of different configuration files in there. Some of them will still be a little bit confusing, I guess, because you won't know what you need and what you should activate and deactivate, and that sort of thing. But a lot of them do at least give you a notion of what is possible. And I mean, some people I've read, they're so SSH-shy that they just like to use OpenVPN just for a single computer-to-computer type of connection, which you can do; you just have to set it up for that. And there's a sample configuration file in there, if I recall correctly, for that sort of setup. So lots of good config samples in there. Okay. So anyway, we're setting up a server right now. So let's talk about that config. So what I've got here is, first, I mean, read through it, as I said, but the first thing that you need to look at is the port: port 1194. That is the default port for VPN traffic and you can keep it there. I guess if this is your first time ever setting up a VPN, I would say keep it there just so you remove variables. But if you want to change it, you can. Then the next one is the protocol. The protocol that I think is the default is UDP. I don't know why you would need anything other than that. There may be valid reasons. I'm just saying I've always set it up with UDP. All right. Next, the device. The device to use on Linux, certainly, would be the tunnel device, tun. I think I've used a tap interface before. I don't think it was for VPN. I want to say it was for bridging something from QEMU or something. I'm not sure, but anyway, tun is the default and that's what I'm going to go with. It's generally what I would say that you should go with.
Although, that said, I have no idea if you have to use tap on Windows, or if there's a tun option for Windows. I'm not sure. Okay. The next three lines are going to be looking for your certificate information. And luckily, we know where those are because we put them there ourselves. So the first one is the CA. This certificate authority certificate is, in my case, in /etc. So I'm changing this in my config file: ca /etc/openvpn/certs/ca.crt. I happen to know that that's where I put it. The next one is going to be looking for the certificate of this server itself. So that's cert /etc/openvpn/certs/darkstar.crt; I put that in certs as well. And then the final one is the key, which is the secret key. So key /etc/openvpn/keys/darkstar.key. Now if you put them somewhere else or you named them something else, then obviously you would want to adjust that for your use case. And then after a little bit more comment, it asks for the Diffie-Hellman parameters. And for that, dh /etc/openvpn/certs/dh2048.pem. That's just again kind of the default stuff. Okay. So topology subnet. That's fine. I don't care. Down here, there's this thing about configuring the server mode and supplying a VPN subnet for OpenVPN to draw client addresses from. So this is essentially establishing your own little private DHCP pool that you want OpenVPN to use when clients connect. So I put in here server 10.8.0.0, that's the default subnet, and then for the mask 255.255.255.0. So in other words, don't touch 10, don't touch 8, don't touch 0, and then .0 meaning yes, hand out that last number. We can skip over the ifconfig-pool-persist. We can skip over server-bridge. We don't need to do that because we're not using a tap device. Now there are a couple.
I mean, you're going to have to come back to this configuration file depending on how you want to configure this stuff. But right now, since you don't know how you want to configure it, I'm kind of skipping over a bunch of the options. But there are a couple that you'll probably have to look up and kind of see how you want this all to go. One of them being the redirect-gateway definition, which is kind of a thing in OpenVPN that you might have to use at some point. So tls-auth, right now we are going to leave that off. So if that's not commented out, comment it out. It's an important one, and it uses the ta.key that we generated earlier. But it adds a variable to the connection stuff. So if we have time, we'll go back to this and try to turn that back on; for now, we're going to leave it off just for simplicity's sake. Now it says cipher AES-256-CBC, and we're going to need to put that also in our client configuration. So don't let me forget. Then there's compression. And we could use a couple of different types of compression. To keep things simple, we're just going to do the comp-lzo compression. Technically speaking, that's not even all that necessary, but we're going to do it anyway. max-clients is 100. So we're just going to uncomment that and say, well, we're going to do max-clients as more like 10, just because this is a test. user nobody, group nobody, yeah, you want to uncomment that, so that we're using unprivileged users here. persist-key and persist-tun, I guess we'll just leave that as is. That's one of those troubleshooting things that if something's not working, sometimes you have to go back and comment that out as you troubleshoot. Output a short status file, showing current connections, truncated and rewritten every minute: status openvpn-status.log.
So I'm setting the log location and then I'm going to set the log-append location to log-append /var/log/openvpn.log. And once again, depending on where you got your OpenVPN package from, that might already be the default. Now for verbosity, we can set that pretty high right now, while we're troubleshooting. So I'm going to set that to verb 6, which is sort of debugging. And that's a good thing to have. Now you can do 9, but I find that that's too much and it just flies off your screen way too fast. But you can resort to that if you're having a lot of problems. And then I like to mute 20, which means if there are 20 of the same messages in a row, it will not write all 20 to the log file. And that's about it, I think. That's everything for this file. That's the server configuration. So I went through that pretty fast, but a lot of those were the defaults anyway. So that's a good thing. And to be honest, a lot of these options you're going to have to come back to and set some other way, because your use case is probably going to differ from this test case. That said, I want to be very clear. The options and the values that I put into that config file, they will work for you. You can do exactly as I was doing. You don't need to customize the IP addresses or anything. Those are standard OpenVPN expectations, like the port numbers, not IP addresses. So you can use those exact same values. Unless, that is, your home network happens to run 10.8 as its main network; then you want to change the subnet that you are creating. That's a pretty oddball default, though. I doubt that you're using that. So you should be able to enter the exact same values as I entered into my config and get an OpenVPN server up and running. So what we'll do now is we'll start OpenVPN just to see if it's working. We don't have any clients set up, so it won't really be all that exciting, but at least we'll see that it works.
So what we'll do, well, actually, first before we even do that, do ip a, or, if you want to do it the longer way, ip addr show. And that should show you all of the, that's the new ifconfig essentially. So ip a will show you all of your network connections, or your network interfaces rather. So there's the loopback device, there's the eth device, the actual ethernet port, and then there's your wireless port or your wireless card, whatever, wlan0 or whatever yours is called. So that's good. Now we know, great. And now we'll do the OpenVPN start thing. So openvpn is the command. Now there's a --config option, but if that's your only option that you're passing, you don't have to use that. So you can just do openvpn /etc/openvpn/server.conf. And now it just gives me a prompt back. It gives me my prompt straight back. Well, that's kind of crazy. So if you do a pgrep openvpn, no, nothing; pgrep vpn, no, nothing. Okay, so I don't think this thing started. Well, let's do a cat of our log, openvpn.log. And you'll see in your log that yeah, it actually failed. So it says Options error: --explicit-exit-notify cannot be used with --mode server. So then if you look in your /etc/openvpn/server.conf, down at the bottom of that file, there is a "notify the client when the server restarts, so it can automatically reconnect", and that's set to 1. So we're going to have to set that to 0. And then if we do an openvpn /etc/openvpn/server.conf, it prompts us for a password, the private key password. Now we know our private key password, we created that earlier. So I'll enter it and then it just kind of hangs. So if I switch over to a different terminal and do a pgrep openvpn, I do see that it is working.
So the reason that it appears to be sort of just frozen is because we didn't daemonize this process. And that's okay, I wanted to be able to see that everything was working and I wanted the feedback. So I'll go ahead and Control-C out of that. Now I can restart it again and do --daemon, d-a-e-m-o-n. Let's call it darkstarvpn. And then we'll do a --config, because now that's not the only option we're using, /etc/openvpn/server.conf. And now if I start that, then again, it just gives me my prompt right back. So that kind of felt like a failure again. So let's do another cat on our log file and sure enough, it's a failure. So it says, okay, can't ask for private key password. If you use --daemon, you need to use --askpass to make passphrase-protected keys work, and you cannot use --auth-nocache. Well, I didn't use --auth-nocache. But neither did I use --askpass. So now I'm doing it again with --askpass. Now it asks me for my password and it gives me my prompt back. But that felt a little bit better. So let's do a pgrep vpn. And yes, I get a 592. That's the process ID that it's running at right now. Yours will be different. And so that means that OpenVPN is running on our server. So that's great. That's huge. That's a big deal. Remember when we did the ip -a before, no, ip a, before we started OpenVPN? Do that again, ip a. Now this time you might notice you've got a new network interface, my friend. You have loopback, you have eth0, you have wlan0, whatever your wireless was called. And then you've got tun0. That's a new tunnel interface created by OpenVPN. Now things are getting exciting. I'm going to close this one out. We've got the server, the OpenVPN server, up and running, ready to accept clients. We have zero clients configured. And that's a whole other thing.
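To tie the walkthrough together, here is an added example, not from the episode or the OpenVPN project, that writes out the server.conf values Klaatu describes to a path of your choosing, checks it for the explicit-exit-notify clash that stopped his first start, applies his fix, and prints the daemonised start line he ended up with. The function names are mine; the /etc/openvpn paths and the darkstar names are the ones from the episode.

```shell
# Constructed from the episode's values. The file is written to the path in $1,
# so it can be tried anywhere; the cert/key paths inside it are Klaatu's.
write_server_conf() {
  # $1 = output path, $2 = explicit-exit-notify value (1 as shipped, 0 as fixed)
  cat > "$1" <<EOF
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/darkstar.crt
key /etc/openvpn/keys/darkstar.key
dh /etc/openvpn/certs/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
;tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 6
mute 20
explicit-exit-notify $2
EOF
}

# "server" implies --mode server, and OpenVPN refuses a non-zero
# explicit-exit-notify in server mode. Prints "conflict" or "ok".
check_exit_notify() {
  if grep -q '^server ' "$1" && grep -Eq '^explicit-exit-notify[[:space:]]+[1-9]' "$1"; then
    echo conflict
  else
    echo ok
  fi
}

# The fix from the episode: set explicit-exit-notify to 0 (portable, no sed -i).
fix_exit_notify() {
  sed 's/^explicit-exit-notify .*/explicit-exit-notify 0/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The start line that worked: daemonised, with --askpass so the
# passphrase-protected key can be unlocked. Prints it rather than running it.
openvpn_start_cmd() {
  printf 'openvpn --daemon darkstarvpn --askpass --config %s\n' "$1"
}
```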
You will be making lots of client keys, ostensibly, because that's the one-to-many relationship. You've got your OpenVPN server and lots of different clients. So rather than trying to cram all the client stuff, both the key stuff and the client configuration, into this episode, I'm going to break it into the next episode, where we'll configure clients. We'll launch the OpenVPN client on the client and start pinging back and forth. That'll be fun. You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our Contributing link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and is part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website, or record a follow-up episode yourself. Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 license.