Jul 13, 2011

OpenVPN and PPTP Server Setup

I wrote this a while ago trying to figure out how to set up a VPN server to connect to while on unsecure networks (e.g., hotels, coffee shops, etc.). Essentially, OpenVPN connects you to the server and routes all of your traffic through an encrypted connection to it.

Most of the server setup came from here and the config file and routing setup came from here.

This setup has been tested on Ubuntu 8.04, but should work for most Debian-based Linux distros. For Red Hat or other Linux distros, substitute yum for apt-get. This tutorial uses the 10.44.77.0 network for OpenVPN and the 10.44.78.0 network for PPTP. Any private network should work as long as the same subnet is not in use on the server or client's existing networks.

OPENVPN SERVER SETUP:

1. Install OpenVPN on the server:
$ apt-get install openvpn openssl
2. Set up OpenVPN:
$ cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/
$ cd /etc/openvpn/
$ mkdir keys
3. Create keys:
$ nano vars (edit the last section)
$ source ./vars
$ ./clean-all
$ ./build-ca
$ ./build-key-server server
$ ./build-key client
$ ./build-dh
4. Repeat the $ ./build-key [client name] line to create additional client keys

5. Create Server Config File:
$ nano server.conf
Insert the following text in server.conf:
dev tun
proto tcp
port 1194
ca /etc/openvpn/keys/ca.crt # Path of ca.crt file you generated
cert /etc/openvpn/keys/server.crt # Path of certificate you generated
key /etc/openvpn/keys/server.key # Path of key file you generated
dh /etc/openvpn/keys/dh1024.pem # Path of dh file you generated
user nobody
group nogroup
server 10.44.77.0 255.255.255.0 # Any private subnet not currently in use
persist-key
persist-tun
#status openvpn-status.log
verb 3
client-to-client
push "dhcp-option DOMAIN ###.###.###.###" # Server public IP or domain name
push "dhcp-option DNS 208.67.222.222" # Primary dns server (opendns shown)
push "dhcp-option DNS 208.67.220.220" # Secondary dns server (opendns shown)
push "redirect-gateway" # Directs all traffic through your VPN
#log-append /var/log/openvpn
#comp-lzo
6. Make OpenVPN start automatically (debian-based instructions only):
$ nano /etc/default/openvpn
Uncomment or add the following line:
AUTOSTART="all"
7. Set the server to route all VPN traffic to eth0:
$ iptables -t nat -A POSTROUTING -s 10.44.77.0/24 -o eth0 -j MASQUERADE
8. Allow IP Forwarding:
Edit the file /etc/sysctl.conf
$ nano /etc/sysctl.conf
Uncomment the following line:
net.ipv4.ip_forward = 1
9. Restart OpenVPN and Networking:
$ /etc/init.d/networking restart
$ /etc/init.d/openvpn restart
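
A common failure after steps 7 to 9 is a client that connects but cannot reach anything, because the MASQUERADE rule or IP forwarding does not match the subnet in server.conf. The following check is an added example, not part of the original post; the function names are hypothetical, the sample inputs are constructed, and it assumes the rule appears in iptables-save output exactly as typed in step 7.

```shell
# Added example, not from the original post; names are hypothetical.

# Convert a dotted netmask (255.255.255.0) to a prefix length (24).
mask_to_prefix() {
    bits=0; n=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        n=$((n + 1))
        case $octet in
            255) bits=$((bits + 8)) ;; 254) bits=$((bits + 7)) ;;
            252) bits=$((bits + 6)) ;; 248) bits=$((bits + 5)) ;;
            240) bits=$((bits + 4)) ;; 224) bits=$((bits + 3)) ;;
            192) bits=$((bits + 2)) ;; 128) bits=$((bits + 1)) ;;
            0) ;;
            *) return 1 ;;
        esac
    done
    [ "$n" -eq 4 ] && echo "$bits"
}

# Print the VPN subnet as CIDR from the "server <network> <netmask>" directive.
vpn_cidr() {  # $1 = contents of server.conf
    net_mask=$(printf '%s\n' "$1" | awk '$1 == "server" { print $2, $3; exit }')
    [ -n "$net_mask" ] || return 1
    prefix=$(mask_to_prefix "${net_mask#* }") || return 1
    echo "${net_mask% *}/$prefix"
}

# Succeed if the saved NAT rules contain the step 7 rule for this subnet.
nat_rule_present() {  # $1 = iptables-save -t nat output, $2 = CIDR, $3 = interface
    printf '%s\n' "$1" | grep -Fq -- "-A POSTROUTING -s $2 -o $3 -j MASQUERADE"
}

# Report every failed check; return non-zero if any check failed.
check_server() {  # $1 = server.conf text, $2 = NAT rules, $3 = ip_forward, $4 = iface
    rc=0
    cidr=$(vpn_cidr "$1") || { echo "FAIL: no usable server directive"; return 1; }
    nat_rule_present "$2" "$cidr" "$4" || { echo "FAIL: no MASQUERADE rule for $cidr on $4"; rc=1; }
    [ "$3" = "1" ] || { echo "FAIL: net.ipv4.ip_forward is '$3', expected 1"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cidr is forwarded and NATed via $4"
    return "$rc"
}

# Constructed inputs: the NAT rule covers only the PPTP subnet, so this fails. On a live server
# pass "$(cat /etc/openvpn/server.conf)" "$(iptables-save -t nat)" "$(sysctl -n net.ipv4.ip_forward)".
SAMPLE_CONF='dev tun
server 10.44.77.0 255.255.255.0 # Any private subnet not currently in use
push "redirect-gateway"'
SAMPLE_NAT='-A POSTROUTING -s 10.44.78.0/24 -o eth0 -j MASQUERADE'
check_server "$SAMPLE_CONF" "$SAMPLE_NAT" 1 eth0 || true
```

Rules added with iptables -A are not kept across a reboot unless they are saved and restored, so run the check again after restarting the server.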

OPENVPN CLIENT SETUP:
1. Copy the ca.crt and the client key and cert files to the client computer.
2. Create a client config file with the extension '.conf'.
3. Insert the following text: (Note: for Windows clients, the paths will look like "C:\Program Files\OpenVPN\Config\ca.crt")
client
dev tun
proto tcp
remote ###.###.###.### 1194 # Server IP address or domain name
remote-cert-tls server
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt # Path of ca.crt you generated
cert /etc/openvpn/keys/client.crt # Path of client certificate you generated
key /etc/openvpn/keys/client.key # Path of client key you generated
#comp-lzo
verb 3

4. Start OpenVPN using the client software of your choice:
If you're using an Ubuntu client:
Place your *.conf file and keys in "/etc/openvpn/" and run
$ /etc/init.d/openvpn start
If you're using a Windows client:
Place your *.conf and keys in "C:\Program Files\OpenVPN\Config".
Start OpenVPN in Windows Services.

IPOD/IPHONE VPN SETUP (PPTPD)
1. Install pptpd:
$ apt-get install pptpd

2. Edit /etc/pptpd.conf and change the following lines as shown:
localip 10.44.78.1
remoteip 10.44.78.2-100
3. Edit /etc/ppp/chap-secrets and add new users as follows:
# Secrets for authentication using CHAP
# client server secret IP addresses
username1 pptpd password1 10.44.78.2
username2 pptpd password2 10.44.78.3
4. Set the server to route all VPN traffic to eth0:
$ iptables -t nat -A POSTROUTING -s 10.44.78.0/24 -o eth0 -j MASQUERADE
5. To allow DNS routing, edit /etc/ppp/pptpd-options and uncomment/edit the following lines (the DNS addresses can be whatever you want; OpenDNS shown):
ms-dns 208.67.222.222
ms-dns 208.67.220.220

CHECK NEW VPN SERVER
To check your VPN connection, open a web browser and navigate to http://whatismyip.com or http://getip.com. Your IP address should be the same as the VPN server's.

Oct 2, 2009

FYI

If anyone is wondering how to remove the idler/tensioner on a Jeep 4.0-liter inline 6 (Mine is a 1999 Grand Cherokee), use a TORX!

Sep 15, 2009

YouTube Video Bloggers

I wasn't planning on coming out of retirement, but this just had to be said. I usually don't care too much what celebrity or politician is offending or apologizing to what celebrity or politician. It's always the same. These people are adults playing in a child's sandbox with deadly toys. The things they have to deal with are of enormous import and consequence. However, the things they spend their time actually doing are name calling and becoming outraged at the name calling in order to pretend to have some sense of conscience and if at all possible suck up to King Obama (I'm speaking about the politicians here).

I am writing today, however, about the online reactions to these shenanigans, or anything else, from entertainment to business, weather, sports, you name it. The person doing the offending this time is Kanye West who news outlets report recently made an idiot of himself at some awards show. I was curious and thought I'd check out the video. I hopped on YouTube and tried to play it. I found a video with an appropriate title and a picture of Kanye West on stage holding a microphone. I started the clip and instead of Kanye West on stage I get this skinny little jackass (Obama said it) sitting in front of his computer in his bedroom showing the world how pathetic his life was by video blogging about Kanye West. I'd obviously picked the wrong video and quickly selected another. Again I was greeted by some little puke staring into a web cam giving his take on things. After trying a few more videos with the same result, I gave up.

So, to all the no-lifes video blogging about every stupid thing, I'm giving you some advice. When I go looking for a video, I just wanted to see a stupid video. I don't want to talk about it and I surely don't give a crap what you have to say about it. If I want to watch your video I'll pick one with a picture of you staring into your bedroom web cam. Don't upload your video with a title picture that isn't in the video!

Now I've wasted my time. At least you didn't have to look up my nose reading this.

Oct 21, 2008

website

I started building a website years ago customizing a template that came with a WYSIWYG editor that I bought. I lost interest and haven't done anything with it for about 3 years. However, recently, I decided to do it right. Although some of the design is borrowed from the previous site, I have been picking up HTML, PHP and MySQL and have only used a text editor! I have hand coded a good portion of it and am pretty proud of myself. It's a work in progress, but it's coming along. Check it out and let me know what you think. http://buildhavasu.com/test

Aug 31, 2008

you can't pick your friend's nose

Kiri bragged about Adalyn on her blog and I'm super proud of this one so here it goes. Last night I was with Adalyn at the table and somehow we got to talking about nose picking. She looked at me and said, "You can pick your friends and you can pick your nose, but you can't pick your friend's nose!" I guess she does pay attention to all my snippets of wisdom I send her way. She just turned 2 this month. To nail such a useful phrase like that word for word she must be practicing on her own. Can you think of a better thing for a 2-year-old to be doing?

Aug 8, 2008

the 'church grope'

"The Wedding Singer" introduced the world to "church tongue" when describing the appropriate wedding kiss. I was recently traveling and stopped in for a church service. I sat in the back and saw the coolest thing. I call it the "church grope". It reminded me of the couples that walk around with their hands in each others' back pockets, except this is the church version (in the hymnal holder on the back of the pew). It's probably bad form to take pictures in church, but I had to. Enjoy.

Jul 28, 2008

in-dash 110v outlet project

I bought an inverter a few months ago to be able to power 110-Volt AC stuff in my car. It's a cheap-o, 200-Watt Wal-Mart special. It plugs into any 12-Volt DC cigarette lighter/accessory outlet and provides a 110-Volt AC outlet, 5-Volt DC USB port and a 12-Volt accessory outlet. Plugging it in and having this thing sit out in the open, however, creates a tangled mess of wires. The new Toyota Tacomas have a 110-Volt AC outlet in the bed of the truck. So I thought, "hey I've got this inverter, I'll mount an outlet somewhere in my Jeep." I finally decided, since my Jeep has a covered 12-Volt DC accessory outlet and a cigarette lighter in the dash, I would mount the outlet under the existing accessory cover and still have the cigarette lighter outlet for 12-Volt stuff. I should have taken before and after shots, but I didn't so my before picture kind of sucks. This is my dash before the install.

The boxed part is kind of difficult to see, but you can see the cigarette lighter on the left, the ash tray in the middle and the cover of the accessory outlet closed on the right. I pulled the bottom panel of the dash out and started to tinker. It was a royal pain to find an outlet that looked right and also that fit into the space I had, allowing the existing outlet cover to close. I finally settled on one of those female connectors that are sold to be put on the ends of extension cords. I needed to put a lip on it to mount it in the hole where the accessory outlet had been. So, I took the plug to a band saw and trimmed it down until it fit. I also had a small LED rocker switch laying around and decided it would be cool to be able to switch the outlet on and off. I drilled a hole above the outlet cover and mounted the switch. After burning out 3 fuses trying to figure out how to wire the switch and after applying some mad JB Weld skills, this is what the back of the panel looks like:

This is what the front looks like with the cover closed:

This is what it looks like with the cover open and the switch on:

When I got the whole thing wired up I realized that the inverter had to be switched on using a switch on top of the inverter every time power was lost. I didn't want the inverter on the whole time, but I also didn't want to have to push the button on the inverter every time I flipped my cool LED switch on. So, I pulled the inverter apart and removed the circuit board that made the inverter turn itself off every time power was lost. Now the inverter only turns on with the toggle switch and is tucked up under my dashboard out of sight as shown below:

Kiri and certain others think I'm a total dork for doing this, but I'm pretty proud of myself. The final product is shown below:

People may ask why anyone would want a 110-Volt AC outlet in their dash. I say "who wouldn't?" There's no tangled mess of wires for me.