Installing OpenVPN on Linux and Unix Systems: Part 2

Exclusive offer: get 50% off this eBook here
Beginning OpenVPN 2.0.9

Beginning OpenVPN 2.0.9 — Save 50%

Build and integrate Virtual Private Networks using OpenVPN

$35.99    $18.00
by Markus Feilner | December 2009 | Linux Servers Networking & Telephony Open Source

In the first part of this two-part article by Markus Feilner, we covered Installing OpenVPN on SuSE Linux, Red Hat Fedora using yum, Red Hat Enterprise Linux, and RPM-based systems.

 

In this part we will cover installation of OpenVPN on Debian, Ubuntu and FreeBSD. Please refer to the first part for Prerequisites.

Read Part One of Installing OpenVPN on Linux and Unix Systems here.

Installing OpenVPN on Debian and Ubuntu

Probably the easiest distribution on which to install OpenVPN is Debian and its derivates like Ubuntu. Just type apt-get install openvpn, answer two questions, and OpenVPN is installed and ready to be used.

The Debian package management system is capable of solving all the issues that might occur during the installation. If your system is configured correctly, then the automatic installation will cover the following steps:

  1. The installation helper apt-get will find the software on the installation servers.
  2. The helper will then download the chosen package and unpack it to your local system.
  3. An interactive configuration script is executed, which configures your system and the newly installed software for later use with the parameters that you enter.

The following code extract is the standard output of apt-get install openvpn on a Debian system. This output may vary depending on your previous software selection, and in many cases the LZO compression library will have to be installed. On some systems apt will install OpenSSL libraries, but in most cases, apt-get is able to solve all problems for you.

debian01:~# apt-get install openvpn
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
openvpn
0 upgraded, 1 newly installed, 0 to remove and 7 not upgraded.
Need to get 293kB of archives.
After unpacking 762kB of additional disk space will be used.
Get:1 http://ftp.uni-erlangen.de testing/main openvpn 2.0.9 [293kB]
Fetched 298kB in 1s (247kB/s)
Preconfiguring packages ...
Selecting previously deselected package openvpn.
(Reading database ... 9727 files and directories currently installed.)
Unpacking openvpn (from .../openvpn_2.0-9_i386.deb) ...
Setting up openvpn (2.0-9) ...
Restarting virtual private network daemon:.
debian01:~#

During this process, you will be prompted to answer the following two questions:

  • You have to allow apt to create a TUN/TAP device for use by OpenVPN software. If you select No, your tunnels will not be created and your tunnel software won't work.

    Beginning OpenVPN 2.0.9

  • The second question raises a security issue. OpenVPN software should be stopped during an update, so you have to select YES and hit return.

    Beginning OpenVPN 2.0.9

You have to stop the old tunnel software when an update is running. All tunneling will be stopped, and your users will not be able to connect to your system during this time. From then on, all tunnels are created by the new OpenVPN software, including patches and bug fixes. This is the safe way to go.

However, if you choose No, you risk that the old software and libraries are still running, even after the installation of new OpenVPN software. Bug fixes and patches of the new version may not apply to existing tunnels until they are started again. You may run into serious inconsistencies in your system, if you have several tunnels and they are running different versions of your software. Thus, it is safer to have a short time when users will not be able to connect.

Installing Debian packages

Software packages for Debian systems are provided in the so-called .deb file format. DEB files are usually stored in online repositories on FTP or web servers, and every Debian system holds a list of repositories that can be used for installation. You will find this list in /etc/apt/sources.list. The setup program base-config provides a menu-based configuration interface for apt.

Beginning OpenVPN 2.0.9

If you want to add source repositories to your Debian installation, type base-config and change to the menu configure apt. Select the country you live in and the repository of your choice. Select Ok. Now all the software packages of this server can automatically be installed on your system, simply by typing apt-get install <package>.

A Debian package contains the software and information about it, such as name, version, description, contents, prerequisites, dependencies, and configuration scripts that are to be started after installation.

Debian systems offer some very powerful programs with which you can control software installation very specifically. Listing all programs and options would go far beyond the scope of this article, but here is a short overview of some handy package management commands.

Command

Function

apt-get remove <package>

Removes the selected package from your system

apt-get update

Updates the list of packages available on the repositories listed in /etc/apt/sources.list

apt-get upgrade

Installs the latest available versions of all your installed software

apt-get dist-upgrade

Installs the latest available software related to your configuration

dpkg-reconfigure

Restarts/Starts the configuration script inside the package, which will bring up the menu-based dialogs in the same way as after installation

apt-cache show

<package>

Prints detailed information about the software package

dpkg -l <package>

Prints information on the installed software package

dpkg -L <package>

Lists all files installed by the software package

dpkg -i <file>

Installs a local (.deb) file to your system

dpkg -S <file>

Prints information about the software package owning <file>

apt-cache search

<string>

Searches apt database for packages containing <string> in their name and description

These programs should solve all possible questions, issues, and problems concerning the installation of software on Debian systems. Just try these commands with the freshly installed OpenVPN package on your system. Type the command apt-cache show openvpn to receive information about the installed package.

Beginning OpenVPN 2.0.9

Using Aptitude to search and install packages

Although the Debian command-line tools are very powerful, there are more programs that help you to retrieve and install software. Probably the most common software for this purpose is Aptitude. Type aptitude in a command line in order to start the menu-based installation interface. If Aptitude is not installed on your system, type apt-get install aptitude. If you prefer aptitude, you can use it at the command line in the same way as apt-get.

Beginning OpenVPN 2.0.9

Aptitude consists of a menu at the top of the screen, a list of packages, and a window showing details on the software selected in the package list. If you have console mouse support, you can click on menu entries.

Click on the menu entry Search, or hit the F10 key and navigate through the Search menu. Select the entry Find. You will be prompted with a search mask. Enter openvpn. While you are typing, Aptitude is steadily updating the main window. Click on OK and have a look at the output.

Beginning OpenVPN 2.0.9

Aptitude will find the OpenVPN version that you had installed previously, and the entries in the menus Actions and Package help you to select and install software. Depending on the selection of repositories that you have added to your sources.list during installation, Aptitude can also help you to choose different versions of OpenVPN.

OpenVPN—the files installed on Debian

The following table gives an overview of the files that were installed by the Debian package management system.

Full path and file Installed by OpenVPN

Function

/etc/openvpn

Directory containing configuration files

/etc/network/if-up.d/openvpn

/etc/network/if-down.d

/etc/network/if-down.d/openvpn

Start/stop openvpn when the network

goes up/down

/etc/init.d/openvpn

Start/stop script for services

/sbin/openvpn

The binary

/usr/share/doc/openvpn

Documentation files

/usr/share/man/man8/openvpn.8.gz

Manual page

/usr/share/doc/openvpn/examples/

sample-config-files

Example configuration files

/usr/share/doc/openvpn/examples/

sample-keys

Example keys

/usr/share/doc/openvpn/examples/

easy-rsa

easy-rsa-a collection of scripts useful

for creating tunnels

/usr/share/doc/openvpn/

changelog.Debian.gz

/usr/share/doc/openvpn/changelog.gz

 

Version history

/usr/share/openvpn/verify-cn

verify-cn function (revoke command)

/usr/lib/openvpn/

openvpn-auth-pam.so

/usr/lib/openvpn/

openvpn-down-root.so

Libraries for PAM-Authentication and

chroot mode

 

Beginning OpenVPN 2.0.9 Build and integrate Virtual Private Networks using OpenVPN
Published: December 2009
eBook Price: $35.99
Book Price: $59.99
See more
Select your format and quantity:

Installing OpenVPN on FreeBSD

FreeBSD and BSD in general are Unix systems of outstanding stability and security, and are therefore very popular among network administrators. In practice, with FreeBSD, you do not have to worry much about security issues of the software that you install, but you may not always get up-to-date versions.

FreeBSD also has a modern software management system. Simply type pkg_add -vr openvpn and OpenVPN software is installed on your system. Calling pkg_add with the parameter -r installs software from remote servers, similar to apt-get or rpm. If you run into problems, increasing verbosity with the parameter -v can be helpful.

The following excerpt shows the output of pkg_add:

freebsd# pkg_add -vr openvpn
looking up ftp.freebsd.org
connecting to ftp.freebsd.org:21
setting passive mode
opening data connection
initiating transfer
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-
release/Latest/openvpn.tbz...x +CONTENTS
x +COMMENT
(...)
x share/doc/openvpn/sample-scripts/verify-cn
tar command returns 0 status
Done.
Package 'openvpn-1.6.0' depends on 'lzo-1.08_1' with 'archivers/lzo'
origin.
setting passive mode
opening data connection
initiating transfer
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-
release/All/lzo-1.08_1.tbz...x +CONTENTS
(...)
tar command returns 0 status
Done.
Finished loading lzo-1.08_1 over FTP.
extract: Package name is lzo-1.08_1
(...)
'lzo-1.08_1' loaded successfully.
(...)
extract: Package name is openvpn-1.6.0
(...)
Package openvpn-1.6.0 registered in /var/db/pkg/openvpn-1.6.0
### -----------------------------------------------------------------
----- ###
### To use the tap driver, you may need to do: kldload if_tap
###
### See ${PREFIX}/etc/rc.d/openvpn.sh.sample for how to do this
###
### automatically at system boot-up time.
###
### -----------------------------------------------------------------
----- ###
### To retain backwards compatibility of OpenVPN 1.3.0 with OpenVPN
peers ###
### that run older versions (back to 1.1.0), you will have to set the
MTU ###
### explicitly by command line options since OpenVPN 1.3.0.
###
###
###
### When connecting to 1.4.X or older peers with a TAP-style tunnel,
set ###
### --tun-mtu 1500 --tun-mtu-extra 32 on the peer.
###
###
###
### When using TLS security and your peer runs OpenVPN 1.3.X, the
PEER ###
### must use --disable-occ. This version of OpenVPN cannot use TLS
mode ###
### to peers running OpenVPN 1.2.x or older.
###
###
###
### Note: use at most --verb 4 for regular use, --verb 5 is for
debugging ###
### -----------------------------------------------------------------
----- ###
freebsd#

The pkg_add looks for an appropriate installation candidate, downloads it, and checks for dependencies. As LZO is required, but not installed, pkg_add starts by downloading this package first. After successful installation of LZO, OpenVPN is installed. When called with the parameter -v, pkg_add also gives you a list of all the installed files.

After this installation, there are four issues to be considered.

  • The OpenVPN binary may not be found in the standard path. Call OpenVPN with the full path, or add its path to your startup file.
  • In our example OpenVPN version 1.6.0 was installed. There are some features of version 2.0 that cannot be used. The section that follows shows how you can install a newer version on your system.
  • The standard configuration file path is /usr/local/etc/openvpn/.
  • The init script that is used to start OpenVPN and its tunnels at system boot must be edited before we can use it.

The OpenVPN installation on FreeBSD provides a sample startup script (normally in /etc/rc.d, but in some installations it may be found in /usr/local/etc/ rc.d/) that needs a little editing after which it can be used at system boot. To start OpenVPN at boot time, we have to change three entries in the file /etc/rc.conf, containing the startup configuration for the services.

Simply add or edit the following lines in your /etc/rc.conf to these values:

openvpn_enable="YES"
openvpn_if=tun
openvpn-dir=/etc/openvpn

If you have set the correct paths in your init script, OpenVPN will be started the next time you boot your system.

Installing a newer version of OpenVPN on FreeBSD—the ports system

If you want to install OpenVPN version 2.0 on FreeBSD, you can install a FreeBSD port of OpenVPN. But before that, we should uninstall the version of OpenVPN that we have just installed. Just type pkg_delete openvpn-1.6.0.

freebsd# pkg_delete openvpn-1.6.0

Then browse to the FreeBSD web site http://www.freebsd.org, which is the best place to look for documentation, help, and software for FreeBSD. Click on the Ports under the SHORTCUTS section, which will take you to http://www.freebsd.org/ports/index.html. The ports are patches to the original source code of applications, as well as download routines and information for the software installation management.

Installing the port system with sysinstall

To make use of these ports, the so-called port system has to be installed on your machine. This can easily be done with the setup tool for FreeBSD called sysinstall. Start by typing sysinstall.

Beginning OpenVPN 2.0.9

Beginning OpenVPN 2.0.9

Use the up/down arrow keys to select the entry Configure and press Enter. In the following window called, 'FreeBSD Configuration Menu', change to the module Distributions:

The distributions dialog contains many different distributions to install, but onlyThe FreeBSD Ports collection is relevant for our purpose. Activate this entry with your spacebar and hit Enter. You will be asked to choose a source from which you want to install these ports. Just confirm with Enter three times. The port system is then downloaded and installed.

Downloading and installing a BSD port

Now we must download the port package from the BSD web site and extract it to a local folder. Point your browser to http://www.freebsd.org/ports/index.html ,enter openvpn in the search field, and click on the Submit button.

As result from this search, you will be presented with OpenVPN in version 2.0.2 or newer, in the security section. Click on the download link and save the tarball (.tar file) to a local directory.

Enter this directory and type make. The port system will fetch the appropriate sources for this port, patch them, and start the compilation process. When make is ready, type make install to install the binaries in your system.

freebsd# make install
===> Installing for openvpn-2.0.2
===> openvpn-2.0.2 depends on shared library: lzo.1 - found
===> Generating temporary packing list
===> Checking if security/openvpn already installed
test -z "/usr/local/sbin" || /root/openvpn/work/openvpn-2.0.2/installsh
-d "/usr/local/sbin"
install -s -o root -g wheel -m 555 'openvpn' '/usr/local/sbin/
openvpn'
(...)
This port has installed the following files which may act as
network
servers and may therefore pose a remote security risk to the
system.
/usr/local/sbin/openvpn
This port has installed the following startup scripts which may
cause
these network services to be started at boot time.
/usr/local/etc/rc.d/openvpn.sh
If there are vulnerabilities in these programs there may be a
security
risk to the system. FreeBSD makes no guarantee about the
security of
ports included in the Ports Collection. Please type 'make
deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://openvpn.sourceforge.net/
freebsd#

That's it! A new version of OpenVPN has successfully been installed on your system. You can test it with /usr/local/sbin/openvpn –version.

Summary

In this two-part article, we have seen with numerous installations on different Linux systems that installing OpenVPN is very easy. Modern Linux systems, such as SuSE, Red Hat, Debian, Ubuntu, or FreeBSD, provide sophisticated installation and package management systems, and still offer other ways to install the software.

 

If you have read this article you may be interested to view :

Beginning OpenVPN 2.0.9 Build and integrate Virtual Private Networks using OpenVPN
Published: December 2009
eBook Price: $35.99
Book Price: $59.99
See more
Select your format and quantity:

About the Author :


Markus Feilner

Markus Feilner is a Linux professional from Regensburg, Germany, and has been working with open-source software since the mid 1990s. His first contact with UNIX was a SUN cluster and SPARC workstations at Regensburg University (during his studies of geography). Since the year 2000, he has published several documents used in Linux training all over Germany. In 2001, he founded his own Linux consulting and training company, Feilner IT.

He was working as a trainer, consultant, and systems engineer at Millenux, Munich, where he focused on groupware, collaboration, and virtualization with Linux-based systems and networks.

Since 2007, he is an editor at the German Linux-Magazine, where he is writing about Open-Source-Software for both printed and online magazines, including the Linux Technical Review and the Linux Magazine International www.linux-magazine.com. He regularly holds speeches and lectures at conferences in Germany.

He is interested in anything about geography, traveling, photography, philosophy (especially that of open-source software), global politics, soccer and literature, but always has too little time for these hobbies.

Markus Feilner supports Linux4afrika - a project bringing Linux computers into African schools. For more information please visit www.linux4afrika.de!

Books From Packt


Linux Email
Linux Email

ModSecurity 2.5
ModSecurity 2.5

Asterisk 1.6
Asterisk 1.6

Cacti 0.8 Network Monitoring
Cacti 0.8 Network Monitoring

FreePBX 2.5 Powerful Telephony Solutions
FreePBX 2.5 Powerful Telephony Solutions

Ext JS 3.0 Cookbook
Ext JS 3.0 Cookbook

Building Telephony Systems with OpenSER
Building Telephony Systems with OpenSER

Zabbix 1.6 Network Monitoring [RAW]
Zabbix 1.6 Network Monitoring [RAW]


No votes yet

Post new comment

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
q
W
7
K
q
8
Enter the code without spaces and pay attention to upper/lower case.
Code Download and Errata
Packt Anytime, Anywhere
Register Books
Print Upgrades
eBook Downloads
Video Support
Contact Us
Awards Voting Nominations Previous Winners
Judges Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software
Resources
Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software