Setting up Client-Server OpenVPN on Vyatta 5 – Part3

Vyatta is a great free firewall/routing solution. As of version 5 (I'm specifically using 5.0.2), OpenVPN support was added. OpenVPN is a much better alternative than any of the L2TP/IPSec VPN solutions out there, and with just a little problem solving I was able to get a client-server (aka road-warrior) VPN set up.

In Part1, I explained how to get the certificates and keys generated.  Part2 explained how to set up OpenVPN within Vyatta.  Part3 explains how to set up the client on Windows.

I went the easy route of downloading the latest OpenVPN 2.1 release candidate, which includes the latest OpenVPN GUI. Make sure to download 2.1, as Vyatta's implementation apparently doesn't work with 2.0 clients.

Some documents I read online said to download the latest version from the OpenVPN GUI site, but I found its TUN driver install to fail on Vista. Apparently the latest Vista SP recognizes the tun0801.sys driver as incompatible and will not start the virtual device. The 2.1 release candidate from the OpenVPN site includes the newer tun0901.sys driver, which installs on Vista x86 and x64.

Proceed with a standard install. Read each component's description to decide whether you need it. I personally did not install the service component, as I would always be initiating the connection myself.

At this point the client is ready to connect, but we need to tell it where and how. In Part1 I explained how to create keys for the client; we now need those files on the client machine. I retrieved them from the Vyatta server by enabling SSH on Vyatta and copying them with WinSCP, which also keeps the private key off the wire in cleartext. The required files are ca.crt, clientname.crt, and clientname.key (where clientname is the name given during Part1). The .key file is the client's private key and should live only on this client.

As the VPN documentation from Vyatta says, create an .ovpn file with the following contents.

dev tun                # routed (layer 3) tunnel, as the Vyatta side expects
client                 # accept the options the server pushes
remote 12.34.56.78     # the Vyatta server's public address (default port 1194/udp)
ca ca.crt              # CA certificate generated in Part1
cert clientname.crt    # this client's certificate
key clientname.key     # this client's private key; keep it on this machine only

Place this file in OpenVPN's config folder (typically c:\program files\openvpn\config). If the crt and key files are not in the config folder as well, give the full path to each file, doubling every backslash (OpenVPN's config parser treats a single backslash as an escape character) and wrapping the path in double quotes if it contains a space, as this default folder does.
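As an added example (not code from the post or from Vyatta's documentation), the following Python script writes the .ovpn described above for a given server address and client name, applies the backslash doubling and quoting that OpenVPN's parser needs when full Windows paths are used, and parses the file back to confirm the ca/cert/key files can actually be found before OpenVPN GUI is asked to connect. Function names and the sample paths are my own. The optional `remote-cert-tls server` line is an addition beyond the post's six-line config: it makes the client check that the server presents a certificate marked for server use (easy-rsa's build-key-server sets the serverAuth extended key usage it looks for) and needs a 2.1 client, which the post already requires.

```python
"""Build and sanity-check a Windows OpenVPN client .ovpn file.

Added example, not code from the post or from Vyatta: function names and
sample paths are assumptions chosen for illustration.
"""
from pathlib import Path, PureWindowsPath


def escape_ovpn_path(path):
    """Render a Windows path for an OpenVPN config line.

    OpenVPN's config parser treats a single backslash as an escape
    character, so each backslash is doubled.  It also splits directives on
    whitespace, so a path with a space in it (C:\\Program Files\\...) has to
    be wrapped in double quotes as well.
    """
    escaped = path.replace("\\", "\\\\")
    return '"%s"' % escaped if " " in escaped else escaped


def unescape_ovpn_path(token):
    """Inverse of escape_ovpn_path: drop surrounding quotes, undo doubling."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        token = token[1:-1]
    return token.replace("\\\\", "\\")


def build_ovpn(remote, client_name, cert_dir=None, verify_server=True):
    """Return the contents of the client .ovpn.

    remote        server address, as in the post's 'remote 12.34.56.78'
    client_name   easy-rsa client name: clientname.crt / clientname.key
    cert_dir      Windows folder holding ca.crt and the client files; None
                  means they sit beside the .ovpn in OpenVPN's config folder,
                  so bare filenames are enough (the post's default case)
    verify_server add 'remote-cert-tls server' (OpenVPN 2.1+), an addition
                  beyond the post's config; assumes the server certificate
                  was issued with easy-rsa's build-key-server, which sets
                  the serverAuth extended key usage the check looks for
    """
    def ref(filename):
        if cert_dir is None:
            return filename
        return escape_ovpn_path(cert_dir.rstrip("\\") + "\\" + filename)

    lines = [
        "dev tun",
        "client",
        "remote " + remote,
        "ca " + ref("ca.crt"),
        "cert " + ref(client_name + ".crt"),
        "key " + ref(client_name + ".key"),
    ]
    if verify_server:
        lines.append("remote-cert-tls server")
    return "\n".join(lines) + "\n"


FILE_DIRECTIVES = ("ca", "cert", "key")


def file_references(ovpn_text):
    """Map each ca/cert/key directive in the config to its unescaped path."""
    refs = {}
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in FILE_DIRECTIVES:
            refs[parts[0]] = unescape_ovpn_path(parts[1].strip())
    return refs


def missing_files(ovpn_text, config_dir):
    """Return the directives whose file is not present.

    Bare filenames are resolved against config_dir, the folder the post
    tells you to put the .ovpn in; absolute Windows paths are used as-is.
    """
    missing = []
    for directive, ref in file_references(ovpn_text).items():
        path = Path(ref)
        if not (path.is_absolute() or PureWindowsPath(ref).is_absolute()):
            path = Path(config_dir) / ref
        if not path.is_file():
            missing.append(directive)
    return missing


if __name__ == "__main__":
    # Sample values (constructed): the post's placeholder server address
    # and the hypothetical client name "laptop".
    text = build_ovpn("12.34.56.78", "laptop",
                      cert_dir=r"C:\Program Files\OpenVPN\config")
    print(text)
    print("missing:", missing_files(text, r"C:\Program Files\OpenVPN\config"))
```

Run it once with `cert_dir=None` for the post's simple case (files in the config folder) and once with the full-path form; `missing_files` returning anything other than an empty list means OpenVPN GUI will fail at startup with a file-not-found error rather than at connect time.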

At this point, OpenVPN GUI should see the config and allow you to connect.

Additional Note for Vista:  OpenVPN GUI must be launched as Administrator (which can be set as a property of the .exe if desired) in order to have permissions to set routes.

Hope this helps. 

If you wish to review either of the previous blogs about setting up Vyatta’s OpenVPN or the easy-rsa keys/certs, read Part1 and Part2.

2 Responses to “Setting up Client-Server OpenVPN on Vyatta 5 – Part3”

  1. Hendrik says:

    Hi

    I found the problem on my Vyatta, it was a memory error.

    And I have followed all your steps, but am still getting errors.

    My HQ network – 10.10.100.0/24
    Vyatta IP – 10.10.100.177

    Remote Network – 172.16.11.0/24
    Remote PC (XP) – 172.16.11.25

    Virtual network – 172.50.1.0/24

    My Vyatta and PC are directly connected to the internet – No Firewall.


    Mon Aug 24 13:47:22 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
    Mon Aug 24 13:47:22 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Mon Aug 24 13:47:22 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Mon Aug 24 13:47:23 2009 UDPv4 link local (bound): [undef]:1194
    Mon Aug 24 13:47:23 2009 UDPv4 link remote: 165.146.58.156:1194
    Mon Aug 24 13:47:28 2009 [XXX.XXX.XXX.XXX] Peer Connection Initiated with 165.146.58.XXX:1194
    Mon Aug 24 13:47:29 2009 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: topology (2.0.9)
    Mon Aug 24 13:47:29 2009 WARNING: Since you are using --dev tun, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
    Mon Aug 24 13:47:29 2009 There is a problem in your selection of --ifconfig endpoints [local=172.50.1.2, remote=255.255.255.0]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.
    Mon Aug 24 13:47:29 2009 Exiting
    Press any key to continue...

    Thanks
    Hendrik

  2. AtlantisAL says:

    I would look back at steps 5 and 7 in part 2. By the "WARNING" in your comment, it looks like step 5 may have a value reversed, or it could also be from step 7. From your given IP addresses, I think you want 172.50.1.0/24 as the server value for step 7 and to "--push route 10.10.100.0/24 255.255.255.0" for a route in step 5.
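Added example (not Hendrik's, AtlantisAL's or Vyatta's code): a small Python triage script for exactly the two things the log in the first comment reports, a pre-2.1 client rejecting the pushed `topology` option, and an `--ifconfig` endpoint pair that fails the TAP-Win32 rule the log quotes (both endpoints inside one 255.255.255.252 subnet, and neither of them its first or last address, which is the list `openvpn --show-valid-subnets` prints). The lines in `SAMPLE_LOG` are constructed to mirror the comment's output; the "looks like a netmask" test is the first-octet-255 check the client's own warning keys on; function names are my own.

```python
"""Triage a failed OpenVPN Windows client log.

Added example, not code from the post, its commenters or Vyatta.  The
checks encode two rules the client states in its own messages: pushed
'topology' needs a 2.1 client, and under --dev tun the TAP-Win32 driver
accepts only --ifconfig endpoint pairs that sit in one /30 and avoid its
first and last address.
"""
import ipaddress
import re

# Constructed sample log, trimmed to the lines that matter and modelled on
# the comment's output (same client version, same endpoints).
SAMPLE_LOG = """\
Mon Aug 24 13:47:22 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Mon Aug 24 13:47:29 2009 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: topology (2.0.9)
Mon Aug 24 13:47:29 2009 There is a problem in your selection of --ifconfig endpoints [local=172.50.1.2, remote=255.255.255.0]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.
Mon Aug 24 13:47:29 2009 Exiting
"""

VERSION_RE = re.compile(r"\bOpenVPN (\d+)\.(\d+)(?:\.(\d+))?\b")
ENDPOINTS_RE = re.compile(
    r"--ifconfig endpoints \[local=([\d.]+), remote=([\d.]+)\]")


def client_version(log_text):
    """Version tuple from the client's banner line, or None if absent."""
    m = VERSION_RE.search(log_text)
    return tuple(int(x) for x in m.groups("0")) if m else None


def looks_like_netmask(addr):
    """The client's own heuristic: a first octet of 255 is a mask, not a host."""
    return (int(ipaddress.IPv4Address(addr)) & 0xFF000000) == 0xFF000000


def check_tun_endpoints(local, remote):
    """Problems with an --ifconfig local/remote pair under --dev tun on
    TAP-Win32 (an empty list means the pair is one --show-valid-subnets lists)."""
    problems = []
    try:
        l_addr = ipaddress.IPv4Address(local)
        r_addr = ipaddress.IPv4Address(remote)
    except ValueError as exc:
        return ["unparseable endpoint: %s" % exc]
    if looks_like_netmask(remote):
        problems.append("remote endpoint %s looks like a netmask, not a host "
                        "address; the server-side ifconfig/push values are "
                        "probably in the wrong order" % remote)
    if l_addr == r_addr:
        problems.append("local and remote endpoints must differ")
    # The /30 that contains the local endpoint; the remote must be in it too.
    net = ipaddress.IPv4Network("%s/30" % l_addr, strict=False)
    if r_addr not in net:
        problems.append("%s and %s are not in the same 255.255.255.252 "
                        "subnet (%s)" % (local, remote, net))
    else:
        for a in (l_addr, r_addr):
            if a in (net.network_address, net.broadcast_address):
                problems.append("%s is the first or last address of %s; "
                                "only its two middle addresses are usable"
                                % (a, net))
    return problems


def triage_log(log_text):
    """Findings for a failed connection log (empty list: nothing recognised)."""
    findings = []
    ver = client_version(log_text)
    if ver is not None and ver < (2, 1) and "topology" in log_text:
        findings.append("client is OpenVPN %s; the server pushes 'topology', "
                        "which only a 2.1 client understands, so install 2.1 "
                        "as the post says" % ".".join(map(str, ver)))
    m = ENDPOINTS_RE.search(log_text)
    if m:
        findings.extend(check_tun_endpoints(m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print("-", finding)
```

On the sample log this reports three things: the 2.0.9 client, the netmask-shaped remote endpoint, and the two endpoints not sharing a /30; fixing the server-side values so the client is pushed a pair such as 172.50.1.1/172.50.1.2 makes `check_tun_endpoints` return an empty list.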
