I’m a huge fan of IPCop. It’s a great firewall distro that makes administration a snap using a slick web interface. My goal was to use IPCop and an easy-to-use VPN client to allow access to my LAN while away from home.
I ended up going with the ZERINA OpenVPN addon for IPCop and the OpenVPN GUI for Windows.
If you’ve ever wanted full, secure, encrypted access to your LAN from any remote location, here is your guide.
Just follow these ten easy steps…
IMPORTANT UPDATE: Newer versions of both IPCop and ZERINA (new URL!) have been released since I wrote this HOWTO. You will need to go to each of their respective websites and use the latest version of each to make this work. Ignore the version numbers and/or links given below. You need the latest version of each package!
1. Install IPCop
Download, install, and configure IPCop. Remember that it’s a full distro, so you need a dedicated box to be able to run it. But the good thing is that you barely need any processor power or RAM to make it work. I’m currently running mine on a Celeron 433 box with 32MB (yes, megabytes) of RAM. The CD installer really holds your hand and makes it quite easy, but you may want to check out my Building an IPCop Firewall presentation that I gave at CPLUG back in May 2005.
The OpenVPN addon requires the latest version of IPCop, but since you apply security patches as they come out you don’t have to worry about that… right? Right.
Also, I added a line for the IPCop box to /etc/hosts on my other hosts.
$ grep ipcop /etc/hosts
So from here on, I’ll be refering to it by it’s hostname of ipcop.
2. Enable ssh access on the IPCop box
Point your browser at your IPCop box, usually at https://ipcop:445 and go to System and then SSH Access. Check the boxes for “SSH Access”, “Allow password based authentication”, and “Allow public key based authentication” and then press the Save button.
3. Download and scp the OpenVPN addon
While IPCop does come with a built-in VPN server, by using OpenVPN you will be able to use the nice GUI clients that are available for it. So download the ZERINA installer and save it to one of your boxen other than the IPCop box. I recommend using wget.
Next, scp the file to your ipcop box:
$ scp -P 222 ZERINA-0.9.3b-Installer.tar.gz root@ipcop:
root@ipcop's password: *********
ZERINA-0.9.3b-Installer.tar.gz 100% 327KB 326.5KB/s 00:00
Please note that the version numbers in the listing above and throughout this HOWTO were current as of the writing of this page. However, newer versions have been released since that time. Please be sure to use the latest versions of all packages as you follow along.
4. Unpack and install the OpenVPN addon
First, ssh into the ipcop box:
$ ssh -p 222 root@ipcop
Make a directory in which to unpack the addon and move the tar file into there:
root@ipcop:~ # mkdir zerina
root@ipcop:~ # mv ZERINA-0.9.3b-Installer.tar.gz zerina
root@ipcop:~ # cd zerina
root@ipcop:~ # tar -xzvf ./ZERINA-0.9.3b-Installer.tar.gz
You should now have the following files:
root@ipcop:~/zerina # ls
_GPL library.addons _README updatefiles
install patch.tar.gz uninstall
Now run the installation script:
root@ipcop:~ # ./install
The addon is now installed.
5. Create a configuration file
This is an important step. Do not skip it.
Point your browser at https://ipcop:445/ and go to the VPNs tab and then OpenVPN. Hit the Advanced Server Options button. Without making any changes to the options, hit the Save button.
6. Follow the OpenVPN/ZERINA HOWTO
There is no sense in me repeating the extremely clear and helpful howto at the ZERINA site. Go there and carefully walk through each of the steps. Along the way you will generate your certificates and create a new connection profile for a user.
If you follow the directions, you’ll end up with both a Root Certificate and a Host Certificate. You will also have a connection certificate that you will need to put on the client/remote PC, and you’ll end up setting the password for the client/connection. Make sure it is the Host-to-Net Virtual Private Network (RoadWarrior) type:
Don’t forget to turn OpenVPN on in Step 5. :)
7. Download the OpenVPN client package (zip)
On the OpenVPN configuration page, after you have created a client connection profile, you will see the following icons next to it:
Click the multicolored icon to the left of the info icon, and save the zip file to somewhere. You’ll need to get this file to the client/remote computer (e.g. via USB drive or email).
8. Load the OpenVPN GUI client
Download the OpenVPN GUI for Windows and install it on your client computer.
Installation docs are available, but there’s not much to do other than walk through the installer.
After it is installed, you’ll have the following icon at the bottom of your screen:
9. Unzip OpenVPN client package
Take the client package that you saved in Step 7 and unzip the contents into your OpenVPN client config directory. That is probably located at: C:\Program Files\OpenVPN\config.
10. Connect to the VPN
Make sure that OpenVPN is running on the ipcop box, and that you are connected to the Internet.
Right-click on the OpenVPN icon and click Connect:
Note that if you did not install the client package correctly in Step 9, you will not have that option available.
Enter the password that you set in Step 6, and you should be connected! You will get assigned an IP address in the 10.241.239.0 range by default.
Once you have an IP, you’ll be able to access all the resources on the LAN (e.g. Samba shares).
Thanks go to Matt and Fuzzie for all their help with config and testing.
Update: Heh! Getting some linkage from Digg right now…
- If you are using Windows XP and get a WSAEADDRINUSE error when you try to connect the VPN, add the “nobind” keyword to your client config and save it. That should fix it.
- If you are trying to connect to the Blue interface on IPCop you’ll
need to edit your OpenVPN client config. Comment the first remote line
and uncomment the one for the internal IP address of the Blue
#remote serpent.thinkhole.org 1194 remote 192.168.2.1 1194
That should fix it.
- If you are using a client (usually on Linux) and getting lots of dropped connections and ping timeouts, try switching from UDP to TCP. You’ll need to change it in IPCop and then edit the “proto” line in the client config. Seems to have fixed it for me.
- Need an OpenVPN for OSX? Check out Tunnelblick.