
HOWTO: IPCop-OpenVPN

I’m a huge fan of IPCop. It’s a great firewall distro that makes administration a snap using a slick web interface. My goal was to use IPCop and an easy-to-use VPN client to allow access to my LAN while away from home.

I ended up going with the ZERINA OpenVPN addon for IPCop and the OpenVPN GUI for Windows.

If you’ve ever wanted full, secure, encrypted access to your LAN from any remote location, here is your guide.

Just follow these ten easy steps…

IMPORTANT UPDATE: Newer versions of both IPCop and ZERINA (new URL!) have been released since I wrote this HOWTO. You will need to go to each of their respective websites and use the latest version of each to make this work. Ignore the version numbers and/or links given below. You need the latest version of each package!

1. Install IPCop

Download, install, and configure IPCop. Remember that it’s a full distro, so you need a dedicated box to be able to run it. But the good thing is that you barely need any processor power or RAM to make it work. I’m currently running mine on a Celeron 433 box with 32MB (yes, megabytes) of RAM. The CD installer really holds your hand and makes it quite easy, but you may want to check out my Building an IPCop Firewall presentation that I gave at CPLUG back in May 2005.

The OpenVPN addon requires the latest version of IPCop, but since you apply security patches as they come out you don’t have to worry about that… right? Right.

Also, I added a line for the IPCop box to /etc/hosts on my other hosts.

$ grep ipcop /etc/hosts
192.168.1.2 ipcop

So from here on, I’ll be referring to it by its hostname of ipcop.

2. Enable ssh access on the IPCop box

Point your browser at your IPCop box, usually at https://ipcop:445 and go to System and then SSH Access. Check the boxes for “SSH Access”, “Allow password based authentication”, and “Allow public key based authentication” and then press the Save button.

3. Download and scp the OpenVPN addon

While IPCop does come with a built-in VPN server, by using OpenVPN you will be able to use the nice GUI clients that are available for it. So download the ZERINA installer and save it to one of your boxen other than the IPCop box. I recommend using wget.

Next, scp the file to your ipcop box:

$ scp -P 222 ZERINA-0.9.3b-Installer.tar.gz root@ipcop:
root@ipcop's password: *********
ZERINA-0.9.3b-Installer.tar.gz 100% 327KB 326.5KB/s 00:00

Please note that the version numbers in the listing above and throughout this HOWTO were current as of the writing of this page. However, newer versions have been released since that time. Please be sure to use the latest versions of all packages as you follow along.

4. Unpack and install the OpenVPN addon

First, ssh into the ipcop box:

$ ssh -p 222 root@ipcop

Make a directory in which to unpack the addon and move the tar file into there:

root@ipcop:~ # mkdir zerina
root@ipcop:~ # mv ZERINA-0.9.3b-Installer.tar.gz zerina
root@ipcop:~ # cd zerina
root@ipcop:~ # tar -xzvf ./ZERINA-0.9.3b-Installer.tar.gz

You should now have the following files:

root@ipcop:~/zerina # ls
_GPL  _README  install  library.addons  patch.tar.gz  uninstall  updatefiles

Now run the installation script:

root@ipcop:~ # ./install

The addon is now installed.
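As an added example (not from the original HOWTO and not part of the ZERINA project), the following POSIX shell script does what steps 3 and 4 describe on the ipcop box, but only runs ./install after checking that the unpacked tree contains the files the listing above shows. The expected file names and the ssh port 222 come from the page; the tarball path, the directory name and the make_fake_tarball helper (which builds a constructed stand-in archive so the check can be exercised offline) are assumptions.

```shell
#!/bin/sh
# Added example: stage the ZERINA addon and sanity-check the unpacked tree
# before running its installer. Not the project's own code.

# Files the HOWTO's "ls" shows after unpacking the installer tarball.
EXPECTED_FILES="_GPL _README install library.addons patch.tar.gz uninstall updatefiles"

# Unpack tarball $1 into directory $2; succeed only if every expected file
# is present and the install script is executable.
unpack_and_check() {
    tarball=$1
    dir=$2
    mkdir -p "$dir" && tar -xzf "$tarball" -C "$dir" || return 1
    for f in $EXPECTED_FILES; do
        [ -e "$dir/$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    [ -x "$dir/install" ] || { echo "install is not executable" >&2; return 1; }
    return 0
}

# Run ./install from inside the addon directory, but only after the tree check passed.
install_addon() {
    unpack_and_check "$1" "$2" || return 1
    (cd "$2" && ./install)
}

# Build a constructed stand-in tarball with the expected layout (offline testing only;
# the real installer comes from the ZERINA site).
make_fake_tarball() {
    out=$1
    tmp=$(mktemp -d)
    for f in $EXPECTED_FILES; do : > "$tmp/$f"; done
    printf '#!/bin/sh\nexit 0\n' > "$tmp/install"
    chmod +x "$tmp/install"
    tar -czf "$out" -C "$tmp" .
    rm -rf "$tmp"
}

# Typical use on the ipcop box after "scp -P 222 <tarball> root@ipcop:" from
# another host (assumed file name; use whatever version you downloaded):
#   install_addon ZERINA-Installer.tar.gz ~/zerina
```

The check is deliberately conservative: a truncated or wrong download will usually be missing one of the listed files, and it is cheaper to stop there than to run a half-unpacked installer as root on the firewall.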

5. Create a configuration file

This is an important step. Do not skip it.

Point your browser at https://ipcop:445/ and go to the VPNs tab and then OpenVPN. Hit the Advanced Server Options button. Without making any changes to the options, hit the Save button.

6. Follow the OpenVPN/ZERINA HOWTO

There is no sense in me repeating the extremely clear and helpful howto at the ZERINA site. Go there and carefully walk through each of the steps. Along the way you will generate your certificates and create a new connection profile for a user.

If you follow the directions, you’ll end up with both a Root Certificate and a Host Certificate. You will also have a connection certificate that you will need to put on the client/remote PC, and you’ll end up setting the password for the client/connection. Make sure it is the Host-to-Net Virtual Private Network (RoadWarrior) type:

Don’t forget to turn OpenVPN on in Step 5. :)

7. Download the OpenVPN client package (zip)

On the OpenVPN configuration page, after you have created a client connection profile, you will see the following icons next to it:

Click the multicolored icon to the left of the info icon, and save the zip file to somewhere. You’ll need to get this file to the client/remote computer (e.g. via USB drive or email).

8. Load the OpenVPN GUI client

Download the OpenVPN GUI for Windows and install it on your client computer.

Installation docs are available, but there’s not much to do other than walk through the installer.

After it is installed, you’ll have the following icon at the bottom of your screen:

9. Unzip OpenVPN client package

Take the client package that you saved in Step 7 and unzip the contents into your OpenVPN client config directory. That is probably located at: C:\Program Files\OpenVPN\config.

10. Connect to the VPN

Make sure that OpenVPN is running on the ipcop box, and that you are connected to the Internet.

Right-click on the OpenVPN icon and click Connect:

Note that if you did not install the client package correctly in Step 9, you will not have that option available.

Enter the password that you set in Step 6, and you should be connected! You will get assigned an IP address in the 10.241.239.0 range by default.

Once you have an IP, you’ll be able to access all the resources on the LAN (e.g. Samba shares).

Thanks go to Matt and Fuzzie for all their help with config and testing.

Update: Heh! Getting some linkage from Digg right now…

Corrections/Addendum:

  1. If you are using Windows XP and get a WSAEADDRINUSE error when you try to connect the VPN, add the “nobind” keyword to your client config and save it. That should fix it.
  2. If you are trying to connect to the Blue interface on IPCop you’ll need to edit your OpenVPN client config. Comment the first remote line and uncomment the one for the internal IP address of the Blue interface:

    #remote serpent.thinkhole.org 1194
    remote 192.168.2.1 1194

    That should fix it.

  3. If you are using a client (usually on Linux) and getting lots of dropped connections and ping timeouts, try switching from UDP to TCP. You’ll need to change it in IPCop and then edit the “proto” line in the client config. Seems to have fixed it for me.
  4. Need an OpenVPN for OSX? Check out Tunnelblick.
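As an added example that is not part of the original post, here is a small POSIX shell script that applies the three client-config fixes from the corrections above (adding nobind, switching the remote line to the Blue interface, and changing proto from udp to tcp) to an OpenVPN client config file. The hostname serpent.thinkhole.org and the Blue address 192.168.2.1 come from the page; the sample config the script writes is constructed to resemble a ZERINA-generated profile and is an assumption, as is the client.ovpn file name.

```shell
#!/bin/sh
# Added example: apply the HOWTO's client-side corrections to an OpenVPN
# client config. Not code from the original post.

# Write a constructed sample client config (assumed layout, not a real
# ZERINA-generated file) to the path given in $1.
write_sample_config() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote serpent.thinkhole.org 1194
#remote 192.168.2.1 1194
ca cacert.pem
cert client.pem
key client.key
EOF
}

# Correction 1: add "nobind" once (WSAEADDRINUSE on Windows XP); idempotent.
add_nobind() {
    grep -q '^nobind$' "$1" || printf 'nobind\n' >> "$1"
}

# Correction 2: comment the external remote line and uncomment the Blue one.
# Write to a temp file and move it back, since "sed -i" differs between sed versions.
use_blue_remote() {
    sed -e 's/^remote serpent\.thinkhole\.org 1194$/#&/' \
        -e 's/^#remote 192\.168\.2\.1 1194$/remote 192.168.2.1 1194/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Correction 3: switch the client from UDP to TCP. The server side in IPCop
# must be changed to TCP as well, or the client will never connect.
use_tcp() {
    sed -e 's/^proto udp$/proto tcp/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Helpers that report the active (uncommented) remote and proto lines.
active_remote() { grep '^remote ' "$1"; }
active_proto()  { grep '^proto ' "$1"; }

# Typical use on a copy of the unpacked client config (assumed file name):
#   add_nobind client.ovpn
#   use_blue_remote client.ovpn   # only when connecting from the Blue network
#   use_tcp client.ovpn           # only after switching IPCop to TCP
```

Keep a backup of the original .ovpn before editing, and only apply the Blue-interface change on a copy used from inside the Blue network; the external remote line is the one a road-warrior client still needs.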
