Newbie:Help install VPN


Postby santo » Oct 23rd, '16, 09:18

Hi all,
I would like to install a VPN on my Mageia5 system...
The options are btw Cisco VPN and OpenVPN
I installed OpenVPN and gave the name ( sigh! ) 'assange' after that, is very difficult for me to know what I am supposed to do...I did try myself to continue but always failed...
TIA for your help...

Santo
santo
 
Posts: 40
Joined: Oct 7th, '14, 13:24

Re: Newbie:Help install VPN

Postby wintpe » Oct 26th, '16, 11:33

Hi Santo

ive always found that the gui in mageia of add vpn is good for getting you started.

so go into Mageia control center, add a new vpn, type openvpn and just put any old rubbish in the dialog boxes to make it complete, it really does not matter what you put in.

then open a terminal switch user to root and go to /etc/sysconfig/network-scripts/vpn.d/openvpn

in there you will find a file named after your config.

now edit that file as follows.

Code:
client
dev tun
tun-mtu 1500
remote VPNSERVERIPADDRESS PORTNUMBER(1194, usually)
resolv-retry infinite
nobind
user openvpn
group openvpn
persist-key
persist-tun
ca /pathtoca/ca.crt
cert /pathtoca/device.crt
key /pathtoca/device.key
ns-cert-type server
cipher AES-256-CBC
auth sha512
comp-lzo
verb 3


for the pathtoca, your openvpn provider will give you 3 files, a ca.crt, a device.crt and a device.key

the name device might be different depending on your provider.

so locate those 3 files somewhere on your system, and change pathtoca to reflect that and the names to reflect the 3 files.

your vpn provider will also have given you an ipaddress and port number, update the line

remote VPNSERVERIPADDRESS PORTNUMBER(1194, usually)

accordingly

go into Mageia control center and disable the outgoing firewall.

start the vpn, and make sure it has connected (this can be done via the netapplet, if you are using that for networking)

then go and re-enable the firewall, it will notice that there is a new network connection and give you a chance to include that as an allowed outgoing service.

thats it.

i use this for my own vpn and for torguard

if you want to setup your own vpn server, i recommend not using your mageia box for that, not because its not good at doing that,
but simply because having a desktop pc running as a vpn server, is costly power wise, and a ddwrt or openwrt based wifi access point
can do this really easily out of the box and costs almost nothing to run 24x7.


regards peter
Redhat 6 Certified Engineer (RHCE)
Sometimes my posts will sound short, or snappy, however its really not my intention to offend, so accept my apologies in advance.
wintpe
 
Posts: 1204
Joined: May 22nd, '11, 17:08
Location: Rayleigh,, Essex , UK

Re: Newbie:Help install VPN

Postby santo » Oct 26th, '16, 16:14

Thanks for answering...
No I am not planning to build a VPN server...as I write on the title I am a newbie...
Due to a work related problem I will try to follow your advice and guidance in the next couple of days...but it does look intimidating...hope I will manage to understand everything...

Thanks
santo
santo
 
Posts: 40
Joined: Oct 7th, '14, 13:24

Re: Newbie:Help install VPN

Postby wintpe » Oct 27th, '16, 16:44

Santo

you know i get the impression that you want a vpn, but dont understand how it works.

this leads to not understanding why the steps are necessary or how to go about it.

it also means that if you make a mistake following any of the instructions you may not know what part is not working.

so i thought id add an explanation of what you are trying to achieve, it might help you see why the steps are necessary.
i dont know, but it might help someone else too.

when you use a web browser or any other network app to go over the internet, the first thing it does is looks up the ipaddress of that
host , when it looks it up it uses the address coded in your resolv.conf for the lookup.
dns or bind is the system that returns the address, and that in itself visits many hosts on the internet to get the final address.

once it has the address it then opens a connection to that host, and that connection may well make many hops through network switches, gateways and firewalls.

the connection always goes out through your default gateway, which initially is the network card in your PC, and then the adsl router, and so on.

the outgoing connection of a web page, then returns the index.html to your browser, or specific page, and that in turn initiates many connections to then get all the graphics, javascript, css content templates etc to your browser, and each of those uses the same process as the first page.

so to the vpn, you want a vpn because you are worried that connections like above can be spied upon, it might be a webpage, a facebook connection, or similar, or it might be that you want your address to look like it originated in the country that the vpn tunnel exists.

all good reasons.

so the vpn tunnel, is similar to the ssh protocol, in that , you start the connection, it establishes a connection with a vpn server process on the other end,
and all that passes through it is encrypted.

to establish the connection crypto keys are used which act like stored passwords.

where openvpn differs from ssh, is that ssh is a single port tunnel, carrying just one port connection, vpn creates a virtual network interface, like having a private network adapter in software, with a virtual network cable running from that virtual network adapter to a virtual network adapter on the other end in some other country, or place than your own network.

an extra gateway or route is added to your config that says from now on (while the vpn is up) forward all traffic down this virtual network and have it exit at the other end.

so what happens on the pc.

the configuration i defined above for you is for the openvpn service to use when it starts up, it tells openvpn the password to use (the certificates and keys)
and the host and port to connect to at the other end.

openvpn when it starts with this config file, will open the connection to the other end (providing its not prevented from getting there)

then it will create a virtual network card called tun0 (ifconfig -a will show this when its up and running)

and it will add a default route down tun0 when its up and running as well. (netstat -rn |grep tun0 will help show this)

and traffic will then go down the tun0 tunnel (traceroute 8.8.8.8 will show that tun0 is one of the hops it goes through when its working)

and exit wherever the vpn providers infrastructure is.

if successful an openvpn process will be seen with ps -ef|grep openvpn, and the logs of what openvpn is doing as it negotiates with the other end, will be recorded in /var/log/messages, providing you have rsyslog installed and running.

hopefully ive painted a clearer picture for you as a self confessed newbie to follow.

all of the above commands rely on the rpm that holds the command being installed, not all are on by default, but if something does not work as described above, ensure the software (like traceroute) is installed.

we all have to start somewhere.

regards peter
wintpe
 
Posts: 1204
Joined: May 22nd, '11, 17:08
Location: Rayleigh,, Essex , UK
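
Added example, not part of wintpe's post: the route check he describes (netstat -rn | grep tun0) written as a shell function that reads the routing table and reports whether all IPv4 traffic goes into the tunnel. It goes slightly beyond the post by also recognising the two /1 routes that OpenVPN's redirect-gateway def1 option installs instead of replacing the default route. The function name and the sample tables (10.8.0.x and 192.168.1.x addresses) are constructed for illustration.

```sh
#!/bin/sh
# Added example. Reads a routing table in `netstat -rn` / `route -n` layout
# on stdin and prints one word for the tunnel interface given as $1:
#   full    - all IPv4 traffic is routed into the tunnel
#   partial - the tunnel has routes, but the default path bypasses it
#   none    - no route uses the tunnel interface (VPN is not up)
vpn_route_state() {
    awk -v ifc="${1:-tun0}" '
        $NF == ifc { seen = 1 }
        # redirect-gateway def1: two /1 routes that outrank the old default
        $NF == ifc && $3 == "128.0.0.0" && $1 == "0.0.0.0"   { low = 1 }
        $NF == ifc && $3 == "128.0.0.0" && $1 == "128.0.0.0" { high = 1 }
        # plain default route: destination 0.0.0.0 with netmask 0.0.0.0
        $1 == "0.0.0.0" && $3 == "0.0.0.0" {
            if ($NF == ifc) def_tun = 1; else def_other = 1
        }
        END {
            if ((low && high) || (def_tun && !def_other)) print "full"
            else if (seen) print "partial"
            else print "none"
        }'
}

# Constructed sample tables (not captured from a real system).
ROUTES_VPN_UP='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0'

# Tunnel is connected but only its own subnet is routed through it.
ROUTES_TUN_ONLY_SUBNET='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0'

ROUTES_VPN_DOWN='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0'

for table in "$ROUTES_VPN_UP" "$ROUTES_TUN_ONLY_SUBNET" "$ROUTES_VPN_DOWN"; do
    printf '%s\n' "$table" | vpn_route_state tun0
done
# On a live system: netstat -rn | vpn_route_state tun0
```

A result of "partial" means the tunnel is connected but browser traffic still leaves through the normal gateway.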

Re: Newbie:Help install VPN

Postby santo » Oct 28th, '16, 08:53

wintpe wrote:Santo

you know i get the impression that you want a vpn, but dont understand how it works.

this leads to not understanding why the steps are necessary or how to go about it.

.....

regards peter


Thank you very much for this post. It was very intelligent of you not only to understand the origin of my post but also to follow up with such an explanation.
I will read it carefully and then will start the attempt to install OpenVPN

hope you will be with me ( and bear with my newbiness...) while I'll go through the attempt..
:-)
Santo
santo
 
Posts: 40
Joined: Oct 7th, '14, 13:24

Re: Newbie:Help install VPN

Postby santo » Oct 28th, '16, 09:10

wintpe wrote:Santo

....

so to the vpn, you want a vpn because you are worried that connections like above can be spied upon, it might be a webpage, a facebook connection, or similar, or it might be that you want your address to look like it originated in the country that the vpn tunnel exists.

all good reasons.

....

regards peter


Forgot to mention...I live in a country where the government - mostly to protect the local film industry - ...is blocking/denying access to ALL torrents sites ...but this is going a bit too far... I used to download stuff that ( mostly ) was not covered by property rights like old Italian movies etc...which can not be found on youtube anymore...one may end up in jail or pay a hefty fine even to connect to any torrent sites...Computer savvy here say that it is basically impossible for the government to implement such draconian measures...but being a foreigner here ( I am Italian ) I do not want to risk much...I still try to bypass this by using Google open DNS but now it does not seem to work anymore...

When I browse internet to try to go around this I always find references to VPN...I was shy to start this thread because I thought that it was illegal to use VPN but given that I find references everywhere I concluded that it is fair enough to at least try it out...

Hope to say openly the above is 'legal' and acceptable...otherwise moderator please delete it right away...
;-)

santo
santo
 
Posts: 40
Joined: Oct 7th, '14, 13:24

Re: Newbie:Help install VPN

Postby wintpe » Oct 28th, '16, 11:21

nope it is not illegal to use or discuss a vpn as far as im aware on this forum.

its what you do with it, that could potentially land you in trouble, and while we dont know what any one on this forum is
using their vpn for, its not our place to police them, or cast any aspersions to their morality, that's a private thing
and falls into the realms of human rights.

however, if anyone came on here and asked how to get something that was illegal generally, and globally, they will get no help
and probably have their posts deleted.

i use torguard.

its about £40 pounds a year, and i use it with mageia 5

it works fine. you must also change your resolver to be torguards one, otherwise those dns lookups will go straight to your isp and they can then be seen.

i have posted on this forum elsewhere a torguard config file, and if you decide to go for torguard i can post it in this thread.
but you may already have subscribed to a vpn, since you are already trying to get it working.


regards peter
wintpe
 
Posts: 1204
Joined: May 22nd, '11, 17:08
Location: Rayleigh,, Essex , UK

Re: Newbie:Help install VPN

Postby santo » Oct 28th, '16, 13:46

wintpe wrote:...
but you may already have subscribed to a vpn, since you are already trying to get it working.

...
regards peter


Ha! ... you got me...
Do I have to subscribe to a VPN before trying to get my OpenVPN working?

I tried a lot with the suggestion you gave and in fact I got stuck at the line :
remote VPNSERVERIPADDRESS PORTNUMBER ...

where you write that ...'my vpn provider will also give an ipaddress and port number' ...it felt to me a catch 22...if I can not connect to an VPN how can I get the ipaddress and port number?
not so sure how to continue...
any suggestion to any vpn I can subscribe to if this is the case?

I am pasting here my .conf file...edited so that it is not too long please tell me if it was correct. The lines
tun-mtu 1500 and auth sha512 I assumed go under these headings...

TIA

santo


Code:
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun
tun-mtu 1500
;dev tun

# Windows needs the TAP-Win32 adapter name
.....
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

....
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user openvpn
group openvpn

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
......

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.

ca /usr/share/openvpn/sample-keys/ca.crt
cert /usr/share/openvpn/sample-keys/client.crt
key /usr/share/openvpn/sample-key/client.key

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
#   digitalSignature, keyEncipherment
# and the extendedKeyUsage to
#   serverAuth
# EasyRSA can do this for you.
 ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-256-CBC
auth sha512

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
Last edited by isadora on Oct 28th, '16, 13:50, edited 1 time in total.
Reason: Placed command-output in between [CODE]-tags for better readability ;)
santo
 
Posts: 40
Joined: Oct 7th, '14, 13:24
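
Added example, not part of the thread: a shell lint for an OpenVPN client config, covering wintpe's template earlier in the thread and the file pasted above. The function name lint_ovpn_client and the sample are constructed; the sample repeats three things visible in the paste: a bare "remote", credentials under the package's sample-keys directory (those ship identically with every install, so they authenticate nobody), and a "key" path whose directory is spelled differently from the other two.

```sh
#!/bin/sh
# Added example: lint an OpenVPN client config read from stdin and print
# one finding per line. No output means nothing was found.
lint_ovpn_client() {
    conf=$(cat)
    # Directive checks. Lines starting with '#' or ';' are comments.
    printf '%s\n' "$conf" | awk '
        /^[ \t]*([#;]|$)/ { next }
        { have[$1] = 1 }
        $1 == "remote" {
            if (NF < 2)
                print "remote: needs a host (line " NR ")"
            else if ($2 ~ /^VPNSERVER/)
                print "remote: placeholder host not replaced (line " NR ")"
            else if (NF >= 3 && $3 !~ /^[0-9]+$/)
                print "remote: port is not a number (line " NR ")"
        }
        $1 ~ /^(ca|cert|key)$/ && $2 ~ /sample-key/ {
            print $1 ": points at the packaged sample keys"
        }
        END {
            if (!have["remote"]) print "remote: directive missing"
            if (!have["ns-cert-type"] && !have["remote-cert-tls"])
                print "server certificate type is not checked"
        }'
    # File checks: every credential file must be readable, and the private
    # key must not be accessible to group or others.
    printf '%s\n' "$conf" |
    awk '$1 ~ /^(ca|cert|key)$/ && NF >= 2 { print $1, $2 }' |
    while read -r kind path; do
        if [ ! -r "$path" ]; then
            echo "$kind: cannot read $path"
        elif [ "$kind" = key ]; then
            case $(ls -ldL -- "$path") in
                ????------*) ;;
                *) echo "key: $path is accessible to group or others" ;;
            esac
        fi
    done
}

# Constructed sample mirroring the issues described in the lead-in.
SAMPLE_CONF='client
dev tun
remote
ca /usr/share/openvpn/sample-keys/ca.crt
cert /usr/share/openvpn/sample-keys/client.crt
key /usr/share/openvpn/sample-key/client.key
ns-cert-type server'

printf '%s\n' "$SAMPLE_CONF" | lint_ovpn_client
# On a real file: lint_ovpn_client < /path/to/your/client.conf
```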

Re: Newbie:Help install VPN

Postby doktor5000 » Oct 28th, '16, 18:30

santo wrote:Do I have to subscribe to a VPN before trying to get my OpenVPN working?

Yes. You can also set up your own VPN server, but in your use case that would not help. This is usually done if you want to connect e.g. from home to your work computers, to secure the connection in between those. And then you would need to configure both ends, the VPN server and the client. In your use case you need the VPN server/service to be provided by any VPN provider. There are a few threads here on VPN providers which others are using, best use the forum search function for that.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 17633
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Newbie:Help install VPN

Postby wintpe » Oct 31st, '16, 11:36

As Doktor has said there are plenty to choose from out there, maybe even some are free, for limited use.

but yes absolutely will not work without the remote vpnserver and port and the ca, and keys supplied by your chosen vpn provider.

i use torguard, as ive already stated, but there are so many to choose, you need to find one that suits your requirements.

regards peter
wintpe
 
Posts: 1204
Joined: May 22nd, '11, 17:08
Location: Rayleigh,, Essex , UK

Re: Newbie:Help install VPN

Postby santo » Oct 31st, '16, 13:59

wintpe wrote:As Doktor has said there are plenty to choose from out there, maybe even some are free, for limited use.

but yes absolutely will not work without the remote vpnserver and port and the ca, and keys supplied by your chosen vpn provider.

i use torguard, as ive already stated, but there are so many to choose, you need to find one that suits your requirements.

regards peter


Yes, I am exploring different possibilities...my interest in using VPN is mainly to be able to use torrent which are blocked here ...I checked for free VPN servers...but the only one who could be helpful was CyberGhost which is not free in the end...but very cheap...then AirVPN but is only a .deb package so...

I do not use credit card etc...so to pay for a VPN service online is a bit complicated... have to find a provider who accept DD ...
;-)

santo
santo
 
Posts: 40
Joined: Oct 7th, '14, 13:24

Re: Newbie:Help install VPN

Postby wintpe » Nov 1st, '16, 15:25

santo wrote:AirVPN but is only a .deb package so
you absolutely do not need a package to use their vpn.

you just need to do what i have already described to you.

openvpn is standard, its not customized to a particular provider.

all their deb file will contain is the 3 certificate files, and a config file.

deb files are just "ar" archives

ar -vx file.deb

regards peter
wintpe
 
Posts: 1204
Joined: May 22nd, '11, 17:08
Location: Rayleigh,, Essex , UK

Re: Newbie:Help install VPN

Postby santo » Nov 2nd, '16, 12:23

wintpe wrote:AirVPN but is only a .deb package so
you absolutely do not need a package to use their vpn.

you just need to do what i have already described to you.
.....
regards peter



I thought that if I find a VPN server and download and install it , it will then
give me some data to insert into my OpenVPN.conf e.g.

remote VPNSERVERIPADDRESS PORTNUMBER(1194, usually)
which will allow me to connect with OpenVPN...


Now I find myself in some middle earth and have no idea how and what to think...I
thought that to use OpenVPN I needed an VPN server ... I looked it up and found
some free some non-free but cheap server

You always said you use TOR so after a little try with a free trial of
Windscribe I installed 'TOR'...

But - as with Windscribe I see no relation with OpenVPN...Tor Browser is the
only Download available so obviously TOR IS a browser and not a VPN server ...

What is it I do not understand? ( it may seem a funny question...)

What am I supposed to do to use OpenVPN?

remember I am a newbie...
:?

santo
santo
 
Posts: 40
Joined: Oct 7th, '14, 13:24

Re: Newbie:Help install VPN

Postby wintpe » Nov 2nd, '16, 21:54

I never said use tor.
I said use torguard .
Use Google. Don't guess what I mean .
Torguard is a commercial vpn provider.
Costs about 40 dollars a year.
Regards peter
wintpe
 
Posts: 1204
Joined: May 22nd, '11, 17:08
Location: Rayleigh,, Essex , UK
