Tutorials:OpenVPN with uPNP support in 10 minutes

From Knowledge base

This tutorial gives you a VPN with UPnP support. It is useful when you need to accept incoming connections through the VPN.

All your traffic goes through the server, so the internet only sees the IP of your VPS, never your own.

This setup fits well with tools like BitTorrent, or anything else that needs to open a port on the fly to share data.

What you need:

Host (VPS)

I suggest a cheap host with enough bandwidth to carry your connection.

  • FirstHeberg: for less than 1.5 euros you get 100Mbit/s with 20GB disk and 1GB RAM

UPnP daemon

Install linux-igd. It contains a very simple UPnP Internet Gateway Device daemon (upnpd) that we can hook onto the OpenVPN connection. Keep in mind that upnpd lets any host on its internal interface open ports on the public interface of the VPS, so it must listen on the VPN interface (tun0) only, never on eth0; that way only clients holding a certificate signed by your CA can ask for a port.

$ sudo apt-get install linux-igd

OpenVPN Server

This configuration is for Ubuntu. You will find the same tools on other distributions.

You need OpenVPN and easy-rsa to get a working OpenVPN server.

$ sudo apt-get install openvpn easy-rsa

Let's start the configuration:

$ cd /etc/openvpn
$ cp -a /usr/share/easy-rsa .
$ cd easy-rsa

You can use nano or emacs instead, as you wish:

$ vim vars

Edit the variables from KEY_COUNTRY to KEY_OU, for example:

export KEY_CITY="Paris"
export KEY_ORG="Celogeek"
export KEY_OU="OpenVPN"

Now we can use the tools to generate the necessary keys:

$ source vars
# run this only if you want to set up a new set of keys: it wipes the keys directory
$ ./clean-all
# build your CA
$ ./build-ca
# build the Diffie-Hellman parameters; the file is named after KEY_SIZE from vars,
# and the server configuration below expects KEY_SIZE=2048 (dh2048.pem)
$ ./build-dh
# build your server key
$ ./build-key-server server
# build your client key
$ ./build-key client

Here "server" and "client" are the certificate common names and the base names of the files written to the keys directory (server.crt, server.key, client.crt, client.key). Use other names to create more clients or more servers; give every client its own certificate so that a lost device can be revoked on its own. These are the easy-rsa 2 scripts; on a recent Ubuntu the easy-rsa package ships easy-rsa 3 instead, where the equivalent steps are the easyrsa command's init-pki, build-ca, gen-dh, build-server-full and build-client-full, and the output lands in a pki directory rather than keys.

If you need to build another client, just run:

$ ./build-key myotherclient

Everything is inside the "keys" directory; the private keys in it must stay readable by root only.

Now let's create an OpenVPN Server configuration.

$ zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > server.conf
$ vim server.conf

Change this:

ca ca.crt
cert server.crt
key server.key
# by this
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key

# change this
dh dh1024.pem
# by this
dh easy-rsa/keys/dh2048.pem

# Uncomment this to force all client traffic to go through the VPN
push "redirect-gateway def1 bypass-dhcp"

# add some DNS servers (here the Google public ones); without this the client
# keeps its local resolver and its DNS queries leave outside the tunnel
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

# add the up and down scripts for UPnP; script-security 2 is required before
# OpenVPN will execute external scripts at all
script-security 2
up /etc/openvpn/server.up
down /etc/openvpn/server.down

Windows clients apply the pushed DNS option themselves; on Linux the client needs the update-resolv-conf helper shipped with the openvpn package to do the same.

Now create the server.up and server.down scripts:

$ cat <<__EOF__ > /etc/openvpn/server.up
#!/bin/sh
# run by OpenVPN once tun0 is up: eth0 is the external (public) interface,
# tun0 the internal one upnpd listens on, so only VPN clients can ask for ports
/usr/sbin/upnpd eth0 tun0
__EOF__

$ cat <<__EOF__ > /etc/openvpn/server.down
#!/bin/sh
# stop upnpd again when the tunnel goes down
/usr/bin/killall upnpd
__EOF__

$ chmod +x /etc/openvpn/server.up /etc/openvpn/server.down

Adjust eth0 if your VPS names its public interface differently. Keep the "user nobody" and "group nogroup" lines of server.conf commented out: OpenVPN runs the down script after dropping privileges, so killall would no longer be allowed to stop upnpd.

Activate IP forwarding in sysctl:

$ vim /etc/sysctl.conf

Uncomment or add:

net.ipv4.ip_forward=1

Save it and run:

$ sysctl -p /etc/sysctl.conf

Create a masquerade rule that is fired when the network interface comes up:

$ cat <<__EOF__ > /etc/network/if-pre-up.d/iptables
#!/bin/sh
# NAT the VPN subnet (10.8.0.0/24 is the default "server" line of the sample
# server.conf) out of eth0; the -C check keeps the rule from being added twice
/sbin/iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 2>/dev/null \
  || /sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
__EOF__

$ chmod +x /etc/network/if-pre-up.d/iptables
$ /etc/network/if-pre-up.d/iptables

You can now start your server:

$ service openvpn start

On a systemd-based Ubuntu the init script is replaced by one unit per configuration file, so start this one with "systemctl start openvpn@server" instead.

OpenVPN Client

You are now ready to build the configuration for your client.

You need:

  • ca
  • client crt
  • client key
  • config file

On your client, create a vpn directory, go into it, and fetch the sample client configuration from the server (replace youruser@yourvps_IP with your login and the IP of your VPS):

$ ssh youruser@yourvps_IP cat /usr/share/doc/openvpn/examples/sample-config-files/client.conf | tee client.ovpn
$ vim client.ovpn

Change the server IP:

remote yourvps_IP 1194

Fetch the CA certificate and the client certificate and key. The keys directory is readable by root only, so log in as a user that can read it. The private key goes straight to a file rather than through tee, so it is not echoed to your terminal, and it must stay readable by you only:

$ ssh youruser@yourvps_IP cat /etc/openvpn/easy-rsa/keys/ca.crt | tee ca.crt
$ ssh youruser@yourvps_IP cat /etc/openvpn/easy-rsa/keys/client.crt | tee client.crt
$ ssh youruser@yourvps_IP cat /etc/openvpn/easy-rsa/keys/client.key > client.key
$ chmod 600 client.key

Note that the client's private key was generated on the server. That is acceptable here because you administer both ends, but anyone with root on the VPS holds a copy of it.

Now you can start your VPN client. How to load these four files depends on the platform; check the documentation of your OpenVPN client.

Test if it works

  • MonIP: it should now display the IP of your VPS
  • TorrentMyIP: it should confirm that your torrent traffic works and comes from that same IP

You can also check in Transmission's preferences whether the "port is open" test succeeds.
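To check the UPnP side without a torrent client, here is an added example written for this page (it is not code from linux-igd, OpenVPN or Transmission). It does by hand what Transmission's port test relies on: it finds the gateway with an SSDP M-SEARCH, reads the WANIPConnection control URL out of the device description, asks the gateway for its public address with GetExternalIPAddress, then requests a TCP port mapping with AddPortMapping, which is the same SOAP exchange a BitTorrent client performs. Assumptions: upnpd answers SSDP on the VPN side as set up above, your client reaches it over tun0, and port 51413 (Transmission's default peer port) is the one you want opened.

```python
"""UPnP IGD port mapping by hand: the SOAP exchange a BitTorrent client does against upnpd.

Added example for this tutorial, not code from linux-igd, OpenVPN or Transmission.
Assumed: upnpd answers SSDP on the VPN side (as set up above) and 51413 is the port
you want opened (Transmission's default peer port).
"""
import socket
import sys
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen
from xml.sax.saxutils import escape

IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CTRL_NS = "urn:schemas-upnp-org:control-1-0"

def _local(tag):
    return tag.split("}")[-1]  # element name without its XML namespace

def ssdp_msearch(target=IGD_ST, mx=2):
    """SSDP M-SEARCH datagram asking Internet Gateway Devices to answer within mx seconds."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {target}\r\n\r\n').encode("ascii")

def parse_ssdp_response(data):
    """Headers of an SSDP reply as an upper-cased dict; LOCATION is the description URL."""
    status, _, rest = data.decode("ascii", errors="replace").partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected SSDP status line: {status!r}")
    pairs = (line.split(":", 1) for line in rest.split("\r\n") if ":" in line)
    return {k.strip().upper(): v.strip() for k, v in pairs}

def find_control_url(description_xml, base_url, service_type=WANIP):
    """Control URL of the WANIPConnection service, resolved against the description URL."""
    for el in ET.fromstring(description_xml).iter():
        if _local(el.tag) == "service":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            if fields.get("serviceType") == service_type:
                return urljoin(base_url, fields["controlURL"])
    raise LookupError(f"no {service_type} service in device description")

def soap_request(action, args=()):
    """(SOAPACTION header, XML body) for one WANIPConnection action with ordered arguments."""
    inner = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in args)
    body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{WANIP}">{inner}</u:{action}></s:Body></s:Envelope>')
    return f'"{WANIP}#{action}"', body

def add_port_mapping_args(ext_port, int_port, int_client, proto="TCP", desc="vpn-test", lease=0):
    """AddPortMapping arguments in the order the service expects; lease 0 means no expiry."""
    if proto not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    return [("NewRemoteHost", ""), ("NewExternalPort", ext_port), ("NewProtocol", proto),
            ("NewInternalPort", int_port), ("NewInternalClient", int_client), ("NewEnabled", 1),
            ("NewPortMappingDescription", desc), ("NewLeaseDuration", lease)]

def parse_soap_response(body):
    """Output arguments of a SOAP reply as a dict; a UPnP fault becomes RuntimeError with its code."""
    root = ET.fromstring(body)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        code = fault.findtext(f".//{{{CTRL_NS}}}errorCode")
        text = fault.findtext(f".//{{{CTRL_NS}}}errorDescription")
        raise RuntimeError(f"UPnP error {code}: {text}")
    response = list(root.find(f"{{{SOAP_NS}}}Body"))[0]
    return {_local(c.tag): (c.text or "") for c in response}

def soap_call(control_url, action, body):
    """POST one SOAP action; faults come back as HTTP 500, so that body is parsed as well."""
    req = Request(control_url, data=body.encode("utf-8"), method="POST",
                  headers={"Content-Type": 'text/xml; charset="utf-8"', "SOAPACTION": action})
    try:
        with urlopen(req, timeout=5) as resp:
            return parse_soap_response(resp.read().decode("utf-8"))
    except HTTPError as err:
        return parse_soap_response(err.read().decode("utf-8"))

def main(ext_port=51413, int_port=51413, gateway=None):
    """Map ext_port on the public side of the VPS to int_port on this client's VPN address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(3)
    # multicast discovery by default; pass the server's VPN address to query it directly
    sock.sendto(ssdp_msearch(), (gateway or "239.255.255.250", 1900))
    data, (gateway, _) = sock.recvfrom(4096)  # first IGD that answers; over tun0 that is the VPS
    location = parse_ssdp_response(data)["LOCATION"]
    with urlopen(location, timeout=5) as resp:
        control = find_control_url(resp.read().decode("utf-8"), location)
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.connect((gateway, 1900))  # sends nothing; only picks the local address facing the gateway
    my_ip = probe.getsockname()[0]
    public = soap_call(control, *soap_request("GetExternalIPAddress"))["NewExternalIPAddress"]
    soap_call(control, *soap_request("AddPortMapping", add_port_mapping_args(ext_port, int_port, my_ip)))
    print(f"{gateway} (public {public}) now forwards TCP {ext_port} -> {my_ip}:{int_port}")

if __name__ == "__main__":
    ports = [int(a) for a in sys.argv[1:3]]
    main(*ports, gateway=sys.argv[3] if len(sys.argv) > 3 else None)
```

Run it from the connected client as "python3 upnp_map.py 51413 51413"; if multicast discovery through the tunnel times out, add the server's VPN address as a third argument (10.8.0.1 with the sample server.conf) so the M-SEARCH is sent to it directly. A UPnP error 718 (ConflictInMappingEntry) means the external port is already mapped, which is also what you get once Transmission has opened it itself. Because any host on tun0 can create such mappings, the only thing between the internet and the ports of your VPS is the certificate check on the VPN; that is why upnpd must be bound to tun0 only.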
