CREDITS: I got a lot of assistance from various people on the Proxmox forums, and specifically from one user, Marius.

Prepare the Host Node

There are a few things you will need to do up-front to prepare your “Host Node,” that is, your Proxmox VE host to allow for the TUN network interface that OpenVPN requires. Log in to your Proxmox VE host and open:

nano /etc/vz/vz.conf

Then, scroll down to the section that says “## IPv4 iptables kernel modules” and load a few extra modules for iptables:

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

You must restart VZ to load the new modules by running:

/etc/init.d/vz restart

(NOTE: This will shut down any running VMs.) Now, you’re ready to install the OS.

Install the OS

First off, at least for the time being, OpenVPN AS needs a 64-bit OS. Currently there are pre-packaged installation files for Ubuntu and Fedora. Installation packages for 32-bit OSes and other distributions are supposedly in the works. Because Proxmox is based on Debian and there are several Debian and Ubuntu OpenVZ templates available already, I chose to use Ubuntu 8.04 LTS 64-bit. That particular template isn’t included in the “Appliance Templates” in Proxmox (at least not in my version), so I had to download it from the Proxmox repositories first. Simply download the “ubuntu-8.0-standard_8.04-1_amd64.tar.gz” template to your Proxmox host. Go to the Proxmox repositories and find the template you want. In my case it was at ftp://download.proxmox.com/appliances/system/ubuntu-8.0-standard_8.04-1_amd64.tar.gz, so:

cd /var/lib/vz/template/cache/
wget ftp://download.proxmox.com/appliances/system/ubuntu-8.0-standard_8.04-1_amd64.tar.gz

Once the template is downloaded, log in to the web interface of your Proxmox VE host.

Creating the OpenVZ container

Hopefully you already know how to create an OpenVZ container in Proxmox. If not, since it’s not really the focus of this how-to, head over to Proxmox Tutorials. Moving on, for my VPN appliance I selected the following settings:

• Template: ubuntu-8.0-standard_8.04-1_amd64
• Disk space (GB): 8
• Memory (MB): 512
• Swap (MB): 512
• Network type: Bridged Ethernet (veth)

IMPORTANT: You must select ‘Bridged Internet (veth).’ ‘Virtual Network (venet)’ will not work.

You should of course also fill out all the other stuff, like hostname, DNS domain, DNS servers, and so on.

Now, simply start the VM.

Configuring and preparing the VM

First things, first. Update your OS! Use the “Open VNC Console” located in the ‘Virtual Machine Configuration’ settings for your VM and run:

apt-get update
apt-get upgrade


You also need to configure the IP settings of the VM. Add the network config settings for your setup, like in the following example:

# Primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.20
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

Then, restart your networking, like so:

/etc/init.d/networking restart

Install OpenVPN

Obviously, first things first, so you’ll need to download the installation file from OpenVPN. To download it you need to first sign up for an account. Once you’ve signed up, find the URL to the download you want. In my case, using Ubuntu 8.04 LTS 64-bit, the latest available version was OpenVPN AS 1.1.0, so I picked the openvpn-as-1.1.0-Ubuntu8.amd_64.deb file.

That out of the way, last thing to do before you can start configuring your OpenVPN Access Server is to actually install it. This is fast. Log in via SSH or using Proxmox’s VNC Console. Then, do this:

cd /tmp
wget http://path/to/openvpn-as/download/directory/openvpn-as-1.1.0-Ubuntu8.amd_64.deb

It’s a fairly small package, so it should download relatively quickly. Then issue:

dpkg -i openvpn-as-1.1.0-Ubuntu8.amd_64.deb

It should install everything. When the installation completes, to run initial configuration for your newly installed OpenVPN Access Server, issue the following command:

/usr/local/openvpn_as/bin/ovpn-init

Unless you have specific requirements, you can just accept the defaults during the configuration process.

I will not cover configuring OpenVPN for your specific needs here. OpenVPN has a good document outlining how to do that. It’s available to download from their website for people who already have OpenVPN accounts. Obviously, if you’ve already gotten this far, you should have an account.

That’s it. All it took in the end was a few “special” tweaks here and there to make OpenVPN run in an OpenVZ container, and overall it wasn’t that complicated once I figured out what those tweaks were. Of course, it would be more straight forward to install OpenVPN AS on a dedicated server, but that would cost you more. And if you already have spare capacity on a virtual host, why not use that?

I hope you enjoyed this how-to. Comments, corrections, feedback, and ideas below are greatly appreciated.

Yesterday OpenVPN Technologies, the company behind the OpenVPN open source project, announced the immediate availability of their new OpenVPN Access Server.

OpenVPN Access Server, or OpenVPN AS, is a commercial product based on the open source version originally developed by James Yonan. OpenVPN AS lends itself perfectly to use either on an appliance-style server or for running in a virtual machine. Installation is straight forward and the licensing agreement is too. The performance and scalability of running OpenVPN AS should be at least on par with most other commercial offerings, while no other, if any, commercial offerings comes even close in cost.

There are other reasons for using OpenVPN too. I won’t go into details about the architecture of OpenVPN and why it in many ways is superior to other VPN technologies. However, if you want to read more, you can read this thorough article on VPNs over at Linux.com.

• They don’t make regular backups of their laptops.
• If they have a “corporate” file server, they don’t back that up either.
• They can’t remotely access their file server.
• If they do have remote access to their file server, typically their small business network is not configured in a very secure way.

When I talk to friends and colleagues who operate small businesses, they all seem to have the same problem. They don’t have the knowledge and/or time to set up a good network and computing environment for themselves and their company. They can’t buying expensive and proprietary hardware and software to solve these problems. And, on top of that, they can’t afford hiring a consultant to implement all these things for them.

In order to see if I could solve at least part of the dilemma, for the last few months I’ve been looking for a Virtual Private Network (VPN) solution that meets the following five requirements:

1. Inexpensive
2. Simple
3. Reliable
4. Scalable
5. OS independent

Well, there’s a sixth requirement, secure, but that’s a given. There are countless VPN solutions on the market and many good ones. But, they typically only meet three or four of the five requirements I have defined as necessary to solve the problem.

So, for the past few months I’ve been doing a lot of research on VPNs. IPSec and PPTP VPNs keep on popping up all the time as the core offerings of the large, well-known firms providing VPN products. Fairly recently many of the established firms have also started offering SSL VPN solutions. No matter what protocols are used, for the most part, what they have to offer is technically sound from a reliability and scalability perspective. And there’s certainly no reason to doubt that these products meet the security requirements expected from a VPN. However, most of the solutions are not:

• inexpensive (at least not in the eyes of the small companies I’m talking about),
• simple enough to install and configure for the lay person with almost no networking and security knowledge, and
• they are not OS independent.

Why is OS independence so important? Well, maybe it’s not … yet. However, more and more people I know and talk to, especially in small companies, are getting Mac OS computers; an operating system largely ignored by most VPN product vendors. So, therefore, I believe OS independence is becoming more and more important. Because of that belief I set my mind on finding a solution that will work for nearly all situations, and not just for Windows users. (I mostly work on Macs myself, so that’s a big driver too.)

After a lot of searching, reading, and testing I found OpenVPN founded by James Yonan. As the name suggests, OpenVPN is an open source product and is therefore free to use and distribute. OpenVPN is a so-called SSL VPN, using Secure Socket Layer (SSL) to to encrypt all traffic. SSL is the same security technology used on e-commerce websites and what banks use for Internet banking. Furthermore, OpenVPN is compatible with a large range of operating systems, including Windows, Mac, and Linux. It is also very scalable and is being actively used in large installations all over the world. Scalability of course depends on the horsepower of the computer hardware on which it is installed, but for a small company, a simple computer, which may otherwise not be fit for today’s computing needs, can be reused to handle many simultaneous VPN connections. That pretty much covers four out of my five requirements. So, what about simplicity? Well, to be quite honest, OpenVPN is not that simple for the average person with limited computing, networking, and security skills. But neither are the big “brand name” vendors’ solutions. Because it does meet all the other requirements, I believe it’s the best fit out there for small businesses.

For a small business that wants to significantly improve its computing environment, I think it’s affordable and worthwhile to hire a good network/security consultant to deploy a VPN. Once installed, OpenVPN is extremely easy to use and it work really well. Obviously, to resolve all the issues around backup, etc, mentioned above, simply installing a VPN won’t solve all that in one swoop, but it does go a long way towards creating a better environment for the “road warrior” and it does open up the doors to a nice and cost effective setup for centralized file storage, management, and backups.