How to Install OpenVPN Access Server on Proxmox VE

June 10, 2009 by

I thought OpenVPN Access Server, or OpenVPN AS, was going to be easy to install on Proxmox VE using an OpenVZ container, but it turned out to be a bit more complicated than I had anticipated. So, I decided to write it all up here for others to benefit from.

CREDITS: I got a lot of assistance from various people on the Proxmox forums, and specifically from one user, Marius.

Prepare the Host Node

There are a few things you will need to do up-front to prepare your “Host Node,” that is, your Proxmox VE host to allow for the TUN network interface that OpenVPN requires. Log in to your Proxmox VE host and open:

nano /etc/vz/vz.conf

Then, scroll down to the section that says “## IPv4 iptables kernel modules” and load a few extra modules for iptables:

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

You must restart VZ to load the new modules by running:

/etc/init.d/vz restart

(NOTE: This will shut down any running VMs.) Now, you’re ready to install the OS.
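
Since the restart stops every running VM, it is worth confirming the IPTABLES line is complete before running it. The script below is an added example, not part of the original post: it reports which of the modules listed above are missing from the active IPTABLES= line. The function names and the sample file contents are made up for illustration; the module list is copied from the line above.

```shell
#!/bin/sh
# Added example: preflight check for the IPTABLES line in /etc/vz/vz.conf.

# Module list copied from the IPTABLES line in this how-to.
REQUIRED="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

# Print the value of the last uncommented IPTABLES= assignment in file $1.
configured_modules() {
    sed -n 's/^[[:space:]]*IPTABLES="\{0,1\}\([^"#]*\)"\{0,1\}.*$/\1/p' "$1" | tail -n 1
}

# Print the required modules absent from file $1 (empty output: none missing).
# Matching is whole-word and case-sensitive, so ipt_tos does not satisfy ipt_TOS.
missing_modules() {
    have=" $(configured_modules "$1" | tr -s '[:space:]' ' ') "
    missing=""
    for m in $REQUIRED; do
        case "$have" in
            *" $m "*) ;;
            *) missing="$missing $m" ;;
        esac
    done
    echo "${missing# }"
}

# Constructed sample (not a real vz.conf): a shorter active line plus a
# commented-out line that must be ignored.
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
## IPv4 iptables kernel modules
#IPTABLES="iptable_nat ipt_state"
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
EOF
    missing_modules "$sample"
    rm -f "$sample"
}

# With a path argument, check that file; otherwise run the constructed sample.
if [ "$#" -gt 0 ]; then
    missing_modules "$1"
else
    demo
fi
```

Run it on the host as "sh check.sh /etc/vz/vz.conf" (the script name is arbitrary); empty output means every listed module is present, and a missing or unreadable file reports all modules as missing.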

Install the OS

First off, at least for the time being, OpenVPN AS needs a 64-bit OS. Currently there are pre-packaged installation files for Ubuntu and Fedora. Installation packages for 32-bit OSes and other distributions are supposedly in the works. Because Proxmox is based on Debian and there are several Debian and Ubuntu OpenVZ templates available already, I chose to use Ubuntu 8.04 LTS 64-bit. That particular template isn’t included in the “Appliance Templates” in Proxmox (at least not in my version), so I had to download it from the Proxmox repositories first. Simply download the “ubuntu-8.0-standard_8.04-1_amd64.tar.gz” template to your Proxmox host. Go to the Proxmox repositories and find the template you want. In my case it was at ftp://download.proxmox.com/appliances/system/ubuntu-8.0-standard_8.04-1_amd64.tar.gz, so:

cd /var/lib/vz/template/cache/
wget ftp://download.proxmox.com/appliances/system/ubuntu-8.0-standard_8.04-1_amd64.tar.gz

Once the template is downloaded, log in to the web interface of your Proxmox VE host.

Creating the OpenVZ container

Hopefully you already know how to create an OpenVZ container in Proxmox. If not, since it’s not really the focus of this how-to, head over to Proxmox Tutorials. Moving on, for my VPN appliance I selected the following settings:

  • Template: ubuntu-8.0-standard_8.04-1_amd64
  • Disk space (GB): 8
  • Memory (MB): 512
  • Swap (MB): 512
  • Network type: Bridged Ethernet (veth)

IMPORTANT: You must select ‘Bridged Ethernet (veth).’ ‘Virtual Network (venet)’ will not work.

You should of course also fill out all the other stuff, like hostname, DNS domain, DNS servers, and so on.

Now, simply start the VM.

Configuring and preparing the VM

First things first. Update your OS! Use the “Open VNC Console” located in the ‘Virtual Machine Configuration’ settings for your VM and run:

apt-get update
apt-get upgrade

You also need to configure the IP settings of the VM. Add the network config settings for your setup, like in the following example:

# Primary network interface
auto eth0
iface eth0 inet static
	address 192.168.1.20
	netmask 255.255.255.0
	network 192.168.1.0
	broadcast 192.168.1.255
	gateway 192.168.1.1

Then, restart your networking, like so:

/etc/init.d/networking restart

Install OpenVPN

Obviously, first things first, so you’ll need to download the installation file from OpenVPN. To download it you need to first sign up for an account. Once you’ve signed up, find the URL to the download you want. In my case, using Ubuntu 8.04 LTS 64-bit, the latest available version was OpenVPN AS 1.1.0, so I picked the openvpn-as-1.1.0-Ubuntu8.amd_64.deb file.

With that out of the way, the last thing to do before you can start configuring your OpenVPN Access Server is to actually install it. This is fast. Log in via SSH or using Proxmox’s VNC Console. Then, do this:

cd /tmp
wget http://path/to/openvpn-as/download/directory/openvpn-as-1.1.0-Ubuntu8.amd_64.deb

It’s a fairly small package, so it should download relatively quickly. Then issue:

dpkg -i openvpn-as-1.1.0-Ubuntu8.amd_64.deb

It should install everything. When the installation completes, to run initial configuration for your newly installed OpenVPN Access Server, issue the following command:

/usr/local/openvpn_as/bin/ovpn-init

Unless you have specific requirements, you can just accept the defaults during the configuration process.

I will not cover configuring OpenVPN for your specific needs here. OpenVPN has a good document outlining how to do that. It’s available to download from their website for people who already have OpenVPN accounts. Obviously, if you’ve already gotten this far, you should have an account.

That’s it. All it took in the end was a few “special” tweaks here and there to make OpenVPN run in an OpenVZ container, and overall it wasn’t that complicated once I figured out what those tweaks were. Of course, it would be more straightforward to install OpenVPN AS on a dedicated server, but that would cost you more. And if you already have spare capacity on a virtual host, why not use that?

I hope you enjoyed this how-to. Comments, corrections, feedback, and ideas below are greatly appreciated.

Comments (9)

 

  1. Hi,
    Is there any way to make it work with venet?
    Because on some hosters like ovh.com, the pre-installed version of Proxmox and the additional IP failover work only with the venet interface … ? Any ideas to make it work?

    And great post !
    Thanks

  2. Jay says:

    Thank you so much for putting this together. I tried installing it with other how-tos and failed miserably. Your steps worked in my first try.

    Thanks for saving many hours.

  3. What can I say, another great write-up, Martin. I can’t wait to see what you’re gonna pull outta the hat next!

    I’m still using Proxmox 1.3 (no build tools for 1.4).
    It didn’t work for me the first time, but after reading the post on the Proxmox forum I got there in the end.
    I wonder why you didn’t put these in the post.
    rm -rf /dev/as0t0
    vzctl exec VEID mkdir -p /dev/net
    vzctl exec VEID mknod /dev/net/tun c 10 200
    vzctl exec VEID chmod 600 /dev/net/tun

    As this was needed for me. Anyway, thanks again.

  4. Jay says:

    Martin,
    Great write-up. It would be great if you shared your virtual appliance with the Proxmox community. I tried following your directions but I managed to mess it up.

    Thanks!

  5. Martin says:

    Sorry for the late reply. Even if I did include it, there are still the mods you need to do to the Proxmox install. In retrospect, I think that maybe installing it as a KVM machine is a better and simpler option.

  6. […] Once again, there’s no point reinventing the wheel; here is the method for installing OpenVPN Access Server in a Proxmox container. All credit to Martin Lanner for this one […]

  7. Kerridge says:

    Thank you for your article.

    I have used this install and for whatever reason I am occasionally getting zombie processes when I do a nightly backup of the VM.

    This means backups are suspended for the whole server, and requires a reboot to fix. This must be manually attended to and with OVH takes 15 minutes or so from request.

    In my case I agree with you, Martin, and think KVM would be a better fit.

  8. modulistic says:

    On Proxmox VE 2, with the Debian 6 openvz template, the only missing thing for me was the tun device. I had to create it INSIDE the container:

    mkdir -p /dev/net
    mknod /dev/net/tun c 10 200
    chmod 600 /dev/net/tun

    As Colin Crosbie said above — just I don’t understand Colin’s rm -rf

    By the way, Colin, and everybody else, take good care with the “gratis” -r xD
