“The meal is a full course, in exquisite detail, from apt-get install openvpn to /etc/init.d/openvpn start and is guaranteed to satisfy all discriminating self-funded companies.”

“We shall start with three appetizers.”
Basic Configuration
| Value | Description |
| --- | --- |
| 192.168.115.21 | Server network address for the network adapter connected to the public (Internet). If you are using a physical server, this will be assigned by your ISP and will more likely be something more random, like 125.213.48.116. |
| 192.168.115.2 | Gateway network address for the network adapter connected to the public (Internet). If you are using a physical server, this will be given to you by your ISP and will more likely be something more like 125.213.48.1. |
| 192.168.44.37 | Server network address for the network adapter physically connected to an existing private subnet on your home network. |
| 192.168.89.x | Subnet generated inside OpenVPN if you are using routing. |
| 192.168.44.x | Subnet that already exists on your home network if you are using bridging. |
| myserver | Name of the server. |
| mydomain.com | Name of the domain. |
| sysadmin | A myserver.mydomain.com user account. |
| jsmith | An OpenVPN user. |
| jroberts | An OpenVPN user. |
| jjones | An OpenVPN user. |
| My Company | Name of the company that uses the server. |
| My Organization | Name of the “organization” that uses the server; it could be a company name or some other random identifier. |
| Dev | Name of the “organizational unit” that uses the server; “Dev” indicates the development team. |
Bridging versus Routing
OpenVPN can either use bridging or routing as the networking foundation of the OpenVPN private network.
Bridging makes everything work as expected. It's the safe choice and I recommend it.
Routing does not carry the lower-level connectivity that bridging does, such as broadcasts. Many network activities (e.g. using a browser) don't require broadcasts. Those that do (e.g. Windows file sharing) often still work but lose the features that depend on broadcasts (e.g. automatically finding other Windows machines and adding them to “My Network Places”). Routing is more efficient than bridging. But, I think that the efficiency isn't worth the hassle of wondering why certain features don't work that well.
TCP versus UDP
OpenVPN can either use TCP or UDP to communicate between the OpenVPN server and OpenVPN clients.
TCP always works. It's the safe choice and I recommend it.
UDP usually works but, in some cases, your users may have to fiddle with their home networks to ensure that UDP packets get through. UDP can be a bit faster than TCP. But, I think that the speed isn't worth the hassle of fiddling with home networks.
“Your menu, sir.”
Install OpenSSL
Install OpenVPN
Create OpenVPN clients
Route the OpenVPN network
Bridge the OpenVPN network
Create the VM image
Install Debian 4.0
Install VMware Tools
Make a static IP address
Make a second static IP address
“For beginners, I recommend the Appendices first. But, for an expert connoisseur such as yourself, the following sections might be the only ones of interest.”
Install OpenSSL
OpenVPN relies on OpenSSL to provide encryption. So, OpenSSL must be installed first.
- Install OpenSSL using apt-get.
Then, set OpenSSL to use a persistent directory.
# apt-get install openssl
...
# vi /etc/ssl/openssl.cnf
{Find}
dir = ./demoCA # Where everything is kept
{Replace with}
dir = /etc/ssl # Where everything is kept
{Save}
- Edit the certificate creation defaults so you don't have to type them in for each and every certificate. These values are all up to you; none of them are used internally by OpenSSL.
# vi /etc/ssl/openssl.cnf
{Find}
countryName_default = AU
{Replace with}
countryName_default = US
{Find}
stateOrProvinceName_default = Some-State
{Replace with}
stateOrProvinceName_default = California
{Find}
localityName = Locality Name (eg, city)
{Replace with}
localityName = Locality Name (eg, city)
localityName_default = Silicon Valley
{Find}
0.organizationName_default = Internet Widgits Pty Ltd
{Replace with}
0.organizationName_default = My Organization
{Find}
#organizationalUnitName_default =
{Replace with}
organizationalUnitName_default = Dev
{Find}
unstructuredName = An optional company name
{Replace with}
unstructuredName = An optional company name
unstructuredName_default = My Company
{Save}
- Make directories for storing new and revoked certificates.
Then, create counters for generating new certificates and the CRL (certificate revocation list).
Finally, create an empty, plain text database for tracking
certificates, including their active/revoked status.
# mkdir /etc/ssl/newcerts
# mkdir /etc/ssl/crl
# echo "01" > /etc/ssl/serial
# echo "01" > /etc/ssl/crlnumber
# touch /etc/ssl/index.txt
- Create a CA (certificate authority) certificate. Make it valid for a long time (10 years); an expired CA certificate would force us to regenerate all other certificates. Use its public DNS name as its Common Name. Type any e-mail address; it is only for users and isn't used internally by OpenSSL. Finally, hide the private key (cakey.pem).
# openssl req -new -nodes -days 3650 -x509 -keyout /etc/ssl/private/cakey.pem -out /etc/ssl/cacert.pem
...
Country Name (2 letter code) [US]: {Enter}
State or Province Name (full name) [California]: {Enter}
Locality Name (eg, city) [Silicon Valley]: {Enter}
Organisation Name (eg, company) [My Organization]: {Enter}
Organisational Unit Name (eg, section) [Dev]: {Enter}
Common Name (eg, YOUR name) []: myserver.mydomain.com
Email Address []: sysadmin@mydomain.com
# chmod 0400 /etc/ssl/private/cakey.pem
Install OpenVPN
Next, the basic OpenVPN package must be installed. It'll need additional configuration later, though.
- Install OpenVPN. Then, generate a shared secret key; on its own it isn't very secure, but certificate-based security will be added later. Also, generate the Diffie-Hellman parameters.
# apt-get install openvpn
...
Do you want to continue? [Y/n] {Enter}
...
# openvpn --genkey --secret /etc/openvpn/secret.key
# openssl dhparam -out /etc/openvpn/dh1024.pem 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...
- Prepare to secure OpenVPN using chroot so our server runs as user “nobody” in group “nobody” and can only access the /etc/openvpn/chroot directory.
# mkdir /etc/openvpn/chroot
# addgroup nobody
Adding group 'nobody' (GID 1001) ...
Done.
- Create and sign a certificate for the OpenVPN server itself.
When OpenVPN runs, it will present itself as both the publicly available “myserver.mydomain.com” and the private “myserver”.
Make it valid for only a year for security; in a year, we'll have to create a new one.
# openssl req -new -nodes -days 365 -keyout /etc/openvpn/openvpn.key -out /etc/openvpn/openvpn.csr
...
Country Name (2 letter code) [US]: {Enter}
State or Province Name (full name) [California]: {Enter}
Locality Name (eg, city) [Silicon Valley]: {Enter}
Organisation Name (eg, company) [My Organization]: {Enter}
Organisational Unit Name (eg, section) [Dev]: {Enter}
Common Name (eg, YOUR name) []: myserver
Email Address []: sysadmin@mydomain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: {Enter}
An optional company name [My Company]: {Enter}
# openssl ca -policy policy_anything -out /etc/openvpn/openvpn.crt -infiles /etc/openvpn/openvpn.csr
...
Sign the certificate? [y/n]:y
...
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
- Create an empty CRL so that the OpenVPN access can be revoked remotely by revoking a user's certificate.
# openssl ca -gencrl -keyfile /etc/ssl/private/cakey.pem -cert /etc/ssl/cacert.pem -out /etc/openvpn/chroot/crl.pem
Using configuration from /usr/lib/ssl/openssl.cnf
- Create a basic OpenVPN configuration. Use a routed configuration (i.e. “dev tun”). Use TCP, not UDP. Put OpenVPN clients on 192.168.89.x which only exists inside the OpenVPN server.
# vi /etc/openvpn/local.conf
{Insert}
dev tun
port 1194
proto tcp
server 192.168.89.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ip_pool
mode server
status /tmp/openvpn.status
tls-auth /etc/openvpn/secret.key 0
keepalive 10 30
client-to-client
max-clients 150
verb 3
tls-server
dh /etc/openvpn/dh1024.pem
ca /etc/ssl/cacert.pem
cert /etc/openvpn/openvpn.crt
key /etc/openvpn/openvpn.key
crl-verify crl.pem
comp-lzo
persist-key
persist-tun
user nobody
group nobody
chroot /etc/openvpn/chroot
{Save}
Here’s a line-by-line description of the /etc/openvpn/local.conf file:

| parameter | description |
| --- | --- |
| dev tun | be routed, not bridged |
| port 1194 | use standard 1194 port |
| proto tcp | use TCP, not UDP |
| server 192.168.89.0 255.255.255.0 | create routed 192.168.89.x subnet |
| ifconfig-pool-persist /etc/openvpn/ip_pool | always assign same IP addresses to clients and store them in ip_pool |
| mode server | create a server, not a client |
| status /tmp/openvpn.status | write operational status to openvpn.status |
| tls-auth /etc/openvpn/secret.key 0 | use secret.key |
| keepalive 10 30 | keep clients connected (only useful for UDP) |
| client-to-client | allow clients to communicate with each other |
| max-clients 150 | prevent the server from being overwhelmed |
| verb 3 | use minimal logging; log to /var/log/syslog by default |
| tls-server | encrypt all communications |
| dh /etc/openvpn/dh1024.pem | encrypt all communications |
| ca /etc/ssl/cacert.pem | use certificate-based security |
| cert /etc/openvpn/openvpn.crt | use certificate-based security |
| key /etc/openvpn/openvpn.key | use certificate-based security |
| crl-verify crl.pem | use CRL (certificate revocation list) so access can be revoked remotely |
| comp-lzo | use compression to improve speed |
| persist-key | make keepalive work with chroot (only useful for UDP) |
| persist-tun | make keepalive work with chroot (only useful for UDP) |
| user nobody | run as user “nobody”, not root |
| group nobody | run as group “nobody” |
| chroot /etc/openvpn/chroot | limit server to files under /etc/openvpn/chroot |
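The directives that actually contain the daemon are the privilege drop, the chroot, tls-auth and crl-verify, and they interact: persist-key and persist-tun exist so the process can restart after it can no longer read its keys, and the CRL path is resolved inside the chroot. The Python audit below is an added example, not the article's code; it parses a server config and checks those directives, and also flags two choices a practitioner would revisit today, the 1024-bit DH parameters and the compression. SAMPLE_LOCAL_CONF is a constructed copy of the guide's local.conf, and the check names and messages are my own.

```python
"""Audit an OpenVPN server config for the hardening this guide relies on.

Added example, not the article's code.  SAMPLE_LOCAL_CONF is a constructed
copy of the guide's /etc/openvpn/local.conf; check names and messages are mine.
"""
import shlex
import sys

# Constructed sample input: the guide's local.conf.
SAMPLE_LOCAL_CONF = """\
dev tun
port 1194
proto tcp
server 192.168.89.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ip_pool
mode server
status /tmp/openvpn.status
tls-auth /etc/openvpn/secret.key 0
keepalive 10 30
client-to-client
max-clients 150
verb 3
tls-server
dh /etc/openvpn/dh1024.pem
ca /etc/ssl/cacert.pem
cert /etc/openvpn/openvpn.crt
key /etc/openvpn/openvpn.key
crl-verify crl.pem
comp-lzo
persist-key
persist-tun
user nobody
group nobody
chroot /etc/openvpn/chroot
"""


def parse_openvpn_conf(text):
    """Map each directive to the list of argument lists it was given
    (directives may repeat).  Lines starting with '#' or ';' are comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit_server_conf(text):
    """Return (level, message) findings; an empty list means every check passed."""
    conf = parse_openvpn_conf(text)
    findings = []

    def first(name):
        return conf[name][0] if name in conf else None
    def error(msg):
        findings.append(("error", msg))
    if first("user") != ["nobody"] or first("group") != ["nobody"]:
        error("user/group: the daemon should drop to user nobody, group nobody")
    chroot = first("chroot")
    if chroot is None:
        error("chroot: missing; the daemon keeps access to the whole filesystem")
    # Once privileges are dropped the process cannot reopen its keys or the
    # tun/tap device, so a restart (SIGUSR1, ping-restart) needs these two.
    for name in ("persist-key", "persist-tun"):
        if name not in conf:
            error(f"{name}: missing; restarts fail after user/chroot take effect")
    tls_auth = first("tls-auth")
    if tls_auth is None:
        error("tls-auth: missing; the TLS control channel is not HMAC-protected")
    elif len(tls_auth) != 2 or tls_auth[1] != "0":
        error("tls-auth: key direction must be 0 on the server (clients use 1)")
    crl = first("crl-verify")
    if crl is None:
        error("crl-verify: missing; revoking a user certificate has no effect")
    elif chroot is not None and crl[0].startswith(chroot[0].rstrip("/") + "/"):
        # The CRL is re-read at each handshake, i.e. after chroot, so a host
        # path under the jail no longer resolves; the guide uses 'crl.pem'.
        error("crl-verify: host path will not resolve inside the chroot; use a relative one")
    dh = first("dh")
    if dh is not None and "1024" in dh[0]:
        findings.append(("warn", "dh: 1024-bit parameters are weak; use 2048 bits or more"))
    if "comp-lzo" in conf:
        findings.append(("info", "comp-lzo: compression before encryption leaks plaintext structure"))
    if "client-to-client" in conf:
        findings.append(("info", "client-to-client: clients can reach each other; drop unless required"))
    return findings


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOCAL_CONF
    for level, message in audit_server_conf(text):
        print(f"[{level}] {message}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python audit.py /etc/openvpn/local.conf`; with no argument it audits the sample, which passes everything except the two advisory findings.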
Create OpenVPN clients
Each user will need his own special encrypted files to access the VPN.
You'll have to run this process for every user and, later, for any new users.
Each user will have 4 files: a certificate file (.crt), a key file (.key), a certificate request file (.csr) and an OpenVPN GUI configuration file (.ovpn). The certificate file holds the public key; the key file holds the private key. Both are used for encryption. The request file is what the CA signed to produce the certificate; the user doesn't actually need it but we give it to him anyway. The configuration file is for use with OpenVPN GUI on the user's PC. While the user could come up with this himself, it is polite to provide one to him.
- Stop the server (if it is running) and prepare a directory to store user files in.
{Click on the VM to capture the mouse}
# /etc/init.d/openvpn stop
Stopping virtual private network daemon:.
# mkdir /etc/openvpn/users
# cd /etc/openvpn/users
- Create and sign a certificate for the user. Each user has his own certificate that can be revoked by the server. We make it last 1 year plus 1 month. Since the OpenVPN server key expires before these, the expiration of the server will remind us to re-generate user certificates and distribute them before the user certificates expire.
# openssl req -new -nodes -keyout /etc/openvpn/users/jsmith.key -out /etc/openvpn/users/jsmith.csr
...
Country Name (2 letter code) [US]: {Enter}
State or Province Name (full name) [California]: {Enter}
Locality Name (eg, city) [Silicon Valley]: {Enter}
Organisation Name (eg, company) [My Organization]: {Enter}
Organisational Unit Name (eg, section) [Dev]: {Enter}
Common Name (eg, YOUR name) []: jsmith
Email Address []: sysadmin@mydomain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: {Enter}
An optional company name [My Company]: {Enter}
# openssl ca -policy policy_anything -days 395 -out /etc/openvpn/users/jsmith.crt -infiles /etc/openvpn/users/jsmith.csr
...
Sign the certificate? [y/n]:y
...
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
- Create a basic OpenVPN GUI configuration file for each user.
# vi /etc/openvpn/users/jsmith.ovpn
{Insert}
remote 192.168.115.21
client
dev tun
port 1194
proto tcp
ca "C:\\Program Files\\OpenVPN\\cacert.pem"
cert "C:\\Program Files\\OpenVPN\\jsmith.crt"
key "C:\\Program Files\\OpenVPN\\jsmith.key"
tls-auth "C:\\Program Files\\OpenVPN\\secret.key" 1
persist-tun
persist-key
resolv-retry infinite
ping 10
comp-lzo
verb 4
mute 10
{Save}
- Copy all the user-required keys and configurations off the server.
These files will be given to the appropriate users for use with their client PCs.
These commands will only work if your server is running in VMware Workstation.
In other cases, you'll have to use ftp, rcp, Samba or something else to transfer files from your server to your clients.
# cp /etc/openvpn/users/* /mnt/hgfs/C/.
# cp /etc/openvpn/secret.key /mnt/hgfs/C/.
# cp /etc/ssl/cacert.pem /mnt/hgfs/C/.
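The index.txt database created under /etc/ssl records every certificate the CA signed, with its status (V, R or E), expiry and subject, so it is the place to check which user certificates come due once the server certificate expires. The Python below is an added example, not the article's code; it parses that file and produces the renewal list. SAMPLE_INDEX is constructed on the assumption that the server certificate was signed on 2008-05-15 for 365 days and the user certificates for 395 days, as the guide does.

```python
"""Report certificate status from the CA database (/etc/ssl/index.txt).

Added example, not the article's code.  SAMPLE_INDEX is constructed on the
assumption that the server certificate was signed on 2008-05-15 for 365 days
and the user certificates for 395 days, as the guide does.
"""
import re
from datetime import datetime, timedelta, timezone

_DN = ("/C=US/ST=California/L=Silicon Valley/O=My Organization/OU=Dev"
       "/CN={cn}/emailAddress=sysadmin@mydomain.com")

# Constructed index.txt rows: status, expiry, revocation date, serial, file, DN.
SAMPLE_INDEX = "".join(
    "\t".join(row) + "\n"
    for row in [
        ("V", "090515120000Z", "", "01", "unknown", _DN.format(cn="myserver")),
        ("V", "090614120000Z", "", "02", "unknown", _DN.format(cn="jsmith")),
        ("R", "090614120000Z", "080901093000Z", "03", "unknown", _DN.format(cn="jroberts")),
        ("V", "090614120000Z", "", "04", "unknown", _DN.format(cn="jjones")),
    ]
)


def parse_openssl_time(value):
    """Parse an index.txt timestamp: UTCTime YYMMDDHHMMSSZ (years up to 2049)
    or GeneralizedTime YYYYMMDDHHMMSSZ.  Returned as an aware UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per row.  A revocation field may carry ',reason'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expires, revoked, serial, _filename, subject = line.split("\t")
        cn = re.search(r"(?:^|/)CN=([^/]*)", subject)
        entries.append({
            "status": status,  # V valid, R revoked, E expired
            "expires": parse_openssl_time(expires),
            "revoked": parse_openssl_time(revoked.split(",")[0]) if revoked else None,
            "serial": serial,
            "cn": cn.group(1) if cn else "",
        })
    return entries


def expiring_within(entries, now, days):
    """CNs of still-valid certificates that expire within `days` of `now`, soonest first."""
    horizon = now + timedelta(days=days)
    due = [e for e in entries if e["status"] == "V" and e["expires"] <= horizon]
    return [e["cn"] for e in sorted(due, key=lambda e: e["expires"])]


def revoked_cns(entries):
    """CNs whose certificates have been revoked (they must stay in the CRL)."""
    return [e["cn"] for e in entries if e["status"] == "R"]


def renewal_report(text, now, server_cn):
    """What the operator has to do when the server certificate expires: every
    valid user certificate expiring within the following 31 days (the guide's
    extra month) needs a new .crt as well, and revoked users stay revoked."""
    entries = parse_index(text)
    server = next((e for e in entries if e["cn"] == server_cn), None)
    if server is None:
        raise ValueError(f"no certificate for {server_cn} in index.txt")
    users_due = [cn for cn in expiring_within(entries, server["expires"], 31)
                 if cn != server_cn]
    return {
        "server_days_left": (server["expires"] - now).days,
        "users_due_with_server": users_due,
        "revoked": revoked_cns(entries),
    }
```

On the real server, call `renewal_report(open("/etc/ssl/index.txt").read(), datetime.now(timezone.utc), "myserver")`.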
Route the OpenVPN network
OpenVPN routing is an alternative to OpenVPN bridging; read the top of this article for a discussion of OpenVPN routing versus OpenVPN bridging. Follow these instructions to configure a new or existing installation with OpenVPN routing.
- Stop the server. Reconfigure to routing from bridging. With routing, the server will be on the imaginary 192.168.89.x network. The server itself will be 192.168.89.1; clients will be 192.168.89.6, 192.168.89.10 and so on.
# /etc/init.d/openvpn stop
# vi /etc/openvpn/local.conf
{Find}
dev tap0
{Replace}
dev tun
{Find}
server-bridge 192.168.44.37 255.255.255.0 192.168.44.182 192.168.44.254
{Replace}
server 192.168.89.0 255.255.255.0
- Edit ip_pool to add the IP addresses of the clients. This is not strictly necessary but it allows you to choose the IP addresses rather than having OpenVPN assign them for you.
# rm /etc/openvpn/ip_pool
# vi /etc/openvpn/ip_pool
jsmith,192.168.89.6
jroberts,192.168.89.10
jjones,192.168.89.14
{Save}
- Start the server.
# /etc/init.d/openvpn start
Starting virtual private network daemon: local
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
(OK).
Bridge the OpenVPN network
OpenVPN bridging is an alternative to OpenVPN routing; read the top of this article for a discussion of OpenVPN routing versus OpenVPN bridging. Follow these instructions to configure a new or existing installation with OpenVPN bridging.
- Install the bridge-utils package, used for bridging (blending together) two networks into a single network.
# apt-get install bridge-utils ...
- Stop the server. Reconfigure to bridging from routing. With bridging, the server will actually connect two real networks: the OpenVPN network and a private subnet behind your server. THIS PRIVATE SUBNET MUST ALREADY EXIST. It can be provided by anything, a wireless network or a router, but it must exist and the physical server must be attached to it. This means that your server computer must have two network cards (under VMware, these may be virtual network cards). The computer will be assigned the 192.168.44.37 IP address on this network and OpenVPN clients will be assigned IP addresses between 192.168.44.182 and 192.168.44.254.
# /etc/init.d/openvpn stop
Stopping virtual private network daemon:.
# vi /etc/openvpn/local.conf
{Find}
dev tun
{Replace}
dev tap0
{Find}
server 192.168.89.0 255.255.255.0
{Replace}
server-bridge 192.168.44.37 255.255.255.0 192.168.44.182 192.168.44.254
{Save}
- Edit ip_pool to add the IP addresses of the clients. This is not strictly necessary but it allows you to choose the IP addresses rather than having OpenVPN assign them for you.
# rm /etc/openvpn/ip_pool
# vi /etc/openvpn/ip_pool
jsmith,192.168.44.183
jroberts,192.168.44.185
jjones,192.168.44.187
{Save}
- For each client, switch to bridging (“tap”) from routing (“tun”).
# vi /etc/openvpn/users/jsmith.ovpn
{Find}
dev tun
{Replace with}
dev tap
{Save}
- Create openvpn-devices to start and stop the OpenVPN bridge. The bridge will blend together two networks: the existing 192.168.44.x network and the OpenVPN network. So, OpenVPN clients will appear as if they are directly attached to the 192.168.44.x network. When “openvpn-devices start” is executed, these networks will be patched together.
# vi /etc/init.d/openvpn-devices
{Insert}
#! /bin/sh
N=/etc/init.d/openvpn-devices
set -e
case "$1" in
  start)
    # make the tap0 device
    /usr/sbin/openvpn --mktun --dev tap0
    /usr/sbin/brctl addbr br0
    /usr/sbin/brctl addif br0 eth1
    /usr/sbin/brctl addif br0 tap0
    /sbin/ifconfig tap0 0.0.0.0 promisc up
    /sbin/ifconfig eth1 0.0.0.0 promisc up
    /sbin/ifconfig br0 192.168.44.37 netmask 255.255.255.0 broadcast 192.168.44.255
    ;;
  stop)
    /sbin/ifconfig br0 down
    /usr/sbin/brctl delbr br0
    # remove the tap0 device
    /usr/sbin/openvpn --rmtun --dev tap0
    ;;
  *)
    echo "Usage: $N {start|stop}" >&2
    exit 1
    ;;
esac
exit 0
{Save}
- Edit openvpn-devices to use the correct subnet and adapter. You should replace 192.168.44.x with the actual values of the private subnet. You should also replace eth1 with eth0 (or eth2 or whatever) which is actually attached to the 192.168.44.x network.
# vi /etc/init.d/openvpn-devices
{Find}
/sbin/ifconfig br0 192.168.44.37 netmask 255.255.255.0 broadcast 192.168.44.255
{Replace}
/sbin/ifconfig br0 192.168.44.37 netmask 255.255.255.0 broadcast 192.168.44.255
{Find}
eth1
{Replace}
eth1
{Save}
- Make openvpn-devices be run when the machine boots.
Ensure that openvpn-devices is called before the OpenVPN server is started.
The OpenVPN server needs the bridge to be available before it starts.
# update-rc.d openvpn-devices defaults
# cd /etc/rc2.d
# mv S16openvpn S21openvpn
- Configure the firewall. If your server has a firewall, don't ignore it. If you ignore it, the firewall will reject packets by default.
# iptables -A INPUT -i tap0 -j ACCEPT
# iptables -A INPUT -i br0 -j ACCEPT
# iptables -A FORWARD -i br0 -j ACCEPT
# iptables -vL
- Start the bridge, then start the OpenVPN server.
# /etc/init.d/openvpn-devices start
# /etc/init.d/openvpn start
Install OpenVPN clients
A step-by-step process to install Windows on a physical machine or a VM is beyond the scope of this article. However, once Windows is installed, you can follow these instructions to install OpenVPN GUI on each Windows client.
- Download and install OpenVPN GUI.
- Copy the CA certificate file (cacert.pem), the secret key (secret.key), the certificate file (e.g. jsmith.crt), the key file (e.g. jsmith.key) and the key request file (e.g. jsmith.csr) to C:\Program Files\OpenVPN.
- Copy the OpenVPN GUI configuration file (e.g. jsmith.ovpn) to C:\Program Files\OpenVPN\config.
- Right-click on the OpenVPN icon in the System Tray and select the “Connect” menu item.
- If the icon turned green, it worked.
If it doesn't work, troubleshoot your OpenVPN GUI client by verifying the following:
- Make sure the client has a unique IP address.
- Make sure the client has a unique name.
- Make sure the client has a unique MAC address (i.e. Physical Address).
- Make sure the client has the correct dev (tap/tun) setting.
- Make sure the client allows traffic through its firewall.
- Make sure the client .ovpn file has Windows line endings.
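Three of the items above (the dev setting, the Windows line endings and the quoting of the Windows paths in the .ovpn file) can be checked mechanically. The Python below is an added example, not the article's code; it writes a client profile in the guide's jsmith.ovpn layout (doubled backslashes inside quotes, CRLF line endings, tls-auth direction 1) and checks an existing profile for those mistakes. The function names are my own and 192.168.115.21 is the guide's example server address.

```python
"""Generate and check a Windows OpenVPN GUI client profile (.ovpn).

Added example, not the article's code.  It reproduces the guide's jsmith.ovpn
layout; function names are mine and 192.168.115.21 is the guide's server address.
"""

WINDOWS_BASE = r"C:\Program Files\OpenVPN"


def quoted_windows_path(filename, base=WINDOWS_BASE):
    """Quote a path for an OpenVPN config: inside double quotes a backslash is an
    escape character, which is why the guide's paths use doubled backslashes."""
    path = base + "\\" + filename
    return '"' + path.replace("\\", "\\\\") + '"'


def client_config(user, server, dev="tun", proto="tcp", port=1194):
    """Build the .ovpn text with Windows (CRLF) line endings, as the
    troubleshooting list requires."""
    lines = [
        f"remote {server}",
        "client",
        f"dev {dev}",
        f"port {port}",
        f"proto {proto}",
        f"ca {quoted_windows_path('cacert.pem')}",
        f"cert {quoted_windows_path(user + '.crt')}",
        f"key {quoted_windows_path(user + '.key')}",
        f"tls-auth {quoted_windows_path('secret.key')} 1",  # the server side uses 0
        "persist-tun",
        "persist-key",
        "resolv-retry infinite",
        "ping 10",
        "comp-lzo",
        "verb 4",
        "mute 10",
    ]
    return "\r\n".join(lines) + "\r\n"


def check_client_config(text, server_dev):
    """Return the mistakes from the guide's troubleshooting list that are visible
    in the file itself (line endings, dev mismatch, tls-auth direction, quoting)."""
    problems = []
    if "\n" in text and "\r\n" not in text:
        problems.append("line endings are LF only; OpenVPN GUI expects CRLF")
    directives = {}
    for line in text.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if line and line[0] not in "#;":
            name, _, rest = line.partition(" ")
            directives[name] = rest
    dev = directives.get("dev")
    if dev != server_dev:
        problems.append(f"dev {dev} does not match the server's dev {server_dev}")
    if not directives.get("tls-auth", "").endswith(" 1"):
        problems.append("tls-auth key direction must be 1 on clients (the server uses 0)")
    for name in ("ca", "cert", "key", "tls-auth"):
        value = directives.get(name, "")
        # Strip escaped pairs; any backslash left over was a lone, unescaped one.
        if value.startswith('"') and "\\" in value.replace("\\\\", ""):
            problems.append(f"{name}: single backslashes inside quotes are escapes; double them")
    return problems


if __name__ == "__main__":
    profile = client_config("jsmith", "192.168.115.21")
    with open("jsmith.ovpn", "w", newline="") as handle:  # newline="" keeps the CRLFs
        handle.write(profile)
    print(check_client_config(profile, "tun") or "jsmith.ovpn looks consistent")
```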
Appendices
These appendices will show how to set up a Debian Linux server from scratch.
VMware Workstation is used because it is the perfect demonstration and testing environment for both Linux and OpenVPN.
Create the VM image
The first step to creating an OpenVPN server is to have a physical or virtual machine.
If you are using a physical machine and already have it, you're done. If you intend to use OpenVPN bridging, verify that your physical machine has two network adapters. If it only has one, you'll need to buy and install another.
If you are using VMware Workstation, create a VM (virtual machine) by doing the following.
- Run VMware Workstation.
- Select the “File|New|Virtual Machine...” menu item.
- Press the “Next” button on the “Welcome” page.
- Press the “Next” button on the “Configuration” page.
- Choose the “Linux” radio button.
- Select “Other Linux 2.6.x kernel” in the “Version” combo box.
- Press the “Next” button.
- Type “myserver” in the “Virtual machine name” edit box.
- Press the “Next” button.
- Choose the “Use network address translation (NAT)” radio button.
- Press the “Next” button.
- Press the “Finish” button.
Install Debian 4.0
The next step is to install an operating system. Install Debian 4.0 by doing the following.
If you are using a physical machine, skip all steps related to the VM and substitute using a physical DVD, instead of an ISO image.
- Download the debian-40r3-i386-netinst.iso installation DVD.
- Double-click the “CD-ROM (IDE 1:0)” item in the “Devices” list box.
- Choose the “Use ISO image:” radio button.
- Select the “debian-40r3-i386-netinst.iso” file in the edit box using the “Browse...” button.
- Press the “OK” button.
- Click the “Start this virtual machine” item in the “Commands” list box.
- Wait for the VM to show the Debian welcome screen.
- Install Debian 4.0 in the VM.
{Click on the VM to capture the mouse}
{Press the “Enter” key to boot}
{Wait for the installation to boot}
{Press the “Enter” key to accept “English” as the language}
{Press the “Enter” key to accept “United States” as the country}
{Press the “Enter” key to accept “American English” as the keyboard layout}
{Wait for devices to be installed}
{Type “myserver” in the “Hostname:” edit box}
{Press the “Enter” key}
{Type “mydomain.com” in the “Domain name:” edit box}
{Press the “Enter” key}
{Wait while the partitioner starts}
{Press the “Enter” key to accept “Guided - use entire disk” as the partitioning method}
{Press the “Enter” key to accept “SCSI1 (0,0,0) (sda)” as the disk to partition}
{Press the “Enter” key to accept “All files in one partition” as the partitioning scheme}
{Press the “Enter” key to accept “Finish partitioning and write changes to disk” as the action}
{Press the left arrow key to select the “Yes” button}
{Press the “Enter” key to write the changes to disks}
{Wait while partitions are formatted}
{Select the “Pacific” item in the list box}
{Press the “Enter” key to accept the time zone}
{Type a root password in the “Root password:” edit box}
{Press the “Enter” key to accept the password}
{Type the same root password in the “Re-enter password to verify:” edit box}
{Press the “Enter” key to accept the password}
{Type “Sys Admin” in the “Full name for the new user:” edit box}
{Press the “Enter” key to accept the name}
{Type “sysadmin” in the “Username for your account:” edit box}
{Press the “Enter” key to accept the name}
{Type a sysadmin user password in the “Choose a password for the new user:” edit box}
{Press the “Enter” key to accept the password}
{Type the same sysadmin user password in the “Re-enter password to verify:” edit box}
{Press the “Enter” key to accept the password}
{Wait while the base system is installed}
{Press the “Enter” key to use a network mirror}
{Press the “Enter” key to use the “United States” as the mirror country}
{Press the “Enter” key to use “ftp.us.debian.org” as the mirror}
{Press the “Enter” key to indicate no HTTP proxy}
{Wait while packages are installed}
{Press the “Enter” key to NOT participate in the package usage survey}
{Press the space bar to deselect “Desktop environment” item}
{Press the “Enter” key to accept the software selection}
{Wait while packages are retrieved and configured for 15 minutes or so}
{Press the “Enter” key to install the GRUB boot loader}
{Wait until the installation is complete}
{Press the Ctrl-Alt key combo to release the mouse from the VM}
- Double-click the “CD-ROM (IDE 1:0)” icon in the lower right corner of the window.
- Choose the “Use physical drive:” radio button.
- Press the “OK” button.
- If you are using VMware Workstation, you can skip this step. If you are using a physical machine that will directly connect to an ISP via cable or DSL, connect the machine to the ISP according to the ISP's instructions. Verify that the connection works.
# ping yahoo.com
PING yahoo.com (66.94.234.13) 56(84) bytes of data.
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=1 ttl=128 time=24.0 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=2 ttl=128 time=21.1 ms
{Press Ctrl-C}
--- yahoo.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1013ms
rtt min/avg/max/mdev = 21.186/22.620/24.054/1.434 ms
- Upgrade the Debian 4.0 installation to the latest kernel and packages.
{Click on the VM to capture the mouse}
{Press the “Enter” key to continue and reboot}
{Wait while the VM reboots}
...
myserver login: root
Password: {Type the root password}
...
Linux myserver 2.6.18-6-686 #1 SMP Tues Aug 16 13:22:48 ...
# apt-get dist-upgrade
...
The following packages will be upgraded:
linux-image-2.6.18-6-686 ...
Do you want to continue [Y/n]? {Press the “Enter” key}
...
{Press the “Tab” key to highlight the “Ok” button}
{Press the “Enter” key to accept the configuring image notice}
...
# shutdown -r now
{Wait while the VM reboots}
...
myserver login: root
Password: {Type the root password}
...
Linux myserver 2.6.18-6-686 #1 SMP Tues Aug 16 13:25:49 ...
# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded
{Press Ctrl-Alt to release the mouse from the VM}
Install VMware Tools
VMware Tools allows you to easily copy files between your VM and your physical (host) machine.
If you are using a physical machine, you don't have a host machine so you can skip this section.
- Double-click the “CD-ROM (IDE 1:0)” icon in the lower right corner of the window.
- Choose the “Use ISO image:” radio button.
- Select the “debian-40r3-i386-netinst.iso” file in the edit box using the “Browse...” button.
- Press the “OK” button.
- Install build tools and the kernel headers so VMware Tools can build the video and network drivers that it needs.
{Click on the VM to capture the mouse}
# apt-get install psmisc make gcc
...
Do you want to continue [Y/n]? {Press the “Enter” key}
...
# apt-cache search headers | less
...
linux-headers-2.6.18-6-686 - Header files for Linux 2.6.18 on PPro/Celeron/PII/PIII/P4
...
{Remember the exact name similar to above so you can use it below}
{Press the "Q" key to quit}
# apt-get install linux-headers-2.6.18-6-686
...
Do you want to continue? [Y/n] {Press the “Enter” key}
...
#
{Press Ctrl-Alt to release the mouse from the VM}
- Select the “VM|Settings...” menu item.
- Click on the “Options” tab.
- Select the “Shared Folders” item on the left.
- Press the “Add...” button.
- Press the “Next” button on the “Welcome” page.
- Type “C” into the “Name” edit box.
- Type “C:\” into the “Host folder” edit box.
- Press the “Next” button.
- Press the “Finish” button.
- Press the “OK” button.
- Select the “VM|Install VMware Tools...” menu item.
- Press the “Install” button.
- Install VMware Tools.
{Click on the VM to capture the mouse}
# mount /cdrom
mount: block device /dev/hdc is write-protected, mounting read-only
# cd /tmp
# tar zxvf /cdrom/VMwareTools-5.5.3-34685.tar.gz
...
# cd vmware-tools-distrib
# ./vmware-install.pl
...
In which directory do you want to install the binary files? [/usr/bin] {Press the “Enter” key}
...
What is the directory that contains the init directories (rc0.d/ to rc6.d/)? [/etc] {Press the “Enter” key}
...
What is the directory that contains the init scripts? [/etc/init.d] {Press the “Enter” key}
...
In which directory do you want to install the daemon files? [/usr/sbin] {Press the “Enter” key}
...
In which directory do you want to install the library files? [/usr/lib/vmware-tools] {Press the “Enter” key}
...
The path "/usr/lib/vmware-tools" does not exist currently. This program is going to create it, including needed parent directories. Is this what you want? [yes] {Press the “Enter” key}
...
In which directory do you want to install the documentation files? [/usr/share/doc/vmware-tools] {Press the “Enter” key}
...
The path "/usr/share/doc/vmware-tools" does not exist currently. This program is going to create it, including needed parent directories. Is this what you want? [yes] {Press the “Enter” key}
...
Before running VMware Tools for the first time, you need to configure it by invoking the following command: "/usr/bin/vmware-config-tools.pl". Do you want this program to invoke the command for you now? [yes] {Press the “Enter” key}
...
None of the pre-built vmhgfs modules for VMware Tools is suitable for your running kernel. Do you want this program to try to build the vmhgfs module for your system (you need to have a C compiler installed on your system)? [yes] {Press the “Enter” key}
...
What is the location of the directory of C header files that match your running kernel? [/lib/modules/2.6.18-6-686/build/include] {Press the “Enter” key}
...
To use the vmxnet driver, restart networking with the following commands:
/etc/init.d/networking stop
rmmod pcnet32
rmmod vmxnet
depmod -a
modprobe vmxnet
/etc/init.d/networking start
Enjoy,
-- the VMware team
- Configure VMware Tools and verify that networking still works.
# /etc/init.d/networking stop
Deconfiguring network interfaces...done.
# rmmod pcnet32
ERROR: Module pcnet32 does not exist in /proc/modules
# rmmod vmxnet
ERROR: Module vmxnet does not exist in /proc/modules
# depmod -a
# modprobe vmxnet
VMware vmxnet virtual NIC driver release 3.1.0 build-19175
ACPI: PCI interrupt 0000:00:11.0[A] -> GSI 18 (level, low) -> IRQ 185
Found vmxnet/PCI at 0x1424, irq 185.
# /etc/init.d/networking start
Configuring network interfaces...done.
# ls /mnt/hgfs
C
# ping yahoo.com
PING yahoo.com (66.94.234.13) 56(84) bytes of data.
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=1 ttl=128 time=24.0 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=2 ttl=128 time=21.1 ms
{Press Ctrl-C}
--- yahoo.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1013ms
rtt min/avg/max/mdev = 21.186/22.620/24.054/1.434 ms
{Press Ctrl-Alt to release the mouse from the VM}
Make a static IP address
By default, Debian 4.0 will configure itself to use a dynamic IP address obtained through DHCP. Since servers need static IP addresses so that they are easy to find, you should configure Debian 4.0 to use a static IP address.
If you are using a physical machine that will directly connect to an ISP via cable or DSL, skip this step.
- Find what subnet the VM is on.
The subnet is usually at the top of the “Destination” column (e.g. 192.168.115.x).
The “Iface” column on the same row should be eth0.
# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.115.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.115.2   0.0.0.0         UG        0 0          0 eth0
- Replace DHCP with a static IP address using the same subnet and make eth0 automatically start when the system boots.
Assign any IP (e.g. “.21”) to the machine; the gateway is always “.2”.
{Click on the VM to capture the mouse}
# ifdown eth0
...
DHCPRELEASE on eth0 to 192.168.115.254 port 67
# vi /etc/network/interfaces
{Find}
allow-hotplug eth0
iface eth0 inet dhcp
{Replace with}
auto eth0
allow-hotplug eth0
iface eth0 inet static
address 192.168.115.21
netmask 255.255.255.0
gateway 192.168.115.2
{Save}
# /etc/init.d/networking restart
Reconfiguring network interfaces...done.
# ifup eth0
eth0: link up
- Verify that the static IP address is working.
# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.115.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.115.2   0.0.0.0         UG        0 0          0 eth0
# ping yahoo.com
PING yahoo.com (66.94.234.13) 56(84) bytes of data.
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=1 ttl=128 time=24.0 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13): icmp_seq=2 ttl=128 time=21.1 ms
{Press Ctrl-C}
--- yahoo.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1013ms
rtt min/avg/max/mdev = 21.186/22.620/24.054/1.434 ms
{Press Ctrl-Alt to release the mouse from the VM}
Make a second static IP address
A second IP address and subnet is needed for OpenVPN bridging. If you only want to use OpenVPN routing, it is harmless but useless to have a second IP address.
If you are using a physical machine, your physical machine must have two network adapters to use OpenVPN bridging. If it only has one, you'll need to buy and install another. Then, follow the steps, ignoring steps related to VMware Workstation.
If you are using VMware Workstation, you can create a second virtual network adapter using a VMware “Custom Networking Configuration”. Set up and configure custom networking by doing the following.
- Shutdown the server using the “shutdown” command in the VM:
{Click on the VM to capture the mouse}
# shutdown -h now
{Wait for the VM to shut down}
{Press Ctrl-Alt to release the mouse from the VM}
- Click the “Edit virtual machine settings” item in the “Commands” list box.
- Press the “Add...” button.
- Press the “Next” button on the “Welcome” page.
- Select the “Ethernet Adapter” item in the “Hardware types:” list box.
- Press the “Next” button.
- Choose the “Custom: Specific virtual network” radio button.
- Select “VMnet2” in the combo box.
- Press the “Finish” button.
- Press the “OK” button.
- Select the “Edit|Virtual Network Settings...” menu item.
- Click the “DHCP” tab.
- Press the “Add...” button.
- Select “VMnet2” in the “VMnet host:” combo box.
- Press the “OK” button.
- Press the “Apply” button.
- Write down the “Subnet” column of the VMnet2 row (e.g. 192.168.44.0).
- Press the “OK” button.
- Click the “Start this virtual machine” item in the “Commands” list box.
- Wait while the image boots.
- Add the second IP address on the subnet that you wrote down above.
Assign any IP (e.g. “.37”) to the machine.
{Click on the VM to capture the mouse}
myserver login: root
Password: {Type root password}
...
# vi /etc/network/interfaces
{Append}
auto eth1
allow-hotplug eth1
iface eth1 inet static
address 192.168.44.37
netmask 255.255.255.0
{Save}
# /etc/init.d/networking restart
Reconfiguring network interfaces...eth0: link up
eth1: link up
done.
- Verify that the /etc/network/interfaces file is correct (using “cat /etc/network/interfaces”).
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
allow-hotplug eth0
iface eth0 inet static
address 192.168.115.21
netmask 255.255.255.0
gateway 192.168.115.2

auto eth1
allow-hotplug eth1
iface eth1 inet static
address 192.168.44.37
netmask 255.255.255.0
E-mail Dan Howard about this article

