Plesk OpenVPN fails to start
I've just configured OpenVPN, downloaded the Windows client, and attempted to enable the service.
Enabling the OpenVPN service failed with:
openvpn[24562]: OpenVPN 2.0.1 i686-pc-linux [CRYPTO] [LZO] [EPOLL] built on Jun 13 2006
openvpn[24562]: WARNING: file '/usr/local/psa/var/modules/vpn/vpn-key' is group or others
openvpn[24562]: LZO compression initialized
openvpn[24562]: Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)
openvpn[24562]: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
openvpn[24562]: Cannot allocate TUN/TAP dev dynamically
openvpn[24562]: Exiting
The download of the Windows client in a ZIP file is nice but there should be basic installation instructions included in it, because it isn't obvious what to do.
0. Ensure Windows allows installation of Unsigned drivers, and you're running with Administrators group permissions
1. Extract contents of openvpn-package.zip to a logical location: C:\Program Files\OpenVPN
2. Execute "C:\Program Files\OpenVPN\install TAP device.bat"
3. Approve installation of the two device drivers.
4. "Press any key to continue..." to complete installation.
5. To connect, execute "C:\Program Files\OpenVPN\Connect to VPN.bat"
No DNS PTR record?
The OpenVPN client is also failing with:
RESOLVE: Cannot resolve host address: 72-4-174-160.ptr.primarydns.com: [NO_DATA] The requested name is valid but does not have an IP address.
I've done some DNS lookups through my own DNS server, and directly to ns1.primarydns.com and cannot resolve the name either.
jeffo
10-27-2006, 02:33 PM
Hello Teej,
Please log into your account at https://my.gate.com/login/login.htm and submit a ticket so that we can add the PTR (reverse) record for your account. Unfortunately however, Gate.com does not support issues with VPN connections.
It seems like there are a few bugs to iron out of your systems!
I can't log-in to the VPS because I'm asked to enter a Membership Number and Verification Code, neither of which I have.
So I follow Option 3 "I need both my Membership Number and my Verification Code"
Here I'm asked for both my domain name and credit card number.
As I signed up for an account without a domain name I tried both leaving this blank, and entering the IP address included in the Welcome email.
I'm unable to progress further without this information.
After waiting a few weeks I put in another support request to have this resolved.
I know what commands to issue to fix the problem but I thought I'd use this as a test of the technical competence of the gate.com support service.
Imagine my surprise to find that it had somehow been interpreted as a reboot request!
Here are the details:
17:41 20th December
Subject: Hardware Issue
When trying to start the VPN in Plesk it reports:
-----
Error: There was a problem starting or stopping the OpenVPN daemon:
psa-vpn: OpenVPN failed to start
-----
and the log shows:
openvpn[15488]: OpenVPN 2.0.1 i686-pc-linux [CRYPTO] [LZO] [EPOLL] built on Jun 13 2006
openvpn[15488]: WARNING: file '/usr/local/psa/var/modules/vpn/vpn-key' is group or others accessible
openvpn[15488]: LZO compression initialized
openvpn[15488]: Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)
openvpn[15488]: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
openvpn[15488]: Cannot allocate TUN/TAP dev dynamically
openvpn[15488]: Exiting
This occurs because the VE hasn't been correctly configured (using vzctl).
Could you please fix this.
14:50 21st December
Dear TJ,
Thank you for contacting Gate.com Dedicated technical support.
The reboot request has been made. You will receive an e-mail when it has been completed and they have looked into your error.
If you have any questions, please feel free to ask. Also please visit FAQ's at http://support.gate.com
Thank you,
Ray K.
Gate.com Technical Support
Phone Support: 24/7
800.522.0342
15:41 21st December
Subject: Notification of Incident Closure
Dear Gate.com Customer,
Please be advised that the following incident reported by 'gate.com@******.net' has been successfully resolved:
Incident #: 4062889
Description: 1481 Restart - VPS
SERIAL NUM: 000000
Date Opened: 12/21/2006 09:33
Date Closed: 12/21/2006 09:49
Dear Valued Customer,
Your VPS has been successfully restarted.
19:24 21st December
I'm not sure whether to laugh or cry! How can my report of a problem in enabling the VPN (Virtual Private Network) service be mistaken for a request to reboot?
I included a full description of the problem and also told you what the solution is - to correct the configuration of the VE using Virtuozzo's vzctl so that openVPN will start. You may need to read the Virtuozzo administrators guide.
Please re-open the incident and apply the fix.
In my incident report I gave the 'support engineers' a clue as to how to solve the problem, but they totally missed it.
The issue is a bad configuration of the VE. It can be fixed on the host server using the Virtuozzo tool vzctl.
You'd hardly credit it, but even after what has gone before the response from Gate support suggests that no-one in the organisation knows what they're doing when it comes to operating and managing a Virtuozzo VPS server!
03:26 22nd December
Dear TJ,
The Technician Ray had to leave a reboot request to have the server reset. He also left a detailed ticket with the problem you are having. The administrator got that ticket and did further investigation after the reboot was completed. The administrator reported the VPS server and services are back up and running fine.
Thank you for contacting Gated dedicated Technical Support
Tim M.
08:40 29 December (From me to Gate support)
This *still* hasn't been fixed, and from the text of the most recent reply it is clear that the server administrator either hasn't bothered to read the problem, or doesn't know the difference between a VPS and a VPN!
For the avoidance of doubt I'll restate the issue:
The VPN (Virtual Private Network) configured using the Plesk Control Panel fails to start, and the report in /var/log/messages shows a couple of errors. The problem is caused by the HOST server (the one that hosts the VEs) not being correctly configured to support openVPN. openVPN is the package used by Plesk to provide the VPN service.
Note: I said V.P.N. *not* V.P.S.
If your administrator doesn't know the commands to issue on the HOST using vzctl I'll provide them here:
1) Allow the VPS to use the tun/tap device:
vzctl set <MyVPSnode> --devices c:10:200:rw --save
2) Create the device in the VPS:
vzctl exec <MyVPSnode> mkdir -p /dev/net
vzctl exec <MyVPSnode> mknod /dev/net/tun c 10 200
3) Set proper permissions for /dev/net/tun:
vzctl exec <MyVPSnode> chmod 600 /dev/net/tun
Finally, restart the psa-vpn.
I'll also note that your 'support request' form is totally inadequate in terms of the limited number of categories available to file incidents - as witnessed by the best category being "hardware" for me to file this incident against.
TJ.
Finally OpenVPN is up and working, after almost 2 1/2 months!! I still had to correct issues caused by the continued bad configuration of the Virtuozzo VEs.
I received this email today:
Dear Gate.com Customer,
Please be advised that the following incident reported by 'gate.com@xxxx.tld' has been successfully resolved:
Description: 1480 VPS - System Admin Escallation
Date Opened: 12/30/2006 03:41
Date Closed: 1/12/2007 11:17
Commands have been run on your VPS #231 according to your instructions and SWSoft's KB article @ http://kb.swsoft.com/article_130_696_en.html
I have started your psa-vpn daemon w/ pid 11873.
Please let me know if there are any issues.
Regards,
Dan
I accessed the server via ssh and confirmed that openvpn service is now running:
$ ps aux | grep vpn
root 11873 0.0 0.2 2916 1384 ? Ss 16:12 0:00 /usr/local/psa/admin/sbin/modules/vpn/openvpn --config /usr/local/psa/var/modules/vpn/openvpn.conf
From the Virtuozzo control panel add rules to the firewall's input and output chains:
Virtuozzo > VPS Services > Firewall
Input - Add Rule = "OpenVPN" accept UDP destination-port 1194
Output - Add Rule = "OpenVPN" accept UDP source-port 1194
Next, you need to manually add rules to the netfilter configuration using iptables which allow all traffic to flow between the two hosts on whichever interface openvpn uses (tun or tap), and then save the changes:
$ sudo su
$ /sbin/iptables -I INPUT -i tun+ -j ACCEPT
$ /sbin/iptables -I INPUT -i tap+ -j ACCEPT
$ /sbin/iptables -I OUTPUT -o tun+ -j ACCEPT
$ /sbin/iptables -I OUTPUT -o tap+ -j ACCEPT
$ /sbin/iptables-save > /etc/sysconfig/iptables
Note: when you save new firewall rules from the Virtuozzo control panel, ensure that these have not been removed!!
This is what the INPUT table should look like (OUTPUT will be similar)
$ /sbin/iptables -L INPUT -v
Chain INPUT (policy DROP 22 packets, 1800 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun+ any anywhere anywhere
52 7421 ACCEPT all -- tap+ any anywhere anywhere
19 1159 ACCEPT icmp -- any any anywhere anywhere
5270 368K VZ_INPUT all -- any any anywhere anywhere
You'll need the same rules adding to the openvpn client PC. Additionally, if you want other PCs on the local LAN to be able to use the tunnel, you'll need to add additional local rules:
$ sudo iptables -A FORWARD -i tun+ -j ACCEPT
$ sudo iptables -A FORWARD -i tap+ -j ACCEPT
As always, you'll need to fix the error introduced by Gate having badly configured IP addresses for the VPS.
If your VPS shows two IP addresses and the first is marked as faulty, then you need to keep in mind that many application configurations will use that first IP, which is actually the IP of the Hardware Node (HN).
In the case of openvpn this IP will be inserted in the auto-generated openvpn.conf file which you download along with the vpn-key from Plesk > Modules > Virtual Private Networking - "Download client packages".
When you've downloaded and extracted the contents of the archives, you'll need to edit openvpn.conf and replace the incorrect HN IP address, with your VPS IP address:
#
# Automatically generated by Plesk VPN module
#
remote 72-4-174-160.ptr.primarydns.com
In my case I had to replace the hostname 72-4-174-160 (the HN IP) with 72-4-174-168 (the VPS IP) so it reads:
remote 72-4-174-168.ptr.primarydns.com
Now, on your local PC in the directory where the openvpn.conf and vpn-key are, set correct permissions on vpn-key and create a user-accessible log file:
$ chmod 400 vpn-key
$ touch openvpn.log
Now start openvpn and attempt the connection:
$ sudo openvpn --config openvpn.conf --log openvpn.log
If you now examine the log you should, if everything was successful, see something similar to this:
$ cat openvpn.log
Fri Jan 12 19:19:50 2007 OpenVPN 2.0.7 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 13 2006
Fri Jan 12 19:19:50 2007 LZO compression initialized
Fri Jan 12 19:19:50 2007 TUN/TAP device tap0 opened
Fri Jan 12 19:19:50 2007 ifconfig tap0 10.254.250.10 netmask 255.255.255.252 mtu 1500 broadcast 10.254.250.11
Fri Jan 12 19:19:50 2007 UDPv4 link local (bound): [undef]:1194
Fri Jan 12 19:19:50 2007 UDPv4 link remote: 72.4.174.168:1194
Fri Jan 12 19:20:00 2007 Peer Connection Initiated with 72.4.174.168:1194
Fri Jan 12 19:20:00 2007 Initialization Sequence Completed
Now check the tunnel is working by pinging the far end:
$ ping 10.254.250.9
PING 10.254.250.9 (10.254.250.9) 56(84) bytes of data.
64 bytes from 10.254.250.9: icmp_seq=1 ttl=64 time=286 ms
64 bytes from 10.254.250.9: icmp_seq=2 ttl=64 time=156 ms
64 bytes from 10.254.250.9: icmp_seq=3 ttl=64 time=140 ms
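The conditions this thread checks by hand (key file permissions, the TUN device node, and whether the tun+/tap+ rules survived a firewall save), gathered into one script as an added example that is not part of the original posts or of Plesk/Virtuozzo. The function names are hypothetical, and it assumes Linux with a `stat` that supports `-c` (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example: pre-flight checks for the failures seen in this thread.

# Key file must grant nothing to group or others: the condition behind
# OpenVPN's "group or others accessible" warning in the logs above.
check_key_perms() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo missing; return 2; }
    case "00$mode" in            # pad so short modes like "0" or "70" compare
        *00) echo ok ;;
        *)   echo "loose:$mode"; return 1 ;;
    esac
}

# TUN node must be a character device, major 10 minor 200 (what
# "mknod /dev/net/tun c 10 200" creates). stat prints both in hex: a:c8.
check_tun_node() {
    local dev id
    dev=${1:-/dev/net/tun}
    [ -e "$dev" ] || { echo missing; return 2; }
    [ -c "$dev" ] || { echo not-char-device; return 1; }
    id=$(stat -c '%t:%T' "$dev")
    [ "$id" = "a:c8" ] || { echo "wrong-id:$id"; return 1; }
    echo ok
}

# A saved ruleset (iptables-save format) must still hold the tun+/tap+ ACCEPT
# rules. Prints each missing rule; the return status is the number missing.
check_saved_rules() {
    local chain flag ifc missing
    missing=0
    for chain in INPUT OUTPUT; do
        if [ "$chain" = INPUT ]; then flag=-i; else flag=-o; fi
        for ifc in tun+ tap+; do
            # -F matches a fixed string, so "+" is not read as a regex operator
            if ! grep -Fq -- "-A $chain $flag $ifc -j ACCEPT" "$1"; then
                echo "missing: $chain $flag $ifc ACCEPT"
                missing=$((missing + 1))
            fi
        done
    done
    return "$missing"
}

# Run directly as: script KEYFILE [TUNDEV] [SAVED_RULES_FILE]
if [ "$#" -ge 1 ]; then
    echo "key:   $(check_key_perms "$1")"
    echo "tun:   $(check_tun_node "${2:-/dev/net/tun}")"
    if [ -n "${3:-}" ]; then check_saved_rules "$3" || true; fi
fi
```

A correct device node only shows the `mknod` step was done; inside a Virtuozzo VE the `--devices` grant set on the host is still required before OpenVPN can open it.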