OpenVPN
From LinodeWiki
Setting up OpenVPN Server and Client
My example server is Debian 4.0, and the client machine is Windows XP. This should remain true on any distro, but slight changes in file locations may exist.
First, I started with a clean install of Debian, and I configured both of my ethernet interfaces. In this example, I used 192.168.1.186 for eth0 (external interface) and 10.0.3.1 for eth1 (internal interface).
Install Software
Issue the following commands to install all the packages needed and to get started:
apt-get install openvpn openssl ca-certificates bridge-utils
cd /etc/openvpn
mv /usr/share/doc/openvpn/examples/easy-rsa ./
cd easy-rsa/2.0
mkdir keys
Create Certificate Authority, Server and Client Certificates
At this point, you should already be in the easy-rsa/2.0 directory. You will want to edit the vars file. vars sets up all the defaults when generating keys for your clients and server. The last five lines of this file are what we're concerned with. For this example, I made them the following:
export KEY_COUNTRY="US"
export KEY_PROVINCE="State"
export KEY_CITY="City"
export KEY_ORG="Organization"
export KEY_EMAIL="support@domain.tld"
Save the file, and then run the following commands. The source is important, otherwise the variables will not persist across script executions. **** DO NOT RUN clean-all ON A WORKING INSTALL YOU DON'T WANT TO BREAK!!! See below for generating additional certs for new users ****
source ./vars
./clean-all
./build-ca
build-ca will generate a bunch of output, and it will ask you to enter some information. Most of it will be the same information you added to the vars file, so you can press Enter to use the default. The only info you'll need to explicitly define is the CN or Common Name of the server. For this example, I used "vpn.domain.tld". Provided this all completes, you will now have your very own certificate authority. This sounds a lot cooler than it really is, and is actually quite anti-climactic.
Next, we need to build the certificate for the server itself. This can be done by issuing the command:
./build-key-server vpn.domain.tld
Again, your server will probably have a different name, so edit as needed.
Next, we will issue a certificate for a client machine. This is pretty simple. For this example, we're using a separate client certificate for each client, plus forcing them to authenticate against the PAM database. Issue the following command:
./build-key user
Again, this will use the defaults from vars, so you can accept those, except for common name and email. For my examples, I am using the name of the client (user) for the CN. For email, I used user@domain.tld. I did not use a challenge password. Once you've entered everything, it will show a summary of the key to be created. Make sure you verify all of this info. If it is correct, answer yes to sign the key. To generate additional certificates later, you need only run "source ./vars; ./build-key <user>".
Once you have signed the key, it will ask you to commit the certificate request. Answer yes here. At this point, you can verify the key is there by typing:
ls -lah keys/user*
This should present the following output:
-rw-r--r-- 1 root root 3.8K 2008-02-21 11:41 keys/user.crt
-rw-r--r-- 1 root root  688 2008-02-21 11:39 keys/user.csr
-rw------- 1 root root  887 2008-02-21 11:39 keys/user.key
Finally, Diffie-Hellman parameters must be generated for the OpenVPN server. This is done by:
./build-dh
This will take a minute or two. Have a Coke™.
Configure Server
Next, create your server configuration file, located at /etc/openvpn/server.conf:
port 1194
proto udp
dev tap1
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-to-client
ca /etc/openvpn/server-keys/keys/ca.crt
cert /etc/openvpn/server-keys/keys/vpn.domain.tld.crt
# private key matching the server certificate; OpenVPN will not start without it
key /etc/openvpn/server-keys/keys/vpn.domain.tld.key
dh /etc/openvpn/server-keys/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.1 255.255.255.0 192.168.1.50 192.168.1.60
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
You can find a fully commented file explaining all of these options in the sample configuration, which is located at /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz.
This configuration says that we are using the standard port number, UDP transport, and a bridged Ethernet configuration. We define the CA, server certificate, and Diffie-Hellman files.
The following line is important.
server-bridge 192.168.1.1 255.255.255.0 192.168.1.50 192.168.1.60
This defines the pool of IP addresses that will be used for clients. For this example, I have 10 addresses defined, which might not be enough for a large office. Adjust as needed.
Ethernet to Tunnel Bridging
Since we are setting up an example where your client machine is assigned an address local to the trusted side of the VPN, we must bridge the physical Ethernet interface to the virtual VPN interface. This is done with a couple of scripts and the bridge-utils package that we installed earlier. There are two scripts for this, aptly named bridge-start and bridge-stop. A small amount of iptables configuration is also needed; the following commands set it up. These rules should be saved so that they persist across reboots.
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
bridge-start
#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap1"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth1"
eth_ip="192.168.1.1"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
bridge-stop
#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap1"

ifconfig $br down
brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
done
Finally, make them executable.
chmod +x /etc/openvpn/bridge-*;
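The server.conf from the previous section, the bridge-start script and the iptables rules above all have to name the same interfaces, and that is where a bridged setup most often goes wrong. The script below is an added example, not part of the original page and not OpenVPN's or easy-rsa's own code: it parses the config, checks that the four TLS files are declared, that the server-bridge pool lies inside the bridged subnet, that the TAP device the server opens is one bridge-start adds to br0, and that every interface named in a firewall rule is one these scripts actually create. It also counts the pool and flags the 1024-bit DH group that easy-rsa 2.0 generates by default. The page's own snippets are embedded inline (with the key directive the server needs alongside cert) so it runs offline; the lint rules and messages are my own.

```python
"""Added example (not from the wiki page or the OpenVPN project): cross-check
server.conf against bridge-start and the iptables rules for interface mismatches."""
import ipaddress
import re

# server.conf as shown on the page, plus the key directive that goes with cert.
SERVER_CONF = """\
port 1194
proto udp
dev tap1
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-to-client
ca /etc/openvpn/server-keys/keys/ca.crt
cert /etc/openvpn/server-keys/keys/vpn.domain.tld.crt
key /etc/openvpn/server-keys/keys/vpn.domain.tld.key
dh /etc/openvpn/server-keys/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.1 255.255.255.0 192.168.1.50 192.168.1.60
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
"""
# Interface assignments from the page's bridge-start script.
BRIDGE_START = 'br="br0"\ntap="tap1"\neth="eth1"\n'
# The page's three iptables rules.
IPTABLES_RULES = """\
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
"""

def parse_config(text):
    """Parse an OpenVPN config into {directive: [args]}; first occurrence wins.
    Blank lines and '#'/';' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        conf.setdefault(parts[0], parts[1:])
    return conf

def shell_var(script, name):
    """Value of a simple name="value" line in a shell script ('' if absent)."""
    m = re.search(rf'^{name}="([^"]*)"', script, re.M)
    return m.group(1) if m else ""

def pool_size(conf):
    """Number of addresses in the server-bridge pool (both ends inclusive)."""
    _gw, _mask, start, end = conf["server-bridge"]
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1

def pool_in_subnet(conf):
    """True if both ends of the pool fall inside the bridged subnet."""
    gw, mask, start, end = conf["server-bridge"]
    net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
    return ipaddress.IPv4Address(start) in net and ipaddress.IPv4Address(end) in net

def lint_server(conf, bridge_start, iptables_rules):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # OpenVPN will not start in TLS mode without all four files.
    for d in ("ca", "cert", "key", "dh"):
        if d not in conf:
            findings.append(f"missing directive: {d}")
    # easy-rsa 2.0 defaults to 1024-bit DH parameters, which are too small today.
    m = re.search(r"dh(\d+)", conf.get("dh", [""])[0])
    if m and int(m.group(1)) < 2048:
        findings.append(f"dh group is only {m.group(1)} bits; regenerate with 2048 or more")
    # The pool must lie inside the bridged subnet or clients get unroutable addresses.
    if "server-bridge" in conf and not pool_in_subnet(conf):
        findings.append("server-bridge pool lies outside the bridged subnet")
    # The TAP device the server opens must be one bridge-start adds to the bridge.
    dev = conf.get("dev", [""])[0]
    taps = shell_var(bridge_start, "tap").split()
    if dev not in taps:
        findings.append(f"server uses {dev!r} but bridge-start bridges {taps}")
    # Every interface named in a firewall rule should be one these scripts create.
    known = set(taps) | {shell_var(bridge_start, "br"), shell_var(bridge_start, "eth")}
    for iface in re.findall(r"-i\s+(\S+)", iptables_rules):
        if iface not in known:
            findings.append(f"iptables rule names {iface!r}, which no script here creates")
    return findings

if __name__ == "__main__":
    conf = parse_config(SERVER_CONF)
    print("pool size:", pool_size(conf))
    for finding in lint_server(conf, BRIDGE_START, IPTABLES_RULES):
        print("WARN:", finding)
```

Run against the page's own files it reports two findings: the dh1024.pem group, and the INPUT rule for tap0, an interface that neither server.conf (dev tap1) nor bridge-start ever creates. The pool count it prints is the inclusive size of the range, which is the number you should compare against the number of concurrent clients you expect.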
Making it all go
At this point in the game, all of the config is done. Now we get to test that it will actually start...
The OpenVPN bridge can now be started and stopped using this sequence:
* run /etc/openvpn/bridge-start
* run /etc/init.d/openvpn start
* run /etc/init.d/openvpn stop
* run /etc/openvpn/bridge-stop
The default init script /etc/init.d/openvpn has no concept of, or provision for, our bridge-start/stop scripts, so we will need to edit it. Open the file in your text editor and change this:
start_vpn () {
if grep -q '^[ ]*daemon' $CONFIG_DIR/$NAME.conf ; then
To:
start_vpn () {
/etc/openvpn/bridge-start
if grep -q '^[ ]*daemon' $CONFIG_DIR/$NAME.conf ; then
The next change is similar. Change:
stop_vpn () {
kill `cat $PIDFILE` || true
To:
stop_vpn () {
kill `cat $PIDFILE` || true
/etc/openvpn/bridge-stop
I like to reboot to test.
XP Client Configuration
The client configuration is not so different from the server side.
Once you have your server in place and running, go ahead and install the client software. As a side note, the Windows version is both client and server, so should you decide you need to deploy a VPN server on your Windows laptop, you have that option. You can download the client from http://www.openvpn.org/; for my example I am using version 2.1 rc7 [1].
While the software has a "GUI", all config is done in text files. You will need your key files from the server install. The security of the private key is very important: if it is disclosed, anyone who has it can connect to the VPN until the key is revoked. So make sure to use secure transport methods and best security practices in protecting the key.
For this, I used WinSCP. I retrieved ca.crt, user.crt and user.key from vpn.domain.tld:/etc/openvpn/server-keys/keys. I placed these files in C:\Program Files\OpenVPN\keys\
Using the sample client config file (client.ovpn) available with the install, located in C:\Program Files\OpenVPN\sample-config, I built this config file.
C:\Program Files\OpenVPN\config\client.ovpn
client
auth-user-pass
dev tap
dev-node TAP
proto udp
remote vpn.domain.tld 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\keys\\user.crt"
key "C:\\Program Files\\OpenVPN\\keys\\user.key"
comp-lzo
verb 3
When you installed the OpenVPN software, it created a TAP network device. The original name of that interface was something along the lines of "Local Area Connection 3", so for my example, I renamed it to simply "TAP". This device name must match the dev-node line in the config. You can rename the connection by clicking Start -> Control Panel -> Network Connections.
Identify the interface by its "Device Name", which is different from just the "Name" column. The device name should be TAP-Win32 Adapter V9; select it, press F2, and rename it to TAP.
Once this is done, you should be able to start the software. It will create an icon in the system tray; right-click it and choose Connect.
It will prompt you for your username and password.
If you did it all right, you should be connected. It will pop up a notice telling you your VPN IP address. You should now be able to connect to all of the stuff in the VPN network, just as if you were there.
