OpenVPN

There are many tutorials about OpenVPN; most I've found were either too detailed to get something running real quick or way too short to actually understand what's going on. I like finding docs that get the crap running real quick and then going back over it with more detailed articles and such. Anyway, the goal here is to get something running and understand some basic stuff.

On the server as well as the clients, the first step is installing openvpn (same package for both):

apt-get install openvpn

Server setup

Create keys

  • CA (Certificate Authority)
  • server key
  • client key (1 set per client)

cp -rp /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/keymaker
cd /etc/openvpn/keymaker

The file "vars" contains stuff about the keys we'll create, like country, email, etc. Might as well edit "vars" to make things easier.

vi vars

and edit

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

You may also edit things like

export KEY_SIZE=1024

which, in case of paranoia, can be changed to

export KEY_SIZE=2048

There are some other options like the expiration date, etc.; it's all well commented. You needn't change anything for this to just work.

Once you're done, source the file:

. ./vars

The following are intended for a first setup (or at least per specific VPN setup; you can have more than one VPN, but you'll check that out another time).

This will delete any previously created keys:

./clean-all

Generate the CA. The Certificate Authority is what's used to sign all the other certificates. For the question "Common Name" you may answer something like "My-VPN-CA".

./build-ca

This will be the certificate for the server; be sure to answer "server" to the question "common name" (yes, you may change it to something more original if you want; in this doc it's "server"). I think the "challenge password" is useless, it serves no purpose here...

./build-key-server server

Now let's make a key for the client.

./build-key client1

If you want to require the client to enter a password to use their key, use:

./build-key-pass client1

Another crypto thing to generate: the Diffie-Hellman parameters (like whatever)... This can really take a long time.

./build-dh

You will need (secret means: don't share this file, and make it chmod 400 or similar):

  • on the VPN server:
    • dh1024.pem - secret (or dh2048.pem)
    • server.crt - public
    • server.key - secret
  • on client1:
    • client1.crt (see note below)
    • client1.key - secret
  • on the signing machine:
    • ca.key - secret
  • on all machines:
    • ca.crt - public

Note about client1.crt: I just noticed this seems to be needed on the server in order to revoke a client's VPN access! It should be in the 'keys' directory.

For more information, check the OpenVPN docs and search for "keys".

Now copy the server keys somewhere, for example /etc/openvpn/keys.

Server config

Get a new base config file by doing:

zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

Now edit that file. The most important crap will be the paths to the keys; they are relative to this config file:

ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
# read the comments for this one, in my case I want all the clients'
# traffic to go through the server, this will require some configs that
# we'll see later. If all you want to do is be on the same LAN then
# don't touch this
push "redirect-gateway"
# another option you can push, useful if you set the above setting (but not only)
# AND if you are running a DNS server, otherwise you can/should put
# the IP of the VPN server's DNS server (the thing in /etc/resolv.conf) or some
# other DNS server you may use.
# OTHERWISE, as noted in the config file's comment for the previous setting,
# you can also bypass DNS queries
push "dhcp-option DNS 10.8.0.1"
# If you are still paranoid or just want to use more electricity you can
# change the default cipher to something a bit stronger
cipher AES-256-CBC

Everything else can be left at default for now.

Start/stop the server

NOTE: This applies to the client as well as the server.

When you start openvpn via /etc/init.d/openvpn start, it will start a VPN service for each file called something.conf in /etc/openvpn/. Check out /etc/default/openvpn and change AUTOSTART="all" to AUTOSTART="server", or to AUTOSTART="none" if you don't want it to start automatically upon boot.

Forwarding traffic

If you chose "redirect-gateway", meaning clients' traffic will be routed through the server, then you will need to set up some routing capabilities on the VPN server. This is a long and complicated process "lol":

Let's consider eth0 your main NIC. That'll be 3 iptables rules and one echo to a proc file.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

voilà.

NOTE: If you intend on setting up multiple VPNs you might want to forward all TUN interfaces (tun0, tun1), in that case replace tun0 with tun+ in the above iptables rules set.

Client configuration

Now for the client. You'll need the same openvpn package, but also resolvconf if you want to accept new DNS settings from the VPN server:

apt-get install openvpn resolvconf

After that you can probably let the user connect to the VPN via network-manager-openvpn or other such lol tools; otherwise this can be done through the startup script, it's just the config file that needs to be different.

The simplest way to go would be to put all the required keys in a special "keys" directory, for example /etc/openvpn/keys

Next copy a default client config

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.conf

You could name it something more specific, useful if you are a client of multiple servers:

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client_server1.conf

Some of the things you'll need to edit:

remote YOUR_VPN_SERVER_IP 1194
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
# this setting should be the same as on the server
cipher AES-256-CBC

That is all for now. To try the connection, see the note about the startup script; by default:

/etc/init.d/openvpn start

or

openvpn --config client.conf

If you required the client to provide a password, you will be asked for it at this moment.

At this point things should work; you can check with /sbin/route to see how the routing table looks.

Per user settings

To have certain settings applied to specific users only you can use the client-config-dir parameter. This indicates a directory which should hold an additional configuration file for each user. The file should use the name of the client and nothing more (no .conf suffix, nothing). For example:

  • in server.conf add ("ccd" is the name of the directory where the clients' configuration files will be stored):

    client-config-dir ccd

  • in the ccd directory create a file per client to append user-specific settings to:

    cd ccd
    vi client1

Example settings

  • static IPs: to assign a specific IP to a client use the following syntax:

    ifconfig-push 10.8.0.3 10.8.0.4

    Both IPs are required; the first one will be used by the client and the second will be the endpoint on the VPN server. This is actually a bit strange but heck, that's how it works.

  • Client specific routing: You can assign routes on a per-client basis. In this case it's probably better not to put push "redirect-gateway" in the main configuration but to add it to the configuration file of any client that needs it. You can also do some fancier things like route only specific IPs or IP ranges, for example:

    push "route 74.125.0.0 255.255.0.0"

    This will add a route to the client's routing table for a /16 of Google IPs (the second argument is the netmask).

    NOTE: Clients may add the routes they want outside of the configuration of OpenVPN.

Revoking a client's access

It's as much fun as it sounds... For this, go to the keymaker directory, source the vars file and then revoke the access:

cd /etc/openvpn/keymaker
. ./vars
./revoke-full KEYTOREVOKE

This will update/create a CRL file that you will need to add to the VPN's configuration file:

vi /etc/openvpn/server.conf

and add

crl-verify keymaker/keys/crl.pem

Of course check to make sure this file exists and has the correct path according to your config... Then restart the VPN server and it's done.
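To check that the paths in server.conf resolve as intended (the keys, and now crl-verify), here is an added Python example that is not part of this page or of OpenVPN: it parses the server.conf edits from the "Server config" section above, resolves each path relative to the config directory (assumed to be /etc/openvpn), and reports the gotchas the text mentions. The sample config is constructed.

```python
import os
import shlex

# Constructed sample mirroring the server.conf edits this page describes (not a file from the page or OpenVPN).
SAMPLE_SERVER_CONF = """\
ca keys/ca.crt
cert keys/server.crt
key keys/server.key   # keep this one secret
dh keys/dh1024.pem
push "redirect-gateway"
push "dhcp-option DNS 10.8.0.1"
cipher AES-256-CBC
"""

def parse_conf(text):
    """(directive, [args]) pairs; '#'/';' comments dropped, push "..." kept whole."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries

def cipher_of(text):
    """Value of the cipher directive, or None when the file does not set one."""
    return next((a[0] for d, a in parse_conf(text) if d == "cipher" and a), None)

def audit_server_conf(text, conf_dir="/etc/openvpn"):
    """Resolve key paths relative to the config's directory; list the page's gotchas."""
    directives, pushes, paths, findings = {}, [], {}, []
    for name, args in parse_conf(text):
        if name == "push":
            pushes.append(args[0] if args else "")
        else:
            directives[name] = args
    for name in ("ca", "cert", "key", "dh", "crl-verify"):
        if directives.get(name):
            paths[name] = os.path.normpath(os.path.join(conf_dir, directives[name][0]))
    if "dh" in paths and "dh1024" in os.path.basename(paths["dh"]):
        findings.append("dh1024.pem in use; KEY_SIZE=2048 gives dh2048.pem")
    if any(p.startswith("redirect-gateway") for p in pushes) and \
            not any(p.startswith("dhcp-option DNS") for p in pushes):
        findings.append("redirect-gateway pushed without a dhcp-option DNS push")
    if "crl-verify" not in paths:
        findings.append("no crl-verify; revoked client certs are still accepted")
    return {"paths": paths, "pushes": pushes, "cipher": cipher_of(text), "findings": findings}
```

Run it over the real file with audit_server_conf(open("/etc/openvpn/server.conf").read()) and then check each entry of "paths" with os.path.exists.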

Now you might want to get into more details; you can go to the OpenVPN HOWTO and find out so much more...

comments:
rike

Great, this makes things a bit clearer. Maybe you could also indicate the forwarding configuration for IPtables.
Also, I believe that on the client one may have to "modprobe tun" module. A thing I didn't quite get is that pki-tool also generates a .csr file. What is this file? Do I need it?
manu

Check the section "Forwarding traffic" (or ctrl-f "iptables"), I think you missed that.

As for the module, it should load automatically when required, if that's not the case tell me and I'll retest/edit/etc.

The csr file, that is quite interesting, it's useful for generating keys on different computers, for example the client can generate their own key and csr and send the csr (Certificate Signing Request) to the signing machine that will make a crt without having to send the key. (If I understood well)

In short, once you got your key and crt you don't need the csr anymore. It would be nice to get an example of this, I'll see what I can do.
manu

Actually, I just updated the "Forwarding traffic" part, the rules I provided weren't quite correct. I just tested it (without arno-iptables) and it works.

As for the module, it is auto loaded on the server as well as the client.

: ]
rike

Apparently clients may also use network-manager-openvpn to configure the connection in a GUI.