Published by manu on 09 January 2010 at 7:37 PM
Modified on 16 February 2010

OpenVPN

There are many tutorials about OpenVPN; most of the ones I've found were either too detailed to get something running quickly or way too short to actually understand what's going on. I like finding docs that get the thing running quickly and then going back over it with more detailed articles. Anyway, the goal here is to get something running and understand some basic stuff.

On the server as well as on the clients, the first step is installing openvpn (same package for both):

apt-get install openvpn

Server setup

Create keys

  • CA (Certificate Authority)
  • server key
  • client key (1 set per client)

cp -rp /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/keymaker
cd /etc/openvpn/keymaker

The file "vars" contains the defaults for the certificates we'll create (country, e-mail, key size, expiry and so on). Might as well edit "vars" so you don't have to retype them for every certificate.

vi vars

and edit

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

You may also edit things like

export KEY_SIZE=1024

1024-bit RSA keys are no longer considered adequate, so unless you have to talk to something ancient change it to

export KEY_SIZE=2048

There are some other options like the expiration dates (CA_EXPIRE, KEY_EXPIRE); it's all well commented, and you needn't change anything else for this to just work.

Once you're done, source the file:

. ./vars

The following steps are for a first setup (or rather one per VPN, since you can have more than one VPN... you'll check that out another time).

This will delete any previously created keys:

./clean-all

Generate the CA. The Certificate Authority is what signs all the other certificates; for the question "Common Name" you may answer something like "My-VPN-CA".

./build-ca

This will be the certificate for the server; be sure to answer "server" to the question "Common Name" (yes, you may pick something more original if you want, in this doc it's "server"). The "challenge password" is an optional attribute of the signing request that OpenVPN never looks at, so leave it empty.

./build-key-server server

Now let's make a key for the client.

./build-key client1

If you want to require the client to enter a passphrase to use their key (the key is then stored encrypted), use

./build-key-pass client1

One more crypto thing to generate: the Diffie-Hellman parameters, which the server uses for the TLS key exchange (this can really take a long time, and much longer with KEY_SIZE=2048).

./build-dh

You will need the following files. "Secret" means: don't share the file and make it chmod 400 or so. The DH parameters and the certificates are public and can travel in the clear.

  • on the vpn server:
    • dh1024.pem - public (or dh2048.pem)
    • server.crt - public
    • server.key - secret
  • on client1:
    • client1.crt - public
    • client1.key - secret
  • on the signing machine only:
    • ca.key - secret (whoever has it can issue certificates your VPN trusts)
  • on all machines:
    • ca.crt - public
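Here is the whole key-generation procedure as an added example (it is not part of the original post and it is not easy-rsa): the same PKI that ./build-ca, ./build-key-server and ./build-key produce, done with plain openssl so each step is visible, plus the checks worth running before the files get copied around. It also separates the two halves of the process, so a client can generate its own key and hand over only the .csr for signing. The extension sections are my reconstruction of what the stock easy-rsa 2.0 openssl.cnf applies to server and client certificates; the names, the 2048-bit keys and the 10-year lifetimes are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the original post, and not easy-rsa): the same
# PKI that ./build-ca, ./build-key-server and ./build-key produce, done with
# plain openssl so each step is visible, plus the checks worth running before
# files get copied around. The extension sections below mirror what the stock
# easy-rsa 2.0 openssl.cnf applies to server and client certs (assumption).
# Names, 2048-bit keys and the 10-year lifetimes are illustrative choices.
set -u

# Minimal openssl config, so nothing depends on the system openssl.cnf.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[v3_client]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# new_key_and_csr DIR NAME: the half that can run on the client itself; only
# NAME.csr has to travel to the signing machine, NAME.key never leaves.
new_key_and_csr() {
    dir="$1"; name="$2"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    chmod 400 "$dir/$name.key"
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/$name.key" \
        -subj "/CN=$name" -out "$dir/$name.csr"
}

# sign_csr DIR NAME PROFILE: signing-machine side; PROFILE is v3_server or
# v3_client and decides what the resulting certificate may be used for.
sign_csr() {
    dir="$1"; name="$2"; profile="$3"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -extfile "$dir/openssl.cnf" \
        -extensions "$profile" -out "$dir/$name.crt" 2>/dev/null
}

# make_pki DIR CLIENT: CA + server cert + one client cert, as the tutorial does.
make_pki() {
    dir="$1"; client="$2"
    mkdir -p "$dir"
    write_openssl_cnf "$dir/openssl.cnf"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null     # the one key to guard
    chmod 400 "$dir/ca.key"
    openssl req -new -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
        -key "$dir/ca.key" -subj "/CN=My-VPN-CA" -days 3650 -out "$dir/ca.crt"
    new_key_and_csr "$dir" server    && sign_csr "$dir" server    v3_server
    new_key_and_csr "$dir" "$client" && sign_csr "$dir" "$client" v3_client
}

# make_dh DIR BITS: Diffie-Hellman parameters (public, but slow to generate).
make_dh() {
    openssl dhparam -out "$1/dh$2.pem" "$2" 2>/dev/null
}

# --- checks -----------------------------------------------------------------

# verify_cert CA.crt X.crt: does the certificate chain to our CA?
verify_cert() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# cert_matches_key X.crt X.key: did we pair the right key with the right cert?
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_is_server X.crt: does it carry the server extension that
# "ns-cert-type server" / "remote-cert-tls server" on the client look for?
cert_is_server() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'TLS Web Server Authentication'
}

# Usage: sh make-pki.sh /etc/openvpn/keymaker client1
if [ $# -ge 2 ]; then
    make_pki "$1" "$2"
fi
```

Run it with a directory and a client name, or source it and call the functions one at a time: new_key_and_csr on the client, sign_csr on the signing machine, then the three checks before anything is copied to /etc/openvpn/keys. make_dh is kept separate because it is the slow step and the result is not secret.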

For more information check this out

Now copy the server's files (ca.crt, server.crt, server.key and dh1024.pem) to, for example, /etc/openvpn/keys.

Server config

Get a new base config file by doing:

zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

Now edit that file. The most important bits are the paths to the keys. Relative paths are resolved from the directory OpenVPN runs in: the Debian init script starts every instance in /etc/openvpn, so "keys/..." works there, but if you start openvpn by hand from somewhere else use absolute paths.

ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
# read the comments for this one. In my case I want all the clients'
# traffic to go through the server, which requires some routing setup
# that we'll see later. If all you want is to be on the same LAN then
# don't touch this.
push "redirect-gateway"
# another option you can push, useful if you set the above (but not only)
# AND if you are running a DNS server; otherwise put the IP of the DNS
# server the VPN server itself uses (the thing in /etc/resolv.conf) or some
# other DNS server you trust. Otherwise, as noted in the config file's
# comment for the previous setting, client DNS queries bypass the VPN.
push "dhcp-option DNS 10.8.0.1"
# If you are still paranoid or just want to use more electricity you can
# change the default cipher to something a bit stronger
cipher AES-256-CBC

Everything else can be left at default for now.

Start/stop the server

NOTE: This applies to the server as well as the client:

When you start openvpn via /etc/init.d/openvpn start, it starts one VPN instance for each file called something.conf in /etc/openvpn/. Check out /etc/default/openvpn: AUTOSTART="all" (the default) starts every one of them at boot; change it to AUTOSTART="server" to start only server.conf (space-separated names if you have several), or to AUTOSTART="none" if you don't want anything to start automatically at boot. You can still start a single instance by hand with /etc/init.d/openvpn start server.

Forwarding traffic

If you chose "redirect-gateway", meaning the clients' traffic will be routed through the server, then you will need to turn the VPN server into a router. This is a long and complicated process "lol":

Let's say eth0 is your main NIC. That's 3 iptables rules and one echo to a proc file:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

voilà. Two things to keep in mind: the two FORWARD rules only mean something if the FORWARD chain's default policy is DROP (with the default ACCEPT policy the box forwards everything anyway), and neither the rules nor the echo survive a reboot, so put them in a script that runs at boot (and ip_forward in /etc/sysctl.conf).

NOTE: If you intend on setting up multiple VPNs you might want to forward all TUN interfaces (tun0, tun1), in that case replace tun0 with tun+ in the above iptables rules set.
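The forwarding setup above as a script you can run at every boot, as an added example that is not part of the original post. The parameters are assumptions about your box: eth0 as the Internet-facing NIC, tun+ as the tunnel pattern, and 10.8.0.0/24 as the VPN subnet (that is what the sample server.conf hands out). Compared with the three rules above it limits MASQUERADE to the VPN subnet, sets the FORWARD policy to DROP so only the listed traffic crosses the box, and skips rules that are already installed.

```shell
#!/bin/sh
# Added example, not from the original post: the forwarding setup as a
# script you can run at every boot. Parameters (all assumptions about your
# box): WAN is the Internet-facing NIC (eth0), VPN is the tunnel interface
# pattern (tun+ matches every OpenVPN instance) and NET is the VPN subnet
# (10.8.0.0/24 is what the sample server.conf hands out). Beyond the post's
# three rules it limits MASQUERADE to the VPN subnet, sets the FORWARD policy
# to DROP so only the listed traffic crosses the box, and skips rules that
# are already installed.

# vpn_forward_rules WAN VPN NET: print the rule set, one rule per line, as
# "<table> <chain> <rule-spec>" so it can be reviewed or tested without root.
vpn_forward_rules() {
    wan="$1"; vpn="$2"; net="$3"
    printf '%s\n' \
        "nat POSTROUTING -s $net -o $wan -j MASQUERADE" \
        "filter FORWARD -i $wan -o $vpn -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        "filter FORWARD -i $vpn -o $wan -j ACCEPT"
}

# rule_present TABLE CHAIN SPEC...: true if an identical rule already exists
# (iptables -C), which keeps re-runs from stacking duplicate rules.
rule_present() {
    table="$1"; chain="$2"; shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null
}

# apply_vpn_forwarding [WAN] [VPN] [NET]: install the rules and turn on IPv4
# forwarding. Needs root. If this box already forwards other traffic, add
# rules for that before the policy change or you will cut it off.
apply_vpn_forwarding() {
    wan="${1:-eth0}"; vpn="${2:-tun+}"; net="${3:-10.8.0.0/24}"
    iptables -P FORWARD DROP
    vpn_forward_rules "$wan" "$vpn" "$net" | while read -r table chain spec; do
        # $spec is deliberately unquoted: it has to split into iptables arguments.
        rule_present "$table" "$chain" $spec || iptables -t "$table" -A "$chain" $spec
    done
    # same effect as "echo 1 > /proc/sys/net/ipv4/ip_forward"; add the line to
    # /etc/sysctl.conf to keep it across reboots.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# Usage: sh vpn-forward.sh apply [eth0 [tun+ [10.8.0.0/24]]]
if [ "${1:-}" = apply ]; then
    apply_vpn_forwarding "${2:-eth0}" "${3:-tun+}" "${4:-10.8.0.0/24}"
fi
```

Without the "apply" argument the script only defines the functions, so you can source it and print the rule set with vpn_forward_rules to review it before touching the firewall; iptables-save after a successful run gives you something to restore at boot.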

Client configuration

Now for the client. You'll need the same openvpn package, plus resolvconf if you want the client to accept the DNS settings pushed by the server:

apt-get install openvpn resolvconf

After that you can probably let the user connect to the VPN via network-manager-openvpn or other such lol tools; otherwise it can be done through the startup script, it's just the config file that needs to be different.

The simplest way to go is to put all the required files (ca.crt, client1.crt, client1.key) in a "keys" directory, for example /etc/openvpn/keys, with client1.key readable by root only.

Next copy a default client config

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.conf

You could name it something more specific, which is useful if you are a client of multiple servers:

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client_server1.conf

Some of the things you'll need to edit:

remote YOUR_VPN_SERVER_IP 1194
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
# this setting must be the same as on the server
cipher AES-256-CBC

One more line worth uncommenting in the sample file is "ns-cert-type server": build-key-server marked the server certificate as a server cert, and with this directive the client refuses to talk to anything whose certificate wasn't. Without it, anyone holding a client certificate signed by your CA could pose as the server.

That is all for now. To try the connection, see the note about the startup script; by default:

/etc/init.d/openvpn start
or
openvpn --config client.conf

(in the second form, run it from /etc/openvpn or the relative keys/ paths won't resolve). If you required the client to provide a passphrase, you will be asked for it at this moment.

This is where things should work. You can check with /sbin/route -n that a tun0 route appeared and, if you pushed "redirect-gateway", that the default route now goes through the VPN; pinging the server's VPN address (10.8.0.1 with the sample config) confirms the tunnel is up.

Now you might want to get into the details of a particular setting or two; the OpenVPN HOWTO covers so much more.

Comments :

Published by: rike

date: 10 January 2010 at 4:05 PM

Comment:

Great, this makes things a bit clearer. Maybe you could also indicate the forwarding configuration for IPtables.
Also, I believe that on the client one may have to "modprobe tun" module. A thing I didn't quite get is that pki-tool also generates a .csr file. What is this file? do I need it?

Published by: manu

date: 10 January 2010 at 10:24 PM

Comment:

Check the section "Forwarding traffic" (or ctrl-f "iptables"), I think you missed that.

As for the module, it should load automatically when required, if that's not the case tell me and I'll retest/edit/etc.

The csr file, that is quite interesting, it's useful for generating keys on different computers, for example the client can generate their own key and csr and send the csr (Certificate Signing Request) to the signing machine that will make a crt without having to send the key. (If I understood well)

In short, once you got your key and crt you don't need the csr anymore. It would be nice to get an example of this, I'll see what I can do.

Published by: manu

date: 12 January 2010 at 4:03 AM

Comment:

Actually, I just updated the "Forwarding traffic" part, the rules I provided weren't quite correct. I just tested it (without arno-iptables) and it works.

As for the module, it is auto loaded on the server as well as the client.

: ]