There are many tutorials about OpenVPN; most of the ones I've found were either too detailed to get something running real quick or way too short to actually understand what's going on. I like finding docs that get the crap running real quick and then going back over it with more detailed articles and such. Anyway, the goal here is to get something running and understand some basic stuff.
On the server as well as the clients, the first step would be installing openvpn (same package for both):
apt-get install openvpn
- CA (Certificate Authority)
- server key
- client key (1 set per client)
cp -rp /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/keymaker
cd /etc/openvpn/keymaker
The file "vars" contains stuff about the keys we'll create, like country, email, etc. Might as well edit "vars" to make things easier:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="firstname.lastname@example.org"
You may also edit things like
in case of paranoia it can be changed to
There are some other options like expiration date, etc.; it's all well commented. You needn't change anything for this to just work.
Once you're done we need to source the file:
The following are intended for a first setup (or at least per specific VPN setup; you can have more than one VPN... you'll check that out another time).
This will delete any previously created keys:
Generate the CA. The Certificate Authority is what's used to sign all the other certificates. For the question "Common Name" you may answer something like "My-VPN-CA".
This will be the certificate for the server; be sure to answer "server" to the question "Common Name" (yes, you may change it to something more original if you want, in this doc it's "server"). I think the "challenge password" is useless, it's of no use here...
Now let's make a key for the client.
If you want to oblige the client to enter a password to use their key you may use instead:
Another crypto thing to generate: the Diffie-Hellman parameters (like whatever)... this can really take a long time.
You will need the following (secret means: don't share this file, and make it chmod 400 or something):
- on the VPN server:
  - dh1024.pem - secret (or dh2048.pem)
  - server.crt - public
  - server.key - secret
- on client1:
  - client1.crt (see note below)
  - client1.key - secret
- on the signing machine:
  - ca.key - secret
- on all machines:
  - ca.crt - public
Note about client1.crt: I just noticed this seems to be needed on the server in order to revoke a VPN access! It should be in the 'keys' directory. For more information check this out and search for "keys".
Now copy the server keys somewhere, for example into /etc/openvpn/keys.
Get a new base config file by doing:
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
Now edit that file. The most important crap is the paths to the keys; they're relative to this config file:
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
# read the comments for this one, in my case i want all the client's
# traffic to go through the server, this will require some configs that
# we'll see later. If all you want to do is be on the same LAN then
# don't touch this
push "redirect-gateway"
# another option you can push, useful if you set the above setting (but not only)
# AND if you are running a DNS server, otherwise you can/should put
# the IP of the vpn server's DNS server (the thing in /etc/resolv.conf) or some
# other DNS server you may use.
# OTHERWISE, as noted in the config file's comment for the previous setting
# you can also bypass DNS queries
push "dhcp-option DNS 10.8.0.1"
# If you are still paranoid or just want to use more electricity you can
# change the default cipher to something a bit stronger
cipher AES-256-CBC
Everything else can be left at default for now.
Start/stop the server
NOTE: This applies to the client as well as the server:
When you start openvpn via /etc/init.d/openvpn start, it will start a VPN service for each file called something.conf in /etc/openvpn/. Check out /etc/default/openvpn and set
AUTOSTART="server"
or, if you don't want it to start automatically upon boot,
If you chose "redirect-gateway", meaning the clients' traffic will be routed through the server, then you will need to set up some routing capabilities on the VPN server. This is a long and complicated process "lol":
Let's say eth0 is your main NIC. That'll be 3 iptables rules and one echo to a proc file:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
NOTE: If you intend to set up multiple VPNs you might want to forward all TUN interfaces (tun0, tun1, ...); in that case replace tun0 with tun+ in the above iptables rules.
Client configuration
Now for the client, you'll need the same openvpn package, but also resolvconf if you want to accept new DNS settings from the VPN server:
apt-get install openvpn resolvconf
After that you can probably let the user connect to the VPN via network-manager-openvpn or other such lol tools; otherwise this can be done through the startup script, it's just the config file that needs to be different.
The simplest way to go would be to put all the required keys in a special "keys" directory, for example /etc/openvpn/keys.
Next copy a default client config:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.conf
You could name it something more specific, useful if you are a client of multiple servers:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client_server1.conf
Some of the things you'll need to edit:
remote YOUR_VPN_SERVER_IP 1194
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
# this setting should be the same as on the server
cipher AES-256-CBC
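The key-file list above says which files are secret, the server section says the key paths are relative to the config, and this client snippet says the cipher must match the server. As an added example (not from this post), here is a small Python checker that parses both configs, resolves the file directives relative to the config's directory, flags a private key readable by group or others, and confirms the client's cipher matches the server's. The two embedded configs are constructed from the snippets in this post; 192.0.2.10 is a placeholder server address.

```python
import os
import shlex

# Constructed configs mirroring this post's snippets (not a real deployment).
SERVER_CONF = """
port 1194
ca keys/ca.crt
cert keys/server.crt
key keys/server.key             # secret
dh keys/dh1024.pem
push "dhcp-option DNS 10.8.0.1"
cipher AES-256-CBC
"""
CLIENT_CONF = """
remote 192.0.2.10 1194
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
cipher AES-256-CBC   # must match the server
"""

def parse_config(text):
    """'directive arg ...' -> {directive: [[args], ...]}; '#' and ';' comments
    are dropped and a quoted argument such as push "route a b" stays one token."""
    conf = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts and not parts[0].startswith(';'):
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def check_key_files(conf, conf_dir):
    """Resolve file directives relative to conf_dir (the post's keys/ layout);
    report missing files and a private key that group/others can read."""
    issues = []
    for directive in ('ca', 'cert', 'key', 'dh', 'crl-verify'):
        if directive in conf:
            path = os.path.join(conf_dir, conf[directive][0][0])
            if not os.path.exists(path):
                issues.append(f'{directive}: missing {path}')
            elif directive == 'key' and os.stat(path).st_mode & 0o077:
                issues.append(f'{directive}: {path} readable by group/others')
    return issues

def compare(server, client):
    """The cipher must agree on both ends; OpenVPN 2.x falls back to BF-CBC
    when the directive is absent, so a missing line counts as a mismatch."""
    s, c = (x.get('cipher', [['BF-CBC']])[0][0] for x in (server, client))
    return [] if s == c else [f'cipher mismatch: server {s}, client {c}']
```

Run `check_key_files(parse_config(open(p).read()), os.path.dirname(p))` against your real server.conf path `p` before starting the service.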
That's all for now. To try the connection, see the note about the startup script above; by default:
openvpn --config client.conf
If you required the client to provide a password you will be asked for it at this moment.
At this point things should work; you can check with /sbin/route to see how the routing looks.
Per user settings
To have certain settings applied to specific users only you can use the client-config-dir parameter. It points to a directory which should hold an additional configuration file for each user. The file should be named exactly like the client (its certificate's Common Name) and nothing more: no .conf suffix, nothing. For example:
- in server.conf add: client-config-dir ccd ("ccd" is the name of the directory where the clients' configuration files will be stored)
- in the ccd directory create a file per client to append user-specific settings to:
cd ccd
vi client1
- static IPs: to assign a specific IP to a client use the following syntax:
ifconfig-push 10.8.0.3 10.8.0.4
Both IPs are required: the first one will be used by the client and the second will be the endpoint on the VPN server. This is actually a bit strange but heck, that's how it works.
Client-specific routing: you can assign routes on a per-client basis. In this case it's probably better not to put push "redirect-gateway" in the main configuration but to add it to the configuration file of any client that needs it. You can also do fancier things like route only specific IPs or IP ranges, for example:
push "route 220.127.116.11 18.104.22.168"
This will add a route to the client's routing table for a /16 of Google IPs.
NOTE: Clients may add the routes they want outside of the configuration of OpenVPN.
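Hand-editing one ccd file per client is where duplicate or out-of-pool addresses creep in. As an added example (not part of this post), here is a Python helper that renders each client's ccd file from a mapping and checks the addresses first. The client names and addresses are constructed; the /30-pair check reflects what OpenVPN documents for Windows TAP clients under the net30 topology, which was the default when this post was written.

```python
import ipaddress

# Constructed input: the server's VPN pool and the clients that need a fixed
# address or extra routes. Keys must equal each client's certificate Common
# Name, because that is the file name OpenVPN looks up in client-config-dir.
VPN_NET = ipaddress.ip_network('10.8.0.0/24')
CLIENTS = {
    'client1': {'ip': '10.8.0.5', 'peer': '10.8.0.6',
                'routes': [('198.51.100.0', '255.255.255.0')]},
    'client2': {'ip': '10.8.0.9', 'peer': '10.8.0.10', 'redirect_gateway': True},
}

def render_ccd(name, spec):
    """Text of ccd/<name>: ifconfig-push plus whatever this client alone gets."""
    lines = [f'# generated for CN={name}']
    if 'ip' in spec:
        lines.append(f"ifconfig-push {spec['ip']} {spec['peer']}")
    if spec.get('redirect_gateway'):          # per-client instead of global
        lines.append('push "redirect-gateway"')
    for net, mask in spec.get('routes', []):
        lines.append(f'push "route {net} {mask}"')
    return '\n'.join(lines) + '\n'

def validate(clients, vpn_net):
    """Mistakes a hand-edited ccd tends to have: an address outside the pool,
    one address handed to two clients, and a client/server-endpoint pair that
    is not the two hosts of a single /30 (what Windows TAP clients require)."""
    errors, seen = [], {}
    for name, spec in clients.items():
        if 'ip' not in spec:
            continue
        for addr in (spec['ip'], spec['peer']):
            if ipaddress.ip_address(addr) not in vpn_net:
                errors.append(f'{name}: {addr} is outside {vpn_net}')
            if seen.get(addr, name) != name:
                errors.append(f'{name}: {addr} already used by {seen[addr]}')
            seen[addr] = name
        block = ipaddress.ip_network(f"{spec['ip']}/30", strict=False)
        if {spec['ip'], spec['peer']} != {str(h) for h in block.hosts()}:
            errors.append(f'{name}: {spec["ip"]} {spec["peer"]} is not a /30 pair')
    return errors
```

Write `render_ccd(name, spec)` to `ccd/<name>` only when `validate(CLIENTS, VPN_NET)` returns an empty list.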
Revoking a client's access
It's as much fun as it sounds... For this, go to the keymaker directory, source the vars file and then revoke the access:
cd /etc/openvpn/keymaker
. ./vars
./revoke-full KEYTOREVOKE
This will update/create a CRL file that you will need to add to the VPN's configuration file:
Of course, check to make sure this file exists and has the correct path according to your config... Then restart the VPN server and it's done.
Now you might want to get into more details; you can go to the OpenVPN howto and find out so much more...