OpenVPN

OpenVPN

This installation of OpenVPN applies to Ubuntu 9.10

sudo apt-get install openvpn  # to intall the openvpn server


Copy the required example files to /etc/openvpn 
cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0

Build the Certificate Server
. ./vars
./clean-all
./build-ca

The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:

# ./build-ca
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MN]:
State or Province Name (full name) [Minnesota]:
Locality Name (eg, city) [Andover]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:openvpn1.sysxperts.com
Email Address [me@myhost.mydomain]:
Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "openvpn1.sysxperts.com".

Now build the OpenVPN server certificate and key
./build-key-server openvpn1
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "openvpn1".  Two other queries require positive YES responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Build client certificates and keys
./build-key pvalentino
./build-key user2
Remember to type the appropriate Common Name for each client when prompted, i.e. "username1", "client2", or "server3". Always use a unique common name for each client.

For greater security, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client.

Build the required Diffie-Hellman parameters for the OpenVPN server
./build-dh

Now we will find our newly-generated keys and certificates in the keys subdirectory (/etc/openvpn/easy-rsa/2.0/keys). Here is an explanation of the relevant files:
FilenameNeeded ByPurposeSecret
ca.crtserver + all clientsRoot CA certificateNO
ca.keykey signing machine onlyRoot CA keyYES
dh{n}.pemserver onlyDiffie Hellman parametersNO
openvpn1.crtserver onlyServer CertificateNO
openvpn1.keyserver onlyServer KeyYES
pvalentino.crtpvalentino onlypvalentino CertificateNO
pvalentino.keypvalentino onlypvalentino KeyYES
user2.crtuser2 onlyuser2 CertificateNO
user2.keyuser2 onlyuser2 KeyYES
server3.crtserver3 onlyserver3 CertificateNO
server3.keyserver3 onlyserver3 KeyYES

-rw-r--r-- 1 root       root 4003 2010-01-22 17:41 openvpn1.crt
-rw------- 1 root       root  887 2010-01-22 17:41 openvpn1.key


Copy sample configuration files to /etc/openvpn for server side configuration
cd /usr/share/doc/openvpn/examples/sample-config-files
gzip -d server.conf.gz
cp server.conf /etc/openvpn/

Edit /etc/openvpn/server.conf as follows:
In my environment I'm using the following:
192.168.1.206 is the OpenVPN server interface and my internet access device is configured to NAT forward port 1194 udp to that address.  These settings can typically be found under Port Forwarding on a Netgear router or under Applications and Gaming Settings on a Linksys router.
10.8.18.0  is my VPN subnet
10.1.1.0 is another private subnet on my network

# Which local IP address should OpenVPN
# listen on? (optional)
local 192.168.1.206

port 1194

# TCP or UDP server?
;proto tcp
proto udp

;dev tap
dev tun

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key  # This file should be kept secret

dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

server 10.8.18.0 255.255.255.0

ifconfig-pool-persist /etc/openvpn/ipp.txt


# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 10.1.1.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"

keepalive 10 120

comp-lzo

user nobody
group nogroup

persist-key
persist-tun

status /etc/openvpn/openvpn-status.log

verb 3

mute 20


OpenVPN iptables rules to allow traffic to local subnets attached to eth0 and eth1 on the OpenVPN server
without the need for a bridging config

iptables --append FORWARD --in-interface tun0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

iptables-save > /etc/iptables.rules

Then modify /etc/network/interfaces like so in my case (NOTE the pre-up line)
This restores my iptables nat rules after a reboot:

auto eth0
iface eth0 inet static
    address 192.168.1.206
    netmask 255.255.255.0
    network 192.168.1.0
    gateway 192.168.1.1
        pre-up iptables-restore < /etc/iptables.rules
auto eth1
iface eth1 inet static
    address 10.1.1.200
    netmask 255.255.255.0
    network 10.1.1.0


For client configuration email, scp, or sftp a copy of client.conf to yourself for editing and providing to the clients ensuring that configuration is compatible with server side.  Below is example Tunnelblick client.conf which works with the server.conf above.  This client.conf is for a Mac using Tunnelblick with it's config stored under /Users/pvalentino/Library/Application Support/Tunnelblick/Configurations/client.conf.  Be sure to secure your private key on each client as well by removing group and other access with chmod go-rwx client.conf.

Tunnelblick for OSX client example: 
client

;dev tap

dev tun
;dev-node MyTap

;proto tcp
proto udp



# for me i use dyndns.org dyndns updater to keep my dhcp comcast address in sync with domain name
# you can get a free dyndns.org hostname and download the updater for free as well
remote openvpn1.sysxperts.com 1194

nobind

user nobody
group nogroup

persist-key
persist-tun


mute-replay-warnings

# Note that these files must be provided - ca.crt and client cert must come from openvpn server and key may come from server or from client depending on how you generate csr
ca /Users/pvalentino/ca.crt
cert /Users/pvalentino/pvalentino.crt
key /Users/pvalentino/pvalentino.key

ns-cert-type server

;tls-auth ta.key 1

;cipher x

comp-lzo

verb 3
mute 20

OpenVPN Windows client example:
For example, on Windows 7 64bit client install the OpenVPN client with default options, change the network connection name to MyTap under change adapter settings for the TAP-Win32 Adapter V9 interface.  Then create and save the file below into c:\Program Files(x86)\openvpn\config as client.ovpn.

client

;dev tap
dev tun

dev-node MyTap

;proto tcp
proto udp

remote openvpn1.sysxperts.com 1194

nobind

# Not valid on windows
;user nobody
;group nogroup

persist-key
persist-tun


mute-replay-warnings

# Note the use of double backslashes on a windows client and I put them in a folder I manually created under my users folder
ca C:\\Users\\pvalentino\\openvpncerts\\ca.crt
cert C:\\Users\\pvalentino\\openvpncerts\\client2.crt
key C:\\Users\\pvalentino\\openvpncerts\\client2.key

ns-cert-type server


comp-lzo

verb 3
mute 20

When you run the openvpn client on windows be sure to right-click and select run as administrator or the software will not be able to create necessary routing configurations for the tunnel.

After saving config and starting the application with administrator privileges you will have a new icon in your system tray.  Simply right-click and select connect to establish the tunnel.

If there are problems right-click the same icon and choose View Log to start the troubleshooting process.

No comments: