This installation of OpenVPN applies to Ubuntu 9.10
sudo apt-get install openvpn # to install the OpenVPN server
Copy the required example files to /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0
Build the Certificate Server
. ./vars
./clean-all
./build-ca
The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:
# ./build-ca
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MN]:
State or Province Name (full name) [Minnesota]:
Locality Name (eg, city) [Andover]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:openvpn1.sysxperts.com
Email Address [me@myhost.mydomain]:
Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "openvpn1.sysxperts.com".
Now build the OpenVPN server certificate and key
./build-key-server openvpn1
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "openvpn1". Two other queries require positive YES responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".
Build client certificates and keys
./build-key pvalentino
./build-key user2
Remember to type the appropriate Common Name for each client when prompted, e.g. "username1", "client2", or "server3". Always use a unique Common Name for each client.
For greater security, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client.
Build the required Diffie-Hellman parameters for the OpenVPN server
./build-dh
Now we will find our newly-generated keys and certificates in the keys subdirectory (/etc/openvpn/easy-rsa/2.0/keys). Here is an explanation of the relevant files:
Filename | Needed By | Purpose | Secret |
ca.crt | server + all clients | Root CA certificate | NO |
ca.key | key signing machine only | Root CA key | YES |
dh{n}.pem | server only | Diffie-Hellman parameters | NO |
openvpn1.crt | server only | Server Certificate | NO |
openvpn1.key | server only | Server Key | YES |
pvalentino.crt | pvalentino only | pvalentino Certificate | NO |
pvalentino.key | pvalentino only | pvalentino Key | YES |
user2.crt | user2 only | user2 Certificate | NO |
user2.key | user2 only | user2 Key | YES |
server3.crt | server3 only | server3 Certificate | NO |
server3.key | server3 only | server3 Key | YES |
The permissions on the generated files reflect the Secret column: the certificate is world-readable, while the key is readable by root only:
-rw-r--r-- 1 root root 4003 2010-01-22 17:41 openvpn1.crt
-rw------- 1 root root 887 2010-01-22 17:41 openvpn1.key
Copy the sample configuration files to /etc/openvpn for the server-side configuration:
cd /usr/share/doc/openvpn/examples/sample-config-files
gzip -d server.conf.gz
cp server.conf /etc/openvpn/
Edit /etc/openvpn/server.conf as follows:
In my environment I'm using the following:
192.168.1.206 is the OpenVPN server interface and my internet access device is configured to NAT forward port 1194 udp to that address. These settings can typically be found under Port Forwarding on a Netgear router or under Applications and Gaming Settings on a Linksys router.
10.8.18.0 is my VPN subnet
10.1.1.0 is another private subnet on my network
# Which local IP address should OpenVPN
# listen on? (optional)
local 192.168.1.206
port 1194
# TCP or UDP server?
;proto tcp
proto udp
;dev tap
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/openvpn1.crt
key /etc/openvpn/easy-rsa/2.0/keys/openvpn1.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.18.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.18.0/255.255.255.0)
# back to the OpenVPN server.
push "route 10.1.1.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 3
mute 20
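As an added check (my own example, not part of the original write-up), the following Python script parses a server.conf the way the daemon reads it (';' and '#' comment lines, trailing '# ...' comments, quoted push arguments) and flags the slips that are easy to make with the files built above: cert/key not matching the name given to build-key-server (openvpn1), no user/group directive so the daemon keeps root, and a pushed route that overlaps the VPN pool. The embedded config is a constructed sample modelled on the one above.

```python
import ipaddress
import shlex

# Constructed sample modelled on the server.conf above (not the page's file verbatim).
SERVER_CONF = """\
;proto tcp
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key # This file should be kept secret
server 10.8.18.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
user nobody
group nogroup
"""

def parse_openvpn_conf(text):
    """[(directive, [args])]: skips ';'/'#' comment lines and trailing '# ...'
    comments; a quoted argument such as "route ..." stays a single token."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if line and line[0] not in ";#":
            tokens = shlex.split(line, comments=True)
            entries.append((tokens[0], tokens[1:]))
    return entries

def check_server_conf(entries, server_cn):
    """Findings for the slips that are easy to make with the files built above."""
    conf = {d: a for d, a in entries if d != "push"}
    pushed = [a[0] for d, a in entries if d == "push" and a]
    findings = []
    # cert/key must be the files build-key-server wrote for this Common Name
    for directive, ext in (("cert", "crt"), ("key", "key")):
        path = conf.get(directive, [""])[0]
        if not path.endswith(f"/{server_cn}.{ext}"):
            findings.append(f"{directive} is {path!r}, expected {server_cn}.{ext}")
    # without user/group the daemon keeps running as root after start-up
    if "user" not in conf or "group" not in conf:
        findings.append("user/group not set: openvpn keeps root privileges")
    # a pushed route overlapping the pool would shadow the tunnel's own addresses
    vpn = ipaddress.ip_network("{}/{}".format(*conf["server"][:2]))
    for route in pushed:
        parts = route.split()
        if (parts[:1] == ["route"] and len(parts) == 3
                and ipaddress.ip_network(f"{parts[1]}/{parts[2]}").overlaps(vpn)):
            findings.append(f"pushed route {route!r} overlaps VPN subnet {vpn}")
    return findings
```

Calling check_server_conf(parse_openvpn_conf(SERVER_CONF), "openvpn1") reports the two cert/key mismatches in the sample; with the paths changed to openvpn1.crt/openvpn1.key it returns an empty list.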
OpenVPN iptables rules to allow traffic to local subnets attached to eth0 and eth1 on the OpenVPN server without the need for a bridging config
iptables --append FORWARD --in-interface tun0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables-save > /etc/iptables.rules
Then modify /etc/network/interfaces as shown below (this is my configuration; NOTE the pre-up line, which restores my iptables NAT rules after a reboot):
auto eth0
iface eth0 inet static
address 192.168.1.206
netmask 255.255.255.0
network 192.168.1.0
gateway 192.168.1.1
pre-up iptables-restore < /etc/iptables.rules
auto eth1
iface eth1 inet static
address 10.1.1.200
netmask 255.255.255.0
network 10.1.1.0
For client configuration, email, scp, or sftp a copy of client.conf to yourself for editing and providing to the clients, ensuring that the configuration is compatible with the server side. Below is an example Tunnelblick client.conf which works with the server.conf above. This client.conf is for a Mac using Tunnelblick with its config stored under /Users/pvalentino/Library/Application Support/Tunnelblick/Configurations/client.conf. Be sure to secure your private key on each client as well by removing group and other access with chmod go-rwx client.conf (and do the same for the pvalentino.key file it references).
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
# For me, I use the dyndns.org updater to keep my Comcast DHCP address in sync with the domain name
# you can get a free dyndns.org hostname and download the updater for free as well
remote openvpn1.sysxperts.com 1194
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
# Note that these files must be provided: ca.crt and the client cert must come from the OpenVPN server, and the key may come from the server or from the client depending on how you generate the CSR
ca /Users/pvalentino/ca.crt
cert /Users/pvalentino/pvalentino.crt
key /Users/pvalentino/pvalentino.key
ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
mute 20
For example, on a Windows 7 64-bit client, install the OpenVPN client with default options and change the network connection name to MyTap under Change Adapter Settings for the TAP-Win32 Adapter V9 interface. Then create and save the file below into c:\Program Files(x86)\openvpn\config as client.ovpn.
client
;dev tap
dev tun
dev-node MyTap
;proto tcp
proto udp
remote openvpn1.sysxperts.com 1194
nobind
# Not valid on windows
;user nobody
;group nogroup
persist-key
persist-tun
mute-replay-warnings
# Note the use of double backslashes on a Windows client; I put the files in a folder I manually created under my user folder
ca C:\\Users\\pvalentino\\openvpncerts\\ca.crt
cert C:\\Users\\pvalentino\\openvpncerts\\client2.crt
key C:\\Users\\pvalentino\\openvpncerts\\client2.key
ns-cert-type server
comp-lzo
verb 3
mute 20
When you run the OpenVPN client on Windows, be sure to right-click and select Run as administrator, or the software will not be able to create the routing configuration necessary for the tunnel.
After saving the config and starting the application with administrator privileges you will have a new icon in your system tray. Simply right-click it and select Connect to establish the tunnel.
If there are problems, right-click the same icon and choose View Log to start the troubleshooting process.