Category:OpenVPN

 Written for Fedora Linux 5, 6, & 7 with OpenVPN 2.1_rc4

OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.

OpenVPN 2.0 expands on the capabilities of OpenVPN 1.x by offering a scalable client/server mode, allowing multiple clients to connect to a single OpenVPN server process over a single TCP or UDP port.

This document was written for my own needs as setup notes. It is written with the idea of having a central Fedora Linux OpenVPN server running inside the Local Area Network (LAN) and allowing clients running either Linux, Windows 2000, or Windows XP to securely VPN into the LAN with full local network access (file serving, printing, database apps, ...).

-Matt Rude

= OpenVPN Server Setup =

The OpenVPN server

Installing
Also See: Installing Openvpn From Source

Via yum:
    yum -y install openvpn
Via smart:
    smart install openvpn

Installing from Matt's RPMs
My prebuilt OpenVPN RPMs are:
 * Openvpn-2.1_rc4.F7.i386.rpm
 * Openvpn-2.1_rc4.F7.ppc.rpm
 * Openvpn-2.1_rc4.FC6.i386.rpm
Install the one for your release via yum:
    yum -y localinstall Openvpn-2.1_rc4.F7.i386.rpm

Certificate Authority (CA)
From Wikipedia:

A CA will issue a public key certificate which states that the CA attests that the public key contained in the certificate belongs to the person, organization, server, or other entity noted in the certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users (relying parties) can trust the information in the CA's certificates. The usual idea is that if the user trusts the CA and can verify the CA's signature, then they can also verify that a certain public key does indeed belong to whomever is identified in the certificate.

If the CA can be subverted, then the security of the entire system is lost. Suppose an attacker, Mallory (to use the Alice and Bob convention), manages to get a certificate authority to issue a false certificate tying Alice to the wrong public key, whose corresponding private key is known to Mallory. If Bob subsequently obtains and uses Alice's public key in this (bogus) certificate, the security of his communications to her could be compromised by Mallory — for example, his messages could be decrypted, or he could be tricked into accepting forged signatures.

Building a Certificate Authority (CA)
For more info see here

The first step in building an OpenVPN 2.0 configuration is to establish a PKI (Public Key Infrastructure).

Go to the build directory; mine is /usr/share/openvpn/easy-rsa/2.0:
    cd /usr/share/openvpn/easy-rsa/2.0
Now we need to update your vars file:
    vim vars
At the bottom of the file you will see the entries below; edit this info for your own system.
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="MN"
    export KEY_CITY="SaintPaul"
    export KEY_ORG="mattrude.com"
    export KEY_EMAIL="example@example.com"
The same file sets KEY_SIZE=1024, which also decides the name of the Diffie-Hellman file (dh1024.pem) referenced in the server config further down; 2048 is the sensible minimum today, and if you raise it, reference dh2048.pem in the config instead.

After you have updated your vars file you need to source it:
    source ./vars
Now run clean-all and build-ca to build your CA. Be warned that clean-all wipes the whole keys directory, so never run it again on a CA you have already issued certificates from:
    ./clean-all
    ./build-ca
The final command (build-ca) builds the certificate authority (CA) certificate and key by invoking the interactive openssl command.

The only parameter which must be explicitly entered is the Common Name. For the CA this is a name for the authority itself (the OpenVPN HOWTO uses "OpenVPN-CA"), not a computer name; it shows up as the issuer on every certificate the CA signs. The result is keys/ca.crt, which every server and client gets a copy of, and keys/ca.key, which must stay private: as the Wikipedia passage above says, whoever holds the CA key can issue certificates for any name, so keep it off the VPN server and off every client.

Generate certificate & key for server
Next, we will generate a certificate and private key for the server:
    ./build-key-server vpn.mattrude.com
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter the name you passed on the command line ("vpn.mattrude.com"); the Common Name is what the server presents to clients, and no client may reuse it. Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]". The output files are named after the argument, keys/vpn.mattrude.com.crt and keys/vpn.mattrude.com.key, so either reference those names in the server config or rename them to the Server.crt and Server.key used in the config below. build-key-server differs from build-key in one way that matters: it marks the certificate as a server certificate (nsCertType=server), which is what lets a client verify it is talking to the real server rather than to someone holding another client's certificate.

Generate certificates & keys for clients
Generating client certificates is very similar to the previous step:
    ./build-key laptop.mattrude.com
    ./build-key parents.mattrude.com
If you would like to password-protect your client keys, substitute the build-key-pass script.

Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "laptop.mattrude.com", "parents.mattrude.com". Always use a unique Common Name for each client: the server identifies connected clients by it, ipp.txt and the status log are keyed on it, and revocation (below) works per certificate, so two clients sharing one certificate can neither be told apart nor revoked separately.

Generate Diffie Hellman parameters
Diffie-Hellman parameters must be generated for the OpenVPN server (this takes a while):
    ./build-dh
This writes keys/dh1024.pem (the number follows KEY_SIZE in vars). It is needed on the server only and is generated once; clients do not get a copy.

Finishing the CA
Copy the files the server needs into your /etc/openvpn directory. Only four belong there: the CA certificate, the server certificate and key, and the DH parameters.
    cp keys/ca.crt keys/vpn.mattrude.com.crt keys/vpn.mattrude.com.key keys/dh1024.pem /etc/openvpn/
A plain cp keys/* /etc/openvpn/ also copies ca.key and every client's private key onto the server, which is exactly where they should not be; leave those in the easy-rsa keys directory (and back that directory up somewhere safe, since the CA database in it is needed to add or revoke clients later), make the server's .key file readable by root only, and hand each client only ca.crt plus its own .crt and .key.
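As an added example (not code from the original page or from easy-rsa), here is the same three-step PKI built with plain openssl commands, so you can see what build-ca, build-key-server and build-key do underneath and test the two properties the VPN relies on: every certificate chains to ca.crt, and only the server certificate carries the nsCertType=server mark that build-key-server adds (and that the ns-cert-type server directive checks on the client). All names (Test-CA, vpn.example.com, laptop.example.com) and the temporary directory are made up. It uses openssl directly instead of easy-rsa and is not a replacement for the scripts above, whose CA database (keys/index.txt, keys/serial) is what revoke-full needs later.

```shell
#!/bin/sh
# Added example, not from the original page: a throwaway PKI built with plain
# openssl that mirrors easy-rsa's build-ca / build-key-server / build-key.
# All names below (Test-CA, vpn.example.com, laptop.example.com) are invented.
set -u

# Minimal openssl config with one extension section per certificate role.
# v3_server carries the nsCertType=server mark that build-key-server sets.
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
nsCertType = server
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment
[v3_client]
basicConstraints = CA:FALSE
nsCertType = client
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
}

# issue DIR NAME SECTION: key + CSR + CA-signed cert, like build-key(-server).
# The Common Name is the NAME argument, and the files are named after it too.
issue() {
    dir=$1; name=$2; section=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" \
        -config "$dir/openssl.cnf" -out "$dir/$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/openssl.cnf" -extensions "$section" \
        -out "$dir/$name.crt" 2>/dev/null
}

# make_test_pki DIR: CA (build-ca), one server cert (build-key-server) and
# one client cert (build-key), all written into DIR.
make_test_pki() {
    dir=$1
    write_cnf "$dir/openssl.cnf" &&
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Test-CA" -days 365 -sha256 \
        -config "$dir/openssl.cnf" -extensions v3_ca -out "$dir/ca.crt" 2>/dev/null &&
    issue "$dir" vpn.example.com v3_server &&
    issue "$dir" laptop.example.com v3_client
}

# verify_against_ca CA CERT: the chain check OpenVPN makes on every peer.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# is_server_cert CERT: succeeds only if the Netscape Cert Type extension says
# "SSL Server", i.e. what a client running "ns-cert-type server" insists on.
is_server_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/Netscape Cert Type/{n;p;}' | grep -q 'SSL Server'
}

# cert_cn CERT: the Common Name, which OpenVPN uses to identify the peer.
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/.*CN *= *//'
}

# Build the PKI in a temporary directory and report both checks per cert.
demo() {
    d=$(mktemp -d) && make_test_pki "$d" || return 1
    for c in vpn.example.com laptop.example.com; do
        verify_against_ca "$d/ca.crt" "$d/$c.crt" && chain=ok || chain=FAIL
        is_server_cert "$d/$c.crt" && role=server || role=client
        echo "$(cert_cn "$d/$c.crt"): chain $chain, nsCertType $role"
    done
    rm -rf "$d"
}

demo
```

Run the block as-is to see both certificates pass the chain check while only vpn.example.com is accepted as a server; swap the section names in make_test_pki and the client certificate would be accepted as a server, which is the impersonation that checking the server mark on the client side prevents.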

The Server Config File
Both the server and the client need their own config files. The two files (server and client) should be very close to each other, but each must reference that machine's own certificate. In this example we are using a Certificate Authority, so each user will need their own *.crt and *.key plus the shared ca.crt referenced from their config file; see the annotated configs below for more info.

Your OpenVPN config files are stored in /etc/openvpn. Sample config files to start from ship with the package:
    cd /usr/share/doc/openvpn-2.1/sample-config-files/

Here is my server config file, with what each directive does:
    local 192.168.1.2                        # Which local IP address should OpenVPN listen on?
    port 1194                                # Which TCP/UDP port should OpenVPN listen on? 1194 is the OpenVPN default.
    proto udp                                # TCP or UDP server?
    dev tun                                  # "dev tun" creates a routed IP tunnel, "dev tap" an ethernet tunnel.
    ca ca.crt                                # SSL/TLS root certificate (ca), certificate (cert), and private key (key).
    cert Server.crt                          # Each client and the server must have their own cert and key file.
    key Server.key                           # This file should be kept secret.
    dh dh1024.pem                            # The Diffie-Hellman parameters from build-dh.
    server 192.168.2.0 255.255.255.0         # Server mode and the VPN subnet client addresses are drawn from. Must be different from the local subnet.
    ifconfig-pool-persist ipp.txt            # Maintain a record of client <-> virtual IP address associations in this file.
    push "route 192.168.1.0 255.255.255.0"   # Push routes to the client so it can reach private subnets behind the server.
    client-to-client                         # Allow different clients to "see" each other.
    keepalive 10 120                         # Ping-like messages sent back and forth over the VPN.
    comp-lzo                                 # Enable compression on the VPN link.
    persist-key                              # The persist options avoid accessing certain resources on restart
    persist-tun                              # that may no longer be accessible because of the privilege downgrade.
    user nobody                              # It's a good idea to reduce the OpenVPN daemon's privileges
    group nobody                             # after initialization.
    status openvpn-status.log                # Output a short status file showing current connections.
Two things to keep in mind. local 192.168.1.2 means the daemon listens only on the LAN address, so the router in front of it has to forward UDP 1194 to that host for outside clients to get in. And client-to-client makes OpenVPN pass traffic between clients internally, so iptables rules on the tun interface never see it; leave it out unless clients really need to reach each other.

Starting and Testing the OpenVPN Server
To start OpenVPN by hand, run it from /etc/openvpn, because the ca, cert, key and dh paths in the config are relative to the current directory (the cd directive in the config file does the same job):
    cd /etc/openvpn
    /usr/sbin/openvpn --config vpn.mattrude.com.conf

To forward network traffic between the tunnel and the LAN, run:
    echo 1 > /proc/sys/net/ipv4/ip_forward
You can make this command run whenever the system starts like this:
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.d/rc.local
(On Fedora the cleaner way is net.ipv4.ip_forward = 1 in /etc/sysctl.conf.) Forwarding alone is not enough for the pushed route to work: LAN hosts will send their replies to 192.168.2.x addresses via their default gateway, so either add a route for 192.168.2.0/24 via 192.168.1.2 on the LAN router, or NAT the VPN subnet to the server's LAN address with iptables.

= OpenVPN Client Setup =

A client can be almost any computer that is on the internet and running Linux 2.4 or higher, Windows 2000 or Windows XP, *BSD, or another Unix-like system. You just need to download and install OpenVPN on the client system, then copy over the client's config file, the server's ca.crt file, the client's ???.crt file, and the client's ???.key file (and nothing else from the keys directory).

The Client Config Files
Here's my default client config file; the same file works in both Linux (*.conf) and Windows (*.ovpn).
    client                         # Tell OpenVPN it is a client, NOT a server.
    dev tun                        # "dev tun" creates a routed IP tunnel, "dev tap" an ethernet tunnel; must match the server.
    proto udp                      # TCP or UDP; must match the server.
    remote vpn.mattrude.com 1194   # The remote hostname or IP address and port.
    resolv-retry infinite          # Keep trying indefinitely to resolve the host name of the OpenVPN server.
    nobind                         # Clients don't need to bind to a specific local port number.
    persist-key                    # The persist options avoid accessing certain resources on restart
    persist-tun                    # that may no longer be accessible because of the privilege downgrade.
    ca ca.crt                      # SSL/TLS root certificate (ca), certificate (cert), and private key (key).
    cert Client.crt                # Each client and the server must have their own cert and key file:
    key Client.key                 # the files the CA above issued for this particular client.
    comp-lzo                       # Enable compression on the VPN link; must match the server.
    verb 3                         # Set log file verbosity.
    mute 20                        # Silence repeating messages.
Client.crt and Client.key stand for the files easy-rsa produced for that client (keys/laptop.mattrude.com.crt and .key for the first client above); each client gets its own pair and never anyone else's. One directive worth adding to every client config is ns-cert-type server: it makes the client check that the server certificate was built with build-key-server, so a stolen client certificate cannot be used to pose as the VPN server to the other clients.

Windows Clients
= Revoking a Client's Certificate =
    cd /usr/share/openvpn/easy-rsa/2.0
    . ./vars
    ./revoke-full client2
client2 is the Common Name you gave to build-key. revoke-full updates the CA database and writes a certificate revocation list to keys/crl.pem, but the server ignores it until told to: copy crl.pem to /etc/openvpn and add crl-verify crl.pem to the server config. The server re-reads crl.pem as new connections come in, so after later revocations you only need to copy the updated file over; without crl-verify a revoked client keeps connecting as if nothing happened.

= Add a user after you have OpenVPN setup =

New client certificates are signed by the same CA, so they are built from the same easy-rsa directory, with the CA database (keys/index.txt and keys/serial) that build-ca created still in place. The symbolic link between /usr/share/openvpn/easy-rsa/2.0/keys and /etc/openvpn that I use is:
    ln -s /etc/openvpn /usr/share/openvpn/easy-rsa/2.0/keys
This only works if keys/ was moved out of the way first (ln -s onto an existing directory creates a link inside it), and it leaves ca.key in /etc/openvpn, which the CA section above warns against; keeping keys/ where it is and copying only the files each side needs is the safer arrangement. Either way, to add a client run:
    cd /usr/share/openvpn/easy-rsa/2.0
    source ./vars
    ./build-key
with the new client's Common Name as the argument to build-key, then give that client ca.crt plus the new .crt and .key. Do not run ./clean-all (it deletes the CA), and there is no need to run ./build-dh again: the Diffie-Hellman parameters belong to the server and were generated once already.

= OpenVPN Management Console =

The OpenVPN Management interface allows OpenVPN to be administratively controlled from an external program via a TCP socket.

The interface has been specifically designed for GUI developers and those who would like to programmatically or remotely control an OpenVPN daemon.

The management interface is implemented using a client/server TCP connection, where OpenVPN will listen on a provided IP address and port for incoming management client connections.

The management protocol is currently cleartext without an explicit security layer. For this reason, it is recommended that the management interface either listen on localhost (127.0.0.1) or on the local VPN address. It's possible to remotely connect to the management interface over the VPN itself, though some capabilities will be limited in this mode, such as the ability to provide private key passwords.

To use the management console add a line like this to your server config file:
    management 192.168.1.2 7505
The two arguments are the IP address and the port the daemon listens on for management connections. Given the warning above that the protocol is cleartext with no authentication of its own, 127.0.0.1 is the better choice unless you really need to reach it from elsewhere: anyone who can connect to this port can kill client sessions or send the daemon SIGTERM.

To access the management interface, telnet to the IP address and port you set in your config file:
    telnet 192.168.1.2 7505
When you connect to the management interface you will get a screen like this:
    Management Interface for OpenVPN 2.1_beta14 i386-redhat-linux-gnu [SSL] [LZO1] [EPOLL] built on Apr 14 2006
    Commands:
    auth-retry t          : Auth failure retry mode (none,interact,nointeract).
    bytecount n           : Show bytes in/out, update every n secs (0=off).
    echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
    exit|quit             : Close management session.
    help                  : Print this message.
    hold [on|off|release] : Set/show hold flag to on/off state, or
                            release current hold and start tunnel.
    kill cn               : Kill the client instance(s) having common name cn.
    kill IP:port          : Kill the client instance connecting from IP:port.
    log [on|off] [N|all]  : Turn on/off realtime log display
                            + show last N lines or 'all' for entire history.
    mute [n]              : Set log mute level to n, or show level if n is absent.
    needok type action    : Enter confirmation for NEED-OK request of 'type',
                            where action = 'ok' or 'cancel'.
    net                   : (Windows only) Show network info and routing table.
    password type p       : Enter password p for a queried OpenVPN password.
    signal s              : Send signal s to daemon,
                            s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
    state [on|off] [N|all] : Like log, but show state history.
    status [n]            : Show current daemon status info using format #n.
    test n                : Produce n lines of output for testing/debugging.
    username type u       : Enter username u for a queried OpenVPN username.
    verb [n]              : Set log verbosity level to n, or show if n is absent.
    version               : Show current version number.
    END

For more info on the Management Interface see: http://openvpn.net/management.html

= Other OpenVPN Resources =
 * OpenVPN-GUI for Windows
 * OpenVPN User Manager (.net only)
 * Webmin OpenVpn Admin Module
 * OpenVPN Control
 * Net-OpenVPN Manage
 * Kvpnc is a KDE Desktop Environment frontend for various vpn clients.
 * OpenVPN-Web-Gui
 * How to build a secure Wireless Infrastructure with OpenVPN (Multipart)
 * A Linux distribution which includes OpenVPN
 * Tunnelblick, GUI for Mac OS X

= References =
 * http://openvpn.net/howto.html
 * http://openvpn.net/management.html
 * http://en.wikipedia.org/wiki/Openvpn
 * http://en.wikipedia.org/wiki/Certificate_authority
 * http://openvpn.se