
Category:OpenVPN

From MattWiki

Written for Fedora Linux 5, 6, & 7 with OpenVPN 2.1_rc4

OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.

OpenVPN 2.0 expands on the capabilities of OpenVPN 1.x by offering a scalable client/server mode, allowing multiple clients to connect to a single OpenVPN server process over a single TCP or UDP port.

This Document was written for my own needs as setup notes. It is written with the idea of having a central Fedora Linux OpenVPN Server running inside the Local Area Network (LAN) and allowing clients running ether Linux, Windows 2000, or Windows XP to securely VPN into the LAN with full local network access (File Serving, Printing, Database Apps, ...

-Matt Rude


OpenVPN Server Setup

The OpenVPN server

Installing

Also See: Installing Openvpn From Source

Via yum

yum -y install openvpn

Via smart

smart install openvpn

Installing from Matt's RPMs

My prebuilt OpenVPN RPMs are:

Via yum

yum -y localinstall Openvpn-2.1_rc4.F7.i386.rpm

Certificate Authority (CA)

From Wikipedia:

A CA will issue a public key certificate which states that the CA attests that the public key contained in the certificate belongs to the person, organization, server, or other entity noted in the certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users (relying parties) can trust the information in the CA's certificates. The usual idea is that if the user trusts the CA and can verify the CA's signature, then they can also verify that a certain public key does indeed belong to whomever is identified in the certificate.

If the CA can be subverted, then the security of the entire system is lost. Suppose an attacker, Mallory (to use the Alice and Bob convention), manages to get a certificate authority to issue a false certificate tying Alice to the wrong public key, whose corresponding private key is known to Mallory. If Bob subsequently obtains and uses Alice's public key in this (bogus) certificate, the security of his communications to her could be compromised by Mallory — for example, his messages could be decrypted, or he could be tricked into accepting forged signatures.

Building a Certificate Authority (CA)

For more info see here

The first step in building an OpenVPN 2.0 configuration is to establish a PKI (Public Key Infrastructure).

Go to the easy-rsa build directory. Mine is /usr/share/openvpn/easy-rsa/2.0:

cd /usr/share/openvpn/easy-rsa/2.0

Now update your vars file:

vim vars

At the bottom of the file you will see the entries below. Edit them for your own system.

export KEY_COUNTRY="US"
export KEY_PROVINCE="MN"
export KEY_CITY="SaintPaul"
export KEY_ORG="mattrude.com"
export KEY_EMAIL="[email protected]"

After you have updated your vars file you need to source it:

source ./vars

Now run clean-all and build-ca to build your CA. Note that clean-all wipes the keys directory, so only run it when building a new CA from scratch:

./clean-all
./build-ca

The final command (build-ca) builds the certificate authority (CA) certificate and key by invoking the interactive openssl command.

The only parameter which must be explicitly entered is the Common Name. The "Common Name" is the computer name.

Generate certificate & key for server

Next, we will generate a certificate and private key for the server:

./build-key-server vpn.mattrude.com

As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Generate certificates & keys for clients

Generating client certificates is very similar to the previous step:

./build-key laptop.mattrude.com
./build-key parents.mattrude.com

If you would like to password-protect your client keys, substitute the build-key-pass script.

Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "laptop.mattrude.com", "parents.mattrude.com". Always use a unique common name for each client.

Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server:

./build-dh

Finishing the CA

Now copy all the generated files to your /etc/openvpn directory:

cp keys/* /etc/openvpn/

The Server Config File

Both the server and the client need their own config files. The two files (server and client) are very close to each other, but each must reference its own certificate files. In this example we are using a Certificate Authority, so each user needs their own *.crt and *.key files plus ca.crt referenced from their config file. See the table below for more info.


Filename      Needed By                 Purpose                     Secret
ca.crt        server + all clients      Root CA certificate         NO
ca.key        key signing machine only  Root CA key                 YES
dh{n}.pem     server only               Diffie Hellman parameters   NO
server.crt    server only               Server Certificate          NO
server.key    server only               Server Key                  YES
client1.crt   client1 only              Client1 Certificate         NO
client1.key   client1 only              Client1 Key                 YES

Your OpenVPN config files are stored in /etc/openvpn. The sample config files that ship with the package are in:

cd /usr/share/doc/openvpn-2.1/sample-config-files/

Here is my server config file.

# Which local IP address should OpenVPN listen on?
local 192.168.1.2
# Which TCP/UDP port should OpenVPN listen on?
port 1194 # This is the OpenVPN default port.
# TCP or UDP server?
proto udp
# "dev tun" will create a routed IP tunnel, "dev tap" will create an ethernet tunnel.
dev tun
# SSL/TLS root certificate (ca), certificate (cert), and private key (key).
# Each client and the server must have their own cert and key file.
ca ca.crt
cert Server.crt
key Server.key  # This file should be kept secret
dh dh1024.pem
# Configure server mode and supply a VPN subnet for OpenVPN to draw client addresses from.
server 192.168.2.0 255.255.255.0 # Must be different from the local subnet.
# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist ipp.txt
# Push routes to the client to allow it to reach other private subnets behind the server.
push "route 192.168.1.0 255.255.255.0"
# Allow different clients to be able to "see" each other.
client-to-client
# The keepalive directive causes ping-like messages to be sent back and forth over the VPN.
keepalive 10 120
# Enable compression on the VPN link.
comp-lzo
# The persist options will try to avoid accessing certain resources on restart,
# that may no longer be accessible because of the privilege downgrade.
persist-key
persist-tun
# It's a good idea to reduce the OpenVPN daemon's privileges after initialization.
user nobody
group nobody
# Output a short status file showing current connections.
status openvpn-status.log

Starting and Testing the OpenVPN Server

To start OpenVPN, run:

/usr/sbin/openvpn --config vpn.mattrude.com.conf

To forward network traffic, run:

echo 1 > /proc/sys/net/ipv4/ip_forward

To make this setting apply every time the system starts, append the command to rc.local:

echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.d/rc.local

OpenVPN Client Setup

A client can be almost any computer that is on the internet and running Linux 2.4 or higher, Windows 2000, Windows XP, *BSD, or other *nix systems. You just need to download and install OpenVPN on the client system, then copy over the client's config file, the server's ca.crt file, the client's ???.crt file, and the client's ???.key file.

The Client Config Files

Here's my default client config file; it works on both Linux (*.conf) and Windows (*.ovpn).

# Telling OpenVPN it will be a client NOT a Server
client
# "dev tun" will create a routed IP tunnel, "dev tap" will create an ethernet tunnel.
dev tun
# TCP or UDP server?
proto udp
# The Remote hostname or IP Address and port
remote vpn.mattrude.com 1194
# Keep trying indefinitely to resolve the host name of the OpenVPN server.
resolv-retry infinite
# Clients don't need to bind to a specific local port number.
nobind
# The persist options will try to avoid accessing certain resources on restart,
# that may no longer be accessible because of the privilege downgrade.
persist-key
persist-tun
# SSL/TLS root certificate (ca), certificate (cert), and private key (key).
# Each client and the server must have their own cert and key file.
# The keys supplied by the server's CA
ca ca.crt
cert Client.crt
key Client.key
# Enable compression on the VPN link.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
mute 20

Transporting Required Files

Client Connections

Windows Clients

Revoking a Client's Certificate

cd /usr/share/openvpn/easy-rsa/2.0
. ./vars
./revoke-full client2

Add a user after you have OpenVPN set up

First make sure you have a symbolic link between /usr/share/openvpn/easy-rsa/2.0/keys and /etc/openvpn:

ln -s /etc/openvpn /usr/share/openvpn/easy-rsa/2.0/keys

If the link is in place, then run:

cd /usr/share/openvpn/easy-rsa/2.0
source ./vars
./build-key <Client Name>
./build-dh

OpenVPN Management Console

The OpenVPN Management interface allows OpenVPN to be administratively controlled from an external program via a TCP socket.

The interface has been specifically designed for GUI developers and those who would like to programmatically or remotely control an OpenVPN daemon.

The management interface is implemented using a client/server TCP connection, where OpenVPN will listen on a provided IP address and port for incoming management client connections.

The management protocol is currently cleartext without an explicit security layer. For this reason, it is recommended that the management interface either listen on localhost (127.0.0.1) or on the local VPN address. It's possible to remotely connect to the management interface over the VPN itself, though some capabilities will be limited in this mode, such as the ability to provide private key passwords.

To use the management console, add a line like this to your server conf file:

management 192.168.1.2 7505

The syntax of this line is:

management <Listening IP Address> <Listening Port>
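As an added example (not code from the original wiki), the following Python script parses an OpenVPN server config in the format shown above and checks the three points this page raises: the server pool must differ from the local subnet and pushed routes, the cleartext management interface should bind only to loopback or a VPN-pool address, and the daemon should drop root with user/group. The sample config is constructed here and modelled on the one on this page; the /24 assumed for the local listen address is an assumption of the check.

```python
import ipaddress
# Constructed sample, modelled on this page's server config (not the wiki's file).
SAMPLE_CONF = """\
local 192.168.1.2
port 1194 # OpenVPN default port
proto udp
dev tun
server 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
user nobody
group nobody
management 192.168.1.2 7505
"""

def parse_conf(text):
    """Return [(directive, [args])]; drops blank lines, '#' comments and quotes."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.replace('"', "").split()
            entries.append((parts[0], parts[1:]))
    return entries

def check_server_conf(text):
    """Return findings for the hardening points this page raises."""
    conf = parse_conf(text)
    args_of = lambda name: [a for d, a in conf if d == name]
    findings = []
    pools = [ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
             for a in args_of("server")]
    # 1. VPN pool must not overlap pushed routes or the listen address's LAN (assumed /24).
    lan_nets = [ipaddress.ip_network(f"{a[1]}/{a[2]}", strict=False)
                for a in args_of("push") if a[:1] == ["route"]]
    lan_nets += [ipaddress.ip_network(f"{a[0]}/24", strict=False)
                 for a in args_of("local")]
    for pool in pools:
        for net in lan_nets:
            if pool.overlaps(net):
                findings.append(f"server pool {pool} overlaps {net}")
    # 2. Management protocol is cleartext: bind only to loopback or a VPN-pool address.
    for a in args_of("management"):
        ip = ipaddress.ip_address(a[0])
        if not (ip.is_loopback or any(ip in p for p in pools)):
            findings.append(f"management bound to exposed address {a[0]}:{a[1]}")
    # 3. Daemon should drop root after initialisation.
    for d in ("user", "group"):
        if not args_of(d):
            findings.append(f"missing '{d}': daemon keeps root privileges")
    return findings
```

Run against the sample it flags the management line, since 192.168.1.2 is the LAN address rather than 127.0.0.1 or an address in the 192.168.2.0/24 pool.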

To access the management interface, telnet to the IP address and port you set in your config file:

telnet 192.168.1.2 7505

When you connect to the management interface you will get a screen like this:

Management Interface for OpenVPN 2.1_beta14 i386-redhat-linux-gnu [SSL] [LZO1] [EPOLL] built on Apr 14 2006
Commands:
auth-retry t           : Auth failure retry mode (none,interact,nointeract).
bytecount n            : Show bytes in/out, update every n secs (0=off).
echo [on|off] [N|all]  : Like log, but only show messages in echo buffer.
exit|quit              : Close management session.
help                   : Print this message.
hold [on|off|release]  : Set/show hold flag to on/off state, or
                         release current hold and start tunnel.
kill cn                : Kill the client instance(s) having common name cn.
kill IP:port           : Kill the client instance connecting from IP:port.
log [on|off] [N|all]   : Turn on/off realtime log display
                         + show last N lines or 'all' for entire history.
mute [n]               : Set log mute level to n, or show level if n is absent.
needok type action     : Enter confirmation for NEED-OK request of 'type',
                         where action = 'ok' or 'cancel'.
net                    : (Windows only) Show network info and routing table.
password type p        : Enter password p for a queried OpenVPN password.
signal s               : Send signal s to daemon,
                         s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n]             : Show current daemon status info using format #n.
test n                 : Produce n lines of output for testing/debugging.
username type u        : Enter username u for a queried OpenVPN username.
verb [n]               : Set log verbosity level to n, or show if n is absent.
version                : Show current version number.
END

For more info on the Management Interface see: http://openvpn.net/management.html

Other OpenVPN Resources

References
