Category:OpenVPN
Written for Fedora Linux 5, 6, & 7 with OpenVPN 2.1_rc4
OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.
OpenVPN 2.0 expands on the capabilities of OpenVPN 1.x by offering a scalable client/server mode, allowing multiple clients to connect to a single OpenVPN server process over a single TCP or UDP port.
This document was written for my own needs as setup notes. It is written with the idea of having a central Fedora Linux OpenVPN server running inside the Local Area Network (LAN) and allowing clients running either Linux, Windows 2000, or Windows XP to securely VPN into the LAN with full local network access (File Serving, Printing, Database Apps, ...
-Matt Rude
OpenVPN Server Setup
The OpenVPN server
Installing
Also See: Installing Openvpn From Source
Via yum
yum -y install openvpn
Via smart
smart install openvpn
Installing from Matt's RPMs
My prebuilt OpenVPN RPMs are:
Via yum
yum -y localinstall Openvpn-2.1_rc4.F7.i386.rpm
Certificate Authority (CA)
From Wikipedia:
A CA will issue a public key certificate which states that the CA attests that the public key contained in the certificate belongs to the person, organization, server, or other entity noted in the certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users (relying parties) can trust the information in the CA's certificates. The usual idea is that if the user trusts the CA and can verify the CA's signature, then they can also verify that a certain public key does indeed belong to whomever is identified in the certificate.
If the CA can be subverted, then the security of the entire system is lost. Suppose an attacker, Mallory (to use the Alice and Bob convention), manages to get a certificate authority to issue a false certificate tying Alice to the wrong public key, whose corresponding private key is known to Mallory. If Bob subsequently obtains and uses Alice's public key in this (bogus) certificate, the security of his communications to her could be compromised by Mallory — for example, his messages could be decrypted, or he could be tricked into accepting forged signatures.
Building a Certificate Authority (CA)
For more info see here
The first step in building an OpenVPN 2.0 configuration is to establish a PKI (Public Key Infrastructure).
Go to the easy-rsa build directory; mine is /usr/share/openvpn/easy-rsa/2.0:
cd /usr/share/openvpn/easy-rsa/2.0
Now you need to update your vars file.
vim vars
At the bottom of the file you will see the entries below; edit them for your own system.
export KEY_COUNTRY="US"
export KEY_PROVINCE="MN"
export KEY_CITY="SaintPaul"
export KEY_ORG="mattrude.com"
export KEY_EMAIL="[email protected]"
After you have updated your vars file you need to source it:
source ./vars
Now run clean-all and build-ca to build your CA:
./clean-all
./build-ca
The final command (build-ca) builds the certificate authority (CA) certificate and key by invoking the interactive openssl command.
The only parameter which must be explicitly entered is the Common Name. The "Common Name" is the computer name.
Generate certificate & key for server
Next, we will generate a certificate and private key for the server:
./build-key-server vpn.mattrude.com
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".
Generate certificates & keys for clients
Generating client certificates is very similar to the previous step:
./build-key laptop.mattrude.com
./build-key parents.mattrude.com
If you would like to password-protect your client keys, substitute the build-key-pass script.
For each client, make sure to type the appropriate Common Name when prompted, i.e. "laptop.mattrude.com" or "parents.mattrude.com". Always use a unique Common Name for each client.
Generate Diffie-Hellman parameters
Diffie-Hellman parameters must be generated for the OpenVPN server:
./build-dh
Finishing the CA
Now copy all the generated files to your /etc/openvpn directory:
cp keys/* /etc/openvpn/
The Server Config File
Both the server and the client need their own config files. The two files (server and client) are very similar, but each must contain that system's own certificate information. In this example we are using a Certificate Authority server, so each user needs their own *.crt, *.key, and ca.crt files referenced in their config file. See the table below for more info.
Filename | Needed By | Purpose | Secret |
---|---|---|---|
ca.crt | server + all clients | Root CA certificate | NO |
ca.key | key signing machine only | Root CA key | YES |
dh{n}.pem | server only | Diffie Hellman parameters | NO |
server.crt | server only | Server Certificate | NO |
server.key | server only | Server Key | YES |
client1.crt | client1 only | Client1 Certificate | NO |
client1.key | client1 only | Client1 Key | YES |
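The table says which of the generated files are secret and where each one is needed, and "cp keys/* /etc/openvpn/" above copies all of them, including ca.key, which the table lists as needed by the key-signing machine only. The script below is an added example, not part of the original notes: it audits a directory against the table's Needed By and Secret columns. The directory and owner arguments and the name check_key_material are mine; it uses GNU stat -c as found on Fedora.

```shell
#!/bin/sh
# Added example (not from the original page): audit the key material copied
# into /etc/openvpn against the Filename / Needed By / Secret table above.
#   - ca.key must not be present on the VPN server: the table lists it as
#     needed by the key-signing machine only
#   - every other *.key file must be owned by the expected user and readable
#     by that user only (mode 600 or 400)
#   - every server or client *.key should have its matching *.crt beside it
# Prints one line per finding and returns the number of findings (0 = clean).
check_key_material() {
    dir=$1
    owner_expected=${2:-root}     # second argument lets a test run as non-root
    findings=0
    if [ -e "$dir/ca.key" ]; then
        echo "FINDING: $dir/ca.key is present; the CA key belongs only on the signing machine"
        findings=$((findings + 1))
    fi
    for key in "$dir"/*.key; do
        [ -e "$key" ] || continue                   # no .key files at all
        case $(basename "$key") in ca.key) continue ;; esac
        # stat -c is GNU coreutils: %a = octal mode, %U = owner name
        mode=$(stat -c '%a' "$key")
        owner=$(stat -c '%U' "$key")
        if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
            echo "FINDING: $key has mode $mode, expected 600 or 400"
            findings=$((findings + 1))
        fi
        if [ "$owner" != "$owner_expected" ]; then
            echo "FINDING: $key is owned by $owner, expected $owner_expected"
            findings=$((findings + 1))
        fi
        crt="${key%.key}.crt"
        if [ ! -e "$crt" ]; then
            echo "FINDING: $key has no matching certificate $crt"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage on the server: check_key_material /etc/openvpn
if [ -n "${OPENVPN_KEY_DIR:-}" ]; then
    check_key_material "$OPENVPN_KEY_DIR"
fi
```

Run it with the directory as the first argument (OPENVPN_KEY_DIR=/etc/openvpn also works); a non-zero exit status is the number of findings, so it can sit in a cron job or a post-install check.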
Your OpenVPN config files will be stored in /etc/openvpn. Sample config files to start from are in:
cd /usr/share/doc/openvpn-2.1/sample-config-files/
Here is my server config file.
# Which local IP address should OpenVPN listen on?
local 192.168.1.2
# Which TCP/UDP port should OpenVPN listen on?
port 1194 # This is the OpenVPN default port.
# TCP or UDP server?
proto udp
# "dev tun" will create a routed IP tunnel, "dev tap" will create an ethernet tunnel.
dev tun
# SSL/TLS root certificate (ca), certificate (cert), and private key (key).
# Each client and the server must have their own cert and key file.
ca ca.crt
cert Server.crt
key Server.key # This file should be kept secret
dh dh1024.pem
# Configure server mode and supply a VPN subnet for OpenVPN to draw client addresses from.
server 192.168.2.0 255.255.255.0 # Must be different from the local subnet.
# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist ipp.txt
# Push routes to the client to allow it to reach other private subnets behind the server.
push "route 192.168.1.0 255.255.255.0"
# To allow different clients to be able to "see" each other.
client-to-client
# The keepalive directive causes ping-like messages to be sent back and forth over the VPN.
keepalive 10 120
# Enable compression on the VPN link.
comp-lzo
# The persist options will try to avoid accessing certain resources on restart,
# that may no longer be accessible because of the privilege downgrade.
persist-key
persist-tun
# It's a good idea to reduce the OpenVPN daemon's privileges after initialization.
user nobody
group nobody
# Output a short status file showing current connections
status openvpn-status.log
Starting and Testing the OpenVPN Server
To start OpenVPN, run:
/usr/sbin/openvpn --config vpn.mattrude.com.conf
To forward network traffic (enable IP forwarding), run:
echo 1 > /proc/sys/net/ipv4/ip_forward
To make this happen whenever the system starts, append the command to rc.local:
echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.d/rc.local
OpenVPN Client Setup
A client can be almost any computer that is on the internet and running Linux 2.4 or higher, Windows 2000 or Windows XP, *BSD, or other *nix systems. You just need to download and install OpenVPN on the client system, then copy over the client's config file, the server's ca.crt file, the client's ???.crt file, and the client's ???.key file.
The Client Config Files
Here's my default client config file; this file works on both Linux (*.conf) and Windows (*.ovpn).
# Telling OpenVPN it will be a client, NOT a server
client
# "dev tun" will create a routed IP tunnel, "dev tap" will create an ethernet tunnel.
dev tun
# TCP or UDP server?
proto udp
# The remote hostname or IP address and port
remote vpn.mattrude.com 1194
# Keep trying indefinitely to resolve the host name of the OpenVPN server.
resolv-retry infinite
# Clients don't need to bind to a specific local port number.
nobind
# The persist options will try to avoid accessing certain resources on restart,
# that may no longer be accessible because of the privilege downgrade.
persist-key
persist-tun
# SSL/TLS root certificate (ca), certificate (cert), and private key (key).
# Each client and the server must have their own cert and key file.
# The server-supplied keys
ca ca.crt
cert Client.crt
key Client.key
# Enable compression on the VPN link.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
mute 20
Transporting Required Files
Client Connections
Windows Clients
Revoking a Client's Certificate
cd /usr/share/openvpn/easy-rsa/2.0
. ./vars
./revoke-full client2
Add a user after you have OpenVPN set up
First make sure you have a symbolic link from /usr/share/openvpn/easy-rsa/2.0/keys to /etc/openvpn:
ln -s /etc/openvpn /usr/share/openvpn/easy-rsa/2.0/keys
If the above is good to go, then run:
cd /usr/share/openvpn/easy-rsa/2.0
source ./vars
./build-key <Client Name>
./build-dh
OpenVPN Management Console
The OpenVPN Management interface allows OpenVPN to be administratively controlled from an external program via a TCP socket.
The interface has been specifically designed for GUI developers and those who would like to programmatically or remotely control an OpenVPN daemon.
The management interface is implemented using a client/server TCP connection, where OpenVPN will listen on a provided IP address and port for incoming management client connections.
The management protocol is currently cleartext without an explicit security layer. For this reason, it is recommended that the management interface either listen on localhost (127.0.0.1) or on the local VPN address. It's possible to remotely connect to the management interface over the VPN itself, though some capabilities will be limited in this mode, such as the ability to provide private key passwords.
To use the management console, add a line like this to your server conf file:
management 192.168.1.2 7505
The syntax is:
management <Listening IP Address> <Listening Port>
To access the management interface telnet to the IP Address and port you set in your config file.
telnet 192.168.1.2 7505
When you connect to the management interface you will see a screen like this:
Management Interface for OpenVPN 2.1_beta14 i386-redhat-linux-gnu [SSL] [LZO1] [EPOLL] built on Apr 14 2006
Commands:
auth-retry t : Auth failure retry mode (none,interact,nointeract).
bytecount n : Show bytes in/out, update every n secs (0=off).
echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
exit|quit : Close management session.
help : Print this message.
hold [on|off|release] : Set/show hold flag to on/off state, or release current hold and start tunnel.
kill cn : Kill the client instance(s) having common name cn.
kill IP:port : Kill the client instance connecting from IP:port.
log [on|off] [N|all] : Turn on/off realtime log display + show last N lines or 'all' for entire history.
mute [n] : Set log mute level to n, or show level if n is absent.
needok type action : Enter confirmation for NEED-OK request of 'type', where action = 'ok' or 'cancel'.
net : (Windows only) Show network info and routing table.
password type p : Enter password p for a queried OpenVPN password.
signal s : Send signal s to daemon, s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n] : Show current daemon status info using format #n.
test n : Produce n lines of output for testing/debugging.
username type u : Enter username u for a queried OpenVPN username.
verb [n] : Set log verbosity level to n, or show if n is absent.
version : Show current version number.
END
For more info on the Management Interface see: http://openvpn.net/management.html
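The example line "management 192.168.1.2 7505" binds the cleartext management protocol to the LAN address, which is what the paragraph above advises against. The script below is an added example, not part of the original page: it reads a server config and reports a management interface that is not bound to 127.0.0.1, a missing user/group privilege drop (the server config above uses "user nobody" and "group nobody"), and a missing crl-verify directive. That last check ties in with the "Revoking a Client's Certificate" section: ./revoke-full writes a CRL (keys/crl.pem), but the server only consults it when crl-verify points at that file, so a revoked client keeps connecting until the directive is added. The function name audit_server_conf and the sample configs in the usage are mine.

```shell
#!/bin/sh
# Added example, not from the original page: audit an OpenVPN server config
# for three points made on this page.
#   1. "management" bound to anything but 127.0.0.1: the management protocol is
#      cleartext, so it should listen on localhost.
#   2. No "user"/"group" directive: the daemon keeps root after initialization.
#   3. No "crl-verify" directive: the server never reads the CRL that
#      ./revoke-full writes, so a revoked client certificate is still accepted.
# Prints one line per finding and returns the number of findings (0 = clean).
audit_server_conf() {
    conf=$1
    findings=0
    has_user=0
    has_group=0
    has_crl=0
    set -f                                   # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                     # strip "#" comments
        line=${line%%;*}                     # strip ";" comments
        set -- $line                         # split into directive + arguments
        [ $# -gt 0 ] || continue             # blank or comment-only line
        case $1 in
            management)
                if [ "${2:-}" != "127.0.0.1" ]; then
                    echo "FINDING: management interface listens on '${2:-}' (cleartext protocol); bind it to 127.0.0.1"
                    findings=$((findings + 1))
                fi ;;
            user)       has_user=1 ;;
            group)      has_group=1 ;;
            crl-verify) has_crl=1 ;;
        esac
    done < "$conf"
    set +f
    if [ "$has_user" -eq 0 ] || [ "$has_group" -eq 0 ]; then
        echo "FINDING: no user/group directive; the daemon keeps root privileges after initialization"
        findings=$((findings + 1))
    fi
    if [ "$has_crl" -eq 0 ]; then
        echo "FINDING: no crl-verify directive; certificates revoked with ./revoke-full are still accepted"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage on the server: audit_server_conf /etc/openvpn/vpn.mattrude.com.conf
if [ -n "${OPENVPN_CONF:-}" ]; then
    audit_server_conf "$OPENVPN_CONF"
fi
```

Run against the server config from this page with the management line added, it reports two findings (the LAN-bound management interface and the missing crl-verify); changing the line to "management 127.0.0.1 7505" and adding "crl-verify crl.pem" (the file must be copied to /etc/openvpn after each ./revoke-full) brings it to zero.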
Other OpenVPN Resources
- OpenVPN-GUI for Windows
- OpenVPN User Manager (.net only)
- Webmin OpenVpn Admin Module
- OpenVPN Control
- Net-OpenVPN Manage
- Kvpnc[1] is a KDE Desktop Environment frontend for various vpn clients.
- OpenVPN-Web-Gui
- How to build a secure Wireless Infrastructure with OpenVPN (Multipart)
- A Linux distribution which includes OpenVPN
- Tunnelblick, GUI for Mac OS X
References
Media in category "OpenVPN"
The following 6 files are in this category, out of 6 total.
- Deploying a VPN with PKI.pdf ; 81 KB
- Openvpn-2.1 rc4.F7.i386.rpm ; 400 KB
- Openvpn-2.1 rc4.F7.ppc.rpm ; 424 KB
- Openvpn-2.1 rc4.FC6.i386.rpm ; 383 KB
- Openvpn-web-gui-0.3.2b.tgz ; 38 KB