Category:OpenVPN

From MattWiki
(Redirected from Openvpn)
Jump to: navigation, search

Written for Fedora Linux 5, 6, & 7 with OpenVPN 2.1_rc4

OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.

OpenVPN 2.0 expands on the capabilities of OpenVPN 1.x by offering a scalable client/server mode, allowing multiple clients to connect to a single OpenVPN server process over a single TCP or UDP port.

This Document was written for my own needs as setup notes. It is written with the idea of having a central Fedora Linux OpenVPN Server running inside the Local Area Network (LAN) and allowing clients running ether Linux, Windows 2000, or Windows XP to securely VPN into the LAN with full local network access (File Serving, Printing, Database Apps, ...

-Matt Rude


OpenVPN Server Setup

The OpenVPN server

Installing

Also See: Installing Openvpn From Source

Via yum

yum -y install openvpn

Via smart

smart install openvpn

Installing from Matt's RPM's

My Prebuild OpenVPN RPM's are:

Via yum

yum -y localinstall Openvpn-2.1_rc4.F7.i386.rpm

Certificate Authority (CA)

From wikipedia

A CA will issue a public key certificate which states that the CA attests that the public key contained in the certificate belongs to the person, organization, server, or other entity noted in the certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users (relying parties) can trust the information in the CA's certificates. The usual idea is that if the user trusts the CA and can verify the CA's signature, then they can also verify that a certain public key does indeed belong to whomever is identified in the certificate.

If the CA can be subverted, then the security of the entire system is lost. Suppose an attacker, Mallory (to use the Alice and Bob convention), manages to get a certificate authority to issue a false certificate tying Alice to the wrong public key, which corresponding private key is known to Mallory. If Bob subsequently obtains and uses Alice's public key in this (bogus) certificate, the security of his communications to her could be compromised by Mallory — for example, his messages could be decrypted, or he could be tricked into accepting forged signatures.

Building a Certificate Authority (CA)

For more info see here

The first step in building an OpenVPN 2.0 configuration is to establish a PKI (Public Key Infrastructure).

So go to the build directory Mine is /usr/share/openvpn/easy-rsa/2.0

cd /usr/share/openvpn/easy-rsa/2.0

Now we need to update your vars file.

vim vars

At the bottom of the file you will see the below entries edit this info for your own system.

export KEY_COUNTRY="US"
export KEY_PROVINCE="MN"
export KEY_CITY="SaintPaul"
export KEY_ORG="mattrude.com"
export KEY_EMAIL="example@example.com"

After you have updated your vars file you need to source it.

source ./vars

Now clean-all & build-ca to build your CA

./clean-all
./build-ca

The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:

The only parameter which must be explicitly entered is the Common Name. The "Common Name" is the computer name.

Generate certificate & key for server

Next, we will generate a certificate and private key for the server.

./build-key-server vpn.mattrude.com

As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Generate certificates & keys for clients

Generating client certificates is very similar to the previous step.

./build-key laptop.mattrude.com
./build-key parents.mattrude.com

If you would like to password-protect your client keys, substitute the build-key-pass script.

Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "laptop.mattrude.com", "parents.mattrude.com". Always use a unique common name for each client.

Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server.

./build-dh

Finishing the CA

cp all the files now to your /etc/openvpn directory

cp keys/* /etc/openvpn/

The Server Config File

Both the Server and the Client need there own Config files. The two files (Server & Client) should be vary close to each other but must have the users certificate info in it. In this example we are using a Certificate Authority Server so each user will need there own *.crt, *.key, ca.crt files added to there Config files. see the table below for more info.


Filename Needed By Purpose Secret
ca.crt server + all clients Root CA certificate NO
ca.key key signing machine only Root CA key YES
dh{n}.pem server only Diffie Hellman parameters NO
server.crt server only Server Certificate NO
server.key server only Server Key YES
client1.crt client1 only Client1 Certificate NO
client1.key client1 only Client1 Key YES

your OpenVPN config files will be stored in /etc/openvpn.

cd /usr/share/doc/openvpn-2.1/sample-config-files/

Here Is my Server Config File.

# Which local IP address should OpenVPN listen on?
local 192.168.1.2
# Which TCP/UDP port should OpenVPN listen on?
port 1194 # This is the OpenVPN Default Port.
# TCP or UDP server?
proto udp
# "dev tun" will create a routed IP tunnel, "dev tap" will create an ethernet tunnel.
dev tun
# SSL/TLS root certificate (ca), certificate (cert), and private key (key).
# Each client and the server must have their own cert and key file.
ca ca.crt
cert Server.crt
key Server.key  # This file should be kept secret
dh dh1024.pem
# Configure server mode and supply a VPN subnet for OpenVPN to draw client addresses from.
server 192.168.2.0 255.255.255.0 # Must Be Diffent then local subnet.
# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist ipp.txt
# Push routes to the client to allow it to reach other private subnets behind the server.
push "route 192.168.1.0 255.255.255.0"
# to allow different clients to be able to "see" each other.
client-to-client
# The keepalive directive causes ping-like messages to be sent back and forth over the VPN.
keepalive 10 120
# Enable compression on the VPN link.
comp-lzo
# The persist options will try to avoid accessing certain resources on restart,
# that may no longer be accessible because of the privilege downgrade.
persist-key
persist-tun
# It's a good idea to reduce the OpenVPN daemon's privileges after initialization.
user nobody
group nobody
# Output a short status file showing current connections
status openvpn-status.log

Starting and Testing the OpenVPN Server

To start Openvpn run.

/usr/sbin/openvpn --config vpn.mattrude.com.conf

To forward network traffic run

echo 1 > /proc/sys/net/ipv4/ip_forward

You can make this command start when ever the system starts like this

echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.d/rc.local

OpenVPN Client Setup

A Client can be almost any computer that is on the internet and running Linux 2.4 or higher, Windows 2000 or Windows XP, *BSD, and orther *nux systems. you just need to download and install OpenVPN on the client system then copy over the clients config file, Servers ca.crt file, the Clients ???.crt file, & the Clients ???.key file.

The Client Config Files

Here's my default client config file, this file works in both Linux (*.conf) or Windows (*.ovpn).

# Telling OpenVPN it will be a client NOT a Server
client
# "dev tun" will create a routed IP tunnel, "dev tap" will create an ethernet tunnel.
dev tun
# TCP or UDP server?
proto udp
# The Remote hostname or IP Address and port
remote vpn.mattrude.com 1194
# Keep trying indefinitely to resolve the host name of the OpenVPN server.
resolv-retry infinite
# Clients don't need to bind to a specific local port number.
nobind
# The persist options will try to avoid accessing certain resources on restart,
# that may no longer be accessible because of the privilege downgrade.
persist-key
persist-tun
# SSL/TLS root certificate (ca), certificate (cert), and private key (key).
# Each client and the server must have their own cert and key file.
# The Server supplyed keys
ca ca.crt
cert Client.crt
key Client.key
# Enable compression on the VPN link.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
mute 20

Transporting Required Files

Client Connections

Windows Clients

Revoking a Clients Certificate

 cd /usr/share/openvpn/easy-rsa/2.0
. ./vars
./revoke-full client2

Add an user after you have OpenVPN setup

First make sure you have a symbolical link between /usr/share/openvpn/easy-rsa/2.0/keys and /etc/openvpn

ln -s /etc/openvpn /usr/share/openvpn/easy-rsa/2.0/keys

If the above is good to go then run:

cd /usr/share/openvpn/easy-rsa/2.0
source ./vars
./build-key <Client Name>
./build-dh

OpenVPN Management Console

The OpenVPN Management interface allows OpenVPN to be administratively controlled from an external program via a TCP socket.

The interface has been specifically designed for GUI developers and those who would like to programmatically or remotely control an OpenVPN daemon.

The management interface is implemented using a client/server TCP connection, where OpenVPN will listen on a provided IP address and port for incoming management client connections.

The management protocol is currently cleartext without an explicit security layer. For this reason, it is recommended that the management interface either listen on localhost (127.0.0.1) or on the local VPN address. It's possible to remotely connect to the management interface over the VPN itself, though some capabilities will be limited in this mode, such as the ability to provide private key passwords.

To use the Management Console add a line like this to your server conf file

management 192.168.1.2 7505

This line is used like this

management <Listening IP Address> <Listening Port>

To access the management interface telnet to the IP Address and port you set in your config file.

telnet 192.168.1.2 7505

When you do connect to the management interface you will get a screen like this.

Management Interface for OpenVPN 2.1_beta14 i386-redhat-linux-gnu [SSL] [LZO1] [EPOLL] built on Apr 14 2006
Commands:
auth-retry t           : Auth failure retry mode (none,interact,nointeract).
bytecount n            : Show bytes in/out, update every n secs (0=off).
echo [on|off] [N|all]  : Like log, but only show messages in echo buffer.
exit|quit              : Close management session.
help                   : Print this message.
hold [on|off|release]  : Set/show hold flag to on/off state, or
                         release current hold and start tunnel.
kill cn                : Kill the client instance(s) having common name cn.
kill IP:port           : Kill the client instance connecting from IP:port.
log [on|off] [N|all]   : Turn on/off realtime log display
                         + show last N lines or 'all' for entire history.
mute [n]               : Set log mute level to n, or show level if n is absent.
needok type action     : Enter confirmation for NEED-OK request of 'type',
                         where action = 'ok' or 'cancel'.
net                    : (Windows only) Show network info and routing table.
password type p        : Enter password p for a queried OpenVPN password.
signal s               : Send signal s to daemon,
                         s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n]             : Show current daemon status info using format #n.
test n                 : Produce n lines of output for testing/debugging.
username type u        : Enter username u for a queried OpenVPN username.
verb [n]               : Set log verbosity level to n, or show if n is absent.
version                : Show current version number.
END

For more info on the Management Interface see: http://openvpn.net/management.html

Other OpenVPN Resources

References

Pages in category "OpenVPN"

The following 5 pages are in this category, out of 5 total.

Media in category "OpenVPN"

The following 6 files are in this category, out of 6 total.