VPN:OpenVPN

To quote from http://openvpn.net/

"OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol"

I'm going to create one VPN server and allow some clients to connect to it. This might be useful if you have one server on the Internet and others that need to create secure Virtual Private Networks to it.

Server

Install the software. On Ubuntu it would be like this (my server is Red Hat and I forget how I installed it, because it was that long ago):
sudo apt-get -y install openvpn

Copy the easy-rsa scripts from the install directory to /etc/openvpn

The source directory differs between Red Hat and Ubuntu:
sudo cp -ar /usr/share/doc/openvpn-2.0/easy-rsa /etc/openvpn # Red Hat
# OR
sudo cp -ar /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa # Ubuntu


Make that directory more secure

It's going to hold server and client certificates and keys
cd /etc/openvpn/easy-rsa
sudo -s # gives us a root shell - don't forget to exit when you're finished
chmod 700 .


Clean and edit the environment variables

This saves a lot of typing in the next part, and checks that the keys folder is clean:
init-config # this script does not exist on Ubuntu
vim vars
. ./vars
sh ./clean-all


Build the SSL ca certificate

Take the defaults, which you set in the vars file above
sh ./build-ca

Build the server's keys

Take the defaults, which you set in the vars file above, but make sure you set the Common Name to your server's hostname and answer y to the two questions at the end:
sh ./build-key-server server

Build the Diffie-Hellman parameter (key) file

sh ./build-dh

Copy the server's certificates and keys to /etc/openvpn

cp -a keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem ../

Copy the default server config file from the install directory to /etc/openvpn

cd /etc/openvpn/
cp /usr/share/doc/openvpn-2.0/sample-config-files/server.conf . # Red Hat
# OR
cp -a /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz . # Ubuntu
gunzip /etc/openvpn/server.conf.gz
mkdir ccd


Keep those files as secure as you can on the server box

chmod 600 /etc/openvpn/dh1024.pem /etc/openvpn/ca.crt
chmod 600 /etc/openvpn/server.conf /etc/openvpn/server.crt /etc/openvpn/server.key


Edit the OpenVPN server's config file

vi /etc/openvpn/server.conf

My server's config file looks like this, if I remove all the comments:
port 1194
proto tcp
dev tun
tun-mtu 1361
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.20.30.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 10.0.0.0 255.0.0.0
client-to-client
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3


A note on MTU

My OpenVPN server is on the end of an ADSL circuit. The most efficient size for MTU is 1454 bytes (see http://www.mynetwatchman.com/kb/adsl/pppoemtu.htm).

For a UDP OpenVPN tunnel there is a protocol overhead of 69 bytes per packet (41 bytes for OpenVPN and 28 bytes for UDP/IP), although compression of the data stream may reduce that (see http://openvpn.net/archive/openvpn-users/2004-11/msg00649.html).

Therefore, to ensure no packet fragmentation and to try to maximise ADSL throughput, I set the MTU of UDP-based tunnels to 1385 bytes. UDP fragmentation appears to break the OpenVPN tunnel to a Tomato OpenLinksys device, and setting 'tun-mtu 1385' fixed that completely.

Similarly, for a TCP OpenVPN tunnel there is a protocol overhead of 93 bytes per packet (41 bytes for OpenVPN and 52 bytes for TCP/IP). Therefore I set the MTU of TCP-based tunnels, as seen above, to 1361 bytes.

Build any client's keys

The name you give as the command-line parameter will be the 'Common Name' of the client connection. It does not have to be the hostname, but can be. Use it to describe the connection, such as 'home2work-udp'.
Take the defaults, which you set in the vars file above, and answer y to the two questions at the end:
cd /etc/openvpn/easy-rsa
. ./vars
sh ./build-key client1
sh ./build-key client2


Restart the OpenVPN service

/etc/init.d/openvpn restart # Red Hat
# OR
service openvpn restart # Ubuntu


Did you remember to exit from the root shell on your server?

Client

Install on the client

sudo apt-get -y install openvpn

'''Securely''' copy the certificate and keys

Copy them from your server, where you just built them, to your client boxes. On the server the files are...
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client1.crt
/etc/openvpn/easy-rsa/keys/client1.key
Put those files into /etc/openvpn

Copy the default client config file from the install directory to /etc/openvpn

cd /etc/openvpn
sudo -s # gives us a root shell - don't forget to exit when you're finished
cp -a /usr/share/doc/openvpn/examples/sample-config-files/client.conf .


Keep those files as secure as you can on the client boxes

chmod 600 /etc/openvpn/client.conf /etc/openvpn/ca.crt
chmod 600 /etc/openvpn/client.crt /etc/openvpn/client.key
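A check for the two hardening steps this page applies by hand on both the server and the client (the chmod 600 lines under "Keep those files as secure as you can", and the user/persist-key/persist-tun/ns-cert-type lines in the stripped-down configs), as an added example that is not the wiki's own code. It reports key, certificate and config files readable by group or other, plus the protective directives missing from any .conf in the directory; it assumes the file names used on this page and GNU stat, and is run as audit_openvpn_dir /etc/openvpn.

```shell
#!/bin/sh
# Added example (not the wiki page's own code): audit an /etc/openvpn directory
# for what this page hardens by hand: owner-only modes on keys, certs and configs
# (the chmod 600 steps) and the protective directives in the configs shown above.
# Assumes the page's file names (ca.crt, *.crt, *.key, *.conf, dh1024.pem) and GNU stat.
# List files in DIR whose mode lets group or other read them, as "mode path".
loose_files() {
    dir=$1
    for f in "$dir"/*.key "$dir"/*.crt "$dir"/*.conf "$dir"/*.pem; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f")
        case $mode in
            [0-7]00) ;;             # owner-only (600, 400, 700) is fine
            *) echo "$mode $f" ;;   # anything wider is a finding
        esac
    done
}
# List the page's hardening directives that CONF does not set. ';' and '#'
# start comments in OpenVPN configs, so only active lines count.
missing_directives() {
    conf=$1
    wanted="user persist-key persist-tun"
    # A client config must also pin the peer to a server certificate.
    if grep -Eq '^[[:space:]]*client[[:space:]]*$' "$conf"; then
        wanted="$wanted ns-cert-type"
    fi
    for d in $wanted; do
        grep -Eq "^[[:space:]]*$d"'([[:space:]]|$)' "$conf" || echo "$d"
    done
}
# Report findings on stderr; print the total number of findings on stdout.
audit_openvpn_dir() {
    dir=$1
    count=0
    loose=$(loose_files "$dir")
    if [ -n "$loose" ]; then
        printf 'group/other-readable files:\n%s\n' "$loose" >&2
        count=$((count + $(printf '%s\n' "$loose" | wc -l)))
    fi
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue
        miss=$(missing_directives "$conf")
        if [ -n "$miss" ]; then
            printf '%s is missing: %s\n' "$conf" "$(echo $miss)" >&2
            count=$((count + $(printf '%s\n' "$miss" | wc -l)))
        fi
    done
    echo "$count"
}
```

A count of 0 means every key, certificate and config is owner-only and every config carries the directives from this page; anything else is listed on stderr.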


Edit the OpenVPN client's config file

vi /etc/openvpn/client.conf

My client's config file looks like this, if I remove all the comments:
client
dev tun
proto tcp-client
tun-mtu 1361
remote openvpn.server 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
;socks-proxy socks.proxy.server 1080 # uncomment if connecting via SOCKS
;socks-proxy-retry 30 # uncomment if connecting via SOCKS
;http-proxy www.proxy.server 80 # uncomment if connecting via HTTP
;http-proxy-retry 30 # uncomment if connecting via HTTP
ca ca.crt
cert client.crt
key client.key # This file should be kept secret
ns-cert-type server
comp-lzo
verb 3
route 10.20.30.0 255.255.255.0


If you want to run a script when the tunnel comes up, such as a firewall configuration, then add these two lines:

script-security 2 # Allow calling of built-in executables and user-defined scripts
up /etc/openvpn/client.up


The client.up script could be something like this:

#!/bin/bash

/usr/share/firewall/bin/IPv4 > /tmp/openvpn.client.firewall.log 2>&1
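A fuller client.up, as an added example rather than the page's own script: OpenVPN runs the 'up' script with the arguments tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart] and sets script_type=up, so the script checks those arguments look right, logs them, and fences the tunnel interface with iptables so only the VPN net (10.20.30.0/24) and the routed net (10.0.0.0/8) from this page's configs are accepted from it. The chain name, log path and the iptables layout are this example's own choices.

```shell
#!/bin/sh
# Added example, not the page's own client.up: an OpenVPN "up" script that
# checks the arguments OpenVPN hands it (tun_dev tun_mtu link_mtu local_ip
# remote_ip [init|restart]), logs them, and fences the tunnel interface with
# iptables so only the VPN and routed nets from this page's configs pass.
# Assumes iptables and the page's addressing; chain name and log path are arbitrary.
VPN_NET=10.20.30.0/24     # 'server 10.20.30.0 255.255.255.0' on the server
ROUTED_NET=10.0.0.0/8     # 'route 10.0.0.0 255.0.0.0' on the server
LOG=/tmp/openvpn.client.up.log

# Reject anything that does not look like what OpenVPN passes: a tun/tap
# device, a local address inside the server's pool, and init or restart.
check_args() {
    case $1 in tun[0-9]*|tap[0-9]*) ;; *) return 1 ;; esac
    case $4 in 10.20.30.[0-9]|10.20.30.[0-9][0-9]|10.20.30.[0-9][0-9][0-9]) ;; *) return 1 ;; esac
    case ${6:-init} in init|restart) ;; *) return 1 ;; esac
    return 0
}

# Print the iptables commands for DEV, one per line, without running them,
# so they can be reviewed or tested before being applied.
tunnel_rules() {
    dev=$1 chain=OVPN_$1
    # Dedicated chain, flushed on restart so rules are not appended twice.
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$chain" "$chain"
    for net in "$VPN_NET" "$ROUTED_NET"; do
        printf 'iptables -A %s -s %s -j ACCEPT\n' "$chain" "$net"
    done
    printf 'iptables -A %s -j DROP\n' "$chain"
    # Hook the chain into INPUT exactly once: drop any old jump, then insert.
    printf 'iptables -D INPUT -i %s -j %s 2>/dev/null || true\n' "$dev" "$chain"
    printf 'iptables -I INPUT -i %s -j %s\n' "$dev" "$chain"
}

# OpenVPN sets script_type=up when it runs this as the 'up' script.
if [ "${script_type:-}" = up ]; then
    if ! check_args "$@"; then
        echo "client.up: unexpected arguments: $*" >> "$LOG"
        exit 1
    fi
    echo "$(date) up $1 mtu=$2 local=$4 remote=$5 ${6:-init}" >> "$LOG"
    tunnel_rules "$1" | sh -e >> "$LOG" 2>&1
fi
```

Because every rule lives in its own chain, a tunnel restart rebuilds the chain instead of stacking duplicate rules onto INPUT.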



Restart the OpenVPN service

/etc/init.d/openvpn restart # Red Hat
# OR
service openvpn restart # Ubuntu


Did you remember to exit from the root shell on your client?
