VPN:OpenVPN @Dec 16, 2012 1:29:31 PM

To quote from http://openvpn.net/:

"OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol"

I'm going to create one VPN server and allow some clients to connect to it. This might be useful if you have one server on the Internet and others that need to create secure Virtual Private Networks to it.

Server

Install OpenVPN on the server. On Ubuntu it would be like this (my server is Red Hat and I forget how I installed it, because it was that long ago)
sudo apt-get -y install openvpn

Copy the easy-rsa scripts from the install directory to /etc/openvpn
sudo cp -ar /usr/share/doc/openvpn-2.0/easy-rsa /etc/openvpn
OR
sudo cp -ar /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

Make that directory more secure, as it's going to hold server and client certificates and keys
cd /etc/openvpn/easy-rsa
sudo chmod 700 .


Clean and edit the environment variables, which saves a lot of typing in the next part. The vars file has to be sourced into the same shell that runs the build scripts, and sudo cannot source a file, so open a root shell for that step
sudo init-config
sudo vim vars
sudo -s
. ./vars


Clean out the keys and build the CA certificate
sudo sh ./clean-all
sudo sh ./build-ca


Build the server's keys
sudo sh ./build-key-server server

Build the keys for each client
sudo sh ./build-key client1
sudo sh ./build-key client2


Build the Diffie-Hellman parameters file (dh1024.pem in keys/)
sudo sh ./build-dh

Copy the server's certificates and keys to /etc/openvpn
sudo cp -a keys/ca.crt ../
sudo cp -a keys/server.crt ../
sudo cp -a keys/server.key ../
sudo cp -a keys/dh1024.pem ../


Copy the default server config file from the install directory to /etc/openvpn
sudo cp /usr/share/doc/openvpn-2.0/sample-config-files/server.conf /etc/openvpn

I suggest you keep those files as secure as you can on the server box.
sudo chmod 600 /etc/openvpn/dh1024.pem /etc/openvpn/ca.crt
sudo chmod 600 /etc/openvpn/server.conf /etc/openvpn/server.crt /etc/openvpn/server.key


Edit the OpenVPN server's config file
sudo vi /etc/openvpn/server.conf

My server's config file looks like this, if I remove all the comments:
port 1194
proto tcp
dev tun
tun-mtu 1200
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.20.30.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 10.0.0.0 255.0.0.0
client-to-client
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3


Restart the OpenVPN service
sudo /etc/init.d/openvpn restart

OR
sudo service openvpn restart

Client


Securely copy the certificate and keys from your server, where you just built them, to your client boxes. The files are...
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client1.crt
/etc/openvpn/easy-rsa/keys/client1.key
Copy the default client config file from the install directory to /etc/openvpn
cd /etc/openvpn
sudo cp -a /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/


I suggest you keep those files as secure as you can on the client boxes.
sudo chmod 600 /etc/openvpn/ca.crt
sudo chmod 600 /etc/openvpn/client.conf /etc/openvpn/client.crt /etc/openvpn/client.key


Edit the OpenVPN client's config file
sudo vi /etc/openvpn/client.conf

My client's config file looks like this, if I remove all the comments:
client
dev tun
tun-mtu 1200
proto tcp
remote openvpn.server 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
;socks-proxy socks.proxy.server 1080 # uncomment if connecting via SOCKS
;socks-proxy-retry 30 # uncomment if connecting via SOCKS
;http-proxy www.proxy.server 80 # uncomment if connecting via HTTP
;http-proxy-retry 30 # uncomment if connecting via HTTP
ca ca.crt
cert client.crt
key client.key # This file should be kept secret
ns-cert-type server
comp-lzo
verb 3
route 10.20.30.0 255.255.255.0
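As an added example (not from this wiki page or from the OpenVPN project), here is a small Python audit for the server and client config files shown above: it parses directives the way OpenVPN reads them (";" and "#" comments ignored), checks that the ca/cert/key/dh files exist and are mode 600 as this page advises, and checks that a client pins the server role with ns-cert-type (or remote-cert-tls, which replaces it on newer releases). The sample config and the placeholder files written by demo() are constructed; parse_conf, audit and demo are names assumed for this example.

```python
import os, stat, tempfile
from pathlib import Path

# Constructed sample input: the client config from this page, shortened.
CLIENT_CONF = """client
remote openvpn.server 1194
user nobody
group nogroup
;http-proxy www.proxy.server 80 # uncomment if connecting via HTTP
ca ca.crt
cert client.crt
key client.key # This file should be kept secret
ns-cert-type server
"""

def parse_conf(text):
    """(directive, args) pairs; ';' or '#' start a comment, '#' also inline."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        entries.append((name, args))
    return entries

def audit(text, conf_dir):
    """Findings for this page's advice: files present and mode 600, server role pinned."""
    entries = parse_conf(text)
    names = {name for name, _ in entries}
    findings = []
    for name, args in entries:
        if name in ("ca", "cert", "key", "dh") and args:
            path = Path(conf_dir) / args[0]  # relative paths resolve against the config dir
            if not path.exists():
                findings.append(f"{name}: {args[0]} not found")
            elif os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{name}: {args[0]} is group/world accessible, chmod 600 it")
    if "client" in names and not {"ns-cert-type", "remote-cert-tls"} & names:
        findings.append("client does not check that the peer certificate is a server cert")
    return findings

def demo():
    """Scratch dir with client.key left world-readable (constructed mistake), then audit."""
    d = tempfile.mkdtemp()
    for fname, mode in (("ca.crt", 0o600), ("client.crt", 0o600), ("client.key", 0o644)):
        p = Path(d) / fname
        p.write_text("placeholder, not a real certificate or key\n")
        p.chmod(mode)
    return audit(CLIENT_CONF, d)
```

Point audit() at /etc/openvpn with the real server.conf or client.conf text to check a box after following the steps above.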


Restart the OpenVPN service
sudo /etc/init.d/openvpn restart

OR
sudo service openvpn restart

All contents copyright mdsh.com (C) 2011-2023.