VPN:OpenVPN @Dec 16, 2012 1:50:48 PM

To quote from http://openvpn.net/

"OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol"

I'm going to create one VPN server and allow some clients to connect to it. This might be useful if you have one server on the Internet and others that need to create secure Virtual Private Networks to it.

Server

Install on the server. Ubuntu would be like this (my server is Red Hat and I forget how I installed, because it was that long ago)
sudo apt-get -y install openvpn

Copy the easy-rsa scripts from the install directory to /etc/openvpn. The source directory is different between Red Hat

sudo cp -ar /usr/share/doc/openvpn-2.0/easy-rsa /etc/openvpn # Red Hat

# OR

sudo cp -ar /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa # Ubuntu

Make that directory more secure, as it's going to hold server and client certificates and keys

cd /etc/openvpn/easy-rsa

sudo -s # gives us a root shell - don't forged to exit when you're finished

chmod 700 .

Clean and edit the environment variables, which saves a lot of typing in the next part, and check the keys folder is clean

init-config # this script does not exist on Ubuntu

vim vars

. ./vars

sh ./clean-all

and build the SSL ca certificate. Take the defaults, which you set in the vars file above
sh ./build-ca

Build the server's keys. Take the defaults, which you set in the vars file above, but make sure you set the Common Name to your servers hostname and answer y to the two questions at the end
sh ./build-key-server server

Build any client's keys. Take the defaults, which you set in the vars file above and answer y to the two questions at the end

sh ./build-key client1

sh ./build-key client2

Build the Diffie-Hellman parameter (key) file
sh ./build-dh

Copy the server's certificates and keys to /etc/openvpn

cp -a keys/ca.crt ../

cp -a keys/server.crt ../

cp -a keys/server.key ../

cp -a keys/dh1024.pem ../

Copy the default server config file from the install directory to /etc/openvpn
cp /usr/share/doc/openvpn-2.0/sample-config-files/server.conf /etc/openvpn

I suggest you keep those files as secure as you can on the server boxe.

chmod 600 /etc/openvpn/dh1024.pem /etc/openvpn/ca.crt

chmod 600 /etc/openvpn/server.conf /etc/openvpn/server.crt /etc/openvpn/server.key

Edit the Open VPN server's config file
vi /etc/openvpn/server.conf

My server's config file looks like this, if I remove all the comments

port 1194

proto tcp

dev tun

tun-mtu 1200

ca ca.crt

cert server.crt

key server.key  # This file should be kept secret

dh dh1024.pem

server 10.20.30.0 255.255.255.0

ifconfig-pool-persist ipp.txt

client-config-dir ccd

route 10.0.0.0 255.0.0.0

client-to-client

keepalive 10 120

comp-lzo

max-clients 10

user nobody

group nobody

persist-key

persist-tun

status openvpn-status.log

verb 3

Restart the OpenVPN service

/etc/init.d/openvpn restart # Red Hat

# OR

service openvpn restart # Ubuntu

Client

Securely copy the certificate and keys from your server, where you just built them, to your client boxes. The files are...

/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client1.crt
/etc/openvpn/easy-rsa/keys/client1.key

Copy the default server config file from the install directory to /etc/openvpn

cd /etc/openvpn

sudo cp -a /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/

I suggest you keep those files as secure as you can on the client boxes.

sudo chmod 600 /etc/openvpn/ca.crt

sudo chmod 600 /etc/openvpn/client.conf /etc/openvpn/client.crt /etc/openvpn/client.key

Edit the Open VPN server's config file
sudo vi /etc/openvpn/client.conf

My client's config file looks like this, if I remove all the comments:

client

dev tun

tun-mtu 1200

proto tcp

remote openvpn.server 1194

resolv-retry infinite

nobind

user nobody

group nogroup

persist-key

persist-tun

;socks-proxy socks.proxy.server 1080 # uncomment if connecting via SOCKS

;socks-proxy-retry 30 # uncomment if connecting via SOCKS

;http-proxy www.proxy.server 80 # uncomment if connecting via HTTP

;http-proxy-retry 30 # uncomment if connecting via HTTP

ca ca.crt

cert client.crt

key client.key # This file should be kept secret

ns-cert-type server

comp-lzo

verb 3

route 10.20.30.0 255.255.255.0

Restart the OpenVPN service

/etc/init.d/openvpn restart # Red Hat

# OR

service openvpn restart # Ubuntu

To quote from http://openvpn.net/

''"OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol"''

I'm going to create one VPN server and allow some clients to connect to it. This might be useful if you have one server on the Internet and others that need to create secure Virtual Private Networks to it.

!Server!
Install on the server. Ubuntu would be like this (my server is Red Hat and I forget how I installed, because it was that long ago)
{{{sudo apt-get -y install openvpn}}}

Copy the easy-rsa scripts from the install directory to /etc/openvpn. The source directory is different between Red Hat 
{{{sudo cp -ar /usr/share/doc/openvpn-2.0/easy-rsa /etc/openvpn # Red Hat
# OR
sudo cp -ar /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa # Ubuntu}}}

Make that directory more secure, as it's going to hold server and client certificates and keys
{{{cd /etc/openvpn/easy-rsa
sudo -s # gives us a root shell - don't forged to exit when you're finished
chmod 700 .}}}

Clean and edit the environment variables, which saves a lot of typing in the next part, and check the keys folder is clean
{{{init-config # this script does not exist on Ubuntu
vim vars
. ./vars
sh ./clean-all}}}

and build the SSL ca certificate. Take the defaults, which you set in the vars file above
{{{sh ./build-ca}}}

Build the server's keys. Take the defaults, which you set in the vars file above, but make sure you set the ''Common Name'' to your servers hostname and answer ''y'' to the two questions at the end
{{{sh ./build-key-server server}}}

Build any client's keys. Take the defaults, which you set in the vars file above and answer ''y'' to the two questions at the end
{{{sh ./build-key client1
sh ./build-key client2}}}

Build the Diffie-Hellman parameter (key) file 
{{{sh ./build-dh}}}

Copy the server's certificates and keys to /etc/openvpn
{{{cp -a keys/ca.crt ../
cp -a keys/server.crt ../
cp -a keys/server.key ../
cp -a keys/dh1024.pem ../}}}

Copy the default server config file from the install directory to /etc/openvpn
{{{cp /usr/share/doc/openvpn-2.0/sample-config-files/server.conf /etc/openvpn}}}

I suggest you keep those files as secure as you can on the server boxe.
{{{chmod 600 /etc/openvpn/dh1024.pem /etc/openvpn/ca.crt
chmod 600 /etc/openvpn/server.conf /etc/openvpn/server.crt /etc/openvpn/server.key}}}

Edit the Open VPN server's config file
{{{vi /etc/openvpn/server.conf}}}

My server's config file looks like this, if I remove all the comments
{{{port 1194
proto tcp
dev tun
tun-mtu 1200
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.20.30.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 10.0.0.0 255.0.0.0
client-to-client
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3}}}

Restart the OpenVPN service
{{{/etc/init.d/openvpn restart # Red Hat
# OR
service openvpn restart # Ubuntu}}}

!Client!

'''Securely''' copy the certificate and keys from your server, where you just built them, to your client boxes. The files are...
@@@@
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client1.crt
/etc/openvpn/easy-rsa/keys/client1.key

Copy the default server config file from the install directory to /etc/openvpn
{{{cd /etc/openvpn
sudo cp -a /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/}}}

I suggest you keep those files as secure as you can on the client boxes.
{{{sudo chmod 600 /etc/openvpn/ca.crt
sudo chmod 600 /etc/openvpn/client.conf /etc/openvpn/client.crt /etc/openvpn/client.key}}}

Edit the Open VPN server's config file
{{{sudo vi /etc/openvpn/client.conf}}}

My client's config file looks like this, if I remove all the comments:
{{{client
dev tun
tun-mtu 1200
proto tcp
remote openvpn.server 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
;socks-proxy socks.proxy.server 1080 # uncomment if connecting via SOCKS
;socks-proxy-retry 30 # uncomment if connecting via SOCKS
;http-proxy www.proxy.server 80 # uncomment if connecting via HTTP
;http-proxy-retry 30 # uncomment if connecting via HTTP
ca ca.crt
cert client.crt
key client.key # This file should be kept secret
ns-cert-type server
comp-lzo
verb 3
route 10.20.30.0 255.255.255.0}}}

Restart the OpenVPN service
{{{/etc/init.d/openvpn restart # Red Hat
# OR
service openvpn restart # Ubuntu}}}

mdsh.com/wiki

Server

Client

mdsh.com /wiki