VPN:OpenVPN
To quote from http://openvpn.net/:

"OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol"

I'm going to create one VPN server and allow some clients to connect to it. This might be useful if you have one server on the Internet and others that need to create secure Virtual Private Networks to it.

Server

Install the software. On Ubuntu it would be like this (my server is Red Hat and I forget how I installed it, because it was that long ago):
    sudo apt-get -y install openvpn

Copy the easy-rsa scripts from the install directory to /etc/openvpn. The source directory is different on Red Hat:
    sudo cp -ar /usr/share/doc/openvpn-2.0/easy-rsa /etc/openvpn  # Red Hat

Make that directory more secure. It's going to hold server and client certificates and keys:
    cd /etc/openvpn/easy-rsa

Clean and edit the environment variables. This saves a lot of typing in the next part; also check that the keys folder is clean:
    init-config  # this script does not exist on Ubuntu

Build the SSL CA certificate. Take the defaults, which you set in the vars file above:
    sh ./build-ca

Build the server's keys. Take the defaults, which you set in the vars file above, but make sure you set the Common Name to your server's hostname and answer y to the two questions at the end:
    sh ./build-key-server server

Build the Diffie-Hellman parameter (key) file:
    sh ./build-dh

Copy the server's certificates and keys to /etc/openvpn:
    cp -a keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem ../

Copy the default server config file from the install directory to /etc/openvpn:
    cd /etc/openvpn/

Keep those files as secure as you can on the server box:
    chmod 600 /etc/openvpn/dh1024.pem /etc/openvpn/ca.crt

Edit the OpenVPN server's config file:
    vi /etc/openvpn/server.conf

My server's config file looks like this, if I remove all the comments:
    port 1194

A note on MTU

My OpenVPN server is on the end of an ADSL circuit. The most efficient size for MTU is 1454 bytes (see http://www.mynetwatchman.com/kb/adsl/pppoemtu.htm). For a UDP OpenVPN tunnel there is a protocol overhead of 69 bytes per packet (41 bytes for OpenVPN and 28 bytes for UDP/IP), although compression of the data stream may reduce that (see http://openvpn.net/archive/openvpn-users/2004-11/msg00649.html). Therefore, to ensure no packet fragmentation and to try to maximise ADSL throughput, I set the MTU of UDP-based tunnels to 1385 bytes. UDP fragmentation appears to break the OpenVPN tunnel to a Tomato OpenLinksys device, and setting 'tun-mtu 1385' fixed that completely. Similarly, for a TCP OpenVPN tunnel there is a protocol overhead of 93 bytes per packet (41 bytes for OpenVPN and 52 bytes for TCP/IP). Therefore I set the MTU of TCP-based tunnels, as seen above, to 1361 bytes.

Build any client's keys. The name you give as the command-line parameter will be the 'Common Name' of the client connection. It does not have to be the hostname, but can be. Use it to describe the connection, such as 'home2work-udp'. Take the defaults, which you set in the vars file above, and answer y to the two questions at the end:
    cd /etc/openvpn/easy-rsa

Restart the OpenVPN service:
    /etc/init.d/openvpn restart  # Red Hat

Did you remember to exit from the root shell on your server?

Client

Install on the client:
    sudo apt-get -y install openvpn

'''Securely''' copy the certificate and keys. Copy them from your server, where you just built them, to your client boxes. On the server the files are...
    /etc/openvpn/easy-rsa/keys/ca.crt
    /etc/openvpn/easy-rsa/keys/client1.crt
    /etc/openvpn/easy-rsa/keys/client1.key
Put those files into /etc/openvpn.

Copy the default client config file from the install directory to /etc/openvpn:
    cd /etc/openvpn

Keep those files as secure as you can on the client boxes:
    chmod 600 /etc/openvpn/client.conf /etc/openvpn/ca.crt

Edit the OpenVPN client's config file:
    vi /etc/openvpn/client.conf

My client's config file looks like this, if I remove all the comments:
    client

If you want to run a script when the tunnel comes up, such as a firewall configuration, then add these two lines:
    script-security 2  # Allow calling of built-in executables and user-defined scripts

The client.up script could be something like this:
    #!/bin/bash

Restart the OpenVPN service:
    /etc/init.d/openvpn restart  # Red Hat

Did you remember to exit from the root shell on your client?
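As an added example (not the wiki author's script), here is a hypothetical /etc/openvpn/client.up that ties the MTU note and the script-security step together: tun_mtu_for derives tun-mtu from the link MTU using the 69-byte UDP and 93-byte TCP overheads quoted above, and build_rules produces the iptables rules a client.up might apply when OpenVPN calls it. The function names and the rule set (allow only replies on the tunnel interface, drop new inbound connections) are assumptions; dev and script_type are the environment variables OpenVPN exports to up scripts.

```shell
#!/bin/bash
# Hypothetical /etc/openvpn/client.up, run by OpenVPN via "up /etc/openvpn/client.up"
# together with "script-security 2". OpenVPN exports the tunnel parameters as
# environment variables; this script uses $dev (tunnel interface) and $script_type.

# Derive tun-mtu from the physical link MTU and the tunnel transport, using the
# per-packet overhead figures from the MTU note: 69 bytes for UDP, 93 for TCP.
tun_mtu_for() {
    local link_mtu=$1 proto=$2
    case "$proto" in
        udp) echo $((link_mtu - 69)) ;;
        tcp) echo $((link_mtu - 93)) ;;
        *)   echo "tun_mtu_for: unknown proto '$proto'" >&2; return 1 ;;
    esac
}

# Build the firewall rules for the tunnel interface (assumed rule set): accept
# only replies to connections the client initiated, drop any new inbound
# connection arriving over the tunnel. Prints one iptables command per line;
# nothing is executed here, so the rules can be inspected or tested first.
build_rules() {
    local dev=$1
    printf 'iptables -A INPUT -i %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$dev"
    printf 'iptables -A INPUT -i %s -j DROP\n' "$dev"
}

# Apply the rules only when OpenVPN itself invokes this file as the "up" hook.
if [ "${script_type:-}" = "up" ]; then
    build_rules "$dev" | while IFS= read -r rule; do
        eval "$rule"
    done
fi
```

Running the file by hand does nothing (script_type is unset), so the helpers can be sourced and checked without touching the firewall.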