YfiTechOpenVPN

Introduction

  • OpenVPN is a popular open-source VPN server.
  • It scales to many clients and is typically used in the enterprise.
  • It creates a virtual network interface (a TUN or TAP device).
  • This device can then be bridged with a physical interface so that two geographically separate locations appear to be part of one LAN.

Server Installation

Ensure the following packages are installed:

sudo apt-get install openvpn bridge-utils

Server Set-Up

  • Generate certificates for the server.
  • To do this, we configure our own Certificate Authority using the easy-rsa scripts provided in the /usr/share/doc/openvpn/examples/easy-rsa/ directory.

Step 1

  • Copy the easy-rsa files to the /etc/openvpn/easy-rsa/ directory:

    sudo mkdir /etc/openvpn/easy-rsa/ 
    sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
    

Step 2

  • Edit /etc/openvpn/easy-rsa/vars:

    sudo vi /etc/openvpn/easy-rsa/vars
    
  • Change these lines at the bottom of the file so that they reflect your new CA:

    export KEY_COUNTRY="ZA"
    export KEY_PROVINCE="Gauteng"
    export KEY_CITY="Pretoria"
    export KEY_ORG="YFi"
    export KEY_EMAIL="dvdwalt@ri.co.za"
    

Step 3

  • Initialize the PKI:

    cd /etc/openvpn/easy-rsa
    sudo su
    . ./vars
    ./clean-all
    ./build-ca
    
  • The final command (build-ca) builds the certificate authority (CA) certificate and key by invoking the interactive openssl command:

    ai:easy-rsa # ./build-ca
    Generating a 1024 bit RSA private key
    ............++++++
    ...........++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [ZA]:
    State or Province Name (full name) [Gauteng]:
    Locality Name (eg, city) [Pretoria]:
    Organization Name (eg, company) [YFi]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
    Email Address [dvdwalt@ri.co.za]:
    
  • Note that in the sequence above, most queried parameters defaulted to the values set in the vars file.

  • The only parameter that must be entered explicitly is the Common Name. In the example above, we used "OpenVPN-CA".

Step 4

  • Generate a certificate and private key for the server:

    ./build-key-server server
    
  • As in the previous step, most parameters can be left at their defaults.

  • When the Common Name is queried, enter "server".
  • No challenge password or company name is required.
  • Two other queries require positive responses: "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Step 5

  • Generate a certificate and private key for each client.
  • Generating client certificates is very similar to the previous step:

    ./build-key client-1
    ./build-key client-2
    
  • For each client, make sure to type the matching Common Name when prompted, i.e. "client-1" or "client-2"; the server later uses this Common Name to locate the client's file in the client-config-dir.

  • Always use a unique Common Name for each client.

Step 6

  • Diffie-Hellman parameters must be generated for the OpenVPN server:

    ./build-dh
    
  • Do not forget to type exit to leave the root shell.

Important files

  • The newly generated keys and certificates are in the keys subdirectory.
  • Here is an explanation of the relevant files:

    Filename      Needed By                 Purpose                    Secret
    ca.crt        server + all clients      Root CA certificate        NO
    ca.key        key signing machine only  Root CA key                YES
    dh{n}.pem     server only               Diffie-Hellman parameters  NO
    server.crt    server only               Server certificate         NO
    server.key    server only               Server key                 YES
    client1.crt   client1 only              Client1 certificate        NO
    client1.key   client1 only              Client1 key                YES

  • The final step in the key generation process is to copy the files to the machines that need them, taking care to copy the secret files (ca.key, server.key, client keys) over a secure channel only.

Prepare Scripts

  • Now configure the OpenVPN server by creating /etc/openvpn/server.conf from the example file. In a terminal enter:

    sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
    sudo gzip -d /etc/openvpn/server.conf.gz
    
  • The server's configuration file must be adjusted so that clients can connect to it. See the following example file (/etc/openvpn/server.conf) and change it to suit your environment:

    local 100.7.37.100
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key  # This file should be kept secret
    dh dh1024.pem
    server 10.8.0.0 255.255.0.0
    ifconfig-pool-persist ipp.txt
    client-config-dir ccd
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    
  • Important here is the client-config-dir ccd line. ccd is a subdirectory under /etc/openvpn/ in which we put the per-client settings for connections to the server (such as the IP address that has to be handed to that client). The file name in ccd must match the client's certificate Common Name.

  • The following is an example of the client-1 configuration (file /etc/openvpn/ccd/client-1):

    ifconfig-push 10.8.0.5 10.8.0.6
    
  • This configures 'client-1' to have an IP of 10.8.0.5 (with 10.8.0.6 as its remote endpoint).

  • Please check which address 'pairs' are valid for the ifconfig-push option at the following link:
    http://openvpn.net/index.php/open-source/documentation/howto.html#policy
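As an added check (not part of the original wiki page), the following Python audits the ifconfig-push lines of a set of ccd files against the server subnet from the server.conf above: it assumes the default net30 topology of OpenVPN 2.0 for a tun device (each client owns a /30, so valid pairs are .5/.6, .9/.10, ... and .1/.2 is the server's), and the sample ccd contents are constructed for the example.

```python
import ipaddress

SERVER_NET = ipaddress.ip_network("10.8.0.0/255.255.0.0")  # "server 10.8.0.0 255.255.0.0" above

SAMPLE_CCD = {  # constructed sample ccd files (common name -> contents), not from the wiki
    "client-1": "ifconfig-push 10.8.0.5 10.8.0.6\n",
    "client-2": "ifconfig-push 10.8.0.9 10.8.0.10   # second valid pair\n",
    "client-3": "ifconfig-push 10.8.0.7 10.8.0.8\n",    # not a /30 pair
    "client-4": "ifconfig-push 10.9.0.5 10.9.0.6\n",    # wrong subnet
    "client-5": "ifconfig-push 10.8.0.5 10.8.0.6\n",    # collides with client-1
}

def parse_ifconfig_push(ccd_text):
    """Return (client_ip, endpoint_ip) strings from the first ifconfig-push line, or None."""
    for line in ccd_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "ifconfig-push":
            return parts[1], parts[2]
    return None

def check_pair(client_ip, endpoint_ip, net=SERVER_NET):
    """Validate one net30 pair: client is the second address of a /30 inside the server
    subnet, the endpoint is the next address, and the first /30 (.1/.2) is the server's."""
    client, endpoint = ipaddress.ip_address(client_ip), ipaddress.ip_address(endpoint_ip)
    if client not in net or endpoint not in net:
        return "outside server subnet"
    offset = int(client) - int(net.network_address)
    if offset % 4 != 1:
        return "not a /30 pair (client must be .1, .5, .9, ... within the subnet)"
    if int(endpoint) != int(client) + 1:
        return "endpoint must be client address + 1"
    if offset == 1:
        return "first /30 belongs to the server"
    return "ok"

def audit_ccd(ccd_files, net=SERVER_NET):
    """Check every ccd file and flag two clients being pushed the same address."""
    owner, verdicts = {}, {}
    for cn, text in ccd_files.items():
        pair = parse_ifconfig_push(text)
        if pair is None:
            verdicts[cn] = "no ifconfig-push line"
            continue
        verdict = check_pair(pair[0], pair[1], net)
        if verdict == "ok" and pair[0] in owner:
            verdict = "duplicate of " + owner[pair[0]]
        owner.setdefault(pair[0], cn)
        verdicts[cn] = verdict
    return verdicts
```

Running audit_ccd over the real /etc/openvpn/ccd/ contents (read each file into the dict keyed by its file name) reports any client that would receive an address outside the pool, a malformed pair, or an address already pushed to another client.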

Copy certificates to openvpn root

  • Be sure to copy the keys you just created to the /etc/openvpn directory or openvpn will not start. The files are in the easy-rsa keys subdirectory:

    cd /etc/openvpn/easy-rsa/keys
    sudo cp ca.crt /etc/openvpn
    sudo cp server.crt /etc/openvpn
    sudo cp server.key /etc/openvpn
    sudo cp dh1024.pem /etc/openvpn
    

Server start-up

  • You can check whether the openvpn server starts up using the following command:

    sudo openvpn --config /etc/openvpn/server.conf
    
  • If everything seems OK, press Ctrl-C to stop the process and start the daemon:

    sudo /etc/init.d/openvpn start
    