Distroname and release: Debian Squeeze

OpenVPN

Do you need a secure reliable way to connect to your home private or company network? ( Or just to bypass some firewall restrictions ;) )
If this is the case, then you can use OpenVPN, with certificates!

We will use an already created CA. You can read at http://www.linuxlasse.net/linux/howtos/24 on howto create the CA.
The official OpenVPN howto can be found here: http://openvpn.net/index.php/open-source/documentation/howto.html

Since I in this howto asumes that an CA is already installed and ready to use, I will skip the step that describes howto create an CA. If you do not have an CA, please follow the guide provided above, or Copy the new certificate files to the openvpn directory
#cp keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem /etc/openvpn
use the more simpler CA which is described in the howto from the official OpenVPN site. (link above ).

Prerequirements: An working CA server.

This is a little different than the official howto, because I am using an already created CA. BUT, it still works in it owns directory creating certificates and keys in it's own directory!

Test setup example

  • Network.: 192.168.100.0/24
  • OpenVPN Network for clients.: 192.168.200.0/24
  • IP on server running OpenVPN: 192.168.100.2

Installation

We will start by installing and configuring OpenVPN on the server.
#aptitide install openvpn
Copy the RSA directory to a new folder, so we can work with it.
The destination is not important, but if you change it, remember to change it all the way through this howto where it is needed.
#cp /usr/share/doc/openvpn/examples/easy-rsa/2.0 /root/openvpn
Create the "keys" directory, since we do not need to create the CA, where it will normally be created.
#mkdir /root/openvpn/keys
Copy already existing CA certificate and CA key to new keys folder
#cp /root/ssl/ca.key /root/ssl/ca.crt /root/openvpn/keys
Go to /root/openvpn/
#cd /root/openvpn/
Change openssl defaults in the "vars" file so it fits your needs.
/root/openvpn/vars
"
export KEY_COUNTRY="DK"
export KEY_PROVINCE=""
export KEY_CITY="Holbęk"
export KEY_ORG=""
export KEY_EMAIL="admin@linuxlasse.net"
"
Next we will need to set the variables that is defined the the "vars" file, by running the variables script
If you log off the server, and logon again, you will have to run this variables script, when you creates certificates and key files.
#. ./vars
Create server key files, do not use your servername, but use "server" as written.
#./build-key-server server
Generate Diffie Hellman Parameters
#./build-dh
Copy the CA certificate, the new certificate, the key and DH files to the openvpn directory.
#cp keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem /etc/openvpn
Now setup the openvpn.conf file for the server.
You can use the file below as reference, or create a new one with help from the official site, or example configuration files from the installation which is located in "/usr/share/doc/openvpn/examples/sample-config-files/".
Remember to change the settings, so it matches your configuration.
/etc/openvpn/openvpn.conf
local 192.168.100.2
server 192.168.200.0 255.255.255.0
port 1194
proto udp
management localhost 7505
chroot /etc/openvpn
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
crl-verify crl.pem
ifconfig-pool-persist ipp.txt
#Forward all traffic to go through here
push "redirect-gateway"
push "route 192.168.100.0 255.255.255.0"
;push "dhcp-option DNS x.x.x.x"
#allow VPN clients to speak.
;client-to-client
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
Restart openvpn, and make sure that it starts
#/etc/init.d/openvpn restart

Using CRL - Certificate Revoking list

You will revoke a certificate with the below command, so the certificate is not longer being accepted by the OpenVPN server.
That way we can control who have access to the VPN server or not.
#. ./vars
#./revoke-full user1
You should see an output like this, or this will not work.
user1.crt: /C=DK/L=Holb\xC3\xA6k/CN=user1/emailAddress=admin@linuxlasse.net
error 23 at 0 depth lookup:certificate revoked
Now copy the crl.pem file to /etc/openvpn, this needs to be done everytime, a change have been made.
It is not needed to restart or reload OpenVPN, because it will read this file, everytime a new connection is requested.
#cp crl.pem /etc/openvpn/

Setup iptables and networks

For hardware router only, where the Internet GW is not running on the same server as OpenVPN, it is required to add a static route on the router. If this is not done, it is not possible to connect to other clients, inside the LAN, or the internet through VPN.

So we will need to set a route on the router for the openvpn network and the correct subnet mask: "network 192.168.200.0/24 gw 192.168.100.2"
I cannot really describe how you do it here, since the way differs from router to router.

If you have specified the push "redirect-gateway", client-to-client, or wants to access other clients on the LAN segment, you must enable forwarding on the server with iptables. If this is not done, it cannot route traffic between the LAN and OpenVPN networks.

If you want your clients to access the internet through the OpenVPN server you must specify redirect-gateway inside the openvpn.conf file. If not, comment it, or remote it.
#echo 1 > /proc/sys/net/ipv4/ip_forward

Client configuration

For clients, you must install openvpn as well, and create a config file.
We will also, from the server have to create a certificate and server key file.
For a debian client, this can be done the same way as we installed the server. The package is the same, only the configuration file is different.

We will start, by creating the certificates on the server to the client. Build password protected user certificate, which forces for a password, everytime a user signs in.
This is needed for every user/client, that needs to connect to the OpenVPN server.
It will also create a key file for the user. In the below example, it will create a user1.crt and user1.key file.
./build-key-pass user1
Fill the informations, if you want to, but leave common name to default value, and the challenge password blank.

The pem passphrase is the password the user must type when establishing the VPN connection.

Answers yes to sign the certificate and also yes to commit the certificate.
./build-key-pass user1
Generating a 1024 bit RSA private key
..................++++++
..............................................................................++++++
writing new private key to 'user1.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DK]:
State or Province Name (full name) []:
Locality Name (eg, city) [Holbęk]:
Organization Name (eg, company) []:linuxlasse.net, my playground
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [user1]:
Name []:John Joe
Email Address [admin@linuxlasse.net]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn/openssl.cnf
Enter pass phrase for /root/openvpn/keys/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DK'
localityName          :T61STRING:'Holb\0xFFFFFFC3\0xFFFFFFA6k'
organizationName      :PRINTABLE:'linuxlasse.net, my playground'
commonName            :PRINTABLE:'user1'
name                  :T61STRING:'Lasse M\0xFFFFFFC3\0xFFFFFFB8rk'
emailAddress          :IA5STRING:'admin@linuxlasse.net'
Certificate is to be certified until Apr  4 13:54:54 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Now the user certificate and user key file is created, copy the files to the client in a safe maner. Either over an encrypted connecion, or by a USB stick or similar. Make sure the files are located in /etc/openvpn/ on the client, or change the path in the openvpn.conf file!
The files are: ca.crt, user1.crt and user1.key.

Install openvpn on the client, if not already installed.
#aptitude install openvpn
The client configuration file.
/etc/openvpn/openvpn.conf
client
remote linuxlasse.net 1194
proto udp
dev tun
ca ca.crt
cert user1.crt
key user1.key
resolv-retry infinite
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verb 3
Now try to start, and see if you connect as needed with the below command.

It should ask you for a password for the certificate.
#/etc/init.d/openvpn start
For GUI applications, I can recommend the network-manager-openvpn-gnome package and nm-applet. Ref.: http://projects.gnome.org/NetworkManager/
Copyright LinuxLasse.net 2009 - 2017 All Rights Reserved.

Valid HTML 4.01 Strict Valid CSS!