Distroname and release: Debian Squeeze
OpenVPNDo you need a secure reliable way to connect to your home private or company network? ( Or just to bypass some firewall restrictions ;) )
If this is the case, then you can use OpenVPN, with certificates!
We will use an already created CA. You can read at http://www.linuxlasse.net/linux/howtos/24 on howto create the CA.
The official OpenVPN howto can be found here: http://openvpn.net/index.php/open-source/documentation/howto.html
Since I in this howto asumes that an CA is already installed and ready to use, I will skip the step that describes howto create an CA. If you do not have an CA, please follow the guide provided above, or Copy the new certificate files to the openvpn directory
#cp keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem /etc/openvpnuse the more simpler CA which is described in the howto from the official OpenVPN site. (link above ).
Prerequirements: An working CA server.This is a little different than the official howto, because I am using an already created CA. BUT, it still works in it owns directory creating certificates and keys in it's own directory!
Test setup example
- Network.: 192.168.100.0/24
- OpenVPN Network for clients.: 192.168.200.0/24
- IP on server running OpenVPN: 192.168.100.2
InstallationWe will start by installing and configuring OpenVPN on the server.
#aptitide install openvpnCopy the RSA directory to a new folder, so we can work with it.
The destination is not important, but if you change it, remember to change it all the way through this howto where it is needed.
#cp /usr/share/doc/openvpn/examples/easy-rsa/2.0 /root/openvpnCreate the "keys" directory, since we do not need to create the CA, where it will normally be created.
#mkdir /root/openvpn/keysCopy already existing CA certificate and CA key to new keys folder
#cp /root/ssl/ca.key /root/ssl/ca.crt /root/openvpn/keysGo to /root/openvpn/
#cd /root/openvpn/Change openssl defaults in the "vars" file so it fits your needs.
/root/openvpn/vars " export KEY_COUNTRY="DK" export KEY_PROVINCE="" export KEY_CITY="Holbæk" export KEY_ORG="" export KEY_EMAIL="email@example.com" "Next we will need to set the variables that is defined the the "vars" file, by running the variables script
If you log off the server, and logon again, you will have to run this variables script, when you creates certificates and key files.
#. ./varsCreate server key files, do not use your servername, but use "server" as written.
#./build-key-server serverGenerate Diffie Hellman Parameters
#./build-dhCopy the CA certificate, the new certificate, the key and DH files to the openvpn directory.
#cp keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem /etc/openvpnNow setup the openvpn.conf file for the server.
You can use the file below as reference, or create a new one with help from the official site, or example configuration files from the installation which is located in "/usr/share/doc/openvpn/examples/sample-config-files/".
Remember to change the settings, so it matches your configuration.
/etc/openvpn/openvpn.conf local 192.168.100.2 server 192.168.200.0 255.255.255.0 port 1194 proto udp management localhost 7505 chroot /etc/openvpn dev tun0 ca ca.crt cert server.crt key server.key dh dh1024.pem crl-verify crl.pem ifconfig-pool-persist ipp.txt #Forward all traffic to go through here push "redirect-gateway" push "route 192.168.100.0 255.255.255.0" ;push "dhcp-option DNS x.x.x.x" #allow VPN clients to speak. ;client-to-client keepalive 10 120 comp-lzo max-clients 10 user nobody group nogroup persist-key persist-tun status openvpn-status.log verb 3Restart openvpn, and make sure that it starts
Using CRL - Certificate Revoking listYou will revoke a certificate with the below command, so the certificate is not longer being accepted by the OpenVPN server.
That way we can control who have access to the VPN server or not.
#. ./vars #./revoke-full user1You should see an output like this, or this will not work.
user1.crt: /C=DK/L=Holb\xC3\xA6k/CN=user1/emailAddressfirstname.lastname@example.org error 23 at 0 depth lookup:certificate revokedNow copy the crl.pem file to /etc/openvpn, this needs to be done everytime, a change have been made.
It is not needed to restart or reload OpenVPN, because it will read this file, everytime a new connection is requested.
#cp crl.pem /etc/openvpn/
Setup iptables and networksFor hardware router only, where the Internet GW is not running on the same server as OpenVPN, it is required to add a static route on the router. If this is not done, it is not possible to connect to other clients, inside the LAN, or the internet through VPN.
So we will need to set a route on the router for the openvpn network and the correct subnet mask: "network 192.168.200.0/24 gw 192.168.100.2"
I cannot really describe how you do it here, since the way differs from router to router.
If you have specified the push "redirect-gateway", client-to-client, or wants to access other clients on the LAN segment, you must enable forwarding on the server with iptables. If this is not done, it cannot route traffic between the LAN and OpenVPN networks.
If you want your clients to access the internet through the OpenVPN server you must specify redirect-gateway inside the openvpn.conf file. If not, comment it, or remote it.
#echo 1 > /proc/sys/net/ipv4/ip_forward
Client configurationFor clients, you must install openvpn as well, and create a config file.
We will also, from the server have to create a certificate and server key file.
For a debian client, this can be done the same way as we installed the server. The package is the same, only the configuration file is different.
We will start, by creating the certificates on the server to the client. Build password protected user certificate, which forces for a password, everytime a user signs in.
This is needed for every user/client, that needs to connect to the OpenVPN server.
It will also create a key file for the user. In the below example, it will create a user1.crt and user1.key file.
./build-key-pass user1Fill the informations, if you want to, but leave common name to default value, and the challenge password blank.
The pem passphrase is the password the user must type when establishing the VPN connection.
Answers yes to sign the certificate and also yes to commit the certificate.
./build-key-pass user1 Generating a 1024 bit RSA private key ..................++++++ ..............................................................................++++++ writing new private key to 'user1.key' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [DK]: State or Province Name (full name) : Locality Name (eg, city) [Holbæk]: Organization Name (eg, company) :linuxlasse.net, my playground Organizational Unit Name (eg, section) : Common Name (eg, your name or your server's hostname) [user1]: Name :John Joe Email Address [email@example.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name : Using configuration from /root/openvpn/openssl.cnf Enter pass phrase for /root/openvpn/keys/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'DK' localityName :T61STRING:'Holb\0xFFFFFFC3\0xFFFFFFA6k' organizationName :PRINTABLE:'linuxlasse.net, my playground' commonName :PRINTABLE:'user1' name :T61STRING:'Lasse M\0xFFFFFFC3\0xFFFFFFB8rk' emailAddress :IA5STRING:'firstname.lastname@example.org' Certificate is to be certified until Apr 4 13:54:54 2021 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base UpdatedNow the user certificate and user key file is created, copy the files to the client in a safe maner. Either over an encrypted connecion, or by a USB stick or similar. Make sure the files are located in /etc/openvpn/ on the client, or change the path in the openvpn.conf file!
The files are: ca.crt, user1.crt and user1.key.
Install openvpn on the client, if not already installed.
#aptitude install openvpnThe client configuration file.
/etc/openvpn/openvpn.conf client remote linuxlasse.net 1194 proto udp dev tun ca ca.crt cert user1.crt key user1.key resolv-retry infinite comp-lzo user nobody group nogroup persist-key persist-tun verb 3Now try to start, and see if you connect as needed with the below command.
It should ask you for a password for the certificate.
#/etc/init.d/openvpn startFor GUI applications, I can recommend the network-manager-openvpn-gnome package and nm-applet. Ref.: http://projects.gnome.org/NetworkManager/