====== Installation ======

===== Install necessary packages =====

  * Debian
<code>
# apt-get install openvpn liblzo1 zip
</code>
  * Gentoo
<code>
# emerge -av openvpn zip
</code>

===== Install easy-rsa for key management =====

<code>
# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
</code>

===== Customize scripts =====

  * edit /etc/openvpn/easy-rsa/build-key and add the following lines (they collect the new user's key and certificate, the CA certificate, the tls-auth key, the README and a client config rendered from the template into /tmp/<name>_vpn.zip):
<code>
mkdir /tmp/$1
cp $KEY_DIR/$1.key /tmp/$1/
cp $KEY_DIR/$1.crt /tmp/$1/
cp $KEY_DIR/ca.crt /tmp/$1/
cp /etc/openvpn/ta.key /tmp/$1/
cp /etc/openvpn/README.txt /tmp/$1/
sed s/%NAME%/${1}/g /etc/openvpn/client.dummy > /tmp/$1/client.ovpn
cd /tmp
zip -r $1_vpn.zip $1
rm -rf /tmp/$1
</code>
  * edit /etc/openvpn/easy-rsa/openssl.cnf and comment out the pkcs11 section:
<code>
#[ pkcs11_section ]
#engine_id = pkcs11
#dynamic_path = /usr/lib/engines/engine_pkcs11.so
#MODULE_PATH = $ENV::PKCS11_MODULE_PATH
#PIN = $ENV::PKCS11_PIN
#init = 0
</code>
  * create /etc/openvpn/client.dummy (the template for each user's client.ovpn; %NAME% is replaced by the user name by build-key):
<code>
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node tap

tls-client

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote XXX.XXX.XXX.XXX 1194
remote XXX.XXX.XXX.XXX 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert %NAME%.crt
key %NAME%.key
tls-auth ta.key 1

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 1

# Silence repeating messages
;mute 20

;fragment 1400
mssfix
</code>

===== Create server config =====

  * Edit/create /etc/openvpn/server.conf:
<code>
port 1194
proto udp
dev tap
tls-server
crl-verify easy-rsa/keys/crl.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
; if you need clients to use a particular range of IPs
;server-bridge
push "dhcp-option DNS 192.168.1.53"
push "dhcp-option DNS 192.168.1.54"
push "dhcp-option DOMAIN .priv"
; Default gateway of local (server) network
push "route-gateway 192.168.1.254"
; if you need routes to additional subnets, add them here
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
client-to-client
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
;log verbosity (1 to 9)
verb 4
tls-auth ta.key 0
</code>

===== Build server keys =====

Enter the easy-rsa directory created previously, as root:
<code>
# cd /etc/openvpn/easy-rsa
</code>
Edit the vars file and set the variables at the end of the file as follows:
<code>
export KEY_COUNTRY="FR"
export KEY_PROVINCE="NA"
export KEY_CITY="Paris"
export KEY_ORG="Example"
export KEY_UNIT="VPN"
export KEY_EMAIL="example@example.com"
</code>
Prepare the key environment:
<code>
# source ./vars
# ./clean-all
</code>
Initialise the PKI:
<code>
# ./build-ca
</code>
Generate a certificate and private key for the server:
<code>
# ./build-key-server server
</code>
Generate Diffie-Hellman parameters:
<code>
# ./build-dh
</code>
NOTE: for more help, please see http://openvpn.html#pki

===== Enable access to local network =====

By default, only the OpenVPN host is accessible from the client. To enable access to all local hosts, you have to add a firewall rule that masquerades the clients' traffic towards the local network. Edit/create /etc/init.d/fw with the following content, and make sure it is executable:
<code>
#!/bin/sh
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
</code>
and launch it:
<code>
# /etc/init.d/fw
</code>

====== Build certificate ======

Change directory and prepare the environment:
<code>
# cd /etc/openvpn/easy-rsa
# source ./vars
</code>
Build the certificate:
<code>
# ./build-key <user>
</code>
NOTE: the usual format for user is [first letter of first name].[last name]

You will have to enter some information for the user's certificate. For most of the fields, press Enter to accept the default value, except for Organizational Unit Name (VPN), Common Name (complete name) and Email Address:
<code>
host:/etc/openvpn/easy-rsa# ./build-key j.doe
Generating a 1024 bit RSA private key
.........++++++
.....................................++++++
writing new private key to 'j.doe.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [Example]:
Organizational Unit Name (eg, section) []:VPN
Common Name (eg, your name or your server's hostname) [j.doe]:John Doe
Email Address [example@example.com]:j.doe@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'NA'
localityName          :PRINTABLE:'Paris'
organizationName      :PRINTABLE:'Example'
organizationalUnitName:PRINTABLE:'VPN'
commonName            :PRINTABLE:'John Doe'
emailAddress          :IA5STRING:'j.doe@example.com'
Certificate is to be certified until Oct 19 09:27:26 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
</code>
A zip file named j.doe_vpn.zip will then be created in /tmp/ with all the necessary files. Send it to the user over an encrypted channel; if you **really** do want to send it over e-mail, you can use [[http://caspian.dotconf.net/menu/Software/SendEmail/|SendEmail]]:
<code>
# sendEmail -f vpn@example.com -t j.doe@example.com -u "VPN certificate" -m "here it is." -a /tmp/j.doe_vpn.zip
</code>

====== Revoke certificate ======

Change directory and prepare the environment:
<code>
# cd /etc/openvpn/easy-rsa
# source ./vars
</code>
Revoke the certificate:
<code>
# ./revoke-full <user>
</code>
NOTE: the usual format for user is [first letter of first name].[last name]; you can check the existing certificates in the current directory.

====== Troubleshooting ======

If routing does not work on the client side, you will have to add a route manually; example on a Windows machine:
<code>
# route ADD 192.168.1.0 MASK 255.255.0.0 192.168.1.254
</code>
This issue should mostly occur on Windows Vista and Windows 7 with pre-2.1rc2 OpenVPN versions.
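The lines added to build-key in the Customize scripts section copy files and render client.ovpn without checking anything; the POSIX sh functions below are an added example, not code from the page or from easy-rsa, that do the same bundle step with a validated user name and a check of the result before it is zipped and sent to the user. The function names, the root directory layout (keys/, ta.key and client.dummy under one root) and the stand-in files written by make_fixture are assumptions constructed for this example; on a real host ta.key is the static tls-auth key both configs reference and must already exist.

```shell
#!/bin/sh
# Added example, not from the original page: the client-bundle steps of the
# customised build-key hook, with validation. All paths/names are assumptions;
# make_fixture writes constructed stand-in files so this runs offline.

valid_name() {   # user names are spliced into paths and a sed expression
    case "$1" in
        ''|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

render_client_config() {   # $1 = client.dummy template, $2 = name, $3 = output
    valid_name "$2" || { echo "rejected client name: $2" >&2; return 1; }
    sed "s/%NAME%/$2/g" "$1" > "$3"   # same substitution the page's hook uses
}

check_bundle() {   # $1 = bundle dir, $2 = name; must pass before zip runs
    for f in "$2.key" "$2.crt" ca.crt ta.key client.ovpn; do
        [ -s "$1/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    grep -q '%NAME%' "$1/client.ovpn" && { echo "unrendered placeholder" >&2; return 1; }
    grep -q "^cert $2.crt\$" "$1/client.ovpn" || return 1
    grep -q "^key $2.key\$" "$1/client.ovpn" || return 1
    chmod 600 "$1/$2.key"   # the private key travels in the zip; keep it owner-only
}

make_bundle() {   # $1 = root with keys/, ta.key, client.dummy; $2 = name; $3 = out root
    valid_name "$2" || return 1
    out="$3/$2"
    mkdir -p "$out" || return 1
    cp "$1/keys/$2.key" "$1/keys/$2.crt" "$1/keys/ca.crt" "$1/ta.key" "$out/" 2>/dev/null || return 1
    render_client_config "$1/client.dummy" "$2" "$out/client.ovpn" || return 1
    check_bundle "$out" "$2"
}

make_fixture() {   # $1 = root; constructed stand-ins, NOT real keys or certificates
    mkdir -p "$1/keys"
    printf 'constructed ca\n'   > "$1/keys/ca.crt"
    printf 'constructed cert\n' > "$1/keys/j.doe.crt"
    printf 'constructed key\n'  > "$1/keys/j.doe.key"
    printf 'constructed ta\n'   > "$1/ta.key"
    printf 'client\ndev tap\nca ca.crt\ncert %%NAME%%.crt\nkey %%NAME%%.key\ntls-auth ta.key 1\n' > "$1/client.dummy"
}
```

Run make_fixture on a scratch directory and then make_bundle <root> j.doe <outdir>; a non-zero exit means the bundle is incomplete or the name was rejected and nothing should be zipped or sent.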