# apt-get install openvpn liblzo1 zip
# emerge -av openvpn zip
# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
mkdir /tmp/$1 cp $KEY_DIR/$1.key /tmp/$1/ cp $KEY_DIR/$1.crt /tmp/$1/ cp $KEY_DIR/ca.crt /tmp/$1/ cp /etc/openvpn/ta.key /tmp/$1/ cp /etc/openvpn/README.txt /tmp/$1/ sed s/%NAME%/${1}/g /etc/openvpn/client.dummy > /tmp/$1/client.ovpn cd /tmp zip -r $1_vpn.zip $1 rm -rf /tmp/$1
#[ pkcs11_section ] #engine_id = pkcs11 #dynamic_path = /usr/lib/engines/engine_pkcs11.so #MODULE_PATH = $ENV::PKCS11_MODULE_PATH #PIN = $ENV::PKCS11_PIN #init = 0
############################################## # Sample client-side OpenVPN 2.0 config file # # for connecting to multi-client server. # # # # This configuration can be used by multiple # # clients, however each client should have # # its own cert and key files. # # # # On Windows, you might want to rename this # # file so it has a .ovpn extension # ############################################## # Specify that we are a client and that we # will be pulling certain config file directives # from the server. client # Use the same setting as you are using on # the server. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. dev tap ;dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel # if you have more than one. On XP SP2, # you may need to disable the firewall # for the TAP adapter. ;dev-node tap tls-client # Are we connecting to a TCP or # UDP server? Use the same setting as # on the server. ;proto tcp proto udp # The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. remote XXX.XXX.XXX.XXX 1194 remote XXX.XXX.XXX.XXX 1194 # Choose a random host from the remote # list for load-balancing. Otherwise # try hosts in the order specified. ;remote-random # Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected # to the internet such as laptops. resolv-retry infinite # Most clients don't need to bind to # a specific local port number. nobind # Downgrade privileges after initialization (non-Windows only) ;user nobody ;group nobody # Try to preserve some state across restarts. persist-key persist-tun # If you are connecting through an # HTTP proxy to reach the actual OpenVPN # server, put the proxy server/IP and # port number here. See the man page # if your proxy server requires # authentication. ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #] # Wireless networks often produce a lot # of duplicate packets. Set this flag # to silence duplicate packet warnings. ;mute-replay-warnings # SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. ca ca.crt cert %NAME%.crt key %NAME%.key tls-auth ta.key 1 # Verify server certificate by checking # that the certicate has the nsCertType # field set to "server". This is an # important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate # your server certificates with the nsCertType # field set to "server". The build-key-server # script in the easy-rsa folder will do this. ns-cert-type server # If a tls-auth key is used on the server # then every client must also have the key. ;tls-auth ta.key 1 # Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. ;cipher x # Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the server config file. comp-lzo # Set log file verbosity. verb 1 # Silence repeating messages ;mute 20 ;fragment 1400 mssfix
port 1194 proto udp dev tap tls-server crl-verify easy-rsa/keys/crl.pem ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/server.crt key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret dh /etc/openvpn/easy-rsa/keys/dh1024.pem ; if you need clients to use a particular range of IPs ;server-bridge <vpn server IP> <netmask> <first IP> <last IP> push "dhcp-option DNS 192.168.1.53" push "dhcp-option DNS 192.168.1.54" push "dhcp-option DOMAIN .priv" ; Default gateway of local (server) network push "route-gateway 192.168.1.254" ; if you need routes to additional subnets, add them here push "route 192.168.2.0 255.255.255.0" push "route 192.168.3.0 255.255.255.0" client-to-client ifconfig-pool-persist ipp.txt keepalive 10 120 comp-lzo user nobody group nogroup persist-key persist-tun status /var/log/openvpn-status.log ;log verbosity (1 to 9) verb 4 tls-auth ta.key 0
Enter the easy-rsa directory previously created as root
# cd /etc/openvpn/easy-rsa
Edit vars file and set variables at the end of the file as follow:
export KEY_COUNTRY="FR" export KEY_PROVINCE="NA" export KEY_CITY="Paris" export KEY_ORG="Example" export KEY_UNIT="VPN" export KEY_EMAIL="example@example.com"
Prepare the keys environnement:
# source ./vars # ./clean-all
Initialise the PKI:
#./build-ca
Generate a certificate and private key for the server:
# ./build-key-server server
Generate Diffie Hellman parameters:
# ./build-dh
NOTE: for more help, please see http://openvpn.net/howto.html#pki
By default, only the openvpn host is accessible from the client. To enable access to all local hosts, you have to add a firewall forward rule.
edit/create /etc/init.d/fw, and make sure it is executable:
# /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
and launch it
# /etc/init.d/fw
Change directory and prepare environment:
# cd /etc/openvpn/easy-rsa # source ./vars
Build certificate:
# ./build-key <user>
NOTE: usual format for user is [first letter of first name].[last name]
You will have to enter some information for the user's cerficate. For most of the fields, press <enter> for default value, except for Organizational Unit Name (VPN), Common Name (complete name) and Email Address:
host:/etc/openvpn/easy-rsa# ./build-key j.doe Generating a 1024 bit RSA private key .........++++++ .....................................++++++ writing new private key to 'j.doe.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [FR]: State or Province Name (full name) [NA]: Locality Name (eg, city) [Paris]: Organization Name (eg, company) [Example]: Organizational Unit Name (eg, section) []:VPN Common Name (eg, your name or your server's hostname) [j.doe]:John Doe Email Address [example@example.com]:j.doe@example.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl.cnf DEBUG[load_index]: unique_subject = "yes" Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'FR' stateOrProvinceName :PRINTABLE:'NA' localityName :PRINTABLE:'Paris' organizationName :PRINTABLE:'Example' organizationalUnitName:PRINTABLE:'VPN' commonName :PRINTABLE:'John Doe' emailAddress :IA5STRING:'j.doe@example.com' Certificate is to be certified until Oct 19 09:27:26 2017 GMT (3650 days) Sign the certificate? [y/n]:y
A zip file name j.doe_vpn.zip will the be created in /tmp/ with all necessary files, send it to the user via encrypted channel; if you really do want to send it over e-mail, you can use SendEmail:
# sendEmail -f vpn@example.com -t j.doe@example.com -u "VPN certificate" -m "here it is." -a /tmp/j.doe_vpn.zip
Change directory and prepare environment:
# cd /etc/openvpn/easy-rsa # source ./vars
Revoke certificate:
# ./revoke-full <user>
NOTE: usual format for user is [first letter of first name].[last name] you can check existing certificates in the current directory.
If Routing does not work on the client side, you will have to manually add a route; example on a Windows machine:
# route ADD 192.168.1.0 MASK 255.255.0.0 192.168.1.254
this issue should mostly occur on Windows Vista & Windows 7 with pre-2.1rc2 OpenVPN versions.