Table of Contents
Installation
Install necessary packages
- Debian
# apt-get install openvpn liblzo1 zip
- Gentoo
# emerge -av openvpn zip
Install easy-rsa for key management
# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
Customize scripts
- edit /etc/openvpn/easy-rsa/build-key and add:
mkdir /tmp/$1 cp $KEY_DIR/$1.key /tmp/$1/ cp $KEY_DIR/$1.crt /tmp/$1/ cp $KEY_DIR/ca.crt /tmp/$1/ cp /etc/openvpn/ta.key /tmp/$1/ cp /etc/openvpn/README.txt /tmp/$1/ sed s/%NAME%/${1}/g /etc/openvpn/client.dummy > /tmp/$1/client.ovpn cd /tmp zip -r $1_vpn.zip $1 rm -rf /tmp/$1
- edit /etc/openvpn/easy-rsa/openssl.cnf and comment the pkcs11 section:
#[ pkcs11_section ] #engine_id = pkcs11 #dynamic_path = /usr/lib/engines/engine_pkcs11.so #MODULE_PATH = $ENV::PKCS11_MODULE_PATH #PIN = $ENV::PKCS11_PIN #init = 0
- create /etc/openvpn/client.dummy:
############################################## # Sample client-side OpenVPN 2.0 config file # # for connecting to multi-client server. # # # # This configuration can be used by multiple # # clients, however each client should have # # its own cert and key files. # # # # On Windows, you might want to rename this # # file so it has a .ovpn extension # ############################################## # Specify that we are a client and that we # will be pulling certain config file directives # from the server. client # Use the same setting as you are using on # the server. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. dev tap ;dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel # if you have more than one. On XP SP2, # you may need to disable the firewall # for the TAP adapter. ;dev-node tap tls-client # Are we connecting to a TCP or # UDP server? Use the same setting as # on the server. ;proto tcp proto udp # The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. remote XXX.XXX.XXX.XXX 1194 remote XXX.XXX.XXX.XXX 1194 # Choose a random host from the remote # list for load-balancing. Otherwise # try hosts in the order specified. ;remote-random # Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected # to the internet such as laptops. resolv-retry infinite # Most clients don't need to bind to # a specific local port number. nobind # Downgrade privileges after initialization (non-Windows only) ;user nobody ;group nobody # Try to preserve some state across restarts. persist-key persist-tun # If you are connecting through an # HTTP proxy to reach the actual OpenVPN # server, put the proxy server/IP and # port number here. See the man page # if your proxy server requires # authentication. ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #] # Wireless networks often produce a lot # of duplicate packets. Set this flag # to silence duplicate packet warnings. ;mute-replay-warnings # SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. ca ca.crt cert %NAME%.crt key %NAME%.key tls-auth ta.key 1 # Verify server certificate by checking # that the certicate has the nsCertType # field set to "server". This is an # important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate # your server certificates with the nsCertType # field set to "server". The build-key-server # script in the easy-rsa folder will do this. ns-cert-type server # If a tls-auth key is used on the server # then every client must also have the key. ;tls-auth ta.key 1 # Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. ;cipher x # Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the server config file. comp-lzo # Set log file verbosity. verb 1 # Silence repeating messages ;mute 20 ;fragment 1400 mssfix
Create server config
- Edit/create /etc/openvpn/server.conf
port 1194
proto udp
dev tap
tls-server
crl-verify easy-rsa/keys/crl.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
; if you need clients to use a particular range of IPs
;server-bridge <vpn server IP> <netmask> <first IP> <last IP>
push "dhcp-option DNS 192.168.1.53"
push "dhcp-option DNS 192.168.1.54"
push "dhcp-option DOMAIN .priv"
; Default gateway of local (server) network
push "route-gateway 192.168.1.254"
; if you need routes to additional subnets, add them here
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
client-to-client
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
;log verbosity (1 to 9)
verb 4
tls-auth ta.key 0
Build server keys
Enter the easy-rsa directory previously created as root
# cd /etc/openvpn/easy-rsa
Edit vars file and set variables at the end of the file as follow:
export KEY_COUNTRY="FR" export KEY_PROVINCE="NA" export KEY_CITY="Paris" export KEY_ORG="Example" export KEY_UNIT="VPN" export KEY_EMAIL="example@example.com"
Prepare the keys environnement:
# source ./vars # ./clean-all
Initialise the PKI:
#./build-ca
Generate a certificate and private key for the server:
# ./build-key-server server
Generate Diffie Hellman parameters:
# ./build-dh
NOTE: for more help, please see http://openvpn.net/howto.html#pki
Enable access to local network
By default, only the openvpn host is accessible from the client. To enable access to all local hosts, you have to add a firewall forward rule.
edit/create /etc/init.d/fw, and make sure it is executable:
# /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
and launch it
# /etc/init.d/fw
Build certificate
Change directory and prepare environment:
# cd /etc/openvpn/easy-rsa # source ./vars
Build certificate:
# ./build-key <user>
NOTE: usual format for user is [first letter of first name].[last name]
You will have to enter some information for the user's cerficate. For most of the fields, press <enter> for default value, except for Organizational Unit Name (VPN), Common Name (complete name) and Email Address:
host:/etc/openvpn/easy-rsa# ./build-key j.doe
Generating a 1024 bit RSA private key
.........++++++
.....................................++++++
writing new private key to 'j.doe.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [Example]:
Organizational Unit Name (eg, section) []:VPN
Common Name (eg, your name or your server's hostname) [j.doe]:John Doe
Email Address [example@example.com]:j.doe@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'FR'
stateOrProvinceName :PRINTABLE:'NA'
localityName :PRINTABLE:'Paris'
organizationName :PRINTABLE:'Example'
organizationalUnitName:PRINTABLE:'VPN'
commonName :PRINTABLE:'John Doe'
emailAddress :IA5STRING:'j.doe@example.com'
Certificate is to be certified until Oct 19 09:27:26 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
A zip file name j.doe_vpn.zip will the be created in /tmp/ with all necessary files, send it to the user via encrypted channel; if you really do want to send it over e-mail, you can use SendEmail:
# sendEmail -f vpn@example.com -t j.doe@example.com -u "VPN certificate" -m "here it is." -a /tmp/j.doe_vpn.zip
Revoke certificate
Change directory and prepare environment:
# cd /etc/openvpn/easy-rsa # source ./vars
Revoke certificate:
# ./revoke-full <user>
NOTE: usual format for user is [first letter of first name].[last name] you can check existing certificates in the current directory.
Troubleshooting
If Routing does not work on the client side, you will have to manually add a route; example on a Windows machine:
# route ADD 192.168.1.0 MASK 255.255.0.0 192.168.1.254
this issue should mostly occur on Windows Vista & Windows 7 with pre-2.1rc2 OpenVPN versions.