Table of Contents
Installation
Install necessary packages
- Debian
# apt-get install openvpn liblzo1 zip
- Gentoo
# emerge -av openvpn zip
Install easy-rsa for key management
# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
Customize scripts
- edit /etc/openvpn/easy-rsa/build-key and add:
mkdir /tmp/$1 cp $KEY_DIR/$1.key /tmp/$1/ cp $KEY_DIR/$1.crt /tmp/$1/ cp $KEY_DIR/ca.crt /tmp/$1/ cp /etc/openvpn/ta.key /tmp/$1/ cp /etc/openvpn/README.txt /tmp/$1/ sed s/%NAME%/${1}/g /etc/openvpn/client.dummy > /tmp/$1/client.ovpn cd /tmp zip -r $1_vpn.zip $1 rm -rf /tmp/$1
- edit /etc/openvpn/easy-rsa/openssl.cnf and comment the pkcs11 section:
#[ pkcs11_section ] #engine_id = pkcs11 #dynamic_path = /usr/lib/engines/engine_pkcs11.so #MODULE_PATH = $ENV::PKCS11_MODULE_PATH #PIN = $ENV::PKCS11_PIN #init = 0
- create /etc/openvpn/client.dummy:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node tap
tls-client
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote XXX.XXX.XXX.XXX 1194
remote XXX.XXX.XXX.XXX 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert %NAME%.crt
key %NAME%.key
tls-auth ta.key 1
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 1
# Silence repeating messages
;mute 20
;fragment 1400
mssfix
Create server config
- Edit/create /etc/openvpn/server.conf
port 1194 proto udp dev tap tls-server crl-verify easy-rsa/keys/crl.pem ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/server.crt key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret dh /etc/openvpn/easy-rsa/keys/dh1024.pem ; if you need clients to use a particular range of IPs ;server-bridge <vpn server IP> <netmask> <first IP> <last IP> push "dhcp-option DNS 192.168.1.53" push "dhcp-option DNS 192.168.1.54" push "dhcp-option DOMAIN .priv" ; Default gateway of local (server) network push "route-gateway 192.168.1.254" ; if you need routes to additional subnets, add them here push "route 192.168.2.0 255.255.255.0" push "route 192.168.3.0 255.255.255.0" client-to-client ifconfig-pool-persist ipp.txt keepalive 10 120 comp-lzo user nobody group nogroup persist-key persist-tun status /var/log/openvpn-status.log ;log verbosity (1 to 9) verb 4 tls-auth ta.key 0
Build server keys
Enter the easy-rsa directory previously created as root
# cd /etc/openvpn/easy-rsa
Edit vars file and set variables at the end of the file as follow:
export KEY_COUNTRY="FR" export KEY_PROVINCE="NA" export KEY_CITY="Paris" export KEY_ORG="Example" export KEY_UNIT="VPN" export KEY_EMAIL="example@example.com"
Prepare the keys environnement:
# source ./vars # ./clean-all
Initialise the PKI:
#./build-ca
Generate a certificate and private key for the server:
# ./build-key-server server
Generate Diffie Hellman parameters:
# ./build-dh
NOTE: for more help, please see http://openvpn.net/howto.html#pki
Enable access to local network
By default, only the openvpn host is accessible from the client. To enable access to all local hosts, you have to add a firewall forward rule.
edit/create /etc/init.d/fw, and make sure it is executable:
# /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
and launch it
# /etc/init.d/fw
Build certificate
Change directory and prepare environment:
# cd /etc/openvpn/easy-rsa # source ./vars
Build certificate:
# ./build-key <user>
NOTE: usual format for user is [first letter of first name].[last name]
You will have to enter some information for the user's cerficate. For most of the fields, press <enter> for default value, except for Organizational Unit Name (VPN), Common Name (complete name) and Email Address:
host:/etc/openvpn/easy-rsa# ./build-key j.doe
Generating a 1024 bit RSA private key
.........++++++
.....................................++++++
writing new private key to 'j.doe.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [Example]:
Organizational Unit Name (eg, section) []:VPN
Common Name (eg, your name or your server's hostname) [j.doe]:John Doe
Email Address [example@example.com]:j.doe@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'FR'
stateOrProvinceName :PRINTABLE:'NA'
localityName :PRINTABLE:'Paris'
organizationName :PRINTABLE:'Example'
organizationalUnitName:PRINTABLE:'VPN'
commonName :PRINTABLE:'John Doe'
emailAddress :IA5STRING:'j.doe@example.com'
Certificate is to be certified until Oct 19 09:27:26 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
A zip file name j.doe_vpn.zip will the be created in /tmp/ with all necessary files, send it to the user via encrypted channel; if you really do want to send it over e-mail, you can use SendEmail:
# sendEmail -f vpn@example.com -t j.doe@example.com -u "VPN certificate" -m "here it is." -a /tmp/j.doe_vpn.zip
Revoke certificate
Change directory and prepare environment:
# cd /etc/openvpn/easy-rsa # source ./vars
Revoke certificate:
# ./revoke-full <user>
NOTE: usual format for user is [first letter of first name].[last name] you can check existing certificates in the current directory.
Troubleshooting
If Routing does not work on the client side, you will have to manually add a route; example on a Windows machine:
# route ADD 192.168.1.0 MASK 255.255.0.0 192.168.1.254
this issue should mostly occur on Windows Vista & Windows 7 with pre-2.1rc2 OpenVPN versions.