Open VPN

OpenVPN
From ParabolaWiki
This article describes a basic installation and configuration of OpenVPN
(http://openvpn.net), suitable for private and small business use. For more
detailed information, please see the official OpenVPN 2.2 man page
(http://openvpn.net/index.php/manuals/427-openvpn-22.html) and the OpenVPN
documentation (http://openvpn.net/index.php/open-source/documentation).
If your VPN provider gave you credentials (i.e. their cert, your cert and your key)
and you want to use those to connect, much of this page can be ignored. See Airvpn.
OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports SSL/TLS
security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT,
support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of
users, and portability to most major OS platforms.
OpenVPN is tightly bound to the OpenSSL (http://http://www.openssl.org) library,
and derives much of its crypto capabilities from it.
OpenVPN supports conventional encryption using a pre-shared secret key (Static Key
mode) or public key security (SSL/TLS mode) using client & server certificates.
OpenVPN also supports non-encrypted TCP/UDP tunnels.
OpenVPN is designed to work with the TUN/TAP virtual networking interface that
exists on most platforms.
Overall, OpenVPN aims to offer many of the key features of IPSec but with a
relatively lightweight footprint.
OpenVPN was written by James Yonan and is published under the GNU General Public
License (GPL).
Contents
1 Installing OpenVPN
2 Configuring the kernel
3 Public Key Infrastructure (PKI)
3.1 Installing the easy-rsa scripts
OpenVPN - ParabolaWiki https://wiki.parabolagnulinux.org/index.php?title=...
1 of 21 04/07/14 08:12
3.2 Creating keys and certificates
4 Configuring OpenVPN
4.1 The server configuration file
4.2 The client configuration file
5 Testing the OpenVPN configuration
6 Starting OpenVPN
7 Advanced OpenVPN configuration
7.1 Routing the LAN of the server to a client
7.2 Routing the LAN of a client to the server
8 Deprecated older wiki content
8.1 Using PAM and passwords to authenticate
8.2 Using certs to authenticate
8.3 Routing traffic through the server
8.4 Setting up the Client
8.4.1 With password authentication
8.4.2 Certs authentication
8.4.3 DNS
8.5 Connecting to the Server
9 Acknowledgement
Installing OpenVPN
Install OpenVPN (https://parabolagnulinux.org/packages/?name=OpenVPN), available in the
Official Repositories.
Note: The software contained in this package supports both server and client
mode, so install it on all machines that need to create vpn connections.
Configuring the kernel
OpenVPN requires the Universal TUN/TAP device driver support. Add the tun module to
the modules array in /etc/rc.conf on both servers and clients.
The default Parabola Linux-libre kernel is already properly configured, but if you
build your own kernel make sure that you enable the TUN/TAP module.
Kernel cong le
Device Drivers --->
Network device support --->
[*]Network device support
<M> Universal TUN/TAP device driver support
2 of 21 04/07/14 08:12
Public Key Infrastructure (PKI)
The first step when setting up OpenVPN is to create a Public Key Infrastructure
(PKI). The PKI consists of:
A public master Certificate Authority (CA) certificate and a private key.
A separate public certificate and private key for each server and each client.
To facilitate the key/certificate creation process, OpenVPN comes with a collection
of RSA key manangement scripts (based on the openssl command line tool) known as
easy-rsa.
Note: Only .key files need to be kept secret, .crt and .csr files can be sent
over insecure channels such as plaintext email.
In this article the needed keys and certificates are created in root's home
directory. This ensures that the generated files have the right ownership and
permissions, thus being safe from other users.
Note: The keys and certificates can be created on any machine. For the highest
security, generate the keys on a physically secure machine disconnected from any
network, and make sure that the generated ca.key private key is backed up and
never accessible to anyone.
Warning: Make sure that the generated files are backed up, especially the ca.key
and ca.crt files, since if lost you will not be able to create any new, nor
revoke any comprised keys and certificates, thus requiring the generation of a
new Certificate Authority (CA) certificate and key, invalidating the entire PKI
infrastructure.
Installing the easy-rsa scripts
Install the scripts by doing the following:
# cp -r /usr/share/openvpn/easy-rsa /root
Creating keys and certificates
Now you need to create the needed keys and certificates.
Change to the directory where you installed the scripts.
# cd /root/easy-rsa
3 of 21 04/07/14 08:12
To ensure the consistent use of values when generating the PKI, set default values
to be used by the PKI generating scripts. Edit /root/easy-rsa/vars and at a minimum
set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters (do
not leave any of these parameters blank). Change the KEY_SIZE parameter to 2048 for
the SSL/TLS to use 2048bit RSA keys for authentication.
/root/easy-rsa/vars
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this le in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"
#
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# the openssl.cnf le included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you dene
# it correctly!
export KEY_DIR="$EASY_RSA/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# PKCS11 xes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048
4 of 21 04/07/14 08:12
# In how many days should the root CA key expire?
export CA_EXPIRE=3650
# In how many days should certicates expire?
export KEY_EXPIRE=3650
# These are the default values for elds
# which will be placed in the certicate.
# Don't leave any of these elds blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="Acme Acres"
export KEY_ORG="Acme"
export KEY_EMAIL="roadrunner@acmecorp.org"
#export KEY_EMAIL=mail@host.domain
export KEY_CN=Acme-CA
export KEY_NAME=Acme-CA
export KEY_OU=""
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
Export the environment variables.
# source ./vars
Delete any previously created certificates and keys.
Note: Entering a . (dot) when prompted for a value, blanks out the parameter.
The build-ca script generates the Certificate Authority (CA) certificate/key pair.
# ./build-ca
Generating a 2048 bit RSA private key
..............++++++
...++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certicate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few elds but you can leave some blank
For some elds there will be a default value,
If you enter '.', the eld will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Acme Acres]:
Organization Name (eg, company) [Acme]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Acme-CA]:
Name [Acme-CA]:
Email Address [roadrunner@acmecorp.org]:
5 of 21 04/07/14 08:12
The build-key-server script (followed by the server name) generates a
certificate/key pair for a server. Make sure that the server name (Common Name when
running the script) is unique.
Note: Do not enter a challenge password or company name when the script prompts
you for one.
# ./build-key-server elmer
.....................++++++
.......................................................++++++
writing new private key to 'elmer.key'
-----
-----
Common Name (eg, your name or your server's hostname) [elmer]:
Name [Acme-CA]:
Please enter the following 'extra' attributes
to be sent with your certicate request
A challenge password []:
An optional company name []:
Using conguration from /root/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'Acme Acres'
organizationName :PRINTABLE:'Acme'
commonName :PRINTABLE:'elmer'
name :PRINTABLE:'Acme-CA'
emailAddress :IA5STRING:'roadrunner@acmecorp.org'
Certicate is to be certied until Dec 27 19:11:59 2021 GMT (3650 days)
Sign the certicate? [y/n]:y
1 out of 1 certicate requests certied, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The build-dh script generates the Diffie-Hellman parameters (http://www.rsa.com
/rsalabs/node.asp?id=2248) .pem file needed by the server.
Note: It would be better to generate a new one for each server, but you can use
6 of 21 04/07/14 08:12
the same one for your servers if you want to.
# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..+.............................................................................
.
.
.
............+...............+...................................................
..................................................................++*++*
The build-key script (followed by a client name) generates a certificate/key pair
for a client. Make sure that the client name (Common Name when running the script)
is unique.
Note: Do not enter a challenge password or company name when the script prompts
you for one.
# ./build-key bugs
....++++++
.............................................................++++++
writing new private key to 'bugs.key'
-----
-----
Common Name (eg, your name or your server's hostname) [bugs]:
Name [Acme-CA]:
Please enter the following 'extra' attributes
to be sent with your certicate request
A challenge password []:
An optional company name []:
Using conguration from /root/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'Acme Acres'
organizationName :PRINTABLE:'Acme'
commonName :PRINTABLE:'bugs'
name :PRINTABLE:'Acme-CA'
7 of 21 04/07/14 08:12
emailAddress :IA5STRING:'roadrunner@acmecorp.org'
Certicate is to be certied until Dec 27 19:18:27 2021 GMT (3650 days)
Sign the certicate? [y/n]:y
1 out of 1 certicate requests certied, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate a secret Hash-based Message Authentication Code (HMAC) by running:
# openvpn --genkey --secret /root/easy-rsa/keys/ta.key
This will be used to add an additional HMAC signature to all SSL/TLS handshake
packets. In addition any UDP packet not having the correct HMAC signature will be
immidiately dropped, protecting against:
Portscanning.
DOS attacks on the OpenVPN UDP port.
SSL/TLS handshake initiations from unauthorized machines.
Any eventual buffer overflow vulnerabilities in the SSL/TLS implementation.
All the created keys and certificates have been stored in /root/easy-rsa/keys. If
you make a mistake, you can start over by running the clean-all script again.
Warning: This will delete any previously generated keys and certificates stored
in /root/easy-rsa/keys.
# ./clean-all
The final step of the key creation process is to copy the files needed to the
correct machines through a secure channel.
Note: In this article the keys and certificates will be placed into /etc/openvpn
on the server and the client.
The public ca.crt certificate will be needed on all servers and clients. The
private ca.key key is secret and only needed on the key generating machine.
The public server.crt, and dh2048.pem, and private server.key, and ta.key files are
needed on the server.
The public client.crt, and private client.key, and ta.key files are needed on the
client.
Configuring OpenVPN
OpenVPN is an extremely versatile software and many configurations are possible, in
8 of 21 04/07/14 08:12
fact machines can be both "servers" and "clients", blurring the distinction between
server and client.
What really distinguishes a server from a client is the configuration file itself.
The openvpn daemon startup script reads all the .conf configuration files it finds
in /etc/openvpn on startup, and acts accordingly. In fact if it finds more than one
configuration file it will start one OpenVPN processes per configuration file.
This article explains how to setup a machine that is called the server (elmer), and
a machine that connects to it is called the client (bugs). More servers and clients
can easily be added, by creating more key/certificate pairs and adding more server
and client configuration files.
The OpenVPN package comes with a collection of example configuration files for
different purposes. The sample server and client configuration files make an ideal
starting point for a basic OpenVPN setup with the following features:
Uses Public Key Infrastructure (PKI) for authentication.
Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).
Listens for client connections on UDP port 1194 (OpenVPN's official IANA port
number).
Distributes virtual addresses to connecting clients from the 10.8.0.0/24
subnet.
For more advanced configurations, please see the official OpenVPN 2.2 man page
(http://openvpn.net/index.php/manuals/427-openvpn-22.html) and the OpenVPN
documentation (http://openvpn.net/index.php/open-source/documentation).
The server configuration file
Copy the example server configuration file to /etc/openvpn/server.conf
# cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf
Edit the following:
The ca, cert, key, and dh parameters to reflect the path and names of the keys
and certificates. Specifying the paths will allow you to run the OpenVPN
executable from any directory for testing purposes.
Enable the SSL/TLS HMAC handshake protection. Note the use of the parameter 0
for a server.
It is recommended to run OpenVPN with reduced privileges once it has
initialized, do this by uncommenting the user and group directives.
/etc/openvpn/server.conf
9 of 21 04/07/14 08:12
ca /etc/openvpn/ca.crt
cert /etc/openvpn/elmer.crt
key /etc/openvpn/elmer.key
dh /etc/openvpn/dh2048.pem
.
.
tls-auth /etc/openvpn/ta.key 0
.
.
user nobody
group nobody
Note: Note that if the server is behind a firewall or a NAT translating router,
you will have to forward the OpenVPN UDP port (1194) to the server.
The client configuration file
Copy the example client configuration file to /etc/openvpn/client.conf
# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf
Edit the following:
The remote directive to reflect the server's Fully Qualified Domain Name,
hostname (as known to the client) or IP address.
Uncomment the user and group directives to drop privileges.
The ca, cert, and key parameters to reflect the path and names of the keys and
certificates.
Enable the SSL/TLS HMAC handshake protection. Note the use of the parameter 1
for a client.
/etc/openvpn/client.conf
remote elmer.acmecorp.org 1194
.
.
user nobody
group nobody
.
.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bugs.crt
key /etc/openvpn/bugs.key
.
.
tls-auth /etc/openvpn/ta.key 1
Testing the OpenVPN configuration
10 of 21 04/07/14 08:12
Run # openvpn /etc/openvpn/server.conf on the server, and # openvpn /etc/openvpn/client.conf on
the client. You should see something similar to this:
# openvpn /etc/openvpn/server.conf
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-dened scripts or executables
Wed Dec 28 14:41:26 2011 Die-Hellman initialized with 2048 bit key
Wed Dec 28 14:41:26 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 28 14:41:26 2011 Socket Buers: R=[126976->131072] S=[126976->131072]
Wed Dec 28 14:41:26 2011 ROUTE default_gateway=10.66.0.1
Wed Dec 28 14:41:26 2011 TUN/TAP device tun0 opened
Wed Dec 28 14:41:26 2011 TUN/TAP TX queue length set to 100
Wed Dec 28 14:41:26 2011 /usr/sbin/ip link set dev tun0 up mtu 1500
Wed Dec 28 14:41:26 2011 /usr/sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Dec 28 14:41:26 2011 /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Dec 28 14:41:26 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 28 14:41:26 2011 GID set to nobody
Wed Dec 28 14:41:26 2011 UID set to nobody
Wed Dec 28 14:41:26 2011 UDPv4 link local (bound): [undef]:1194
Wed Dec 28 14:41:26 2011 UDPv4 link remote: [undef]
Wed Dec 28 14:41:26 2011 MULTI: multi_init called, r=256 v=256
Wed Dec 28 14:41:26 2011 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Dec 28 14:41:26 2011 IFCONFIG POOL LIST
Wed Dec 28 14:41:26 2011 Initialization Sequence Completed
Wed Dec 28 14:41:51 2011 MULTI: multi_create_instance called
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Re-using SSL/TLS context
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 LZO compression initialized
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Local Options hash (VER=V4): '530fdded'
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Expected Remote Options hash (VER=V4): '41690919'
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 TLS: Initial packet from 95.126.136.73:48904, sid=163f4a5e e0399137
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/em
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=bugs/name=Acme-CA/emailA
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 [bugs] Peer Connection Initiated with 95.126.136.73:48904
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: Learn: 10.8.0.6 -> bugs/95.126.136.73:48904
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 1
# openvpn /etc/openvpn/client.conf
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-dened scripts or executables
Wed Dec 28 14:41:50 2011 LZO compression initialized
Wed Dec 28 14:41:50 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 28 14:41:50 2011 Socket Buers: R=[114688->131072] S=[114688->131072]
Wed Dec 28 14:41:51 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 28 14:41:51 2011 Local Options hash (VER=V4): '41690919'
Wed Dec 28 14:41:51 2011 Expected Remote Options hash (VER=V4): '530fdded'
Wed Dec 28 14:41:51 2011 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed Dec 28 14:41:51 2011 UDPv4 link local: [undef]
Wed Dec 28 14:41:51 2011 UDPv4 link remote: 85.93.204.250:1194
Wed Dec 28 14:41:51 2011 TLS: Initial packet from 85.93.204.250:1194, sid=5f379f35 50c9ab11
11 of 21 04/07/14 08:12
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunn
Wed Dec 28 14:41:52 2011 VERIFY OK: nsCertType=SERVER
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=elmer/name=Acme-CA/emailAddress=roadrunner@
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Dec 28 14:41:54 2011 [elmer] Peer Connection Initiated with 85.93.204.250:1194
Wed Dec 28 14:41:57 2011 SENT CONTROL [elmer]: 'PUSH_REQUEST' (status=1)
Wed Dec 28 14:41:57 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifcong 10.8.0
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: timers and/or timeouts modied
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: --ifcong/up options modied
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: route options modied
Wed Dec 28 14:41:57 2011 ROUTE default_gateway=10.64.64.64
Wed Dec 28 14:41:57 2011 TUN/TAP device tun1 opened
Wed Dec 28 14:41:57 2011 TUN/TAP TX queue length set to 100
Wed Dec 28 14:41:57 2011 /usr/sbin/ip link set dev tun1 up mtu 1500
Wed Dec 28 14:41:57 2011 /usr/sbin/ip addr add dev tun1 local 10.8.0.6 peer 10.8.0.5
Wed Dec 28 14:41:57 2011 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Wed Dec 28 14:41:57 2011 GID set to nobody
Wed Dec 28 14:41:57 2011 UID set to nobody
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed
On the server, find the IP assigned to the tunX device:
# ip addr show
.
.
.
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfo_fast state UNKNOWN qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
Here we see that the server end of the tunnel has been given the IP address
10.8.0.1.
Do the same on the client:
# ip addr show
.
.
.
37: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfo_fast state UNKNOWN qlen 100
link/none
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun1
And the client side has been given the IP 10.8.0.6.
Now try pinging the interfaces.
On the server:
12 of 21 04/07/14 08:12
# ping 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms
^C
--- 10.8.0.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms
On the client:
# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms
You now have a working OpenVPN installation, and your client (bugs) will be able to
use services on the server (elmer), and vice versa.
Starting OpenVPN
To start OpenVPN manually run:
# rc.d start openvpn
To have your system run OpenVPN automatically at system start, add openvpn to the
daemon array in /etc/rc.conf.
Advanced OpenVPN configuration
Routing the LAN of the server to a client
Prerequisites:
The server (elmer) is on a LAN using the private class C network range
10.66.0.0/24.
The server's LAN network interface is called eth0.
The client (bugs) is assigned an ip address out of the address pool
10.8.0.0/24, as specified by the server directive in the server's
configuration file (/etc/openvpn/server.conf):
13 of 21 04/07/14 08:12
server 10.8.0.0 255.255.255.0
As OpenVPN will need to forward packets between the tun/tap device and the LAN
device, edit /etc/sysctl.conf to permanently enable ipv4 packet forwarding. Takes
effect at the next boot.
/etc/sysctl.conf
# Enable packet forwarding
net.ipv4.ip_forward=1
To temporarily enable without rebooting do:
# echo 1 > /proc/sys/net/ipv4/ip_forward
As the server will have to accept traffic destined to a different IP than it's LAN
interface (eth0) is configured for, it needs to be set to promiscious mode. Add the
following to /etc/rc.local:
/etc/rc.local
ip link set dev eth0 promisc on
Takes effect at the next boot, to enable it without rebooting do:
# ip link set dev eth0 promisc on .
To inform the client about the available subnet, add a push directive to the server
configuration file:
push "route 10.66.0.0 255.255.255.0"
Note: If the server (elmer) is not the default LAN gateway on the server side,
you will have to do one of the following:
Add a static route to the LAN's default gateway (most likely the LAN's
router), routing the client IP range 10.8.0.0/24 back to the server's eth0
IP address.
Add a static route to each host on the server side LAN that you want to be
able to communicate with the client (bugs).
Use the iptables NAT feature to masquerade the IP packets.
14 of 21 04/07/14 08:12
Routing the LAN of a client to the server
Prerequisites:
You must make sure that any subnets used on the client side (bugs), are unique
and not in use on the server side or by any other client. In this example we
will use 192.168.4.0/24 for the clients LAN.
The client's LAN network interface is called eth0.
Each client's certificate has a unique Common Name, in this case bugs.
The server may not use the duplicate-cn directive in it's config file.
As OpenVPN will need to forward packets between the tun/tap device and the LAN
device, edit /etc/sysctl.conf to permanently enable ipv4 packet forwarding. Takes
effect at the next boot.
/etc/sysctl.conf
# Enable packet forwarding
net.ipv4.ip_forward=1
To temporarily enable without rebooting do:
# echo 1 > /proc/sys/net/ipv4/ip_forward
As the client will have to accept traffic destined to a different IP than the LAN
interface is configured for, you will need to set it to promiscious mode. Add the
following to /etc/rc.local:
/etc/rc.local
ip link set dev eth0 promisc on
Takes effect at the next boot, to enable it without rebooting do:
# ip link set dev eth0 promisc on .
You must now create a client configuration directory on the server (elmer). When a
client connects, the server process will check this directory for a file named the
same as the client certificate's common name, and apply the directives to the
client.
# mkdir -p /etc/openvpn/ccd
Create a file in the client configuration directory called bugs, containing the
directive iroute 192.168.4.0 255.255.255.0. This will tell the server that the
15 of 21 04/07/14 08:12
192.168.4.0/24 subnet should be routed to the client (bugs):
/etc/openvpn/ccd/bugs
iroute 192.168.4.0 255.255.255.0
Then add the directive route 192.168.4.0 255.255.255.0 to the server's
configuration file /etc/openvpn/server.conf. This will tell the server that the
192.168.4.0/24 subnet should be routed from the tun device to the server process.
Both are needed:
route 192.168.4.0 255.255.255.0
Note: If the client (bugs) is not the default LAN gateway on the client side, you
will need to do one of the following:
Add a static route to the client LAN's default gateway (most likely the
client LAN router), routing the server's IP range 10.66.0.0/24 back to the
client's eth0 IP address.
Add a static route to each host on the client side LAN that you want to be
able to respond to the server.
Use the iptables NAT feature to masquerade the IP packets.
Deprecated older wiki content
Using PAM and passwords to authenticate
port 1194
proto udp
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 192.168.56.0 255.255.255.0
ifcong-pool-persist ipp.txt
;learn-address ./script
client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0
comp-lzo
16 of 21 04/07/14 08:12
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
Using certs to authenticate
port 1194
proto tcp
dev tun0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifcong-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
log-append /var/log/openvpn
status /tmp/vpn.status 10
Routing traffic through the server
Append the following to your server's openvpn.conf configuration file:
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"
Change "192.168.1.1" to your external DNS IP address.
Use an iptable for NAT forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
If running ArchLinux in a OpenVZ VPS environment [1] (http://thecodeninja.net/linux
/openvpn-archlinux-openvz-vps/):
17 of 21 04/07/14 08:12
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)
If all is well, make the changes permanent:
Edit /etc/conf.d/iptables and change IPTABLES_FORWARD=1
/etc/rc.d/iptables save
Setting up the Client
The clientside .conf file
With password authentication
client
dev tap
proto udp
remote <address> 1194
resolv-retry innite
nobind
persist-tun
comp-lzo
verb 3
auth-user-pass passwd
ca ca.crt
passwd file (referenced by auth-user-pass) must contain two lines:
first line - username
second - password
Certs authentication
client
remote <MYSERVER> 1194
dev tun0
proto tcp
resolv-retry innite
nobind
persist-key
persist-tun
verb 2
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
Copy three files from server to remote computer.
18 of 21 04/07/14 08:12
ca.crt
client1.crt
client1.key
Install the tunnel/tap module:
# sudo modprobe tun
To have the tun module loaded automatically at boot time add it to the Modules line
in /etc/rc.conf
DNS
The DNS servers used by the system are defined in /etc/resolv.conf. Traditionally,
this file is the responsibility of whichever program deals with connecting the
system to the network (e.g. Wicd, NetworkManager, etc...) However, OpenVPN will
need to modify this file if you want to be able to resolve names on the remote
side. To achieve this in a sensible way, install openresolv, which makes it
possible for more than one program to modify resolv.conf without stepping on
each-other's toes. Before continuing, test openresolv by restarting your network
connection and ensuring that resolv.conf states that it was generated by
"resolvconf", and that your DNS resolution still works as before. You shouldn't
need to configure openresolv; it should be automatically detected and used by your
network system.
Next, save the following script at /usr/share/openvpn/update-resolv-conf:
#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
# and Chris Hanson
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
#
# 05/2006 chlauber@bnc.ch
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
[ -x /usr/sbin/resolvconf ] || exit 0
case $script_type in
up)
for optionname in ${!foreign_option_*} ; do
19 of 21 04/07/14 08:12
option="${!optionname}"
echo $option
part1=$(echo "$option" | cut -d " " -f 1)
if [ "$part1" == "dhcp-option" ] ; then
if [ "$part2" == "DNS" ] ; then
IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"

if [ "$part2" == "DOMAIN" ] ; then
IF_DNS_SEARCH="$part3"

done
R=""
if [ "$IF_DNS_SEARCH" ] ; then
R="${R}search $IF_DNS_SEARCH
"

for NS in $IF_DNS_NAMESERVERS ; do
R="${R}nameserver $NS
"
done
echo -n "$R" | /usr/sbin/resolvconf -a "${dev}.inet"
;;
down)
/usr/sbin/resolvconf -d "${dev}.inet"
;;
esac
Remember to make the file executable with:
$ chmod +x /usr/share/openvpn/update-resolv-conf
Next, add the following lines to your OpenVPN client configuration file:
script-security 2
up /usr/share/openvpn/update-resolv-conf
down /usr/share/openvpn/update-resolv-conf
Now, when your launch your OpenVPN connection, you should find that your
resolv.conf file is updated accordingly, and also returns to normal when your close
the connection.
Connecting to the Server
You need to start the service on the server
/etc/rc.d/openvpn start
You can add it to rc.conf to make it permanet.
On the client, in the home directory create a folder that will hold your OpenVPN
20 of 21 04/07/14 08:12
client config files along with the .crt/.key files. Assuming your OpenVPN config
folder is called .openvpn and your client config file is vpn1.conf, to connect to
the server issue the following command:
cd ~/.openvpn && sudo openvpn vpn1.conf
Acknowledgement
This wiki article is based on ArchWiki (https://wiki.archlinux.org/). We may have
removed non-FSDG (https://www.gnu.org/philosophy/free-system-distribution-
guidelines.html) bits from it.
Retrieved from "https://wiki.parabolagnulinux.org/index.php?title=OpenVPN&
oldid=3299"
Categories: Virtual Private Network Request:Expansion Request:Correction
This page was last modified on 16 May 2012, at 03:37.
Content is available under GNU Free Documentation License 1.3 (or at your
option, any later version) unless otherwise noted.
21 of 21 04/07/14 08:12

Open VPN

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Open VPN

Uploaded by

Copyright:

Available Formats

OpenVPN

You might also like