OpenVPN on Fedora 9


Filed in: fedora, internet, linux, network, security, vpn Add comments

OpenVPN maybe free and open source, but it sure challenges the enterprise stuff out there. It is a full featured SSL VPN which can be used to create a VPN over a redily available public network. It has Linux and Windows clients, which means you are not limited to Linux alone when using OpenVPN. Ok lets dive in to installation and setup:

1. Install openvpn.

# yum install openvpn

2. Copy the necessary configuration files to generate RSA keys and Initialize PKI.

# cp -R /usr/share/openvpn/easy-rsa/ /etc/openvpn/
# cd /etc/openvpn/easy-rsa/2.0/

3. Make the /etc/openvpn/keys direcotory and edit the /etc/openvpn/easy-rsa/2.0/vars file:

# mkdir /etc/openvpn/keys
# vi vars

now set the parameters for KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_MAIL. Here is a sample:

export KEY_COUNTRY="MV"
export KEY_PROVINCE="Kaafu"
export KEY_CITY="Male"
export KEY_ORG="Fourthirty Inc."
export KEY_EMAIL="typos@fourthirty.rog"

also set the KEY_DIR parameter line to read as:

export KEY_DIR="/etc/openvpn/keys"

4. Initialize PKI.

# . ./vars

the above line is very tricky (dot space dot/vars)

# ./clean-all
# ./build-ca

5. Build the server key.

# ./build-key-server server

6. Generate certificates and keys for clients. You can do this for as many clients you want to joing your VPN. I am demonstrating the setup of only one client.

# ./build-key client1

7. Generate Diffie Hellman parameters/

# ./build-dh

8. Copy server.conf file from the /usr/share/doc/openvpn-2.1/sample-config-files/ to /etc/openvpn/ and make the following changes:

# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/

ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 172.16.0.0 255.255.255.0

9. That’s it ! You have successfully set up the OpenVPN server. Now start the service and set it to start automatically on start.

# service openvpn start
# chkconfig openvpn on

10. Setup the client in Linux. Copy the client.conf to /etc/openvpn

# cp /usr/share/doc/openvpn-2.1/sample-config-files/client.conf /etc/openvpn/

from the server system copy ca.crt, client1.crt and client1.key over to  the client machine. Use a secure method to do this. The files are located in /etc/openvpn/keys/

edit the client.conf to include:

remote <ip of server> 1194
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
ns-cert-type server

start the client service now.

# service openvpn start

ping to 172.16.0.1 from client machine. If it succeeds…congrats !

 

OpenVPN on Fedora 9

 

Then issue these commands, each line is a new command, anything beginning with "#" are comments so dont try to execute those.

Code:

yum update
 
yum install openssl openssl-devel
 
# openssl and openssl-devel may be installed already… so don’t worry




2. Right, now you want to install OpenVPN, here are the commands,

Code:

yum install openvpn -y
 
#Now check that it works
 
service openvpn start
service openvpn stop


3. A few things to setup before you can make certificates, issue these commands,

Code:

find / -name "easy-rsa"
 
#you should get an output like this…
 
/usr/share/doc/openvpn-2.0.7/easy-rsa
 
#Now, make a copy of the easy-rsa directory, to /etc/openvpn/ ( make sure you #have put the right version number in i.e. mine was -2.0.7, change if needed)
 
cp -R /usr/share/doc/openvpn-2.0.7/easy-rsa /etc/openvpn/
 
cd /etc/openvpn/easy-rsa
 
chmod 777 *
 
mkdir /etc/openvpn/keys



4. You need to edit the vars file, located in /etc/openvpn/easy-rsa
You can use any editor you like, I used vi.

Change the line

Code:

export KEY_DIR=$D/keys

to

Code:

export KEY_DIR=/etc/openvpn/keys

Also at the bottom of this file you will see something similar to this,

Code:

 
export KEY_COUNTRY=US
export KEY_PROVINCE=CA
export KEY_CITY=SOMEWHERE
export KEY_ORG="My Org"
export KEY_EMAIL=me@mydomain.com
 

 

Change this to your own values.


5. Now its time to make the certificates, enter these commands

 

Code:

. ./vars

 

Code:

./clean-all

 

Code:

./build-ca

 

# just hit enter to the defaults apart from Common Name, this must be unique
# call it something like mydomain-ca

Code:

./build-key-server server

Code:

./build-key client1

# remember that common name must be unique e.g. use mydomain-client1
# and YES you want to sign the keys

Code:

./build-key client2

# do this step for as many clients as you need.

Code:

./build-dh


6. We are almost done now… right we need to create a few config files, you can download my template from here,

Code:

cd /etc/openvpn

 

Code:

wget www.designpc.co.uk/downloads/server.conf

 

# make sure you change a few things in the server.conf file, like DNS
# servers

Code:

touch server-tcp.log

 

~ this makes the log file..

 

Code:

touch ipp.txt

this makes the IP reservation list.


7. You need to make a few changes to OpenVPN itself. Go to..

Code:

cd /etc/init.d/

 

edit the openvpn file

#Uncomment this line (line 119)

 

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

Add these lines below it, changing 123.123.123.123 to your public IP address,

 

Code:

iptables -t nat -A POSTROUTING -s 192.168.2.3 -j SNAT --to 123.123.123.123
                 iptables -t nat -A POSTROUTING -s 192.168.2.4 -j SNAT --to 123.123.123.123
                 iptables -t nat -A POSTROUTING -s 192.168.2.5 -j SNAT --to 123.123.123.123
                 iptables -t nat -A POSTROUTING -s 192.168.2.6 -j SNAT --to 123.123.123.123
                 iptables -t nat -A POSTROUTING -s 192.168.2.7 -j SNAT --to 123.123.123.123
                 iptables -t nat -A POSTROUTING -s 192.168.2.8 -j SNAT --to 123.123.123.123
                 iptables -t nat -A POSTROUTING -s 192.168.2.9 -j SNAT --to 123.123.123.123
                 iptables -t nat -A POSTROUTING -s 192.168.2.10 -j SNAT --to 123.123.123.123

Now install iptables if you don’t have it already,

 

Code:

yum install iptables
 
#test it
 
service iptables start
service iptables stop


8. Now for the client config files. If your client is a Windows machine, make sure you have installed OpenVPN, use the gui version, downloadable from here;

http://www.designpc.co.uk/downloads/openvpn-2.0.9-gui-1.0.3-install.exe

You need to copy a few files from the server to your client machine, here is the list, located in /etc/openvpn/keys/

## WARNING ## Use a secure way of transferring these files off the server, something like WinSCP.

ca.crt
client1.csr
client1.key
client1.crt

Put these files in this directory C:\Program Files\OpenVPN\config\

Now you need to make a client config, here is an example..

PHP Code:

client
dev tun
proto tcp

#Change my.publicdomain.com to your public domain or IP address
remote my.publicdomain.com 1194

resolv-retry infinite
nobind
persist-key
persist-tun


ca ca.crt
cert client1
.crt
key client1
.key

ns-cert-type server

#DNS Options here, CHANGE THESE !!
push "dhcp-option DNS 123.123.123.123"
push "dhcp-option DNS 123.123.123.124"

comp-lzo

verb 3 

Make sure you edit any of the lines with comments above them.

Call this file client1.opvn and put it in C:\Program Files\OpenVPN\config\

Make sure the file extension is .opvn not .txt

To connect right click on OpenVPN in the taskbar >> Connect

To test ping 192.168.2.1

If you get a response, you in business