OpenVPN may be free and open source, but it sure challenges the enterprise stuff out there. It is a full-featured SSL VPN which can be used to create a VPN over a readily available public network. It has Linux and Windows clients, which means you are not limited to Linux alone when using OpenVPN. OK, let's dive into installation and setup:
1. Install openvpn.
# yum install openvpn
2. Copy the necessary configuration files to generate RSA keys and initialize the PKI.
# cp -R /usr/share/openvpn/easy-rsa/ /etc/openvpn/
# cd /etc/openvpn/easy-rsa/2.0/
3. Make the /etc/openvpn/keys directory and edit the /etc/openvpn/easy-rsa/2.0/vars file:
# mkdir /etc/openvpn/keys
# vi vars
Now set the parameters for KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL. Here is a sample:
export KEY_COUNTRY="MV"
export KEY_PROVINCE="Kaafu"
export KEY_CITY="Male"
export KEY_ORG="Fourthirty Inc."
export KEY_EMAIL="typos@fourthirty.rog"
Also set the KEY_DIR parameter line to read as:
export KEY_DIR="/etc/openvpn/keys"
4. Initialize the PKI.
# . ./vars
The above line is easy to mistype: it is a dot, a space, then ./vars (the dot sources the file into the current shell so its exports take effect).
# ./clean-all
# ./build-ca
5. Build the server key.
# ./build-key-server server
6. Generate certificates and keys for the clients. You can do this for as many clients as you want to join your VPN. I am demonstrating the setup of only one client.
# ./build-key client1
7. Generate Diffie-Hellman parameters.
# ./build-dh
8. Copy the server.conf file from /usr/share/doc/openvpn-2.1/sample-config-files/ to /etc/openvpn/ and make the following changes:
# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 172.16.0.0 255.255.255.0
9. That's it! You have successfully set up the OpenVPN server. Now start the service and set it to start automatically on boot.
# service openvpn start
# chkconfig openvpn on
10. Set up the client in Linux. Copy the client.conf to /etc/openvpn:
# cp /usr/share/doc/openvpn-2.1/sample-config-files/client.conf /etc/openvpn/
From the server system, copy ca.crt, client1.crt and client1.key over to the client machine. Use a secure method to do this. On the server the files are located in /etc/openvpn/keys/, and the client config below expects them under /etc/openvpn/keys/ on the client as well.
Edit client.conf to include:
remote <ip of server> 1194
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
ns-cert-type server
Start the client service now.
# service openvpn start
Ping 172.16.0.1 from the client machine. If it succeeds... congrats!
Then issue these commands. Each line is a new command; anything beginning with "#" is a comment, so don't try to execute those.
Code:
yum update
yum install openssl openssl-devel
# openssl and openssl-devel may be installed already… so don’t worry
2. Right, now you want to install OpenVPN. Here are the commands:
Code:
yum install openvpn -y
#Now check that it works
service openvpn start
service openvpn stop
3. A few things to set up before you can make certificates. Issue these commands:
Code:
find / -name "easy-rsa"
#you should get an output like this…
/usr/share/doc/openvpn-2.0.7/easy-rsa
# Now make a copy of the easy-rsa directory to /etc/openvpn/ (make sure you
# have put the right version number in, i.e. mine was -2.0.7; change if needed)
cp -R /usr/share/doc/openvpn-2.0.7/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa
chmod 777 *
mkdir /etc/openvpn/keys
4. You need to edit the vars file, located in /etc/openvpn/easy-rsa. You can use any editor you like; I used vi.
Change the line
Code:
export KEY_DIR=$D/keys
to
Code:
export KEY_DIR=/etc/openvpn/keys
Also, at the bottom of this file you will see something similar to this:
Code:
export KEY_COUNTRY=US
export KEY_PROVINCE=CA
export KEY_CITY=SOMEWHERE
export KEY_ORG="My Org"
export KEY_EMAIL=me@mydomain.com
Change this to your own values.
5. Now it's time to make the certificates. Enter these commands:
Code:
. ./vars
Code:
./clean-all
Code:
./build-ca
# just hit enter to accept the defaults, apart from Common Name, which must be unique
# call it something like mydomain-ca
Code:
./build-key-server server
Code:
./build-key client1
# remember that the common name must be unique, e.g. use mydomain-client1
# and YES, you want to sign the keys
Code:
./build-key client2
# do this step for as many clients as you need.
Code:
./build-dh
6. We are almost done now... Right, we need to create a few config files. You can download my template from here:
Code:
cd /etc/openvpn
Code:
wget www.designpc.co.uk/downloads/server.conf
# make sure you change a few things in the server.conf file, like DNS
# servers
Code:
touch server-tcp.log
This makes the log file.
Code:
touch ipp.txt
This makes the IP reservation list.
7. You need to make a few changes to OpenVPN itself. Go to:
Code:
cd /etc/init.d/
Edit the openvpn file.
# Uncomment this line (line 119)
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
Add these lines below it, changing 123.123.123.123 to your public IP address:
Code:
iptables -t nat -A POSTROUTING -s 192.168.2.3 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 192.168.2.4 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 192.168.2.5 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 192.168.2.6 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 192.168.2.7 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 192.168.2.8 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 192.168.2.9 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 192.168.2.10 -j SNAT --to 123.123.123.123
Now install iptables if you don't have it already:
Code:
yum install iptables
#test it
service iptables start
service iptables stop
8. Now for the client config files. If your client is a Windows machine, make sure you have installed OpenVPN. Use the GUI version, downloadable from here:
http://www.designpc.co.uk/downloads/openvpn-2.0.9-gui-1.0.3-install.exe
You need to copy a few files from the server to your client machine. Here is the list; they are located in /etc/openvpn/keys/
## WARNING ## Use a secure way of transferring these files off the server, something like WinSCP.
ca.crt
client1.csr
client1.key
client1.crt
Put these files in this directory C:\Program Files\OpenVPN\config\
Now you need to make a client config. Here is an example:
Code:
client
dev tun
proto tcp
#Change my.publicdomain.com to your public domain or IP address
remote my.publicdomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
#DNS Options here, CHANGE THESE !! (dhcp-option is the client-side form; push is a server-only directive)
dhcp-option DNS 123.123.123.123
dhcp-option DNS 123.123.123.124
comp-lzo
verb 3
Make sure you edit any of the lines with comments above them.
Call this file client1.ovpn and put it in C:\Program Files\OpenVPN\config\
Make sure the file extension is .ovpn, not .txt.
To connect, right-click on OpenVPN in the taskbar >> Connect.
To test, ping 192.168.2.1.
If you get a response, you're in business.
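The client steps of both guides above (the Linux client.conf pointing at keys/..., and the Windows client1.ovpn sitting beside its files) trip over the same detail: a ca/cert/key path in the config that does not match the files actually copied from the server. The POSIX shell check below is added here and is not part of either original guide; it parses the file-path directives of an OpenVPN config and reports any that point at missing files, and the demo reproduces the client.crt versus client1.crt mismatch with constructed, empty placeholder files.

```shell
# check_ovpn_files CONF: list every ca/cert/key/dh/tls-auth file the config
# references but that is missing on disk; return the number missing (0 = ok).
# Relative paths resolve against the config's own directory, as when the init
# script cds into /etc/openvpn or the Windows GUI runs from its config\ folder.
check_ovpn_files() {
    conf=$1
    dir=$(dirname "$conf")
    missing=0
    for d in ca cert key dh tls-auth; do
        # awk emits the argument of each "<directive> <path>" line; comment lines
        # never match because their first field starts with '#' or ';'
        while IFS= read -r path; do
            [ -z "$path" ] && continue
            case $path in
                /*) full=$path ;;
                *)  full=$dir/$path ;;
            esac
            if [ ! -f "$full" ]; then
                echo "MISSING: '$d $path' (looked for $full)"
                missing=$((missing + 1))
            fi
        done <<EOF
$(awk -v d="$d" '$1 == d && NF >= 2 { print $2 }' "$conf")
EOF
    done
    return "$missing"
}

# demo_client_check: rebuild the client step above in a temp dir with empty
# placeholder files: the server handed out client1.crt/client1.key, but the
# config names client.crt/client.key. Returns the missing count (2).
demo_client_check() {
    tmp=$(mktemp -d)
    mkdir "$tmp/keys"
    : > "$tmp/keys/ca.crt"; : > "$tmp/keys/client1.crt"; : > "$tmp/keys/client1.key"
    cat > "$tmp/client.conf" <<'EOF'
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
ns-cert-type server
EOF
    check_ovpn_files "$tmp/client.conf"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo_client_check || echo "missing files: $?"
```

Run it against /etc/openvpn/client.conf (or the .ovpn on a Windows box) before starting the service; a non-zero return means the config names a file that was never copied.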