OpenVPN a full-featured SSL VPN solution

From CLUG Wiki


OpenVPN is extremely useful in cases where you want to, say, ssh into a NAT'd box behind a firewall. The uses for a VPN connection are numerous and varied; more insight can be gained by reading the OpenVPN HOWTO.

Izak contributed the following method to the CLUG mailing list, and with his permission it is reproduced here, slightly edited to fix a few things.

How to set up an OpenVPN connection:

Here is the howto I made, slightly adapted to hide our internal workings. I also removed the stuff that routes stuff between the two private networks at both ends of the vpn.

I will assume that your vpn server is called vpn.yourdomain.co.za and is reachable by that name. You can call the client whatever you want, but I prefer to use a similar naming scheme for that.

Install openvpn

# apt-get install openvpn

CA & Keys

Use the tools in /usr/share/doc/openvpn/examples/easy-rsa to generate the CA and the keys:

  • Edit the "vars" file, then run:
$ source vars
$ ./clean-all
$ ./build-ca
$ ./build-key-server vpn.yourdomain.co.za    <-- remember to use the fully qualified hostname as the CN
$ ./build-key client.yourdomain.co.za        <-- remember to use the fully qualified hostname as the CN
$ ./build-dh

Copy ca.crt, vpn.yourdomain.co.za.{crt,key} and dh1024.pem to /etc/openvpn/ssl on the VPN server (the external box).

Copy client.yourdomain.co.za.{key,crt} and ca.crt to /etc/openvpn/ssl on the internal NAT'd box. Each .key file is a private key: keep it readable by root only, and never copy the client key to the server or vice versa.
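Before copying the files into place it is worth confirming that what easy-rsa produced matches what the client config later enforces: the server cert must chain to ca.crt, its CN must be the fully qualified hostname the clients connect to, and it must carry nsCertType=server (build-key-server sets this; the client's "ns-cert-type server" line refuses a certificate without it). The check below is an added example, not part of Izak's howto and not an OpenVPN or easy-rsa tool; it assumes the openssl command-line tool is installed, and the function name check_server_cert and the file names in its usage line are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the original howto or from OpenVPN/easy-rsa).
# Checks a freshly built server certificate against what the client side
# will later enforce, before the files are copied to /etc/openvpn/ssl:
#   1. it chains to ca.crt (the CA the clients will be told to trust),
#   2. its CN is the fully qualified hostname the clients connect to,
#   3. it carries nsCertType=server (build-key-server sets this; the
#      client's "ns-cert-type server" refuses a cert without it),
#   4. the private key is not group/world readable.
# Prints one line per problem and returns the number of problems found.
# Usage: check_server_cert ca.crt vpn.yourdomain.co.za.crt vpn.yourdomain.co.za.key vpn.yourdomain.co.za

check_server_cert() {
    ca="$1"; crt="$2"; key="$3"; fqdn="$4"
    problems=0

    # 1. Chain verification against the CA file.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not chain to $ca"
        problems=$((problems + 1))
    fi

    # 2. Subject CN must equal the hostname in the client's "remote" line.
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$fqdn" ]; then
        echo "FAIL: CN is '$cn', expected '$fqdn'"
        problems=$((problems + 1))
    fi

    # 3. nsCertType must include "server" ("SSL Server" in -text output).
    if ! openssl x509 -in "$crt" -noout -text 2>/dev/null \
         | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'; then
        echo "FAIL: $crt lacks nsCertType=server"
        problems=$((problems + 1))
    fi

    # 4. Key file permissions (GNU stat first, BSD stat as fallback).
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null)
    case "$mode" in
        600|400) ;;
        *)  echo "FAIL: $key has mode '$mode', expected 600"
            problems=$((problems + 1)) ;;
    esac

    return "$problems"
}
```

Run it from the easy-rsa keys directory with the four arguments shown in the usage line; a zero exit status means the three files can go to /etc/openvpn/ssl as they are. The CN check matters because the client identifies the server by the name in its "remote" line, and the nsCertType check is what makes "ns-cert-type server" on the client useful: without it, any certificate signed by the same CA (another client's, for instance) would be accepted as the server.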

Configuration files:

Server side: /etc/openvpn/vpn.yourdomain.co.za.conf (the init script only picks up files ending in .conf)

# Network settings
port 1194
proto udp
dev tun
# SSL settings
ca ssl/ca.crt
cert ssl/vpn.yourdomain.co.za.crt
key ssl/vpn.yourdomain.co.za.key
dh ssl/dh1024.pem
server 192.168.1.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status vpn.yourdomain.co.za.status
verb 3

Client side: /etc/openvpn/client.yourdomain.co.za.conf

client
dev tun
proto udp
remote vpn.yourdomain.co.za 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ssl/ca.crt
cert ssl/client.yourdomain.co.za.crt
key ssl/client.yourdomain.co.za.key
ns-cert-type server
comp-lzo
verb 3
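The two files above are short, but a one-character slip (an "=" where OpenVPN expects a space, a dropped "user"/"group" pair, a client without "ns-cert-type server") either stops the daemon from starting or quietly weakens the setup. The script below is an added example, not part of the howto and not an OpenVPN tool: a small lint pass to run over a config before starting the daemon. The function names lint_openvpn_conf, has_opt and write_sample_configs are placeholders chosen here, and the sample files it writes are constructed copies of the two configs above (comment lines dropped, and the server copy deliberately keeps "persist-tun=20" so the linter has something to find). The "remote-cert-tls server" option it also accepts is the newer equivalent of "ns-cert-type server" in OpenVPN 2.1 and later.

```shell
#!/bin/sh
# Added example (not from the original howto or from OpenVPN). A lint pass
# over a server or client config before "openvpn start", looking for:
#   - no privilege drop (missing "user" / "group"),
#   - "persist-key" / "persist-tun" missing or written as "option=value"
#     (OpenVPN options take space-separated arguments, so a line such as
#     "persist-tun=20" is rejected as an unknown option at startup),
#   - a client that does not pin the server certificate type, so any cert
#     signed by the CA (e.g. another client's) would be accepted as server,
#   - a server still using 1024-bit DH parameters.
# Usage: lint_openvpn_conf FILE server|client  (prints findings, returns count)

# True when FILE has a line that starts with the given option (and, if the
# option is given with a value, with that value).
has_opt() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

lint_openvpn_conf() {
    conf="$1"; role="$2"; n=0

    for opt in user group persist-key persist-tun; do
        if ! has_opt "$conf" "$opt"; then
            echo "$conf: missing '$opt'"
            n=$((n + 1))
        fi
    done

    bad=$(grep -E '^[[:space:]]*[a-z-]+=' "$conf" | head -n 1)
    if [ -n "$bad" ]; then
        echo "$conf: not OpenVPN syntax (no '=' between option and value): $bad"
        n=$((n + 1))
    fi

    if [ "$role" = client ] && ! has_opt "$conf" "ns-cert-type server" \
                            && ! has_opt "$conf" "remote-cert-tls server"; then
        echo "$conf: client never checks that the peer cert is a server cert"
        n=$((n + 1))
    fi

    if [ "$role" = server ] && grep -Eq '^[[:space:]]*dh[[:space:]].*1024' "$conf"; then
        echo "$conf: DH parameters look 1024-bit; regenerate with 2048 or more"
        n=$((n + 1))
    fi

    return "$n"
}

# Constructed copies of the howto's two config files, written to DIR. The
# server copy keeps the "persist-tun=20" slip so the linter has work to do.
write_sample_configs() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ssl/ca.crt
cert ssl/vpn.yourdomain.co.za.crt
key ssl/vpn.yourdomain.co.za.key
dh ssl/dh1024.pem
server 192.168.1.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun=20
status vpn.yourdomain.co.za.status
verb 3
EOF
    cat > "$1/client.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.yourdomain.co.za 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ssl/ca.crt
cert ssl/client.yourdomain.co.za.crt
key ssl/client.yourdomain.co.za.key
ns-cert-type server
comp-lzo
verb 3
EOF
}

# Demo run on the sample files.
demo=$(mktemp -d)
write_sample_configs "$demo"
lint_openvpn_conf "$demo/server.conf" server   # three findings
lint_openvpn_conf "$demo/client.conf" client   # clean
rm -rf "$demo"
```

On the sample server config this reports the missing "persist-tun", the "persist-tun=20" line itself, and the 1024-bit DH file; the client config passes. The return value is the number of findings, so the function can gate a deployment script with a plain "|| exit 1".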

Running it

Start it all up, first the server, then the client(s):

# /etc/init.d/openvpn start