Set up OpenVPN

Setup using a certificate authority (CA)

Notice: Make sure you have openssl available.

Server configuration

Build CA and client certificate:

cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/
vim vars    # adjust as needed (KEY_SIZE sets the RSA/DH size; build-dh writes dh${KEY_SIZE}.pem)
source vars
mkdir keys
touch keys/index.txt
echo "01" > keys/serial
./build-ca
./build-key-server server
./build-key client1   # set common name to a useful value!
./build-dh
cd /etc/openvpn/easy-rsa/keys/ && openvpn --genkey --secret ta.key
mkdir /etc/openvpn/keys/
cp /etc/openvpn/easy-rsa/keys/dh1024.pem /etc/openvpn/keys/
cd /etc/openvpn/easy-rsa/keys/ && cp ta.key ca.crt server.crt server.key /etc/openvpn/keys/

Adjust server configuration

zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/openvpn.conf
vim /etc/openvpn/openvpn.conf

Reference: /etc/openvpn/openvpn.conf on server:

port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/something.crt
key keys/something.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth keys/ta.key 0
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
crl-verify crl.pem
# management 127.0.0.1 1234

Provide keys to the client

cd /etc/openvpn/easy-rsa/keys && cp ta.key ca.crt client1.crt client1.key $USBSTICK/

Start openvpn server

# Start openvpn

Client configuration

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/openvpn.conf
vim /etc/openvpn/openvpn.conf

… and adjust 'remote $IP 1194', activate 'tls-auth ta.key 1' and 'ns-cert-type server', and point ca/cert/key at the client's own files

Reference: /etc/openvpn/openvpn.conf on client:

client
dev tun
proto udp
remote 10.12.240.44 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/somethingclient2.crt
key keys/somethingclient2.key
ns-cert-type server
tls-auth keys/ta.key 1
comp-lzo
verb 3
# mssfix 1200
# fragment 1200

Setup with static key

Server configuration

cd /etc/openvpn
openvpn --genkey --secret secret.key

Reference: /etc/openvpn/openvpn.conf on server:

dev tun
proto udp
port 1194
# tunnel endpoints of the point-to-point link (example addresses, adjust)
ifconfig 10.8.0.1 10.8.0.2
persist-key
persist-tun
comp-lzo
verb 3
# key direction: 0 on the server, 1 on the client (or omitted on both)
secret secret.key 0

Client configuration

Reference: /etc/openvpn/openvpn.conf on client:

dev tun
proto udp
remote 10.12.240.44 1194
resolv-retry infinite
nobind
# tunnel endpoints, mirrored from the server (example addresses, adjust)
ifconfig 10.8.0.2 10.8.0.1
persist-key
persist-tun
comp-lzo
verb 3
secret secret.key 1
# mssfix 1200
# fragment 1200

Tips

  • do not forget to source 'vars' before running easy-rsa scripts
  • revoke a dummy client so you get a crl.pem and don't have to restart openvpn
  • use management interface: management 127.0.0.1 1234
  • use 'push "route 192.168.10.0 255.255.255.0"' on the server to push a route to the clients…
  • example how to revoke a client:
cd /etc/openvpn/easy-rsa && ./revoke-full client2
cp keys/crl.pem /etc/openvpn/
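Added example for this howto (not part of the original page): a small lint for the security-relevant directives used above, for both the CA setup and the static-key setup. It assumes only a POSIX shell with awk; check_openvpn_conf prints one line per finding and returns the number of findings (0 means nothing found).

```shell
# Added example, not from the original page. Assumes POSIX sh + awk only.
ovpn_has() {   # true if the uncommented directive $2 occurs in config $1
    awk -v d="$2" '$1 == d { f = 1 } END { exit !f }' "$1"
}

ovpn_arg() {   # field $3 of the first occurrence of directive $2 in $1
    awk -v d="$2" -v n="$3" '$1 == d { print $n; exit }' "$1"
}

fail() { echo "$1"; n=$((n + 1)); }   # n belongs to check_openvpn_conf

# check_openvpn_conf <config file> <server|client>
check_openvpn_conf() {
    conf="$1"; role="$2"; n=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # Key direction: server side 0, client side 1 (or omitted on both sides).
    for kd in tls-auth secret; do
        if ovpn_has "$conf" "$kd"; then
            dir=$(ovpn_arg "$conf" "$kd" 3)
            case "$role:$dir" in
            server:0 | client:1 | *:) ;;
            *) fail "$kd: key direction '$dir' is wrong for a $role" ;;
            esac
        fi
    done

    case "$role" in
    server)
        ovpn_has "$conf" tls-auth || ovpn_has "$conf" secret ||
            fail "no tls-auth: control channel is not HMAC protected"
        ovpn_has "$conf" nobind && fail "nobind: server would not listen on its port"
        if ovpn_has "$conf" ca; then   # CA mode: revocation must be enforced
            ovpn_has "$conf" crl-verify || fail "no crl-verify: revoked certs still accepted"
            ovpn_has "$conf" dh || fail "no dh: TLS server needs DH parameters"
        fi
        ;;
    client)
        ovpn_has "$conf" client || ovpn_has "$conf" secret || fail "no 'client' directive"
        if ovpn_has "$conf" ca; then   # any CA-signed client cert must not pass as server
            ovpn_has "$conf" ns-cert-type || ovpn_has "$conf" remote-cert-tls ||
                fail "no ns-cert-type/remote-cert-tls server: server identity not checked"
        fi
        ;;
    *) fail "role must be server or client" ;;
    esac
    return "$n"
}
```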

openvpn.txt · Last modified: 2011/10/13 23:55 (external edit)