openvpn [2011/10/13 23:55] (current)
====== Set up OpenVPN ======
===== Setup using a certificate authority (CA) =====

Notice: Make sure you have openssl available.

==== Server configuration ====

Build the CA, the server and client certificates, the DH parameters and the tls-auth key:

<code>
cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/
vim vars # adjust as needed
source vars
mkdir keys
touch keys/index.txt
echo "01" > keys/serial
./build-ca
./build-key-server server
./build-key client1 # set common name to a useful value!
./build-dh
cd /etc/openvpn/easy-rsa/keys/ && openvpn --genkey --secret ta.key
mkdir /etc/openvpn/keys/
cp /etc/openvpn/easy-rsa/keys/dh1024.pem /etc/openvpn/keys/
cd /etc/openvpn/easy-rsa/keys/ && cp ta.key ca.crt server.crt server.key /etc/openvpn/keys/
</code>

==== Adjust server configuration ====

<code>
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/openvpn.conf
vim /etc/openvpn/openvpn.conf
</code>

Reference: /etc/openvpn/openvpn.conf on server:

<code>
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/something.crt
key keys/something.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth keys/ta.key 0
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
crl-verify crl.pem
# management 127.0.0.1 1234
</code>

==== Provide keys to the client ====

<code>
cd /etc/openvpn/easy-rsa/keys && cp ta.key ca.crt client1.crt client1.key $USBSTICK/
</code>
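Before the files from the easy-rsa build are copied into /etc/openvpn/keys/ or onto the USB stick for a client, it is worth checking that exactly the right files are present, that the secrets (the private key and ta.key) are not group- or world-readable, and that the CA's own private key stays behind on the signing machine. The script below is an added example, not part of this wiki page or of easy-rsa: the function names, the PROBLEM output format and the throwaway demo directory with placeholder files are assumptions made here.

```sh
#!/bin/sh
# Added example (not from the wiki page or easy-rsa): sanity checks on a
# directory of key material before it is copied to the server or a client.
# Function names and the constructed demo directory are assumptions.

# private_key_exposed FILE -> exit 0 if FILE is readable by group or other.
# Columns 5-10 of `ls -l` hold the group and other permission bits.
private_key_exposed() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# check_key_dir DIR NAME -> DIR is the destination directory (the server's
# keys/ or the client's USB stick), NAME the certificate name (server, client1).
# Prints one PROBLEM line per finding and returns the number of findings.
check_key_dir() {
    dir=$1; name=$2; problems=0
    # The peer needs the CA cert, its own cert and key, and the tls-auth key.
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "PROBLEM: $dir/$f is missing"
            problems=$((problems + 1))
        fi
    done
    # The private key and the tls-auth key are secrets: mode 600 only.
    for f in "$name.key" ta.key; do
        if [ -f "$dir/$f" ] && private_key_exposed "$dir/$f"; then
            echo "PROBLEM: $dir/$f is readable by group/other (chmod 600 it)"
            problems=$((problems + 1))
        fi
    done
    # The CA's private key must never leave the signing machine.
    if [ -f "$dir/ca.key" ]; then
        echo "PROBLEM: ca.key found in $dir; never copy it to a server or client"
        problems=$((problems + 1))
    fi
    return $problems
}

# check_chain DIR NAME -> with openssl installed, confirm NAME.crt was issued
# by the ca.crt next to it (catches a certificate from a different or old CA).
check_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, chain check skipped"; return 0; }
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt"
}

# Constructed demo: a throwaway directory standing in for $USBSTICK, filled
# with placeholder files (not real certificates), with one deliberate mistake.
demo=$(mktemp -d)
for f in ca.crt client1.crt client1.key ta.key; do echo placeholder > "$demo/$f"; done
chmod 600 "$demo/ta.key"
chmod 644 "$demo/client1.key"      # the mistake: private key readable by everyone
check_key_dir "$demo" client1
echo "$? problem(s) found"          # prints: 1 problem(s) found
rm -rf "$demo"
# On real key material also run: check_chain "$USBSTICK" client1
```

check_chain is kept separate from check_key_dir on purpose: the permission and presence checks work anywhere, while the chain check needs openssl and real certificates, so its result is reported but not mixed into the count.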

==== Start openvpn server ====

<code>
# Start openvpn
</code>

==== Client configuration ====

<code>
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/openvpn.conf
vim /etc/openvpn/openvpn.conf
</code>

... then set 'remote $IP 1194', enable 'tls-auth ta.key 1' and 'ns-cert-type server', and point the ca/cert/key directives at the client's own files

Reference: /etc/openvpn/openvpn.conf on client:

<code>
client
dev tun
proto udp
remote 10.12.240.44 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/somethingclient2.crt
key keys/somethingclient2.key
ns-cert-type server
tls-auth keys/ta.key 1
comp-lzo
verb 3
# mssfix 1200
# fragment 1200
</code>
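The two reference configurations above carry the directives that decide whether a stranger can talk to the daemon at all (tls-auth), whether a revoked client is still let in (crl-verify) and whether a client can be fooled by another client's certificate posing as the server (ns-cert-type server). The script below is an added example, not part of this wiki page or of OpenVPN's own tooling: a POSIX sh linter that reads a config file, warns about those points, and also flags a few things learned since the page was written (DH parameters below 2048 bits, comp-lzo, a management socket on a non-loopback address, no 'user' directive). The function names, the WARN output format, the thresholds and the constructed sample config are assumptions made here.

```sh
#!/bin/sh
# Added example (not from the wiki page or OpenVPN): a POSIX-sh linter for the
# security-relevant directives of the reference configurations. Function
# names, thresholds and the constructed sample config are assumptions.

# directive_value FILE NAME -> arguments of the first active (uncommented)
# NAME line; nothing if the directive is absent.
directive_value() {
    awk -v name="$2" '
        /^[[:space:]]*[#;]/ { next }
        $1 == name { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# has_directive FILE NAME -> exit 0 if an active NAME line exists
has_directive() {
    awk -v name="$2" '
        /^[[:space:]]*[#;]/ { next }
        $1 == name { found = 1; exit }
        END { exit !found }
    ' "$1"
}

findings=0
warn() { echo "WARN: $1"; findings=$((findings + 1)); }

# check_openvpn_conf FILE ROLE (server|client) -> prints one WARN line per
# finding and returns the number of findings.
check_openvpn_conf() {
    conf=$1; role=$2; findings=0

    # tls-auth HMAC-signs control-channel packets, so nobody without ta.key
    # can even start a TLS handshake. Direction: 0 on the server, 1 on client.
    ta=$(directive_value "$conf" tls-auth)
    if [ -z "$ta" ]; then
        warn "no tls-auth: the control channel accepts packets from any source"
    else
        want=0; [ "$role" = client ] && want=1
        [ "${ta##* }" = "$want" ] || warn "tls-auth direction should be $want on a $role (got '$ta')"
    fi

    # Compressing traffic that carries secrets enables compression-oracle
    # attacks (VORACLE); prefer no compression.
    ! has_directive "$conf" comp-lzo || warn "comp-lzo enabled: consider disabling compression"

    case $role in
    server)
        # Without crl-verify a revoked client certificate is still accepted.
        has_directive "$conf" crl-verify || warn "no crl-verify: revoked client certificates are still accepted"
        # easy-rsa puts the DH parameter size in the file name (dh1024.pem).
        bits=$(directive_value "$conf" dh | sed -n 's/.*dh\([0-9][0-9]*\)\.pem.*/\1/p')
        if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
            warn "DH parameters of $bits bits are too weak; generate 2048 bits or more"
        fi
        # The management socket is an unauthenticated control channel by
        # default: loopback (or a unix socket) only.
        mgmt=$(directive_value "$conf" management)
        case $mgmt in
            ""|"127.0.0.1 "*|"::1 "*|/*) ;;
            *) warn "management interface on a non-loopback address: $mgmt" ;;
        esac
        # Drop root once the tunnel is up.
        has_directive "$conf" user || warn "no 'user' directive: the daemon keeps root privileges"
        ;;
    client)
        # Without this, any certificate the CA ever signed, including another
        # client's, is accepted as the server's certificate.
        has_directive "$conf" ns-cert-type || has_directive "$conf" remote-cert-tls ||
            warn "no 'ns-cert-type server'/'remote-cert-tls server': any CA-signed cert is accepted as the server"
        ;;
    esac
    return $findings
}

# Constructed sample: the server reference config from the page, shortened.
write_sample_server() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
tls-auth keys/ta.key 0
comp-lzo
crl-verify crl.pem
# management 127.0.0.1 1234
EOF
}

sample=$(mktemp)
write_sample_server "$sample"
check_openvpn_conf "$sample" server    # 3 warnings: comp-lzo, dh1024, no user
rm -f "$sample"
```

Run it as `check_openvpn_conf /etc/openvpn/openvpn.conf server` on the server and with `client` on each client; the exit status is the number of warnings, so it drops into a deployment script as-is. The commented-out management line in the sample is deliberately skipped by the parser, exactly as OpenVPN skips it.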

===== Setup with static key =====

==== Server configuration ====

<code>
cd /etc/openvpn
openvpn --genkey --secret secret.key
</code>

Reference: /etc/openvpn/openvpn.conf on server:

<code>
dev tun
proto udp
# point-to-point tunnel addresses (local, remote); adjust to your addressing
ifconfig 10.8.0.1 10.8.0.2
persist-key
persist-tun
comp-lzo
verb 3
# key direction: 0 on the server, 1 on the client
secret secret.key 0
</code>

==== Client Configuration ====

Reference: /etc/openvpn/openvpn.conf on client:

<code>
dev tun
proto udp
remote 10.12.240.44 1194
resolv-retry infinite
nobind
# point-to-point tunnel addresses (local, remote); mirror of the server's ifconfig
ifconfig 10.8.0.2 10.8.0.1
persist-key
persist-tun
comp-lzo
verb 3
# key direction: 1 on the client, 0 on the server
secret secret.key 1
# mssfix 1200
# fragment 1200
</code>

===== Tips =====

  * do not forget to source 'vars' before running the easy-rsa scripts
  * revoke a dummy client right away so that crl.pem exists from the start and the first real revocation does not require restarting openvpn
  * use the management interface: management 127.0.0.1 1234
  * use 'push "route 192.168.10.0 255.255.255.0"' to redirect clients...
  * example of how to revoke a client:

<code>
cd /etc/openvpn/easy-rsa && ./revoke-full client2
cp keys/crl.pem /etc/openvpn/
</code>

===== Resources =====

  * [[http://openvpn.net/|OpenVPN.net]]
  * [[http://openvpn.net/howto.html|OpenVPN Howto]]