====== Set up OpenVPN ======

===== Setup using a certificate authority (CA) =====

Notice: make sure you have openssl available; the easy-rsa scripts are thin wrappers around it.

==== Server configuration ====

Build the CA, the server certificate and one client certificate:

<code>
cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/
vim vars    # adjust as needed; KEY_SIZE sets the RSA and DH size (1024 was the old default, 2048 is the sane minimum today)
source vars
mkdir keys
touch keys/index.txt
echo "01" > keys/serial
./build-ca
./build-key-server server     # server cert; build-key-server adds the nsCertType=server marker that clients check
./build-key client1           # set the common name to a useful value: it identifies the client in logs and for revocation!
./build-dh                    # writes keys/dh<KEY_SIZE>.pem
cd /etc/openvpn/easy-rsa/keys/ && openvpn --genkey --secret ta.key   # shared HMAC key for tls-auth
mkdir /etc/openvpn/keys/
cp /etc/openvpn/easy-rsa/keys/dh1024.pem /etc/openvpn/keys/          # dh2048.pem if KEY_SIZE=2048
cd /etc/openvpn/easy-rsa/keys/ && cp ta.key ca.crt server.crt server.key /etc/openvpn/keys/   # ca.key stays behind: the server never needs the CA private key
</code>

==== Adjust server configuration ====

<code>
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/openvpn.conf
vim /etc/openvpn/openvpn.conf
</code>

Reference: /etc/openvpn/openvpn.conf on the server (paths are relative to /etc/openvpn):

<code>
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth keys/ta.key 0        # direction 0 here, 1 on every client
comp-lzo                      # compression exposes tunnel contents to compression side channels (VORACLE); leave it out unless you need it
persist-key
persist-tun
status openvpn-status.log
verb 4
crl-verify crl.pem            # the file must exist when openvpn starts, see Tips
# management 127.0.0.1 1234   # keep it on loopback: the management interface has no authentication by default
</code>

==== Provide keys to the client ====

The client needs ca.crt, its own certificate and key, and ta.key; the private key travels out of band, here on a USB stick mounted at $USBSTICK:

<code>
cd /etc/openvpn/easy-rsa/keys && cp ta.key ca.crt client1.crt client1.key $USBSTICK/
</code>

==== Start openvpn server ====

<code>
# in the foreground for a first test (verb 4 shows the handshake):
openvpn --config /etc/openvpn/openvpn.conf
# or via the init script (Debian; starts every *.conf in /etc/openvpn)
/etc/init.d/openvpn start
</code>

==== Client configuration ====

<code>
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/openvpn.conf
vim /etc/openvpn/openvpn.conf
</code>

... then set 'remote $IP 1194' to the server's address, enable 'tls-auth ta.key 1' and 'ns-cert-type server', and point ca/cert/key at the files copied from the server. 'ns-cert-type server' makes the client accept only a certificate built with build-key-server, so another client cannot pose as the server with its own CA-signed certificate.

Reference: /etc/openvpn/openvpn.conf on the client (the copied files live in /etc/openvpn/keys/):

<code>
client
dev tun
proto udp
remote 10.12.240.44 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
ns-cert-type server      # deprecated in current releases; use "remote-cert-tls server" there
tls-auth keys/ta.key 1   # direction 1 on clients, 0 on the server
comp-lzo                 # must match the server; see the note there
verb 3
# mssfix 1200            # try these if large packets get lost (path MTU problems)
# fragment 1200
</code>

===== Setup with static key =====

One pre-shared key on both ends: no CA and no per-client revocation, so a lost key means a new key on both sides.

==== Server configuration ====

<code>
cd /etc/openvpn
openvpn --genkey --secret secret.key   # copy it to the client out of band, like ta.key above
</code>

Reference: /etc/openvpn/openvpn.conf on the server:

<code>
dev tun
proto udp
# the server listens on the default port 1194, so no "remote" and no "nobind" here
ifconfig 10.8.0.1 10.8.0.2   # point-to-point addresses: local, remote
persist-key
persist-tun
comp-lzo
verb 3
secret secret.key 0          # direction 0 on this end, 1 on the client
</code>

==== Client configuration ====

Reference: /etc/openvpn/openvpn.conf on the client:

<code>
dev tun
proto udp
remote 10.12.240.44 1194
resolv-retry infinite
nobind
ifconfig 10.8.0.2 10.8.0.1   # mirror of the server's ifconfig line
persist-key
persist-tun
comp-lzo
verb 3
secret secret.key 1          # direction 1 here, 0 on the server
# mssfix 1200
# fragment 1200
</code>

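An added lint script, not part of this wiki page and not OpenVPN's own tooling, for the mistakes both the certificate-based and the static-key configurations above are prone to: mismatched tls-auth/secret key directions (both ends on 1 is the classic copy-paste error), a client without 'ns-cert-type server' or 'remote-cert-tls server', a server without crl-verify, and a management interface bound to a reachable address. It is plain POSIX sh and awk, needs no OpenVPN installed, and is run as `sh ovpn-check.sh server.conf client.conf`; the file name and function names are my own.

```sh
#!/bin/sh
# Added example, not from the wiki page or the OpenVPN project: lint a
# server/client OpenVPN config pair for the mistakes discussed above.
# Usage: sh ovpn-check.sh /etc/openvpn/openvpn.conf client/openvpn.conf
# Pure POSIX sh + awk; the two config files are the only input.

# Exit 0 if the directive appears on an active (non-comment) line.
has_directive() {   # $1 = config file, $2 = directive
    awk -v name="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == name    { found = 1; exit }
        END           { exit !found }' "$1"
}

# Print the arguments of the first active occurrence of a directive
# (inline "# ..." comments, as used in OpenVPN's sample configs, are dropped).
ovpn_directive() {  # $1 = config file, $2 = directive
    awk -v name="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == name    { sub(/[ \t]*[#;].*$/, ""); $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Key direction of "tls-auth FILE [DIR]" / "secret FILE [DIR]":
# "none" if the directive is absent, "-" if present without a direction.
key_direction() {   # $1 = config file, $2 = tls-auth | secret
    if ! has_directive "$1" "$2"; then echo none; return; fi
    dir=$(ovpn_directive "$1" "$2" | awk '{ print $2 }')
    # inline <tls-auth> keys carry the direction in a separate directive
    [ -z "$dir" ] && dir=$(ovpn_directive "$1" key-direction)
    echo "${dir:--}"
}

# Report findings for a server/client pair; returns the number of PROBLEM lines.
check_pair() {      # $1 = server config, $2 = client config
    s=$1; c=$2; n=0
    for kw in tls-auth secret; do
        sdir=$(key_direction "$s" "$kw"); cdir=$(key_direction "$c" "$kw")
        [ "$sdir$cdir" = "nonenone" ] && continue
        case "$sdir$cdir" in
            01|10|--) ;;   # one end 0, the other 1 (or neither gives a direction): fine
            *) echo "PROBLEM: $kw key direction server=$sdir client=$cdir (one end must be 0, the other 1)"
               n=$((n + 1)) ;;
        esac
    done
    if has_directive "$c" ca && ! has_directive "$c" remote-cert-tls && ! has_directive "$c" ns-cert-type; then
        echo "PROBLEM: client does not check the server certificate's role; any CA-signed client cert could pose as the server"
        n=$((n + 1))
    fi
    if has_directive "$s" ca && ! has_directive "$s" crl-verify; then
        echo "PROBLEM: server has no crl-verify; revoked client certificates keep working"
        n=$((n + 1))
    fi
    if has_directive "$s" management; then
        case "$(ovpn_directive "$s" management)" in
            127.0.0.1\ *|::1\ *|localhost\ *|/*) ;;   # loopback address or unix socket
            *) echo "PROBLEM: management interface is reachable from the network: $(ovpn_directive "$s" management)"
               n=$((n + 1)) ;;
        esac
    fi
    for f in "$s" "$c"; do
        has_directive "$f" comp-lzo && echo "WARN: $f enables compression; it exposes tunnel contents to compression side channels (VORACLE)"
    done
    return $n
}

if [ $# -eq 2 ]; then
    check_pair "$1" "$2"; rc=$?
    echo "$rc problem(s)"
    exit $rc
fi
```

The exit status is the number of problems, so the script can gate a deployment step; WARN lines (compression) are informational and do not count.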
===== Tips =====

  * do not forget to source 'vars' before running the easy-rsa scripts (without it they do not find the keys directory or fall back to the defaults)
  * 'crl-verify crl.pem' needs the file to exist when openvpn starts: revoke a dummy client right away so you get a crl.pem and don't have to restart openvpn after the first real revocation (the CRL file is re-read at each TLS verification)
  * use the management interface: 'management 127.0.0.1 1234' (loopback only; it has no authentication by default)
  * use 'push "route 192.168.10.0 255.255.255.0"' to push routes to the clients, e.g. for a network behind the server
  * example of how to revoke a client; the revoked client is refused at its next connection, and an already-connected one is dropped at its next TLS renegotiation (reneg-sec, 3600 s by default) or right away with 'kill client2' on the management interface:

<code>
cd /etc/openvpn/easy-rsa && ./revoke-full client2   # ends with "error 23 ... certificate revoked" from its self-test: that is the expected result
cp keys/crl.pem /etc/openvpn/
</code>

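An added check, not part of this wiki page and not OpenVPN's or easy-rsa's own code, for the revocation step above: it lists the serials in crl.pem, tells whether a given client certificate is among them, and runs the same CA plus CRL verification that 'crl-verify' performs, using only the openssl command-line tool. `make_demo_ca` builds a throw-away CA (client1 valid, client2 revoked) that stands in for the easy-rsa keys directory; the file and function names are my own.

```sh
#!/bin/sh
# Added example, not from the wiki page or the OpenVPN project: check whether a
# client certificate is listed in the CRL that the server loads via
# "crl-verify crl.pem", and run the same CA + CRL verification OpenVPN does.
# Needs only the openssl command-line tool.
# Usage: sh crl-check.sh client2.crt ca.crt crl.pem

# Serial numbers listed in a PEM CRL, one per line (upper-case hex, the same
# form "openssl x509 -serial" prints).
crl_revoked_serials() {   # $1 = crl.pem
    openssl crl -in "$1" -noout -text | awk '/Serial Number:/ { print toupper($3) }'
}

cert_serial() {           # $1 = certificate
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# True (exit 0) if the certificate's serial appears in the CRL.
is_revoked() {            # $1 = certificate, $2 = crl.pem
    crl_revoked_serials "$2" | grep -qx "$(cert_serial "$1")"
}

# Chain + CRL check: "openssl verify -crl_check" reads the CRL from the CA bundle.
verify_with_crl() {       # $1 = certificate, $2 = ca.crt, $3 = crl.pem
    bundle=$(mktemp)
    cat "$2" "$3" > "$bundle"
    openssl verify -crl_check -CAfile "$bundle" "$1" >/dev/null 2>&1
    rc=$?
    rm -f "$bundle"
    return $rc
}

# Constructed for the demonstration: a throw-away CA standing in for the
# easy-rsa keys directory, with client1 valid and client2 revoked. Prints the
# directory it created.
make_demo_ca() {
    d=$(mktemp -d) || return 1
    cat > "$d/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 30
policy = demo_policy
x509_extensions = leaf_ext
[ demo_policy ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = ca_ext
[ req_dn ]
CN = unused-overridden-by-subj
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
    (
        cd "$d" && touch index.txt && echo 01 > serial && echo 01 > crlnumber &&
        openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
            -subj /CN=demo-ca -days 30 -config ca.cnf &&
        for cn in client1 client2; do
            openssl req -new -newkey rsa:2048 -nodes -keyout "$cn.key" -out "$cn.csr" \
                -subj "/CN=$cn" -config ca.cnf &&
            openssl ca -batch -config ca.cnf -cert ca.crt -keyfile ca.key -notext \
                -in "$cn.csr" -out "$cn.crt" || exit 1
        done &&
        openssl ca -batch -config ca.cnf -cert ca.crt -keyfile ca.key -revoke client2.crt &&
        openssl ca -batch -config ca.cnf -cert ca.crt -keyfile ca.key -gencrl -out crl.pem
    ) >/dev/null 2>&1 || return 1
    echo "$d"
}

if [ $# -eq 3 ]; then
    if is_revoked "$1" "$3"; then echo "$1: serial $(cert_serial "$1") is REVOKED in $3"
    else echo "$1: not listed in $3"; fi
    if verify_with_crl "$1" "$2" "$3"; then echo "$1: chain and CRL check OK"
    else echo "$1: chain/CRL check FAILED (OpenVPN would refuse this client)"; fi
fi
```

Run it against the real files after a revocation (for example `sh crl-check.sh /etc/openvpn/easy-rsa/keys/client2.crt /etc/openvpn/keys/ca.crt /etc/openvpn/crl.pem`) to confirm the copied crl.pem actually contains the client before relying on it.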
===== Resources =====

  * [[http://openvpn.net/|OpenVPN.net]]
  * [[http://openvpn.net/howto.html|OpenVPN Howto]]

openvpn.txt · Last modified: 2011/10/13 23:55 (external edit)
 