How to connect to ground zero
This article documents the necessary steps to configure an OpenVPN gateway and its clients. The configuration described here is geared towards simplicity, therefore ignoring possible security issues that would complicate client configuration (e.g. client certificate generation).
To install OpenVPN on the server, install the openvpn package:
# apt-get install openvpn
The configuration below sets up an OpenVPN server listening on TCP port 443. This port was chosen because many public networks block outgoing traffic to ports other than those used by HTTP(S), so using the HTTPS port for the server ensures most clients will be able to connect to it.
The OpenVPN initialization script will load any *.conf files found in /etc/openvpn as VPN configurations, so the name of this file does not matter, as long as it has the correct extension. For our purposes, we'll refer to this file as /etc/openvpn/server.conf or simply server.conf.
```
local MY_SERVER_IP_ADDRESS
server MY_VPN_NETWORK MY_VPN_NETMASK
push "route MY_NETWORK MY_NETMASK"
push "dhcp-option DNS MY_DNS_SERVER_ADDRESS"
port 443
dev tun
proto tcp-server
script-security 3
persist-key
persist-tun
ca ca.crt
cert server.crt
key server.key
comp-lzo
verb 4
dh dh2048.pem
status openvpn-status.log
mute 20
keepalive 10 120
auth-user-pass-verify auth.sh via-env
client-cert-not-required
username-as-common-name
```
The four topmost directives contain text that must be adapted so that the server can work. Replace the MY_* with appropriate values:
- MY_SERVER_IP_ADDRESS: the IP address of the OpenVPN server.
- MY_VPN_NETWORK: the network to be used for the VPN. The server will use the first address of the network, while the remaining ones will be allocated to connected clients.
- MY_VPN_NETMASK: the netmask of the VPN network, in dotted quad notation.
- MY_NETWORK: the network that connected clients will be given access to via the VPN tunnel.
- MY_NETMASK: the netmask of that network, in dotted quad notation.
- MY_DNS_SERVER_ADDRESS: the IP address of your network's DNS server. This is optional and is only really necessary if you're tunneling to an internal network whose node names cannot be resolved from the internet (e.g. an RFC 1918 network).
The auth.sh script named by the auth-user-pass-verify directive is placed alongside server.conf in /etc/openvpn and must be executable. In this setup it accepts any username and password:

```
#!/bin/sh
exit 0
```
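The accept-all script is what this page intends. The following auth.sh is an added example, not the wiki's script, showing what the same via-env hook looks like when it does check credentials: OpenVPN puts the client's username and password into the environment variables username and password (this needs script-security 3, which server.conf already sets) and treats exit status 0 as a successful login. It assumes a hypothetical credentials file /etc/openvpn/users.db with one username:salt:sha256hex line per user, and the coreutils sha256sum and od commands.

```shell
#!/bin/sh
# auth.sh for "auth-user-pass-verify auth.sh via-env": added example, not the
# wiki's accept-all script. OpenVPN exports the client's credentials as the
# environment variables $username and $password (script-security 3 is needed
# for via-env) and treats exit status 0 as a successful login.
# Assumed (hypothetical) credential store: /etc/openvpn/users.db, one line per
# user of the form  username:salt:sha256hex  with sha256hex = SHA-256(salt||password).

CRED_FILE="${CRED_FILE:-/etc/openvpn/users.db}"

# hash_password SALT PASSWORD: hex SHA-256 of salt||password (coreutils sha256sum)
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | awk '{ print $1 }'
}

# new_salt: 16 hex characters from /dev/urandom
new_salt() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# add_user FILE USER PASSWORD: append a credential line (administrator's task,
# never called by OpenVPN)
add_user() {
    salt=$(new_salt)
    printf '%s:%s:%s\n' "$2" "$salt" "$(hash_password "$salt" "$3")" >> "$1"
}

# verify_user FILE USER PASSWORD: returns 0 when the user exists and the
# password matches its stored hash, 1 otherwise
verify_user() {
    [ -n "$2" ] || return 1
    # exact match on the first field; a ':' in the supplied username can never
    # equal a colon-split field, so it simply fails to match
    entry=$(awk -F: -v u="$2" '$1 == u { print $2 ":" $3; exit }' "$1" 2>/dev/null)
    [ -n "$entry" ] || return 1
    salt=${entry%%:*}
    stored=${entry#*:}
    # digests are compared, not passwords: what a byte-by-byte string compare
    # can leak through timing is at most hash bytes, never password bytes
    [ "$(hash_password "$salt" "$3")" = "$stored" ]
}

# Entry point when OpenVPN runs the script; an unset $username means the file
# was sourced or run by hand, in which case only the functions are defined.
if [ -n "${username-}" ]; then
    if verify_user "$CRED_FILE" "$username" "${password-}"; then
        exit 0
    fi
    echo "auth.sh: login rejected" >&2    # ends up in the OpenVPN log
    exit 1
fi
```

add_user is run once per user by the administrator; everything else is what OpenVPN invokes on each connection. A salted SHA-256 is not a slow password hash, so for anything beyond a small private gateway the openvpn-plugin-auth-pam plugin shipped with OpenVPN, which defers to the system's password store, is the better choice.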
Once all configuration files are in place, the OpenVPN daemon can be started:
service openvpn start
Client configuration is simpler than its server counterpart. Install the OpenVPN package with
# apt-get install openvpn
just as it was done for the server. Once again, the configuration file can be named arbitrarily, as long as it has a .conf extension. We'll refer to it as client.conf in this documentation. The contents of client.conf are as follows.
```
remote MY_SERVER_IP_ADDRESS
client
dev tun
proto tcp-client
port 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
comp-lzo
verb 4
ns-cert-type server
auth-user-pass passwd
```
The only value to be edited in client.conf is MY_SERVER_IP_ADDRESS which must match the server's address in server.conf, although here you can use its DNS name too.
Two extra files are required in addition to client.conf in /etc/openvpn. The ca.crt file is the same as the one used for the server configuration. The passwd file must contain two lines, the first being the username and the second being the password. Since our authentication script in the server always returns successfully, the content of these lines is arbitrary. The file can therefore be generated with the command below.
# echo -ne "a\nb\n" > /etc/openvpn/passwd
Once all configuration files are in place, the OpenVPN daemon can be started:
service openvpn start
The public key infrastructure is generated by a set of helper scripts called "easy-rsa", provided in a separate package. This package creates scripts in /usr/share/easy-rsa. It is recommended that a copy of them is made, where the PKI building procedure will be executed.
# apt-get install easy-rsa
$ cp -a /usr/share/easy-rsa .
In the directory where the copy of "easy-rsa" was created, execute the following steps. The first task is to edit the easy-rsa/vars file. Open it with a text editor and replace the following variables: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL. Next, initialize the PKI by running the commands below.
cd easy-rsa
. ./vars
./clean-all
./build-ca
The build-ca script will run OpenSSL in interactive mode, which will require the user to input data to complete the process. Most of the required information will be set to default values fetched from the variables edited in the vars file above. Only the Common Name parameter must be explicitly filled in.
Next, generate the server certificate and key:
./build-key-server server
As above, most parameters can be set to their default values. Only the Common Name must be typed. When it is queried, type server. Next, two other questions require positive responses so that the process can be finished. Simply type y to both.
The final step is to generate the Diffie-Hellman parameters:
./build-dh
At the end of this procedure the following files will have been generated in the keys directory:
- ca.crt: the root CA certificate (server + client)
- ca.key: the root CA key (only needed to generate client certificates, not used in this setup)
- dh2048.pem: Diffie Hellman parameters (server)
- server.crt: server certificate (server)
- server.key: server key (server)
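Before copying the keys directory into /etc/openvpn it is worth checking that the generated files fit the two configuration files above: server.conf needs a certificate that matches server.key and a usable dh2048.pem, and client.conf's ns-cert-type server directive rejects any server certificate that lacks the Netscape "SSL Server" type, which build-key-server sets through the server section of easy-rsa's OpenSSL configuration. The checks below are an added example, not part of the wiki or of the easy-rsa scripts; they assume only the openssl command-line tool and an ls -l permission column in the usual "-rw-------" form, and take the keys directory as their argument.

```shell
#!/bin/sh
# Checks on the files easy-rsa leaves in keys/: added example, not part of the
# wiki or of easy-rsa. Assumes only the openssl command-line tool and an
# ls -l permission column in the usual "-rw-------" form.
# Usage: check_pki /path/to/easy-rsa/keys   (exit status 0 when all checks pass)

# chain_ok DIR: server.crt must verify against ca.crt, which is exactly what a
# client holding only ca.crt does when it connects
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" 2>/dev/null | grep -q ': OK$'
}

# key_matches DIR: the public key inside server.crt must equal the one derived
# from server.key, or the server refuses to start
key_matches() {
    crt_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# is_server_cert DIR: client.conf's "ns-cert-type server" rejects the server
# unless its certificate carries the Netscape "SSL Server" type
is_server_cert() {
    openssl x509 -in "$1/server.crt" -noout -text 2>/dev/null \
        | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'
}

# dh_ok DIR: dh2048.pem must parse and really be at least 2048 bits
dh_ok() {
    bits=$(openssl dhparam -in "$1/dh2048.pem" -noout -text 2>/dev/null \
        | grep -o '[0-9][0-9]* bit' | head -n 1 | cut -d' ' -f1)
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# key_private DIR: private keys must not be readable by group or others
key_private() {
    for f in server.key ca.key; do
        [ -f "$1/$f" ] || continue
        case "$(ls -ld "$1/$f")" in
            -???------*) ;;          # owner bits only
            *) return 1 ;;
        esac
    done
    return 0
}

# check_pki DIR: run every check, report each one, fail if any failed
check_pki() {
    failed=
    for check in chain_ok key_matches is_server_cert dh_ok key_private; do
        if $check "$1"; then
            echo "ok    $check"
        else
            echo "FAIL  $check"
            failed=1
        fi
    done
    [ -z "$failed" ]
}
```

Each check is a separate function so that a failure names the file and the directive it breaks; key_private is there because build-key-server writes server.key with the umask in effect, and a world-readable server key lets any local user impersonate the gateway.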