Difference between revisions of "OpenVPN"
Revision as of 10:34, 1 September 2008
Maintainer
This contrib has been developed by Jesper Knudsen (username Knuddi), who can be reached via email at mailto:contribs@swerts-knudsen.dk. Website: http://sme.swerts-knudsen.dk
Description
OpenVPN is an excellent way to provide remote access to users at home or on the road. OpenVPN is a complete replacement for the at times unreliable PPTP VPN that is part of the standard SME distribution. This Howto is focused on using OpenVPN for a Windows 2k/XP/Vista client-to-server VPN connection. The installation consists of two steps: first the portion which resides on the server, and then the client. In the following setup it is assumed that the local IP range for the private network is 192.168.1.0/24 and that the tunneled VPN network will be 192.168.100.0/24.
OpenVPN Server Configuration
First, collect and install the RPMs as indicated below. The RPMs are taken from DAG's repository, which is pretty extensive.
 cd /root
 mkdir openvpn
 cd openvpn
 wget http://dag.wieers.com/rpm/packages/lzo2/lzo2-2.02-3.el4.rf.i386.rpm
 wget http://dag.wieers.com/rpm/packages/openvpn/openvpn-2.0.9-1.el4.rf.i386.rpm
 rpm -Uvh *.rpm
Now it's time to create the keys. The OpenVPN configs live in /etc/openvpn. First we need to edit the file with default values to match our installation. Open the file "vars" and edit the default values at the bottom of the file to reflect your setup. The paths should already be correct.
 cd /etc/openvpn/easy-rsa
 pico vars
Now we can create the master certificate. Choose the defaults as entered into the vars file. You will need to enter values for "Organizational Unit Name", which you can set to "VPN", and "Common Name", which could be set to "Server".
 . vars
 ./clean-all
 ./build-ca
 Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
 Generating a 1024 bit RSA private key
Now we can build the certificate/private-key pairs for both the server and the clients. Again choose "Organizational Unit Name" and "Common Name" as above. Do not add "A challenge password" when asked, just press <ENTER>. The same goes for "An optional company name". Sign the certificate at the end.
 ./build-key server
 Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
 Generating a 1024 bit RSA private key
Now it's time for the client certificate, which is pretty much the same as before. Use "Client" as "Common Name" and "VPN" for "Organizational Unit Name". Do not add "A challenge password" when asked, just press <ENTER>. The same goes for "An optional company name". Sign the certificate at the end.
 ./build-key client
 Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
 Generating a 1024 bit RSA private key
Finally we build the Diffie-Hellman parameters.
 ./build-dh
 Generating DH parameters, 1024 bit long safe prime, generator 2
 This is going to take a long time ..................
And it can take a long time. Your generated keys will be in /etc/openvpn/easy-rsa/keys. The key names "Server" and "Client" are simply descriptive; choose names that suit your setup. You can create as many keys as you like using the above method. Note that ./clean-all wipes your keys directory, so be careful with it.
The newly generated keys need to be copied to the OpenVPN directory.
 cp keys/ca.crt ..
 cp keys/server.crt ..
 cp keys/server.key ..
 cp keys/dh1024.pem ..
The OpenVPN configuration file along with the authentication scripts can be downloaded from my site. Download them and make them executable for root. Log files will be created in /var/log/openvpn indicating when users have logged in and out, as well as login failures.
 cd ..
 wget -N http://sme.swerts-knudsen.dk/downloads/OpenVPN/server.conf
 mkdir -p /var/log/openvpn
 wget -N http://sme.swerts-knudsen.dk/downloads/OpenVPN/logoff.sh
 wget -N http://sme.swerts-knudsen.dk/downloads/OpenVPN/logoff_user.pl
 wget -N http://sme.swerts-knudsen.dk/downloads/OpenVPN/validate.sh
 wget -N http://sme.swerts-knudsen.dk/downloads/OpenVPN/validate_user.pl
 wget -N http://sme.swerts-knudsen.dk/downloads/OpenVPN/openvpn.up
 chmod 755 *.pl
 chmod 755 *.sh
 chmod 700 *.up
Now you need to make a few changes to /etc/openvpn/server.conf. Change the network-specific parameters (the addresses, the client pool and the DNS domain) to match your network configuration.
 port 1194
 dev tap
 tls-server
 dh dh1024.pem
 ca ca.crt
 cert server.crt
 key server.key
 auth-user-pass-verify ./validate.sh via-env
 client-disconnect ./logoff.sh
 up ./openvpn.up
 mode server
 duplicate-cn
 ifconfig 192.168.100.1 255.255.255.0
 ifconfig-pool 192.168.100.100 192.168.100.200 255.255.255.0 # IP range for OpenVPN clients
 mtu-test
 tun-mtu 1500
 tun-mtu-extra 32
 mssfix 1450
 ping 10
 ping-restart 120
 push "ping 10"
 push "ping-restart 60"
 push "dhcp-option DOMAIN yourdomain.com" # push the DNS domain suffix
 push "dhcp-option DNS 192.168.1.1" # push primary DNS entry to the openvpn clients
 push "route 192.168.1.0 255.255.255.0 192.168.100.1" # add route to the protected network
 comp-lzo
 status-version 2
 status openvpn-status.log
 verb 3
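Because server.conf names its certificate files with relative paths and hands authentication to hook scripts, a typo in a file name or a forgotten chmod only shows up when the first client fails to connect. The shell script below is an added example, not the contrib's own code: it checks that the directives this setup relies on are present, that every certificate, key and hook script the config names exists beside it with the permissions set earlier (executable scripts, owner-only key), notes the effect of duplicate-cn, and prints the listening port, device and client pool. The server.conf written by make_demo_conf is a constructed copy of the configuration above, with empty placeholder files standing in for real keys and scripts.

```shell
#!/bin/sh
# Added example (not part of the contrib): static checks on an OpenVPN server.conf,
# resolving relative paths against the directory that holds the config
# (/etc/openvpn on the SME server).

# conf_get FILE DIRECTIVE: print the arguments of the first DIRECTIVE line,
# with '#' and ';' comments stripped.
conf_get() {
  sed 's/[#;].*$//' "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# conf_has FILE DIRECTIVE: succeed if DIRECTIVE appears at all; this also covers
# flag directives that take no arguments, such as tls-server or duplicate-cn.
conf_has() {
  sed 's/[#;].*$//' "$1" | awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# conf_summary FILE: one line with port/protocol, device and client pool.
conf_summary() {
  proto=$(conf_get "$1" proto); [ -n "$proto" ] || proto=udp   # OpenVPN's default transport
  pool=$(conf_get "$1" ifconfig-pool | awk '{ print $1 "-" $2 }')
  echo "port $(conf_get "$1" port)/$proto, dev $(conf_get "$1" dev), client pool $pool"
}

# check_server_conf FILE: returns 0 when every required directive is present and
# every file or script it names exists next to the config with sane permissions.
check_server_conf() {
  conf=$1; dir=$(dirname "$conf"); rc=0

  for d in port dev tls-server ca cert key dh auth-user-pass-verify; do
    if ! conf_has "$conf" "$d"; then echo "FAIL: missing directive: $d"; rc=1; fi
  done

  # certificate, key and DH files must exist; the private key must be owner-only
  for d in ca cert key dh; do
    f=$(conf_get "$conf" "$d")
    if [ -n "$f" ] && [ ! -f "$dir/$f" ]; then echo "FAIL: $d: $f not found in $dir"; rc=1; fi
  done
  k=$(conf_get "$conf" key)
  if [ -n "$k" ] && [ -f "$dir/$k" ] && [ "$(ls -ld "$dir/$k" | cut -c5-10)" != "------" ]; then
    echo "FAIL: $k is group/world readable; chmod 600 it"; rc=1
  fi

  # hook scripts: the first argument is the program, which must be executable
  for d in auth-user-pass-verify client-disconnect up; do
    s=$(conf_get "$conf" "$d" | awk '{ print $1 }')
    if [ -n "$s" ] && [ ! -x "$dir/$s" ]; then echo "FAIL: $d: $s is not executable"; rc=1; fi
  done

  # duplicate-cn lets every client present the same "client" certificate, so
  # per-user access control rests entirely on the auth-user-pass-verify script
  if conf_has "$conf" duplicate-cn; then
    echo "note: duplicate-cn is set; per-user access depends on the password check, not on certificates"
  fi

  [ "$rc" -eq 0 ] && echo "ok: $conf"
  return $rc
}

# make_demo_conf DIR: write a constructed copy of the howto's server.conf plus
# empty placeholder files for the keys and scripts (not real credentials).
make_demo_conf() {
  cat > "$1/server.conf" <<'EOF'
port 1194
dev tap
tls-server
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key
auth-user-pass-verify ./validate.sh via-env
client-disconnect ./logoff.sh
up ./openvpn.up
mode server
duplicate-cn
ifconfig 192.168.100.1 255.255.255.0
ifconfig-pool 192.168.100.100 192.168.100.200 255.255.255.0 # IP range for OpenVPN clients
push "dhcp-option DNS 192.168.1.1" # push primary DNS entry to the openvpn clients
push "route 192.168.1.0 255.255.255.0 192.168.100.1" # add route to the protected network
comp-lzo
status-version 2
status openvpn-status.log
verb 3
EOF
  for f in dh1024.pem ca.crt server.crt server.key validate.sh logoff.sh openvpn.up; do : > "$1/$f"; done
  chmod 600 "$1/server.key"
  chmod 755 "$1/validate.sh" "$1/logoff.sh"
  chmod 700 "$1/openvpn.up"
}

# Demo on the constructed config; on a real server: check_server_conf /etc/openvpn/server.conf
demo=$(mktemp -d)
make_demo_conf "$demo"
check_server_conf "$demo/server.conf"
conf_summary "$demo/server.conf"
rm -rf "$demo"
```

The checker deliberately reads only the config and the file system; it does not start OpenVPN. Run it after every edit to server.conf and after copying new keys, and treat any FAIL line as something to fix before reloading the service.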
If you are running this server in "server-gateway" mode, you now need to open port 1194 for UDP traffic, as this is the default tunnel port for OpenVPN. Go into the Server Manager panel under port forwarding and forward UDP/1194 to "localhost". If your server is in "server" mode, nothing needs to be done here.