[TriLUG] OpenVPN for Home

jason at monsterjam.org jason at monsterjam.org
Wed Oct 11 20:45:57 EDT 2006


I'm trying to set this up myself as well, and I'm getting lost with the IP addresses in this
example, i.e. which is the address that the client gets when he connects? Which network is
the server on? I.e. is the server interface that's listening for the VPN connections on
10.1.0.0/16? What is this 10.2.0.0 network?

regards,
Jason 


On Wed, Oct 11, 2006 at 01:30:13PM -0400, Alan Porter wrote:
> 
> >does anyone consider openVPN (or any VPN solution) to be simple to set up?
> >  
> 
> Yes, it's very simple. To me, the hardest part was deciding what IPs to use
> and what naming convention to use for my keys.
> 
> The following is my "how-to" file (which I keep handy in /etc/openvpn/HOW-TO).
> While it does not really explain what is going on, it *does* list all of the
> necessary steps to create a server, create a client key, and install a client
> key on a client.
> 
> Alan
> 
> 
> 
> --
> 
> NOTE - in all cases below, replace the word SERVER with the host name of the
> server. Likewise, replace CLIENT with the host name of the client. In my
> example files, there is a server called "mysrv" and a client called "myclient".
> 
> 
> OUR NAMING CONVENTION FOR CERTIFICATES, DIRECTORIES AND "COMMON NAMES"
> 
> server configuration
> --------------------
> The server keys, certificates, and accounting files are in 
> /etc/openvpn/keys/SERVER/
> The "common name" for the certificate authority is "SERVER".
> The "common name" for the server certificate is "SERVER".
> 
> client certificates
> -------------------
> Files are called /etc/openvpn/keys/SERVER/SERVER-CLIENT.{crt,csr,key}
> The "common name" is "SERVER-CLIENT".
> 
> OpenVPN configuration files
> ---------------------------
> Server config files are /etc/openvpn/SERVER.conf
> Client-specific config files (on server) are /etc/openvpn/client_config/SERVER-CLIENT
> Client config files are /etc/openvpn/SERVER-CLIENT.conf
> 
> CREATING THE SERVER KEYS
> 
> . ./vars
> ./tools/clean-all
> ./tools/build-ca
> ./tools/build-key-server mysrv
> ./tools/build-dh
> 
> CREATING CLIENT KEYS
> 
> . ./vars
> ./tools/build-key clientname
> 
> (then copy clientname.crt clientname.key and ca.crt to the client machine)
> (create a conf file for the client)
> 
> REVOKING A CLIENT KEY
> 
> . ./vars
> ./tools/revoke-full bad_client
> 
> (and then read http://openvpn.net/howto.html#quick)
> 
> EXAMPLE SERVER CONF FILE
> 
> # the basics
> port 1194
> proto udp
> dev tun
> 
> # certificate stuff
> ca /etc/openvpn/keys/mysrv/ca.crt
> cert /etc/openvpn/keys/mysrv/mysrv.crt
> key /etc/openvpn/keys/mysrv/mysrv.key
> dh /etc/openvpn/keys/mysrv/dh1024.pem
> 
> # address range to use
> server 10.99.1.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> 
> # advertise our own subnet to clients
> push "route 10.1.0.0 255.255.0.0"
> 
> # client 'myclient' will route 10.2.0.0/16
> # only necessary if you're bridging two networks,
> # not if you're just handling the "road warrior"
> client-config-dir client_config
> route 10.2.0.0 255.255.0.0
> 
> # lower-layers
> keepalive 10 120
> comp-lzo
> persist-key
> persist-tun
> 
> # for better security
> user nobody
> group nogroup
> 
> # logging
> status openvpn-status.log
> log-append /var/log/openvpn.log
> verb 3
> 
> EXAMPLE CLIENT CONF FILE
> 
> # the basics
> dev tun
> proto udp
> client
> remote servers.address.com 1194
> 
> # retries, etc
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> 
> # for security
> user nobody
> group nogroup
> 
> # certificate stuff
> ca /etc/openvpn/keys/mysrv/ca.crt
> cert /etc/openvpn/keys/mysrv/mysrv-myclient.crt
> key /etc/openvpn/keys/mysrv/mysrv-myclient.key
> 
> # low layers
> comp-lzo
> 
> # logging
> log-append /var/log/openvpn.log
> verb 3
> 
> END
> 
> 
> 
> 
> -- 
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/

-- 
================================================
|    Jason Welsh   jason at monsterjam.org        |
| http://monsterjam.org    DSS PGP: 0x5E30CC98 |
|    gpg key: http://monsterjam.org/gpg/       |
================================================
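Added example, not from the thread and not OpenVPN's own code: a small Python script that reads the addressing lines of a server config in the form Alan posted and answers Jason's question by mapping out the three networks involved. It assumes OpenVPN 2.0's default "topology net30", in which the `server` directive carves the pool into /30s, keeps the first for itself (server 10.99.1.1, peer .2) and hands the following ones to clients (first client 10.99.1.6/.5, second .10/.9, and so on); 10.1.0.0/16 is the LAN behind the server that gets pushed to every client, and 10.2.0.0/16 is the LAN behind "myclient". The quoted how-to does not show the per-client file in client_config/, so the script also checks that every server-side `route` is backed by an `iroute` in some client-config-dir file; the file name `mysrv-myclient` and the `iroute` line are constructed here (the file is looked up by the client certificate's common name).

```python
"""Added example, not from the TriLUG thread or from OpenVPN itself.

Reads an OpenVPN 'server' config in the form Alan posted and works out
which address is which, then checks that every site route on the server is
backed by an 'iroute' in some client-config-dir file (without the iroute,
OpenVPN has no idea which client the 10.2.0.0/16 traffic belongs to).

Assumption: OpenVPN 2.0's default "topology net30", where the 'server'
directive carves the pool into /30s, keeps the first one for itself
(.1, peer .2) and hands the following ones to clients (.6/.5, .10/.9, ...).
"""
import ipaddress
import shlex

# Constructed copy of the addressing lines from the quoted mysrv.conf.
SERVER_CONF = """\
# address range to use
server 10.99.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# advertise our own subnet to clients
push "route 10.1.0.0 255.255.0.0"
# client 'myclient' will route 10.2.0.0/16
client-config-dir client_config
route 10.2.0.0 255.255.0.0
"""

# Constructed client_config/mysrv-myclient, the file the quoted how-to leaves out.
# The file name must equal the common name of the client's certificate.
CCD_WITH_IROUTE = {"mysrv-myclient": "iroute 10.2.0.0 255.255.0.0\n"}


def parse_conf(text):
    """Yield (directive, args) pairs; '#'/';' comment lines and blanks are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)      # keeps push "route ..." as one argument
        yield parts[0], parts[1:]


def cidr(addr, mask):
    """Normalise OpenVPN's 'addr mask' pair to 'a.b.c.d/len'."""
    return str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))


def net30_addresses(pool, n_clients):
    """Server and first n client tunnel endpoints under topology net30."""
    subnets = list(ipaddress.IPv4Network(pool).subnets(new_prefix=30))
    server = {"local": str(subnets[0][1]), "remote": str(subnets[0][2])}
    clients = [{"local": str(s[2]), "remote": str(s[1])}
               for s in subnets[1:1 + n_clients]]
    return server, clients


def describe(server_conf, ccd_files, n_clients=2):
    """Map out the three networks in the config and flag routes lacking an iroute."""
    pool, pushed, site_routes = None, [], []
    for directive, args in parse_conf(server_conf):
        if directive == "server":
            pool = cidr(args[0], args[1])
        elif directive == "push":
            inner = args[0].split()     # contents of the quoted string
            if inner[0] == "route":
                pushed.append(cidr(inner[1], inner[2]))
        elif directive == "route":
            site_routes.append(cidr(args[0], args[1]))
    if pool is None:
        raise ValueError("no 'server' directive found")

    # Networks some client has claimed via iroute in its client-config-dir file.
    iroutes = {cidr(a[0], a[1])
               for text in ccd_files.values()
               for d, a in parse_conf(text) if d == "iroute"}
    server, clients = net30_addresses(pool, n_clients)
    return {
        "tunnel_pool": pool,
        "server_tunnel_ip": server["local"],
        "client_tunnel_ips": [c["local"] for c in clients],
        "server_lan_pushed": pushed,
        "client_site_routes": site_routes,
        "routes_missing_iroute": [r for r in site_routes if r not in iroutes],
    }


if __name__ == "__main__":
    for key, value in describe(SERVER_CONF, CCD_WITH_IROUTE).items():
        print(f"{key:22} {value}")
    print("without a ccd file:", describe(SERVER_CONF, {})["routes_missing_iroute"])
```

Run as-is it reports the tunnel pool 10.99.1.0/24, the server's tunnel address 10.99.1.1, the first two client addresses 10.99.1.6 and 10.99.1.10, the pushed server LAN 10.1.0.0/16 and the client site 10.2.0.0/16, and an empty list of routes missing an iroute; with the ccd file removed it lists 10.2.0.0/16 as unbacked. Two caveats on the quoted configs themselves: they carry no tls-auth line and use 1024-bit DH parameters, so on a current OpenVPN you would add tls-auth (or tls-crypt) and build a 2048-bit or larger dh file.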



