[TriLUG] Need quick openvpn setup help

Alan Porter porter at trilug.org
Tue Dec 4 11:26:09 EST 2007


A few folks asked for this, so here it is.  It's still a little 
incomplete, but I think it's a good starting point.  Email me with 
questions or suggestions.

OPENVPN HOW-TO
--------------

First of all, you need to plan a few things.

--------------------------------------------------------------------------------

(1) Are you doing "point-to-point" or "road warrior"?

Openvpn can be used in two ways.  You can connect two networks together,
such as two offices (point-to-point).  Or you can allow one remote PC to
connect to a larger network (road warrior).  In both cases, a link is
established between the two.  The only difference is in the routing.
For a point-to-point connection, you want each side to be aware of the
other side's network address space, and packets destined for the other
side need to go over the link.  The road warrior case is a little different,
since it is just a single PC attached to the larger network, and there
is no need to route a whole subnet's traffic through the road warrior's
PC (after all, he is not allowing everyone in the hotel to use his
office's internet connection, he's just attaching his own PC).

This document addresses "road warrior" mode first.  Then I'll talk about
point-to-point mode.

--------------------------------------------------------------------------------

(2) Plan your address space.  In my example, I use the following addresses:

172.31.1.0 - my home network
172.31.2.0 - addresses used by openvpn to connect everything

Openvpn uses two addresses for each client.  It creates a point to point
link between those two addresses, and then uses routes to tie it all
together.  Like this:

SERVER                                        CLIENTS
----------                                    ----------
172.31.1.1
172.31.2.1 - point-to-point link to client1 - 172.31.2.2
172.31.2.3 - point-to-point link to client2 - 172.31.3.4

--------------------------------------------------------------------------------

(3) Plan where you keep your config files.

Openvpn uses certificates to authenticate connections.  They are all
stored in a config directory (/etc/openvpn).  It's pretty easy to get
confused, so I devised this naming scheme to keep them straight.

MY NAMING CONVENTION FOR CERTIFICATES, DIRECTORIES AND "COMMON NAMES"
Replace "SERVER" with your server's hostname.
Replace "CLIENT" with your client's hostname.

server configuration
--------------------
The "common name" for the certificate authority is "SERVER".
The "common name" for the server certificate is "SERVER".
Server config files are /etc/openvpn/SERVER.conf
The server keys, certificates, and accounting files are in 
/etc/openvpn/keys/SERVER/
Client-specific config files /etc/openvpn/client_config/SERVER-CLIENT 
(not used here).

client certificates
-------------------
The "common name" is "SERVER-CLIENT".
Client config files are /etc/openvpn/SERVER-CLIENT.conf
Keys are in /etc/openvpn/keys/SERVER/SERVER-CLIENT.{crt,csr,key}

--------------------------------------------------------------------------------

(4) Let's take a look at the config files on my server.  I have one server
called "buster" and two clients called "tmiolaptop" and "tekelec".

Note, the "tools" directory might also be called "easy-rsa".

$ ssh root at buster find /etc/openvpn

/etc/ipp.txt
/etc/keys
/etc/keys/buster
/etc/keys/buster/index.txt
/etc/keys/buster/serial
/etc/keys/buster/ca.key
/etc/keys/buster/ca.crt
/etc/keys/buster/buster.key
/etc/keys/buster/buster.csr
/etc/keys/buster/buster.crt
/etc/keys/buster/index.txt.attr
/etc/keys/buster/dh1024.pem
/etc/keys/buster/index.txt.attr.old
/etc/keys/buster/01.pem
/etc/keys/buster/serial.old
/etc/keys/buster/index.txt.old
/etc/keys/buster/buster-tmiolaptop.key
/etc/keys/buster/buster-tmiolaptop.csr
/etc/keys/buster/buster-tmiolaptop.crt
/etc/keys/buster/buster-tekelec.key
/etc/keys/buster/buster-tekelec.csr
/etc/keys/buster/buster-tekelec.crt
/etc/keys/buster/02.pem
/etc/keys/buster/03.pem
/etc/keys/buster/04.pem
/etc/openvpn-status.log
/etc/vars
/etc/tools
/etc/tools/openssl.cnf
/etc/tools/clean-all
/etc/tools/build-key
/etc/tools/build-ca
/etc/tools/build-dh
/etc/tools/build-key-server
/etc/tools/build-inter
/etc/tools/build-key-pass
/etc/tools/build-key-pkcs12
/etc/tools/build-req
/etc/tools/build-req-pass
/etc/tools/list-crl
/etc/tools/make-crl
/etc/tools/revoke-crt
/etc/tools/revoke-full
/etc/tools/sign-req
/etc/buster.conf

--

$ ssh root at buster cat /etc/openvpn/buster.conf

# the basics
port 1194
proto udp
dev tun

# certificate stuff
ca    "/etc/openvpn/keys/buster/ca.crt"
cert  "/etc/openvpn/keys/buster/buster.crt"
key   "/etc/openvpn/keys/buster/buster.key"  # This file should be kept 
secret
dh    "/etc/openvpn/keys/buster/dh1024.pem"

# address ranges
server 172.31.2.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# advertize our routes to clients
push "route 172.31.1.0 255.255.255.0"

# lower layers
keepalive 10 120
comp-lzo
persist-key
persist-tun

# for better security
user nobody
group nogroup

# logging, etc
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

--------------------------------------------------------------------------------

(5) Now we'll need to generate some keys (certificates).

There are some scripts included in the openvpn installation that help
you create and manage certificates.  The "tools" directory might also
be called "easy-rsa".

CREATING THE SERVER KEYS

  . ./vars
  ./tools/clean-all
  ./tools/build-ca
  ./tools/build-key-server
  ./tools/build-dh

  You may need to move the newly-generated files around to match our
  config file layout plan from above.

CREATING CLIENT KEYS

  NOTE - I automated this process in a script called 
"generate_openvpn_client_key.sh".

  . ./vars
  ./tools/build-key clientname

  Move these files into the appropriate directories (on the server) 
according to our
  config file layout plan from above.  (Below, we will also copy two of 
these files
  to the client).

REVOKING A CLIENT KEY

   . ./vars
   ./tools/revoke-full bad_client
   (you should see an error on the last line as the cert is tested)

   (and then read http://openvpn.net/howto.html#quick)

--------------------------------------------------------------------------------

(6) Config files on the client

$ find /etc/openvpn

/etc/openvpn/buster-tekelec.conf
/etc/openvpn/keys
/etc/openvpn/keys/buster
/etc/openvpn/keys/buster/ca.crt
/etc/openvpn/keys/buster/buster-tekelec.key
/etc/openvpn/keys/buster/buster-tekelec.crt

--

$ cat /etc/openvpn/buster-tekelec.conf

# the basics
dev tun
#proto udp
proto tcp
client
remote buster.alanporter.com 1194

# retries, etc
resolv-retry infinite
nobind
persist-key
persist-tun

# for security
user nobody
group nogroup

# certificate stuff
ca    "/etc/openvpn/keys/buster/ca.crt"
cert  "/etc/openvpn/keys/buster/buster-tekelec.crt"
key   "/etc/openvpn/keys/buster/buster-tekelec.key"

# low layers
comp-lzo

# logging
log-append   /var/log/openvpn.log
verb 3

--------------------------------------------------------------------------------

(7) Now copy the certificates to the client.

Copy these three files from the server to the client.  The paths will be
the same, because we have our config file layout plan.

/etc/openvpn/keys/buster/ca.rt
/etc/openvpn/keys/buster/buster-tekelec.crt
/etc/openvpn/keys/buster/buster-tekelec.key

--------------------------------------------------------------------------------

(8) For added security...

If you would like the client to be prompted for a password when they 
connect,
add a passphrase to the key file like this:

--------------------------------------------------------------------------------

(9) Point to point mode, for tying together to offices.  In my example, if
I wanted to tie my home network to my neighbor's, I could do this.  His
openvpn client would be named "neighbor".

The only difference is that we need to specify some more routing info.

On the server, add this to the conf file:
   # client 'neighbor' will route 10.1.1.0/24
   client-config-dir client_config
   route 10.1.1.0 255.255.255.0

And create a directory /etc/openvpn/client_config.  Create a config file 
called
"buster-neighbor" with this one line in it:
   iroute 10.1.1.0 255.255.255.0

(I *think* that's all there is to it, but I do not have access to my config
file for my office's openvpn client.)

--------------------------------------------------------------------------------

TO DO

Document Windows clients (pretty easy stuff).
Where to download the Windows client with the nice GUI (openvpn.se).
Same config files, add ^M, change path names.
Rename config file c:\program files\openvpn\config\server-client.ovpn.
Put keys in c:\program files\openvpn\config\keys\server\server-client.*









More information about the TriLUG mailing list