OpenVPN
OpenVPN uses Public Key Infrastructure (PKI) to encrypt VPN traffic between nodes. A simple way of setting up a VPN with OpenVPN is to connect the clients through a bridge interface on the VPN server. This guide will assume that one VPN node, the server in this case, has a bridge interface configured. For more information on setting up a bridge see the section called “Bridging”.
Installation
To install openvpn in a terminal enter:
sudo apt-get install openvpn
Server Certificates
Now that the openvpn package is installed, the certificates for the VPN server need to be created.
First, copy the easy-rsa
directory to /etc/openvpn
. This will ensure that any changes to the scripts will not be lost when the package is updated. You will also need to adjust permissions in the easy-rsa
directory to allow the current user permission to create files. From a terminal enter:
sudo mkdir /etc/openvpn/easy-rsa/ sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ sudo chown -R $USER /etc/openvpn/easy-rsa/
Next, edit /etc/openvpn/easy-rsa/vars
adjusting the following to your environment:
export KEY_COUNTRY="US" export KEY_PROVINCE="NC" export KEY_CITY="Winston-Salem" export KEY_ORG="Example Company" export KEY_EMAIL="steve@example.com"
Enter the following to create the server certificates:
cd /etc/openvpn/easy-rsa/ source vars ./clean-all ./build-dh ./pkitool --initca ./pkitool --server server cd keys openvpn --genkey --secret ta.key sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
Client Certificates
The VPN client will also need a certificate to authenticate itself to the server. To create the certificate, enter the following in a terminal:
cd /etc/openvpn/easy-rsa/ source vars ./pkitool hostname
Replace hostname with the actual hostname of the machine connecting to the VPN. |
Copy the following files to the client:
- /etc/openvpn/ca.crt
- /etc/openvpn/easy-rsa/keys/hostname.crt
- /etc/openvpn/easy-rsa/keys/hostname.key
- /etc/openvpn/ta.key
Remember to adjust the above file names for your client machine’s hostname. |
It is best to use a secure method to copy the certificate and key files. The scp utility is a good choice, but copying the files to removable media then to the client, also works well.
Configuration
Server Configuration
Now configure the openvpn server by creating /etc/openvpn/server.conf
from the example file. In a terminal enter:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ sudo gzip -d /etc/openvpn/server.conf.gz
Edit /etc/openvpn/server.conf
changing the following options to:
local 172.18.100.101 dev tap0 up "/etc/openvpn/up.sh br0" down "/etc/openvpn/down.sh br0" ;server 10.8.0.0 255.255.255.0 server-bridge 172.18.100.101 255.255.255.0 172.18.100.105 172.18.100.200 push "route 172.18.100.1 255.255.255.0" push "dhcp-option DNS 172.18.100.20" push "dhcp-option DOMAIN example.com" tls-auth ta.key 0 # This file is secret user nobody group nogroup
- local: is the IP address of the bridge interface.
- server-bridge: needed when the configuration uses bridging. The 172.18.100.101 255.255.255.0 portion is the bridge interface and mask. The IP range 172.18.100.105 172.18.100.200 is the range of IP addresses that will be assigned to clients.
- push: are directives to add networking options for clients.
- user and group: configure which user and group the openvpn daemon executes as.
Replace all IP addresses and domain names above with those of your network. |
Next, create a couple of helper scripts to add the tap interface to the bridge. Create /etc/openvpn/up.sh
:
#!/bin/sh BR=$1 DEV=$2 MTU=$3 /sbin/ifconfig $DEV mtu $MTU promisc up /usr/sbin/brctl addif $BR $DEV
And /etc/openvpn/down.sh
:
#!/bin/sh BR=$1 DEV=$2 /usr/sbin/brctl delif $BR $DEV /sbin/ifconfig $DEV down
Then make them executable:
sudo chmod 755 /etc/openvpn/down.sh sudo chmod 755 /etc/openvpn/up.sh
After configuring the server, restart openvpn by entering:
sudo /etc/init.d/openvpn restart
Client Configuration
First, install openvpn on the client:
sudo apt-get install openvpn
Then with the server configured and the client certificates copied to the /etc/openvpn/
directory, create a client configuration file by copying the example. In a terminal on the client machine enter:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
Now edit /etc/openvpn/client.conf
changing the following options:
dev tap remote vpn.example.com 1194 cert hostname.crt key hostname.key tls-auth ta.key 1
Replace vpn.example.com with the hostname of your VPN server, and hostname.* with the actual certificate and key filenames. |
Finally, restart openvpn:
sudo /etc/init.d/openvpn restart
You should now be able to connect to the remote LAN through the VPN.
Artical Source: Ubuntu.com