Here's a small text on how to set up OpenVPN on Debian Linux, nothing fancy at all, and most likely missing a lot of small things, but that will be updated later on when I've got time. Any suggestions are of course welcome. This is, however, just as much a little reminder for myself, since I've got the memory of a goldfish with Alzheimer's.

Let's start with installing OpenVPN. For this we need:

apt-get install openvpn
apt-get install openssl

which in the end should say something like:

Setting up openvpn (2.0.9-8) …
Starting virtual private network daemon:.

and it will fail to start, since there's no configuration, certificates and so on yet.

The first thing we need to do is to create them, so find the easy-rsa folder, which is most likely located at

/usr/share/doc/openvpn/examples/easy-rsa

If this is not the case, run

updatedb; locate easy-rsa

and it should output its location.

Let's copy this folder to a better location:

cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/

Now change directory to /etc/openvpn/easy-rsa/2.0

Now, with your favorite editor, edit the file in easy-rsa called vars (for example: nano vars).

At the bottom of this file, it should look something like

export KEY_COUNTRY=DK
export KEY_PROVINCE=NA
export KEY_CITY=foocity
export KEY_ORG="OpenVPN"
export KEY_EMAIL="foo@annoying.dk"

except that I changed a few of the values so they fit my needs. This isn't really necessary, but it will save you some time in the end, since you would otherwise have to enter it all manually multiple times later in this howto.

Save the file, and let's get on to the next step.

Initialize the PKI:

. ./vars

Yes, there are two dots; it's supposed to be like that, so type it exactly like that. The first dot sources vars into your current shell, and the scripts that follow read their settings from that environment. (I can't recommend using screen at this point, since it fucks up the env.)

Now do

./clean-all

and finally

./build-ca

The command (build-ca) will build the certificate authority (CA) certificate and its private key (ca.crt and ca.key).

and should look something like:

foo:/etc/openvpn/easy-rsa/2.0# ./build-ca
Generating a 1024 bit RSA private key
...++++++
......................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DK]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [foocity]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:foo-server-ca
Email Address [foo@annoying.dk]:

Note that in the above sequence, most queried parameters were defaulted to the values set in the vars file.
The only parameter which must be explicitly entered is the Common Name. In the example above I used "foo-server-ca" (the value typed after the colon on the Common Name line).

Next, we will generate a certificate and private key for the server.
./build-key-server server

which, again, will output something similar to this:

foo:/etc/openvpn/easy-rsa/2.0# ./build-key-server server
Generating a 1024 bit RSA private key
.........++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DK]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [foocity]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server

Again, the only value that had to be entered explicitly was the Common Name. Enter server here.

Now we will generate a certificate and key for one client. You can create as many as you like, as long as they have unique names.

In this example we create it without a passphrase on the key. If you wish to force your clients to enter a passphrase of your choosing to unlock the key, simply use ./build-key-pass instead.

./build-key foo1

should give us:

foo:/etc/openvpn/easy-rsa/2.0# ./build-key foo1
Generating a 1024 bit RSA private key
......................++++++
..............++++++
writing new private key to 'foo1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DK]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [foocity]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:foo1
Email Address [foo@annoying.dk]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DK'
stateOrProvinceName   :PRINTABLE:'NA'
localityName          :PRINTABLE:'foocity'
organizationName      :PRINTABLE:'OpenVPN'
commonName            :PRINTABLE:'foo1'
emailAddress          :IA5STRING:'foo@annoying.dk'
Certificate is to be certified until Oct 11 15:56:29 2017 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Again, the “Common Name” is the name of the client, in this case foo1.

When it asks for a challenge password, just hit Enter.

Generate the Diffie-Hellman parameters:

./build-dh

This command can take a little time, depending on your hardware.

foo:/etc/openvpn/easy-rsa/2.0# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
......................+......................................+.......
....................+..+......................................................
..................................+...........+..............+..............
..............................................................+............
.............................................................................
.......................................+...........++*++*++*

We should now have a new folder inside easy-rsa called keys (/etc/openvpn/easy-rsa/2.0/keys/).

It contains a bunch of files, some for the server and others for the clients.
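One thing worth checking once a few clients have been created, as an added example that is not part of the original howto: easy-rsa 2.0 records every certificate it signs in keys/index.txt, the OpenSSL ca database (the "Write out database with 1 new entries" line above is that file being updated). OpenVPN tells clients apart by the Common Name, so the script below lists the entries and flags any Common Name that has more than one still-valid certificate. A revoked entry plus a re-issued one with the same name is fine; two valid ones are two keys for the same identity. The index.txt layout is the standard OpenSSL one; the sample file the script writes is constructed, using the DN fields from the vars file above.

```shell
#!/bin/sh
# Added example, not from the original howto: audit easy-rsa 2.0's CA database.
# keys/index.txt (the OpenSSL "ca" database) has one tab-separated line per
# issued certificate:
#   status (V=valid, R=revoked, E=expired) / expiry / revocation date / serial / filename / subject DN
# OpenVPN identifies a client by the certificate's Common Name, so two valid
# certificates with the same CN are two different keys claiming one identity.

# Print "status serial CN" for every line of an index.txt.
index_entries() {   # $1 = path to index.txt
    awk -F'\t' '{
        cn = $6
        sub(/.*\/CN=/, "", cn)   # drop everything up to and including CN=
        sub(/\/.*/, "", cn)      # drop a trailing /emailAddress=... component
        print $1, $4, cn
    }' "$1"
}

# Print each Common Name that has more than one status-V (valid) line.
duplicate_valid_cns() {   # $1 = path to index.txt
    index_entries "$1" |
        awk '$1 == "V" { seen[$3]++ } END { for (cn in seen) if (seen[cn] > 1) print cn }'
}

# Return 0 when every valid certificate has a unique CN, 1 otherwise.
audit_index() {   # $1 = path to index.txt
    dups=$(duplicate_valid_cns "$1")
    if [ -n "$dups" ]; then
        echo "duplicate valid Common Names: $dups" >&2
        return 1
    fi
    return 0
}

# Write a constructed index.txt to $1 using the DN fields from the vars file:
# the server cert, a revoked foo1, its valid re-issue, and a second valid foo1
# (the case the audit should catch).
write_sample_index() {   # $1 = output path
    dn='/C=DK/ST=NA/L=foocity/O=OpenVPN'
    mail='emailAddress=foo@annoying.dk'
    printf 'V\t171011155629Z\t\t01\tunknown\t%s/CN=server\n' "$dn" > "$1"
    printf 'R\t171011155629Z\t091015120000Z\t02\tunknown\t%s/CN=foo1/%s\n' "$dn" "$mail" >> "$1"
    printf 'V\t171011155629Z\t\t03\tunknown\t%s/CN=foo1/%s\n' "$dn" "$mail" >> "$1"
    printf 'V\t171011155629Z\t\t04\tunknown\t%s/CN=foo1/%s\n' "$dn" "$mail" >> "$1"
}

# Usage: sh audit-index.sh /etc/openvpn/easy-rsa/2.0/keys/index.txt
if [ "$#" -gt 0 ]; then
    audit_index "$1"
fi
```

Run it against the real index.txt after every build-key; a non-zero exit means a name was reused without revoking the old certificate first.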

Copy ca.crt, ca.key, dh1024.pem, server.crt and server.key into the OpenVPN root folder:

cd /etc/openvpn/easy-rsa/2.0/keys

cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn

Now jump back to the OpenVPN root folder (/etc/openvpn/)

and use your editor, in this case nano, to create or edit the server configuration file:

nano openvpn.conf

and paste this:

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client

Remove the last line, "client-to-client", if you don't wish your clients to be able to communicate with each other.
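Before starting the daemon, a check I add here as an example (not part of the original howto): resolve the ca, cert, key and dh file names in the server config against the config's directory, make sure each file is there (build-dh names the file after the key size set in vars, so a dh line that does not match the file you copied is a common reason for the daemon not starting), and make sure the private keys are readable by their owner only. The daemon reads the key as root before dropping to "user nobody", and persist-key keeps it in memory across restarts, so root-owned 0600 is the right mode. ca.key is checked too if present, since the howto copies it to /etc/openvpn: the config never references it, it is only needed where certificates get signed, and it must never be readable by anyone else. The sample directory the script builds is constructed.

```shell
#!/bin/sh
# Added example, not from the original howto: sanity-check an OpenVPN server
# config before starting the daemon. Relative file names in the config resolve
# against the directory the config lives in (/etc/openvpn in the howto).

# Print the first argument of a directive, e.g. "key server.key" -> server.key.
conf_value() {   # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Return 0 when the file has no group or other permission bits set (mode 0600/0400).
owner_only() {   # $1 = path
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Check one config; report each problem on stderr, return the problem count.
check_openvpn_conf() {   # $1 = config file
    conf="$1"
    dir=$(dirname "$conf")
    problems=0
    for directive in ca cert key dh; do
        name=$(conf_value "$conf" "$directive")
        if [ -z "$name" ]; then
            echo "$conf: no '$directive' directive" >&2
            problems=$((problems + 1))
            continue
        fi
        case "$name" in
            /*) path="$name" ;;
            *)  path="$dir/$name" ;;
        esac
        if [ ! -f "$path" ]; then
            echo "$conf: '$directive $name' but $path does not exist" >&2
            problems=$((problems + 1))
        elif [ "$directive" = key ] && ! owner_only "$path"; then
            echo "$conf: private key $path is readable by group/other" >&2
            problems=$((problems + 1))
        fi
    done
    # The howto copies ca.key next to ca.crt. The config never references it,
    # it is only needed where certificates get signed, and it must stay private.
    if [ -f "$dir/ca.key" ] && ! owner_only "$dir/ca.key"; then
        echo "$dir/ca.key: CA private key is readable by group/other" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Build a constructed /etc/openvpn lookalike in $1 with the howto's server config
# and empty stand-ins for the certificate and key files.
make_sample_confdir() {   # $1 = existing empty directory
    cat > "$1/openvpn.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.16.0.0 255.255.255.0
EOF
    for f in ca.crt ca.key server.crt server.key dh1024.pem; do
        : > "$1/$f"
    done
    chmod 644 "$1/ca.crt" "$1/server.crt" "$1/dh1024.pem"
    chmod 600 "$1/ca.key" "$1/server.key"
}

# Usage: sh check-openvpn-conf.sh /etc/openvpn/openvpn.conf
if [ "$#" -gt 0 ]; then
    check_openvpn_conf "$1"
fi
```

The exit status is the number of problems found, so it drops straight into a start script: run the check, and only call the init script when it returns 0.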

Save the file, and let's see if we can get it up and running.

/etc/init.d/openvpn start
Starting virtual private network daemon: openvpn(OK).

Perfect. Let's just double-check by running ifconfig (it might take a few seconds before the interface appears).

ifconfig

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.16.0.1 P-t-P:172.16.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

Hooray, seems like it's up and running :)

Now, if you have a client machine with OpenVPN installed, copy the files below to its /etc/openvpn/ folder:

ca.crt foo1.crt foo1.key

(they should be located in the folder /etc/openvpn/easy-rsa/2.0/keys/ on the server)

Now, on the client machine, let's create/edit the configuration file:

nano /etc/openvpn/openvpn.conf

and paste this:

client
dev tun
proto tcp
remote ip-or-hostname-of-your-openvpn-server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert foo1.crt
key foo1.key
comp-lzo
verb 3

Save it, and as on the server, let's try to start it:

/etc/init.d/openvpn start
Starting virtual private network daemon: openvpn(OK).

Hooray!

And like before, let's check again (it might take a few seconds before it appears in ifconfig):

ifconfig

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.16.0.2 P-t-P:172.16.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

and test if we can ping the server's tunnel address:

ping 172.16.0.1

PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=56.1 ms

Perfect.
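The two configs above agree on everything they have to agree on, which is why the tunnel came up; when it does not, a mismatch between them is the first thing to look for. The script below, an added example that is not part of the original howto, compares a server config with a client config and reports the settings that must match: the protocol (tcp here; OpenVPN defaults to udp, so a client that leaves the line out will not connect to this server), the port (the second word of remote, 1194 if omitted), the device type (tun, with or without a number) and comp-lzo, which the OpenVPN of this vintage does not negotiate, so it must be on both ends or neither. The sample configs it writes are the two from this page, constructed into temporary files.

```shell
#!/bin/sh
# Added example, not from the original howto: compare an OpenVPN client config
# with the server config it should talk to and report settings that must match.
# OpenVPN defaults assumed when a line is absent: proto udp, port 1194.

# First argument of a directive, or empty when the directive is absent.
conf_value() {   # $1 = config file, $2 = directive
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Second argument of a directive, e.g. "remote vpn.example 1194" -> 1194.
conf_value2() {   # $1 = config file, $2 = directive
    awk -v d="$2" '$1 == d { print $3; exit }' "$1"
}

# Return 0 when the directive appears at all (for flag-style options like comp-lzo).
has_directive() {   # $1 = config file, $2 = directive
    awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"
}

# Print one line per mismatch between server config $1 and client config $2;
# return the number of mismatches.
compare_configs() {
    server="$1"; client="$2"; mismatches=0

    sproto=$(conf_value "$server" proto); cproto=$(conf_value "$client" proto)
    if [ "${sproto:-udp}" != "${cproto:-udp}" ]; then
        echo "proto: server ${sproto:-udp}, client ${cproto:-udp}"
        mismatches=$((mismatches + 1))
    fi

    sport=$(conf_value "$server" port); cport=$(conf_value2 "$client" remote)
    if [ "${sport:-1194}" != "${cport:-1194}" ]; then
        echo "port: server listens on ${sport:-1194}, client connects to ${cport:-1194}"
        mismatches=$((mismatches + 1))
    fi

    # "dev tun" and "dev tun0" are the same device type; strip the unit number.
    sdev=$(conf_value "$server" dev); cdev=$(conf_value "$client" dev)
    if [ "${sdev%%[0-9]*}" != "${cdev%%[0-9]*}" ]; then
        echo "dev: server $sdev, client $cdev"
        mismatches=$((mismatches + 1))
    fi

    if has_directive "$server" comp-lzo; then slzo=yes; else slzo=no; fi
    if has_directive "$client" comp-lzo; then clzo=yes; else clzo=no; fi
    if [ "$slzo" != "$clzo" ]; then
        echo "comp-lzo: server $slzo, client $clzo"
        mismatches=$((mismatches + 1))
    fi

    return "$mismatches"
}

# Write constructed copies of the howto's two configs into directory $1.
write_sample_configs() {   # $1 = existing directory
    cat > "$1/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.16.0.0 255.255.255.0
comp-lzo
client-to-client
EOF
    cat > "$1/client.conf" <<'EOF'
client
dev tun
proto tcp
remote ip-or-hostname-of-your-openvpn-server 1194
resolv-retry infinite
nobind
ca ca.crt
cert foo1.crt
key foo1.key
comp-lzo
EOF
}

# Usage: sh compare-configs.sh /etc/openvpn/openvpn.conf client-foo1.conf
if [ "$#" -eq 2 ]; then
    compare_configs "$1" "$2"
fi
```

Keep the client configs you hand out next to the server config and run this over each pair before shipping them; it catches the tcp/udp and comp-lzo mix-ups that otherwise only show up as a client that sits there retrying.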

Now, for your clients to be able to reach the other machines on your network, do:

echo 1 > /proc/sys/net/ipv4/ip_forward

(You might want to include this in your boot script or firewall script, since the setting is lost on reboot.)

and on the other Linux boxes on your network, add a route back to the VPN subnet via the server:

route add -net 172.16.0.0 netmask 255.255.255.0 gw 192.168.1.7

and on your Windows boxes:

route -p add 172.16.0.0 mask 255.255.255.0 192.168.1.7

Remember to replace 192.168.1.7 with your server's real (LAN) IP.
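The echo into /proc does not survive a reboot. The added example below (not part of the original howto) puts the setting in /etc/sysctl.conf, which Debian applies at boot, replacing the commented-out net.ipv4.ip_forward line that ships in that file rather than appending a second one, and takes the file path as an argument so it can be tried on a scratch copy first. Keep in mind that forwarding is global: once it is on, the box forwards between all its interfaces, and what the VPN clients may reach is then decided by the FORWARD chain in your firewall script, not by OpenVPN.

```shell
#!/bin/sh
# Added example, not from the original howto: make ip_forward=1 survive a reboot
# by setting it in a sysctl.conf-style file (Debian reads /etc/sysctl.conf at boot).
# The path is a parameter so the function can be tried on a scratch copy first.

# Set net.ipv4.ip_forward = 1 in $1, replacing an existing line for the key
# (Debian ships it commented out as "#net.ipv4.ip_forward=1") instead of
# appending a duplicate; append only when the key is not there at all.
persist_ip_forward() {   # $1 = path to sysctl.conf
    file="$1"
    if grep -q '^[# ]*net\.ipv4\.ip_forward *=' "$file"; then
        sed 's/^[# ]*net\.ipv4\.ip_forward *=.*/net.ipv4.ip_forward = 1/' "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        echo 'net.ipv4.ip_forward = 1' >> "$file"
    fi
}

# Print the value the file sets for the key (last active line wins), empty if none.
ip_forward_setting() {   # $1 = path to sysctl.conf
    sed -n 's/^net\.ipv4\.ip_forward *= *//p' "$1" | tail -n 1
}

# Apply now without a reboot (needs root): the same thing the howto's echo does.
apply_ip_forward() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Write a constructed excerpt of a stock Debian sysctl.conf to $1.
write_sample_sysctl() {   # $1 = output path
    printf '# constructed excerpt\n#net.ipv4.ip_forward=1\nnet.ipv4.tcp_syncookies = 1\n' > "$1"
}

# Usage (as root): sh persist-forwarding.sh /etc/sysctl.conf && sysctl -p
if [ "$#" -gt 0 ]; then
    persist_ip_forward "$1"
fi
```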

You're done! :)

A little sidenote..

If you want, you can easily set up a Windows-based client instead. Either grab the installer from OpenVPN.net,
or if you fantasize in the night about sexy GUIs, grab the GUI version from OpenVPN.se.

All you really need to do after installing it is to place your certs and configuration file in C:\Program Files\OpenVPN\config\

Now you can either start it from Services, or if you use the GUI version, right-click it and choose Connect :)