Article by Khaled
OpenVPN is open source software that lets us create a Virtual Private Network.
1. Installing OpenVPN
Install the packages openvpn, openssh-server and openssl:
laptop:~$ sudo apt-get install openvpn openssh-server openssl
With the SSH server installed, the machine can be administered from anywhere on the Internet using its IP address and port 22 (the IANA-assigned port for SSH).
OpenVPN has its own registered port, 1194 (http://www.iana.org/assignments/port-numbers), which is the port the sample configuration listens on; do not confuse the two.
There are web interfaces, such as Webmin, for configuring OpenVPN through a browser. Webmin runs its own small web server and does not need Apache, PHP or MySQL; install that stack only if you want it for something else:
laptop:~$ sudo apt-get install apache2 mysql-server-5.0 libapache2-mod-php5 php5 php5-common php5-mysql
To install Webmin (it is not in the default Ubuntu repositories: add the Webmin repository or download the .deb from http://www.webmin.com/ first):
laptop:~$ sudo apt-get install webmin
A web administration panel is extra attack surface: keep it bound to localhost or to the VPN address, never reachable from the public Internet.
2. VPN configuration:
OpenVPN uses a Public Key Infrastructure (PKI):
1. A master Certificate Authority (CA) signs certificates. The server and every client each have their own key pair: a private key that stays secret and a public key embedded in a certificate signed by the CA.
2. Each certificate belongs to exactly one entity (the server or one client) and is checked against the CA certificate by the other end; nothing is issued per (server, client) pair.
Authentication with OpenVPN is bidirectional: the server verifies the client's certificate before trusting it, and the client verifies the server's certificate too.
Key Generation:
To generate keys we use the easy-rsa scripts shipped with OpenVPN.
We create /home/openvpn and work on the keys there (if /home/openvpn does not exist yet, cp creates it as a copy of easy-rsa, so the scripts land in /home/openvpn/2.0/):
laptop:~$ sudo cp /usr/share/doc/openvpn/examples/easy-rsa /home/openvpn/ -R
All the scripts are in the /home/openvpn/2.0/ directory:
laptop:~$ cd /home/openvpn/2.0
Edit the vars file:
laptop:~$ sudo nano vars ————–// (nano is a text editor; you can use another, such as gedit)
Set these variables: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL
EX:
export KEY_COUNTRY=DZ
export KEY_PROVINCE=ALGER
export KEY_CITY=alger
export KEY_ORG=alger
export KEY_EMAIL=xxxxxxxxx@xxx.dz
* Other variables in vars worth checking:
* KEY_SIZE: the RSA key length, 1024 by default in this version. Set it to at least 2048;
1024-bit RSA is no longer considered adequate. The Diffie-Hellman file generated later takes its name from this value.
* CA_EXPIRE and KEY_EXPIRE: in how many days the CA certificate, respectively the issued certificates, expire.
Save and close (in nano ctrl+x)
To load these variables into the current shell we run:
laptop:~$ . ./vars ——————– //the first dot is not a mistake: it sources the file into the current shell
Note that sudo resets the environment by default, so a plain `sudo ./script` does not see the KEY_* variables just exported (clean-all then only prints a reminder to source vars and does nothing). Either run the rest of this section in a root shell (sudo -s, then . ./vars, and no sudo prefix) or keep the environment with sudo -E as in the commands below.
We clean out any existing certificates to avoid conflicts (run this command):
laptop:~$ sudo -E ./clean-all ———————-// deletes /home/openvpn/2.0/keys
Run it even on a fresh install: it (re)creates an empty keys/ directory with the index.txt and serial files the CA scripts need.
Now we create the master Certificate Authority (CA) certificate and key with this command:
laptop:~$ sudo -E ./build-ca
The CA certificate and key are now in the keys directory: ca.crt and ca.key
Generate a certificate and key for the SERVER:
laptop:~$ sudo -E ./build-key-server SERVER ——————- //we suppose the server is named SERVER
When the Common Name is requested, type the name of the server (here SERVER), then answer yes to signing and committing the certificate.
Generate a certificate and key for a client:
laptop:~$ sudo -E ./build-key client1
When the Common Name is requested, type the name of the client (client1).
This Common Name MUST be different for each client: the server uses it to tell clients apart and rejects a second connection with a CN that is already in use.
To protect the client key with a passphrase use ./build-key-pass instead of ./build-key.
NB: better still, generate the key on the client itself and send only a certificate signing request to the CA machine (./build-req on the client, ./sign-req on the CA side), so the private key never travels over the network.
Diffie-Hellman parameters must be generated for the OpenVPN server:
laptop:~$ sudo -E ./build-dh
They are written to the keys directory as dhN.pem, N being the KEY_SIZE set in vars (dh1024.pem with the default, dh2048.pem if you raised it); the dh directive in server.conf must name this file.
All certificates and keys are now in the /home/openvpn/2.0/keys directory:
File         Needed by               Role                        Secret
ca.crt       server and all clients  root CA certificate         no
ca.key       CA (signing) machine    root CA private key         YES
dh1024.pem   server                  Diffie-Hellman parameters   no
SERVER.crt   server                  server certificate          no
SERVER.key   server                  server private key          YES
client1.crt  client1                 client1 certificate         no
client1.key  client1                 client1 private key         YES
ca.key signs every certificate the VPN trusts: it stays on the machine that issues certificates, ideally not the VPN server itself, and is never copied to a client. The other files are copied to the client machines over a secure channel (scp over SSH, for example), each client receiving only its own certificate and key plus ca.crt.
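What the easy-rsa scripts above actually do, and how to audit the resulting keys/ directory before copying anything, as an added example that is not part of the original tutorial or of the easy-rsa scripts: it reproduces build-ca, build-key-server and build-key with plain openssl commands in a throwaway directory, then checks the chain, the key sizes, the server marking, CN uniqueness and key file permissions. The names example-CA, SERVER and client1, the /C=DZ/O=example subject and the 10-year validity are illustrative assumptions; build-dh is left out because generating 2048-bit DH parameters takes minutes.

```shell
#!/bin/sh
# Added example, not code from the original tutorial or from OpenVPN/easy-rsa.
# Assumes a POSIX sh and openssl 1.1.1 or newer; openssl's progress chatter is
# sent to /dev/null. Names, subjects and lifetimes are illustrative.
set -eu

# issue DIR NAME EXTFILE: 2048-bit key and CSR for NAME, signed by DIR/ca.crt
# (what build-key-server and build-key do, minus the interactive prompts)
issue() {
  d="$1"; n="$2"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj "/C=DZ/O=example/CN=$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 3650 -extfile "$d/$3" -out "$d/$n.crt" 2>/dev/null
}

# make_pki DIR: CA + server + one client, like build-ca/build-key-server/build-key
make_pki() {
  d="$1"; mkdir -p "$d"
  # own req config, so the run does not depend on /etc/ssl/openssl.cnf
  cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
O = example
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # The server cert is marked serverAuth (checked by 'remote-cert-tls server')
  # and nsCertType=server (checked by the older 'ns-cert-type server'); the
  # client cert is not. That marking is what stops a client certificate, which
  # our CA also signed, from being used to impersonate the server.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nnsCertType=server\n' > "$d/server.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
  # build-ca: self-signed root, 2048-bit instead of the easy-rsa 2.0 default of 1024
  openssl req -new -x509 -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj '/C=DZ/O=example/CN=example-CA' -days 3650 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  issue "$d" SERVER server.ext    # build-key-server SERVER
  issue "$d" client1 client.ext   # build-key client1
  chmod 600 "$d"/*.key
}

# check_pki DIR: print every problem found; return 0 only when the directory is clean
check_pki() {
  d="$1"; rc=0
  for c in "$d"/SERVER.crt "$d"/client*.crt; do
    # 1. every certificate must chain to ca.crt
    openssl verify -CAfile "$d/ca.crt" "$c" >/dev/null 2>&1 || { echo "BAD chain: $c"; rc=1; }
    # 2. no 1024-bit keys anywhere (accept 2048 and up)
    openssl x509 -in "$c" -noout -text | grep -Eq 'Public-Key: \(([2-9][0-9]{3}|[1-9][0-9]{4,}) bit\)' \
      || { echo "BAD key size: $c"; rc=1; }
  done
  # 3. the server certificate must carry the server marking
  openssl x509 -in "$d/SERVER.crt" -noout -text | grep -q 'TLS Web Server Authentication' \
    || { echo "BAD server cert: no serverAuth extendedKeyUsage (built with build-key?)"; rc=1; }
  # 4. client CNs must be unique: OpenVPN refuses a second session with a CN
  #    already connected unless duplicate-cn is set on the server
  dup=$(for c in "$d"/client*.crt; do openssl x509 -in "$c" -noout -subject; done | sed 's/.*CN *= *//' | sort | uniq -d)
  [ -z "$dup" ] || { echo "BAD duplicate client CN: $dup"; rc=1; }
  # 5. private keys readable by their owner only
  loose=$(find "$d" -name '*.key' ! -perm 600)
  [ -z "$loose" ] || { echo "BAD key permissions (want 0600): $loose"; rc=1; }
  return $rc
}

# Stand-alone run: PKI_DEMO=1 sh this_script.sh
if [ -n "${PKI_DEMO:-}" ]; then
  t=$(mktemp -d); make_pki "$t"; check_pki "$t" && echo "PKI in $t passes"
fi
```

Run check_pki against /home/openvpn/2.0/keys (as root) after generating the real material. A certificate flagged for a missing serverAuth marking was built with build-key instead of build-key-server and will be rejected by a client that uses ns-cert-type server or remote-cert-tls server.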
3. Creating the configuration files for clients and server
There are samples of these configurations in /usr/share/doc/openvpn/examples/sample-config-files/: client.conf and server.conf.gz
1. Server configuration:
Copy the sample to /home/openvpn and gunzip it there (leave the original in /usr/share/doc untouched):
laptop:~$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /home/openvpn/
laptop:~$ sudo gunzip /home/openvpn/server.conf.gz
Edit server.conf:
laptop:~$ sudo nano /home/openvpn/server.conf
As shipped, this configuration creates a VPN on a tun virtual interface, listens for connections on UDP port 1194 and hands out
virtual addresses from 10.8.0.0/24 to the clients that connect (the server itself takes 10.8.0.1).
It is usable as is, but check the directives that must match your files: cert and key (SERVER.crt, SERVER.key), dh (the dhN.pem generated above) and, if needed, port, proto, dev and the server subnet.
Client and server configuration must be coherent.
2. Client configuration:
Copy the sample client.conf to /home/openvpn as client1.conf and edit it:
laptop:~$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /home/openvpn/client1.conf
laptop:~$ sudo nano /home/openvpn/client1.conf
Set the certificate and key names to the ones generated for this client:
ca ca.crt
cert client1.crt
key client1.key
Go to the remote parameter and set the server's public IP address or DNS name and its port:
remote my-server-1 1194
Also uncomment ns-cert-type server (OpenVPN 2.1 and later also accept remote-cert-tls server): without it the client accepts any certificate signed by our CA, including another client's, as the server, so a compromised client could impersonate the server.
Save the file.
Now we verify that the client parameters match the server ones:
dev (tun or tap)
proto (udp or tcp)
comp-lzo
fragment
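A coherence check for the list above, as an added example that is not part of the tutorial or of OpenVPN: the script compares a server.conf with a client.conf on dev, proto, comp-lzo, fragment, cipher and the port, and also flags three defences that the shipped sample files leave commented out (ns-cert-type/remote-cert-tls server on the client, tls-auth on both ends, user/group on the server). The two sample files it writes are constructed for this example, following the layout of the shipped samples; file paths are arguments, and nothing under /etc/openvpn is touched.

```shell
#!/bin/sh
# Added example, not code from the original tutorial or from OpenVPN.
# Assumes a POSIX sh with awk; the sample configs below are constructed.
set -eu

# setting DIRECTIVE FILE -> "on <first argument>" or "off". A line starting
# with ';' or '#' is a comment in OpenVPN syntax and therefore never matches.
setting() {
  awk -v d="$1" '$1 == d { print "on " $2; f = 1; exit } END { if (!f) print "off" }' "$2"
}

# arg DIRECTIVE N FILE -> the N-th argument of an active DIRECTIVE, or nothing
arg() {
  awk -v d="$1" -v n="$2" '$1 == d { print $(n + 1); exit }' "$3"
}

# check_pair SERVER_CONF CLIENT_CONF: print every problem; return 0 only if none
check_pair() {
  s="$1"; c="$2"; rc=0
  # 1. directives that must be identical on both ends (presence and value)
  for d in dev proto cipher comp-lzo fragment; do
    [ "$(setting "$d" "$s")" = "$(setting "$d" "$c")" ] ||
      { echo "MISMATCH $d: server '$(setting "$d" "$s")', client '$(setting "$d" "$c")'"; rc=1; }
  done
  # 2. the port the client dials (3rd word of 'remote') must be the server's port; 1194 if unset
  sport=$(arg port 1 "$s"); cport=$(arg remote 2 "$c")
  [ "${sport:-1194}" = "${cport:-1194}" ] ||
    { echo "MISMATCH port: server ${sport:-1194}, client dials ${cport:-1194}"; rc=1; }
  # 3. without this the client accepts any certificate our CA ever signed as the
  #    server, so a rogue client could impersonate it (ns-cert-type is the older form)
  case "$(setting remote-cert-tls "$c")$(setting ns-cert-type "$c")" in
    *"on server"*) ;;
    *) echo "WEAK client: no 'remote-cert-tls server' (or 'ns-cert-type server')"; rc=1 ;;
  esac
  # 4. tls-auth on both ends, key direction 0 on the server and 1 on the client
  sdir=$(arg tls-auth 2 "$s"); cdir=$(arg tls-auth 2 "$c")
  [ "$sdir" = 0 ] && [ "$cdir" = 1 ] ||
    { echo "WEAK tls-auth: server direction '${sdir:-none}', client direction '${cdir:-none}'"; rc=1; }
  # 5. the server process should drop root once the tunnel is up
  [ "$(setting user "$s")" != off ] && [ "$(setting group "$s")" != off ] ||
    { echo "WEAK server: no 'user'/'group' directive, openvpn keeps running as root"; rc=1; }
  return $rc
}

# write_samples DIR: a coherent but unhardened pair (constructed here, laid out
# like the shipped samples; ';' lines are commented out exactly as they ship)
write_samples() {
  cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert SERVER.crt
key SERVER.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
;client-to-client
;tls-auth ta.key 0
comp-lzo
;user nobody
;group nogroup
persist-key
persist-tun
EOF
  cat > "$1/client.conf" <<'EOF'
client
dev tun
proto udp
remote my-server-1 1194
ca ca.crt
cert client1.crt
key client1.key
;ns-cert-type server
;tls-auth ta.key 1
comp-lzo
EOF
}

# harden DIR: the corrected pair, the commented-out defences switched on
harden() {
  printf 'tls-auth ta.key 0\nuser nobody\ngroup nogroup\ncipher AES-256-CBC\n' >> "$1/server.conf"
  printf 'remote-cert-tls server\ntls-auth ta.key 1\ncipher AES-256-CBC\n' >> "$1/client.conf"
}

# Stand-alone use: sh check_conf.sh /etc/openvpn/server.conf /etc/openvpn/client1.conf
if [ $# -eq 2 ]; then check_pair "$1" "$2"; fi
```

tls-auth needs a shared HMAC key created once with `openvpn --genkey --secret ta.key` and copied to every peer; without matching directions (0 on the server, 1 on the client) the handshake fails silently. A `cipher` mismatch is not detected by the TLS handshake either, which is why the script compares it along with the directives the tutorial lists.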
4. Starting the VPN:
4.1. Before starting, copy the keys and the .conf files to /etc/openvpn on each machine (the client's files having been transferred to the client over scp beforehand):
4.1.1 SERVER:
laptop:~$ sudo cp /home/openvpn/2.0/keys/SERVER.crt /etc/openvpn
laptop:~$ sudo cp /home/openvpn/2.0/keys/SERVER.key /etc/openvpn
laptop:~$ sudo cp /home/openvpn/2.0/keys/dh1024.pem /etc/openvpn
laptop:~$ sudo cp /home/openvpn/server.conf /etc/openvpn
laptop:~$ sudo cp /home/openvpn/2.0/keys/ca.crt /etc/openvpn
4.1.2 Client:
laptop:~$ sudo cp /home/openvpn/2.0/keys/client1.crt /etc/openvpn
laptop:~$ sudo cp /home/openvpn/2.0/keys/client1.key /etc/openvpn
laptop:~$ sudo cp /home/openvpn/2.0/keys/ca.crt /etc/openvpn
laptop:~$ sudo cp /home/openvpn/client1.conf /etc/openvpn
On both machines make sure the private keys are readable by root only:
laptop:~$ sudo chmod 600 /etc/openvpn/*.key
4.2 Start the server:
laptop:~$ cd /etc/openvpn
laptop:/etc/openvpn$ sudo openvpn server.conf
4.3 Start client1:
laptop:~$ cd /etc/openvpn
laptop:/etc/openvpn$ sudo openvpn client1.conf
Running openvpn in the foreground like this is convenient for the first test because errors appear on the terminal. For a permanent setup, the Debian/Ubuntu init script (sudo /etc/init.d/openvpn start) starts every *.conf found in /etc/openvpn at boot.
4.4 Test the VPN:
From the client terminal, ping the server, which has 10.8.0.1 by default:
ping 10.8.0.1
To let clients reach each other through the VPN, uncomment the client-to-client parameter in server.conf and restart the server;
you will then be able to ping the other clients.