OpenVPN Tutorial

Article by Khaled

Openvpn is an open source software, allows us to create a Virtual Private Network.

1. Installing openvpn

install these packages openvpn openssh-server openssl:

laptop:~$ sudo apt-get install openvpn openssh-server openssl

Now the ssh server is installed we can control it and access to it from anywhere on the web using the IP and port 22.

In reality 22 is for SSH The best port for OpenVPN (http://www.iana.org/assignments/port-numbers) is 1194.

There is special web interfaces to can interact and configure openVPN through a browser like webmin,

so we should install apache, php and mysql with this command:

laptop:~$ sudo apt-get install apache2 mysql-server-5.0 libapache2-mod-php5 php5 php5-common php5-mysql

To install webmin:

laptop:~$ sudo apt-get install webmin

2. VPN configuration:

The openvpn use Private Key Infrastructure (PKI):

1. One Public key for server and Private keys for each client.

2. It uses Certification for more security each Certification is valid for one couple (Server, Client)

The authentication With OpenVPN is a bidirectional, means the sever identify the client before trusting on and client identify the server too.

Key Generation:

To generate a Key we can use scripts provided by OpenVPN

We create openvpn/ in /home to manipulate and create keys there:

laptop:~$ sudo cp /usr/share/doc/openvpn/examples/easy-rsa /home/openvpn/ -R

All commands are in /home/openvpn/2.0/ file

laptop:~$ cd /home/openvpn/2.0

Edit vars file:

laptop:~$ sudo nano vars ————–// (nano is a text editor you can use others: gedit, …)

Setup these variables KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL

EX:

export KEY_COUNTRY=DZ

export KEY_PROVINCE=ALGER

export KEY_CITY=alger

export KEY_ORG=alger

export KEY_EMAIL=xxxxxxxxx@xxx.dz

* We can find other variables like:

* KEY_SIZE by default set to 1024 in some countries there is limit that you

should respect for this KEY_SIZE you can’t go over the limitation.

* CA_EXPIRE : In how many days your certification will expire?

Save and close (in nano ctrl+x)

To set these variables we run this:

laptop:~$ . ./vars ——————– //first dot isn’t a mistake

We should clean all existing certification we have to not have conflits (run this command):

laptop:~$ sudo ./clean-all ———————-// will delete /home/openvpn/2.0/keys

If you do’nt have certification set before nothing will be done.

Now we create our Certification and key with CA (master Certification Authority) with this command:

laptop:~$ sudo ./build-ca

The certification now are created in keys directory: ca.crt ca.key

Generate a certification and key to the SERVER:

laptop:~$ sudo ./build-key-server SERVER ——————- //we suppose that server’s named SERVER

When common name is required type the name OS the server (here SERVER)

Generate certification and key for client:

laptop:~$ sudo ./build-key client1

when common name is required type the name of the client (client1)

this common name MUST be different if you have many clients.

To protect your key with a password use ./build-key-pass instead of ./build-key

NB: We were able to generate the client key on its own end to avoid transfer through the network

Diffie Hellman parameters should be generated for the openvpn server:

laptop:~$ sudo ./build-dh

these parameters are copied in keys directory dh1024.pem

So now all Certifications and keys are in /home/openvpn/2.0/keys directory:

name Utile for Role Secret

ca.crt servers and all clients root Certification CA no

ca.key key signing the machine (both) root key CA yes

dh1024.pem server Diffie Hellman parameters no

SERVER.crt server server certification no

SERVER.key server server key yes

client1.crt Client1 Client1 certification no

client1.key Client1 Client1 key yes

We copy files to the client machines using a secured tunel

3. Creation of the file configuration for clients and server

There is samples of this configuration in /usr/share/doc/openvpn/examples/sample-config-files/ client.conf and server.conf.gz

1. Server configuration:

We should gunzip the server.conf.gz

laptop:~$ sudo gunzip server.conf.gz

and then copy this file to /home/openvpn using:

laptop:~$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/

Edit server.conf:

laptop:~$ sudo nano /home/openvpn/server.conf

this would create a VPN with virtual interface and listen to the connections in 1194 port and distribute

virtual addresses to clients that connect through 10.8.0.0/24

By default this server.conf is useful but we can set more parameters(directives) like (IP, PORT, KEY_SIZE etc…)

Client configuration and server one must be coherent.

1. Client configuration:

Edit the client.conf:

laptop:~$ sudo nano /home/openvpn/client.conf

Verify the name of certification and key of each client:

ca ca.crt

cert client.crt

key client.key

Go to the remote parameter and set up the server IP

remote my-server-1 1194

save the file

Now we verify if client parameters if they correspond to the server one:

dev (tun ou tap)

proto (udp ou tcp)

comp-lzo

fragment

4. Starting the VPN:

4.1. Before we start we should copy all file in keys directory and .conf to /etc/openvpn:

4.1.1 SERVER:

laptop:~$ sudo cp /home/openvpn/keys/SERVER.crt /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/SERVER.key /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/dh1024.pem /etc/openvpn

laptop:~$ sudo cp /home/openvpn/server.conf /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/ca.crt /etc/openvpn

4.1.2 Client:

laptop:~$ sudo cp /home/openvpn/keys/client1.crt /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/client1.key /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/ca.crt /etc/openvpn

laptop:~$ sudo cp /home/openvpn/client1.conf /etc/openvpn

4.2 Start the server:

laptop:~$ cd /etc/openvpn

laptop:/etc/openvpn$ sudo openvpn server.conf

4.3 Start the client1:

aptop:~$ cd /etc/openvpn

laptop:/etc/openvpn$ sudo openvpn client1.conf

4.4 Test the VPN:

From the client terminal try to ping the server which has the 10.8.0.1 by default:

ping 10.8.0.1

To can communicate with other client through the network with the VPN you have to uncomment the client-to-client parameter in server.conf
and then you would be able to ping the other clients.

Related Posts:

• No Related Posts