Openvpn Server Installation on Debian squeeze with Shorewall configuration and Windows XP GUI client configuration

Several open source solutions are available to build your own virtual private network. These
solutions do their job in different ways: some use IPsec, others run over plain TCP/IP. We chose
the Openvpn software to build our VPN. It does not require an IPsec-supporting network
infrastructure, but it is safe nonetheless, as it supports all of the encryption, authentication and
certification features of the OpenSSL library (any cipher, key size or HMAC digest). Openvpn
meets our functional needs: it can create VPN tunnels between datacenters as well as support
roadwarriors. It just does its job. Openvpn is available for GNU/Linux, Apple Mac OS X and
Microsoft Windows.

Further information is available at the openvpn homepage.

OpenVPN
This documentation describes how to create a VPN between roadwarriors and your main office
servers. The configuration supports NAT traversal, and we assume that a UDP port mapping (by
default port 1194) exists from your firewall to the Openvpn server.

Server side
Installation

Installation of the server part of the software is fairly simple. In addition to the package itself,
Openvpn uses the LZO-package for compression.

apt-get install openvpn lzop openssl

Configuration

Create a server side configuration file /etc/openvpn/server.conf:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/vpnserver.crt
key /etc/openvpn/easy-rsa/2.0/keys/vpnserver.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 192.168.13.0 255.255.255.0
keepalive 10 120
ping-timer-rem
client-to-client
persist-tun
persist-key
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.254"
comp-lzo
status openvpn-status.log
verb 4
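As an added example (not code from the original page), the following Python script parses a server.conf like the one above and reports the hardening gaps a reviewer would flag. The options it recommends (tls-auth, user/group privilege drop, a 2048-bit DH file via KEY_SIZE in the easy-rsa vars file) are standard OpenVPN 2.x and easy-rsa 2.0 features; SAMPLE_CONF is a constructed, shortened copy of the configuration above.

```python
"""Audit an OpenVPN server.conf for common hardening gaps.
Added example, not code from the page; SAMPLE_CONF is a constructed copy of the
server.conf above with the key paths shortened."""
import os
import re
import shlex

SAMPLE_CONF = """\
port 1194
proto udp
dev tun
dh keys/dh1024.pem
server 192.168.13.0 255.255.255.0
client-to-client
persist-tun
persist-key
push "route 192.168.1.0 255.255.255.0"
comp-lzo
verb 4
"""

def parse_conf(text):
    """Return [(option, [args...])]; shlex keeps the quoted push argument whole."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and surrounding blanks
        if line:
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries

def audit_server_conf(text):
    """Return (finding, advice) pairs; an empty list means no gap was found."""
    conf = parse_conf(text)
    opts = {opt for opt, _ in conf}
    findings = []
    for opt, args in conf:
        # easy-rsa names the DH file after its size (build-dh honours KEY_SIZE in vars)
        if opt == "dh" and args:
            bits = re.search(r"\d+", os.path.basename(args[0]))
            if bits and int(bits.group()) < 2048:
                findings.append(("weak-dh", "set KEY_SIZE=2048 in vars and rerun ./build-dh"))
    if "tls-auth" not in opts:   # HMAC check on the control channel before any TLS work
        findings.append(("no-tls-auth", "add 'tls-auth ta.key 0' (openvpn --genkey --secret ta.key)"))
    if not {"user", "group"} <= opts:   # persist-key/persist-tun make the drop restart-safe
        findings.append(("no-privilege-drop", "add 'user nobody' and 'group nogroup'"))
    if "client-to-client" in opts:   # roadwarriors can reach each other through the server
        findings.append(("client-to-client", "remove unless clients must reach each other"))
    return findings
```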

You need to enable IP forwarding on your Openvpn server, so add this line to /etc/sysctl.conf

net.ipv4.ip_forward = 1

Activate this option by reloading the settings from /etc/sysctl.conf:

sysctl -p

Once you have created your certificates (see the next section) you can start the Openvpn server.
netstat should then show a listener on UDP port 1194; also check the file /var/log/daemon.log for errors.

/etc/init.d/openvpn start

Certificates

Of course you can create the required certificates on your existing CA. However, the Debian
Openvpn-package conveniently includes a tiny CA called Easy-RSA. We'll use Easy-RSA to
create a CA, our server certificate and the client certificates.

Copy the software to the desired location (the resulting directory must match the key paths used
in server.conf above):

cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

Adjust the file /etc/openvpn/easy-rsa/2.0/vars to your situation.

export KEY_COUNTRY="PK"
export KEY_PROVINCE="Sind"
export KEY_CITY="Karachi"
export KEY_ORG="Pakistan"
export KEY_EMAIL="admin@example.com"

After that, source this file and create your CA. You also need to build a Diffie-Hellman
parameter file for the Openvpn server (build-dh uses the KEY_SIZE from vars; the default of 1024
bits produces the dh1024.pem referenced in server.conf).

cd /etc/openvpn/easy-rsa/2.0
. vars
./clean-all
./build-ca
./build-dh

Now you can build a certificate for your Openvpn server. In our example the hostname is
'vpnserver':

./build-key-server vpnserver

For authentication you need a key pair per Openvpn client. Each client must have a unique name,
which becomes the common name of its certificate.

./build-key client1
./build-key client2

Shorewall configuration on the server side

/etc/shorewall/zones
net ipv4
loc ipv4
ovpn ipv4

/etc/shorewall/interfaces
net eth0 detect noping,dropunclean,blacklist,tcpflags,nosmurfs
loc eth2 192.168.1.255 routeback
ovpn tun+

/etc/shorewall/policy
# Policies for Traffic originating from VPN clients (road)
ovpn loc ACCEPT
loc ovpn ACCEPT
$FW ovpn ACCEPT
ovpn $FW ACCEPT

Modify the shorewall masq file and add the line below. In our case eth2 is our LAN
interface.

vim /etc/shorewall/masq

eth2 192.168.13.0/255.255.255.0

Now, to allow the Openvpn tunnel, modify another file in the shorewall directory:

vim /etc/shorewall/tunnels

openvpnserver:1194 net 0.0.0.0/0


Client side
The Openvpn client configuration requires three certificate files besides the main configuration
file: the CA root certificate, a client certificate and the client key. These have to be provided by
the OpenVPN server administrator (for instance by using the easy-rsa software as described
earlier in this chapter).

Linux

Generic cli (including Asus EeePC)

If CLI-tools are sufficient for you, just install the openvpn package:

apt-get install openvpn

Use the sample client configuration from /usr/share/doc/openvpn/examples/sample-config-files/
to create /etc/openvpn/openvpn.conf. Add the correct paths and filenames of the three certificate
files, and add the line below to be prompted for your credentials on execution:

auth-user-pass

Note that the server only checks these credentials if it is configured to verify them (for example
with auth-user-pass-verify or an authentication plugin); the server configuration above
authenticates clients by their certificate only.

Ubuntu GUI

An easy to use graphical client (needs sudo permissions) is available as a plug-in. After

sudo apt-get install network-manager-openvpn

configuration and enabling are done with the regular network configuration: use the network
dock icon in the taskbar.

Mac OS X

Download and install Tunnelblick, the OpenVPN GUI for OSX at http://www.tunnelblick.net
and follow the installation instructions.

Afterwards move your client certificate, private key and the public CA certificate to the
directory /Users/your_username/Library/openvpn.

In the same directory create an 'openvpn.conf' file with the same content as the client
configuration shown for the Windows client below; the OpenVPN client configuration does not
depend on the platform.

MS-Win 2000/XP

Download and install the OpenVPN GUI for windows at http://www.openvpn.se and follow the
installation instructions.
After installation we assume that Openvpn was installed in the default path
C:\Program Files\OpenVPN\. For the Windows client, copy the client configuration file to
C:\Program Files\OpenVPN\config; in our case we name it server_example_com.ovpn (the GUI only
picks up files with the .ovpn extension).

Copy ca.crt, client1.crt and client1.key to the same config folder; the ca, cert and key lines in
the configuration below refer to them by relative filename.


# client configuration file for client1
client
dev tun
proto udp
remote server.example.com 1194
# in above line replace server.example.com with your server public ip address
# or hostname.
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
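As an added example (not from the original page), this Python check compares a client .ovpn with the server.conf it targets and reports the options that must agree on both sides before the first connection attempt; the two embedded configurations are constructed copies of the ones in this document.

```python
"""Check that a client .ovpn agrees with the server.conf it will connect to.
Added example, not from the page; both configurations below are constructed
copies of the ones in this document."""

SERVER_CONF = """\
port 1194
proto udp
dev tun
server 192.168.13.0 255.255.255.0
comp-lzo
"""

CLIENT_OVPN = """\
client
dev tun
proto udp
remote server.example.com 1194
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
"""

def options(text):
    """Map each option to its argument list; blank lines and comments are skipped.
    A repeated option keeps its last value, which is fine for the checks below."""
    rows = [l.split() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return {r[0]: r[1:] for r in rows}

def check_client(client_text, server_text):
    """Return the mismatches found; an empty list means the configs agree."""
    c, s = options(client_text), options(server_text)
    problems = []
    for opt in ("proto", "dev"):          # transport and tunnel type must match
        if c.get(opt) != s.get(opt):
            problems.append(f"{opt}: client {c.get(opt)} vs server {s.get(opt)}")
    remote = c.get("remote", [])           # remote <host> [port]; port defaults to 1194
    port = remote[1] if len(remote) > 1 else "1194"
    if port != s.get("port", ["1194"])[0]:
        problems.append(f"port: client {port} vs server {s.get('port', ['1194'])[0]}")
    for opt in ("comp-lzo", "tls-auth"):   # both sides or neither
        if (opt in c) != (opt in s):
            problems.append(f"{opt}: set on only one side")
    if "tls-auth" in c and "tls-auth" in s and {c["tls-auth"][-1], s["tls-auth"][-1]} != {"0", "1"}:
        problems.append("tls-auth: key direction must be 0 on the server and 1 on the client")
    for opt in ("ca", "cert", "key"):      # the three files the text says every client needs
        if opt not in c:
            problems.append(f"{opt}: missing from client config")
    return problems
```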
