OpenVPN
This documentation describes how to create a VPN between road warriors and your main office
servers. The configuration supports NAT traversal, and we assume a UDP port mapping (by
default port 1194) exists from your firewall to the OpenVPN server.
Server side
Installation
Installation of the server part of the software is fairly simple. In addition to the package itself,
OpenVPN uses the LZO package for compression (the comp-lzo option in the configuration below).
Configuration
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/vpnserver.crt
key /etc/openvpn/easy-rsa/2.0/keys/vpnserver.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 192.168.13.0 255.255.255.0
keepalive 10 120
ping-timer-rem
client-to-client
persist-tun
persist-key
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.254"
comp-lzo
status openvpn-status.log
verb 4
You need to enable IP forwarding on your OpenVPN server, so add this line to /etc/sysctl.conf and then reload the settings:
net.ipv4.ip_forward = 1
/etc/init.d/procps.sh restart
After you have created your certificates you can start the OpenVPN server. Netstat should show
a listener on UDP port 1194. Also check the file /var/log/daemon.log for errors.
/etc/init.d/openvpn start
Certificates
Of course you can create the required certificates on your existing CA. However, the Debian
OpenVPN package conveniently includes a tiny CA called Easy-RSA. We'll use Easy-RSA to
create a CA, our server certificate and the client certificates.
cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn
Edit the vars file in the copied directory and set the certificate fields for your organisation, for example:
export KEY_COUNTRY="PK"
export KEY_PROVINCE="Sind"
export KEY_CITY="Karachi"
export KEY_ORG="Pakistan"
export KEY_EMAIL="admin@example.com"
After that you have to source this file and create your CA. You also need to build a Diffie-Hellman
parameter file for the OpenVPN server. build-dh writes the file as dh<KEY_SIZE>.pem, so the dh line
in the server configuration must match the KEY_SIZE set in vars (1024 in the configuration above).
cd /etc/openvpn/easy-rsa/2.0
. vars
./clean-all
./build-ca
./build-dh
Now you can build a certificate for your OpenVPN server. In our example the hostname is
'vpnserver':
./build-key-server vpnserver
For authentication you'll need a key pair per OpenVPN client. Each client needs a unique
client_id, which becomes the common name of its certificate.
./build-key client1
./build-key client2
/etc/shorewall/interfaces
net eth0 detect noping,dropunclean,blacklist,tcpflags,nosmurfs
loc eth2 192.168.1.255 routeback
ovpn tun+
/etc/shorewall/policy
# Policies for Traffic originating from VPN clients (road)
ovpn loc ACCEPT
loc ovpn ACCEPT
$FW ovpn ACCEPT
ovpn $FW ACCEPT
Modify the Shorewall masq file and add the line below. In our case eth2 is our LAN
interface.
vim /etc/shorewall/masq
eth2 192.168.13.0/255.255.255.0
vim /etc/shorewall/tunnels
Linux
If CLI tools are sufficient for you, just install the openvpn package:
Use the openvpn.conf sample from /usr/share/doc to create /etc/openvpn/openvpn.conf. Add the
correct paths/filenames of the three certificate files, and add the line below to be prompted for
your credentials on execution:
auth-user-pass
This line only has an effect if the server is configured to verify usernames and passwords (for example with an auth-user-pass-verify script or a plugin); the server configuration above does not, so with it the client certificate alone authenticates the client.
Ubuntu GUI
An easy-to-use graphical client (it needs sudo permissions) is available as a plug-in. After:
the configuration and enabling can be done with the regular network configuration. Use the
network dock icon in the taskbar.
Mac OS X
Download and install Tunnelblick, the OpenVPN GUI for OS X, from http://www.tunnelblick.net
and follow the installation instructions.
Afterwards move your client certificate, private key and the public CA certificate to the
directory /Users/your_username/Library/openvpn.
In the same directory create an 'openvpn.conf' file with content like this:
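As an added example (not part of the original guide), the following shell function builds a single-file client configuration, with the certificates inlined, for one of the clients issued with ./build-key above, using the client-side counterparts of the server settings in this guide (UDP 1194, tun, comp-lzo, persist-key/persist-tun). The server hostname vpn.example.com is a placeholder, the keys directory defaults to the Easy-RSA path used above, and the inline <ca>/<cert>/<key> form requires OpenVPN 2.1 or later.

```shell
# Added example: build a self-contained client config (certificates inlined)
# for a client created with ./build-key <client_id>. The keys directory
# defaults to the Easy-RSA 2.0 path used in the server configuration above.
set -e

# Print only the PEM block of a file, dropping the human-readable dump that
# easy-rsa writes in front of it.
pem_of() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

make_client_config() {
    # $1 = client_id, $2 = public VPN server hostname (placeholder),
    # $3 = Easy-RSA keys directory (optional)
    client="$1"
    server_host="$2"
    keys="${3:-/etc/openvpn/easy-rsa/2.0/keys}"

    for f in "$keys/ca.crt" "$keys/$client.crt" "$keys/$client.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done

    # Client-side counterparts of the server options in this guide.
    cat <<EOF
client
dev tun
proto udp
remote $server_host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
# Accept only a peer certificate issued with ./build-key-server, so that
# another client's certificate from the same CA cannot pose as the server
# (OpenVPN 2.1+; on 2.0 use "ns-cert-type server" instead).
remote-cert-tls server
verb 3
<ca>
$(pem_of "$keys/ca.crt")
</ca>
<cert>
$(pem_of "$keys/$client.crt")
</cert>
<key>
$(pem_of "$keys/$client.key")
</key>
EOF
}
```

Run it as `make_client_config client1 vpn.example.com > openvpn.conf` and place the file in ~/Library/openvpn on OS X or /etc/openvpn on Linux; the private key is embedded, so keep the file readable only by the owner.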
MS-Win 2000/XP
Download and install the OpenVPN GUI for Windows from http://www.openvpn.se and follow the
installation instructions.
After installation, let's assume that we have installed OpenVPN in the default path
C:\Program Files\OpenVPN\. For the Windows client, copy the client config file to
C:\Program Files\OpenVPN\config; in our case we will name it
server_example_com.ovpn (the Windows GUI looks for config files with the .ovpn extension).