
Installing and Using OpenVPN* on Linux*

For use with Intel EP80579 Software for Security Applications on Intel QuickAssist Technology Application Note
December 2008

Order Number: 321165-001US

Legal Lines and Disclaimers

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. Intel products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in nuclear facility applications.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked reserved or undefined. Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information. The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or by visiting Intel's Web Site. Any software source code reprinted in this document is furnished under a software license and may only be used or copied in accordance with the terms of that license. Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor family, not across different processor families. See http://www.intel.com/products/processor_number for details. Code Names are only for use by Intel to identify products, platforms, programs, services, etc. ("products") in development by Intel that have not been made commercially available to the public, i.e., announced, launched or shipped. They are never to be used as commercial names for products. Also, they are not intended to function as trademarks.

BunnyPeople, Celeron, Celeron Inside, Centrino, Centrino logo, Core Inside, FlashFile, i960, InstantIP, Intel, Intel logo, Intel386, Intel486, Intel740, IntelDX2, IntelDX4, IntelSX2, Intel Core, Intel Inside, Intel Inside logo, Intel. Leap ahead., Intel. Leap ahead. logo, Intel NetBurst, Intel NetMerge, Intel NetStructure, Intel SingleDriver, Intel SpeedStep, Intel StrataFlash, Intel Viiv, Intel vPro, Intel XScale, Itanium, Itanium Inside, MCS, MMX, Oplus, OverDrive, PDCharm, Pentium, Pentium Inside, skoool, Sound Mark, The Journey Inside, VTune, Xeon, and Xeon Inside are trademarks of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others. Copyright 2008, Intel Corporation. All rights reserved.


Contents

1.0 Introduction
    1.1 Required Software
    1.2 References
    1.3 Related Documents
2.0 Building OpenVPN
3.0 Configuring OpenVPN
4.0 Bringing up a VPN Tunnel
    4.1 Client Side
    4.2 Server Side
5.0 Testing the VPN Tunnel
6.0 Further Information

Figures

1 OpenVPN Setup

Tables

1 Related Documents
2 Key and Certificate Details


Revision History

    Date            Revision    Description
    December 2008   001         Initial release


1.0 Introduction

This application note describes how to install OpenVPN and set up a simple accelerated SSL VPN tunnel. Information in this document pertains to the Intel EP80579 Integrated Processor with Intel QuickAssist Technology. The OCF driver enables OpenSSL to accelerate cryptographic operations using the integrated cryptographic accelerator.

Note: It is assumed that OpenSSL has been installed and patched with OCF according to the Intel EP80579 Software for Security Applications on Intel QuickAssist Technology for Linux* Getting Started Guide.

1.1 Required Software

http://www.openvpn.net/release/openvpn-2.0.9.tar.gz

1.2 References

http://www.openvpn.net

1.3 Related Documents

Table 1. Related Documents

    Title                                                                                   Reference Number
    Installing Accelerated OpenSSL (OCF) and Apache* on Linux* Application Note,            320507
    For use with Intel EP80579 Software for Security Applications on Intel QuickAssist Technology
    Intel EP80579 Software for Security Applications on Intel QuickAssist Technology        320182
    for Linux* Getting Started Guide

2.0 Building OpenVPN

1. Download openvpn-2.0.9 from http://www.openvpn.net/release/openvpn-2.0.9.tar.gz to a working directory of your choice.

2. Extract the source tarball and change directory into the source directory:

    tar -zxvf openvpn-2.0.9.tar.gz
    cd openvpn-2.0.9

3. Run the configure script with additional parameters pointing it at the OCF-patched OpenSSL headers and shared objects:

    ./configure --with-ssl-headers=/usr/local/ssl_0.9.8g/include --with-ssl-lib=/usr/local/ssl_0.9.8g/lib/ --disable-lzo

4. Compile and install the package:

    make
    make install
    ldconfig


3.0 Configuring OpenVPN

Configuration, which involves generating certificates and keys, only needs to be carried out on the Server side of the VPN. The necessary certificates and keys are then copied to the remote Client side of the VPN in order to bring up a tunnel.

Note: Please make sure the correct date is set on Client and Server, using this command:

    date

If the date is incorrect, update it using the following format:

    date MMddhhmmyear

For example, date 120314002008 sets the date to 14:00hrs, Dec 03, 2008.

The configuration scripts are in the easy-rsa directory contained in the OpenVPN source directory. These scripts generate and sign the certificates needed to bring up a VPN tunnel.

Note: Check the Release Notes for the software release you are using. There may be an open issue where generating rsa1024 certificates fails. If the issue is open, you must modify the scripts build-ca, build-key-server, and build-key, adding "-sha256" to every "openssl req" command and "-md sha256" to every "openssl ca" command, before completing the following steps.

1. Enter the directory with the configuration scripts, and source the environment file:

    cd openvpn-2.0.9/easy-rsa/
    source vars

2. Execute the clean-all script, which creates a keys directory to store the keys and certificates generated during configuration:

    ./clean-all

   Note: The clean-all script deletes the easy-rsa/keys/ directory; this is the default folder in which the keys and certificates are generated and stored.

3. Generate the certificate authority (CA) certificate and key:

    ./build-ca

   When asked for common name, enter: OpenVPN-CA

4. Generate a certificate and private key for the server:

    ./build-key-server server

   When asked for common name, enter: server
   When asked for challenge password, leave it blank and hit return.
   When asked to sign the certificate, enter y and hit return (twice).

5. Generate a certificate and private key for the client:

    ./build-key client

   When asked for common name, enter: client
   When asked for challenge password, leave it blank and hit return.
   When asked to sign the certificate, enter y and hit return (twice).

6. Generate Diffie-Hellman parameters for the OpenVPN server:

    ./build-dh

7. The keys and certificates have now been generated in the openvpn-2.0.9/easy-rsa/keys directory.

   On the server side: copy dh1024.pem, server.key, server.crt, ca.crt, ca.key to /root/openvpn_keys/


   On the client side: copy ca.crt, client.crt, client.key to /root/openvpn_keys/

Table 2 describes the keys and certificates used in the OpenVPN configuration.

Table 2. Key and Certificate Details

    Filename     Needed By            Purpose                     Secret
    ca.crt       server + client      Root CA certificate         NO
    ca.key       Key signing machine  Root CA key                 YES
    dh1024.pem   Server only          Diffie-Hellman parameters   NO
    server.crt   Server only          Server Certificate          NO
    server.key   Server only          Server Key                  YES
    client.crt   Client only          Client Certificate          NO
    client.key   Client only          Client Key                  YES
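The copy step above and Table 2 together say which files each side needs and which of them are secret. The shell function below is an added example, not part of the application note: run after the copies, it checks that a side's key directory holds what Table 2 lists for its role, that the client has not received ca.key (or any server-only file), and that every private key present is readable by root alone. The role names, the function name and the directory argument are this example's own; the filenames are the note's.

```shell
# Added example (not from the application note): verify a copied key directory
# against Table 2. The mode check uses the ls -ld permission string, which is
# portable, rather than a stat flag that differs between platforms.

# check_key_dir ROLE DIR
# ROLE is "server" or "client". Prints one line per problem found and returns
# 0 when DIR passes every check, 1 otherwise.
check_key_dir() {
    role=$1
    dir=$2
    rc=0
    case $role in
        # The server is also the key-signing machine in this note, so ca.key
        # may be present there; it must never reach the client.
        server) required="dh1024.pem server.key server.crt ca.crt"
                forbidden="client.key" ;;
        client) required="ca.crt client.crt client.key"
                forbidden="ca.key server.key dh1024.pem" ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    for f in $required; do
        if [ ! -f "$dir/$f" ]; then
            echo "$role: missing $f"
            rc=1
        fi
    done
    for f in $forbidden; do
        if [ -e "$dir/$f" ]; then
            echo "$role: $f must not be present on the $role"
            rc=1
        fi
    done
    # Files Table 2 marks Secret=YES: owner read/write only (-rw-------).
    for f in ca.key server.key client.key; do
        if [ -f "$dir/$f" ]; then
            mode=$(ls -ld "$dir/$f" | cut -c1-10)
            if [ "$mode" != "-rw-------" ]; then
                echo "$role: $f has mode $mode, expected -rw-------"
                rc=1
            fi
        fi
    done
    return $rc
}

# Usage on the machines built in this note (directory from step 7):
#   check_key_dir server /root/openvpn_keys/
#   check_key_dir client /root/openvpn_keys/
```

A non-zero return with the printed list is enough to stop a tunnel bring-up in a provisioning script; the check is deliberately strict about ca.key on the client, since a leaked CA key lets anyone mint client certificates the server will accept.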

4.0 Bringing up a VPN Tunnel

4.1 Client Side

1. The user must load the OCF stack for the cryptodev engine to appear. This involves inserting the following modules into the kernel: ocf.ko, cryptodev.ko and icp_ocf.ko. Please refer to the Intel EP80579 Software for Security Applications on Intel QuickAssist Technology for Linux* Getting Started Guide for further details.

    modprobe ocf
    modprobe cryptodev
    insmod /EP80579_release/StagingArea/icp_ocf.ko

2. Bring up the onboard GigE interfaces and enable forwarding:

    ifconfig eth0 192.168.10.1 up
    ifconfig eth1 192.168.1.2 up
    echo 1 > /proc/sys/net/ipv4/ip_forward

3. Add the following route:

    route add 9.0.0.3 dev eth1

4. Change directory to where the client keys were copied in Section 3.0:

    cd /root/openvpn_keys/

5. Start OpenVPN on the client side:

    openvpn --remote 192.168.10.2 --dev tun1 --ifconfig 12.0.0.1 12.0.0.2 --tls-client --ca ca.crt --cert client.crt --key client.key --reneg-sec 60 --engine cryptodev --cipher des-ede3-cbc --auth sha1

6. On another terminal on the client, add the following route:

    route add -net 11.0.0.0/24 gw 12.0.0.2

4.2 Server Side

1. The user must load the OCF stack for the cryptodev engine to appear. This involves inserting the following modules into the kernel: ocf.ko, cryptodev.ko and icp_ocf.ko. Please refer to the Intel EP80579 Software for Security Applications on Intel QuickAssist Technology for Linux* Getting Started Guide for further details.

    modprobe ocf
    modprobe cryptodev
    insmod /EP80579_release/StagingArea/icp_ocf.ko

2. Bring up the onboard GigE interfaces and enable forwarding:

    ifconfig eth0 192.168.10.2 up
    ifconfig eth1 192.168.2.2 up
    echo 1 > /proc/sys/net/ipv4/ip_forward

3. Add the following route:

    route add 11.0.0.3 dev eth1

4. Change directory to where the server keys were copied in Section 3.0:

    cd /root/openvpn_keys/

5. Start OpenVPN on the server side:

    openvpn --remote 192.168.10.1 --dev tun1 --ifconfig 12.0.0.2 12.0.0.1 --tls-server --dh dh1024.pem --ca ca.crt --cert server.crt --key server.key --reneg-sec 60 --engine cryptodev --cipher des-ede3-cbc --auth sha1

6. On another terminal on the server, add the following route:

    route add -net 9.0.0.0/24 gw 12.0.0.1

7. When the OpenVPN tunnel has been established, the following messages appear on both the Client and the Server side:

    Tue Dec 2 18:35:26 2008 [client] Peer Connection Initiated with 192.168.10.1:1194
    Tue Dec 2 18:35:27 2008 Initialization Sequence Completed
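The client command in step 5 of Section 4.1 and the server command in step 5 of Section 4.2 only form a tunnel when they mirror each other: each side's --ifconfig LOCAL REMOTE must be the other side's pair reversed, --cipher and --auth must agree, and one side must be --tls-client while the other is --tls-server. The script below is an added example, not from the application note: it parses the two command lines as typed and reports any mismatch before either daemon is started. The two command-line strings are the note's own; the function names are this example's.

```shell
# Added example (not from the application note): check that a client/server
# pair of point-to-point openvpn invocations is consistent.

# opt_value OPTION N ARGS...
# Prints the N-th argument following OPTION in ARGS; returns 1 if OPTION is
# absent or does not have N arguments after it.
opt_value() {
    want=$1; n=$2; shift 2
    while [ $# -gt 0 ]; do
        if [ "$1" = "$want" ]; then
            [ $# -gt "$n" ] || return 1
            shift "$n"
            printf '%s\n' "$1"
            return 0
        fi
        shift
    done
    return 1
}

# check_tunnel_pair "CLIENT_CMD" "SERVER_CMD"
# Prints one line per inconsistency; returns 0 if the pair is consistent.
check_tunnel_pair() {
    client=$1; server=$2; rc=0
    # --ifconfig LOCAL REMOTE on one side must be REMOTE LOCAL on the other.
    cl=$(opt_value --ifconfig 1 $client); cr=$(opt_value --ifconfig 2 $client)
    sl=$(opt_value --ifconfig 1 $server); sr=$(opt_value --ifconfig 2 $server)
    if [ "$cl" != "$sr" ] || [ "$cr" != "$sl" ]; then
        echo "tunnel endpoints do not mirror: client $cl/$cr, server $sl/$sr"
        rc=1
    fi
    # The data-channel cipher and HMAC must be identical on both ends.
    for opt in --cipher --auth; do
        cv=$(opt_value $opt 1 $client); sv=$(opt_value $opt 1 $server)
        if [ "$cv" != "$sv" ]; then
            echo "$opt differs: client $cv, server $sv"
            rc=1
        fi
    done
    # Exactly one TLS role per side.
    case " $client " in *" --tls-client "*) ;; *) echo "client lacks --tls-client"; rc=1 ;; esac
    case " $server " in *" --tls-server "*) ;; *) echo "server lacks --tls-server"; rc=1 ;; esac
    return $rc
}

# The two invocations from Sections 4.1 and 4.2.
CLIENT_CMD="openvpn --remote 192.168.10.2 --dev tun1 --ifconfig 12.0.0.1 12.0.0.2 --tls-client --ca ca.crt --cert client.crt --key client.key --reneg-sec 60 --engine cryptodev --cipher des-ede3-cbc --auth sha1"
SERVER_CMD="openvpn --remote 192.168.10.1 --dev tun1 --ifconfig 12.0.0.2 12.0.0.1 --tls-server --dh dh1024.pem --ca ca.crt --cert server.crt --key server.key --reneg-sec 60 --engine cryptodev --cipher des-ede3-cbc --auth sha1"

check_tunnel_pair "$CLIENT_CMD" "$SERVER_CMD" && echo "client and server options are consistent"
```

The check is worth running whenever one side's command is edited, because OpenVPN reports a mismatched --ifconfig pair or cipher only after the TLS handshake, with the step 7 messages never appearing.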

5.0 Testing the VPN Tunnel

Figure 1 describes the network configuration required to set up OpenVPN.

Figure 1. OpenVPN Setup (recovered from the figure's labels)

    Client-side Laptop        Client                            Server                         Server-side Laptop
    9.0.0.3 ------ eth1 192.168.1.2 | eth0 192.168.10.1 ------ eth0 192.168.10.2 | eth1 192.168.2.2 ------ 11.0.0.3
                                      tun1 12.0.0.1 <== OpenVPN Tunnel ==> tun1 12.0.0.2


1. An OpenVPN tunnel should now be present between Client and Server. Running ifconfig on either Client or Server should reveal a new interface, "tun1"; this is the virtual interface the VPN exists across.

    ifconfig

2. On the Client-side Laptop, add the following IP address and route:

    ifconfig eth0 9.0.0.3 up
    route add default gw 192.168.1.2

3. On the Server-side Laptop, add the following IP address and route:

    ifconfig eth0 11.0.0.3 up
    route add default gw 192.168.2.2

4. The OpenVPN tunnel is now set up for a secure connection between the 9.0.0.0 and 11.0.0.0 networks. It should be possible for one laptop to ping the other.

   Client-side Laptop:

    ping 11.0.0.3

   Server-side Laptop:

    ping 9.0.0.3

6.0 Further Information

For more information on configuring a VPN tunnel, please consult the OpenVPN documentation found at http://www.openvpn.net/index.php/documentation/howto.html
