OpenVPNQuickstart
From Hinterlands
An OpenVPN quickstart guide
Overview
Setting up a full-featured VPN can be a complicated procedure. Luckily OpenVPN also supports simpler setups for people who don't want to get into per-client SSL certificate or two-factor token management. This HOWTO is a short route to getting a simple password-based point-to-WAN VPN (a server that relays all of a client's traffic to the internet) up and running. Bear in mind what you trade for that simplicity: clients are identified by a system username and password alone, so the VPN is exactly as strong as those passwords and the PAM policy behind them.
Configuring the server
Install OpenVPN, create a CA and server certificate
OpenVPN is available for a wide selection of platforms. For the server I will be using Debian Squeeze; for the example clients we'll use Ubuntu and Windows 7. To install OpenVPN, type:
sudo aptitude install openvpn
The Debian package includes the easy-rsa helper scripts, which automate creating the CA and certificates. Make a copy of all of them in a suitable location; for ease, I suggest /etc/openvpn.
cd /etc/openvpn/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* .
One of the copied files is called "vars". It contains variables used by many of the helper scripts; take a moment to edit it and provide the right settings. The ones you should definitely change are EASY_RSA and all the KEY_ settings. It is also worth raising KEY_SIZE from its default of 1024 to 2048: it sets the size of both the RSA keys and the DH parameters, and 1024-bit keys are no longer considered adequate (the "1024 bit" lines in the logs below come from leaving it alone; with 2048 the DH file becomes keys/dh2048.pem). Mine are:
export EASY_RSA="/etc/openvpn"
export KEY_COUNTRY="GB"
export KEY_PROVINCE="Essex"
export KEY_CITY="Romford"
export KEY_ORG="Hinterlands"
export KEY_EMAIL="martin@hinterlands.org"
Next, use the scripts to generate the DH parameters, a CA and a server certificate. To make things a tiny bit easier, I run the following commands directly as root:
cd /etc/openvpn
source ./vars
./clean-all
./build-ca
./build-dh
./build-key-server olga.hinterlands.org
You'll be prompted for some certificate information, mostly pre-populated from what you put in the vars file. Obviously you should replace my server name with your server name. Keep keys/ca.key safe: anyone holding it can mint a certificate your clients will trust.
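What the three build-* scripts do, as an added example that is not part of this page or of easy-rsa: the same CA and server certificate created with plain openssl, so that the extensions marking the certificate as a server's are visible, followed by the checks a client relies on. It assumes openssl is installed; the subject fields and the name olga.hinterlands.org are taken from the page, the 2048-bit key size is my choice, and the throwaway directory is illustrative.

```shell
#!/bin/sh
# Added example, not the page's easy-rsa scripts: CA + server certificate with
# plain openssl, then the checks a client performs on them.
# Assumptions: openssl(1) is installed; subject fields and server name are the
# page's; the output directory is a throwaway created below.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

SUBJ_BASE="/C=GB/ST=Essex/L=Romford/O=Hinterlands"

# build_pki DIR NAME: create ca.crt/ca.key and NAME.crt/NAME.key in DIR.
# Mirrors ./build-ca and ./build-key-server, but with 2048-bit RSA keys
# (easy-rsa 2.0's vars defaults to KEY_SIZE=1024, which is why the logs on
# this page say "1024 bit RSA"; set KEY_SIZE=2048 in vars to match this).
build_pki() {
    dir=$1; name=$2
    mkdir -p "$dir"

    # CA: key + request, then self-signed with explicit CA extensions.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "$SUBJ_BASE/CN=Hinterlands_CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" \
        -signkey "$dir/ca.key" -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # Server key and certificate request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "$SUBJ_BASE/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null

    # Extensions from easy-rsa's [server] section: they mark the cert as a
    # server's, which is what a client's "remote-cert-tls server" verifies.
    printf 'basicConstraints=CA:FALSE\nnsCertType=server\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        > "$dir/server.ext"
    openssl x509 -req -sha256 -days 3650 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/$name.crt" 2>/dev/null
    # ./build-dh is just "openssl dhparam -out dh2048.pem 2048"; slow, so omitted.
}

# verify_pki DIR NAME: 0 if NAME.crt chains to ca.crt, is marked for server
# use, and carries a key of at least 2048 bits; 1 otherwise.
verify_pki() {
    dir=$1; name=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$dir/$name.crt" -noout -text)
    echo "$text" | grep -q 'TLS Web Server Authentication' || return 1
    bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ]
}

# ca_fingerprint DIR: the value to publish next to ca.crt so that clients can
# check the copy they downloaded before trusting it.
ca_fingerprint() {
    openssl x509 -in "$1/ca.crt" -noout -fingerprint -sha256
}

# Demo run in a throwaway directory.
PKI_DIR=$(mktemp -d)
build_pki "$PKI_DIR" olga.hinterlands.org
if verify_pki "$PKI_DIR" olga.hinterlands.org; then
    echo "server certificate OK:"
    ca_fingerprint "$PKI_DIR"
else
    echo "server certificate FAILED verification" >&2
    exit 1
fi
```

The certificate ./build-key-server produces should pass the same checks (openssl x509 -text on it shows the "TLS Web Server Authentication" line), and the fingerprint is what you publish alongside ca.crt so a client can confirm it got the right file.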
Create a basic server configuration
Each VPN you wish to create needs a separate configuration file, usually placed in /etc/openvpn. If you read the documentation there is a dizzying array of possibilities for VPNs but, as stated above, we're just going to make a simple password-authenticated VPN. Thus the configuration is relatively simple, and I've included a basic explanation of the options used. Read the documentation for full details of each option. I called this file hinterlands.conf.
dev tun # Use a TUN device (routed, layer 3)
port 1194 # Bind to this port
proto udp # Use UDP
comp-lzo # Enable compression (the client must say the same; compressing data before encrypting it can leak information about it)
user nobody # Drop privileges once started
group nogroup
server 10.119.49.0 255.255.255.0 # Define a network to contain the VPN; the server itself takes .1
push "redirect-gateway def1" # Tell clients to send all traffic via the VPN
push "dhcp-option DNS 10.119.49.1" # Tell clients to use the VPN endpoint for DNS. Only useful if a resolver on the server listens on 10.119.49.1; Windows clients apply it natively, Linux clients need an up script to act on it.
dh /etc/openvpn/keys/dh1024.pem # Generated by ./build-dh above (1024 bits because vars left KEY_SIZE at its default)
ca /etc/openvpn/keys/ca.crt # Generated by ./build-ca above
cert /etc/openvpn/keys/olga.hinterlands.org.crt # Generated by ./build-key-server olga.hinterlands.org above
key /etc/openvpn/keys/olga.hinterlands.org.key # .. the private key; keep it readable by root only
client-cert-not-required # We're not going to use certificates for clients. OpenVPN warns about this at start-up: anyone who can reach port 1194 may now try passwords. (Newer releases spell it "verify-client-cert none".)
username-as-common-name # Use the presented username as the CN, so it appears in the log and status file
keepalive 10 120 # Try to keep the tunnel alive: ping every 10s, restart after 120s of silence
persist-tun # Options for session durability across restarts
persist-key
verb 3 # Be a little bit noisy
plugin /usr/lib/openvpn/openvpn-auth-pam.so service-type # Load the OpenVPN PAM module. The argument is the PAM service name; "service-type" is the placeholder from the plugin's README, so one line (the next one) is all you need.
plugin /usr/lib/openvpn/openvpn-auth-pam.so "login login USERNAME password PASSWORD" # Authenticate against the "login" PAM service, i.e. any local account with a password can use the VPN.
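The logs on this page flag the weak spots of this configuration themselves: "Diffie-Hellman initialized with 1024 bit key" and "1024 bit RSA", the data channel defaulting to BF-CBC (a 64-bit block cipher, see the client log further down), and the warning about --client-cert-not-required. The fragment below is an added example, not the page's hinterlands.conf: the lines I would change in the server file, followed by a dedicated PAM service file (/etc/pam.d/openvpn, an assumed file, as is the user list it points at) so that who may log in to the VPN is decided by a policy of its own rather than by the console "login" stack. Everything not listed stays as above; a client must set the same cipher and auth.

```conf
# ---- hinterlands.conf: lines to change or add; everything else as above ----
dh /etc/openvpn/keys/dh2048.pem   # ./build-dh after setting KEY_SIZE=2048 in vars
cipher AES-256-CBC                # data channel cipher; the default BF-CBC has a 64-bit block
auth SHA256                       # data channel HMAC; the default is SHA1
# comp-lzo                        # dropped: compressing plaintext before encrypting it leaks information about it
# One plugin line. The argument is the PAM service name, i.e. the file under /etc/pam.d.
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

# ---- /etc/pam.d/openvpn (assumed file) ----
# Only users listed in /etc/openvpn/vpn-users (one username per line; the file
# must be root-owned and not world-writable or pam_listfile refuses it) may log
# in, checked against the system password database. No service accounts, no
# "every local account" as with the login service.
auth     required  pam_listfile.so onerr=fail item=user sense=allow file=/etc/openvpn/vpn-users
auth     required  pam_unix.so
account  required  pam_unix.so
```

The plugin forks a root helper before OpenVPN drops to nobody, so pam_unix can still read /etc/shadow; the user nobody line stays.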
You can now test that the configuration works by starting up the daemon:
root@vpnhowto:/etc/openvpn# openvpn hinterlands.conf
Mon Apr 5 20:01:58 2010 OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Dec 11 2009
Mon Apr 5 20:01:58 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Apr 5 20:01:58 2010 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-pam.so '[/usr/lib/openvpn/openvpn-auth-pam.so] [service-type]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Mon Apr 5 20:01:58 2010 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-pam.so '[/usr/lib/openvpn/openvpn-auth-pam.so] [login] [login] [USERNAME] [password] [PASSWORD]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Mon Apr 5 20:01:58 2010 Diffie-Hellman initialized with 1024 bit key
Mon Apr 5 20:01:58 2010 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Mon Apr 5 20:01:58 2010 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Mon Apr 5 20:01:58 2010 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Apr 5 20:01:58 2010 ROUTE default_gateway=10.119.48.1
Mon Apr 5 20:01:58 2010 TUN/TAP device tun0 opened
Mon Apr 5 20:01:58 2010 TUN/TAP TX queue length set to 100
Mon Apr 5 20:01:58 2010 /sbin/ifconfig tun0 10.119.49.1 pointopoint 10.119.49.2 mtu 1500
Mon Apr 5 20:01:58 2010 /sbin/route add -net 10.119.49.0 netmask 255.255.255.0 gw 10.119.49.2
Mon Apr 5 20:01:58 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Apr 5 20:01:58 2010 GID set to nogroup
Mon Apr 5 20:01:58 2010 UID set to nobody
Mon Apr 5 20:01:58 2010 Socket Buffers: R=[124928->131072] S=[124928->131072]
Mon Apr 5 20:01:58 2010 UDPv4 link local (bound): [undef]
Mon Apr 5 20:01:58 2010 UDPv4 link remote: [undef]
Mon Apr 5 20:01:58 2010 MULTI: multi_init called, r=256 v=256
Mon Apr 5 20:01:58 2010 IFCONFIG POOL: base=10.119.49.4 size=62
Mon Apr 5 20:01:58 2010 Initialization Sequence Completed
Make the VPN endpoint start automatically
Edit the file /etc/default/openvpn and add a line like AUTOSTART="hinterlands". You can now restart OpenVPN via init.d.
root@vpnhowto:/etc/openvpn# /etc/init.d/openvpn restart
Stopping virtual private network daemon:.
Starting virtual private network daemon: hinterlands.
Configure IP tables and packet forwarding
As we want clients to be able to get to the regular internet via the VPN, we need to enable IP forwarding and add a simple source NAT (masquerade) to the server's firewall rules. Note that the masquerade rule only rewrites addresses; whether packets are forwarded at all is decided by the FORWARD chain, which on a stock Debian install accepts everything, including traffic between VPN clients and anything else the server can route to.
Create a file called /etc/network/openvpn.sh containing these two lines:
/sbin/iptables -t nat -A POSTROUTING -s 10.119.49.0/24 -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Make the script executable and add it to your network configuration as an up script. For example, in /etc/network/interfaces I have:
auto eth0
iface eth0 inet static
address 212.13.195.161
netmask 255.255.254.0
gateway 212.13.194.1
up /etc/network/openvpn.sh
If you don't wish to reboot your server or restart networking at this point, you can just run the script manually. (The echo to /proc only lasts until reboot, which is why it lives in the up script; setting net.ipv4.ip_forward=1 in /etc/sysctl.conf is the more usual way to make it permanent.)
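A fuller version of the up script, added here and not the page's /etc/network/openvpn.sh: the same masquerade, plus FORWARD rules so that the server only relays traffic between the tunnel and the internet, and a forwarding switch that is recorded for the next boot. It assumes the page's interface names (eth0, tun0) and VPN network (10.119.49.0/24); the chain name OPENVPN_FWD is my own. Without the "apply" argument it only prints the iptables commands it would run, so it can be inspected on any machine.

```shell
#!/bin/sh
# Added example (not the page's /etc/network/openvpn.sh): NAT plus a forwarding
# policy for the tunnel, and persistent ip_forward. Assumptions: the page's
# eth0/tun0 and 10.119.49.0/24; chain name OPENVPN_FWD is ours.
# Usage: openvpn.sh          -> print the commands (dry run)
#        openvpn.sh apply    -> install them (run as root, e.g. from an "up" line)
set -eu

VPN_NET=${VPN_NET:-10.119.49.0/24}
WAN_IF=${WAN_IF:-eth0}
TUN_IF=${TUN_IF:-tun0}
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

# run ARGS...: print the iptables command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        "$IPTABLES" "$@"
    fi
}

# openvpn_firewall: install the forwarding policy and the NAT. Re-runnable:
# our own chain is flushed and refilled, and the hooks are deleted before
# being re-added.
openvpn_firewall() {
    run -N OPENVPN_FWD 2>/dev/null || true
    run -F OPENVPN_FWD
    # Clients may open connections to the internet ...
    run -A OPENVPN_FWD -i "$TUN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    # ... and replies may come back in.
    run -A OPENVPN_FWD -i "$WAN_IF" -o "$TUN_IF" -d "$VPN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything else leaving the tunnel (client to client via the kernel,
    # tunnel to a LAN behind the server) or entering it unsolicited is
    # dropped. Traffic that never touches the tunnel falls through to the
    # rest of FORWARD untouched.
    run -A OPENVPN_FWD -i "$TUN_IF" -j DROP
    run -A OPENVPN_FWD -o "$TUN_IF" -j DROP
    # Hook the chain in at the top of FORWARD exactly once.
    run -D FORWARD -j OPENVPN_FWD 2>/dev/null || true
    run -I FORWARD 1 -j OPENVPN_FWD
    # The masquerade from the page, made re-runnable the same way.
    run -t nat -D POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null || true
    run -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# enable_forwarding: switch IPv4 forwarding on now and record it for next boot.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
        echo "# persisted as net.ipv4.ip_forward=1 in /etc/sysctl.conf"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
        grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf 2>/dev/null ||
            echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    fi
}

case "${1:-print}" in
    apply) DRY_RUN=0 ;;
esac
openvpn_firewall
enable_forwarding
```

In /etc/network/interfaces the up line then becomes "up /etc/network/openvpn.sh apply". The -m state match is available on the kernels of that era; on a current system -m conntrack --ctstate is the equivalent.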
The OpenVPN client
The OpenVPN client is the same program as the server, just with a different configuration. Configuration files are mostly portable: the file I use here is the same for both Windows and Ubuntu clients, with the exception of the path to the CA certificate.
Distributing the CA certificate
Although we're using just usernames and passwords, OpenVPN clients still need the CA certificate to verify the server. This certificate is not secret, so I store mine on my website where I can easily get hold of it via wget or curl; you can find it here. Not secret does not mean unimportant, though: a client that trusts a substituted CA will connect to an impostor server and hand it the username and password, so fetch the file over HTTPS or compare its fingerprint (which openssl x509 -fingerprint prints) against a value you obtained some other way.
Client configuration
The client configuration for our setup is nice and simple:
client # I'm a client
dev tun # Use a TUN device
proto udp # Use UDP
remote olga.hinterlands.org 1194 # The VPN endpoint
resolv-retry infinite # Keep retrying to resolve the remote hostname.
nobind # Don't bind to any specific client port
persist-key
auth-user-pass # Use username and passwords, not certificates.
ca /etc/openvpn/hinterlandsovpn-ca.crt # The location of the CA certificate
comp-lzo # Use compression
verb 3 # Be a little bit noisy
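The Ubuntu log further down prints two warnings that the client file can clear: "No server certificate verification method has been enabled" and "this configuration may cache passwords in memory". The first matters because, without a purpose check, the client accepts any certificate signed by the CA as the server; with no client certificates issued that is a smaller risk than usual, but the check costs nothing and protects you the day the CA signs a second certificate. The server's pushed DNS option is also ignored on Linux unless an up script applies it. The file below is an added example, not the page's hinterlands.conf; it assumes the server certificate came from easy-rsa's build-key-server (which sets the server extensions) and, for the DNS lines, that the Debian/Ubuntu package's /etc/openvpn/update-resolv-conf and the resolvconf package are installed.

```conf
client                              # I'm a client
dev tun                             # Use a TUN device
proto udp                           # Use UDP
remote olga.hinterlands.org 1194    # The VPN endpoint
resolv-retry infinite               # Keep retrying to resolve the remote hostname
nobind                              # Don't bind to any specific client port
persist-key
auth-user-pass                      # Use a username and password, not a certificate
auth-nocache                        # Don't keep the password in memory between reconnects (clears the second warning)
ca /etc/openvpn/hinterlandsovpn-ca.crt   # The location of the CA certificate
remote-cert-tls server              # Only accept a certificate carrying the server extensions (clears the first warning)
# cipher AES-256-CBC                # Only if the server sets the same; the default on both sides is BF-CBC
# auth SHA256                       # Ditto
comp-lzo                            # Must match the server
verb 3                              # Be a little bit noisy
# Ubuntu only (Windows applies the pushed DNS server natively):
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
```

One consequence of auth-nocache: OpenVPN has to ask for the password again after every reconnect, including the restarts keepalive triggers, which is fine from a terminal or the Windows GUI but not for a client started from the init scripts. For those, point auth-user-pass at a root-only file holding the username and password on two lines instead.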
Ubuntu
To connect an Ubuntu client, I installed the OpenVPN package and then copied the above configuration into the file /etc/openvpn/hinterlands.conf. I downloaded the CA certificate from my website using wget into the same directory. You can then test that the connection works as follows (note that I am prompted to enter my username and password):
root@ubuntudesktop:~# openvpn /etc/openvpn/hinterlands.conf
Mon Apr 5 20:42:55 2010 OpenVPN 2.1_rc19 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 13 2009
Enter Auth Username:martin
Enter Auth Password:
Mon Apr 5 20:43:00 2010 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Apr 5 20:43:00 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Apr 5 20:43:00 2010 LZO compression initialized
Mon Apr 5 20:43:00 2010 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Apr 5 20:43:00 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Apr 5 20:43:00 2010 Local Options hash (VER=V4): '41690919'
Mon Apr 5 20:43:00 2010 Expected Remote Options hash (VER=V4): '530fdded'
Mon Apr 5 20:43:00 2010 Socket Buffers: R=[129024->131072] S=[129024->131072]
Mon Apr 5 20:43:00 2010 UDPv4 link local: [undef]
Mon Apr 5 20:43:00 2010 UDPv4 link remote: 212.13.195.161:1194
Mon Apr 5 20:43:00 2010 TLS: Initial packet from 212.13.195.161:1194, sid=f78f6411 ccd98f5d
Mon Apr 5 20:43:00 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Apr 5 20:43:00 2010 VERIFY OK: depth=1, /C=GB/ST=Essex/L=Romford/O=Hinterlands/CN=Hinterlands_CA/emailAddress=martin@hinterlands.org
Mon Apr 5 20:43:00 2010 VERIFY OK: depth=0, /C=GB/ST=Essex/L=Romford/O=Hinterlands/CN=olga.hinterlands.org/emailAddress=martin@hinterlands.org
Mon Apr 5 20:43:00 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 5 20:43:00 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 5 20:43:00 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 5 20:43:00 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 5 20:43:00 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 5 20:43:00 2010 [olga.hinterlands.org] Peer Connection Initiated with 212.13.195.161:1194
Mon Apr 5 20:43:02 2010 SENT CONTROL [olga.hinterlands.org]: 'PUSH_REQUEST' (status=1)
Mon Apr 5 20:43:02 2010 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.119.49.1,route 10.119.49.1,topology net30,ping 10,ping-restart 120,ifconfig 10.119.49.6 10.119.49.5'
Mon Apr 5 20:43:02 2010 OPTIONS IMPORT: timers and/or timeouts modified
Mon Apr 5 20:43:02 2010 OPTIONS IMPORT: --ifconfig/up options modified
Mon Apr 5 20:43:02 2010 OPTIONS IMPORT: route options modified
Mon Apr 5 20:43:02 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Apr 5 20:43:02 2010 ROUTE default_gateway=192.168.22.2
Mon Apr 5 20:43:02 2010 TUN/TAP device tun0 opened
Mon Apr 5 20:43:02 2010 TUN/TAP TX queue length set to 100
Mon Apr 5 20:43:02 2010 /sbin/ifconfig tun0 10.119.49.6 pointopoint 10.119.49.5 mtu 1500
Mon Apr 5 20:43:02 2010 /sbin/route add -net 212.13.195.161 netmask 255.255.255.255 gw 192.168.22.2
Mon Apr 5 20:43:02 2010 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.119.49.5
Mon Apr 5 20:43:02 2010 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.119.49.5
Mon Apr 5 20:43:02 2010 /sbin/route add -net 10.119.49.1 netmask 255.255.255.255 gw 10.119.49.5
Mon Apr 5 20:43:02 2010 Initialization Sequence Completed
Open a web browser and go to a site such as http://www.whatismyip.com/ - you should see the IP of your VPN server, not your regular IP.
Windows
Download and install the OpenVPN client for Windows. Setup is practically identical to Ubuntu, except that the locations for the configuration file and CA certificate will be different. For example, on Windows 7 (64 bit), the suggested location is C:\Program Files (x86)\OpenVPN\config. A GUI launcher is provided that sits in your notification area (system tray); right click it and click "Connect". You'll be prompted to enter the username and password and then you'll see log messages similar to those above. Again, verify it's all working by visiting an IP address information page.
External Links
- OpenVPN - http://openvpn.net/
- OpenVPN's "community" downloads page - http://openvpn.net/index.php/open-source/downloads.html
- Server configuration file.
- Client configuration file.