OpenVPN
Contents
Certificate Revocation
./build-key-pkcs12 revoked ./revoke-full revoked crl-verify /path/name/crl.pem
Notes
this is from a CRL file, dumped with: openssl -in <crl> -noout -text
iptables/route
Setup
Copied From: http://www.monkeedev.co.uk/blog/2009/03/06/setting-up-openvpn-in-debianubuntu/
This is little bit later than I originally intended but I finally got around to setting up OpenVPN, and here’s how I did it.
This guide is pretty simple to follow and should have an OpenVPN server on debian or ubuntu working within half an hour. I’ll also explain how to connect to the VPN from a windows PC.
First, install OpenVPN on the server (you’ll need to be root for all of this guide)
apt-get install openvpn
Next, we need to configure the server. You need to make a decision here whether you want tun (routed) or tap (bridged) connections. The main difference is that tap will give the client a network address on the server network, whereas tun creates a private network managed by the server. In this guide I will use tap because I find that it works better with windows clients.
Now you need to create certificates for the server and client for authentication purposes (which is much more secure than the passwords used in pptp). This is done through a number of steps:
Preparing to generate the keys
mkdir /etc/openvpn/easy-rsa cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
Now you need to edit /etc/openvpn/easy-rsa/vars with your required settings. You only really need to change the last section which is the default values for the fields in the certificates.
Generate the certificate authority (CA) which will be used to sign the server and client certificates.
cd /etc/openvpn/easy-rsa
source ./vars ./clean-all ./build-ca
Next, we need to create the server keys
./build-key-server servername
Answer ‘yes’ when asked to sign the certificate and commit to the database, and then you’ll need to generate the diffie-hellman parameters which are used for key exchange between the client and server.
./build-dh
For further security it is recommended that you also do a tls-auth key.
openvpn --genkey --secret ta.key
This command will generate an OpenVPN static key and write it to the file ta.key. This key should be copied over a pre-existing secure channel to the server and all client machines. It can be placed in the same directory as the RSA .key and .crt files.
In the server configuration, add:
tls-auth ta.key 0
In the client configuration, add:
tls-auth ta.key 1
And finally, create some client keys which will be used to allow clients to authenticate with the server. I prefer to use pkcs12 which stores the client public key and certificate in one passworded file.
./build-key-pkcs12 client1
As before, sign the key and commit to the database. You will be asked for a password which the client will use to connect to the server.
Now all the keys are created, we need to configure the server.
vim /etc/openvpn/server.conf (add the following lines) port 443 proto tcp dev tap ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/servername.crt key /etc/openvpn/easy-rsa/keys/servername.key dh /etc/openvpn/easy-rsa/keys/dh1024.pem ifconfig-pool-persist ipp.txt server-bridge 10.1.0.1 255.255.255.0 10.1.0.236 10.1.0.245 push “route 10.0.0.0 255.0.0.0″ keepalive 10 120 comp-lzo persist-key persist-tun status /var/log/openvpn-status.log verb 3
Created by me:
port 11111 prote tcp dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/bla.crt key /etc/openvpn/easy-rsa/keys/bla.key dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.xxx.xxx.0 255.255.255.0 #client-to-client cipher AES-256-CBC keepalive 10 120 comp-lzo max-clients 20 verb 11
client-config-dir ccd log-append openvpn.log status openvpn-status.log
ifconfig-pool-persist ipp.txt route 192.168.0.0 255.255.255.0 #crl-verify crl.pem max-routes-per-client 3000 management localhost 11111
The only lines which you will need to change are ‘server-bridge’, which is simply the default gateway, subnet mask, and the start and end IP’s to assign the clients, and the push route, which pushes specific routes to all clients.
Now we need to create an ethernet bridge. First, we need to install bridge-utils:
apt-get install bridge-utils
Rather than explain how to set up a network bridge, I found a shell script which will do it for you. This can be found here. Just edit this with your network settings and execute it. You will also need to set it to create the bridge at boot time:
update-rc.d bridge defaults
Now you can start the openvpn server
/etc/init.d/openvpn start
Now we need to set up the windows client. First, download the OpenVPN client from here (at the time of writing, select 2.1 RC15). Install it, and create a file ‘client.conf’ in the config directory with the following parameters
client dev tap proto tcp remote x.x.x.x 443 # (replace with your server IP) resolv-retry infinite nobind pkcs12 client1.p12 # (replace with the client name) ns-cert-type server comp-lzo verb 3
You can also add ‘redirect-gateway’ to the client configuration to pass all traffic down the VPN tunnel (rather than just traffic intended for the VPN itself).
Now copy the client1.p12 certificate file to the config directory on the client, start the gui, and connect. Everything should now work.
If you need to create any clients in the future, do the following:
cd /etc/openvpn/easy-rsa source ./vars ./build-key-pkcs12 clientx
If one of your certificates is compromised, you can revoke it using the guide here.
This guide has been written from my notes and what I remember, so there may be a couple of things which aren’t 100% right. If anything goes wrong then post a comment or contact me and I’ll update the guide.
Notes
Enable and Setup IP Forwarding Linux/Debian
Check if IP Forwarding is enabled
#sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 0 or cat /proc/sys/net/ipv4/ip_forward 0
As we can see in both the above examples this was disabled (as show by the value 0).
Enable IP Forwarding on the fly
#sysctl -w net.ipv4.ip_forward=1 or #echo 1 > /proc/sys/net/ipv4/ip_forward
Permanent setting using /etc/sysctl.conf
- /etc/sysctl.conf:
net.ipv4.ip_forward = 1 #sysctl -p /etc/sysctl.conf
TUN/TAP forwarding: Allow TUN interface connections to OpenVPN server
# iptables -A INPUT -i tun+ -j ACCEPT
Allow TUN interface connections to be forwarded through other interfaces
# iptables -A FORWARD -i tun+ -j ACCEPT
Allow TAP interface connections to OpenVPN server
# iptables -A INPUT -i tap+ -j ACCEPT
Allow TAP interface connections to be forwarded through other interfaces
# iptables -A FORWARD -i tap+ -j ACCEPT
- rule iptables for internet sharing from eth1 to eth0.
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#iptables-save
iptables -t nat -A POSTROUTING -s 10.234.134.0/24 -o eth0 -j MASQUERADE
or the real way
http://wiki.debian.org/iptables
add route perm make a exe file /etc/init.d/vpnroute and add the route to file
route add -net 10.37.161.0 netmask 255.255.255.0 gw 10.37.161.1
Notes
- http://www.cyberciti.biz/faq/flush-iptables-ubuntu-linux/
- https://forums.openvpn.net/topic9465.html
- http://www.linuxquestions.org/questions/linux-networking-3/how-to-add-a-persistent-route-in-debian-linux-623771/
Creating an additional OpenVPN interface in Windows
It was bitching about being not having an additional tun interface. I still had tun0 and tun1 in the config files and did not test if something more generic would work like just tun.
A command from a forum post:
C:\>"C:\Program Files (x86)\OpenVPN\bin\tapinstall.exe" install "C:\Program Files (x86)\OpenVPN\driver\OemWin2k.inf" tap0901
https://forums.openvpn.net/topic8236.html
I have to figure out what the tap0901 means but it looks like if you pass help install that it is a hardware id. It most likely identifies what to pull from the driver.
Found it in official docs: http://openvpn.net/index.php/open-source/documentation/install.html?start=1
Notes -- Manual Install/Update/Uninstall of the TAP-Win32 kernel driver
This is best done using tapinstall.exe, a utility based on a DDK sample which is distributed with the self-installing form of OpenVPN on Windows. Cd to the directory which contains OemWin2k.inf and tap0801.sys.
To install:
tapinstall install OemWin2k.inf TAP0801
To update:
tapinstall update OemWin2k.inf TAP0801
To uninstall:
tapinstall remove TAP0801
By installing multiple times, you will create additional TAP-Win32 adapter instances, which can be used for multiple concurrent VPN tunnels.
It is also possible to install using Control Panel -> Add New Hardware, and it is possible to uninstall using Control Panel -> System -> Hardware -> Device Manager.
OpenVPN Access Server Install Debian 6.0 AKA Squeeze
- wget the proper file
- install instructions: