OpenvpnOnABhost

Setting up an Openvpn instance on bhost

Note that you should refer to the HOWTO document on http://www.openvpn.net for all the details.

Server setup:

The machine starts out as a minimal Ubuntu 10.04 install. Make sure you enable tun/tap in the VPS control panel on bhost and reboot the VPS.

Now become the super user and install the openvpn package:
apt-get install openvpn

Copy the sample server configuration file server.conf.gz from /usr/share/doc/openvpn/examples/sample-config-files to /etc/openvpn and decompress it there with
gunzip server.conf.gz
Then make a working copy of the easy-rsa 2.0 scripts, either in root's home directory:
cd /root
or directly under /etc/openvpn:
cd /etc/openvpn
mkdir easy-rsa
cd easy-rsa
rsync -rvt /usr/share/doc/openvpn/examples/easy-rsa/2.0/ .
You now have a copy of the easy-rsa 2.0 files in the easy-rsa folder under whichever directory you chose. Edit the vars file and set the variables (organisation name and so on) so they are correct. Also set KEY_DIR, the folder where keys are created, to something like /etc/openvpn/keys
or to the keys folder under the easy-rsa folder.

If you do this you will have to copy the necessary keys and certificates into /etc/openvpn by hand, or specify the full path to the files in server.conf. Note that the clean-all script does an rm -rf on the key folder, so don't point it at /etc/openvpn or any other folder that already has content, or it will wipe out everything in and below that folder.

You might want to raise the key size (KEY_SIZE in vars) to 2048 if you're paranoid; this will slow down SSL negotiation and the DH parameter generation.

By default keys and certificates expire after 10 years (CA_EXPIRE and KEY_EXPIRE in vars). You can change this.

Fill in the organisation, email address, country, state and so on so your certificates contain useful information. Now initialise the system:
. vars
Note that is dot, space, vars: the file must be sourced so its variables end up in your current shell.
./clean-all
./build-ca
Note that you'll have to fill in the missing fields and specify a common name, which is important.

Various openvpn options match on the common name, and you can test for its value in scripts. Whilst you're initialising the CA state you might as well generate the DH parameters:
./build-dh
This seriously takes a long time; on my bhost box it took 4 minutes 45 seconds.

Now build your first key, which is used to secure the server end of the TLS connection:
./build-key-server server
Answer the questions asked. Note that you'll have to confirm signing the certificate and committing it to the database.

Build your first client key and certificate:
./build-key home.client
Rinse and repeat for as many client certificates and keys as you require; however, for testing I would recommend sticking with one client until it all works.

Now it is time to edit the server.conf and fill in the necessary settings.

  • No need to bind to a specific IP address; leave the local line commented out unless your box has multiple IPs and you want to bind to just one.
  • Leave the default port at 1194 unless you are running multiple instances of the daemon.
  • Use a UDP server (proto udp) unless you want to deal with TCP delay pile-up.
  • We are setting up a routed VPN (dev tun) here; bridging may require co-operation from your VPS provider.
  • Remember to prepend the paths with keys/ if using my file layout, and fill in the necessary files.
  • You need to fill in the CA certificate and the server certificate and key for the server's end of the link.
  • Stick with the default IP addresses unless your home network already uses 10.8.0.x.
  • Leave most of the rest of the file alone; the changes are noted below.
  • You might not want to redirect the gateway if you only want to reach the server/proxy on 10.8.0.1; see below.
  • Uncomment client-to-client if you want clients to talk to each other over the VPN.
  • Leave keepalive uncommented; it keeps the UDP socket open through NAT devices.
  • Tune the keepalive settings if you want openvpn to notice a link drop sooner than 2 minutes.
  • Don't enable the HMAC firewall (tls-auth) until your setup works; you can go back and enable it later by following the comments.
  • You might as well have openvpn drop privileges for security: remove the comment marks on the user and group lines.
  • Uncomment the openvpn log line, or install the rsyslog package to get logs via syslog.
  • Raise verb to 5 for testing and drop it again later.
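
The list above written out as a server.conf, as an added example rather than the page's own file. It assumes the keys/ layout under /etc/openvpn described earlier and the default 1024-bit DH file name that build-dh produces (dh2048.pem if you raised KEY_SIZE); every other value is one of the choices discussed above.

```conf
# Added example server.conf; adjust file names to what easy-rsa produced.
port 1194
proto udp
dev tun

ca   keys/ca.crt
cert keys/server.crt
# the server private key: keep this file readable by root only
key  keys/server.key
dh   keys/dh1024.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# keep the UDP mapping open through NAT: ping every 10 s, peer dead after 120 s
# (lower the second number to notice a dropped link sooner)
keepalive 10 120

# uncomment so clients can reach each other over the VPN
;client-to-client

# uncomment only if all client traffic should leave via the VPN
# (the host then needs forwarding and NAT, see the end of the page)
;push "redirect-gateway def1"

# HMAC firewall: enable after the basic setup works
# (generate the key with: openvpn --genkey --secret keys/ta.key)
;tls-auth keys/ta.key 0

# compression must be set on both sides or not at all
comp-lzo

# drop root privileges once the tunnel is up; persist-* lets the daemon
# restart on SIGUSR1 without needing root again
user nobody
group nogroup
persist-key
persist-tun

status openvpn-status.log
log /var/log/openvpn.log
# verbose for testing, drop to 3 once it works
verb 5
```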

Now get the client key, the client certificate and the CA certificate across to your client. Keys must be kept secure, whereas .crt files can go over insecure channels. The security of the entire CA depends on ca.key being kept secret. If you are serious about this, use the intermediate script (build-inter) to generate a master CA key, take that key off-line and sign with an intermediate signing key; in this way, if the signing key is compromised you can regenerate it from the master key. Copy these files out with WinSCP or similar; don't email them.
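
Before copying anything out, it is worth checking the keys directory. The script below is an added example (not part of the page or of easy-rsa): it confirms that every .key file is readable only by its owner and, if openssl is installed, that every certificate chains to ca.crt. It assumes the page's file layout (ca.crt, ca.key, server.crt, server.key and one home.client.crt/.key pair per client in one directory); the script name is my choice.

```shell
#!/bin/sh
# Added example, not from the original page: check an easy-rsa 2.0 keys directory before
# handing files to clients. Assumes the page's layout: ca.crt, ca.key, server.crt,
# server.key and one <client>.crt/.key pair per client, all in one directory.
# Usage: sh check_keys.sh /etc/openvpn/keys   (script name is my choice, not the page's)

# Return 0 when the file has no group or other permission bits (mode 600 or 400).
# "ls -ld" prints e.g. "-rw------- 1 root root ..."; characters 5-10 are the group/other bits.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report every .key file in the directory; return 1 if any is readable by group or other.
check_keys() {
    dir=$1
    status=0
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue          # unmatched glob means no .key files
        if key_is_private "$k"; then
            echo "ok   $k"
        else
            echo "BAD  $k is group/other readable; fix with: chmod 600 $k"
            status=1
        fi
    done
    return $status
}

# Verify that each certificate chains to ca.crt and print its subject (common name).
# Skipped when openssl is absent; returns 1 on the first certificate that fails.
check_certs() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 0; }
    for c in "$dir"/*.crt; do
        [ -e "$c" ] || continue
        [ "$c" = "$dir/ca.crt" ] && continue
        openssl verify -CAfile "$dir/ca.crt" "$c" >/dev/null 2>&1 \
            || { echo "BAD  $c does not verify against $dir/ca.crt"; return 1; }
        echo "ok   $c  $(openssl x509 -noout -subject -in "$c")"
    done
}

if [ -n "${1:-}" ]; then
    check_keys "$1" && check_certs "$1"
fi
```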

You might want to rename server.conf to something nicer like my-vpn.conf. Now start the daemon:
/etc/init.d/openvpn start
Check /var/log/openvpn.log or /var/log/syslog for errors, warnings and the like; which file depends on how you configured the logging.

If you see a message that initialisation completed, move on to the client configuration below.

Client Configuration:

Install the openvpn software on your client. You should have a client certificate and key along with the CA certificate; place these in the correct folder. Copy client.conf out of the examples folder into the correct place and edit it, filling in the file names and options. You'll need to set remote to point to your VPN, such as:
remote a.b.c.d 1194
where a.b.c.d is the IP address of the VPS, or its DNS name if you have one set up (the port is a separate word after the host, not host:port).
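
A matching client.conf, as an added example and not the page's own file. It assumes the server's public address is a.b.c.d and the client certificate was built as home.client; remote-cert-tls is my addition, which works because build-key-server marks the server certificate as a server certificate.

```conf
# Added example client.conf for the server configured above.
client
dev tun
proto udp
# host and port are separate words
remote a.b.c.d 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca   ca.crt
cert home.client.crt
key  home.client.key

# only accept a server certificate produced by build-key-server, so a
# certificate issued to another client cannot be used to pose as the server
remote-cert-tls server

# must match the server side
comp-lzo
verb 5
```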

Under Windows, make sure to turn off the firewall on the tun/tap interface.

Launch the openvpn-gui application as administrator and watch the log to see if it connects.

If you get the error "TLS negotiation failed to occur within 60 seconds", check the firewall and the like on the client.

Once the VPN is connected, check that you can reach the server end from the client:
ping 10.8.0.1
Remember to allow access to your squid from the VPN subnet 10.8.0.0/24, then point your proxy at http://10.8.0.1:3128

If you have comp-lzo enabled on both sides then all traffic over the VPN is compressed before it is encrypted, which can give a speed increase: encrypted data is effectively incompressible, so nothing downstream of the tunnel could compress it.

If you want to redirect the default gateway so all traffic goes over the VPN, watch out that you don't prevent your machine from reaching the VPN server in the process. Use tracert and similar utilities to check that things are reachable. Note that the VPN will show as an empty hop.

Note that if you redirect the default gateway on the client to your VPN server, you'll most likely have to tell the VPN host to NAT for the VPN subnet, doing something like:

  • enable IP forwarding (net.ipv4.ip_forward = 1) in /etc/sysctl.conf or a file under /etc/sysctl.d/
  • add a masquerade rule in the nat table for the VPN subnet, for example iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, where eth0 is the interface carrying the public address
    Note that you'll need to consult the iptables documentation for the correct command arguments for your setup, then execute iptables-save if you want the configuration to stick.
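
The two steps above as one idempotent script, added here as an example and not taken from the page. It assumes the page's default tunnel subnet 10.8.0.0/24, a public interface named eth0 and /etc/iptables.rules as the place to save the ruleset; the two check functions read iptables-save and sysctl output so you can confirm afterwards (and after a reboot) that the configuration stuck.

```shell
#!/bin/sh
# Added example, not from the original page: let the VPN host forward and NAT traffic for
# the tunnel subnet, which clients need once they redirect their default gateway to the VPN.
# Assumptions (mine): tunnel subnet 10.8.0.0/24 (the page's default), public interface eth0,
# saved ruleset path /etc/iptables.rules. Run as root: sh vpn_nat.sh apply (name hypothetical).
VPN_NET="${VPN_NET:-10.8.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# The masquerade rule as iptables takes it and as iptables-save prints it (nat table).
nat_rule() {
    printf '%s' "POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# Read an iptables-save dump on stdin; return 0 if the rule for subnet $1 via $2 is present.
rule_present() {
    grep -qxF -- "-A $(nat_rule "$1" "$2")"
}

# Read sysctl output or sysctl.conf lines on stdin; return 0 if ip_forward is set to 1.
forwarding_enabled() {
    sed -n 's/^net\.ipv4\.ip_forward *= *\([01]\).*/\1/p' | grep -qx 1
}

# Constructed sample of "iptables-save -t nat" output after the rule has been added.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Exercise both checks against the constructed sample; returns 0 when they behave.
selfcheck() {
    printf '%s\n' "$SAMPLE_DUMP" | rule_present 10.8.0.0/24 eth0 || return 1
    echo 'net.ipv4.ip_forward = 1' | forwarding_enabled
}

# Idempotent apply: forwarding now and at boot, rule added only if missing, ruleset saved
# so it can be loaded at boot with iptables-restore < /etc/iptables.rules.
apply() {
    sysctl -w net.ipv4.ip_forward=1
    forwarding_enabled < /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    iptables-save -t nat | rule_present "$VPN_NET" "$WAN_IF" \
        || iptables -t nat -A $(nat_rule "$VPN_NET" "$WAN_IF")
    iptables-save > /etc/iptables.rules
}

if [ "${1:-}" = apply ]; then apply; fi
```

Run it without arguments from a test file to exercise only the checks; `apply` touches sysctl and iptables and needs root.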
Page last modified on October 30, 2012, at 01:17 AM