Tuesday, February 9, 2010

OpenVPN Howto

Scope:  

1.  Installation of OpenVPN was completed with apt

apt-get install openvpn

The following extra packages were pulled in by that command:

libpkcs11-helper1
openvpn-blacklist
2.  Next, decide whether you will use a routed (tun) or bridged (tap) VPN. OpenVPN has a more in-depth write-up of the differences in its documentation. Each requires a different set of parameters in the OpenVPN configuration file, but both are well documented. Keep in mind that a bridged client sits on the same Ethernet segment as your LAN hosts, so it sees LAN broadcasts and can address LAN machines directly, whereas a routed client lands on a separate subnet that you can filter at the gateway. I configured my installation first as routed and then transitioned to a bridged model.

Bridging advantages
  • Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows NetBIOS file sharing and network neighborhood browsing to work.
  • No route statements to configure.
  • Works with any protocol that can function over ethernet, including IPv4, IPv6, Netware IPX, AppleTalk, etc.
  • Relatively easy-to-configure solution for road warriors.

Bridging disadvantages

  • Less efficient than routing, and does not scale well.

Routing advantages

  • Efficiency and scalability.
  • Allows better tuning of MTU for efficiency.

Routing disadvantages

  • Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work.
  • Routes must be set up linking each subnet.
  • Software that depends on broadcasts will not "see" machines on the other side of the VPN.
  • Works only with IPv4 in general, and IPv6 in cases where tun drivers on both ends of the connection support it explicitly.

3.  Certificates need to be generated for both the server and the clients. The openvpn package ships the easy-rsa 2.0 scripts for this; they wrap openssl and write everything to a keys/ subdirectory.

NOTE:  Relative file names in the .conf (ca, cert, key, dh) are resolved from the directory OpenVPN is started in, which under the Debian init script is /etc/openvpn, so place the server's key and crt files there (or give absolute paths in the conf file). Keep server.key readable by root only (chmod 600). ca.key only needs to exist on whatever machine signs certificates: anyone holding it can issue certificates your server will accept, so keep it mode 600 and never copy it next to server.conf.

mkdir /etc/openvpn/easy-rsa
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa

3a.  Edit the default values used for the certificates: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL, and check KEY_SIZE. easy-rsa 2.0 defaults KEY_SIZE to 1024, and build-dh names its output after it (dh1024.pem), so set KEY_SIZE=2048 for the dh2048.pem line in the server.conf below to match.

vi /etc/openvpn/easy-rsa/vars

3b. Generate the Certificate Authority that will sign the certificates. clean-all wipes the keys directory, so run it only this once: rerunning it later destroys every certificate and key you have issued.

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca

3c. Create the server certificate and key. build-key-server signs with the server extensions (nsCertType=server), which is what lets a client tell the server's certificate apart from another client's.

./build-key-server server

3d.  Generate the diffie-hellman parameters.

./build-dh 

3e. Create a client certificate and key. Give each client its own name rather than sharing one certificate, so that a lost laptop can be revoked on its own.

./build-key client1
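
Before copying anything beside server.conf, it is worth checking what easy-rsa produced. The script below is an added example, not part of this post or of OpenVPN: it verifies that server.crt and client1.crt chain to ca.crt, that the server certificate carries the nsCertType=server marker build-key-server adds (clients can insist on it with "ns-cert-type server", so a leaked client certificate cannot be used to impersonate the server), that the private keys are readable by their owner only, and how large the DH parameters are. The keys directory (KEY_DIR) and file names are assumptions that match the commands above, and openssl must be installed.

```shell
#!/bin/sh
# check_pki.sh: sanity checks on what easy-rsa 2.0 produced, to run before the
# files are copied next to server.conf. Added example, not from the original
# post. Assumes the keys directory easy-rsa uses (override with KEY_DIR), the
# file names used in the steps above, and an installed openssl.
KEY_DIR="${KEY_DIR:-/etc/openvpn/easy-rsa/keys}"

# key_is_private FILE: succeed if FILE is accessible by its owner only, i.e. the
# group and other permission bits are all clear. ls is used instead of stat
# because its permission column reads the same on GNU and BSD userlands.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# check_key_perms FILE...: report every key that other users could read.
check_key_perms() {
    status=0
    for k in "$@"; do
        if ! key_is_private "$k"; then
            echo "FAIL: $k is readable by group/other; chmod 600 it"
            status=1
        fi
    done
    return $status
}

# check_cert CERT yes|no: CERT must chain to ca.crt; with "yes" it must also
# carry the nsCertType=server marker that build-key-server sets, which a
# client's "ns-cert-type server" line relies on to refuse a peer that merely
# holds a client certificate.
check_cert() {
    cert="$1"; want_server="$2"
    openssl verify -CAfile "$KEY_DIR/ca.crt" "$cert" >/dev/null || {
        echo "FAIL: $cert does not chain to $KEY_DIR/ca.crt"; return 1; }
    if [ "$want_server" = yes ]; then
        openssl x509 -in "$cert" -noout -text | grep -q 'SSL Server' || {
            echo "FAIL: $cert lacks nsCertType=server"; return 1; }
    fi
}

# dh_bits FILE: print the size in bits of a DH parameter file (e.g. 2048).
dh_bits() {
    openssl dhparam -in "$1" -noout -text |
        sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

run_checks() {
    check_cert "$KEY_DIR/server.crt" yes
    check_cert "$KEY_DIR/client1.crt" no
    check_key_perms "$KEY_DIR/ca.key" "$KEY_DIR/server.key" "$KEY_DIR/client1.key"
    for dh in "$KEY_DIR"/dh*.pem; do
        bits=$(dh_bits "$dh")
        [ "${bits:-0}" -ge 2048 ] ||
            echo "WARN: $dh is only ${bits:-?} bits; set KEY_SIZE=2048 in vars and rerun ./build-dh"
    done
}

# Only touch the real key directory when asked to, so the functions above can
# be sourced or tested on their own.
if [ "${1:-}" = run ]; then
    run_checks
fi
```

Run it as "sh check_pki.sh run" after step 3e, and again after the files have been copied beside server.conf. Only server.crt, server.key, ca.crt and the dh file belong there; ca.key and the client files do not.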

4. Configure server.conf file.  OpenVPN example found at http://openvpn.net/index.php/open-source/documentation/howto.html#examples

NOTE: The status and log-append directives require that the /var/log/openvpn directory exist, so create it before starting (I went ahead and created the two log files as well). This example is specifically for a bridged configuration; see the OpenVPN example linked above for detailed explanations of the individual settings and options.

################## 
# server.conf 
##################
local 192.168.0.10 
port 1194 
proto udp 
dev tap0 
ca ca.crt 
cert server.crt 
key server.key 
dh dh2048.pem 
client-config-dir ccd 
server-bridge 192.168.0.10 255.255.255.0 192.168.0.150 192.168.0.160 
ifconfig-pool-persist ipp.txt 
route 192.168.0.0 255.255.255.0 
client-to-client 
keepalive 10 120 
#comp-lzo 
max-clients 15 
#user nobody 
#group nobody 
persist-key 
persist-tun 
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log 
verb 3
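
The configuration above leaves two lines commented that are worth turning on and lacks one that is worth adding. "user nobody" and "group nogroup" make the daemon drop root once the certificates and keys have been read (persist-key and persist-tun, already set above, are what let it survive a restart afterwards); note that on Debian and Ubuntu the unprivileged group is nogroup, so the commented "group nobody" would fail as written. "tls-auth ta.key 0", with ta.key generated by "openvpn --genkey --secret ta.key" and handed to each client as "tls-auth ta.key 1", makes the server discard any UDP packet that does not carry a valid HMAC before it spends anything on a TLS handshake. The checker below is an added example, not code from this post or from OpenVPN; it reads a server.conf and reports those gaps, plus any referenced file or directory that does not exist relative to the config (the ccd directory, the log directory noted above). The Debian group name and the config layout are assumptions.

```shell
#!/bin/sh
# lint_server_conf.sh: read an OpenVPN server.conf and report settings that leave
# the daemon weaker than it needs to be, with the fix for each. Added example, not
# part of the original post or of OpenVPN. Assumes a Debian/Ubuntu host, where the
# unprivileged group is "nogroup" (there is no group "nobody"), and a config laid
# out like the one above; it only reads files and never talks to a live server.

# conf_get FILE DIRECTIVE: print the value of the first uncommented DIRECTIVE line.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# conf_has FILE DIRECTIVE: succeed if DIRECTIVE appears uncommented, with or without a value.
conf_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# resolve DIR PATH: absolute paths stay; relative ones are taken from DIR, which
# is how OpenVPN resolves them when the Debian init script starts it from /etc/openvpn.
resolve() {
    case $2 in /*) echo "$2" ;; *) echo "$1/$2" ;; esac
}

# lint_conf FILE: print one "LEVEL: message" line per finding (nothing if clean).
lint_conf() {
    conf="$1"; dir=$(dirname "$conf")

    # Privilege drop: once the keys are read nothing needs root, so a bug in the
    # packet path should not be exploitable as uid 0.
    conf_has "$conf" user || echo "WARN: no 'user' line; add 'user nobody'"
    grp=$(conf_get "$conf" group)
    [ -n "$grp" ] || echo "WARN: no 'group' line; add 'group nogroup' (Debian/Ubuntu)"
    [ "$grp" = nobody ] && echo "WARN: 'group nobody' does not exist on Debian/Ubuntu; use 'group nogroup'"

    # HMAC firewall: with tls-auth a packet must carry a valid HMAC before the
    # server starts a TLS handshake or exposes its TLS stack to it.
    conf_has "$conf" tls-auth || echo "WARN: no 'tls-auth ta.key 0'; create ta.key with 'openvpn --genkey --secret ta.key' and give clients 'tls-auth ta.key 1'"

    # Every file the daemon opens at start must exist where the config says.
    for d in ca cert key dh tls-auth; do
        f=$(conf_get "$conf" $d | cut -d' ' -f1)
        [ -n "$f" ] || continue
        p=$(resolve "$dir" "$f")
        [ -f "$p" ] || echo "FAIL: $d names $f but $p does not exist"
    done
    ccd=$(conf_get "$conf" client-config-dir)
    if [ -n "$ccd" ]; then
        p=$(resolve "$dir" "$ccd")
        [ -d "$p" ] || echo "FAIL: client-config-dir $p does not exist (mkdir it, even if empty)"
    fi
    for d in status log-append log; do
        f=$(conf_get "$conf" $d)
        [ -n "$f" ] || continue
        [ -d "$(dirname "$f")" ] || echo "FAIL: $d points into $(dirname "$f"), which does not exist"
    done

    # With server-bridge the LAN is already on-link through the bridge, so a
    # 'route' for that same network is a leftover from the routed setup.
    if conf_has "$conf" server-bridge && conf_has "$conf" route; then
        echo "INFO: 'route' is not needed alongside 'server-bridge' when it names the bridged LAN"
    fi
}

if [ -n "${1:-}" ]; then
    lint_conf "$1"
fi
```

Run it as "sh lint_server_conf.sh /etc/openvpn/server.conf"; an empty result means every referenced file is in place and the hardening lines are active.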

5. Install bridge-utils, which provides the brctl command used by the bridge script below.

apt-get install bridge-utils

6. Configure the openvpn-bridge script.  I did not have good luck with the example script included on the openvpn.net site.  I opted to utilize the one listed here, and it has been successful on multiple systems.

Edit the variables at the top (bridge, tap and ethernet interface names, address, netmask, broadcast and gateway) to match your network settings.

#!/bin/bash
### BEGIN INIT INFO
# Provides:          openvpn-bridge
# Required-Start:    $network
# Required-Stop:     $network
# X-Start-Before:    openvpn
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Bridge the OpenVPN tap interface with the LAN interface
### END INIT INFO

#################################
# OpenVPN Bridge 
#################################
# start: create the persistent tap device(s), attach them and the physical
#        interface to the bridge, and move the LAN address onto the bridge.
# stop:  tear the bridge down and put the LAN address back on the physical
#        interface.

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"

# Address the bridge (and, after stop, the physical interface) will carry.
eth_ip="192.168.0.10"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"
gw="192.168.0.1"

case "$1" in
  start)
  # A persistent tap survives OpenVPN restarts, so the bridge stays intact.
  for t in $tap; do
      openvpn --mktun --dev $t
  done

  brctl addbr $br
  brctl addif $br $eth

  for t in $tap; do
      brctl addif $br $t
  done

  # Bridge ports carry no address of their own and run promiscuous so the
  # bridge sees every frame; the LAN address moves to the bridge below.
  for t in $tap; do
      ifconfig $t 0.0.0.0 promisc up
  done

  ifconfig $eth 0.0.0.0 promisc up

  ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
  # Removing the address from $eth dropped the default route; re-add it via $br.
  route add default gw $gw
  ;;
  stop)
  ifconfig $br down
  brctl delbr $br

  for t in $tap; do
      openvpn --rmtun --dev $t
  done
  # Restore the address and default route on the physical interface.
  ifconfig $eth -promisc
  ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
  route add default gw $gw
  ;;
  *)
  echo "usage openvpn-bridge {start|stop}"

  exit 1
  ;;
esac
exit 0

7. Install the script as /etc/init.d/openvpn-bridge, make it executable (chmod 755), and set it to run at startup. (Please test it by hand with start and stop first.) The bridge must be up before the openvpn init script runs, since server.conf names tap0 and it is this script that creates that interface; after running update-rc.d, check the order of the links in /etc/rc2.d/ and, if the bridge sorts after openvpn, pass explicit sequence numbers to update-rc.d.

update-rc.d openvpn-bridge defaults

8. Once the bridge is up and functional (brctl show lists eth0 and tap0 under br0, and ifconfig br0 carries the LAN address) you can proceed to start OpenVPN.

/etc/init.d/openvpn start

9. Firewall. Open the listening port from server.conf (udp/1194) on the bridge interface: once br0 exists, packets addressed to the server arrive on br0 rather than eth0, so a rule that names eth0 will not match. Keep in mind that traffic switched between tap0 and eth0, that is between VPN clients and LAN hosts, only traverses iptables when net.bridge.bridge-nf-call-iptables is enabled; otherwise that traffic is filtered with ebtables or not at all.

10. Client review and configuration to follow....



 

 

