Virtual Private Networks
OpenVPN
Intro
- Reference: OpenVPN Howto
- OpenVPN GUI for Windows
- apt-get install openvpn
- transport is done with TLS over tcp or udp, default port 1194
Setup of a VPN server for multiple dynamic clients with certificates
Thanks to Thierry Walrant for his contribution!
Characteristics of this setup
- Ethernet tunneling (tap) over TCP port 1194
- Full redirection of the traffic (redirection of the default gateway and DNS server), NATed by server towards Internet
- Security by certificates
- Works with Linux or Windows clients
- Dynamic handling (à la DHCP) of the clients
- Allows other ipsec VPN softwares to run on top (e.g. enterprise ipsec VPN for Windows)
Setup of the Certificate Authority (CA)
The CA should be another computer than the server!
cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn cd /etc/openvpn/easy-rsa
Edit the file called vars and adapt the last KEY_xxx vars to your needs
. vars ./clean-all ./build-ca
To create a certificate and sign it in one single step (do that only if the certificate can be transferred to the client via a secure channel, otherwise generate the certificate and the request on the client and sign it on the CA), without password:
- For the server, use (don't forget to give a Common Name):
./build-key-server server-cert
- For a client: (don't forget to give a Common Name)
./build-key client-cert
For other situations, see easy-rsa/README.gz
To see content of a certificate:
openssl x509 -in cert.crt -text
Setup on the Linux server
Setup of ip forward
- Uncomment the following line in /etc/sysctl.conf
net/ipv4/ip_forward=1
- To try immediately
echo 1 >/proc/sys/net/ipv4/ip_forward
Import the server certificate and its key (securely!) as well as the CA certificate
- CA:/etc/openvpn/easy-rsa/keys/ca.crt -> server:/etc/openvpn/ca.crt
- CA:/etc/openvpn/easy-rsa/keys/server-cert.crt -> server:/etc/openvpn/server-cert.crt
- CA:/etc/openvpn/easy-rsa/keys/server-cert.key -> server:/etc/openvpn/server-cert.key
Create the DH keys via etc-rsa/build-dh or directly with
openssl dhparam -out dh2048.pem 2048
Create /etc/openvpn/iptables.up and make it executable:
#!/bin/sh SOURCE=$1 DEV=$2 /sbin/iptables -t nat -A POSTROUTING -s $SOURCE -d 0.0.0.0/0 -j SNAT --to-source=<ext_ip> /sbin/iptables -I FORWARD -i <ext_if> -o $DEV -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -I FORWARD -i $DEV -o <ext_if> -j ACCEPT
Create /etc/openvpn/iptables.down and make it executable:
#!/bin/sh SOURCE=$1 DEV=$2 /sbin/iptables -D FORWARD -i $DEV -o <ext_if> -j ACCEPT /sbin/iptables -D FORWARD -i <ext_if> -o $DEV -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -t nat -D POSTROUTING -s $SOURCE -d 0.0.0.0/0 -j SNAT --to-source=<ext_ip>
Create /etc/openvpn/server.conf:
proto tcp dev tap0 ca /etc/openvpn/ca.crt cert /etc/openvpn/server-cert.crt key /etc/openvpn/server-cert.key dh /etc/openvpn/dh2048.pem server 172.16.0.0 255.255.0.0 ifconfig-pool-persist /etc/openvpn/ipp.txt push "redirect-gateway" push "dhcp-option DNS <primary_DNS>" push "dhcp-option DNS <secondary_DNS>" keepalive 10 120 comp-lzo max-clients 10 status /var/log/openvpn-status.log verb 3 mute 20 up "/etc/openvpn/iptables.up 172.16.0.0/16" down "/etc/openvpn/iptables.down 172.16.0.0/16"
It will start at boot time, for a first try: /etc/init.d/openvpn start
With option ifconfig-pool-persist, clients will always get the same IP.
IPs are stored in /etc/openvpn/ipp.txt
You can modify IP attributions by editing the file after having stopped the openvpn daemon, this is very important otherwise openvpn will overwrite your changes when it's stopped.
Setup on a Windows client
Setup on a Linux client
To avoid automatic starting of the tunnel at boot time, edit /etc/default/openvpn:
AUTOSTART="none"
Bring the needed certificate files in e.g.:
- /etc/openvpn/cacerts/cacert.pem
- /etc/openvpn/certs/openvpn-myclient.crt.pem
- /etc/openvpn/private/openvpn-myclient.key.pem
Give read access to them only to root, especially the key file!
Create a configuration file to join the server "myserver": /etc/openvpn/myserver.conf
See the howto for an explanation of the different options.
client proto tcp remote <IP_or_FQDN_of_myserver> 1194 dev tap resolv-retry infinite nobind http-proxy-retry http-proxy <local_http_proxy_we_have_to_passthrough> <proxy_port> ca /etc/openvpn/cacerts/cacert.pem cert /etc/openvpn/certs/openvpn-myclient.crt.pem key /etc/openvpn/private/openvpn-myclient.key.pem ns-cert-type server comp-lzo verb 3 status /var/log/openvpn.log
To run it manually
/etc/init.d/openvpn start myserver
There is no automatic redefinition of the DNS servers under Linux, so we need a little trick (as seen here):
Be sure to have the resolvconf package.
Add the following to the config file of the client:
up /etc/openvpn/domain.up plugin /usr/lib/openvpn/openvpn-down-root.so /etc/openvpn/domain.down
Create /etc/openvpn/domain.up and make it executable:
#!/bin/sh # really naff script to add nameserver entry on up DEV=$1 set | sed -n " s/^foreign_option_.* DNS \(.*\)'/nameserver \1/; T next; p; :next; s/^foreign_option_.* DOMAIN \(.*\)'/domain \1/; T; p; " | resolvconf -a $DEV resolvconf -u
Create /etc/openvpn/domain.down and make it executable:
#!/bin/sh # really naff script to delete nameserver entry on down DEV=$1 resolvconf -d $DEV resolvconf -u
If you are not using Debian, see http://forums.gentoo.org/viewtopic-t-233080.html#1655552
Setup of a VPN server in a vserver
- cf http://linux-vserver.org/Frequently_Asked_Questions#Can_I_run_an_OpenVPN_Server_in_a_guest.3F
- You've to use persistent tun/tap, cf Vserver administration
- You cannot dynamically modify iptables, this has to be done on the host.
- You've to create manually /dev/net/tun in the vserver:
cd <vserver>/dev; ./MAKEDEV tun
- I had also to give NET_ADMIN capability to the vserver
echo NET_ADMIN >> /etc/vservers/<vserver>/bcapabilities
vtun
Older and with less features than openvpn but very easy to use for basic tunneling (tun or tap)
- apt-get install vtun
- transport is done over tcp or udp, default port 5000