BINREV SPYD3R

HPR - HPR1498: Personal OpenVPN

Personal OpenVPN

This guide will walk you through setting up an OpenVPN server as well as a client.

OpenVPN Server Setup

Here is how to install OpenVPN on CentOS 6. Other Red Hat derivatives should be similar.

wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm
yum install openvpn -y

Here is how to install OpenVPN on a Debian server. Other Debian derivatives should be similar.

apt-get install openvpn

After the server is installed, the server certificate authority and keys must be generated. This will be followed by the client keys, and then the server configuration file.

Copy the easy-rsa scripts into /etc/openvpn (the target directory must exist before the copy):

mkdir -p /etc/openvpn/easy-rsa
cp -rf /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa # on Debian
cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa # on CentOS 6

Set environment variables

cd /etc/openvpn/easy-rsa
vim vars

Change the following variables to meet your needs. They are there for your convenience: they become the defaults offered during the interactive key generation session that sets the key attributes.

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

Source the variables to the current shell

. ./vars

Create the certificate authority and Diffie-Hellman parameters

./clean-all
./build-ca
./build-dh

Create keys for the server and clients

./build-key-server server
./build-key client1
./build-key client2

Set up the server configuration file

cd /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf # on Debian
vim /etc/openvpn/server.conf

Server settings

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.10.42.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 10.10.42.0 255.255.255.0
client-to-client
keepalive 10 120
cipher AES-256-CBC # AES
comp-lzo
user nobody
group nogroup # on CentOS the group is named nobody, not nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Restart VPN Service

service openvpn restart

If the service fails to start, try starting OpenVPN manually from /etc/openvpn. The resulting errors will show which item in the configuration file is incorrect.

openvpn server.conf

Once you are able to get OpenVPN to start without error, kill it and restart it using the service command above.

You can verify that the VPN is running by looking at the configured interfaces with the following command.

ifconfig

You should now see an entry like the following:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.42.1  P-t-P:10.10.42.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:622255 errors:0 dropped:0 overruns:0 frame:0
          TX packets:986993 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:40649523 (38.7 MiB)  TX bytes:1344026670 (1.2 GiB)

OpenVPN Client Setup

The installation of OpenVPN for Linux is the same as described above for the server. For Windows, download and run the OpenVPN installer from the OpenVPN Community Downloads.

NOTE: On Windows, User Account Control (UAC) must be turned off in order to allow OpenVPN to execute the necessary network commands to bring up the VPN. Open Start > Control Panel > User Accounts and Family Safety > User Accounts > Change User Account Control Settings. Set to Never Notify, click OK, and reboot the machine.

Client Configuration file

For Linux, the client config file goes in `/etc/openvpn` just like the server config. We will name it `client.conf` to make clear that the device is being configured as an OpenVPN client.

On Windows, the keys and client config files go in `C:\Program Files (x86)\OpenVPN\config`. The config file must have an `.ovpn` suffix.

client
dev tun
proto udp
remote myvpn.example.org 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
# on Windows, the format is (backslashes doubled, or use forward slashes):
# ca "C:\\Program Files (x86)\\OpenVPN\\config\\ca.crt"
# Windows may also change the file suffix on the crt files to cer.
# So, if Windows complains that it cannot find the file,
# examine its properties to verify the suffix.
# The logs are stored at C:\Program Files (x86)\OpenVPN\log
cert /etc/openvpn/keys/client1.crt
key /etc/openvpn/keys/client1.key
ns-cert-type server # deprecated in OpenVPN 2.4 and removed in 2.5; newer clients use remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3

Copy the client key and server CA files onto the client

scp ca.crt user@client1:.openvpn/
scp client1.crt user@client1:.openvpn/
scp client1.key user@client1:.openvpn/

On the server create the ccd directory to assign static addresses to clients.

mkdir /etc/openvpn/ccd

For each device, add a file named after the CN of its key. In that file, indicate the static address to be used and the server IP. For Linux, the server IP will be the VPN address of your VPN server. On Windows, the VPN client sets up a local TAP interface, and the address pair must be chosen to suit it. See the OpenVPN docs for the available client and TAP server IP pairs.

Examples:

cat /etc/openvpn/ccd/linux-client
ifconfig-push 10.10.42.10 10.10.42.1

cat /etc/openvpn/ccd/windows-client
ifconfig-push 10.10.42.13 10.10.42.14
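The ccd step above, as an added example that is not from the original post: a small POSIX shell script that writes ccd/<CN> files like the two shown and, for Windows clients, checks that the ifconfig-push pair is a usable /30 pair (last octets [1,2] [5,6] [9,10] [13,14] ...) before writing it. The 10.10.42.0/24 addresses and file layout follow the configuration above; the function names and the CN filter (the file name comes from the client certificate's CN, so it is checked before being used as a path) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Writes /etc/openvpn/ccd/<CN>
# files like the ones above and, for Windows clients, refuses ifconfig-push
# pairs that are not a usable /30 pair, which the TAP-Win32 driver requires.

last_octet() { echo "${1##*.}"; }

# Return 0 when CLIENT and SERVER form a usable /30 pair: same /24, same
# four-address block, and neither is the block's network (x mod 4 = 0)
# or broadcast (x mod 4 = 3) address. Valid last octets: [1,2] [5,6] [9,10] ...
valid_win_pair() {
    c=$1 s=$2
    [ "${c%.*}" = "${s%.*}" ] || return 1
    co=$(last_octet "$c"); so=$(last_octet "$s")
    case "$co$so" in ""|*[!0-9]*) return 1 ;; esac
    [ "$co" -ne "$so" ] || return 1
    [ $((co / 4)) -eq $((so / 4)) ] || return 1
    [ $((co % 4)) -ne 0 ] && [ $((co % 4)) -ne 3 ] || return 1
    [ $((so % 4)) -ne 0 ] && [ $((so % 4)) -ne 3 ] || return 1
}

# Usage: write_ccd CCD_DIR CN CLIENT_IP SERVER_IP [windows|linux]
# The file name is the certificate CN, so reject anything that is not a
# plain name (assumed policy): empty, leading dot, or characters outside
# [A-Za-z0-9._-] (which also rules out path separators).
write_ccd() {
    dir=$1 cn=$2 c=$3 s=$4 os=${5:-linux}
    case "$cn" in ""|.*|*[!A-Za-z0-9._-]*) echo "bad CN: $cn" >&2; return 1 ;; esac
    if [ "$os" = windows ] && ! valid_win_pair "$c" "$s"; then
        echo "$cn: $c $s is not a usable TAP /30 pair" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    printf 'ifconfig-push %s %s\n' "$c" "$s" > "$dir/$cn"
}

# Demo run mirroring the two ccd files above (set CCD_DEMO=1; uses a temp dir).
if [ "${CCD_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    write_ccd "$d" linux-client   10.10.42.10 10.10.42.1
    write_ccd "$d" windows-client 10.10.42.13 10.10.42.14 windows
    cat "$d"/*
fi
```

Run it with `CCD_DEMO=1 sh ccd.sh` to see the two generated files; in production point CCD_DIR at /etc/openvpn/ccd.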

References:

Hacker Public Radio episode 0297

Debian OpenVPN Docs

OpenVPN HowTo

OpenVPN Windows Downloads

OpenVPN Windows Guide

Go to this episode
