OpenVPN Server on EL6

From Alteeve Wiki

Install

OpenVPN is not in the stock EL6 repositories, so you need access to the DAG (RPMforge) repository. You may need to install this repository on your clients as well.

To install the DAG repository on EL6, please run the following commands:

Install the RPMforge (DAG) repository package. It adds the repository definition and the repository's signing key to the system.

rpm -Uvh http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
Retrieving http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
warning: /var/tmp/rpm-tmp.5paPdJ: Header V3 DSA/SHA1 Signature, key ID 6b8d79e6: NOKEY
Preparing...                ########################################### [100%]
   1:rpmforge-release       ########################################### [100%]

The NOKEY warning above means rpm could not verify the rpmforge-release package's own signature, because the RPMforge signing key was not yet imported; if you want that package verified as well, import the key with rpm --import before installing it. Now install the openvpn package.

yum install openvpn

This will drag in a couple of dependencies, which is expected and fine.

If you don't want to install the DAG repository on the clients, you can download just the OpenVPN RPM.

# Check http://pkgs.repoforge.org/ for the latest packages.
wget -c http://pkgs.repoforge.org/openvpn/openvpn-2.2.0-3.el6.rf.x86_64.rpm
wget -c http://pkgs.repoforge.org/pkcs11-helper/pkcs11-helper-1.08-1.el6.rf.x86_64.rpm
rpm -Uvh openvpn-2.2.0-3.el6.rf.x86_64.rpm pkcs11-helper-1.08-1.el6.rf.x86_64.rpm

You are now ready to set up the OpenVPN server.

Setup

OpenVPN v2 Setup; 1 Server to Many Clients:

For a more complete version of this setup, please see this excellent tutorial. This page is meant to be more of a "quick recipe" style tutorial.

Setting up a local PKI (Public Key Infrastructure) involves creating:

  • A certificate (aka: Public Key) for the server and a separate one for each client.
  • A private key for the Server and each client.
  • A master CA (Certificate Authority) certificate and key which will be used to sign the Server's and clients' public certificates.
Note: OpenVPN uses bi-directional authentication. Both the server and the client must authenticate one another for a successful connection to be established.

Generate the Master CA Certificate and Key

Switch to the default config file directory and copy the files into /etc/openvpn.

Warning: The directory below assumes that you installed the same version as listed here. If you got a different version, you will need to change the openvpn-2.2.0 to match your installation's location.
cd /etc/openvpn/
rsync -av /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* /etc/openvpn/
sending incremental file list
Makefile
README
build-ca
build-dh
build-inter
build-key
build-key-pass
build-key-pkcs12
build-key-server
build-req
build-req-pass
clean-all
inherit-inter
list-crl
openssl-0.9.6.cnf
openssl.cnf
pkitool
revoke-full
sign-req
vars
whichopensslcnf

sent 46661 bytes  received 411 bytes  94144.00 bytes/sec
total size is 45452  speedup is 0.97

Next, edit the /etc/openvpn/vars file and set the following values (change the entries here if needed):

cp /etc/openvpn/vars /etc/openvpn/vars.orig
vim /etc/openvpn/vars
diff -u /etc/openvpn/vars.orig /etc/openvpn/vars
--- /etc/openvpn/vars.orig	2011-09-29 00:13:32.074414343 -0400
+++ /etc/openvpn/vars	2011-09-29 00:18:56.877164906 -0400
@@ -61,8 +61,8 @@
 # These are the default values for fields
 # which will be placed in the certificate.
 # Don't leave any of these fields blank.
-export KEY_COUNTRY="US"
-export KEY_PROVINCE="CA"
-export KEY_CITY="SanFrancisco"
-export KEY_ORG="Fort-Funston"
-export KEY_EMAIL="me@myhost.mydomain"
+export KEY_COUNTRY="CA"
+export KEY_PROVINCE="ON"
+export KEY_CITY="Toronto"
+export KEY_ORG="Alteeve's Niche!"
+export KEY_EMAIL="admin@alteeve.ca"
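Review bot: the hunk changes only the five DN defaults and leaves KEY_SIZE, further down in the same vars file, at its shipped value; that is why the build-ca and build-key-server runs later on this page report "Generating a 1024 bit RSA private key" while one client run shows 2048 bits. Setting KEY_SIZE in this same edit keeps CA, server and client keys at one size and avoids re-issuing later. Also note that the new KEY_ORG value "Alteeve's Niche!" contains an apostrophe and an exclamation mark, which is why the later openssl output encodes organizationName as T61STRING instead of PRINTABLE; harmless, but a plain ASCII organisation name avoids the unusual encoding.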

Now to initialize the PKI.

  • Make the scripts executable and check the result.
chmod 755 whichopensslcnf clean-all build-ca pkitool build-key-server build-key build-dh
ls -lah
total 136K
drwxr-xr-x    2 root root 4.0K Sep 29 00:18 .
drwxr-xr-x. 116 root root  12K Sep 28 23:55 ..
-rwxr-xr-x    1 root root  119 Apr  6 12:05 build-ca
-rwxr-xr-x    1 root root  352 Apr  6 12:05 build-dh
-rw-r--r--    1 root root  188 Apr  6 12:05 build-inter
-rwxr-xr-x    1 root root  163 Apr  6 12:05 build-key
-rw-r--r--    1 root root  157 Apr  6 12:05 build-key-pass
-rw-r--r--    1 root root  249 Apr  6 12:05 build-key-pkcs12
-rwxr-xr-x    1 root root  268 Apr  6 12:05 build-key-server
-rw-r--r--    1 root root  213 Apr  6 12:05 build-req
-rw-r--r--    1 root root  158 Apr  6 12:05 build-req-pass
-rwxr-xr-x    1 root root  428 Apr  6 12:05 clean-all
-rw-r--r--    1 root root 1.5K Apr  6 12:05 inherit-inter
-rw-r--r--    1 root root  295 Apr  6 12:05 list-crl
-rw-r--r--    1 root root  389 Oct 21  2010 Makefile
-rw-r--r--    1 root root 7.6K Oct 21  2010 openssl-0.9.6.cnf
-rw-r--r--    1 root root 8.2K Oct 21  2010 openssl.cnf
-rwxr-xr-x    1 root root  13K Apr  6 12:05 pkitool
-rw-r--r--    1 root root 9.1K Oct 21  2010 README
-rw-r--r--    1 root root  918 Apr  6 12:05 revoke-full
-rw-r--r--    1 root root  178 Apr  6 12:05 sign-req
-rw-r--r--    1 root root 1.7K Sep 29 00:18 vars
-rw-r--r--    1 root root 1.7K Sep 29 00:13 vars.orig
-rwxr-xr-x    1 root root  190 Oct 21  2010 whichopensslcnf
  • Load the ./vars file.
. ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys
  • Clean everything up
./clean-all

Now we will generate the certificate authority. This will prompt you for values, but if you edited ./vars properly, you should be able to accept the defaults.

./build-ca
Generating a 1024 bit RSA private key
....++++++
.....................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [ON]:
Locality Name (eg, city) [Toronto]:
Organization Name (eg, company) [Alteeve's Niche!]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Alteeve's Niche! CA]:
Name []:
Email Address [admin@alteeve.ca]:

Generate the Server's Key and Certificate

Run the following, substituting daimon.alteeve.ca with the name of the server you are using:

./build-key-server daimon.alteeve.ca

As with the last step, press <enter> at each prompt after confirming it shows what you want. This time you will also be asked for an optional challenge password and company name; leave both blank. Finally you will be asked whether to sign the certificate and then whether to commit the change; enter y for both if you are happy with the output.

It should look like this:

./build-key-server daimon.alteeve.ca
Generating a 1024 bit RSA private key
..................................++++++
..................................................++++++
writing new private key to 'daimon.alteeve.ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [ON]:
Locality Name (eg, city) [Toronto]:
Organization Name (eg, company) [Alteeve's Niche!]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [daimon.alteeve.ca]:
Name []:
Email Address [admin@alteeve.ca]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CA'
stateOrProvinceName   :PRINTABLE:'ON'
localityName          :PRINTABLE:'Toronto'
organizationName      :T61STRING:'Alteeve's Niche!'
commonName            :PRINTABLE:'daimon.alteeve.ca'
emailAddress          :IA5STRING:'admin@alteeve.ca'
Certificate is to be certified until Sep 26 04:30:26 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate Keys and Certificates for Clients

Note: You will need to do this for each client device, not just once per user. (OpenVPN can be told to accept one certificate from several devices at once with the duplicate-cn directive, but we want to be safe, so pretend it can't.)

For each client device, pick a somewhat descriptive name and run the following. In this example, I will create a certificate for my main laptop (called lework). When you follow this section, replace digimer-lework with the descriptive name of the client's device this new key will be for.

The next steps are similar to how we created the server's key: load vars, then call build-key followed by the name of the device we're creating the key for.

cd /etc/openvpn
. ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys
./build-key digimer-lework
Generating a 2048 bit RSA private key
.................................+++
................................................+++
writing new private key to 'digimer-lework.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [ON]:
Locality Name (eg, city) [Toronto]:
Organization Name (eg, company) [Alteeve's Niche!]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [digimer-lework]:
Email Address [admin@alteeve.ca]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CA'
stateOrProvinceName   :PRINTABLE:'ON'
localityName          :PRINTABLE:'Toronto'
organizationName      :PRINTABLE:'Alteeve's Niche!'
commonName            :T61STRING:'digimer-lework'
emailAddress          :IA5STRING:'admin@alteeve.ca'
Certificate is to be certified until Nov  3 03:33:58 2019 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Repeat this step for every client device you want to give access to your network.

Generating Diffie Hellman Parameters

To learn more about this, read this.

In short, Diffie-Hellman lets the server and client agree on a shared secret over an insecure network without ever sending that secret across it.

Run:

cd /etc/openvpn
./build-dh

The output should look like this:

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.........+............................................(many more dots and +).......++*++*++*

Enabling Access

If you are running a firewall, you will need to open up UDP port 1194. How you do this will depend entirely on the firewall you are using. As an example though, if you are using the stock iptables firewall that comes with EL6, you will need to edit the /etc/sysconfig/iptables file.

cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig
vim /etc/sysconfig/iptables
diff -u /etc/sysconfig/iptables.orig /etc/sysconfig/iptables
--- /etc/sysconfig/iptables.orig	2011-09-29 00:50:04.311413922 -0400
+++ /etc/sysconfig/iptables	2011-09-29 00:50:44.470165140 -0400
@@ -14,6 +14,7 @@
 -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 953 -j ACCEPT
 -A INPUT -m state --state NEW -m udp -p udp --dport 953 -j ACCEPT
+-A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT
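Review bot: the new rule accepts NEW UDP 1194 from any source on any interface, matching the style of the 53/953 rules above it, which is appropriate for a VPN endpoint that must be reachable from the internet. What the hunk leaves untouched is the FORWARD chain, which still ends in "-A FORWARD -j REJECT --reject-with icmp-host-prohibited". That is sufficient for this page's setup, since client-to-client traffic is relayed inside the daemon and clients only need to reach the server itself, but anyone who later uncomments the push "route ..." line in server.conf will also need FORWARD rules for tun0 (and IP forwarding enabled) or VPN clients will reach nothing behind the server.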

Once updated, restart the firewall.

/etc/init.d/iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

Now confirm that the new rule is active.

iptables-save
# Generated by iptables-save v1.4.7 on Thu Sep 29 00:52:24 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [73:22576]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 953 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 953 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Thu Sep 29 00:52:24 2011

Configure The Server

This file controls how the server behaves and needs to be created by hand.

vim /etc/openvpn/server.conf
###############################################################################
# OpenVPN 2.0 config file for the Alteeve's Niche! 'daimon.alteeve.ca'        #
# server.                                                                     #
#                                                                             #
# This file is for the server side of a many-clients <-> one-server OpenVPN   #
# configuration.                                                              #
#                                                                             #
# Comments are preceded with '#' or ';'                                       #
###############################################################################

# Which local IP address should OpenVPN listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances on the same machine, use a
# different port number for each one. You will need to open up this port on
# your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging and have precreated a tap0
# virtual interface and bridged it with your ethernet interface. If you want to
# control access policies over the VPN, you must create firewall rules for
# the TUN/TAP interface.
# You can give an explicit unit number, such as tun0.
# On most systems, the VPN will not function unless you partially or fully
# disable the firewall for the TUN/TAP interface.
;dev tap
dev tun

# SSL/TLS root certificate (ca), certificate (cert), and private key (key).
# Each client and the server must have their own cert and key file. The server
# and all clients will use the same ca file.
#
# See:
# https://alteeve.ca/w/OpenVPN_Server_on_EL6#Generate_the_Master_CA_Certificate_and_Key
# for instructions on generating RSA certificates and private keys. Remember
# to use a unique Common Name for the server and each of the client certificates.
#
# Any X509 key management system can be used. OpenVPN can also use a PKCS #12
# formatted key file (see "pkcs12" directive in man page).
;ca keys/ca.crt
;cert keys/server.crt
;key keys/server.key  # This file should be kept secret
ca keys/ca.crt
cert keys/daimon.alteeve.ca.crt
key keys/daimon.alteeve.ca.key

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys. 
;dh dh2048.pem
dh keys/dh1024.pem

# Configure server mode and supply a VPN subnet for OpenVPN to draw client
# addresses from. The server will take 10.30.0.1 for itself, the rest will be
# made available to clients.
# Each client will be able to reach the server on 10.30.0.1.
# Comment this line out if you are ethernet bridging. See the man page for more
# info.
server 10.30.0.0 255.255.0.0

# Maintain a record of client <-> virtual IP address associations in this file.
# If OpenVPN goes down or is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging. You must first use your OS's
# bridging capability to bridge the TAP interface with the ethernet NIC
# interface. Then you must manually set the IP/netmask on the bridge interface,
# here we assume 10.30.0.1/255.255.0.0.
# Finally we must set aside an IP range in this subnet (start=10.30.0.20
# end=10.30.0.250 to allocate to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.30.0.1 255.255.0.0 10.30.0.20 10.30.0.250

# Push routes to the client to allow it to reach other private subnets behind
# the server. Remember that these private subnets will also need to know to
# route the OpenVPN client address pool. In this example, we're routing to an
# example subnet at 10.40.0.0/255.255.0.0.
;push "route 10.40.0.0 255.255.0.0"

# To assign specific IP addresses to specific clients or if a connecting client
# has a private subnet behind it that should also have VPN access, use the
# subdirectory "ccd" for client-specific configuration files (see man page for
# more info).

# EXAMPLE:
# Suppose the client having the certificate common name "Thelonious" also has a
# small subnet behind their connecting machine, such as;
# 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to access the VPN. This example
# will only work if you are routing, not bridging, i.e. you are using "dev tun"
# and "server" directives.

# EXAMPLE:
# Suppose you want to give Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different firewall access policies for
# different groups of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each group, and firewall the
#     TUN/TAP interface for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically modify the firewall in
#     response to access from different clients. See man page for more info on
#     learn-address script.
;learn-address ./script

# If enabled, this directive will configure all clients to redirect their
# default network gateway through the VPN, causing all IP traffic such as web
# browsing and DNS lookups to go through the VPN (The OpenVPN server
# machine may need to NAT the TUN/TAP interface to the internet in order for
# this to work properly).
# CAVEAT:
# May break client's network config if client's local DHCP server packets get
# routed through the tunnel.
# Solution:
# Make sure client's local DHCP server is reachable via a more specific route
# than the default route of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"

# Certain Windows-specific network settings can be pushed to clients, such as
# DNS or WINS server addresses.
# CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.30.0.1"
;push "dhcp-option WINS 10.30.0.1"

# Uncomment this directive to allow different clients to be able to "see" each
# other. By default, clients will only see the server. To force clients to only
# see the server, you will also need to appropriately firewall the server's
# TUN/TAP interface. In my case, I need this.
client-to-client

# Uncomment this directive if multiple clients might connect with the same
# certificate/key files or common names. This is recommended only for testing
# purposes. For production use, each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME", UNCOMMENT THIS LINE.
;duplicate-cn

# The keepalive directive causes ping-like messages to be sent back and forth
# over the link so that each side knows when the other side has gone down. Ping
# every 10 seconds, assume that remote peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have a copy of this key. The second parameter
# should be '0' on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher. This config item must be copied to the client
# config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link. If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN daemon's privileges after
# initialization.
#
# You can uncomment this on non-Windows systems.
;user nobody
;group nobody

# The persist options will try to avoid accessing certain resources on restart
# that may no longer be accessible because of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing current connections, truncated and
# rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog. Use log or log-append to
# override this default. "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
;verb 3
verb 4

# Silence repeating messages. At most 20 sequential messages of the same
# message category will be output to the log.
;mute 20
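The status file named by the status openvpn-status.log directive above is the quickest way to see who is on the VPN. The following Python is an added example, not code from the Alteeve page or from the OpenVPN project: it parses the default (version 1) status format, joins the client list with the routing table to show each connection's VPN address, and flags any common name that is connected from more than one real address, which under this page's one-key-per-device rule should never happen. The sample status file is constructed; the client names are the page's and the addresses are documentation ranges.

```python
"""Parse an OpenVPN version-1 status file (what 'status openvpn-status.log'
writes) and report sessions and shared common names. Added example."""

# Constructed sample: names are the page's, addresses are documentation ranges.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Sep 29 01:10:02 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
digimer-lework,203.0.113.5:51234,12345,67890,Thu Sep 29 01:02:11 2011
digimer-phone,192.0.2.9:1194,2048,4096,Thu Sep 29 01:05:40 2011
digimer-lework,198.51.100.7:40022,512,1024,Thu Sep 29 01:09:58 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.30.0.10,digimer-lework,203.0.113.5:51234,Thu Sep 29 01:10:01 2011
10.30.0.14,digimer-phone,192.0.2.9:1194,Thu Sep 29 01:09:30 2011
10.30.0.18,digimer-lework,198.51.100.7:40022,Thu Sep 29 01:10:00 2011
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTION_TITLES = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


def parse_status(text):
    """Return {'updated': str, 'clients': [row dicts], 'routes': [row dicts]}.

    Each tabular section starts with a header row naming its columns; the
    rows are plain comma-separated values (this format does no quoting)."""
    result = {"updated": None, "clients": [], "routes": []}
    section, header = None, None
    for line in text.splitlines():
        if line in SECTION_TITLES:
            section, header = line, None
            continue
        fields = line.split(",")
        if section == "OpenVPN CLIENT LIST" and fields[0] == "Updated":
            result["updated"] = fields[1]
        elif section in ("OpenVPN CLIENT LIST", "ROUTING TABLE"):
            if header is None:
                header = fields
            else:
                key = "clients" if section == "OpenVPN CLIENT LIST" else "routes"
                result[key].append(dict(zip(header, fields)))
    return result


def sessions(status):
    """One entry per connection: common name, real address, VPN address, start."""
    vpn_addr = {(r["Common Name"], r["Real Address"]): r["Virtual Address"]
                for r in status["routes"]}
    return [{"cn": c["Common Name"], "real": c["Real Address"],
             "vpn": vpn_addr.get((c["Common Name"], c["Real Address"])),
             "since": c["Connected Since"]} for c in status["clients"]]


def shared_credentials(status):
    """Common names connected from more than one real address at once.

    The server only allows this when duplicate-cn is set, so under the page's
    one-key-per-device rule a hit means a key is in use from two places."""
    seen = {}
    for c in status["clients"]:
        seen.setdefault(c["Common Name"], []).append(c["Real Address"])
    return {cn: addrs for cn, addrs in seen.items() if len(addrs) > 1}


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    for s in sessions(status):
        print("%-16s %-20s -> %s (since %s)" % (s["cn"], s["real"], s["vpn"], s["since"]))
    for cn, addrs in shared_credentials(status).items():
        print("WARNING: %s connected from %d addresses: %s" % (cn, len(addrs), ", ".join(addrs)))
```

To run it against the real file, replace SAMPLE_STATUS with the contents of /etc/openvpn/openvpn-status.log (OpenVPN rewrites it every minute, so read it whole rather than tailing it). The lookup in sessions() keys on (common name, real address) rather than common name alone precisely so that a duplicated name still maps each connection to its own virtual address.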

Starting The Server

You should now be able to start the OpenVPN daemon!

/etc/init.d/openvpn start
Starting openvpn:                                          [  OK  ]

If the start fails, look in /var/log/messages for clues to the problem.

To confirm that the server is up, check the interfaces and you should now see a tun0 device.

Note: If you have anything already using tun0, the '0' will be incremented to the first free integer.
ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.30.0.1  P-t-P:10.30.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:34 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:4621 (4.5 KiB)  TX bytes:4997 (4.8 KiB)

Client Setup

You will need to set up keys for all clients that will connect to this server. Once done, you will copy

Creating The Client Keys

This should look familiar by now. Remember to change digimer-lework to the name of the keys you want to create.

cd /etc/openvpn
. ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys
./build-key digimer-lework
Generating a 1024 bit RSA private key
.........++++++
.............++++++
writing new private key to 'digimer-lework.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [ON]:
Locality Name (eg, city) [Toronto]:
Organization Name (eg, company) [Alteeve's Niche!]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [digimer-lework]:
Name []:
Email Address [admin@alteeve.ca]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CA'
stateOrProvinceName   :PRINTABLE:'ON'
localityName          :PRINTABLE:'Toronto'
organizationName      :T61STRING:'Alteeve's Niche!'
commonName            :PRINTABLE:'digimer-lework'
emailAddress          :IA5STRING:'admin@alteeve.ca'
Certificate is to be certified until Oct 13 01:24:21 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

client.conf

This file can be created on the server and then sent to the client, or created directly on the client device if you have access to it.

The most important lines to change for each new client device are:

  • cert client_dev.crt
  • key client_dev.key
Note: This file must end up on the client machine, as its /etc/openvpn/client.conf.
vim /etc/openvpn/client.conf
################################################################################
# Client-side OpenVPN 2.0 config file for client devices connecting to the     #
# Alteeve's Niche! -> 'daimon.alteeve.ca' multi-client OpenVPN server.         #
#                                                                              #
# This configuration can be used by multiple clients, however each client      #
# should have its own cert and key files.                                      #
#                                                                              #
# BE SURE TO SET:                                                              #
# - cert digimer-lework.crt                                                    #
# - key digimer-lework.key                                                     #
# To the name of the key you generated for the client device BEFORE sending    #
# this config file to the client!                                              #
################################################################################

# Specify that we are a client and that we will be pulling certain config file
# directives from the server.
client

# Use the same setting as you are using on the server. On most systems, the VPN
# will not function unless you partially or fully disable the firewall for the
# TUN/TAP interface.
;dev tap
dev tun

# Are we connecting to a TCP or UDP server? Use the same setting as on the
# server.
;proto tcp
proto udp

# The hostname/IP and port of the server. You can have multiple remote entries
# to load balance between the servers.
;remote my-server-2 1194
remote daimon.alteeve.ca 1194

# Choose a random host from the remote list for load-balancing. Otherwise try
# hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the host name of the OpenVPN server. Very
# useful on machines which are not permanently connected to the internet such
# as laptops.
resolv-retry infinite

# Most clients don't need to bind to a specific local port number.
nobind

# Downgrade privileges after initialization.
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and port number here. See the man page if
# your proxy server requires authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot of duplicate packets. Set this flag to
# silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more description. It's best to use a separate
# .crt/.key file pair for each client. A single ca file can be used for all
# clients.
ca keys/ca.crt
;cert digimer-lework.crt
;key digimer-lework.key
cert keys/digimer-lework.crt
key keys/digimer-lework.key

# Verify server certificate by checking that the certificate has the nsCertType
# field set to "server".  This is an important precaution to protect against a
# potential attack discussed here: http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate your server certificates with
# the nsCertType field set to "server". The build-key-server script in the
# easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server then every client must also have the
# key.
;tls-auth ta.key 1

# Select a cryptographic cipher. If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link. Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
;verb 3
verb 4

# Silence repeating messages
;mute 20
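Several comments in server.conf and client.conf say a setting must be mirrored on the other side (proto, dev, comp-lzo, cipher, tls-auth), and the box at the top of client.conf says to change the cert and key names before sending the file. What follows is an added example, not code from the Alteeve page or from the OpenVPN project, that turns those rules into a check: a small parser for the OpenVPN config syntax plus a comparison of a server.conf against a client.conf. The two sample configs are constructed, trimmed versions of the page's files; client_dev, digimer-lework and daimon.alteeve.ca are the page's own names.

```python
"""Compare an OpenVPN server.conf with a client.conf. Added example."""
import shlex

MUST_MATCH = ("proto", "dev", "cipher", "comp-lzo")   # same on both ends
PLACEHOLDER = "client_dev"                           # names the page says to replace


def parse_openvpn_conf(text):
    """Parse an OpenVPN config into {directive: [args, ...], ...}.
    A line starting with '#' or ';' is a comment and ' #' after the arguments
    starts a trailing comment. Repeatable directives (remote, push) keep every
    occurrence, so each value is a list of argument lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        cut = line.find(" #")
        if cut != -1:
            line = line[:cut].rstrip()
        parts = shlex.split(line)
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def first(conf, name, default=None):
    """Arguments of the first occurrence of a directive, or default."""
    return conf[name][0] if name in conf else default


def check_pair(server_text, client_text):
    """Return (errors, warnings): errors stop the tunnel or show the client file
    was never customised; warnings are hardening the page leaves commented out."""
    srv, cli = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    errors, warnings = [], []
    for name in MUST_MATCH:
        s, c = first(srv, name), first(cli, name)
        if s != c:
            errors.append("%s: server=%s client=%s" % (name, s, c))
    s, c = first(srv, "tls-auth"), first(cli, "tls-auth")
    if s and not c:
        errors.append("tls-auth set on the server but missing on the client")
    elif s and c and (s[0] != c[0] or s[1:2] != ["0"] or c[1:2] != ["1"]):
        errors.append("tls-auth: server=%s client=%s (want 0 / 1)" % (s, c))
    if "client" not in cli:
        errors.append("client.conf lacks the 'client' directive")
    port = first(srv, "port", ["1194"])[0]
    if "remote" not in cli:
        errors.append("client.conf has no 'remote' line")
    for r in cli.get("remote", []):
        if len(r) > 1 and r[1] != port:
            errors.append("remote %s uses port %s, server listens on %s" % (r[0], r[1], port))
    for name in ("ca", "cert", "key"):
        args = first(cli, name)
        if not args:
            errors.append("client.conf lacks '%s'" % name)
        elif PLACEHOLDER in args[0]:
            errors.append("%s still points at the placeholder %s" % (name, args[0]))
    if first(cli, "ns-cert-type") != ["server"]:
        warnings.append("client does not check nsCertType=server (ns-cert-type server)")
    return errors, warnings


# Constructed, trimmed versions of the page's server.conf and client.conf.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/daimon.alteeve.ca.crt
key keys/daimon.alteeve.ca.key  # This file should be kept secret
dh keys/dh1024.pem
server 10.30.0.0 255.255.0.0
comp-lzo
"""

CLIENT_OK = """\
client
dev tun
proto udp
remote daimon.alteeve.ca 1194
ca keys/ca.crt
cert keys/digimer-lework.crt
key keys/digimer-lework.key
comp-lzo
"""

# Same client with the mistakes the page warns about: wrong proto,
# compression not mirrored, cert/key left at the placeholder names.
CLIENT_BAD = """\
client
dev tun
proto tcp
remote daimon.alteeve.ca 1194
ca keys/ca.crt
cert client_dev.crt
key client_dev.key
"""
```

Calling check_pair(open("server.conf").read(), open("client.conf").read()) before the client file is tarred up catches the mismatches that otherwise only show up as a failed handshake in /var/log/messages. The one warning the good client still gets is the ns-cert-type server line the page's client.conf leaves commented; enabling it is what protects the client against a peer presenting some other certificate signed by the same CA.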

OpenVPN Client Software Install

How the client installs the OpenVPN software depends on the specifics of their operating system.

On RPM based systems, you can install the OpenVPN package. On EL6 machines, this will require installing from the DAG repositories as was done for the server.

On Ubuntu and other Debian-derivative distributions, run:

apt-get install openvpn

Files to Send to the Client

Now that you've generated the keys, switch into the /etc/openvpn directory (the keys live in its keys/ subdirectory). You will need to send the following to the client.

Warning: Be sure to send these files to the user over secure channels, preferably directly to their device!

We'll create a tarball of the keys we're going to send to the client. Be sure not to include the keys/digimer-lework.csr file!

cd /etc/openvpn
tar -cvzf digimer-lework_vpn-keys.tar.gz keys/ca.crt keys/digimer-lework.crt keys/digimer-lework.key
keys/ca.crt
keys/digimer-lework.crt
keys/digimer-lework.key

How you get this file to the client is up to you. Again though, use secure channels! Otherwise you have poked a big hole in your security.

Setting Up The Client

On the client's device, install OpenVPN if needed and then copy or extract their files to:

/etc/openvpn/

They should now have:

/etc/openvpn/client.conf
/etc/openvpn/keys/ca.crt
/etc/openvpn/keys/digimer-lework.crt
/etc/openvpn/keys/digimer-lework.key

Obviously, substitute digimer-lework for the name you used for the given client.

Now (re)start the client's openvpn daemon:

/etc/init.d/openvpn restart

How you make sure this starts with the user's machine depends on the particular distro they are using.

File Summary

These are the key files for OpenVPN.

Filename               Needed By                              Purpose                    Secret
ca.crt                 server + all clients                   Root CA certificate        No
ca.key                 key signing machine only               Root CA key                Yes
dh1024.pem             server only                            Diffie Hellman parameters  No
daimon.alteeve.ca.crt  daimon.alteeve.ca server only          Server Certificate         No
daimon.alteeve.ca.key  daimon.alteeve.ca server only          Server Key                 Yes

These files are an example of the digimer-lework keys. There will be a similar pair for every client's device you've made a key for.

digimer-lework.crt     The digimer-lework client device only  Client Certificate         No
digimer-lework.key     The digimer-lework client device only  Client Key                 Yes
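The tar command in "Files to Send to the Client" and the Secret column of this table together define what a client bundle may contain: ca.crt plus that one client's .crt and .key, nothing else, with the .key readable by its owner only. The following is an added example, not code from the Alteeve page, that builds such a bundle the way the page's tar command does and audits a bundle before it is sent. The keys/ directory it creates is a temporary one holding constructed placeholder files, since only the file names and modes matter for the check.

```python
"""Build and audit a client key bundle. Added example, not from the page."""
import os
import tarfile
import tempfile


def bundle_members(client):
    """The only three files a client device needs, per the file summary."""
    return {"keys/ca.crt", "keys/%s.crt" % client, "keys/%s.key" % client}


def make_tar(out_path, workdir, members):
    """Equivalent of the page's 'tar -cvzf out keys/...' run from workdir."""
    with tarfile.open(out_path, "w:gz") as tar:
        for name in sorted(members):
            tar.add(os.path.join(workdir, name), arcname=name)


def audit_bundle(tar_path, client):
    """Return a list of problems; an empty list means the bundle is safe to send.
    Anything beyond the three expected files is a problem (ca.key, the .csr,
    the server's or another client's key), as is a .key whose recorded mode
    lets group or other read it."""
    expected, seen, problems = bundle_members(client), set(), []
    with tarfile.open(tar_path, "r:gz") as tar:
        for m in tar.getmembers():
            seen.add(m.name)
            if m.name not in expected:
                problems.append("unexpected file in bundle: %s" % m.name)
            elif m.name.endswith(".key") and m.mode & 0o077:
                problems.append("%s readable by group/other (mode %o)" % (m.name, m.mode))
    for name in sorted(expected - seen):
        problems.append("missing from bundle: %s" % name)
    return problems


def demo(client="digimer-lework"):
    """Create a throwaway keys/ directory with placeholder files, build a
    correct bundle and a sloppy one, and return both audits."""
    with tempfile.TemporaryDirectory() as work:
        keys = os.path.join(work, "keys")
        os.mkdir(keys)
        # constructed placeholder contents: only names and modes matter here
        for name in ("ca.crt", "ca.key", "dh1024.pem", "daimon.alteeve.ca.crt",
                     "daimon.alteeve.ca.key", client + ".crt", client + ".key",
                     client + ".csr"):
            path = os.path.join(keys, name)
            with open(path, "w") as fh:
                fh.write("placeholder for %s\n" % name)
            os.chmod(path, 0o600 if name.endswith(".key") else 0o644)
        good = os.path.join(work, "%s_vpn-keys.tar.gz" % client)
        make_tar(good, work, bundle_members(client))
        sloppy = os.path.join(work, "sloppy.tar.gz")
        make_tar(sloppy, work, bundle_members(client) | {"keys/ca.key", "keys/%s.csr" % client})
        return audit_bundle(good, client), audit_bundle(sloppy, client)


if __name__ == "__main__":
    for label, problems in zip(("good bundle", "sloppy bundle"), demo()):
        print(label, "->", problems or "OK")
```

In real use, call audit_bundle("digimer-lework_vpn-keys.tar.gz", "digimer-lework") from /etc/openvpn right after the page's tar command; the audit is deliberately an allow-list, so a bundle built for one client that accidentally picked up a second client's files fails it too.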

Starting OpenVPN On The Client

You should now be able to start the OpenVPN daemon on the client machines. This is identical to starting it on the server.

/etc/init.d/openvpn start
Starting openvpn:                                          [  OK  ]

If the start fails, look in /var/log/messages for clues to the problem.

To confirm that the client is connected, check the interfaces and you should now see a tun0 device.

Note: If you have anything already using tun0, the '0' will be incremented to the first free integer.
ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.30.0.10  P-t-P:10.30.0.9  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

You should now be able to connect to the server, and vice-versa, using the 10.30.0.0 network.

Done!!

 

© Alteeve's Niche! Inc. 1997-2024   Anvil! "Intelligent Availability®" Platform