OpenVPN Installation

| September 3rd, 2010

UPDATE: I realize I cannot cover everything in one post, so I’m breaking my openvpn discussions into several sessions as I work on openvpn. This first session will just be about installing and connecting client(s) to one server without any routing.

I keep forgetting how to configure OpenVPN and it’s so annoying reading the same HOWTO a dozen times! The problem is I only setup VPN once a year and I forget it afterwards, so this post is partially for my own personal reference.

sudo apt-get install openvpn

Decision #1 (out of many!) – PKI (Public Key Infrastructure) or Static keys..

PKI:  More complex to setup, but more secure, supports multiple clients
Static: Very simple to setup (1 command), insecure (all traffic could be decrypted if the static.key file is lost), only supports 1 client

Static Keys Setup:

The openVPN tutorial is simple enough to follow so I am just going to link it here. You can add commands such as port 443 or proto tcp-server and route, but be warned! Push commands do not work from the server! You need some tls-mode which is not available using a static key. I wasted some time trying to debug this and wondered why my push commands were not being honored until I explicitly placed pull in the client config and found out:

Options error: Parameter –pull can only be specified in TLS-mode, i.e. where –tls-server or –tls-client is also specified.

Public Key Infrastructure (PKI) Setup:

# setup CA & key-generating server
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown bashusr: /etc/openvpn/easy-rsa

# create keys
vi /etc/openvpn/easy-rsa/vars # set defaults for state, country, email, etc.
source vars

./build-key-server server

./build-key no_password_client
./build-key-pass client_with_password

cd keys
cp ca.crt server.crt server.key dh1024.pem /etc/openvpn/

scp ca.crt no_password_client.crt no_password_client.key remoteclient:/etc/openvpn/

# you can find this configuration file online here too
sudo bash -c ‘gzip -dc /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf’

Choices choices… At this point, you (or I?) have to decide whether to do ethernet bridging or routing, here’s a simple rundown:

TUN: Ethernet Routing (different networks), good for site to site, client to site, or site to client connections

TAP: Ethernet Bridging (same network), good for client to site – simplified setup (setup instructions)

(Note to self, you’ll need to use TUN if you want to do any routing!)

Go through the config file reading the descriptions to each line. Remember, this is just a reference… you should have a general idea what you want to do with the IP addresses, if not… read the full howto! You shouldn’t be here! After you’re done, create a corresponding client.conf and install it on the client. Then test the configuration using:

openvpn –config CONFIGFILE.conf

If the connection establishes, you’re all set! Now, make sure if you’re behind a router, that you forward the appropriate ports so you can connect from outside your network. Also, setup the service (on ubuntu, you don’t have to do anything) so it runs automatically on startup.

/etc/init.d/openvpn start

Stay tuned for future posts on VPN routing…

2 Responses to “OpenVPN Installation”

  1. bashusr » Blog Archive » OpenVPN Site to Client (Road Warrior) Setup Says:

    […] $ /bin/bash -x /usr/sbin/ > /dev/internet « OpenVPN Installation   OpenVPN Site to Client (Road Warrior) Setup | September 4th, […]

  2. bashusr » Blog Archive » OpenVPN TAP Bridge Says:

    […] Again, we assume you have the initial config working… […]

Leave a Reply