Installation/Configuration Step-by-Step
Install OpenVPN
To install OpenVPN, run the following command in the terminal of each machine:
The certificates are created with "easy-rsa", a set of scripts included with OpenVPN. For that, run the following instructions in the server's Linux terminal:
# cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
# mkdir /etc/openvpn/easy-rsa
# cp -a * /etc/openvpn/easy-rsa
A new folder "/etc/openvpn/easy-rsa" has now been created; it must have the following content:
All the configuration must now be done inside the folder "/etc/openvpn/easy-rsa".
Start by editing the file "vars":
# nano vars
At the end of the "vars" file there is a set of parameters used to generate the keys (country, province, city, etc.), which can be edited like this:
export KEY_COUNTRY=CZ
export KEY_PROVINCE=MORAVIA
export KEY_CITY="OSTRAVA"
export KEY_ORG="VSB"
export KEY_EMAIL="smsparada@ua.pt"
Next, to load the variables defined in the file "vars", run the following commands:
# source vars
# ./clean-all
saulparada 1
# ./build-ca
You will then be asked to enter the information that will be incorporated into the certificate request; what you enter is called a Distinguished Name.
There are quite a few fields, but some of them can be left blank. Some fields have default values; entering '.' leaves the field blank.
The server certificate is generated with the "build-key-server" script, passing as parameter the name of the file that will be used ("server", for example):
# cd /etc/openvpn/easy-rsa/
# ./build-key-server server
Common Name (eg, your name or your server's hostname) []: SMSP
A challenge password []: ****
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Next, generate the keys used by the clients by running the "build-key" script:
# ./build-key client
Common Name (eg, your name or your server's hostname) []: Client
...
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Now run the following command to generate the Diffie-Hellman parameters and increase security:
# ./build-dh
# rm keys/*.csr
At the end, a set of files similar to the following should be found inside "/etc/openvpn/easy-rsa/keys":
# cd /etc/openvpn/easy-rsa/keys
# mkdir /etc/openvpn/keys
# cp -a ca.crt server.crt server.key /etc/openvpn/keys/
# cp -a dh1024.pem /etc/openvpn/keys/
All the clients must have the files "ca.crt", "dh1024.pem" and their corresponding ".crt" and ".key" files. On the client side it is also necessary to create a new folder "/etc/openvpn/keys" and copy the files into it.
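Before copying the easy-rsa output to the server and clients, a practitioner would check that every certificate really chains to ca.crt, that each certificate has its private key next to it, and that the keys are not group- or world-readable. The following shell function is an added example, not part of the original tutorial; it assumes the easy-rsa 2.0 layout used above (ca.crt plus <name>.crt / <name>.key pairs in one directory) and that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sanity-check the easy-rsa
# output before it is copied to /etc/openvpn/keys. Assumes the easy-rsa 2.0
# layout used above (ca.crt plus <name>.crt / <name>.key pairs in one directory).

# check_vpn_keys DIR: verify that every <name>.crt in DIR chains to DIR/ca.crt,
# has a matching <name>.key, and that the key is readable by its owner only.
# Prints one line per finding and returns the number of findings (0 = all good).
check_vpn_keys() {
    dir=$1
    findings=0
    if [ ! -f "$dir/ca.crt" ]; then
        echo "MISSING: $dir/ca.crt"
        return 1
    fi
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue          # no *.crt files at all
        name=$(basename "$crt" .crt)
        [ "$name" = "ca" ] && continue     # the CA certificate itself
        # OpenVPN only accepts peers whose certificate is signed by the CA in ca.crt;
        # anything else here means the wrong CA was used for signing.
        if ! openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1; then
            echo "BAD CHAIN: $crt is not signed by $dir/ca.crt"
            findings=$((findings + 1))
        fi
        key="$dir/$name.key"
        if [ ! -f "$key" ]; then
            echo "MISSING: $key (private key for $crt)"
            findings=$((findings + 1))
            continue
        fi
        # Private keys must be mode 0600 (or 0400); easy-rsa creates them 0600,
        # and "cp -a" preserves whatever mode they had.
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case $mode in
            600|400) ;;
            *) echo "PERMS: $key is mode $mode, expected 600"
               findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}
```

Run it as `check_vpn_keys /etc/openvpn/easy-rsa/keys` on the server, and again on each client against the copied "/etc/openvpn/keys" folder, which should contain only that client's own .crt/.key pair besides ca.crt.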
All the machine clocks must be synchronized. For that purpose, the following command must be executed on both the server and the client machines:
# ntpdate -u pool.ntp.org
Server configuration file
The configuration file used by OpenVPN must be created on the server machine:
# nano /etc/openvpn/server.conf
auth none # Disable HMAC packet authentication
comp-lzo # Enable compression on the VPN link
max-clients 100 # Assign the maximum number of clients
# The persist options will try to avoid accessing certain resources on restart that may no
# longer be accessible because of the privilege downgrade
persist-key
persist-tun
# Output a short status file showing current connections, truncated and rewritten every
# minute.
status openvpn-status.log
# Set the appropriate level of log file verbosity (3 - reasonable for general usage)
verb 3
Client configuration file
Analogously, the client configuration file used by OpenVPN must be created. The file "/etc/openvpn/client.conf", on the client machine, must look like:
auth none # Disable HMAC packet authentication
comp-lzo # Enable compression on the VPN link
max-clients 100 # Assign the maximum number of clients
# The persist options will try to avoid accessing certain resources on restart that may no
# longer be accessible because of the privilege downgrade
persist-key
persist-tun
# Output a short status file showing current connections, truncated and rewritten every
# minute.
status openvpn-status.log
# Set the appropriate level of log file verbosity (3 - reasonable for general usage)
verb 3
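Both configuration files above carry "auth none", which turns off HMAC authentication of the VPN packets, so with the CBC ciphers of that OpenVPN generation modified or injected packets are not detected. The following shell lint is an added example, not from the tutorial: it flags that line and prints the hardened directive beside it, and it goes a little beyond the page by also checking for "cipher none", for a missing tls-auth/tls-crypt line, and for a client file without "remote-cert-tls server". Directive names are those of OpenVPN 2.1 and later; the file paths passed to it are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial: flag weak directives in an
# OpenVPN 2.x configuration such as the "auth none" line shown above, and
# print the hardened directive that should replace or accompany each one.

# lint_ovpn_conf FILE: prints one "<finding>: <recommendation>" line per weak
# or missing directive and returns the number of findings (0 = nothing found).
lint_ovpn_conf() {
    conf=$1
    n=0
    # Drop comments ('#' or ';' to end of line) so commented-out examples are ignored
    active=$(sed 's/[#;].*//' "$conf")
    # "auth none" disables HMAC authentication of data-channel packets
    if printf '%s\n' "$active" | grep -qE '^[[:space:]]*auth[[:space:]]+none'; then
        echo "auth none: replace with 'auth SHA256' (HMAC packet authentication)"
        n=$((n + 1))
    fi
    # "cipher none" sends the tunnel traffic in clear text
    if printf '%s\n' "$active" | grep -qE '^[[:space:]]*cipher[[:space:]]+none'; then
        echo "cipher none: replace with 'cipher AES-256-GCM' (data-channel encryption)"
        n=$((n + 1))
    fi
    # Without tls-auth or tls-crypt the TLS control channel answers any handshake
    if ! printf '%s\n' "$active" | grep -qE '^[[:space:]]*(tls-auth|tls-crypt)[[:space:]]'; then
        echo "no tls-auth: add 'tls-auth ta.key 0' on the server ('tls-auth ta.key 1' on clients) and distribute ta.key with the certificates"
        n=$((n + 1))
    fi
    # A client that does not check the server certificate's role accepts any
    # certificate signed by the CA, including another client's
    if printf '%s\n' "$active" | grep -qE '^[[:space:]]*client[[:space:]]*$' \
       && ! printf '%s\n' "$active" | grep -qE '^[[:space:]]*(remote-cert-tls[[:space:]]+server|ns-cert-type[[:space:]]+server)'; then
        echo "no remote-cert-tls: add 'remote-cert-tls server' to the client config"
        n=$((n + 1))
    fi
    return "$n"
}
```

Run it as `lint_ovpn_conf /etc/openvpn/server.conf` on the server and `lint_ovpn_conf /etc/openvpn/client.conf` on each client; a zero exit status means none of the checked weaknesses is present.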
Restart OpenVPN
After all the configurations have been applied on both the client and server machines, OpenVPN must be restarted so that the new configuration takes effect:
# /etc/init.d/openvpn restart
Now, running "ifconfig tun" on the server side should show an output similar to:
# ifconfig tun
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
NOTE: The output of the command "ifconfig tun" on the client side should be similar.
Commands
OpenVPN can be started, stopped and restarted using the following commands:
Sources:
http://openvpn.net/index.php/documentation/howto.html