OPENVPN INSTALLATION AND CONFIGURATION TUTORIAL

Installation/Configuration Step-by-Step
Install OpenVPN

To install OpenVPN it is necessary to run on the terminal of each machine the following command:

# apt-get install openvpn

Generating the Certificates

To create the certificates must be used the "easy-rsa", a set of scripts included into OpenVPN. For
that it is necessary to perform on the Server Linux Terminal the following instructions:

# cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
# mkdir /etc/openvpn/easy-rsa
# cp -a * /etc/openvpn/easy-rsa

Was created a new folder "/etc/openvpn/easy-rsa" that must have the following content:

2.0 build-key build-req make-crl revoke-full

build-ca build-key-pass build-req-pass openssl.cnf sign-req
build-dh build-key-pkcs12 clean-all README.gz vars
build-inter build-key-server list-crl revoke-crt

All the configurations must now be done inside of the folder "/etc/openvpn/easy-rsa".
To start must be changed the archive "vars".

# nano vars

In the end of "vars" archive there are a set of parameters used to generate keys (country, province,
city, etc.), that can be edited like:

export KEY_COUNTRY=CZ
export KEY_PROVINCE=MORAVIA
export KEY_CITY="OSTRAVA"
export KEY_ORG="VSB"
export KEY_EMAIL="smsparada@ua.pt"

Next, to upload the variables inside of the archive "vars" is necessary to run the following
commands:

# source vars
# ./clean-all

saulparada 1
# ./build-ca

Generating a 1024 bit RSA private key

...................++++++
.....................++++++
writing new private key to 'ca.key'
-----

Then it will be asked to enter information that will be incorporated into the certificate request.
What it should be entered is what is called a Distinguished Name.
There are quite a few fields, but some of them can be left in blank. For some fields there are default
values. If it is entered '.', the field will be left at blank.

Country Name (2 letter code) [CZ]: CZ

State or Province Name (full name) [MORAVIA]: MORAVIA
Locality Name (eg, city) [OSTRAVA]: OSTRAVA
Organization Name (eg, company) [VSB]: VSB
Organizational Unit Name (eg, section) []: FEI
Common Name (eg, your name or your server's hostname) []: SMSP
Email Address [smsparada@ua.pt]: smsparada@ua.pt

This will create a folder "/etc/openvpn/easy-rsa/keys" with the following content:

ca.crt ca.key index.txt serial

To generate the server certificate is used the "build-key-server" script, specifying as parameter the
name of the archive which will be used ("server", for example):

# cd /etc/openvpn/easy-rsa/
# ./build-key-server server

NOTE: Must be used the same information included in the "build-ca".

Common Name (eg, your name or your server's hostname) []: SMSP
A challenge password []: ****
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y

Next, will be generated the keys used by the clients by running the script "build-key":

# ./build-key client

Generating a 1024 bit RSA private key

.++++++
.......................++++++
writing new private key to 'client.key'
NOTE: Must be confirmed the parameters used in "build-key-server".

saulparada 2
Common Name (eg, your name or your server's hostname) []: Client
...
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y

Now must be performed the following command in order to generate the Diffie-Hellman
parameters and increase the security:

# ./build-dh
# rm keys/*.csr

In the end must be found a set of archives inside of "/etc/openvpn/easy-rsa/keys" similar to:

ca.crt client.key index.txt server.crt client.crt

ca.key index.txt.attr server.key serial

Now it is necessary to install the keys, on both server and client.

For the server we must copy the files "ca.crt", "server.crt", "server.key" and the Diffie-Hellman key
(dh1024.pem) to a new folder "/etc/openvpn/keys".

# cd /etc/openvpn/easy-rsa/keys
# mkdir /etc/openvpn/keys
# cp -a ca.crt server.crt server.key /etc/openvpn/keys/
# cp -a dh1024.pem /etc/openvpn/keys/

All the clients must have the archives "ca.crt", "dh1024.pem" and all the ".crt" and ".key"
correspondent files. On the client side it is necessary, as well to create a new folder
"/etc/openvpn/keys" and copy the files into.

Synchronizing the Server-Client clocks

All the machine clocks must be synchronized. For that purpose, the following command must be
executed on both, server and client machines:

# ntpdate -u pool.ntp.org

OpenVPN implementation scheme.

saulparada 3
 Server configuration file

Must be created, on the server machine, the configuration archive used by the OpenVPN.

# nano /etc/openvpn/server.conf

The archive "/etc/openvpn/server.conf" must have the following content:

local 158.196.81.208 # Local IP address that OpenVPN should listen on

dev tun0 # Routed IP tunnel
ifconfig 10.8.0.1 10.8.0.2 # Tunnel IP addresses (Server – Client)
tls-server # TLS Server
proto tcp-server # TCP Server
port 1194 # TCP/UDP port that OpenVPN should listen on

ca /etc/openvpn/keys/ca.crt # SSL/TLS root certificate

cert /etc/openvpn/keys/server.crt # Certificate
key /etc/openvpn/keys/server.key # Private key (this file should be kept secret)
dh /etc/openvpn/keys/dh1024.pem # Diffie-Hellman parameters

keepalive 10 120 # Ping every 10 seconds, assume that remote peer

# is down if no ping received during a 120
# second time period.

;cipher AES-128-CBC # AES cipher - 128 bit default key (fixed)

;cipher DES-EDE3-CBC # 3DES cipher - 192 bit default key (fixed)

auth none #
comp-lzo # Enable compression on the VPN link
max-clients 100 # Assign the maximum number of clients

# The persist options will try to avoid accessing certain resources on restart that may no
# longer be accessible because of the privilege downgrade
persist-key
persist-tun

# Output a short status file showing current connections, truncated and rewritten every
# minute.
status openvpn-status.log

# Set the appropriate level of log file verbosity (3 - reasonable for general usage)
verb 3

# Lines starting with # or ; will not be read by OpenVPN

saulparada 4
 Client configuration file

Analogously, must be created the client configuration file used by the OpenVPN. The archive
"/etc/openvpn/client.conf", on the client machine, must be like:

dev tun0 # Routed IP tunnel

remote 158.196.81.208 # IP address of the Server
ifconfig 10.8.0.2 10.8.0.1 # Tunnel IP addresses (Client – Server)
tls-client # TLS Client
proto tcp-client # TCP Client
port 1194 # TCP/UDP port that OpenVPN should listen on

ca /etc/openvpn/keys/ca.crt # SSL/TLS root certificate

cert /etc/openvpn/keys/client.crt # Certificate
key /etc/openvpn/keys/client.key # Private key (this file should be kept secret)
dh /etc/openvpn/keys/dh1024.pem # Diffie-Hellman parameters

keepalive 10 120 # Ping every 10 seconds, assume that remote peer

# is down if no ping received during a 120
# second time period.

;cipher AES-128-CBC # AES cipher - 128 bit default key (fixed)

;cipher DES-EDE3-CBC # 3DES cipher - 192 bit default key (fixed)

auth none #
comp-lzo # Enable compression on the VPN link
max-clients 100 # Assign the maximum number of clients

# The persist options will try to avoid accessing certain resources on restart that may no
# longer be accessible because of the privilege downgrade
persist-key
persist-tun

# Output a short status file showing current connections, truncated and rewritten every
# minute.
status openvpn-status.log

# Set the appropriate level of log file verbosity (3 - reasonable for general usage)
verb 3

# Lines starting with # or ; will not be read by OpenVPN

saulparada 5
 Restart OpenVPN

After performed all the configurations on both, client and server machines, it is necessary to restart
the OpenVPN in order to apply the new set configurations:

# /etc/init.d/openvpn restart

Now when performed the instruction "ifconfig tun" on the server side, it should show an output
similar to:

# ifconfig tun
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

NOTE: The output of the command "ifconfig tun" on the client side must be similar.

Commands

OpenVPN can be started, stopped and restarted using the following commands:

# service openvpn start

# service openvpn stop
# service openvpn restart

Sources:
http://openvpn.net/index.php/documentation/howto.html

OpenVPN: Building and Integrating Virtual Private Networks by Markus Feilner

saulparada 6