Difference between revisions of "OpenVPN"

From ArchWiki
Jump to: navigation, search
(Remove trailing spaces)
(retract the change from 128bit blowfish to 256bit aes encryption)
(4 intermediate revisions by the same user not shown)
Line 3: Line 3:
 
{{Expansion}}
 
{{Expansion}}
 
{{Accuracy}}
 
{{Accuracy}}
 +
<!--' add support for ipv6 and L2 ethernet bridging '-->
  
 
This article describes a basic installation and configuration of OpenVPN, suitable for private and small business use. For more detailed information, please see the excellent [http://openvpn.net/index.php/open-source/documentation official OpenVPN documentation].
 
This article describes a basic installation and configuration of OpenVPN, suitable for private and small business use. For more detailed information, please see the excellent [http://openvpn.net/index.php/open-source/documentation official OpenVPN documentation].
Line 11: Line 12:
  
 
(Source: [[Wikipedia:OpenVPN]])
 
(Source: [[Wikipedia:OpenVPN]])
 +
 +
==Preamble==
  
 
==Installing OpenVPN==
 
==Installing OpenVPN==
Line 17: Line 20:
 
{{Note|The package contains both server and client software, so install it on all machines that need to create vpn connections.}}
 
{{Note|The package contains both server and client software, so install it on all machines that need to create vpn connections.}}
  
 +
<!--' what does this do, and is the package still supported?
 
You may also want to install {{AUR|openvpn-authldap-plugin}}, available in the [[Arch User Repository]].
 
You may also want to install {{AUR|openvpn-authldap-plugin}}, available in the [[Arch User Repository]].
 
+
'-->
 
==Configuring the kernel==
 
==Configuring the kernel==
  
Line 231: Line 235:
 
name                  :PRINTABLE:'Acme-CA'
 
name                  :PRINTABLE:'Acme-CA'
 
emailAddress          :IA5STRING:'roadrunner@acmecorp.org'
 
emailAddress          :IA5STRING:'roadrunner@acmecorp.org'
Certificate is to be certified until Dec 23 19:11:59 2021 GMT (3650 days)
+
Certificate is to be certified until Dec 27 19:11:59 2021 GMT (3650 days)
 
Sign the certificate? [y/n]:y
 
Sign the certificate? [y/n]:y
  
Line 303: Line 307:
 
name                  :PRINTABLE:'Acme-CA'
 
name                  :PRINTABLE:'Acme-CA'
 
emailAddress          :IA5STRING:'roadrunner@acmecorp.org'
 
emailAddress          :IA5STRING:'roadrunner@acmecorp.org'
Certificate is to be certified until Dec 23 19:18:27 2021 GMT (3650 days)
+
Certificate is to be certified until Dec 27 19:18:27 2021 GMT (3650 days)
 
Sign the certificate? [y/n]:y
 
Sign the certificate? [y/n]:y
  
Line 311: Line 315:
 
Data Base Updated
 
Data Base Updated
 
</nowiki>}}
 
</nowiki>}}
 +
 +
Generate a [[Wikipedia:HMAC|Hash-based Message Authentication Code (HMAC)]] by running:
 +
{{ic|# openvpn --genkey --secret /root/easy-rsa/keys/ta.key}}
 +
 +
This will be used to add an additional HMAC signature to all SSL/TLS handshake packets.  Any UDP packet not having the correct HMAC signature will be immidiately dropped, protecting against:
 +
 +
* Portscanning.
 +
* DOS attacks on the OpenVPN UDP port.
 +
* SSL/TLS handshake initiations from unauthorized machines.
 +
* Any eventual buffer overflow vulnerabilities in the SSL/TLS implementation.
  
 
All the created certificates and keys have been stored in /root/easy-rsa/keys.  If you make a mistake, you can start over by running the clean-all script again.
 
All the created certificates and keys have been stored in /root/easy-rsa/keys.  If you make a mistake, you can start over by running the clean-all script again.
Line 324: Line 338:
 
The ca.crt certificate will be needed on all servers and clients. The ca.key private key is secret and only needed on the key generating machine.
 
The ca.crt certificate will be needed on all servers and clients. The ca.key private key is secret and only needed on the key generating machine.
  
The server.crt, server.key (secret) and dh{n}.pem files are needed on the server.
+
The server.crt, dh{n}.pem, server.key (secret), and ta.key (secret) files are needed on the server.
  
The client.crt and client.key (secret) files are needed on the client.
+
The client.crt, client.key (secret), and ta.key (secret) files are needed on the client.
  
 
==Configuring OpenVPN==
 
==Configuring OpenVPN==
Line 332: Line 346:
 
OpenVPN is an extremely versatile software and many configurations are possible.  You could have machines that are both "servers" and "clients", so the distinction between server and client is blurred.
 
OpenVPN is an extremely versatile software and many configurations are possible.  You could have machines that are both "servers" and "clients", so the distinction between server and client is blurred.
  
What really distinguishes a server from a client is the configuration file itself.  The openvpn daemon script reads all the .conf configuration files it finds in /etc/openvpn on startup, and acts accordingly. In fact if it finds more than one configuration file it will start at least one OpenVPN processes per configuration file.
+
What really distinguishes a server from a client is the configuration file itself.  The openvpn daemon startup script reads all the .conf configuration files it finds in /etc/openvpn on startup, and acts accordingly. In fact if it finds more than one configuration file it will start one OpenVPN processes per configuration file.
  
 
This article explains how to setup a machine that we call the server (elmer), and a client that connects to it called (bugs).  You can easily add more clients by generating more client certificates/keys and adding client configurations on more machines.
 
This article explains how to setup a machine that we call the server (elmer), and a client that connects to it called (bugs).  You can easily add more clients by generating more client certificates/keys and adding client configurations on more machines.
Line 360: Line 374:
 
dh /etc/openvpn/dh1024.pem
 
dh /etc/openvpn/dh1024.pem
 
}}
 
}}
 +
 +
Enable the SSL/TLS HMAC handshake protection:
 +
{{Note| Use the parameter 0 on a server configuration.}}
 +
{{hc|/etc/openvpn/server.conf|tls-auth /etc/openvpn/ta.key 0}}
 +
 +
<!--' probably better to use blowfish...
 +
Enable the 256 bit [[Wikipedia:Advanced_Encryption_Standard|AES (Advanced Encryption Standard)]] instead of the default 128 bit blowfish cryptographic cipher:
 +
{{hc|/etc/openvpn/server.conf|
 +
;cipher BF-CBC        # Blowfish (default)
 +
;cipher AES-128-CBC  # AES
 +
;cipher DES-EDE3-CBC  # Triple-DES
 +
cipher AES-256-CBC
 +
}}
 +
'-->
  
 
For security reasons is recommended to configure OpenVPN to drop root privileges once it has initialized. Do this by uncommenting the user and group directives.
 
For security reasons is recommended to configure OpenVPN to drop root privileges once it has initialized. Do this by uncommenting the user and group directives.
Line 395: Line 423:
 
}}
 
}}
  
 +
Enable the SSL/TLS HMAC handshake protection:
 +
{{Note| Use the parameter 1 on a client configuration.}}
 +
 +
{{hc|/etc/openvpn/client.conf|tls-auth /etc/openvpn/ta.key 1}}
 +
 +
<!--' probably better to use blowfish...
 +
Enable the 256 bit [[Wikipedia:Advanced_Encryption_Standard|AES (Advanced Encryption Standard)]] instead of the default 128 bit blowfish cryptographic cipher:
 +
{{hc|/etc/openvpn/client.conf|
 +
;cipher x
 +
cipher AES-256-CBC
 +
}}
 +
'-->
 
==Configuring iptables==
 
==Configuring iptables==
  
Line 407: Line 447:
 
==Testing the OpenVPN configuration==
 
==Testing the OpenVPN configuration==
  
Run {{ic|# openpvn /etc/openvpn/server.conf}} on the server.  You should see something similar to this:
+
Run {{ic|# openpvn /etc/openvpn/server.conf}} on the server, and {{ic|# openpvn /etc/openvpn/client.conf}} on the client.  You should see something similar to this:
  
 
{{hc|# openpvn /etc/openvpn/server.conf|<nowiki>
 
{{hc|# openpvn /etc/openvpn/server.conf|<nowiki>
 
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
 
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:26 2011 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
 
 
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
 
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key
+
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 1024 bit key
 
Wed Dec 28 14:41:26 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
 
Wed Dec 28 14:41:26 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
 
Wed Dec 28 14:41:26 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]
 
Wed Dec 28 14:41:26 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]
Wed Dec 28 14:41:26 2011 ROUTE default_gateway=192.168.0.1
+
Wed Dec 28 14:41:26 2011 ROUTE default_gateway=10.66.0.1
 
Wed Dec 28 14:41:26 2011 TUN/TAP device tun0 opened
 
Wed Dec 28 14:41:26 2011 TUN/TAP device tun0 opened
 
Wed Dec 28 14:41:26 2011 TUN/TAP TX queue length set to 100
 
Wed Dec 28 14:41:26 2011 TUN/TAP TX queue length set to 100
Line 439: Line 478:
 
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Expected Remote Options hash (VER=V4): '41690919'
 
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Expected Remote Options hash (VER=V4): '41690919'
 
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 TLS: Initial packet from 95.126.136.73:48904, sid=163f4a5e e0399137
 
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 TLS: Initial packet from 95.126.136.73:48904, sid=163f4a5e e0399137
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=1, /C=LU/ST=Luxembourg/L=Luxembourg/O=Alchemy/CN=Alchemy-CA/name=Alchemy-CA/emailAddress=jbh@alchemy.lu
+
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=0, /C=LU/ST=Luxembourg/L=Luxembourg/O=Alchemy/CN=freja/name=Alchemy-CA/emailAddress=jbh@alchemy.lu
+
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=bugs/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
 
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
 
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
 
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
 
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
 
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
 
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
 
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
 
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
+
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 [freja] Peer Connection Initiated with 95.126.136.73:48904
+
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 [bugs] Peer Connection Initiated with 95.126.136.73:48904
Wed Dec 28 14:41:54 2011 freja/95.126.136.73:48904 MULTI: Learn: 10.8.0.6 -> freja/95.126.136.73:48904
+
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: Learn: 10.8.0.6 -> bugs/95.126.136.73:48904
Wed Dec 28 14:41:54 2011 freja/95.126.136.73:48904 MULTI: primary virtual IP for freja/95.126.136.73:48904: 10.8.0.6
+
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6
Wed Dec 28 14:41:57 2011 freja/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
+
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 28 14:41:57 2011 freja/95.126.136.73:48904 SENT CONTROL [freja]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
+
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
 
</nowiki>}}
 
</nowiki>}}
 
Run {{ic|# openpvn /etc/openvpn/client.conf}} on the client.  You should see something similar to this:
 
  
 
{{hc|# openpvn /etc/openvpn/client.conf|<nowiki>
 
{{hc|# openpvn /etc/openvpn/client.conf|<nowiki>
Line 468: Line 505:
 
Wed Dec 28 14:41:51 2011 UDPv4 link remote: 85.93.204.250:1194
 
Wed Dec 28 14:41:51 2011 UDPv4 link remote: 85.93.204.250:1194
 
Wed Dec 28 14:41:51 2011 TLS: Initial packet from 85.93.204.250:1194, sid=5f379f35 50c9ab11
 
Wed Dec 28 14:41:51 2011 TLS: Initial packet from 85.93.204.250:1194, sid=5f379f35 50c9ab11
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=1, /C=LU/ST=Luxembourg/L=Luxembourg/O=Alchemy/CN=Alchemy-CA/name=Alchemy-CA/emailAddress=jbh@alchemy.lu
+
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
 
Wed Dec 28 14:41:52 2011 VERIFY OK: nsCertType=SERVER
 
Wed Dec 28 14:41:52 2011 VERIFY OK: nsCertType=SERVER
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=0, /C=LU/ST=Luxembourg/L=Luxembourg/O=Alchemy/CN=tor/name=Alchemy-CA/emailAddress=jbh@alchemy.lu
+
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=elmer/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
 
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
 
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
 
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
 
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
 
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
 
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
 
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
 
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
+
Wed Dec 28 14:41:54 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 28 14:41:54 2011 [tor] Peer Connection Initiated with 85.93.204.250:1194
+
Wed Dec 28 14:41:54 2011 [elmer] Peer Connection Initiated with 85.93.204.250:1194
Wed Dec 28 14:41:57 2011 SENT CONTROL [tor]: 'PUSH_REQUEST' (status=1)
+
Wed Dec 28 14:41:57 2011 SENT CONTROL [elmer]: 'PUSH_REQUEST' (status=1)
 
Wed Dec 28 14:41:57 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
 
Wed Dec 28 14:41:57 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
 
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: timers and/or timeouts modified
 
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: timers and/or timeouts modified
Line 495: Line 532:
 
On the server, find the IP assigned to the tunX device:
 
On the server, find the IP assigned to the tunX device:
  
{{hc|# ifconfig|<nowiki>
+
{{hc|# ip addr show|<nowiki>
 
.
 
.
 
.
 
.
 
.
 
.
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500 metric 1
+
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
        inet 10.8.0.1 netmask 255.255.255.255  destination 10.8.0.2
+
    link/none
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
+
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0</nowiki>}}
        RX packets 0  bytes 0 (0.0 B)
+
        RX errors 0  dropped 0  overruns 0  frame 0
+
        TX packets 0  bytes 0 (0.0 B)
+
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
</nowiki>}}
+
  
 
Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.
 
Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.
Line 512: Line 544:
 
Do the same on the client:
 
Do the same on the client:
  
{{hc|# ifconfig|<nowiki>
+
{{hc|# ip addr show|<nowiki>
 
.
 
.
 
.
 
.
 
.
 
.
tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500 metric 1
+
37: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
        inet 10.8.0.6 netmask 255.255.255.255  destination 10.8.0.5
+
    link/none
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
+
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun1</nowiki>}}
        RX packets 0  bytes 0 (0.0 B)
+
        RX errors 0  dropped 0  overruns 0  frame 0
+
        TX packets 0  bytes 0 (0.0 B)
+
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
</nowiki>}}
+
  
 
And the client side has been given the IP 10.8.0.6.
 
And the client side has been given the IP 10.8.0.6.
Line 554: Line 581:
 
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms
 
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms
 
</nowiki>}}
 
</nowiki>}}
 +
 +
You now have a working OpenVPN installation, and your client (bugs) will be able to use services on the server (elmer).
  
 
==Starting OpenVPN==
 
==Starting OpenVPN==
  
To start OpenVPN run:
+
To start OpenVPN manually run:
  
 
{{bc|# rc.d start openvpn}}
 
{{bc|# rc.d start openvpn}}
  
Add openvpn to the daemon array in /etc/rc.conf to make it start at system boot.
+
To have your system run OpenVPN automatically at system start, add openvpn to the daemon array in /etc/rc.conf.
 +
 
 +
==Advanced OpenVPN configuration==
 +
 
 +
===Routing the LAN of the server to a client===
 +
 
 +
Prerequisites:
 +
 
 +
* The server (elmer) is on a LAN using the [[Wikipedia:Private_network#Private_IPv4_address_spaces|private class C network range]] 10.66.0.0/24.
 +
* The server's LAN network interface is called eth0.
 +
* The client (bugs) is assigned an ip address out of the private class C network address pool 10.8.0.0/24, as specified by the server directive in the server's configuration file (/etc/openvpn/server.conf):
 +
{{hc|/etc/openvpn/server.conf|server 10.8.0.0 255.255.255.0}}
 +
 
 +
<!--'Investigate if scripts hooked into openvpn can do this,  http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR'-->
 +
 
 +
Do {{ic|# ip link set dev eth0 promisc on}} to set set the server's LAN interface to [[Wikipedia:Promiscuous_mode|promiscious mode]].
 +
 
 +
Then add the following to /etc/rc.local to make it persistent across reboots:
 +
 
 +
{{hc|/etc/rc.local|ip link set dev eth0 promisc on}}
 +
 
 +
Add a push directive to the server configuration file:
 +
 
 +
{{hc|/etc/openvpn/server.conf|push "route 10.66.0.0 255.255.255.0"}}
 +
 
 +
If you use the iptables firewall on the server (elmer) add the following rules to /etc/iptables/iptables.rules, then restart iptables:
 +
 
 +
{{hc|/etc/iptables/iptables.rules|
 +
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 +
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
 +
-A FORWARD -j REJECT
 +
}}
 +
 
 +
{{Note|If the server (elmer) is not the default LAN gateway on the server side, you will need to add a static route to your LAN's default gateway (most likely your LAN's router), routing the client IP range 10.8.0.0/24 back to the server's eth0 IP address.  Alternatively you could add a static route to each host on the server side LAN that you want to be able to respond to the client (bugs).}}
 +
 
 +
<!--'Add information on how to route several lans to the client'-->
 +
 
 +
===Routing the LAN of a client to the server===
 +
 
 +
Prerequisites:
 +
 
 +
* You must make sure that any subnets used on the client side (bugs), are unique and not in use on the server side or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.
 +
* The client's LAN network interface is called eth0.
 +
* Each client's certificate has a unique Common Name, in this case bugs.
 +
* The server may not use the duplicate-cn directive in it's config file.
 +
 
 +
Do {{ic|# ip link set dev eth0 promisc on}} to set set the client's LAN interface to [[Wikipedia:Promiscuous_mode|promiscious mode]].
 +
 
 +
Then add the following to /etc/rc.local to make it persistent across reboots:
 +
 
 +
{{hc|/etc/rc.local|ip link set dev eth0 promisc on}}
 +
 
 +
If you use the iptables firewall on the client (bugs) add the following rules to /etc/iptables/iptables.rules, then restart iptables:
 +
 
 +
{{hc|/etc/iptables/iptables.rules|
 +
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 +
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
 +
-A FORWARD -j REJECT
 +
}}
 +
 
 +
You must now create a client configuration directory on the server (elmer).  When a client connects, the server process will check this directory for a file named the same as the client certificate's common name, and apply the directives to the client.
 +
 
 +
{{bc|# mkdir -p /etc/openvpn/ccd}}
 +
 
 +
Create a file in the client configuration directory called bugs, containing the directive iroute 192.168.4.0 255.255.255.0.  This will tell the server that the 192.168.4.0/24 subnet should be routed to the client (bugs):
 +
 
 +
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}
 +
 
 +
Then add the directive route 192.168.4.0 255.255.255.0 to the server's configuration file /etc/openvpn/server.conf. This will tell the server that the 192.168.4.0/24 subnet should be routed from the tun device to the server process.  Both are needed:
 +
 
 +
{{hc|/etc/openvpn/server.conf|route 192.168.4.0 255.255.255.0}}
 +
 
 +
{{Note|If the client (bugs) is not the default LAN gateway on the client side, you will need to add a static route to the client LAN's default gateway (most likely the client LAN router), routing the server's IP range 10.66.0.0/24 back to the client's eth0 IP address.  Alternatively you could add a static route to each host on the client side LAN that you want to be able to respond to the server.}}
 +
 
 +
<!--'Add information on how to route several LANs to the server side'-->
 +
 
 +
===Pushing DHCP options to clients===
 +
 
 +
===Configuring client-specific rules and access policies===
 +
 
 +
===Routing all client traffic through the server===
 +
 
 +
===Running an OpenVPN server on a dynamic IP address===
 +
 
 +
===Implementing a load-balancing/failover configuration===
 +
 
 +
<!--'
 +
===Locking down security===
 +
 
 +
====Security through obfuscation====
 +
 
 +
====Port knocking====
 +
 
 +
====Running in unprivileged mode====
 +
 
 +
====Running in a chroot jail====
 +
 
 +
====Larger RSA keys====
 +
 
 +
===Revoking certificates===
 +
'-->
  
 
==Deprecated older wiki content==
 
==Deprecated older wiki content==
Line 648: Line 777:
 
}}
 
}}
  
==Setting up the Client==
+
===Setting up the Client===
 
The clientside .conf file
 
The clientside .conf file
===With password authentication===
+
====With password authentication====
 
{{bc|
 
{{bc|
 
client
 
client
Line 669: Line 798:
 
* second - password
 
* second - password
  
===Certs authentication===
+
====Certs authentication====
 
{{bc|
 
{{bc|
 
client
 
client
Line 697: Line 826:
 
To have the '''tun''' module loaded automatically at boot time add it to the Modules line in /etc/rc.conf
 
To have the '''tun''' module loaded automatically at boot time add it to the Modules line in /etc/rc.conf
  
===DNS===
+
====DNS====
 
The DNS servers used by the system are defined in '''/etc/resolv.conf'''.  Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc...)  However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side.  To achieve this in a sensible way, install '''openresolv''', which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes.  Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before.  You shouldn't need to configure openresolv; it should be automatically detected and used by your network system.
 
The DNS servers used by the system are defined in '''/etc/resolv.conf'''.  Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc...)  However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side.  To achieve this in a sensible way, install '''openresolv''', which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes.  Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before.  You shouldn't need to configure openresolv; it should be automatically detected and used by your network system.
  
Line 768: Line 897:
 
Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.
 
Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.
  
==Connecting to the Server==
+
===Connecting to the Server===
 
You need to start the service on the server
 
You need to start the service on the server
 
{{bc|
 
{{bc|

Revision as of 18:46, 29 December 2011

This template has only maintenance purposes. For linking to local translations please use interlanguage links, see Help:i18n#Interlanguage links.


Local languages: Català – Dansk – English – Español – Esperanto – Hrvatski – Indonesia – Italiano – Lietuviškai – Magyar – Nederlands – Norsk Bokmål – Polski – Português – Slovenský – Česky – Ελληνικά – Български – Русский – Српски – Українська – עברית – العربية – ไทย – 日本語 – 正體中文 – 简体中文 – 한국어


External languages (all articles in these languages should be moved to the external wiki): Deutsch – Français – Română – Suomi – Svenska – Tiếng Việt – Türkçe – فارسی

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: please use the first argument of the template to provide a brief explanation. (Discuss in Talk:OpenVPN#)

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: please use the first argument of the template to provide a brief explanation. (Discuss in Talk:OpenVPN#)

This article describes a basic installation and configuration of OpenVPN, suitable for private and small business use. For more detailed information, please see the excellent official OpenVPN documentation.

OpenVPN is an open source software application that implements Virtual Private Network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.

(Source: Wikipedia:OpenVPN)

Preamble

Installing OpenVPN

Install OpenVPN, available in the Official Repositories.

Note: The package contains both server and client software, so install it on all machines that need to create vpn connections.

Configuring the kernel

Edit /etc/sysctl.conf to permanently enable ipv4 packet forwarding. It will take effect at the next system boot.

/etc/sysctl.conf
# Enable packet forwarding
net.ipv4.ip_forward=1

You can temporarily enable this option without rebooting by doing:

# echo 1 > /etc/sysctl.conf

OpenVPN requires the Universal TUN/TAP device driver support. Add the tun module to the modules array in /etc/rc.conf on both servers and clients.

The default Arch Linux kernel is already properly configured, but if you build your own kernel, make sure that you enable the TUN/TAP module.

Kernel config file
Device Drivers --->
   Network device support --->
[*]Network device support
<M>   Universal TUN/TAP device driver support 

Public Key Infrastructure (PKI)

The first step when setting up OpenVPN is to create a Public Key Infrastructure (PKI). The PKI consists of:

  • A master Certificate Authority (CA) certificate (public) and key (private) which are used to sign each of the server and client certificates.
  • A separate certificate (public) and key (private) for each server and each client.

OpenVPN comes with a collection of RSA key manangement scripts known as easy-rsa to facilitate the certificate/key creation process (based on the openssl command line tool). While this tool is primarly concerned with key management for the SSL VPN application space, it can also be used for building web certificates.

As you create certificates, keys, and certificate signing requests, please understand that only .key files need to be kept confidential, .crt and .csr files can be sent over insecure channels such as plaintext email.

In this tutorial we will create the needed certificates and keys in root's home directory. This will make sure that the generated files have the right ownership and permissions, thus being safe from other users.

Note: You can create the certificates and keys on any machine, even one not connected to the network.
Warning: Make sure that you backup the generated files, especially the ca.crt and ca.key files since if you lose these, you will not be able to create new certificates and keys for servers and clients, thus requiring the generation of a new Certificate Authority (CA) certificate and key, invalidating all your existing certificates and keys.

Installing the easy-rsa scripts

Install the scripts by doing the following:

# cp -r /usr/share/openvpn/easy-rsa /root

Generating certificates and keys

Now you need to create the needed certificates and keys.

Change to the directory where you installed the scripts.

# cd /root/easy-rsa

In order to ensure that you use consistent values, set default values to be used by the certificate/key generating scripts. Edit /root/easy-rsa/vars and at a minimum set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters (do not leave any of these parameters blank).

Note: You can enter a . (dot) when running the scripts in order to blank out a parameter.
Tip: You may want to increase KEY_SIZE to 2048 if you are paranoid and don't mind slower key processing, but certainly 1024 is fine for testing purposes. KEY_SIZE must be compatible across both peers participating in a secure SSL/TLS connection.
/root/easy-rsa/vars
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"


# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="Acme Acres"
export KEY_ORG="Acme"
export KEY_EMAIL="roadrunner@acmecorp.org"
#export KEY_EMAIL=mail@host.domain
export KEY_CN=Acme-CA
export KEY_NAME=Acme-CA
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234

Export the environment variables.

# source ./vars

Delete any previously created certificates and keys.

Warning: This will delete any previously generated certificates and keys, and you will not be able to create new certificates and keys for servers and clients, thus requiring the generation of a new Certificate Authority (CA) certificate and key, invalidating all your existing certificates and keys.
# ./clean-all

The build-ca script creates the Certificate Authority (CA) certificate and private key.

# ./build-ca
Generating a 1024 bit RSA private key
..............++++++
...++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Acme Acres]:
Organization Name (eg, company) [Acme]:
Organizational Unit Name (eg, section) [changeme]:.
Common Name (eg, your name or your server's hostname) [Acme-CA]:
Name [Acme-CA]:
Email Address [roadrunner@acmecorp.org]:

The build-key-server script (followed by the server name) creates a certificate and private key for a server. Make sure that the server name (Common Name when running the script) is unique.

Note: Do not enter a challenge password or company name when the script prompts you for one.
# ./build-key-server elmer
Generating a 1024 bit RSA private key
.....................++++++
.......................................................++++++
writing new private key to 'elmer.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Acme Acres]:
Organization Name (eg, company) [Acme]:
Organizational Unit Name (eg, section) [changeme]:.
Common Name (eg, your name or your server's hostname) [elmer]:
Name [Acme-CA]:
Email Address [roadrunner@acmecorp.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'Acme Acres'
organizationName      :PRINTABLE:'Acme'
commonName            :PRINTABLE:'elmer'
name                  :PRINTABLE:'Acme-CA'
emailAddress          :IA5STRING:'roadrunner@acmecorp.org'
Certificate is to be certified until Dec 27 19:11:59 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The build-dh script creates the Diffie-Hellman parameters .pem file needed by the server.

Note: It would be better to generate a new one for each server, but you can use the same one for your servers if you want to.
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..+.............+.......+.......................................................
.........................................+......................................
.............+.......................................+..........................
...................................+........................................+...
.....................................................+..........................
.....................................................................+.+........
..............................+....................................+............
..............+.................................................................
.................................................+.....+........................
.......................+.....+..........+.......................................
.........................+....................+................+................
.............................................................................++*
++*++*

The build-key script (followed by a client name) creates a certificate and a private key for a client. Make sure that the client name (Common Name when running the script) is unique.

Note: Do not enter a challenge password or company name when the script prompts you for one.
# ./build-key bugs
Generating a 1024 bit RSA private key
....++++++
.............................................................++++++
writing new private key to 'bugs.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Acme Acres]:
Organization Name (eg, company) [Acme]:
Organizational Unit Name (eg, section) [changeme]:.
Common Name (eg, your name or your server's hostname) [bugs]:
Name [Acme-CA]:
Email Address [roadrunner@acmecorp.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'Acme Acres'
organizationName      :PRINTABLE:'Acme'
commonName            :PRINTABLE:'bugs'
name                  :PRINTABLE:'Acme-CA'
emailAddress          :IA5STRING:'roadrunner@acmecorp.org'
Certificate is to be certified until Dec 27 19:18:27 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate a Hash-based Message Authentication Code (HMAC) by running: # openvpn --genkey --secret /root/easy-rsa/keys/ta.key

This will be used to add an additional HMAC signature to all SSL/TLS handshake packets. Any UDP packet not having the correct HMAC signature will be immidiately dropped, protecting against:

  • Portscanning.
  • DOS attacks on the OpenVPN UDP port.
  • SSL/TLS handshake initiations from unauthorized machines.
  • Any eventual buffer overflow vulnerabilities in the SSL/TLS implementation.

All the created certificates and keys have been stored in /root/easy-rsa/keys. If you make a mistake, you can start over by running the clean-all script again.

Warning: This will delete any previously generated certificates and keys, and you will not be able to create new certificates and keys for servers and clients, thus requiring the generation of a new Certificate Authority (CA) certificate and key, invalidating all your existing certificates and keys.
# ./clean-all

The final step of the key generation process is to copy the files needed to the correct machines through a secure channel.

Note: In this article the certificates and keys will be placed into /etc/openvpn on the server and the client.

The ca.crt certificate will be needed on all servers and clients. The ca.key private key is secret and only needed on the key generating machine.

The server.crt, dh{n}.pem, server.key (secret), and ta.key (secret) files are needed on the server.

The client.crt, client.key (secret), and ta.key (secret) files are needed on the client.

Configuring OpenVPN

OpenVPN is an extremely versatile software and many configurations are possible. You could have machines that are both "servers" and "clients", so the distinction between server and client is blurred.

What really distinguishes a server from a client is the configuration file itself. The openvpn daemon startup script reads all the .conf configuration files it finds in /etc/openvpn on startup, and acts accordingly. In fact if it finds more than one configuration file it will start one OpenVPN processes per configuration file.

This article explains how to setup a machine that we call the server (elmer), and a client that connects to it called (bugs). You can easily add more clients by generating more client certificates/keys and adding client configurations on more machines.

The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:

  • Uses Public Key Infrastructure (PKI) for authentication.
  • Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).
  • Listens for client connections on UDP port 1194 (OpenVPN's official IANA port number).
  • Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.

For more advanced configurations, please see the official OpenVPN documentation.

The server configuration file

Copy the example server configuration file to /etc/openvpn/server.conf

# cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf

Edit the ca, cert, key, and dh parameters to reflect the path and names of the certificates and key you generated for the server (elmer). Specifying the paths will allow you to run the OpenVPN executable from any directory for testing purposes.

/etc/openvpn/server.conf
ca /etc/openvpn/ca.crt
cert /etc/openvpn/elmer.crt
key /etc/openvpn/elmer.key

dh /etc/openvpn/dh1024.pem

Enable the SSL/TLS HMAC handshake protection:

Note: Use the parameter 0 on a server configuration.
/etc/openvpn/server.conf
tls-auth /etc/openvpn/ta.key 0


For security reasons is recommended to configure OpenVPN to drop root privileges once it has initialized. Do this by uncommenting the user and group directives.

/etc/openvpn/server.conf
user nobody
group nobody

The client configuration file

Copy the example client configuration file to /etc/openvpn/client.conf

# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf

Edit the remote directive to reflect the server's (elmer) Fully Qualified Domain Name (FQDN), hostname (as known to the client) or IP address.

Note: Note that if the server is behind a NAT translating router, you will have to forward the OpenVPN UDP port (1194) to the server.
/etc/openvpn/client.conf
remote elmer.acmecorp.org 1194

Again uncomment the user and group directives for security reasons.

/etc/openvpn/client.conf
user nobody
group nobody

Edit the ca, cert, and key parameters to reflect the path and names of the certificates and key you generated for the client (bugs).

/etc/openvpn/client.conf
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bugs.crt
key /etc/openvpn/bugs.key

Enable the SSL/TLS HMAC handshake protection:

Note: Use the parameter 1 on a client configuration.
/etc/openvpn/client.conf
tls-auth /etc/openvpn/ta.key 1

Configuring iptables

Add a rule for the tun devices on both the server and the client.

Note: That the order of the rules is important. See iptables for more information
/etc/iptables/iptables.rules
-A INPUT -i tun+ -j ACCEPT

Add a rule to accept connections on the OpenVPN UDP port (1194) on the server.

/etc/iptables/iptables.rules
-A INPUT -p udp --dport 1194 -j ACCEPT

Testing the OpenVPN configuration

Run # openpvn /etc/openvpn/server.conf on the server, and # openpvn /etc/openvpn/client.conf on the client. You should see something similar to this:

# openpvn /etc/openvpn/server.conf
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 1024 bit key
Wed Dec 28 14:41:26 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 28 14:41:26 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]
Wed Dec 28 14:41:26 2011 ROUTE default_gateway=10.66.0.1
Wed Dec 28 14:41:26 2011 TUN/TAP device tun0 opened
Wed Dec 28 14:41:26 2011 TUN/TAP TX queue length set to 100
Wed Dec 28 14:41:26 2011 /usr/sbin/ip link set dev tun0 up mtu 1500
Wed Dec 28 14:41:26 2011 /usr/sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Dec 28 14:41:26 2011 /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Dec 28 14:41:26 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 28 14:41:26 2011 GID set to nobody
Wed Dec 28 14:41:26 2011 UID set to nobody
Wed Dec 28 14:41:26 2011 UDPv4 link local (bound): [undef]:1194
Wed Dec 28 14:41:26 2011 UDPv4 link remote: [undef]
Wed Dec 28 14:41:26 2011 MULTI: multi_init called, r=256 v=256
Wed Dec 28 14:41:26 2011 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Dec 28 14:41:26 2011 IFCONFIG POOL LIST
Wed Dec 28 14:41:26 2011 Initialization Sequence Completed
Wed Dec 28 14:41:51 2011 MULTI: multi_create_instance called
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Re-using SSL/TLS context
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 LZO compression initialized
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Local Options hash (VER=V4): '530fdded'
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Expected Remote Options hash (VER=V4): '41690919'
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 TLS: Initial packet from 95.126.136.73:48904, sid=163f4a5e e0399137
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=bugs/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 [bugs] Peer Connection Initiated with 95.126.136.73:48904
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: Learn: 10.8.0.6 -> bugs/95.126.136.73:48904
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
# openpvn /etc/openvpn/client.conf
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:50 2011 LZO compression initialized
Wed Dec 28 14:41:50 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 28 14:41:50 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
Wed Dec 28 14:41:51 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 28 14:41:51 2011 Local Options hash (VER=V4): '41690919'
Wed Dec 28 14:41:51 2011 Expected Remote Options hash (VER=V4): '530fdded'
Wed Dec 28 14:41:51 2011 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed Dec 28 14:41:51 2011 UDPv4 link local: [undef]
Wed Dec 28 14:41:51 2011 UDPv4 link remote: 85.93.204.250:1194
Wed Dec 28 14:41:51 2011 TLS: Initial packet from 85.93.204.250:1194, sid=5f379f35 50c9ab11
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
Wed Dec 28 14:41:52 2011 VERIFY OK: nsCertType=SERVER
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=elmer/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Dec 28 14:41:54 2011 [elmer] Peer Connection Initiated with 85.93.204.250:1194
Wed Dec 28 14:41:57 2011 SENT CONTROL [elmer]: 'PUSH_REQUEST' (status=1)
Wed Dec 28 14:41:57 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: timers and/or timeouts modified
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: --ifconfig/up options modified
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: route options modified
Wed Dec 28 14:41:57 2011 ROUTE default_gateway=10.64.64.64
Wed Dec 28 14:41:57 2011 TUN/TAP device tun1 opened
Wed Dec 28 14:41:57 2011 TUN/TAP TX queue length set to 100
Wed Dec 28 14:41:57 2011 /usr/sbin/ip link set dev tun1 up mtu 1500
Wed Dec 28 14:41:57 2011 /usr/sbin/ip addr add dev tun1 local 10.8.0.6 peer 10.8.0.5
Wed Dec 28 14:41:57 2011 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Wed Dec 28 14:41:57 2011 GID set to nobody
Wed Dec 28 14:41:57 2011 UID set to nobody
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed

On the server, find the IP assigned to the tunX device:

# ip addr show
.
.
.
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.

Do the same on the client:

# ip addr show
.
.
.
37: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun1

And the client side has been given the IP 10.8.0.6.

Now try pinging the interfaces.

On the server:

# ping 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms
^C
--- 10.8.0.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms

On the client:

# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms

You now have a working OpenVPN installation, and your client (bugs) will be able to use services on the server (elmer).

Starting OpenVPN

To start OpenVPN manually run:

# rc.d start openvpn

To have your system run OpenVPN automatically at system start, add openvpn to the daemon array in /etc/rc.conf.

Advanced OpenVPN configuration

Routing the LAN of the server to a client

Prerequisites:

  • The server (elmer) is on a LAN using the private class C network range 10.66.0.0/24.
  • The server's LAN network interface is called eth0.
  • The client (bugs) is assigned an ip address out of the private class C network address pool 10.8.0.0/24, as specified by the server directive in the server's configuration file (/etc/openvpn/server.conf):
/etc/openvpn/server.conf
server 10.8.0.0 255.255.255.0


Do # ip link set dev eth0 promisc on to set set the server's LAN interface to promiscious mode.

Then add the following to /etc/rc.local to make it persistent across reboots:

/etc/rc.local
ip link set dev eth0 promisc on

Add a push directive to the server configuration file:

/etc/openvpn/server.conf
push "route 10.66.0.0 255.255.255.0"

If you use the iptables firewall on the server (elmer) add the following rules to /etc/iptables/iptables.rules, then restart iptables:

/etc/iptables/iptables.rules
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT
Note: If the server (elmer) is not the default LAN gateway on the server side, you will need to add a static route to your LAN's default gateway (most likely your LAN's router), routing the client IP range 10.8.0.0/24 back to the server's eth0 IP address. Alternatively you could add a static route to each host on the server side LAN that you want to be able to respond to the client (bugs).


Routing the LAN of a client to the server

Prerequisites:

  • You must make sure that any subnets used on the client side (bugs), are unique and not in use on the server side or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.
  • The client's LAN network interface is called eth0.
  • Each client's certificate has a unique Common Name, in this case bugs.
  • The server may not use the duplicate-cn directive in it's config file.

Do # ip link set dev eth0 promisc on to set set the client's LAN interface to promiscious mode.

Then add the following to /etc/rc.local to make it persistent across reboots:

/etc/rc.local
ip link set dev eth0 promisc on

If you use the iptables firewall on the client (bugs) add the following rules to /etc/iptables/iptables.rules, then restart iptables:

/etc/iptables/iptables.rules
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT

You must now create a client configuration directory on the server (elmer). When a client connects, the server process will check this directory for a file named the same as the client certificate's common name, and apply the directives to the client.

# mkdir -p /etc/openvpn/ccd

Create a file in the client configuration directory called bugs, containing the directive iroute 192.168.4.0 255.255.255.0. This will tell the server that the 192.168.4.0/24 subnet should be routed to the client (bugs):

/etc/openvpn/ccd/bugs
iroute 192.168.4.0 255.255.255.0

Then add the directive route 192.168.4.0 255.255.255.0 to the server's configuration file /etc/openvpn/server.conf. This will tell the server that the 192.168.4.0/24 subnet should be routed from the tun device to the server process. Both are needed:

/etc/openvpn/server.conf
route 192.168.4.0 255.255.255.0
Note: If the client (bugs) is not the default LAN gateway on the client side, you will need to add a static route to the client LAN's default gateway (most likely the client LAN router), routing the server's IP range 10.66.0.0/24 back to the client's eth0 IP address. Alternatively you could add a static route to each host on the client side LAN that you want to be able to respond to the server.


Pushing DHCP options to clients

Configuring client-specific rules and access policies

Routing all client traffic through the server

Running an OpenVPN server on a dynamic IP address

Implementing a load-balancing/failover configuration

Deprecated older wiki content

Using PAM and passwords to authenticate

port 1194
proto udp
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.56.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;learn-address ./script
client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

Using certs to authenticate

port 1194
proto tcp
dev tun0

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

log-append /var/log/openvpn
status /tmp/vpn.status 10

Routing traffic through the server

Append the following to your server's openvpn.conf configuration file:

push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"

Change "192.168.1.1" to your external DNS IP address.

Use an iptable for NAT forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If running ArchLinux in a OpenVZ VPS environment [1]:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)

If all is well, make the changes permanent:

Edit /etc/conf.d/iptables and change IPTABLES_FORWARD=1

/etc/rc.d/iptables save

Setting up the Client

The clientside .conf file

With password authentication

client
dev tap
proto udp
remote <address> 1194
resolv-retry infinite
nobind
persist-tun
comp-lzo
verb 3
auth-user-pass passwd
ca ca.crt

passwd file (referenced by auth-user-pass) must contain two lines:

  • first line - username
  • second - password

Certs authentication

client
remote <MYSERVER> 1194
dev tun0
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 2
ca ca.crt
cert client1.crt
key client1.key
comp-lzo

Copy three files from server to remote computer.

ca.crt
client1.crt
client1.key

Install the tunnel/tap module:

 # sudo modprobe tun

To have the tun module loaded automatically at boot time add it to the Modules line in /etc/rc.conf

DNS

The DNS servers used by the system are defined in /etc/resolv.conf. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc...) However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install openresolv, which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes. Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before. You shouldn't need to configure openresolv; it should be automatically detected and used by your network system.

Next, save the following script at /usr/share/openvpn/update-resolv-conf:

#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
# and Chris Hanson
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
#
# 05/2006 chlauber@bnc.ch
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'

[ -x /usr/sbin/resolvconf ] || exit 0

case $script_type in

up)
   for optionname in ${!foreign_option_*} ; do
      option="${!optionname}"
      echo $option
      part1=$(echo "$option" | cut -d " " -f 1)
      if [ "$part1" == "dhcp-option" ] ; then
         part2=$(echo "$option" | cut -d " " -f 2)
         part3=$(echo "$option" | cut -d " " -f 3)
         if [ "$part2" == "DNS" ] ; then
            IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
         fi
         if [ "$part2" == "DOMAIN" ] ; then
            IF_DNS_SEARCH="$part3"
         fi
      fi
   done
   R=""
   if [ "$IF_DNS_SEARCH" ] ; then
           R="${R}search $IF_DNS_SEARCH
"
   fi
   for NS in $IF_DNS_NAMESERVERS ; do
           R="${R}nameserver $NS
"
   done
   echo -n "$R" | /usr/sbin/resolvconf -a "${dev}.inet"
   ;;
down)
   /usr/sbin/resolvconf -d "${dev}.inet"
   ;;
esac

Remember to make the file executable with:

 $ chmod +x /usr/share/openvpn/update-resolv-conf

Next, add the following lines to your OpenVPN client configuration file:

script-security 2
up /usr/share/openvpn/update-resolv-conf
down /usr/share/openvpn/update-resolv-conf

Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.

Connecting to the Server

You need to start the service on the server

/etc/rc.d/openvpn start

You can add it to rc.conf to make it permanet.

On the client, in the home directory create a folder that will hold your OpenVPN client config files along with the .crt/.key files. Assuming your OpenVPN config folder is called .openvpn and your client config file is vpn1.conf, to connect to the server issue the following command:

cd ~/.openvpn && sudo openvpn vpn1.conf