Difference between revisions of "OpenVPN"

From ArchWiki
Jump to navigation Jump to search
(Another huge edit)
(Remove trailing spaces)
Line 67: Line 67:
  
 
Now you need to create the needed certificates and keys.
 
Now you need to create the needed certificates and keys.
+
 
 
Change to the directory where you installed the scripts.
 
Change to the directory where you installed the scripts.
  
Line 326: Line 326:
 
The server.crt, server.key (secret) and dh{n}.pem files are needed on the server.
 
The server.crt, server.key (secret) and dh{n}.pem files are needed on the server.
  
The client.crt and client.key (secret) files are needed on the client.
+
The client.crt and client.key (secret) files are needed on the client.
  
 
==Configuring OpenVPN==
 
==Configuring OpenVPN==
Line 499: Line 499:
 
.
 
.
 
.
 
.
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500  metric 1                      
+
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500  metric 1
         inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2                              
+
         inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
         unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)          
+
         unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
         RX packets 0  bytes 0 (0.0 B)                                                              
+
         RX packets 0  bytes 0 (0.0 B)
         RX errors 0  dropped 0  overruns 0  frame 0                                                
+
         RX errors 0  dropped 0  overruns 0  frame 0
         TX packets 0  bytes 0 (0.0 B)                                                              
+
         TX packets 0  bytes 0 (0.0 B)
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0                                
+
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
</nowiki>}}
 
</nowiki>}}
  
Line 516: Line 516:
 
.
 
.
 
.
 
.
tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500  metric 1                      
+
tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500  metric 1
         inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5                              
+
         inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
         unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)          
+
         unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
         RX packets 0  bytes 0 (0.0 B)                                                              
+
         RX packets 0  bytes 0 (0.0 B)
         RX errors 0  dropped 0  overruns 0  frame 0                                                
+
         RX errors 0  dropped 0  overruns 0  frame 0
         TX packets 0  bytes 0 (0.0 B)                                                              
+
         TX packets 0  bytes 0 (0.0 B)
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0                                
+
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
</nowiki>}}
 
</nowiki>}}
  
Line 532: Line 532:
  
 
{{hc|# ping 10.8.0.6|<nowiki>
 
{{hc|# ping 10.8.0.6|<nowiki>
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.                                                    
+
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms                                              
+
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms                                              
+
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms                                              
+
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms
^C                                                                                                
+
^C
--- 10.8.0.6 ping statistics ---                                                                  
+
--- 10.8.0.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms                                    
+
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
 
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms
 
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms
 
</nowiki>}}
 
</nowiki>}}
Line 545: Line 545:
  
 
{{hc|# ping 10.8.0.1|<nowiki>
 
{{hc|# ping 10.8.0.1|<nowiki>
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.                                                    
+
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms                                              
+
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms                                              
+
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms                                              
+
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms
^C                                                                                                
+
^C
--- 10.8.0.1 ping statistics ---                                                                  
+
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms                                    
+
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
 
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms
 
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms
 
</nowiki>}}
 
</nowiki>}}
Line 685: Line 685:
 
comp-lzo
 
comp-lzo
 
}}
 
}}
Copy three files from server to remote computer.  
+
Copy three files from server to remote computer.
 
  ca.crt
 
  ca.crt
 
  client1.crt
 
  client1.crt

Revision as of 15:05, 28 December 2011

This template has only maintenance purposes. For linking to local translations please use interlanguage links, see Help:i18n#Interlanguage links.


Local languages: Català – Dansk – English – Español – Esperanto – Hrvatski – Indonesia – Italiano – Lietuviškai – Magyar – Nederlands – Norsk Bokmål – Polski – Português – Slovenský – Česky – Ελληνικά – Български – Русский – Српски – Українська – עברית – العربية – ไทย – 日本語 – 正體中文 – 简体中文 – 한국어


External languages (all articles in these languages should be moved to the external wiki): Deutsch – Français – Română – Suomi – Svenska – Tiếng Việt – Türkçe – فارسی

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: please use the first argument of the template to provide a brief explanation. (Discuss in Talk:OpenVPN#)

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: please use the first argument of the template to provide a brief explanation. (Discuss in Talk:OpenVPN#)

This article describes a basic installation and configuration of OpenVPN, suitable for private and small business use. For more detailed information, please see the excellent official OpenVPN documentation.

OpenVPN is an open source software application that implements Virtual Private Network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.

(Source: Wikipedia:OpenVPN)

Installing OpenVPN

Install OpenVPN, available in the Official Repositories.

Note: The package contains both server and client software, so install it on all machines that need to create vpn connections.

You may also want to install openvpn-authldap-pluginAUR, available in the Arch User Repository.

Configuring the kernel

Edit /etc/sysctl.conf to permanently enable ipv4 packet forwarding. It will take effect at the next system boot.

/etc/sysctl.conf
# Enable packet forwarding
net.ipv4.ip_forward=1

You can temporarily enable this option without rebooting by doing:

# echo 1 > /etc/sysctl.conf

OpenVPN requires the Universal TUN/TAP device driver support. Add the tun module to the modules array in /etc/rc.conf on both servers and clients.

The default Arch Linux kernel is already properly configured, but if you build your own kernel, make sure that you enable the TUN/TAP module.

Kernel config file
Device Drivers --->
   Network device support --->
[*]Network device support
<M>   Universal TUN/TAP device driver support 

Public Key Infrastructure (PKI)

The first step when setting up OpenVPN is to create a Public Key Infrastructure (PKI). The PKI consists of:

  • A master Certificate Authority (CA) certificate (public) and key (private) which are used to sign each of the server and client certificates.
  • A separate certificate (public) and key (private) for each server and each client.

OpenVPN comes with a collection of RSA key manangement scripts known as easy-rsa to facilitate the certificate/key creation process (based on the openssl command line tool). While this tool is primarly concerned with key management for the SSL VPN application space, it can also be used for building web certificates.

As you create certificates, keys, and certificate signing requests, please understand that only .key files need to be kept confidential, .crt and .csr files can be sent over insecure channels such as plaintext email.

In this tutorial we will create the needed certificates and keys in root's home directory. This will make sure that the generated files have the right ownership and permissions, thus being safe from other users.

Note: You can create the certificates and keys on any machine, even one not connected to the network.
Warning: Make sure that you backup the generated files, especially the ca.crt and ca.key files since if you lose these, you will not be able to create new certificates and keys for servers and clients, thus requiring the generation of a new Certificate Authority (CA) certificate and key, invalidating all your existing certificates and keys.

Installing the easy-rsa scripts

Install the scripts by doing the following:

# cp -r /usr/share/openvpn/easy-rsa /root

Generating certificates and keys

Now you need to create the needed certificates and keys.

Change to the directory where you installed the scripts.

# cd /root/easy-rsa

In order to ensure that you use consistent values, set default values to be used by the certificate/key generating scripts. Edit /root/easy-rsa/vars and at a minimum set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters (do not leave any of these parameters blank).

Note: You can enter a . (dot) when running the scripts in order to blank out a parameter.
Tip: You may want to increase KEY_SIZE to 2048 if you are paranoid and don't mind slower key processing, but certainly 1024 is fine for testing purposes. KEY_SIZE must be compatible across both peers participating in a secure SSL/TLS connection.
/root/easy-rsa/vars
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"


# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="Acme Acres"
export KEY_ORG="Acme"
export KEY_EMAIL="roadrunner@acmecorp.org"
#export KEY_EMAIL=mail@host.domain
export KEY_CN=Acme-CA
export KEY_NAME=Acme-CA
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234

Export the environment variables.

# source ./vars

Delete any previously created certificates and keys.

Warning: This will delete any previously generated certificates and keys, and you will not be able to create new certificates and keys for servers and clients, thus requiring the generation of a new Certificate Authority (CA) certificate and key, invalidating all your existing certificates and keys.
# ./clean-all

The build-ca script creates the Certificate Authority (CA) certificate and private key.

# ./build-ca
Generating a 1024 bit RSA private key
..............++++++
...++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Acme Acres]:
Organization Name (eg, company) [Acme]:
Organizational Unit Name (eg, section) [changeme]:.
Common Name (eg, your name or your server's hostname) [Acme-CA]:
Name [Acme-CA]:
Email Address [roadrunner@acmecorp.org]:

The build-key-server script (followed by the server name) creates a certificate and private key for a server. Make sure that the server name (Common Name when running the script) is unique.

Note: Do not enter a challenge password or company name when the script prompts you for one.
# ./build-key-server elmer
Generating a 1024 bit RSA private key
.....................++++++
.......................................................++++++
writing new private key to 'elmer.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Acme Acres]:
Organization Name (eg, company) [Acme]:
Organizational Unit Name (eg, section) [changeme]:.
Common Name (eg, your name or your server's hostname) [elmer]:
Name [Acme-CA]:
Email Address [roadrunner@acmecorp.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'Acme Acres'
organizationName      :PRINTABLE:'Acme'
commonName            :PRINTABLE:'elmer'
name                  :PRINTABLE:'Acme-CA'
emailAddress          :IA5STRING:'roadrunner@acmecorp.org'
Certificate is to be certified until Dec 23 19:11:59 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The build-dh script creates the Diffie-Hellman parameters .pem file needed by the server.

Note: It would be better to generate a new one for each server, but you can use the same one for your servers if you want to.
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..+.............+.......+.......................................................
.........................................+......................................
.............+.......................................+..........................
...................................+........................................+...
.....................................................+..........................
.....................................................................+.+........
..............................+....................................+............
..............+.................................................................
.................................................+.....+........................
.......................+.....+..........+.......................................
.........................+....................+................+................
.............................................................................++*
++*++*

The build-key script (followed by a client name) creates a certificate and a private key for a client. Make sure that the client name (Common Name when running the script) is unique.

Note: Do not enter a challenge password or company name when the script prompts you for one.
# ./build-key bugs
Generating a 1024 bit RSA private key
....++++++
.............................................................++++++
writing new private key to 'bugs.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Acme Acres]:
Organization Name (eg, company) [Acme]:
Organizational Unit Name (eg, section) [changeme]:.
Common Name (eg, your name or your server's hostname) [bugs]:
Name [Acme-CA]:
Email Address [roadrunner@acmecorp.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'Acme Acres'
organizationName      :PRINTABLE:'Acme'
commonName            :PRINTABLE:'bugs'
name                  :PRINTABLE:'Acme-CA'
emailAddress          :IA5STRING:'roadrunner@acmecorp.org'
Certificate is to be certified until Dec 23 19:18:27 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

All the created certificates and keys have been stored in /root/easy-rsa/keys. If you make a mistake, you can start over by running the clean-all script again.

Warning: This will delete any previously generated certificates and keys, and you will not be able to create new certificates and keys for servers and clients, thus requiring the generation of a new Certificate Authority (CA) certificate and key, invalidating all your existing certificates and keys.
# ./clean-all

The final step of the key generation process is to copy the files needed to the correct machines through a secure channel.

Note: In this article the certificates and keys will be placed into /etc/openvpn on the server and the client.

The ca.crt certificate will be needed on all servers and clients. The ca.key private key is secret and only needed on the key generating machine.

The server.crt, server.key (secret) and dh{n}.pem files are needed on the server.

The client.crt and client.key (secret) files are needed on the client.

Configuring OpenVPN

OpenVPN is an extremely versatile software and many configurations are possible. You could have machines that are both "servers" and "clients", so the distinction between server and client is blurred.

What really distinguishes a server from a client is the configuration file itself. The openvpn daemon script reads all the .conf configuration files it finds in /etc/openvpn on startup, and acts accordingly. In fact if it finds more than one configuration file it will start at least one OpenVPN processes per configuration file.

This article explains how to setup a machine that we call the server (elmer), and a client that connects to it called (bugs). You can easily add more clients by generating more client certificates/keys and adding client configurations on more machines.

The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:

  • Uses Public Key Infrastructure (PKI) for authentication.
  • Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).
  • Listens for client connections on UDP port 1194 (OpenVPN's official IANA port number).
  • Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.

For more advanced configurations, please see the official OpenVPN documentation.

The server configuration file

Copy the example server configuration file to /etc/openvpn/server.conf

# cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf

Edit the ca, cert, key, and dh parameters to reflect the path and names of the certificates and key you generated for the server (elmer). Specifying the paths will allow you to run the OpenVPN executable from any directory for testing purposes.

/etc/openvpn/server.conf
ca /etc/openvpn/ca.crt
cert /etc/openvpn/elmer.crt
key /etc/openvpn/elmer.key

dh /etc/openvpn/dh1024.pem

For security reasons is recommended to configure OpenVPN to drop root privileges once it has initialized. Do this by uncommenting the user and group directives.

/etc/openvpn/server.conf
user nobody
group nobody

The client configuration file

Copy the example client configuration file to /etc/openvpn/client.conf

# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf

Edit the remote directive to reflect the server's (elmer) Fully Qualified Domain Name (FQDN), hostname (as known to the client) or IP address.

Note: Note that if the server is behind a NAT translating router, you will have to forward the OpenVPN UDP port (1194) to the server.
/etc/openvpn/client.conf
remote elmer.acmecorp.org 1194

Again uncomment the user and group directives for security reasons.

/etc/openvpn/client.conf
user nobody
group nobody

Edit the ca, cert, and key parameters to reflect the path and names of the certificates and key you generated for the client (bugs).

/etc/openvpn/client.conf
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bugs.crt
key /etc/openvpn/bugs.key

Configuring iptables

Add a rule for the tun devices on both the server and the client.

Note: That the order of the rules is important. See iptables for more information
/etc/iptables/iptables.rules
-A INPUT -i tun+ -j ACCEPT

Add a rule to accept connections on the OpenVPN UDP port (1194) on the server.

/etc/iptables/iptables.rules
-A INPUT -p udp --dport 1194 -j ACCEPT

Testing the OpenVPN configuration

Run # openpvn /etc/openvpn/server.conf on the server. You should see something similar to this:

# openpvn /etc/openvpn/server.conf
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:26 2011 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key
Wed Dec 28 14:41:26 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 28 14:41:26 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]
Wed Dec 28 14:41:26 2011 ROUTE default_gateway=192.168.0.1
Wed Dec 28 14:41:26 2011 TUN/TAP device tun0 opened
Wed Dec 28 14:41:26 2011 TUN/TAP TX queue length set to 100
Wed Dec 28 14:41:26 2011 /usr/sbin/ip link set dev tun0 up mtu 1500
Wed Dec 28 14:41:26 2011 /usr/sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Dec 28 14:41:26 2011 /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Dec 28 14:41:26 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 28 14:41:26 2011 GID set to nobody
Wed Dec 28 14:41:26 2011 UID set to nobody
Wed Dec 28 14:41:26 2011 UDPv4 link local (bound): [undef]:1194
Wed Dec 28 14:41:26 2011 UDPv4 link remote: [undef]
Wed Dec 28 14:41:26 2011 MULTI: multi_init called, r=256 v=256
Wed Dec 28 14:41:26 2011 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Dec 28 14:41:26 2011 IFCONFIG POOL LIST
Wed Dec 28 14:41:26 2011 Initialization Sequence Completed
Wed Dec 28 14:41:51 2011 MULTI: multi_create_instance called
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Re-using SSL/TLS context
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 LZO compression initialized
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Local Options hash (VER=V4): '530fdded'
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Expected Remote Options hash (VER=V4): '41690919'
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 TLS: Initial packet from 95.126.136.73:48904, sid=163f4a5e e0399137
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=1, /C=LU/ST=Luxembourg/L=Luxembourg/O=Alchemy/CN=Alchemy-CA/name=Alchemy-CA/emailAddress=jbh@alchemy.lu
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=0, /C=LU/ST=Luxembourg/L=Luxembourg/O=Alchemy/CN=freja/name=Alchemy-CA/emailAddress=jbh@alchemy.lu
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 [freja] Peer Connection Initiated with 95.126.136.73:48904
Wed Dec 28 14:41:54 2011 freja/95.126.136.73:48904 MULTI: Learn: 10.8.0.6 -> freja/95.126.136.73:48904
Wed Dec 28 14:41:54 2011 freja/95.126.136.73:48904 MULTI: primary virtual IP for freja/95.126.136.73:48904: 10.8.0.6
Wed Dec 28 14:41:57 2011 freja/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 28 14:41:57 2011 freja/95.126.136.73:48904 SENT CONTROL [freja]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

Run # openpvn /etc/openvpn/client.conf on the client. You should see something similar to this:

# openpvn /etc/openvpn/client.conf
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:50 2011 LZO compression initialized
Wed Dec 28 14:41:50 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Dec 28 14:41:50 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
Wed Dec 28 14:41:51 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Dec 28 14:41:51 2011 Local Options hash (VER=V4): '41690919'
Wed Dec 28 14:41:51 2011 Expected Remote Options hash (VER=V4): '530fdded'
Wed Dec 28 14:41:51 2011 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Wed Dec 28 14:41:51 2011 UDPv4 link local: [undef]
Wed Dec 28 14:41:51 2011 UDPv4 link remote: 85.93.204.250:1194
Wed Dec 28 14:41:51 2011 TLS: Initial packet from 85.93.204.250:1194, sid=5f379f35 50c9ab11
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=1, /C=LU/ST=Luxembourg/L=Luxembourg/O=Alchemy/CN=Alchemy-CA/name=Alchemy-CA/emailAddress=jbh@alchemy.lu
Wed Dec 28 14:41:52 2011 VERIFY OK: nsCertType=SERVER
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=0, /C=LU/ST=Luxembourg/L=Luxembourg/O=Alchemy/CN=tor/name=Alchemy-CA/emailAddress=jbh@alchemy.lu
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec 28 14:41:54 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Dec 28 14:41:54 2011 [tor] Peer Connection Initiated with 85.93.204.250:1194
Wed Dec 28 14:41:57 2011 SENT CONTROL [tor]: 'PUSH_REQUEST' (status=1)
Wed Dec 28 14:41:57 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: timers and/or timeouts modified
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: --ifconfig/up options modified
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: route options modified
Wed Dec 28 14:41:57 2011 ROUTE default_gateway=10.64.64.64
Wed Dec 28 14:41:57 2011 TUN/TAP device tun1 opened
Wed Dec 28 14:41:57 2011 TUN/TAP TX queue length set to 100
Wed Dec 28 14:41:57 2011 /usr/sbin/ip link set dev tun1 up mtu 1500
Wed Dec 28 14:41:57 2011 /usr/sbin/ip addr add dev tun1 local 10.8.0.6 peer 10.8.0.5
Wed Dec 28 14:41:57 2011 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Wed Dec 28 14:41:57 2011 GID set to nobody
Wed Dec 28 14:41:57 2011 UID set to nobody
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed

On the server, find the IP assigned to the tunX device:

# ifconfig
.
.
.
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500  metric 1
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.

Do the same on the client:

# ifconfig
.
.
.
tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500  metric 1
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

And the client side has been given the IP 10.8.0.6.

Now try pinging the interfaces.

On the server:

# ping 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms
^C
--- 10.8.0.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms

On the client:

# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms

Starting OpenVPN

To start OpenVPN run:

# rc.d start openvpn

Add openvpn to the daemon array in /etc/rc.conf to make it start at system boot.

Deprecated older wiki content

Using PAM and passwords to authenticate

port 1194
proto udp
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.56.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;learn-address ./script
client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

Using certs to authenticate

port 1194
proto tcp
dev tun0

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

log-append /var/log/openvpn
status /tmp/vpn.status 10

Routing traffic through the server

Append the following to your server's openvpn.conf configuration file:

push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"

Change "192.168.1.1" to your external DNS IP address.

Use an iptable for NAT forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If running ArchLinux in a OpenVZ VPS environment [1]:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)

If all is well, make the changes permanent:

Edit /etc/conf.d/iptables and change IPTABLES_FORWARD=1

/etc/rc.d/iptables save

Setting up the Client

The clientside .conf file

With password authentication

client
dev tap
proto udp
remote <address> 1194
resolv-retry infinite
nobind
persist-tun
comp-lzo
verb 3
auth-user-pass passwd
ca ca.crt

passwd file (referenced by auth-user-pass) must contain two lines:

  • first line - username
  • second - password

Certs authentication

client
remote <MYSERVER> 1194
dev tun0
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 2
ca ca.crt
cert client1.crt
key client1.key
comp-lzo

Copy three files from server to remote computer.

ca.crt
client1.crt
client1.key

Install the tunnel/tap module:

 # sudo modprobe tun

To have the tun module loaded automatically at boot time add it to the Modules line in /etc/rc.conf

DNS

The DNS servers used by the system are defined in /etc/resolv.conf. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc...) However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install openresolv, which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes. Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before. You shouldn't need to configure openresolv; it should be automatically detected and used by your network system.

Next, save the following script at /usr/share/openvpn/update-resolv-conf:

#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
# and Chris Hanson
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
#
# 05/2006 chlauber@bnc.ch
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'

[ -x /usr/sbin/resolvconf ] || exit 0

case $script_type in

up)
   for optionname in ${!foreign_option_*} ; do
      option="${!optionname}"
      echo $option
      part1=$(echo "$option" | cut -d " " -f 1)
      if [ "$part1" == "dhcp-option" ] ; then
         part2=$(echo "$option" | cut -d " " -f 2)
         part3=$(echo "$option" | cut -d " " -f 3)
         if [ "$part2" == "DNS" ] ; then
            IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
         fi
         if [ "$part2" == "DOMAIN" ] ; then
            IF_DNS_SEARCH="$part3"
         fi
      fi
   done
   R=""
   if [ "$IF_DNS_SEARCH" ] ; then
           R="${R}search $IF_DNS_SEARCH
"
   fi
   for NS in $IF_DNS_NAMESERVERS ; do
           R="${R}nameserver $NS
"
   done
   echo -n "$R" | /usr/sbin/resolvconf -a "${dev}.inet"
   ;;
down)
   /usr/sbin/resolvconf -d "${dev}.inet"
   ;;
esac

Remember to make the file executable with:

 $ chmod +x /usr/share/openvpn/update-resolv-conf

Next, add the following lines to your OpenVPN client configuration file:

script-security 2
up /usr/share/openvpn/update-resolv-conf
down /usr/share/openvpn/update-resolv-conf

Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.

Connecting to the Server

You need to start the service on the server

/etc/rc.d/openvpn start

You can add it to rc.conf to make it permanet.

On the client, in the home directory create a folder that will hold your OpenVPN client config files along with the .crt/.key files. Assuming your OpenVPN config folder is called .openvpn and your client config file is vpn1.conf, to connect to the server issue the following command:

cd ~/.openvpn && sudo openvpn vpn1.conf