OpenVPN

From ArchWiki
Revision as of 13:23, 22 November 2011 by Kynikos (Talk | contribs) (<pre> -> Bc)

Jump to: navigation, search

This template has only maintenance purposes. For linking to local translations please use interlanguage links, see Help:i18n#Interlanguage links.


Local languages: Català – Dansk – English – Español – Esperanto – Hrvatski – Indonesia – Italiano – Lietuviškai – Magyar – Nederlands – Norsk Bokmål – Polski – Português – Slovenský – Česky – Ελληνικά – Български – Русский – Српски – Українська – עברית – العربية – ไทย – 日本語 – 正體中文 – 简体中文 – 한국어


External languages (all articles in these languages should be moved to the external wiki): Deutsch – Français – Română – Suomi – Svenska – Tiếng Việt – Türkçe – فارسی

This article describes a basic installation and configuration of OpenVPN. For more detailed information, please use the official OpenVPN HOWTO and Manual.

Install

Install openvpn:

 pacman -S openvpn

Also you may install ldap authentication module from AUR.

Prepare OpenSSL data

Create certificates and keys. First copy /usr/share/openvpn/easy-rsa to /etc/openvpn/easy-rsa and cd there. Edit the file "vars" with the information you want, then source it. (note the single dot)

 . ./vars

Clean up any previous keys:

 ./clean-all

Generate the certificates. build-ca creates the "certificate authority" key the key signing machine needs and the ca.crt certificate that the server and client both need. build-key-server (followed by your server name) creates certificate and private key for the server. build-dh creates the Diffie-Hellman pem file that the server needs. Don't enter a challenge password or company name when you set these up.

 ./build-ca
 ./build-key-server <server-name>
 ./build-dh

build-key (followed by a common client name) creates the certificate for a client. You can build as many as you need for different clients.

./build-key client1

All certificates are stored in /etc/openvpn/easy-rsa/keys. If you mess up, you can start all over by doing a ./clean-all

Copy the ca.crt, client1.crt and client1.key to client1, etc. over a secure connection.

Setting up the Server

Create empty conf file and store it in /etc/openvpn/openvpn.conf

Using PAM and passwords to authenticate

port 1194
proto udp
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.56.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;learn-address ./script
client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

Using certs to authenticate

port 1194
proto tcp
dev tun0

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

log-append /var/log/openvpn
status /tmp/vpn.status 10

Routing traffic through the server

Append the following to your server's openvpn.conf configuration file:

push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"

Change "192.168.1.1" to your external DNS IP address.

Use an iptable for NAT forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If running ArchLinux in a OpenVZ VPS environment [1]:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)

If all is well, make the changes permanent:

Edit /etc/conf.d/iptables and change IPTABLES_FORWARD=1

/etc/rc.d/iptables save

Setting up the Client

The clientside .conf file

With password authentication

client
dev tap
proto udp
remote <address> 1194
resolv-retry infinite
nobind
persist-tun
comp-lzo
verb 3
auth-user-pass passwd
ca ca.crt

passwd file (referenced by auth-user-pass) must contain two lines:

  • first line - username
  • second - password

Certs authentication

client
remote <MYSERVER> 1194
dev tun0
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 2
ca ca.crt
cert client1.crt
key client1.key
comp-lzo

Copy three files from server to remote computer.

ca.crt
client1.crt
client1.key

Install the tunnel/tap module:

 # sudo modprobe tun

To have the tun module loaded automatically at boot time add it to the Modules line in /etc/rc.conf

DNS

The DNS servers used by the system are defined in /etc/resolv.conf. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc...) However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install openresolv, which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes. Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before. You shouldn't need to configure openresolv; it should be automatically detected and used by your network system.

Next, save the following script at /usr/share/openvpn/update-resolv-conf:

#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
# and Chris Hanson
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
#
# 05/2006 chlauber@bnc.ch
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'

[ -x /usr/sbin/resolvconf ] || exit 0

case $script_type in

up)
   for optionname in ${!foreign_option_*} ; do
      option="${!optionname}"
      echo $option
      part1=$(echo "$option" | cut -d " " -f 1)
      if [ "$part1" == "dhcp-option" ] ; then
         part2=$(echo "$option" | cut -d " " -f 2)
         part3=$(echo "$option" | cut -d " " -f 3)
         if [ "$part2" == "DNS" ] ; then
            IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
         fi
         if [ "$part2" == "DOMAIN" ] ; then
            IF_DNS_SEARCH="$part3"
         fi
      fi
   done
   R=""
   if [ "$IF_DNS_SEARCH" ] ; then
           R="${R}search $IF_DNS_SEARCH
"
   fi
   for NS in $IF_DNS_NAMESERVERS ; do
           R="${R}nameserver $NS
"
   done
   echo -n "$R" | /usr/sbin/resolvconf -a "${dev}.inet"
   ;;
down)
   /usr/sbin/resolvconf -d "${dev}.inet"
   ;;
esac

Remember to make the file executable with:

 $ chmod +x /usr/share/openvpn/update-resolv-conf

Next, add the following lines to your OpenVPN client configuration file:

script-security 2
up /usr/share/openvpn/update-resolv-conf
down /usr/share/openvpn/update-resolv-conf

Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.

Connecting to the Server

You need to start the service on the server

/etc/rc.d/openvpn start

You can add it to rc.conf to make it permanet.

On the client, in the home directory create a folder that will hold your OpenVPN client config files along with the .crt/.key files. Assuming your OpenVPN config folder is called .openvpn and your client config file is vpn1.conf, to connect to the server issue the following command:

cd ~/.openvpn && sudo openvpn vpn1.conf