OpenVPN

Introduction
OpenVPN is the open source virtual private network software, capable of connecting computers securely across the internet.

Overview
laptop --> openvpn --> firewall --> server --> openvpn --> files

Installation on Gentoo Linux
http://en.gentoo-wiki.com/wiki/OpenVPN

Add The Local Portage File
The latest version available in the official Gentoo portage tree is 2.1.0; however, the latest community version of OpenVPN is 2.1.1.

Download the custom ebuild for the latest version and install it as follows:

su - root
echo "PORTDIR_OVERLAY=\"/usr/local/portage\"" >> /etc/make.conf
mkdir -p /usr/local/portage/net-misc/openvpn
cd /usr/local/portage/net-misc/openvpn/
wget http://www.paully.co.uk/openvpn-2.1.1.ebuild
ebuild openvpn-2.1.1.ebuild digest

Download: OpenVPN Community Version 2.1.1 custom Gentoo Linux ebuild by Paul Littlefield, openvpn-2.1.1.ebuild (2010-05-12)

Copy The Important Files Directory
cp -av /usr/portage/net-misc/openvpn/files /usr/local/portage/net-misc/openvpn/

Install Software
You will need to make sure that the minimal USE flag is not set, and that the examples USE flag is set.

echo "net-misc/openvpn -minimal examples ssl" >> /etc/portage/package.use

Then install the software:

emerge openvpn

SSL keys / certificates
Change to the directory with the OpenVPN scripts to set up the keys.

cd /usr/share/openvpn/easy-rsa/

Then, edit the basic parameters for the certificates. Edit the vars file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.

nano vars

Next, initialize the PKI.

source ./vars
./clean-all
./build-ca

The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:

Generating a 1024 bit RSA private key
...........................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:
State or Province Name (full name) [Kent]:
Locality Name (eg, city) [Folkestone]:
Organization Name (eg, company) [Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Company Ltd CA]:server1.company.com
Name []:
Email Address [myname@company.com]:

Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "server1.company.com".

Generate certificate & key for server

Next, we will generate a certificate and private key for the server.

./build-key-server server

As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". When asked for a challenge password, leave it blank and hit Enter. Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:

./build-key client1

For each client, type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique Common Name for each client.
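As an added example (not part of the original page), the following Python reads the keys/index.txt database that easy-rsa's build-key scripts maintain and reports any Common Name that has been issued to more than one valid certificate; the index contents are constructed here, not taken from a real installation.

```python
# Added example, not from the original page: easy-rsa records every
# certificate it signs in keys/index.txt (the OpenSSL CA database), one
# tab-separated line per certificate: status (V valid, R revoked, E expired),
# expiry, revocation date, serial, filename and subject DN.  This parses
# that file and reports Common Names shared by more than one valid
# certificate, which the text above warns against.  The sample below is
# constructed for this example (DN values containing '/' are not handled).
SAMPLE_INDEX = (
    "V\t200510120000Z\t\t01\tunknown\t/C=UK/ST=Kent/L=Folkestone/O=Company Ltd/CN=server/emailAddress=myname@company.com\n"
    "V\t200510120000Z\t\t02\tunknown\t/C=UK/ST=Kent/L=Folkestone/O=Company Ltd/CN=client1/emailAddress=myname@company.com\n"
    "R\t200510120000Z\t100601120000Z\t03\tunknown\t/C=UK/ST=Kent/L=Folkestone/O=Company Ltd/CN=client2/emailAddress=myname@company.com\n"
    "V\t200510120000Z\t\t04\tunknown\t/C=UK/ST=Kent/L=Folkestone/O=Company Ltd/CN=client2/emailAddress=myname@company.com\n"
    "V\t200510120000Z\t\t05\tunknown\t/C=UK/ST=Kent/L=Folkestone/O=Company Ltd/CN=client1/emailAddress=myname@company.com\n"
)

def parse_index(text):
    """Return a list of (status, serial, cn) for each entry in an index.txt."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, _expiry, _revoked, serial, _fname, dn = line.split('\t', 5)
        # The DN is '/'-separated key=value pairs, e.g. /C=UK/ST=Kent/CN=client1
        fields = dict(part.split('=', 1) for part in dn.strip('/').split('/'))
        entries.append((status, serial, fields.get('CN')))
    return entries

def duplicate_cns(text):
    """Return {cn: [serials]} for Common Names held by more than one valid (V) cert."""
    by_cn = {}
    for status, serial, cn in parse_index(text):
        if status == 'V':  # revoked (R) and expired (E) entries do not count
            by_cn.setdefault(cn, []).append(serial)
    return {cn: serials for cn, serials in by_cn.items() if len(serials) > 1}
```

Serial 03 for client2 is revoked, so client2 is not reported; client1 was issued twice and is.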

Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server.

./build-dh

Server Configuration
Create a directory for your 'named' VPN, e.g. 'vpn':

mkdir /etc/openvpn/vpn

Copy the keys and certificates from the previous steps into the new directory:

cp -av /usr/share/openvpn/easy-rsa/keys/* /etc/openvpn/vpn/

Method A: Routing
First, we will try the simpler method of a 'routed ip tunnel'.

nano /etc/openvpn/openvpn.conf

dev tun
proto udp
port 1194
tls-server
mode server
server 192.168.1.0 255.255.255.0
dh /etc/openvpn/vpn/dh1024.pem
# ca must name the CA certificate, not the CA private key (ca.key)
ca /etc/openvpn/vpn/ca.crt
cert /etc/openvpn/vpn/server.crt
key /etc/openvpn/vpn/server.key
comp-lzo
user nobody
group nogroup
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
push "route 192.168.0.0 255.255.255.0"
verb 3
log /var/log/openvpn.log
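As an added example (not from the original page or the OpenVPN project), a small Python checker for a routed-tunnel server config of this shape; the sample config it embeds is constructed here and deliberately points the ca directive at ca.key, a common slip, so the check has something to report.

```python
# Added example, not part of the original page: a checker for a routed-tunnel
# server config like the one above.  It parses the directive lines of an
# openvpn.conf and flags what a defender looks for first: the ca directive
# must name the CA certificate (never the CA private key), and user/group
# must be paired with persist-key/persist-tun so the daemon keeps working
# after it has dropped root.
import shlex

# Constructed sample in the shape of the page's config; it deliberately
# points ca at ca.key (a common slip) so the check below has something to find.
SAMPLE_CONF = """\
dev tun
proto udp
server 192.168.1.0 255.255.255.0
dh /etc/openvpn/vpn/dh1024.pem
ca /etc/openvpn/vpn/ca.key
cert /etc/openvpn/vpn/server.crt
key /etc/openvpn/vpn/server.key
user nobody
group nogroup
persist-tun
persist-key
push "route 192.168.0.0 255.255.255.0"
"""

def parse_conf(text):
    """Return {directive: [args]}; '#' and ';' start comments, last occurrence wins."""
    conf = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].split(';', 1)[0].strip()
        if line:
            parts = shlex.split(line)
            conf[parts[0]] = parts[1:]
    return conf

def check_conf(text):
    """Return a list of findings; an empty list means the checks pass."""
    conf = parse_conf(text)
    findings = []
    for req in ('ca', 'cert', 'key', 'dh'):
        if req not in conf:
            findings.append('missing %s directive' % req)
    ca = (conf.get('ca') or [''])[0]
    if ca.endswith('.key'):
        findings.append('ca points at a private key (%s); it must be the CA certificate' % ca)
    if 'user' not in conf or 'group' not in conf:
        findings.append('no user/group: daemon keeps root privileges')
    elif not ('persist-key' in conf and 'persist-tun' in conf):
        findings.append('user/group without persist-key and persist-tun: restarts cannot re-read keys')
    return findings
```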

Shoreline Firewall / Shorewall Configuration
We would like to allow staff on the road (Roadwarriors :) access to the files on their server in the office. Our server acts as a gateway and firewall using 2 network interface cards (eth0 and eth1).

Internet <--> [123.456.789.0 Modem 10.0.0.2] <--> [10.0.0.1 Firewall | Server 192.168.0.1] <--> [Network]

http://www.shorewall.net/OPENVPN.html#RoadWarrior

The current Shorewall config looks like this:

/etc/shorewall/interfaces

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          routefilter,tcpflags
loc     eth1            detect          dhcp,tcpflags

/etc/shorewall/zones

#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4

/etc/shorewall/policy

#SOURCE         DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                                       LEVEL   BURST           MASK
loc             net     ACCEPT
loc             fw      ACCEPT
fw              net     ACCEPT
fw              loc     ACCEPT
net             all     DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all     REJECT          info
#LAST LINE -- DO NOT REMOVE
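As an added example (not from the original page or from Shorewall), a Python evaluator for the policy table above: Shorewall applies the first policy line whose SOURCE and DEST match, with "all" as a wildcard, which is why the all/all REJECT line has to stay last; the tables are embedded here as constructed samples, and a zone that is not declared in /etc/shorewall/zones (the tun interface has none yet) is rejected by the lookup.

```python
# Added example, not part of the original page: first-match evaluation of a
# Shorewall policy table.  ZONES mirrors /etc/shorewall/zones and POLICY
# mirrors /etc/shorewall/policy from the page; both are constructed samples.
ZONES = {'fw': 'firewall', 'net': 'ipv4', 'loc': 'ipv4'}

POLICY = """\
#SOURCE DEST    POLICY  LOG
loc     net     ACCEPT
loc     fw      ACCEPT
fw      net     ACCEPT
fw      loc     ACCEPT
net     all     DROP    info
all     all     REJECT  info
"""

def parse_policy(text):
    """Return [(source, dest, policy, log_level_or_None)] in file order."""
    rows = []
    for line in text.splitlines():
        cols = line.split('#', 1)[0].split()
        if cols:
            src, dst, pol = cols[:3]
            rows.append((src, dst, pol, cols[3] if len(cols) > 3 else None))
    return rows

def lookup(rows, src, dst):
    """Return (policy, log_level) for traffic from zone src to zone dst (first match wins)."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError('zone not declared in /etc/shorewall/zones: %s -> %s' % (src, dst))
    for s, d, pol, log in rows:
        if s in ('all', src) and d in ('all', dst):
            return pol, log
    return None, None  # no catch-all policy matched

def policy_matrix(rows):
    """Resolve the policy for every ordered pair of declared zones."""
    return {(s, d): lookup(rows, s, d)[0] for s in ZONES for d in ZONES}
```

Moving the net/all DROP line below the all/all REJECT line changes inbound Internet traffic from a silent DROP to a REJECT, which is the ordering mistake the comment in the policy file guards against.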
