OpenVPN

Introduction
OpenVPN is open source virtual private network (VPN) software that connects computers securely across the internet.

Overview
laptop --> openvpn --> firewall --> server --> openvpn --> files

Modem Settings
OpenVPN requires a port to be opened on the DSL/broadband modem and forwarded to the server.

Default Port: 1195 UDP

Quick and Dirty Install on Gentoo Linux
This will install OpenVPN just for 1 client with a simple secret file instead of keys.

http://briancarper.net/blog/243/

Installation on Gentoo Linux
http://en.gentoo-wiki.com/wiki/OpenVPN

Add The Local Portage File
** UPDATE ** '''Version 2.1.3 is now in the Portage tree. Do not use the method below.''' Skip to section Install Software

The latest version available in the official Gentoo portage tree is 2.1.0; however, the latest community version of OpenVPN is 2.1.1.

Download the latest version custom ebuild and install it as follows:-

su - root
echo "PORTDIR_OVERLAY=\"/usr/local/portage\"" >> /etc/make.conf
mkdir -p /usr/local/portage/net-misc/openvpn
cd /usr/local/portage/net-misc/openvpn/
wget http://www.paully.co.uk/openvpn-2.1.1.ebuild

Download OpenVPN Community Version 2.1.1 custom Gentoo Linux ebuild by Paul Littlefield openvpn-2.1.1.ebuild 2010-05-12

Copy The Important Files Directory
cp -av /usr/portage/net-misc/openvpn/files /usr/local/portage/net-misc/openvpn/

Create The Portage Manifest File
cd /usr/local/portage/net-misc/openvpn/
ebuild openvpn-2.1.1.ebuild digest

Update The EIX Portage Cache
eix-update

Allow Beta Software
echo "net-misc/openvpn ~amd64" >> /etc/portage/package.keywords

Install Software
You will need to make sure that the minimal USE flag is not set, and that the examples and ssl USE flags are set.

echo "net-misc/openvpn -minimal examples ssl" >> /etc/portage/package.use

Then test the software.

emerge -pv openvpn

Then install the software.

emerge openvpn

SSL keys / certificates
Change to the directory with the OpenVPN scripts to set up the keys.

cd /usr/share/openvpn/easy-rsa/

Then, edit the basic parameters for the certificates. Edit the vars file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.

nano vars

export KEY_COUNTRY="UK"
export KEY_PROVINCE="Kent"
export KEY_CITY="Canterbury"
export KEY_ORG="My Company"
export KEY_EMAIL="me@mycompany.com"

Next, initialize the PKI.

source ./vars
./clean-all
./build-ca

The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:

Generating a 1024 bit RSA private key
...........................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:
State or Province Name (full name) [Kent]:
Locality Name (eg, city) [Folkestone]:
Organization Name (eg, company) [Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Company Ltd CA]:server1.company.com
Name []:
Email Address [myname@company.com]:

Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "server1.company.com".

Generate certificate & key for server

Next, we will generate a certificate and private key for the server.

./build-key-server server

As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". When asked for a challenge password, leave it blank and hit Enter. Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:

./build-key client1

For each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2" or "client3". Always use a unique Common Name for each client.

Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server.

./build-dh
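The "unique Common Name per client" rule above matters because OpenVPN identifies a client by the CN in its certificate: two clients with the same CN cannot be told apart in the log or in the ifconfig-pool-persist file, and by default the server disconnects the existing session when a second client with the same CN connects. easy-rsa records every certificate it signs in keys/index.txt (OpenSSL's CA database: one tab-separated line per certificate with status, expiry, revocation date, serial, file name and subject DN), which makes the rule easy to check. The script below is an added example, not part of this page or of easy-rsa; the index.txt it writes is constructed sample data with made-up serials and dates.

```shell
#!/bin/sh
# Added example, not part of the original wiki page. Reads the easy-rsa
# keys/index.txt (OpenSSL "ca" database) and enforces the rule that every
# client certificate has its own Common Name.

# Print each CN that has more than one valid (status V) certificate, with the count.
ca_duplicate_cns() {
    awk 'BEGIN { FS = "\t" }
         $1 == "V" {
             cn = ""
             n = split($6, f, "/")                      # subject DN is field 6
             for (i = 1; i <= n; i++) if (f[i] ~ /^CN=/) cn = substr(f[i], 4)
             if (cn != "") count[cn]++
         }
         END { for (cn in count) if (count[cn] > 1) print cn, count[cn] }' "$1" | sort
}

# Print "status serial CN" for every entry, so revoked (R) certs stand out.
ca_list() {
    awk 'BEGIN { FS = "\t" }
         {
             cn = ""
             n = split($6, f, "/")
             for (i = 1; i <= n; i++) if (f[i] ~ /^CN=/) cn = substr(f[i], 4)
             print $1, $4, cn
         }' "$1"
}

# Constructed sample index.txt written to $1 (serials and dates are made up).
# It contains a server cert, client1 issued twice, client2, and a revoked client3.
make_sample_index() {
    dn='/C=UK/ST=Kent/L=Canterbury/O=My Company'
    printf 'V\t200521140251Z\t\t01\tunknown\t%s/CN=server/emailAddress=me@mycompany.com\n' "$dn" > "$1"
    printf 'V\t200521140312Z\t\t02\tunknown\t%s/CN=client1/emailAddress=me@mycompany.com\n' "$dn" >> "$1"
    printf 'V\t200521140330Z\t\t03\tunknown\t%s/CN=client2/emailAddress=me@mycompany.com\n' "$dn" >> "$1"
    printf 'R\t200521140345Z\t100601090000Z\t04\tunknown\t%s/CN=client3/emailAddress=me@mycompany.com\n' "$dn" >> "$1"
    printf 'V\t200521140402Z\t\t05\tunknown\t%s/CN=client1/emailAddress=me@mycompany.com\n' "$dn" >> "$1"
}

# Demonstration on the constructed file.
demo_index=$(mktemp)
make_sample_index "$demo_index"
echo "All certificates:";      ca_list "$demo_index"
echo "Duplicate CNs:";         ca_duplicate_cns "$demo_index"     # client1 2
rm -f "$demo_index"
```

Run it against /usr/share/openvpn/easy-rsa/keys/index.txt (the rsync step later on this page copies it to /etc/openvpn/vpn/ as well). A lost laptop's certificate is withdrawn with ./revoke-full client3 in the same easy-rsa directory, and the server only honours the revocation if its config points at the resulting CRL with the crl-verify directive. Note also that rsync of keys/* puts ca.key on the VPN server; the server needs only ca.crt, so the CA private key is better kept elsewhere.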

Server Configuration
This is for a Gentoo Linux server with 2 network interface cards, acting as a gateway / firewall / file share...

ip addr show

1: lo:  mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
2: eth0:  mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether e0:cb:4e:3a:da:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0
    inet6 fe80::e2cb:4eff:fe3a:daa4/64 scope link
3: eth1:  mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:50:bf:10:05:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::250:bfff:fe10:56e/64 scope link
4: sit0:  mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
11: tun0:  mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/[65534]
    inet 192.168.1.1 peer 192.168.1.2/32 scope global tun0
12: tun1:  mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/[65534]
    inet 192.168.2.1 peer 192.168.2.2/32 scope global tun1

Create a directory for your 'named' VPN, e.g. 'vpn'...

mkdir /etc/openvpn/vpn

Copy the keys and certificates from the previous steps into the new directory...

rsync -av /usr/share/openvpn/easy-rsa/keys/* /etc/openvpn/vpn/

Method A: Routing
We will try the simpler method of a 'routed ip tunnel'.

OK, create the first VPN server configuration file...

nano /etc/openvpn/openvpn.conf

port 1194
proto udp
dev tun
ca /etc/openvpn/vpn/ca.crt
cert /etc/openvpn/vpn/server.crt
key /etc/openvpn/vpn/server.key
dh /etc/openvpn/vpn/dh1024.pem
server 192.168.1.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/vpn/ipp.txt
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verb 3
log /var/log/openvpn.log

Now create the second VPN server configuration file...

nano /etc/openvpn/openvpn2.conf

port 1195
proto udp
dev tun
ca /etc/openvpn/vpn/ca.crt
cert /etc/openvpn/vpn/server.crt
key /etc/openvpn/vpn/server.key
dh /etc/openvpn/vpn/dh1024.pem
server 192.168.2.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/vpn/ipp.txt
push "route 172.20.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verb 3
log /var/log/openvpn2.log
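Before starting the servers it is worth reviewing the two configuration files with the eye of a security reviewer. The script below is an added example, not part of this page or of OpenVPN: it reads a server config of the kind shown above and flags the settings that are weak by current standards (1024-bit DH parameters, no tls-auth HMAC on the control channel, link compression, a daemon that does not drop root, a world-readable private key). The file names ta.key and dh2048.pem in its messages are illustrative, not files this page creates.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: a review script for a
# server config like /etc/openvpn/openvpn.conf above. It prints one line per
# finding and returns 1 if anything was flagged, 0 if the file passed.

# First active line that starts with the given directive (empty if none).
# Comment lines (# or ;) never match because they start with the marker.
ovpn_directive() {
    grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" 2>/dev/null | head -n 1
}

check_openvpn_conf() {
    conf=$1
    findings=0
    flag() { echo "$1"; findings=$((findings + 1)); }

    # dh1024.pem (the default KEY_SIZE in the easy-rsa 2 vars file) gives
    # 1024-bit Diffie-Hellman groups; current practice is 2048 bits or more.
    if ovpn_directive "$conf" dh | grep -q 'dh1024'; then
        flag "dh: 1024-bit Diffie-Hellman parameters; regenerate with 2048 bits or more"
    fi

    # tls-auth adds an HMAC to every control-channel packet, so senders without
    # the shared key cannot even start a TLS handshake (tls-crypt is the newer form).
    if [ -z "$(ovpn_directive "$conf" tls-auth)" ] && [ -z "$(ovpn_directive "$conf" tls-crypt)" ]; then
        flag "tls-auth: missing; create a key with 'openvpn --genkey --secret ta.key' and add 'tls-auth ta.key 0'"
    fi

    # Upstream has deprecated link compression; leave it off.
    if [ -n "$(ovpn_directive "$conf" comp-lzo)" ]; then
        flag "comp-lzo: compression enabled; remove it"
    fi

    # The daemon should drop root after start-up; persist-key and persist-tun
    # let it survive restarts and SIGUSR1 once it no longer has privileges.
    for d in user group persist-key persist-tun; do
        [ -n "$(ovpn_directive "$conf" "$d")" ] || flag "$d: missing"
    done

    # The server's private key must not be readable by other local users.
    keyfile=$(ovpn_directive "$conf" key | awk '{ print $2 }')
    if [ -n "$keyfile" ] && [ -f "$keyfile" ] && [ -n "$(find "$keyfile" -perm -004)" ]; then
        flag "key: $keyfile is world-readable; chmod 600 it"
    fi

    [ "$findings" -eq 0 ]
}

# Usage: check_openvpn_conf /etc/openvpn/openvpn.conf
[ $# -eq 1 ] && check_openvpn_conf "$1"
```

Against the two files above it reports the 1024-bit DH file, the missing tls-auth and comp-lzo (plus the key permissions if server.key is not mode 600). One further point the script does not check: both files name the same /etc/openvpn/vpn/ipp.txt for ifconfig-pool-persist, and each instance rewrites that file with its own CN-to-address mappings, so give the second server its own file (e.g. ipp2.txt).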

Next, create the Gentoo Linux system start-up files...

cd /etc/init.d/
ln -s openvpn openvpn.openvpn2
rc-update add openvpn default
rc-update add openvpn.openvpn2 default

Finally, start the 2 OpenVPN servers...

/etc/init.d/openvpn start
/etc/init.d/openvpn.openvpn2 start

Check that you have both of the new VPN interfaces...

ifconfig tun0

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.1.1  P-t-P:192.168.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2294 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:247206 (241.4 KiB)

ifconfig tun1

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.2.1  P-t-P:192.168.2.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3216 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3214 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:433830 (423.6 KiB)  TX bytes:607390 (593.1 KiB)

Your log file should look like this...

tail /var/log/openvpn.log

Fri May 21 14:02:51 2010 OpenVPN 2.1.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on May 14 2010
Fri May 21 14:02:51 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri May 21 14:02:51 2010 Diffie-Hellman initialized with 1024 bit key
Fri May 21 14:02:51 2010 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri May 21 14:02:51 2010 ROUTE default_gateway=10.0.0.2
Fri May 21 14:02:51 2010 TUN/TAP device tun1 opened
Fri May 21 14:02:51 2010 TUN/TAP TX queue length set to 100
Fri May 21 14:02:51 2010 /sbin/ifconfig tun1 192.168.2.1 pointopoint 192.168.2.2 mtu 1500
Fri May 21 14:02:51 2010 /sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.2
Fri May 21 14:02:51 2010 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri May 21 14:02:51 2010 GID set to nogroup
Fri May 21 14:02:51 2010 UID set to nobody
Fri May 21 14:02:51 2010 Socket Buffers: R=[112640->131072] S=[112640->131072]
Fri May 21 14:02:51 2010 UDPv4 link local (bound): [undef]:1195
Fri May 21 14:02:51 2010 UDPv4 link remote: [undef]
Fri May 21 14:02:51 2010 MULTI: multi_init called, r=256 v=256
Fri May 21 14:02:51 2010 IFCONFIG POOL: base=192.168.2.4 size=62
Fri May 21 14:02:51 2010 IFCONFIG POOL LIST
Fri May 21 14:02:51 2010 Initialization Sequence Completed

Method B: Bridged
to be done

Shoreline Firewall / Shorewall Configuration
We would like to allow staff on the road (Roadwarriors :) access to the files on their server in the office. Our server acts as a gateway and firewall using 2 network interface cards (eth0 and eth1).

Internet <--> [123.456.789.0 Modem 10.0.0.2] <--> [10.0.0.1 Firewall | Server 192.168.0.1] <--> [Network]

http://www.shorewall.net/OPENVPN.html#RoadWarrior

'''IMPORTANT - If the roadwarrior uses a hotel WiFI, you have to allow for both ends of the tunnel to be the same IP address range. This ROUTING config will take care of that :-)'''

[192.168.0.x roadwarrior] <-- VPN --> [server 192.168.0.x]

Edit the Shorewall config files so that they contain the entries shown below. The additions for the VPN are the vpn zone, the tun+ interface, the two openvpnserver tunnels, the four vpn policies and the two netmap entries; the remaining lines are the existing gateway configuration:-

/etc/shorewall/zones

#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/interfaces

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          routefilter,tcpflags
loc     eth1            detect          dhcp,tcpflags
vpn     tun+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/tunnels

#TYPE                   ZONE    GATEWAY         GATEWAY
#                                               ZONE
openvpnserver:1194      net     0.0.0.0/0
openvpnserver:1195      net     0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/policy

#SOURCE         DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                                       LEVEL   BURST           MASK
loc             net     ACCEPT
loc             fw      ACCEPT
fw              net     ACCEPT
fw              loc     ACCEPT
vpn             loc     ACCEPT
loc             vpn     ACCEPT
vpn             fw      ACCEPT
fw              vpn     ACCEPT
net             all     DROP            info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all             all     REJECT          info
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/netmap

#TYPE   NET1                    INTERFACE       NET2
SNAT    192.168.0.0/24          tun+            172.20.0.0/24
DNAT    172.20.0.0/24           tun+            192.168.0.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
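The netmap entries are what make the "same IP address range at both ends" case above work: nothing in the hotel and nothing in the office is renumbered; the firewall rewrites office source addresses from 192.168.0.0/24 to 172.20.0.0/24 as packets enter the tunnel (SNAT) and rewrites destinations back the other way as replies arrive (DNAT). The shell functions below are an added example, not from this page or from Shorewall, that perform the same rewrite on a single address so the two rules can be traced by hand.

```shell
#!/bin/sh
# Added example, not from the original page: what the SNAT/DNAT netmap rules
# above do to one address. NETMAP swaps the network part of an address and
# keeps the host part, so office host 192.168.0.10 is seen by the roadwarrior
# as 172.20.0.10 even when the hotel LAN is also 192.168.0.0/24.

# dotted quad -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix length -> netmask as an integer (24 -> 255.255.255.0)
prefix2mask() {
    [ "$1" -gt 0 ] || { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# netmap ADDR NET1/LEN NET2/LEN: rewrite ADDR from NET1 into NET2 the way a
# netmap SNAT (traffic leaving) or DNAT (traffic arriving) rule does.
# Prints the translated address; prints nothing and returns 1 if ADDR is not
# in NET1, which is also what the firewall does (the packet is left untouched).
netmap() {
    addr=$(ip2int "$1")
    net1=$(ip2int "${2%/*}"); len1=${2#*/}
    net2=$(ip2int "${3%/*}"); len2=${3#*/}
    [ "$len1" -eq "$len2" ] || { echo "netmap: NET1 and NET2 must be the same size" >&2; return 2; }
    mask=$(prefix2mask "$len1")
    [ $(( addr & mask )) -eq $(( net1 & mask )) ] || return 1
    host=$(( addr & ~mask & 4294967295 ))          # host part survives unchanged
    int2ip $(( (net2 & mask) | host ))
}

# The two rules from /etc/shorewall/netmap, applied to one packet each way.
netmap 192.168.0.10 192.168.0.0/24 172.20.0.0/24   # SNAT: prints 172.20.0.10
netmap 172.20.0.10  172.20.0.0/24 192.168.0.0/24   # DNAT: prints 192.168.0.10
```

This is also why the Windows client section later pings 172.20.0.x rather than 192.168.0.x: from the roadwarrior's side the office only ever appears as 172.20.0.0/24, so the hotel's own 192.168.0.0/24 never collides with it. The argument order of netmap follows the NET1 and NET2 columns of the netmap file.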

Check your firewall configuration, and correct any errors.

shorewall check

Then restart.

/etc/init.d/shorewall restart

Client Configuration
This will install OpenVPN so that the client can use it anywhere - even if both networks at each end of the VPN tunnel share the same IP address range.

Installation in Microsoft Windows
As Administrator

Download and install the latest OpenVPN Community Edition Microsoft Windows software from here, then reboot.

Copy the example config file (C:\Program Files\OpenVPN\config-samples\client.ovpn) into the actual config folder (C:\Program Files\OpenVPN\config) as something like 'office.ovpn' or 'server.ovpn'.

Edit the following lines of the new .ovpn file:-

remote server1.myoffice.com 1195

The 1195 is important, because you will be connecting to the second OpenVPN server which then passes the requests for data through the firewall by cool network mapping to the first openvpn server :-)

Copy the necessary client key files (ca.crt, client.crt, client.key) which have been generated from the server (as shown above) to the C:\Program Files\OpenVPN\config folder.

Create a shortcut on the User's desktop for the OpenVPN GUI.

As User

Right-click on the OpenVPN GUI shortcut icon, and choose Run as Administrator. Put in the Windows Administrator password and click OK.

Right-click on the little OpenVPN icon on the task bar near the clock, and choose Connect.

With any luck you will see the connection log whizz by and it will show Connected.

Then you can do a quick ping test...

ping 172.20.0.x   (the last number in the IP address of your server)

Then you can launch Windows Explorer and put the following in the address bar...

\\172.20.0.x\shared\  (or whatever your Samba share is called)

Installation in Linux
Install the package...

emerge openvpn

Create the directory for the VPN files...

mkdir -p /etc/openvpn/domain.co.uk

Copy the client and server files to that directory...

server1.ovpn
client1.key
client1.crt
ca.crt

Load the tun module...

modprobe tun

Start the client...

cd /etc/openvpn/domain.co.uk
openvpn server1.ovpn

Windows Vista or Windows 7 Tips and Tricks
In the Windows vpn configuration file (e.g. C:\Program Files\OpenVPN\config\server.ovpn) add the following 2 lines to prevent errors or problems when running in Windows Vista or 7:-

route-method exe
route-delay 2

FIX 1

http://www.personalvpn.org/openvpn_vista.htm - If you are not running an 'Administrator' profile, then you need to ensure that the User Account Control (UAC) is enabled.

POSSIBLE FIX 2

If you are running OpenVPN under a Home Edition of Vista in a 'Standard User' profile, its permissions need to be set to allow it to run.

Log on in an administrator profile.

Open Windows Explorer and navigate to the Program Files folder, locate and right-click on the OpenVPN folder and select 'Properties' from the shell menu.

Select the 'Security' tab and click the 'Edit' button.

On the next window click the 'Add' button.

On the next window click the 'Advanced' button.

On the next window click the 'Find' button.

Under the search results click once on the user you want to add and then click the 'OK' buttons through to the window which reads 'Permissions for OpenVPN'.

In the top box click on the user just added and in the permissions box below select the check box next to 'Full Control' in the 'Allow' column.

Other possible fixes

http://www.surfbouncer.com/Windows_7.htm

http://forums.openvpn.net/topic9972.html