Server Installation
To install openvpn in a terminal enter:
sudo apt-get install openvpn
Public Key Infrastructure Setup
The first step in building an OpenVPN configuration is to establish a PKI (public key infrastructure). The PKI consists of:
- a separate certificate (also known as a public key) and private key for the server and each client, and
- a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.
OpenVPN supports bidirectional authentication based on certificates,
meaning that the client must authenticate the server certificate and the
server must authenticate the client certificate before mutual trust is
established.
Both server and client will authenticate the other by first verifying
that the presented certificate was signed by the master certificate
authority (CA), and then by testing information in the now-authenticated
certificate header, such as the certificate common name or certificate
type (client or server).
Certificate Authority Setup
To setup your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients
first copy the easy-rsa directory to /etc/openvpn. This will ensure that any
changes to the scripts will not be lost when the package is updated.
From a terminal change to user root and:
mkdir /etc/openvpn/easy-rsa/ cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Next, edit /etc/openvpn/easy-rsa/vars adjusting the following to your environment:
export KEY_COUNTRY="US" export KEY_PROVINCE="NC" export KEY_CITY="Winston-Salem" export KEY_ORG="Example Company" export KEY_EMAIL="steve@example.com"
Enter the following to generate the master Certificate Authority (CA) certificate and key:
cd /etc/openvpn/easy-rsa/ source vars ./clean-all ./build-ca
Server Certificates
Next, we will generate a certificate and private key for the server:
./build-key-server myservername
As in the previous step, most parameters can be defaulted. Two other
queries require positive responses, "Sign the certificate? [y/n]" and "1
out of 1 certificate requests certified, commit? [y/n]".
Diffie Hellman parameters must be generated for the OpenVPN server:
./build-dh
All certificates and keys have been generated in the
subdirectory keys/. Common practice is to copy them to /etc/openvpn/:
cd keys/ cp myservername.crt myservername.key ca.crt dh1024.pem /etc/openvpn/
Client Certificates
The VPN client will also need a certificate to authenticate
itself to the server. Usually you create a different certificate for
each client. To create the
certificate, enter the following in a terminal while being user
root:
cd /etc/openvpn/easy-rsa/ source vars ./build-key client1
Copy the following files to the client using a secure method:
- /etc/openvpn/ca.crt
- /etc/openvpn/easy-rsa/keys/client1.crt
- /etc/openvpn/easy-rsa/keys/client1.key
As the client certificates and keys are only required on the client machine, you should remove them from the server.
Simple Server Configuration
Along with your OpenVPN installation
you got these sample config files (and many more if if you check):
root@server:/# ls -l /usr/share/doc/openvpn/examples/sample-config-files/ total 68 -rw-r--r-- 1 root root 3427 2011-07-04 15:09 client.conf -rw-r--r-- 1 root root 4141 2011-07-04 15:09 server.conf.gz
Start with copying and unpacking server.conf.gz to /etc/openvpn/server.conf.
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ sudo gzip -d /etc/openvpn/server.conf.gz
Edit /etc/openvpn/server.conf to make sure the following lines are pointing to the certificates and keys you created in the section above.
ca ca.crt cert myservername.crt key myservername.key dh dh1024.pem
That is the minimum you have to configure to get a working
OpenVPN server.
You can use all the default settings in the sample server.conf file. Now
start the server. You will find logging and error messages in your
syslog.
root@server:/etc/openvpn# /etc/init.d/openvpn start * Starting virtual private network daemon(s)... * Autostarting VPN 'server' [ OK ]
Now check if OpenVPN created a tun0 interface:
root@server:/etc/openvpn# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
[...]
Simple Client Configuration
There are various different OpenVPN client implementations
with and without GUIs. You can read more about clients in a later section.
For now we use the OpenVPN client
for Ubuntu which is the same executable as the server. So you have to
install the openvpn package again on the client machine:
sudo apt-get install openvpn
This time copy the client.conf sample config file to /etc/openvpn/.
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
Copy the client keys and the certificate of the CA you created in the section above to e.g. /etc/openvpn/ and edit /etc/openvpn/client.conf to make sure the following lines are pointing to those files. If you have the files in /etc/openvpn/ you can omit the path.
ca ca.crt cert client1.crt key client1.key
And you have to at least specify the OpenVPN server name or address.
Make sure the keyword client is in the config. That's what enables
client mode.
client remote vpnserver.example.com 1194
Now start the OpenVPN client:
root@client:/etc/openvpn# /etc/init.d/openvpn start * Starting virtual private network daemon(s)... * Autostarting VPN 'client' [ OK ]
Check if it created a tun0 interface:
root@client:/etc/openvpn# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
Check if you can ping the OpenVPN server:
root@client:/etc/openvpn# ping 10.8.0.1 PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data. 64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=0.920 ms
