OpenVPN server

From Smop.co.uk


This is basically a trimmed version of the excellent OpenVPN HOWTO.

First of all we need to generate x509 certificate/key pairs for the server and any clients. You might already have tools in place for this, in which case just be aware of the man-in-the-middle prevention requirements under Extra security below (the server certificate must be marked as a server certificate).

For the rest of us, start by copying /usr/share/doc/openvpn/examples/easy-rsa/2.0 somewhere safe. Now:

  • edit vars, changing the KEY_* parameters at the bottom (the country code for England is GB, not UK)
    • I increased KEY_SIZE to 2048
  • . ./vars
  • ./clean-all
  • ./build-ca
  • ./build-key-server vpn.example.com
  • ./build-key client.example.com
  • ./build-dh (this took 5 mins)

On the server

  • edit /etc/openvpn/server.conf (from /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz)
    • set "local 1.2.3.4" (with IP address) to limit which addresses it listens on
    • leave "proto udp" alone since it's the fastest, most robust choice (a single server instance cannot use tcp _and_ udp)
    • leave "dev tun" as routed is better than bridged for most people
    • set "dh dh2048.pem" (as I increased the key size)
    • set "server 10.8.0.0 255.255.255.0" to the VPN range
  • note the files required and copy them from the box where you ran easy-rsa above (securing their permissions):
    • ca.crt (I renamed this to ca.example.com.crt)
    • server.crt (I renamed this to vpn.example.com.crt)
    • server.key (I renamed this to vpn.example.com.key)
    • dh2048.pem

On the client:

  • edit /etc/openvpn/client.conf (from /usr/share/doc/openvpn/examples/sample-config-files/client.conf)
    • leave "proto udp"
    • set "remote vpn.example.com 1194"
  • note the files required and copy them from the box where you ran easy-rsa above (securing their permissions):
    • ca.crt (I renamed this to ca.example.com.crt)
    • client.crt (I renamed this to client.example.com.crt)
    • client.key (I renamed this to client.example.com.key)

Other server tweaks:

  • set 'push "route 1.2.3.4 255.255.255.0"' if required to tell the client about networks behind the server
  • set 'push "dhcp-option DNS 1.2.3.4"' to tell the client about DNS servers
  • set 'push "dhcp-option WINS 1.2.3.4"' to tell the client about WINS servers
  • set 'push "redirect-gateway"' to force all traffic via the VPN
  • set 'client-to-client' to allow VPN clients to see each other

Extra security:

  • openvpn --genkey --secret ta.key
  • set "tls-auth ta.key 0" on the server
  • set "tls-auth ta.key 1" on the client
  • "user nobody" on both client and server
  • "group nobody" on both client and server
  • to avoid Man in the middle attacks:
    • openvpn 2.0: set "ns-cert-type server" on the client
    • openvpn 2.1: set "remote-cert-tls server" on the client
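The following is an added example, not part of this page or of the OpenVPN/easy-rsa projects: a small POSIX shell audit that checks a server.conf and client.conf for the settings listed in the server, client and Extra security sections above (tls-auth, user/group nobody, dh2048.pem, the server range, and the remote-cert-tls/ns-cert-type check), and checks that a server certificate actually carries the server marker (nsCertType=server or extendedKeyUsage=serverAuth) that those two client directives verify. The sample configs and file names in demo() are constructed.

```shell
#!/bin/sh
# Added example: audit OpenVPN config files for the settings recommended on
# this page. Not part of the original page or of OpenVPN/easy-rsa; file
# names and the sample configs in demo() are constructed.

# active_lines FILE: print the effective config lines of FILE, with comment
# lines (OpenVPN accepts both '#' and ';') and blank lines dropped and
# whitespace runs collapsed, so the regexes below can assume single spaces.
active_lines() {
    sed -e '/^[[:space:]]*[#;]/d' \
        -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$1" | grep -v '^$'
}

# has_line FILE REGEX: true if some active line of FILE matches REGEX exactly.
has_line() {
    active_lines "$1" | grep -Eq "^($2)$"
}

# require FILE REGEX DESCRIPTION: print a finding and return 1 if no active
# line of FILE matches REGEX.
require() {
    has_line "$1" "$2" && return 0
    echo "  MISSING in $1: $3"
    return 1
}

# audit_server FILE: check a server.conf; returns the number of findings.
audit_server() {
    n=0
    require "$1" 'server [0-9.]+ [0-9.]+' 'server <network> <netmask> (VPN address range)' || n=$((n+1))
    require "$1" 'dh [^ ]*dh2048\.pem' 'dh dh2048.pem (DH parameters matching KEY_SIZE=2048)' || n=$((n+1))
    require "$1" 'tls-auth [^ ]+ 0' 'tls-auth ta.key 0 (extra HMAC on the control channel)' || n=$((n+1))
    require "$1" 'user nobody' 'user nobody (drop privileges after start-up)' || n=$((n+1))
    require "$1" 'group (nobody|nogroup)' 'group nobody (drop privileges after start-up)' || n=$((n+1))
    return "$n"
}

# audit_client FILE: check a client.conf; returns the number of findings. The
# certificate-type check is what stops any client certificate signed by the
# same CA from being accepted as the server.
audit_client() {
    n=0
    require "$1" 'remote [^ ]+ 1194' 'remote vpn.example.com 1194' || n=$((n+1))
    require "$1" 'tls-auth [^ ]+ 1' 'tls-auth ta.key 1 (the server side uses 0)' || n=$((n+1))
    require "$1" 'remote-cert-tls server|ns-cert-type server' \
        'remote-cert-tls server (2.1) or ns-cert-type server (2.0): man-in-the-middle protection' || n=$((n+1))
    require "$1" 'user nobody' 'user nobody (drop privileges after start-up)' || n=$((n+1))
    require "$1" 'group (nobody|nogroup)' 'group nobody (drop privileges after start-up)' || n=$((n+1))
    return "$n"
}

# server_cert_ok CERT: true if CERT carries a server marker, i.e. the
# nsCertType=server or extendedKeyUsage=serverAuth extension that the two
# client directives above check. build-key-server sets both; build-key sets
# neither, so a certificate made with build-key must fail this test.
server_cert_ok() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -Eq 'SSL Server|TLS Web Server Authentication'
}

demo() {
    tmp=$(mktemp -d)
    # Constructed server.conf following the page's settings.
    cat > "$tmp/server.conf" <<'EOF'
local 192.0.2.10
proto udp
dev tun
ca ca.example.com.crt
cert vpn.example.com.crt
key vpn.example.com.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0
user nobody
group nobody
EOF
    # Constructed client.conf whose server-certificate check was left commented out.
    cat > "$tmp/client.conf" <<'EOF'
client
proto udp
remote vpn.example.com 1194
ca ca.example.com.crt
cert client.example.com.crt
key client.example.com.key
tls-auth ta.key 1
;remote-cert-tls server
user nobody
group nobody
EOF
    echo "server.conf:"; audit_server "$tmp/server.conf" && echo "  ok"
    echo "client.conf:"; audit_client "$tmp/client.conf" || echo "  $? finding(s)"
    rm -r "$tmp"
}

demo
```

Run it against real files with `audit_server /etc/openvpn/server.conf`, `audit_client /etc/openvpn/client.conf` and `server_cert_ok /etc/openvpn/vpn.example.com.crt` (the renamed server.crt from above); the last one is the quick way to confirm the server certificate really came from build-key-server rather than build-key before rolling it out.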

Errors:

  • Cannot load certificate file ...
    • change directory to /etc/openvpn first
  • Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
    • apt-get install udev (this creates /dev/net/tun and loads the tun module)