
Installing and Configuring OpenVPN


A virtual private network (VPN) is a network technology that securely extends a local network over a public or otherwise uncontrolled network. Common uses are connecting two or more branches of a company using the Internet as the link, or letting support staff connect from home to the computing center, all over the existing Internet infrastructure. This article details the steps for installing and configuring OpenVPN on Debian 6 or Ubuntu 12.04 (the procedure has been tested on both) to provide remote access from the Internet to a private datacenter network. OpenVPN is an SSL-based VPN solution released under the GPL license and is the de facto standard for building a VPN on GNU/Linux.

Scenario
By building a VPN, what you want is to be able to reach a local network (protected behind a firewall/gateway) from the Internet (or from any other untrusted network). The goal is for a client physically located outside the local network (possibly many miles away) to appear as if it were connected locally. The VPN server is what provides this "extension": it establishes a secure connection between the client and the local network over SSL (certificates provide mutual authentication, and the tunnel provides confidentiality).
The following diagram shows the scenario considered. In the example presented in this article the VPN is not carried over the Internet but over an insecure network, 192.168.122.0/24. The aim is to reach the private network 10.9.0.0/24 through the VPN network 10.8.0.0/24.
Installing OpenVPN
On Debian / Ubuntu you can install OpenVPN from official repositories:
apt-get install openvpn
After installation, copy the sample easy-rsa scripts to /etc/openvpn:
cd /usr/share/doc/openvpn/examples/easy-rsa
cp -a 2.0/ /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
These scripts automate the creation of a self-signed certification authority (CA), which greatly simplifies the installation. Since OpenVPN is based on SSL, openssl is used for the mutual authentication of clients and server. The CA issues the certificates for the VPN server and for the clients.
Before creating the CA and the certificates, some environment variables must be set. Edit the vars file:
nano vars
Set KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL correctly.
On "Ubuntu 12.04.1 LTS" the whichopensslcnf script must be modified to work properly (not on Debian 6, where it detects the correct openssl version):
nano whichopensslcnf
Delete all occurrences of the following string (in version "OpenVPN 2.2.1 x86_64-linux-gnu" it appears 3 times): [[:alnum:]]
After setting up the vars file, the certificate and key of the Certification Authority (CA) can be generated:
. ./vars
./clean-all
./build-ca
The build-ca script creates the CA certificate using the parameters set in vars. Verify that the parameters shown in brackets are correct, and modify them otherwise. Then the certificate and key for the VPN server can be generated:
./build-key-server server
The CN (Common Name) should be "server"; answer 'y' twice to sign and commit the certificate.
Generate the certificates for the clients (it is important that the client and server certificates are signed by the same CA):
./build-key client1
./build-key client2
./build-key client3
Note: each time you start a new session, run ". ./vars" to set the environment variables again.
Answer 'y' twice to sign and commit each certificate.
Finally, generate the Diffie-Hellman parameters:
./build-dh
Configuration files for the server and clients
After building our PKI (Public Key Infrastructure), that is, our public-key authentication and encryption infrastructure, copy the sample configuration files to /etc/openvpn:
cp -a /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn/
Server Configuration
Unzip the server configuration file:
cd /etc/openvpn/sample-config-files/
gunzip server.conf.gz
Edit the server configuration file:
nano server.conf
Modify the following lines:
proto tcp
;proto udp
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key  # This file should be kept secret
dh easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
The server will use the 10.8.0.0/24 network and take the IP address 10.8.0.1 (clients will get an IP in the range 10.8.0.2 to 10.8.0.254).
If routing rules need to be pushed to the clients, they must be added here (for example, to reach the 10.9.0.0/24 network behind the VPN):
push "route 10.9.0.0 255.255.255.0"
Finally, copy the configuration file to /etc/openvpn:
cp server.conf ../
cd /etc/openvpn
Client configuration
Edit the client configuration file:
cd /etc/openvpn/sample-config-files
nano client.conf
Modify the following lines:
proto tcp
;proto udp
remote 192.168.122.169 1194
In this example the IP address 192.168.122.169 is the address on which the server listens for connection requests to the VPN 10.8.0.0/24, on port 1194 (OpenVPN's default port).
Package the configuration file together with the certificates and the private key:
cd /etc/openvpn
mkdir client1
cp sample-config-files/client.conf client1/
cp easy-rsa/keys/ca.crt client1/
cp easy-rsa/keys/client1.crt client1/client.crt
cp easy-rsa/keys/client1.key client1/client.key
zip -r -Z deflate client1.zip client1/*
Repeat for the remaining clients.
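Before shipping a client bundle it is worth checking that client.conf and server.conf agree on the points edited above. The checker below is an added example, not code from this article or from the OpenVPN project; it parses constructed copies of the two files, and flags a tcp/udp mismatch, a remote port that differs from the server's, missing ca/cert/key/dh directives, and Diffie-Hellman parameters shorter than 2048 bits.

```python
import re
import shlex
# Constructed server.conf and client.conf with the lines the article edits (not the page's files).
SERVER_CONF = """\
proto tcp
;proto udp
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key  # This file should be kept secret
dh easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 10.9.0.0 255.255.255.0"
"""
CLIENT_CONF = """\
proto tcp
remote 192.168.122.169 1194
ca ca.crt
cert client.crt
key client.key
"""

def parse(text):
    """Map each directive to its argument lists; lines starting with '#' or ';' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        words = shlex.split(re.split(r"\s[#;]", line, maxsplit=1)[0])  # drop inline comment
        conf.setdefault(words[0], []).append(words[1:])
    return conf

def check_pair(server_text, client_text):
    """Return findings for a server/client pair; an empty list means they agree."""
    s, c, out = parse(server_text), parse(client_text), []
    sproto, cproto = s.get("proto", [["udp"]])[0][0], c.get("proto", [["udp"]])[0][0]
    if sproto != cproto:  # tcp on one side and udp on the other never completes a handshake
        out.append(f"proto mismatch: server {sproto}, client {cproto}")
    sport = s.get("port", [["1194"]])[0][0]  # OpenVPN's default port
    for host, *rest in c.get("remote", []):
        rport = rest[0] if rest else "1194"
        if rport != sport:
            out.append(f"remote {host} uses port {rport}, server listens on {sport}")
    for side, conf, needed in (("server", s, "ca cert key dh"), ("client", c, "ca cert key")):
        out += [f"{side} missing '{d}' directive" for d in needed.split() if d not in conf]
    bits = re.search(r"dh(\d+)", s["dh"][0][0]) if "dh" in s else None
    if bits and int(bits.group(1)) < 2048:  # build-dh's dh1024.pem is below today's minimum
        out.append(f"DH parameters are only {bits.group(1)} bits; regenerate with at least 2048")
    return out
```

Run check_pair on the real files before zipping each client directory; a non-empty list points at the directive to fix.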
Start the server to verify connectivity
Note: before starting the server, IP forwarding must be enabled so that packets can be routed.
Enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
Start the VPN server:
cd /etc/openvpn/
openvpn server.conf
Example:
root@ubuntu:/etc/openvpn# openvpn server.conf
Wed Nov 14 18:07:28 2012 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [epoll] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 30 2012
Wed Nov 14 18:07:28 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Nov 14 18:07:28 2012 Diffie-Hellman initialized with 1024 bit key
Wed Nov 14 18:07:28 2012 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Nov 14 18:07:28 2012 Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Nov 14 18:07:28 2012 ROUTE DEFAULT_GATEWAY=192.168.122.1
Wed Nov 14 18:07:28 2012 TUN/TAP device tun0 opened
Wed Nov 14 18:07:28 2012 TUN/TAP TX queue length set to 100
Wed Nov 14 18:07:28 2012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Nov 14 18:07:28 2012 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Wed Nov 14 18:07:28 2012 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Wed Nov 14 18:07:28 2012 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Nov 14 18:07:28 2012 Listening for incoming TCP connection on [undef]
Wed Nov 14 18:07:28 2012 TCPv4_SERVER link local (bound): [undef]
Wed Nov 14 18:07:28 2012 TCPv4_SERVER link remote: [undef]
Wed Nov 14 18:07:28 2012 MULTI: multi_init called, r=256 v=256
Wed Nov 14 18:07:28 2012 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Nov 14 18:07:28 2012 IFCONFIG POOL LIST
Wed Nov 14 18:07:28 2012 MULTI: TCP INIT maxclients=1024 maxevents=1028
Wed Nov 14 18:07:28 2012 Initialization Sequence Completed
Once you have confirmed that it starts correctly, run it as a service using the service command or the script in /etc/init.d.
Windows Client
Installing OpenVPN to access the VPN from Windows clients is very simple; follow these steps:
Download the OpenVPN client from the following link: http://swupdate.openvpn.org/community/releases/openvpn-2.2.2-install.exe
Install the client with the default options.
Copy the zip package containing the certificates, the key and the configuration file to the Windows client.
Unzip the contents of the zip into "C:\Program Files\OpenVPN\config".
Rename the file "client.conf" to "client.ovpn".
Start the client from the "OpenVPN GUI" icon on the Windows desktop.
Once it has started, right-click the icon in the taskbar and choose "Connect". The taskbar notification shows the connection, the assigned IP address and the added route.
Finally, check the connection with ping.
NAT or not NAT?
The question of whether to perform NAT (Network Address Translation) toward the private network from the VPN arises because of routing. In the example, if NAT is not used, the gateway of the private network (10.9.0.0/24) must know the route to the VPN (10.8.0.0/24) so that VPN clients can reach hosts on the private network. If the route to the VPN cannot be added at the gateway, or if there is no gateway at all (because it is an isolated network), every host on the private network must have a static route to the VPN (10.8.0.0/24) defined. From the private network, the gateway to reach the VPN is the VPN server.
A simpler alternative, which avoids touching the gateway and adding static routes on the hosts, is to use NAT or IP masquerading. With this technique all VPN traffic is masked as if it came from the VPN server. Since the VPN server already has an IP address on the private network, no routing rule is needed.
NAT
When using NAT toward the networks behind the VPN (for example the 10.9.0.0/24 network), you must enable IP forwarding and use iptables on the VPN server: