OpenVPN uses a Public Key Infrastructure (PKI) to authenticate VPN nodes and to encrypt the traffic between them. A simple way of setting up a VPN with OpenVPN is to connect the clients through a bridge interface on the VPN server. This guide assumes that one VPN node, the server in this case, already has a bridge interface configured. For more information on setting up a bridge see "Bridging".
To install OpenVPN, enter the following in a terminal:

    sudo apt-get install openvpn
Now that the openvpn package is installed, the certificates for the VPN server need to be created. First, copy the easy-rsa directory to /etc/openvpn. This ensures that any changes to the scripts will not be lost when the package is updated. From a terminal enter:

    sudo mkdir /etc/openvpn/easy-rsa/
    sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
    sudo chown -R $USER /etc/openvpn/easy-rsa/

The chown lets the easy-rsa scripts in the next step write their output under /etc/openvpn/easy-rsa/keys/ without being run as root.
Next, edit /etc/openvpn/easy-rsa/vars, adjusting the following to your environment:

    export KEY_COUNTRY="US"
    export KEY_PROVINCE="NC"
    export KEY_CITY="Winston-Salem"
    export KEY_ORG="Example Company"
    export KEY_EMAIL="steve@example.com"
Enter the following to create the server certificates:

    cd /etc/openvpn/easy-rsa/
    source vars
    ./clean-all
    ./build-dh
    ./pkitool --initca
    ./pkitool --server server
    cd keys
    openvpn --genkey --secret ta.key
    sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

build-dh names its output after the KEY_SIZE set in vars, so with the default of 1024 the file is dh1024.pem. The ta.key file is the shared secret for tls-auth, which adds an HMAC check to every control-channel packet so that unauthenticated hosts cannot even start a TLS handshake with the server.
The VPN client will also need a certificate to authenticate itself to the server. To create the certificate, enter the following in a terminal:

    cd /etc/openvpn/easy-rsa/
    source vars
    ./pkitool hostname

Replace hostname with the actual hostname of the machine connecting to the VPN.
Copy the following files to the client (pkitool writes the certificates and keys it generates into the keys/ subdirectory):

- /etc/openvpn/easy-rsa/hostname.ovpn
- /etc/openvpn/easy-rsa/keys/ca.crt
- /etc/openvpn/easy-rsa/keys/hostname.crt
- /etc/openvpn/easy-rsa/keys/hostname.key
- /etc/openvpn/easy-rsa/keys/ta.key

Remember to adjust the above file names for your client machine's hostname.

It is best to use a secure method to copy the certificate and key files. The scp utility is a good choice, but copying the files to removable media and then to the client also works well. hostname.key is the client's private key and ta.key is a shared secret, so neither should travel over an unprotected channel.
Now configure the openvpn server by creating /etc/openvpn/server.conf from the example file. In a terminal enter:

    sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
    sudo gzip -d /etc/openvpn/server.conf.gz
Edit /etc/openvpn/server.conf, changing the following options to:

    local 172.18.100.101
    dev tap0
    server-bridge 172.18.100.101 255.255.255.0 172.18.100.105 172.18.100.200
    push "route 172.18.100.1 255.255.255.0"
    push "dhcp-option DNS 172.18.100.20"
    push "dhcp-option DOMAIN example.com"
    tls-auth ta.key 0 # This file is secret
    user nobody
    group nogroup
- local: the IP address of the bridge interface that the server listens on.
- server-bridge: needed when the configuration uses bridging. The 172.18.100.101 255.255.255.0 portion is the bridge interface address and mask. The range 172.18.100.105 172.18.100.200 is the pool of IP addresses that will be assigned to clients.
- push: directives that send networking options (routes, DNS server, domain) to clients.
- user and group: the unprivileged user and group the openvpn daemon switches to after it has initialised, so that a compromise of the running daemon does not yield root.

Replace all IP addresses and domain names above with those of your network.
Next, create a couple of helper scripts to add the tap interface to the bridge. Create /etc/openvpn/up.sh:

    #!/bin/sh
    # Called through the server's up directive. OpenVPN appends the tap
    # device name and its MTU after any arguments given on the directive
    # line, so $1 is the bridge name, $2 the tap device and $3 the MTU.
    BR=$1
    DEV=$2
    MTU=$3
    /sbin/ifconfig "$DEV" mtu "$MTU" promisc up
    /usr/sbin/brctl addif "$BR" "$DEV"

And /etc/openvpn/down.sh:

    #!/bin/sh
    # Called through the server's down directive with the same arguments:
    # remove the tap device from the bridge and take it down.
    BR=$1
    DEV=$2
    /usr/sbin/brctl delif "$BR" "$DEV"
    /sbin/ifconfig "$DEV" down

Then make them executable:

    sudo chmod 755 /etc/openvpn/down.sh
    sudo chmod 755 /etc/openvpn/up.sh
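The following is an added example and not part of the original guide: a small POSIX sh linter that reads a server.conf and checks it for the bridging-specific and privilege-related directives discussed above (a tap device, a four-field server-bridge, tls-auth with key direction 0, user and group together with persist-key and persist-tun, and up/down hooks so the helper scripts are actually called). The up/down lines it expects, `up "/etc/openvpn/up.sh br0"` and `down "/etc/openvpn/down.sh br0"`, are an assumption; the guide shows the scripts but not the directives that invoke them. The two sample configs the block writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original guide: lint a bridged OpenVPN server.conf.
# Assumes the directive names shown in the guide plus up/down lines that call
# /etc/openvpn/up.sh and down.sh (an assumption; the guide does not show them).

# Print the argument part of every line whose directive is $2 in file $1.
# Inline "# ..." / "; ..." comments are stripped first, as OpenVPN allows them.
conf_get() {
    awk -v d="$2" '{ sub(/[ \t]*[#;].*$/, "") } $1 == d { sub(/^[^ \t]+[ \t]*/, ""); print }' "$1"
}

# Exit 0 when directive $2 occurs in file $1 (for directives that take no arguments).
conf_has() {
    awk -v d="$2" '{ sub(/[ \t]*[#;].*$/, "") } $1 == d { found = 1 } END { exit !found }' "$1"
}

# Return 0 when the config is consistent with a bridged, privilege-dropping,
# tls-auth protected server; otherwise print each finding and return 1.
check_server_conf() {
    f=$1
    rc=0

    # Bridging needs a tap (layer 2) device; a tun device cannot join a bridge.
    case "$(conf_get "$f" dev)" in
        tap*) ;;
        *) echo "dev must be a tap device for bridging"; rc=1 ;;
    esac

    # server-bridge takes gateway, netmask, first and last pool address.
    set -- $(conf_get "$f" server-bridge)
    [ "$#" -eq 4 ] || { echo "server-bridge needs 4 fields, found $#"; rc=1; }

    # tls-auth must be present and use key direction 0 on the server side.
    case "$(conf_get "$f" tls-auth)" in
        *" 0") ;;
        "") echo "tls-auth missing: control channel is not HMAC protected"; rc=1 ;;
        *) echo "tls-auth key direction must be 0 on the server"; rc=1 ;;
    esac

    # The daemon should drop root after initialisation. persist-key and
    # persist-tun are then needed so a SIGUSR1 restart does not need root again.
    [ -n "$(conf_get "$f" user)" ] || { echo "user not set: daemon keeps running as root"; rc=1; }
    [ -n "$(conf_get "$f" group)" ] || { echo "group not set"; rc=1; }
    if [ -n "$(conf_get "$f" user)" ]; then
        conf_has "$f" persist-key || { echo "persist-key needed together with user/group"; rc=1; }
        conf_has "$f" persist-tun || { echo "persist-tun needed together with user/group"; rc=1; }
    fi

    # Without up/down hooks the tap interface is never added to the bridge.
    [ -n "$(conf_get "$f" up)" ] || { echo "no up script: tap never joins the bridge"; rc=1; }
    [ -n "$(conf_get "$f" down)" ] || { echo "no down script: tap is never removed from the bridge"; rc=1; }

    return $rc
}

# Constructed sample configs for the demo, written to a temp dir whose path is printed.
write_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/good.conf" <<'EOF'
local 172.18.100.101
dev tap0
server-bridge 172.18.100.101 255.255.255.0 172.18.100.105 172.18.100.200
push "dhcp-option DNS 172.18.100.20"
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup
persist-key
persist-tun
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
EOF
    # A routed, unhardened config: wrong device type, no tls-auth, stays root.
    cat > "$dir/weak.conf" <<'EOF'
dev tun
server 10.8.0.0 255.255.255.0
EOF
    echo "$dir"
}

# Stand-alone use: sh ovpn-server-lint.sh /etc/openvpn/server.conf
if [ "$#" -eq 1 ]; then
    check_server_conf "$1"
fi
```

Run it against the real server.conf after editing and fix every finding before the restart; each check corresponds to a failure that only shows up at runtime (clients connect but get no bridge traffic, or the daemon cannot re-read its keys after dropping privileges).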
After configuring the server, restart openvpn by entering:

    sudo /etc/init.d/openvpn restart
With the server configured and the client certificates copied over, create a client configuration file by copying the example. In a terminal on the client machine enter:

    sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
Now edit /etc/openvpn/client.conf, changing the following options:

    dev tap
    remote vpn.example.com 1194
    cert hostname.crt
    key hostname.key
    tls-auth ta.key 1

Replace vpn.example.com with the hostname of your VPN server, and hostname.* with the actual certificate and key filenames.
Finally, restart openvpn:

    sudo /etc/init.d/openvpn restart

You should now be able to connect to the remote LAN through the VPN.
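As an added example that is not from the original guide, the script below cross-checks a client.conf against the server.conf it is meant to pair with: the same device type on both ends, complementary tls-auth key directions (server 0, client 1), a matching port, and every certificate and key the client references present next to client.conf. It also reports when the client does not require a server-type peer certificate (ns-cert-type server, the marking pkitool --server puts into the server certificate); without that, any client certificate signed by the same CA would be accepted as the server. The sample configs and the empty placeholder key files it creates are constructed for the demo; the file names follow the guide.

```shell
#!/bin/sh
# Added example, not from the original guide: check that a client.conf and a
# server.conf agree. Assumes the directive names shown in the guide.

# Print the argument part of every line whose directive is $2 in file $1,
# with inline "# ..." / "; ..." comments stripped (OpenVPN allows them).
conf_get() {
    awk -v d="$2" '{ sub(/[ \t]*[#;].*$/, "") } $1 == d { sub(/^[^ \t]+[ \t]*/, ""); print }' "$1"
}

# Return 0 when the pair is consistent; otherwise print findings and return 1.
check_pair() {
    srv=$1
    cli=$2
    rc=0

    # Both ends must use the same device type: a tap server cannot serve a tun client.
    s_dev=$(conf_get "$srv" dev | cut -c1-3)
    c_dev=$(conf_get "$cli" dev | cut -c1-3)
    [ "$s_dev" = "$c_dev" ] || { echo "dev mismatch: server '$s_dev', client '$c_dev'"; rc=1; }

    # tls-auth key directions must be complementary: 0 on the server, 1 on the client.
    s_dir=$(conf_get "$srv" tls-auth | awk '{ print $2 }')
    c_dir=$(conf_get "$cli" tls-auth | awk '{ print $2 }')
    if [ "$s_dir" != "0" ] || [ "$c_dir" != "1" ]; then
        echo "tls-auth directions must be server 0 / client 1 (got '$s_dir' / '$c_dir')"; rc=1
    fi

    # The client's remote port must be the port the server listens on (default 1194).
    s_port=$(conf_get "$srv" port); s_port=${s_port:-1194}
    c_port=$(conf_get "$cli" remote | awk '{ print $2 }'); c_port=${c_port:-1194}
    [ "$s_port" = "$c_port" ] || { echo "port mismatch: server $s_port, client $c_port"; rc=1; }

    # Every file the client references must have been copied next to client.conf,
    # otherwise the daemon fails at start-up.
    cdir=$(dirname "$cli")
    for d in ca cert key tls-auth; do
        fn=$(conf_get "$cli" "$d" | awk '{ print $1 }')
        [ -n "$fn" ] || { echo "client config lacks $d"; rc=1; continue; }
        [ -f "$cdir/$fn" ] || { echo "$d file $fn not found in $cdir"; rc=1; }
    done

    # The client should insist that the peer presents a certificate issued as a
    # server certificate; otherwise any client cert from the same CA could pose as the server.
    if [ -z "$(conf_get "$cli" ns-cert-type)" ] && [ -z "$(conf_get "$cli" remote-cert-tls)" ]; then
        echo "client does not verify the server certificate type (ns-cert-type server)"; rc=1
    fi

    return $rc
}

# Constructed sample pair for the demo: one consistent client, one inconsistent one.
write_pair_samples() {
    dir=$(mktemp -d)
    cat > "$dir/server.conf" <<'EOF'
port 1194
dev tap0
server-bridge 172.18.100.101 255.255.255.0 172.18.100.105 172.18.100.200
tls-auth ta.key 0 # This file is secret
EOF
    cat > "$dir/client.conf" <<'EOF'
client
dev tap
remote vpn.example.com 1194
ca ca.crt
cert hostname.crt
key hostname.key
tls-auth ta.key 1
ns-cert-type server
EOF
    # Deliberately wrong: tun device, server-side key direction, no server check.
    cat > "$dir/bad-client.conf" <<'EOF'
client
dev tun
remote vpn.example.com 1194
ca ca.crt
cert hostname.crt
key hostname.key
tls-auth ta.key 0
EOF
    # Empty placeholders standing in for the files copied from the server.
    for fn in ca.crt hostname.crt hostname.key ta.key; do : > "$dir/$fn"; done
    echo "$dir"
}

# Stand-alone use: sh ovpn-pair-check.sh /path/to/server.conf /etc/openvpn/client.conf
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

The server.conf has to be reachable from wherever the check runs (a copy is enough; it contains no secrets), and every finding it prints maps to a connection that either never comes up or, in the ns-cert-type case, comes up against a peer that was never verified to be the server.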
- See the OpenVPN website for additional information.
- Also, Packt's OpenVPN: Building and Integrating Virtual Private Networks is a good resource.