OpenVPN

OpenVPN uses Public Key Infrastructure (PKI) to encrypt VPN traffic between nodes. A simple way of setting up a VPN with OpenVPN is to connect the clients through a bridge interface on the VPN server. This guide will assume that one VPN node, the server in this case, has a bridge interface configured. For more information on setting up a bridge see the section called “Bridging”.

Installation

To install openvpn in a terminal enter:

sudo apt-get install openvpn

Server Certificates

Now that the openvpn package is installed, the certificates for the VPN server need to be created.

First, copy the easy-rsa directory to /etc/openvpn. This will ensure that any changes to the scripts will not be lost when the package is updated. You will also need to adjust permissions in the easy-rsa directory to allow the current user permission to create files. From a terminal enter:

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R $USER /etc/openvpn/easy-rsa/

Next, edit /etc/openvpn/easy-rsa/vars adjusting the following to your environment:

export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL="[email protected]"

Enter the following to create the server certificates:

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

Client Certificates

The VPN client will also need a certificate to authenticate itself to the server. To create the certificate, enter the following in a terminal:

cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname
[Note]

Replace hostname with the actual hostname of the machine connecting to the VPN.

Copy the following files to the client:

  • /etc/openvpn/ca.crt

  • /etc/openvpn/easy-rsa/keys/hostname.crt

  • /etc/openvpn/easy-rsa/keys/hostname.key

  • /etc/openvpn/ta.key

[Note]

Remember to adjust the above file names for your client machine's hostname.

It is best to use a secure method to copy the certificate and key files. The scp utility is a good choice, but copying the files to removable media then to the client, also works well.

Configuration

Server Configuration

Now configure the openvpn server by creating /etc/openvpn/server.conf from the example file. In a terminal enter:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz

Edit /etc/openvpn/server.conf changing the following options to:

local 172.18.100.101
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
;server 10.8.0.0 255.255.255.0
server-bridge 172.18.100.101 255.255.255.0 172.18.100.105 172.18.100.200
push "route 172.18.100.1 255.255.255.0"
push "dhcp-option DNS 172.18.100.20"
push "dhcp-option DOMAIN example.com"
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup
  • local: is the IP address of the bridge interface.

  • server-bridge: needed when the configuration uses bridging. The 172.18.100.101 255.255.255.0 portion is the bridge interface and mask. The IP range 172.18.100.105 172.18.100.200 is the range of IP addresses that will be assigned to clients.

  • push: are directives to add networking options for clients.

  • user and group: configure which user and group the openvpn daemon executes as.

[Note]

Replace all IP addresses and domain names above with those of your network.

Next, create a couple of helper scripts to add the tap interface to the bridge. Create /etc/openvpn/up.sh:

#!/bin/sh

BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV

And /etc/openvpn/down.sh:

#!/bin/sh

BR=$1
DEV=$2

/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

Then make them executable:

sudo chmod 755 /etc/openvpn/down.sh
sudo chmod 755 /etc/openvpn/up.sh

After configuring the server, restart openvpn by entering:

sudo /etc/init.d/openvpn restart

Client Configuration

First, install openvpn on the client:

sudo apt-get install openvpn

Then with the server configured and the client certificates copied to the /etc/openvpn/ directory, create a client configuration file by copying the example. In a terminal on the client machine enter:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn

Now edit /etc/openvpn/client.conf changing the following options:

dev tap
remote vpn.example.com 1194
cert hostname.crt
key hostname.key
tls-auth ta.key 1
[Note]

Replace vpn.example.com with the hostname of your VPN server, and hostname.* with the actual certificate and key filenames.

Finally, restart openvpn:

sudo /etc/init.d/openvpn restart

You should now be able to connect to the remote LAN through the VPN.

References