OpenVPN
From PiemonteWireless.
OpenVPN: a tutorial
This document describes how to install the OpenVPN software on an Ubuntu Linux system (or a Debian-like one).
For information on OpenVPN, what it is and what it can do, please refer to the main OpenVPN site.
In this tutorial I'll compile and install OpenVPN from source. If you prefer to install it with APT, skip the "Compile and Install" section and go straight to "Configuration", replacing every occurrence of my OpenVPN config dir (/opt/openvpn/etc) with the default config dir of the Ubuntu package, /etc/openvpn, and /opt/openvpn/sbin/openvpn with the packaged binary /usr/sbin/openvpn.
Compile and Install
mkdir -p /opt/source/openvpn
cd /opt/source/openvpn
wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
tar xvzf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9
./configure --prefix=/opt/openvpn
make
sudo make install
If the configure command complains about a missing library, install it with APT (for OpenVPN 2.0 that is normally the OpenSSL and LZO development packages).
OpenVPN 2.0.9 is now installed under /opt/openvpn. Since make install runs as root, check the tarball against the signature published alongside it on the OpenVPN site before you build it.
Please repeat this procedure on the client machine.
Configuration
First of all, we need to create the SSL/TLS certificates and keys for the tunnel, using the easy-rsa scripts shipped with the source:
cd /opt/source/openvpn/openvpn-2.0.9/easy-rsa/
vim vars
We need to edit the last lines of the vars file with the details that will go into our certificates.
My vars file looks like this:
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=IT
export KEY_PROVINCE=RO
export KEY_CITY=ROME
export KEY_ORG="MY SOCIETY NAME"
export KEY_EMAIL="myemail@myemail.net"
Now we begin the configuration of the server by creating the certificate authority. Note that . ./vars exports the variables into your current shell, and ./clean-all empties the keys/ directory: run it only this once, or you will wipe the CA you are about to create.
. ./vars
./clean-all
./build-ca
Then we copy the CA certificate to the config directory of both server and client. Only ca.crt is needed there: ca.key is the CA private key, used to sign new certificates and revocations, and it should stay on the machine where you run easy-rsa rather than on the VPN server.
The names of the server and client machine in this tutorial will be myserver.net and myclient.net.
cp keys/ca.crt /opt/openvpn/etc
scp keys/ca.crt myuser@myclient.net:/opt/openvpn/etc
Now you need to create the server and client certificates, the Diffie-Hellman parameters, and the corresponding private keys. The .key files are secrets: keep them readable by root only and never send them over an unencrypted channel. build-dh writes dh2048.pem because KEY_SIZE is 2048 in vars.
./build-key-server myserver
./build-dh
./build-key myclient
Then we copy the generated files to the right place (on the server and on the client; scp encrypts the transfer of the client's private key):
cp keys/dh2048.pem /opt/openvpn/etc
cp keys/myserver.* /opt/openvpn/etc
scp keys/myclient.* myuser@myclient.net:/opt/openvpn/etc
Now we need to create the OpenVPN configuration files.
On the server machine the file is /opt/openvpn/etc/server.conf with the following content. Two things to note: the status line writes a status file (not a log), and the /opt/openvpn/log directory must exist before you start the daemon; and duplicate-cn lets several clients connect at the same time with the same certificate, which is handy while testing but means a copied client key can be used from anywhere, so issue one certificate per client and remove duplicate-cn in production.
dev tun
port 1194
proto tcp
server 10.9.0.0 255.255.0.0
ca /opt/openvpn/etc/ca.crt
cert /opt/openvpn/etc/myserver.crt
key /opt/openvpn/etc/myserver.key
dh /opt/openvpn/etc/dh2048.pem
duplicate-cn
push "redirect-gateway def1"
keepalive 10 120
status /opt/openvpn/log/openvpn.log
user nobody
group nogroup
persist-key
persist-tun
On client machine the file is /opt/openvpn/etc/client.conf with the following content:
port 1195
proto tcp
dev tun
client
# public IP of the server
remote 219.10.10.10 1194
ca /opt/openvpn/etc/ca.crt
cert /opt/openvpn/etc/myclient.crt
key /opt/openvpn/etc/myclient.key
pull
Note: replace my made-up 219.10.10.10 address with your server's IP address. Since build-key-server marks the server certificate with nsCertType=server, you can also add the line "ns-cert-type server" to client.conf so that the client refuses to talk to a peer that presents a client certificate signed by the same CA.
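An added example, not part of the original tutorial: a small POSIX shell audit that reads a server.conf or client.conf and flags the weak spots discussed above (no tls-auth HMAC key, duplicate-cn, no crl-verify, the daemon not dropping root, and on the client no "ns-cert-type server"). The sample configs are constructed inline from this page; the hardened variants assume a ta.key produced with "openvpn --genkey --secret ta.key" and a crl.pem produced by easy-rsa's revoke-full, and those two file names are assumptions.

```shell
#!/bin/sh
# Added example: audit an OpenVPN 2.0-style config for the caveats above.
# Every directive name checked is a real OpenVPN 2.0 directive.

# has_directive FILE NAME: true if NAME is the first word on some line.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_openvpn_conf FILE: print one WARN:/INFO: line per finding, return 0.
audit_openvpn_conf() {
    conf="$1"
    if has_directive "$conf" client; then mode=client; else mode=server; fi

    # Without tls-auth any host on the Internet can start a TLS handshake.
    has_directive "$conf" tls-auth ||
        echo "WARN: no tls-auth: handshake reachable without the shared HMAC key"

    if [ "$mode" = server ]; then
        # duplicate-cn lets one leaked client cert be used from many hosts.
        ! has_directive "$conf" duplicate-cn ||
            echo "WARN: duplicate-cn: one client cert usable from many hosts at once"
        # Without a CRL a revoked client cert keeps working until it expires.
        has_directive "$conf" crl-verify ||
            echo "WARN: no crl-verify: revoked client certificates are still accepted"
        # Drop root after startup; persist-key keeps restarts working afterwards.
        if ! has_directive "$conf" user || ! has_directive "$conf" group; then
            echo "WARN: no user/group: daemon keeps running as root"
        elif ! has_directive "$conf" persist-key; then
            echo "WARN: user/group without persist-key: keys cannot be re-read after dropping root"
        fi
        # Not a bug, but every client's traffic now transits this box.
        ! grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$conf" ||
            echo "INFO: redirect-gateway pushed: all client traffic transits the server"
    else
        # build-key-server sets nsCertType=server; make the client require it.
        has_directive "$conf" ns-cert-type ||
            echo "WARN: no 'ns-cert-type server': another client cert could pose as the server"
    fi
    return 0
}

# count_findings FILE: number of WARN lines (INFO lines are not counted).
count_findings() {
    audit_openvpn_conf "$1" | grep -c '^WARN:' || true
}

# Constructed samples: this tutorial's server.conf and client.conf.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/server-weak.conf" <<'EOF'
dev tun
port 1194
proto tcp
server 10.9.0.0 255.255.0.0
ca /opt/openvpn/etc/ca.crt
cert /opt/openvpn/etc/myserver.crt
key /opt/openvpn/etc/myserver.key
dh /opt/openvpn/etc/dh2048.pem
duplicate-cn
push "redirect-gateway def1"
keepalive 10 120
status /opt/openvpn/log/openvpn.log
user nobody
group nogroup
persist-key
persist-tun
EOF
cat > "$SAMPLE_DIR/client-weak.conf" <<'EOF'
dev tun
proto tcp
client
remote 219.10.10.10 1194
ca /opt/openvpn/etc/ca.crt
cert /opt/openvpn/etc/myclient.crt
key /opt/openvpn/etc/myclient.key
EOF
# Hardened server: drop duplicate-cn, add the HMAC key and the CRL
# (ta.key and crl.pem are assumed file names).
sed '/^duplicate-cn$/d' "$SAMPLE_DIR/server-weak.conf" > "$SAMPLE_DIR/server-hardened.conf"
printf 'tls-auth /opt/openvpn/etc/ta.key 0\ncrl-verify /opt/openvpn/etc/crl.pem\n' \
    >> "$SAMPLE_DIR/server-hardened.conf"
# Hardened client: same HMAC key (direction 1) and require a server cert.
cp "$SAMPLE_DIR/client-weak.conf" "$SAMPLE_DIR/client-hardened.conf"
printf 'tls-auth /opt/openvpn/etc/ta.key 1\nns-cert-type server\n' \
    >> "$SAMPLE_DIR/client-hardened.conf"

# Stand-alone run: print the findings for each sample.
for f in server-weak server-hardened client-weak client-hardened; do
    echo "== $f.conf: $(count_findings "$SAMPLE_DIR/$f.conf") warning(s)"
    audit_openvpn_conf "$SAMPLE_DIR/$f.conf"
done
```

Run it against your real files with audit_openvpn_conf /opt/openvpn/etc/server.conf; the page's server.conf yields three warnings and the client.conf two, and both hardened variants yield none.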
Execution
To bring up the OpenVPN tunnel, the last step is to start the server and then the client.
On server machine:
/opt/openvpn/sbin/openvpn --config /opt/openvpn/etc/server.conf --daemon
On client machine:
/opt/openvpn/sbin/openvpn --config /opt/openvpn/etc/client.conf --daemon
That's all!
Now we have a new interface on both the server and the client machine (named tun0).
Use it in the same way you normally use the eth0 interface to communicate between the two machines securely: the server's tun0 gets 10.9.0.1 and the client an address from 10.9.0.0/16, and, because the server pushes redirect-gateway, all of the client's traffic now goes through the tunnel. Think of it as a secure tunnel between the two machines.