Static key vs. SSL/TLS

OpenVPN can be configured in a mode called "static key". This mode is quicker and easier to configure because you don't need to set up a CA and public/private keys: client and server share the same symmetric key, which has to be transferred over a secure channel. Unfortunately the "static key" setup has some drawbacks: you can't authenticate multiple users at the same time. The "SSL/TLS" mode requires defining a CA and generating keys, but it's not that hard; this tutorial focuses on that setup.
Routed vs. Bridged

After a client has successfully connected to OpenVPN, it can talk to the server and to other hosts on the remote network only if the OpenVPN server interfaces are configured in one of these ways:

1. Routing IP
2. Bridge ethernet

Routing is easier (everything is handled by OpenVPN), but it doesn't support non-IP protocols (for example IPX) or applications that need broadcast access. In this tutorial we'll configure a bridged OpenVPN.
Bridge Configuration

Let's install the package:

    sudo apt-get install bridge-utils

We now have to edit the network configuration file /etc/network/interfaces: remove the lines for the physical interface we are bridging and replace them with the bridge definition. Assign to the bridge interface br0 the IP address that was assigned to the physical interface you are bridging, for example:

    auto lo
    iface lo inet loopback

    auto br0
    iface br0 inet static
        # ip, netmask, etc. are the original ones
        address 10.0.0.10
        netmask 255.255.255.0
        gateway 10.0.0.4
        # network interfaces on which to enable the bridge
        bridge_ports eth0
        # optional configurations if the machine is a VM
        #bridge_fd 9
        #bridge_hello 2
        #bridge_maxage 12
        #bridge_stp off

Let's restart the networking service:

    sudo /etc/init.d/networking restart

and check that the bridge is working correctly; you should get an output similar to this:

    bridge name     bridge id               STP enabled     interfaces
    br0             8000.002421eeaf99       no              eth0
What to do if using Ubuntu Desktop

If the Ubuntu box on which you're installing OpenVPN has a GNOME desktop, it may have the "Network Manager" application installed. Sometimes this prevents the bridge from working; you may have more success just removing it.

    sudo apt-get remove network-manager
    sudo /etc/init.d/networking restart

At this point it's better to also reboot the system to check that everything works as it should on startup.
OpenVPN installation

Let's install the required packages:

    sudo apt-get install openvpn
Certificate creation

OpenVPN already includes a set of scripts called "easy-rsa" that handles all the certificate creation for us. It is also already included in the Ubuntu documentation, so let's copy it:

    sudo mkdir /etc/openvpn/easy-rsa/
    sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
    sudo chown -R $USER /etc/openvpn/easy-rsa/

You should then edit the file /etc/openvpn/easy-rsa/vars, setting the default variables for the certificates:

    export KEY_COUNTRY="IT"
    export KEY_PROVINCE="VE"
    export KEY_CITY="Venezia"
    export KEY_ORG="Example"
    export KEY_EMAIL="firstname.lastname@example.org"
CA Certificate and Keys

Let's finally create those certificates following the script wizards:

    cd /etc/openvpn/easy-rsa/
    source vars
    ./clean-all

Keys and certificate for the CA:
Keys and certificate for the OpenVPN Server:
Diffie Hellman crypto parameters:
Client Certificates

It's now time to generate the certificates for all the clients; it's also possible to share one certificate between various clients.

    cd /etc/openvpn/easy-rsa/
    source vars
    ./build-key client1

Let's move the certificate directory to the right place, the root of /etc/openvpn, and leave a symbolic link in "easy-rsa":

    cd /etc/openvpn/easy-rsa/
    sudo mv /etc/openvpn/easy-rsa/keys /etc/openvpn/
    ln -s /etc/openvpn/keys keys
Create /etc/openvpn/up.sh:

    #!/bin/sh
    # OpenVPN calls this as: up.sh <bridge> <tap device> <mtu> ...
    BR=$1
    DEV=$2
    MTU=$3
    # bring the tap device up and attach it to the bridge
    /sbin/ifconfig "$DEV" mtu "$MTU" promisc up
    /usr/sbin/brctl addif "$BR" "$DEV"

and also /etc/openvpn/down.sh:

    #!/bin/sh
    BR=$1
    DEV=$2
    # detach the tap device from the bridge and bring it down
    /usr/sbin/brctl delif "$BR" "$DEV"
    /sbin/ifconfig "$DEV" down

Let's make those scripts executable:

    sudo chmod 755 /etc/openvpn/down.sh
    sudo chmod 755 /etc/openvpn/up.sh

We can now configure the OpenVPN server by editing the file /etc/openvpn/server.conf and changing the options as required. The important parameters to take care of are "server-bridge" and "push", where you define the range of addresses the OpenVPN server will assign to clients.

    #
    # main configuration
    #
    mode server
    port 1194
    proto udp
    # bridging directive - this is needed to use the br0
    dev tap0
    # script to attach the tap0 interface to the bridge
    up "/etc/openvpn/up.sh br0"
    down "/etc/openvpn/down.sh br0"
    persist-key
    persist-tun

    # certificates and encryption
    ca keys/ca.crt
    cert keys/server.crt
    key keys/server.key  # This file should be kept secret
    dh keys/dh1024.pem
    cipher BF-CBC        # Blowfish (default)
    comp-lzo             # compression

    # enable communication between vpn clients
    client-to-client
    # enable multiple access from the same client certificate
    duplicate-cn

    #
    # DHCP configuration
    #
    # ipp.txt saves the status of the dhcp leases
    ifconfig-pool-persist ipp.txt
    # pool of addresses available for VPN leases
    # format: <server IP> <netmask> <pool start IP> <pool end IP>
    server-bridge 192.168.11.8 255.255.255.0 192.168.11.220 192.168.11.249
    # additional option to give to dhcp clients
    push "dhcp-option DNS 192.168.11.4"
    # maximum number of clients connected at a time
    max-clients 10

    #
    # log and security
    #
    user nobody
    group nogroup
    keepalive 10 120
    status openvpn-status.log
    verb 3
    script-security 3 system

Let's restart the OpenVPN server and we are good to go:

    sudo /etc/init.d/openvpn restart
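An added check, not part of the original tutorial: a POSIX shell function that scans a server.conf for the settings in the configuration above that weaken the tunnel (1024-bit DH file, 64-bit block cipher, duplicate-cn, script-security 3, compression). The names audit_openvpn_conf and sample_conf and the sample input are constructed for this example, and the DH check is only a file-name heuristic.

```shell
#!/bin/sh
# Added example (not from the tutorial): flag weak settings in an OpenVPN
# server.conf. Reads the config from a file argument or from stdin and
# prints one "WEAK <directive>: <reason>" line per finding.
audit_openvpn_conf() {
    awk '
    { sub(/[#;].*/, "") }            # strip comments before parsing
    NF == 0 { next }                 # skip empty lines
    $1 == "dh" && $2 ~ /dh(512|768|1024)[^0-9]/ {
        print "WEAK dh: " $2 " suggests DH parameters of 1024 bits or less (file name heuristic)"
    }
    $1 == "cipher" && toupper($2) ~ /^(BF|CAST5|RC2|DES|DESX)-/ {
        print "WEAK cipher: " $2 " is a 64-bit block cipher"
    }
    $1 == "duplicate-cn" {
        print "WEAK duplicate-cn: clients share one certificate, so no per-client revocation"
    }
    $1 == "script-security" && $2 + 0 >= 3 {
        print "WEAK script-security: level " $2 " allows passwords to reach scripts via the environment"
    }
    ($1 == "comp-lzo" || $1 == "compress") && $2 != "no" {
        print "WEAK " $1 ": compression before encryption can leak plaintext"
    }
    ' "$@"
}

# Constructed sample: the security-relevant lines of the server.conf above.
sample_conf() {
    cat <<'EOF'
dev tap0
dh keys/dh1024.pem
cipher BF-CBC # Blowfish (default)
comp-lzo # compression
client-to-client
duplicate-cn
script-security 3 system
EOF
}

# Stand-alone run: prints five findings for the sample.
sample_conf | audit_openvpn_conf
```

Run it against the real file with `audit_openvpn_conf /etc/openvpn/server.conf`; running up.sh and down.sh only needs script-security 2.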
Client configuration

Let's create a configuration file for the clients in a safe folder (for example /root/customername/customername.conf).

Inside this file it's important to set the "remote" parameter to the correct hostname/IP address of our OpenVPN server and to set the correct paths for keys and certificates; in this example the files are in a folder called "customername":

    # Specify that this is a client
    client
    # Bridge device setting
    dev tap
    # Host name and port for the server (default port is 1194)
    # note: replace with the correct values your server set up
    remote server.example.com 1194
    # Client does not need to bind to a specific local port
    nobind
    # Keep trying to resolve the host name of OpenVPN server.
    ## The windows GUI seems to dislike the following rule.
    ## You may need to comment it out.
    resolv-retry infinite
    # Preserve state across restarts
    persist-key
    persist-tun
    # SSL/TLS parameters - files created previously
    ca customername/ca.crt
    cert customername/client1.crt
    key customername/client1.key
    # Specify same cipher as server
    cipher BF-CBC
    # Use compression
    comp-lzo
    # Log verbosity (to help if there are problems)
    verb 3

Let's copy into the same folder the keys and certificate generated in the previous steps:

    sudo cp /etc/openvpn/keys/ca.crt .
    sudo cp /etc/openvpn/keys/client1.crt .
    sudo cp /etc/openvpn/keys/client1.key .

To the client we just have to give the content of the "customername" folder, to be copied into the OpenVPN client folder.