Install OpenVPN in Ubuntu By: Onno W. Purbo cp openvpn-2.0.9.tar.gz /usr/local/src cd /usr/local/src tar zxvf openvpn-2.0.9.tar.gz cd openvpn-2.0.9 ./configure make make install # apt-get install openvpn --------------------------------- Linux Server Internal IP: 192.168.0.2 Internet Gateway: 192.168.0.222 Gateway's IP Address: dynamic Speedy Network Layout: Internet ----- Router/Firewall ----- OpenVPN Server (eth1) vi etc/network/interfaces auto eth0 iface eth0 inet static address 192.168.0.2 netmask 255.255.255.0 gateway 192.168.0.222 # apt-get install openvpn # cp -Rf /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/ # cd /etc/openvpn/ # vi vars #this is to ensure secure data export KEY_SIZE=1024 # These are the default values for fields # which will be placed in the certificate. # Don't leave any of these fields blank. export KEY_COUNTRY=ID export KEY_PROVINCE=DKI export KEY_CITY=Jakarta export KEY_ORG="Kerm.IT" export KEY_EMAIL="onno@indo.net.id" # cd /etc/openvpn/ . ./vars ./clean-all ./build-ca Country Name (2 letter code) [ID]: State or Province Name (full name) [DKI]: Locality Name (eg, city) [Jakarta]: Organization Name (eg, company) [Kerm.IT]: Organizational Unit Name (eg, section) []:Kerm.IT Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org Email Address [onno@indo.net.id]: # ls -l /etc/openvpn/ # ls -l /etc/openvpn/keys ca.crt ca.key index.txt serial ./build-key-server server Country Name (2 letter code) [ID]: State or Province Name (full name) [DKI]: Locality Name (eg, city) [Jakarta]: Organization Name (eg, company) [Kerm.IT]: Organizational Unit Name (eg, section) []:Kerm.IT Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org Email Address [onno@indo.net.id]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456 An optional company name []:Kerm.IT Using configuration from /etc/openvpn/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'ID' stateOrProvinceName :PRINTABLE:'DKI' localityName :PRINTABLE:'Jakarta' organizationName :PRINTABLE:'Kerm.IT' organizationalUnitName:PRINTABLE:'Kerm.IT' commonName :PRINTABLE:'yc0mlc.ampr.org' emailAddress :IA5STRING:'onno@indo.net.id' Certificate is to be certified until Jan 13 03:34:36 2018 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated ./build-key admin 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated ./build-key-pass username ./build-key username ./build-dh openvpn --genkey --secret keys/ta.key openvpn --genkey --secret keys/ca.key openvpn --genkey --secret keys/ta.key test key # openvpn --genkey --secret key # openvpn --test-crypto --secret key test di 2 windows # cd /etc/openvpn # cp -Rf /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn/ # cp -Rf /usr/share/doc/openvpn/examples/sample-keys/ /etc/openvpn/ # openvpn --config sample-config-files/loopback-client # openvpn --config sample-config-files/loopback-server Example OpenVPN-Admin # apt-get install mono openvpn-admin Operational Server server.conf (from www.openvpn.org) # openvpn --config /etc/openvpn/server.conf Operational Client client.conf (from www.openvpn.org) # openvpn --config /etc/openvpn/client.conf # vi /etc/openvpn/server.conf #OpenVPN Server config file # Which local IP address should OpenVPN listen on? (optional) # local 10.1.1.2 local 192.168.0.2 # Which TCP/UDP port should OpenVPN listen on? port 1194 # TCP or UDP server? proto tcp # "dev tun" will create a routed IP tunnel, which is what we want dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel if you # have more than one. On XP SP2 or higher, # you may need to selectively disable the # Windows firewall for the TAP adapter. # Non-Windows systems usually don't need this. ;dev-node MyTap # SSL/TLS root certificate (ca), certificate # (cert), and private key (key). Each client # and the server must have their own cert and # key file. The server and all clients will # use the same ca file. ca keys/ca.crt cert keys/server.crt key keys/server.key # This file should be kept secret # Diffie hellman parameters. dh keys/dh1024.pem # Configure server mode and supply a VPN subnet server 192.168.1.0 255.255.255.0 # Maintain a record of client <-> virtual IP address # associations in this file. ifconfig-pool-persist ipp.txt # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these # private subnets will also need # to know to route the OpenVPN client # address pool (10.8.0.0/255.255.255.0) # back to the OpenVPN server. # push “route 172.10.1.0 255.255.255.0" # push “route 192.168.0.0 255.255.255.0" # If enabled, this directive will configure # all clients to redirect their default # network gateway through the VPN, causing # all IP traffic such as web browsing and # and DNS lookups to go through the VPN push “redirect-gateway” # Certain Windows-specific network settings # can be pushed to clients, such as DNS # or WINS server addresses. ;push “dhcp-option DNS 172.10.1.2′′ # Uncomment this directive to allow different # clients to be able to “see” each other. client-to-client # Ping every 10 seconds, assume that remote # peer is down if no ping received during # a 120 second time period. keepalive 10 120 # For extra security beyond that provided # by SSL/TLS, create an “HMAC firewall” # to help block DoS attacks and UDP port flooding. tls-auth keys/ta.key 0 # This file is secret # Select a cryptographic cipher. # This config item must be copied to # the client config file as well. ;cipher BF-CBC # Blowfish (default) cipher AES-128-CBC # AES ;cipher DES-EDE3-CBC # Triple-DES # Enable compression on the VPN link. # comp-lzo # The maximum number of concurrently connected # clients we want to allow. max-clients 250 # It’s a good idea to reduce the OpenVPN # daemon’s privileges after initialization. user nobody group nogroup # The persist options will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. persist-key persist-tun # Output a short status file showing status openvpn-status.log log-append openvpn.log # Set the appropriate level of log # file verbosity. # # 0 is silent, except for fatal errors # 4 is reasonable for general usage # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 4 # Silence repeating messages. At most 20 # sequential messages of the same message # category will be output to the log. mute 20 --------------- client Linux ----------------- # apt-get install kvpnc # apt-get install network-manager-openvpn openvpn # cp -Rf /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/ # cd /etc/openvpn # mkdir /etc/openvpn/keys # vi vars # , ./vars # ./clean-all # scp -r root@192.168.0.2:/etc/openvpn/keys/ca.crt /etc/openvpn/keys # scp -r root@192.168.0.2:/etc/openvpn/keys/user1.crt /etc/openvpn/keys # scp -r root@192.168.0.2:/etc/openvpn/keys/user1.key /etc/openvpn/keys Operational Client (client.conf from www.openvpn.org) # openvpn --config /etc/openvpn/client.conf # vi /etc/openvpn/client.conf # Specify that we are a client and that we # will be pulling certain config file directives # from the server. client # Use the same setting as you are using on # the server. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. ;dev tap dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel # if you have more than one. On XP SP2, # you may need to disable the firewall # for the TAP adapter. ;dev-node MyTap # Are we connecting to a TCP or # UDP server? Use the same setting as # on the server. ;proto tcp proto udp # The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. ;remote my-server-1 1194 ;remote my-server-2 1194 remote 192.168.0.2 1194 # Choose a random host from the remote # list for load-balancing. Otherwise # try hosts in the order specified. ;remote-random # Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected # to the internet such as laptops. resolv-retry infinite # Most clients don't need to bind to # a specific local port number. nobind # Downgrade privileges after initialization (non-Windows only) user nobody group nogroup # Try to preserve some state across restarts. persist-key persist-tun # If you are connecting through an # HTTP proxy to reach the actual OpenVPN # server, put the proxy server/IP and # port number here. See the man page # if your proxy server requires # authentication. ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #] # Wireless networks often produce a lot # of duplicate packets. Set this flag # to silence duplicate packet warnings. ;mute-replay-warnings # SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. ca keys/ca.crt cert keys/client.crt key keys/client.key # Verify server certificate by checking # that the certicate has the nsCertType # field set to "server". This is an # important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate # your server certificates with the nsCertType # field set to "server". The build-key-server # script in the easy-rsa folder will do this. ;ns-cert-type server # If a tls-auth key is used on the server # then every client must also have the key. ;tls-auth ta.key 1 # Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. ;cipher x # Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the server config file. comp-lzo # Set log file verbosity. verb 3 # Silence repeating messages ;mute 20