OpenVPN HOWTO

Overview

OpenVPN is an Open Source VPN product which uses SSL encryption. The main advantage of OpenVPN over other VPN products is that it is very easy to set up (unlike IPSec-based products) and very secure (unlike PPTP, which has known security weaknesses). As well as a Linux client, Windows and Mac OS X clients are also available.

Howto

This is basically a trimmed version of the excellent OpenVPN HOWTO.

x509 setup

First of all we need to generate x509 certificate/key pairs for the server and any clients. You might already have tools in place for this, in which case just be aware of the Man In The Middle prevention requirements: the server certificate must be marked as a server certificate (see "Enhanced security" below).

  • take a copy of the easy-rsa samples
  • cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0 ~/openvpn/ssl
  • cd ~/openvpn/ssl
  • edit vars, changing the KEY_* parameters at the bottom
    • the country code for England is GB, not UK (which is the Ukraine)
    • we increased KEY_SIZE to 2048
  • . ./vars
  • ./clean-all
  • ./build-ca
  • ./build-key-server vpn.example.com
  • ./build-key client.example.com
    • repeat as necessary
  • ./build-dh (this took 5 mins)

Server setup

  • edit /etc/openvpn/server.conf (from /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz)
    • set "local 1.2.3.4" (with IP address) to limit which addresses OpenVPN listens on
    • leave "proto udp" alone since it's the fastest, most robust choice
    • note that you cannot currently use TCP and UDP without running two copies of OpenVPN
    • leave "dev tun", as routed is better than bridged for most people
    • set "dh dh2048.pem" (as we increased the key size)
    • set "server 10.8.0.0 255.255.255.0" to the VPN range
  • note the files required and copy them from where you created the certificates earlier:
    • ca.crt (we renamed this to ca.example.com.crt)
    • server.crt (we renamed this to vpn.example.com.crt)
    • server.key (we renamed this to vpn.example.com.key)
    • dh2048.pem
  • ensure these files are not writable by anyone besides administrators
  • also ensure that only root can read the .key and dh2048.pem files

Linux client setup

  • edit /etc/openvpn/client.conf (from /usr/share/doc/openvpn/examples/sample-config-files/client.conf)
    • leave "proto udp"
    • set "remote vpn.example.com 1194"
  • note the files required and copy them from where you created the certificates earlier:
    • ca.crt (we renamed this to ca.example.com.crt)
    • client.crt (we renamed this to client.example.com.crt)
    • client.key (we renamed this to client.example.com.key)
  • ensure that only root can read the .key file
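The permission requirements above (key material and dh2048.pem not writable by anyone but administrators, and readable only by root, on both server and client) are easy to get wrong when files are copied around. The following is an added example, not part of OpenVPN or of the original HOWTO: a small check that reports any key file that is not root-owned or that group/others can read or write. The file paths in the __main__ block are the renamed ones this page uses and are assumed to live in /etc/openvpn; the mode_findings helper builds a throwaway file as constructed test input.

```python
"""Check OpenVPN key material permissions as this HOWTO asks.

Added example, not part of OpenVPN: .key files and dh2048.pem are read only
at start-up, so they should be owned by root and unreadable by anyone else.
"""
import os
import stat
import tempfile


def key_file_problems(path):
    """Return findings for a private key or DH file: not root-owned, or group/others can read or write it."""
    st = os.stat(path)
    problems = []
    if st.st_uid != 0:
        problems.append(f"{path}: not owned by root (uid {st.st_uid})")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is readable or writable by group/others")
    return problems


def mode_findings(mode):
    """Constructed test input: create a throwaway key file with the given mode and count the mode findings."""
    fd, path = tempfile.mkstemp(suffix=".key")
    os.close(fd)
    try:
        os.chmod(path, mode)
        return sum("group/others" in p for p in key_file_problems(path))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Assumed locations, using the file names this HOWTO chose.
    for f in ("/etc/openvpn/vpn.example.com.key", "/etc/openvpn/dh2048.pem",
              "/etc/openvpn/client.example.com.key"):
        if os.path.exists(f):
            print(f, key_file_problems(f) or "OK")
```

Run it as root on the server or client after copying the files; anything other than "OK" for a .key file means a non-root user on the box could read the private key and impersonate that host.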

Windows client setup

  • download the Windows client from http://openvpn.net/
    • use the v2.1 versions, as they support Vista and the GUI is built in
  • select “Start” → “OpenVPN” → “OpenVPN configuration file directory”
  • now follow roughly the same procedure as above
    • however call the file "client.ovpn" so that it is associated with OpenVPN
  • right-click “client.ovpn” and select “Start OpenVPN on this config file”; this launches a command prompt window
  • enter your username/password when prompted
  • kill this session off now; it's just the easiest way to import the settings
  • to close the VPN session, switch focus to the OpenVPN command prompt window and press F4

From now on, just right-click the OpenVPN icon in the task tray and select “Connect”.

If you use Vista you must run the OpenVPN GUI as administrator (right-click on it in Start → Programs and select “Run as administrator”). Otherwise it will connect, but you will be unable to talk to anything.

Tweaks

  • set 'push "route 1.2.3.4 255.255.255.0"' if required, to tell the client about networks behind the server
  • set 'push "dhcp-option DNS 1.2.3.4"' to tell the client about DNS servers
  • set 'push "dhcp-option WINS 1.2.3.4"' to tell the client about WINS servers
  • set 'push "redirect-gateway"' to force all traffic via the VPN
  • set 'client-to-client' to allow VPN clients to see each other

Enhanced security

  • run "openvpn --genkey --secret ta.key" and copy the file to both clients and the server
  • set "tls-auth ta.key 0" in the server configuration file
  • set "tls-auth ta.key 1" in the client configuration file
  • ensure "user nobody" and "group nobody" are set on both client and server
  • in order to avoid Man In The Middle attacks:
    • openvpn 2.0: set "ns-cert-type server" on the client
    • openvpn 2.1: set "remote-cert-tls server" on the client
    • NB: you must ensure that the server certificate was marked as a server certificate (which ./build-key-server does, as outlined earlier) in order for this to work
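Most of the settings in "Server setup", "Tweaks" and "Enhanced security" are single lines that are easy to miss or mistype (a stray dot in the "server" network, the tls-auth key direction swapped, "remote-cert-tls server" forgotten on a client). The following is an added example, not code from the OpenVPN project or from this HOWTO: a linter that parses an OpenVPN 2.0/2.1 config file and reports which of the settings above are missing or wrong. Directive names are the ones used on this page; the sample configs at the bottom are constructed (example.com hosts, RFC 5737 addresses) to mirror the HOWTO's own values, and the "bad" variants contain exactly the mistakes the page warns about.

```python
"""Lint OpenVPN 2.x config files for the settings this HOWTO asks for.

Added example, not code from the OpenVPN project. Directive names follow
the OpenVPN 2.0/2.1 manual; the expected values are the ones on this page.
"""
import ipaddress
import shlex


def parse_config(text):
    """Return [(directive, [args]), ...]; lines starting with # or ; are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)  # keeps push "route ..." as one argument
            entries.append((parts[0], parts[1:]))
    return entries


def network_problem(label, net, mask):
    """Message if net/mask is not a valid IPv4 network (typo, or host bits set), else None."""
    try:
        ipaddress.IPv4Network(f"{net}/{mask}", strict=True)
    except ValueError as exc:
        return f"{label}: bad network {net} {mask} ({exc})"
    return None


def lint_config(text, role):
    """Return findings for a 'server' or 'client' config; an empty list means it passes."""
    seen = {}
    for directive, args in parse_config(text):
        seen.setdefault(directive, []).append(args)
    first = lambda name: seen[name][0] if name in seen else None
    problems = []
    # Both sides: drop root after start-up, and use tls-auth with direction 0 (server) / 1 (client).
    if first("user") != ["nobody"]:
        problems.append("user: set 'user nobody' so OpenVPN drops root after start-up")
    if "group" not in seen:
        problems.append("group: missing; drop the group as well (the HOWTO uses 'group nobody')")
    want = "0" if role == "server" else "1"
    ta = first("tls-auth")
    if ta is None:
        problems.append("tls-auth: missing; create ta.key with 'openvpn --genkey --secret ta.key'")
    elif len(ta) != 2 or ta[1] != want:
        problems.append(f"tls-auth: key direction must be {want} on the {role}")
    if role == "server":
        srv = first("server")
        if srv is None or len(srv) != 2:
            problems.append("server: missing or malformed; expected 'server NETWORK NETMASK'")
        else:
            problems.append(network_problem("server", *srv))
        dh = first("dh")
        if dh is None:
            problems.append("dh: missing Diffie-Hellman parameter file")
        elif "1024" in dh[0]:
            problems.append("dh: 1024-bit parameters; this HOWTO builds dh2048.pem with KEY_SIZE=2048")
        for push in seen.get("push", []):  # pushed routes from the Tweaks section
            inner = push[0].split() if push else []
            if inner[:1] == ["route"] and len(inner) == 3:
                problems.append(network_problem("push route", *inner[1:]))
    else:
        if "remote" not in seen:
            problems.append("remote: missing; expected 'remote vpn.example.com 1194'")
        # Without this the client trusts any CA-signed certificate, including
        # another client's, as the server: the Man In The Middle case above.
        if first("remote-cert-tls") != ["server"] and first("ns-cert-type") != ["server"]:
            problems.append("remote-cert-tls server (2.1) / ns-cert-type server (2.0): missing, no MITM check")
    return [p for p in problems if p]  # drop the None results of clean network checks


# Constructed samples mirroring the HOWTO (example.com hosts, RFC 5737 addresses).
SERVER_CONF = """\
proto udp
dev tun
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 192.0.2.0 255.255.255.0"
push "dhcp-option DNS 192.0.2.1"
tls-auth ta.key 0
user nobody
group nobody
"""
# The mistakes this page warns about: stray dot in the network, 1024-bit DH, no tls-auth, no privilege drop.
SERVER_CONF_BAD = "dh dh1024.pem\nserver 10.8.0.0. 255.255.255.0\n"
CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.example.com 1194
tls-auth ta.key 1
remote-cert-tls server
user nobody
group nobody
"""
# Key direction reversed and no server-certificate check.
CLIENT_CONF_BAD = CLIENT_CONF.replace("tls-auth ta.key 1", "tls-auth ta.key 0").replace("remote-cert-tls server\n", "")
```

To check a real file, read it and call lint_config(open("/etc/openvpn/server.conf").read(), "server") (or "client" for client.conf); the "remote-cert-tls" finding is the one that matters most, since without it any holder of a client certificate signed by your CA can pose as the server.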

Problems

  • Client complains "Cannot load certificate file ..."
    • either edit the configuration file to refer to absolute file locations, or change directory to /etc/openvpn before running openvpn
  • You receive the error "Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)"
    • apt-get install udev (this creates /dev/net/tun and loads the tun module)