Openvpn-setup

From wikipost


This page describes how to set up an OpenVPN server on Debian Linux, with clients on Debian and on Windows. For a very basic host-to-host VPN, see the OpenVPN page.

The recipe here creates an OpenVPN setup with:

  • X.509 certificates for the server and for every client (a stolen password alone is not enough to connect)
  • username and password authentication through PAM, checked in addition to the client certificate
  • multiple clients
  • server-assigned client addresses from an address pool (OpenVPN's own pool, not a DHCP server)


On the Server (Debian Linux)

Install the software

  • Make sure to have 'contrib' listed in /etc/apt/sources.list
# apt-get update
# apt-get install openvpn


Set up a Certification Authority

See the easy-rsa page for installation details.


Create vpn client user accounts

  • On the vpn server add a new group called 'vpn-users'
# groupadd vpn-users
  • For every vpn client, create an account without a login shell, make it a member of vpn-users and set its password. The account exists only so that PAM can check the password; the shell /bin/false (or /usr/sbin/nologin) keeps it from logging in over ssh or on the console.
# useradd -s /bin/false -g vpn-users client1
# passwd client1


Create OpenVPN pam.d authentication plugin

  • create the file /etc/security/vpn.group.allowed listing the groups whose members may use the vpn
# echo "vpn-users" > /etc/security/vpn.group.allowed
  • copy the default login stack to create the /etc/pam.d/ovpn service file. Debian's /etc/pam.d/login also carries modules meant for interactive terminals (pam_securetty, pam_nologin); if password authentication fails with those in place, replace the copy with a file containing only the pam_listfile line below followed by '@include common-auth' and '@include common-account'.
# cp /etc/pam.d/login /etc/pam.d/ovpn
  • edit the ovpn pam file and insert the following auth directive as its first line, so that group membership is checked before the password. onerr=fail makes a missing or unreadable allow file deny everyone instead of admitting everyone.
auth  required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/vpn.group.allowed
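The steps above, as an added shell example that is not part of the original page: it writes the allow list and a minimal /etc/pam.d/ovpn (instead of a copy of /etc/pam.d/login), creates an account the way the page does, and emulates the pam_listfile group check so you can see which accounts it would admit. The directory argument is an assumption introduced here so the functions can be tried against a scratch directory; without it they target /etc.

```shell
#!/bin/sh
# Added example (not part of the original page): create the PAM pieces the
# auth-pam plugin needs and check who they admit. Directory paths are
# parameters so the functions can be exercised against a scratch directory;
# with no argument they target /etc.
set -eu

# Write the allow list and a minimal /etc/pam.d/ovpn under $1 (default /etc).
# Instead of a copy of /etc/pam.d/login, the stack holds only the group check
# and Debian's common-auth/common-account includes: login's pam_securetty and
# pam_nologin entries assume an interactive terminal and are not wanted here.
write_vpn_pam() {
    etc="${1:-/etc}"
    mkdir -p "$etc/security" "$etc/pam.d"
    printf 'vpn-users\n' > "$etc/security/vpn.group.allowed"
    cat > "$etc/pam.d/ovpn" <<EOF
# group membership first: onerr=fail denies everyone if the list is missing
auth     required   pam_listfile.so onerr=fail item=group sense=allow file=$etc/security/vpn.group.allowed
@include common-auth
@include common-account
EOF
    chmod 644 "$etc/pam.d/ovpn" "$etc/security/vpn.group.allowed"
}

# Create a shell-less vpn account in vpn-users, as the page does with useradd.
create_vpn_user() {
    getent group vpn-users >/dev/null || groupadd vpn-users
    useradd -s /bin/false -g vpn-users "$1"
    passwd "$1"
}

# Emulate pam_listfile item=group sense=allow: succeed if any group named in
# $2 (space separated, the format of `id -nG user`) is listed in allow file $1.
groups_allowed() {
    for g in $2; do
        grep -qx "$g" "$1" && return 0
    done
    return 1
}

# Would account $1 pass the group check? $2 overrides /etc for testing.
user_allowed() {
    groups_allowed "${2:-/etc}/security/vpn.group.allowed" "$(id -nG "$1")"
}
```

Run `write_vpn_pam` once as root, `create_vpn_user client1` per client, and `user_allowed client1` to confirm that the group check admits the account before testing through the vpn.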


Create vpn server configuration file

  • create the server configuration file /etc/openvpn/server.conf. The comments explain the security-relevant settings. The file as shown does not drop privileges; adding 'user nobody' and 'group nogroup' (persist-key and persist-tun are already present, so the dropped daemon can survive restarts) runs the daemon unprivileged after start-up.
port 655   # 1194 is the OpenVPN default; any port works as long as the clients use the same one
proto udp
dev tun0

ca      /etc/openvpn/easy-rsa/keys/ca.crt      # generated keys
cert    /etc/openvpn/easy-rsa/keys/server.crt
key     /etc/openvpn/easy-rsa/keys/server.key  # keep secret, mode 0600
# 1024-bit Diffie-Hellman parameters are too weak for current use: generate 2048-bit
# parameters with easy-rsa (KEY_SIZE=2048 gives dh2048.pem) and point at that file instead
dh      /etc/openvpn/easy-rsa/keys/dh1024.pem

#plugin /usr/lib/openvpn/openvpn-auth-pam.so ovpn         # old location
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so ovpn  # new location ('dpkg -L openvpn' shows the path on your release)

# The PAM plugin does not need script-security. Level 3 hands the client's password to
# scripts through environment variables, so enable it only if you add an
# auth-user-pass-verify or similar script.
;script-security 3

server 10.9.8.0 255.255.255.0  # internal tun0 network; clients get addresses from this pool
ifconfig-pool-persist ipp.txt

keepalive 10 120

# Compression - must be turned on at both ends. Compressing attacker-influenced plaintext
# inside the tunnel leaks data (VORACLE); leave it out on both ends unless you need it.
comp-lzo
persist-key
persist-tun

status /var/log/openvpn-status.log

verb 3  # verbose mode; 4 or higher logs much more while debugging
client-to-client  # lets clients reach each other through the server; omit to keep clients isolated


For using the vpn as the client's default internet gateway, see the additional instructions on the vpn-gateway page.


Distribute certificates to client(s)

  • Copy ca.crt, clientname.crt and clientname.key from the server to the client(s). clientname.key is the client's private key: transfer it over a secure channel (scp, or physically carried media), never by plain e-mail, and make it readable only by the administrator on the client (mode 0600 on Linux). Each client gets its own certificate and key; do not share one pair between clients.

For a Linux client, copy the files to /etc/openvpn/.

For a Windows client, copy the files to C:\Program Files\OpenVPN\config\.


On the Client (Debian Linux)

(see further down for setting up the client connection on Windows)

Install the software

  • Make sure to have 'contrib' listed in /etc/apt/sources.list
# apt-get update
# apt-get install openvpn


Create client configuration file

  • create the client configuration file at /etc/openvpn/client.conf
client
remote remote.vpn.server.address
dev tun0
port 655
proto udp

auth-user-pass

nobind

ca     /etc/openvpn/ca.crt
cert   /etc/openvpn/clientname.crt
key    /etc/openvpn/clientname.key

comp-lzo         # Compression - must be turned on at both ends

# 'push' is a server-only directive and is rejected in a client config; the route to
# the server's LAN is normally pushed from the server with push "route ..." in server.conf.
# To add it from the client side instead use 'route' (adjust the network to your setup):
route 192.168.0.0 255.255.255.0

persist-key
persist-tun
verb 3

On the Client (Windows)

Probably the most used add-on to OpenVPN is the Windows client GUI. The old client GUI is effectively unmaintained, but is still (as of 19 February 2013) included in the official OpenVPN 2.3 installer packages. The new GUI is more advanced and uses the OpenVPN management interface to control the OpenVPN daemon, and should therefore be more reliable. The new GUI will eventually replace the old GUI in the official installers. Get the installer from the official OpenVPN download page and verify the published signature or checksum before running it.

Install the software

  • Run the installation binary and install the software, just accept all defaults.


Create the client configuration file

  • open a text editor, create c:\program files\openvpn\config\client.ovpn and add the following lines:
client
remote remote.server.ip.address
dev tun
port 655
proto udp

auth-user-pass

nobind

ca     ca.crt
cert   clientname.crt
key    clientname.key

comp-lzo         # Compression - must be turned on at both ends

# 'push' is a server-only directive and is rejected in a client config; the route to
# the server's LAN is normally pushed from the server with push "route ..." in server.conf.
# To add it from the client side instead use 'route' (adjust the network to your setup):
route 192.168.0.0 255.255.255.0

keepalive 10 60
ping-timer-rem
verb 3
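Both client configurations above (Linux and Windows) need the three certificate files beside them. As an added example that is not part of the original page, the script below bundles ca.crt, clientname.crt, clientname.key and the server's ta.key into one .ovpn using OpenVPN's inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks, so a single file is handed to the client, and writes the two-line credentials file that lets a Linux client start unattended. It assumes the server uses tls-auth with direction 0 (so the client uses key-direction 1); the host name vpn.example.net and the client name alice in the usage are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original page): build a single client
# profile with ca.crt, clientname.crt, clientname.key and the server's ta.key
# inlined, so one file is handed to a Windows or Linux client instead of four,
# and write the optional credentials file for unattended starts.
# Assumes the server uses tls-auth with direction 0 (clients then use 1).
set -eu

# Emit one inline block: <ca>...</ca>, <cert>...</cert>, <key>...</key>, <tls-auth>...</tls-auth>
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# $1 server address, $2 client name, $3 directory holding ca.crt, $2.crt,
# $2.key and ta.key, $4 output path. The result contains the private key,
# so it is created readable by its owner only (umask in a subshell).
make_ovpn() {
    server="$1"; name="$2"; src="$3"; out="$4"
    (
        umask 077
        {
            cat <<EOF
client
remote $server 655
proto udp
dev tun
nobind
auth-user-pass
remote-cert-tls server
# the LAN route is pushed by the server; 'push' is not a client directive.
# Uncomment to add it from the client side instead:
;route 192.168.0.0 255.255.255.0
key-direction 1
persist-key
persist-tun
verb 3
EOF
            inline_block ca       "$src/ca.crt"
            inline_block cert     "$src/$name.crt"
            inline_block key      "$src/$name.key"
            inline_block tls-auth "$src/ta.key"
        } > "$out"
    )
}

# Two-line file for 'auth-user-pass <file>' (username, then password), mode 0600.
# The password then sits on disk: protect the client host accordingly.
write_auth_file() {
    (
        umask 077
        printf '%s\n%s\n' "$2" "$3" > "$1"
    )
}

# Usage (placeholders): make_ovpn vpn.example.net alice /etc/openvpn/easy-rsa/keys /root/alice.ovpn
```

On Linux the generated file goes to /etc/openvpn/client.conf and `auth-user-pass /etc/openvpn/client.auth` is added to it; on Windows it is dropped into the config directory as is.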


Start the VPN tunnel

On the server (Debian Linux)

  • with the .conf file placed in /etc/openvpn/ the vpn server will be listening for incoming connections automatically when the system is booted.
  • use the init script to force a restart of the vpn server (on a Debian release with systemd the unit is named after the config file: systemctl restart openvpn@server)
# /etc/init.d/openvpn restart
  • check the log files in /var/log/ for debugging: with no 'log' directive the daemon logs through syslog, and the 'status' file named in server.conf lists the connected clients. On systemd, journalctl -u openvpn@server shows the same messages.
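The status file is the quickest way to see who is connected. As an added example that is not part of the original page, the script below parses the version-1 status layout written by the 'status' directive, lists each client with its real and tunnel address, and flags any connected certificate common name that is not in a list of known vpn accounts (a certificate issued to a name with no matching account is worth investigating). The sample status file is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not part of the original page): read the file written by the
# 'status' directive (default version-1 layout) to list who is connected and to
# flag a certificate common name that does not match a known vpn account. The
# sample status file below is constructed, not captured from a real server.
set -eu

# Print "common_name real_address virtual_address connected_since" per client.
list_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { sect = "clients"; next }
        /^ROUTING TABLE/       { sect = "routes";  next }
        /^GLOBAL STATS/        { sect = "";        next }
        sect == "clients" && NF >= 5 && $1 != "Common Name" {
            real[$1] = $2; since[$1] = $5
        }
        sect == "routes" && NF >= 4 && $1 != "Virtual Address" {
            vaddr[$2] = $1
        }
        END {
            for (cn in real)
                printf "%s %s %s %s\n", cn, real[cn], (cn in vaddr) ? vaddr[cn] : "-", since[cn]
        }' "$1" | sort
}

# Print connected common names missing from $2 (one expected name per line);
# return 1 if any, since every client certificate should belong to a known account.
unexpected_clients() {
    list_clients "$1" | cut -d' ' -f1 | grep -vxF -f "$2" || return 0
    return 1
}

# Constructed sample in the format OpenVPN writes for 'status' (version 1).
write_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.5:51234,12345,67890,Thu Jun 18 08:00:01 2015
client2,198.51.100.7:40022,777,888,Thu Jun 18 08:10:44 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.9.8.6,client1,203.0.113.5:51234,Thu Jun 18 08:12:10 2015
10.9.8.10,client2,198.51.100.7:40022,Thu Jun 18 08:12:12 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}
```

On the server, `list_clients /var/log/openvpn-status.log` prints the current sessions, and `unexpected_clients /var/log/openvpn-status.log <(getent group vpn-users | cut -d: -f4 | tr , '\n')` (bash) compares them against the members of vpn-users.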


On the client (Debian Linux)

  • with the .conf file placed in /etc/openvpn/ the vpn client will automatically try to make a connection to the vpn server when the system is booted.
  • use the init script to force a restart of the vpn client (on a Debian release with systemd: systemctl restart openvpn@client)
# /etc/init.d/openvpn restart
  • a prompt asking you for a username and password will appear on the console (OpenVPN asks for the credentials before it backgrounds itself). Enter the credentials for the client account and press ENTER. For an unattended start, point the directive at a file instead: 'auth-user-pass /etc/openvpn/client.auth', with the username on the first line and the password on the second, owned by root with mode 0600. The password then sits on disk, so protect the client host accordingly.
  • check the log files in /var/log/ for debugging (the client logs through syslog; a TLS or authentication failure is reported there with the reason).


On the client (Windows)

  • From the Windows program files menu, start the OpenVPN GUI program. The openvpn icon will appear in the system tray. Right-click on the icon and select 'Connect' on the config for your vpn. A dialog box prompting for a username and password will appear.


Enter the credentials for the client account and click 'Ok'.



That's it! :-)