Admin at 03:24, 14 October 2015

2015-10-14T03:24:21Z

New page

[[File:Openvpn logo.png]]

This page describes how to set up an [http://openvpn.net/ OpenVPN] server installation on Debian Linux. For a very basic host-to-host vpn, check out this [[OpenVPN]] page.

The recipe here creates an OpenVPN setup with:
* certificates
* username and password authentication
* multiple clients
* client vpn dhcp

==On the Server (Debian Linux)==

===Install the software===

* Make sure to have 'contrib' listed in /etc/apt/sources.list

<pre>
# apt-get update
# apt-get install openvpn
</pre>

===Set up a Certification Authority===

See the [[easy-rsa]] page for installation details.

===Create vpn client user accounts===

* On the vpn server add a new user group called 'vpn-users'

<pre>
groupadd vpn-users
</pre>

* Create a new vpn account without a shell and make it part of the vpn-users group. We need to do this for every vpn client.
* set the password for the vpn client user account.

<pre>
# useradd -s /bin/false -g vpn-users client1
# passwd client1
</pre>

===Create OpenVPN pam.d authentication plugin===

* create a file /etc/security/vpn.group.allowed

<pre>
# echo "vpn-users" > /etc/security/vpn.group.allowed
</pre>

* copy the default authentication script to create the /etc/pam.d/ovpn plugin

<pre>
# cp /etc/pam.d/login /etc/pam.d/ovpn
</pre>

* edit the ovpn pam file, position the cursor at the first line and insert an auth directive

<pre>
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/vpn.group.allowed
</pre>

===Create vpn server configuration file===

* create the server configuration file /etc/openvpn/server.conf

<pre>
port 655
proto udp
dev tun0

ca /etc/openvpn/easy-rsa/keys/ca.crt # generated keys
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # keep secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

#plugin /usr/lib/openvpn/openvpn-auth-pam.so ovpn # old location
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so ovpn # new location

script-security 3

server 10.9.8.0 255.255.255.0 # internal tun0 connection IP
ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo # Compression - must be turned on at both ends
persist-key
persist-tun

status /var/log/openvpn-status.log

verb 3 # verbose mode
client-to-client
</pre>

Additional instructions to use your vpn as the client's default internet gateway. [[vpn-gateway]]

===Distribute certificates to client(s)===

* Copy the ca.crt, clientname.crt, clientname.key from the server to the client(s).

For a Linux client, copy the files to /etc/openvpn/.

For a Windows client, copy the files to C:\Program Files\OpenVPN\config\.

==On the Client (Debian Linux)==

(see further down for setting up the client connection on Windows)

===Install the software===

* Make sure to have 'contrib' listed in /etc/apt/sources.list

<pre>
# apt-get update
# apt-get install openvpn
</pre>

===Create client configuration file===

* create the client configuration file at /etc/openvpn/client.conf

<pre>
client
remote remote.vpn.server.address
dev tun0
port 655
proto udp

auth-user-pass

nobind

ca /etc/openvpn/ca.crt
cert /etc/openvpn/clientname.crt
key /etc/openvpn/clientname.key

comp-lzo # Compression - must be turned on at both ends

# add a route to the client see other hosts on the server network
# you may need to update this line to match your network setup
push "route 192.168.0.0 255.255.255.0"

persist-key
persist-tun
verb 3
</pre>

==On the Client (Windows)==

Probably the most used add-on to OpenVPN is the Windows client GUI. The old client GUI is effectively unmaintained, but is still (as of 19 February 2013) included in the official OpenVPN-2.3 installer packages. The new GUI is more advanced and uses the OpenVPN management interface for controlling the OpenVPN daemon and should therefore be more reliable. The new GUI will eventually replace the old GUI in the official installers.

===Install the software===

* Download the openvpn windows installer from http://openvpn.net/index.php/open-source/downloads.html

* Run the installation binary and install the software, just accept all defaults.

===Create the client configuration file===

* open a text editor, create c:\program files\openvpn\config\client.ovpn and add the following lines:

<pre>
client
remote remote.server.ip.address
dev tun
port 655
proto udp

auth-user-pass

nobind

ca ca.crt
cert clientname.crt
key clientname.key

comp-lzo # Compression - must be turned on at both ends

# add a route to the client see other hosts on the server network
# you may need to update this line to match your network setup
push "route 192.168.0.0 255.255.255.0"

keepalive 10 60
ping-timer-rem
verb 3
</pre>

==Start the VPN tunnel==

===On the server (Debian Linux)===

* with the .conf file placed in /etc/openvpn/ the vpn server will be listening for incoming connections automatically when the system is booted.

* use the init script to force a restart of the vpn server

<pre>
/etc/init.d/openvpn restart
</pre>

* check the log files in /var/log/ for debugging

===On the client (Debian Linux)===

* with the .conf file placed in /etc/openvpn/ the vpn client will automatically try to make a connection to the vpn server when the system is booted.

* use the init script to force a restart of the vpn client

<pre>
/etc/init.d/openvpn restart
</pre>

* a prompt asking you for a username and password will appear on the console. Enter the credentials for the client account and press ENTER.

* check the log files in /var/log/ for debugging

===On the client (Windows)===

* From the Windows program files menu, start the OpenVPN GUI program. The openvpn icon will appear in the sytem tray. Right-click on the icon and select 'Connect' on the config for your vpn. A dialog box prompting for a username and password will appear.

[[File:Openvpn-win-gui.PNG]]

Enter the credentials for the client account and click 'Ok'.

That's it! :-)

Openvpn-setup - Revision history

Admin at 03:24, 14 October 2015