Difference between revisions of "OpenVPN"

From wikipost
Jump to navigationJump to search
(No difference)

Latest revision as of 12:47, 19 February 2013

This page describes how to set up a basic OpenVPN point-to-point installation on Debian Linux. For a setup with a server and username/certificate controlled clients, view the Openvpn-setup page.

From the OpenVPN website:

"OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser."


Openvpn logo.png

Installing the OpenVPN software

This step needs to be done on both server and client(s).

Make sure to have 'contrib' listed in /etc/apt/sources.list

# apt-get update
# apt-get install openvpn

on the vpn server machine:

  • create a new static key
# cd /etc/openvpn
# openvpn --genkey --secret static.key

This will create a new file called 'static.key'. Copy this file securely to the client in the /etc/openvpn directory.

  • create the server configuration file

Create /etc/openvpn/vpn.conf and add the following lines:

dev tun0
port 655
proto udp
secret /etc/openvpn/static.key

Where 10.9.8.x is your VPN subnetwork once it is connected, will be IP of the server and is IP of client. There is no need to enter public ip addresses or internet domain names etc.. Only the client will need the server's (router's) public ip address.

On the vpn client machine:

  • make sure the /etc/openvpn/static.key is read-only (chmod 400). This is not a requirement but simply best practice.

  • create the client configuration file

Create /etc/openvpn/vpn.conf and add the following lines:

remote server.public.ip.address
dev tun0
port 655
proto udp
secret /etc/openvpn/static.key

To test, start OpenVPN by hand on both sides with the following command:

# openvpn --config /etc/openvpn/vpn.conf --verb 6

The openvpn startup script (in /etc/init.d) will automatically look for .conf files in /etc/openvpn and start them at boot. To change this behaviour, simply create a new directory under /etc/openvpn/ and move the .conf file in there (e.g. /etc/openpvn/myvpn/vpn.conf).