OpenVPN

Revision as of 02:47, 19 February 2013 by Admin (talk | contribs)

This page describes how to set up a basic OpenVPN point-to-point installation on Debian Linux. For a setup with a server and username/certificate-controlled clients, see the Openvpn-setup page.


From the OpenVPN website:

"OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser."

http://openvpn.net/index.php/open-source/documentation/howto.html


Installing the OpenVPN software

This step needs to be done on both server and client(s).

Make sure to have 'contrib' listed in /etc/apt/sources.list

# apt-get update
# apt-get install openvpn


On the VPN server machine:

  • create a new static key
# cd /etc/openvpn
# openvpn --genkey --secret static.key

This will create a new file called 'static.key'. Copy this file to the /etc/openvpn directory on the client over a secure channel (for example scp), since it is the only secret protecting the tunnel.


  • create the server configuration file

Create /etc/openvpn/vpn.conf and add the following lines:

dev tun0
port 655
proto udp
ifconfig 10.9.8.1 10.9.8.2
secret /etc/openvpn/static.key


Here 10.9.8.x is the VPN subnetwork used once the tunnel is connected: 10.9.8.1 is the IP address of the server and 10.9.8.2 is the IP address of the client. The server configuration needs no public IP addresses or internet domain names. Only the client needs the server's (router's) public IP address.


On the VPN client machine:

  • make sure the /etc/openvpn/static.key is read-only (chmod 400). This is not a requirement but simply best practice.


  • create the client configuration file

Create /etc/openvpn/vpn.conf and add the following lines:

remote server.public.ip.address
dev tun0
port 655
proto udp
ifconfig 10.9.8.2 10.9.8.1
secret /etc/openvpn/static.key


To test, start OpenVPN by hand on both sides with the following command:

# openvpn --config /etc/openvpn/vpn.conf --verb 6
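
A pre-flight check for the files created above, as an added example that is not part of the original page: it verifies that static.key is not accessible to group or other, and that the client configuration mirrors the server's (same port and proto, reversed ifconfig pair, a remote line present). The function names are hypothetical, GNU stat is assumed, and copies of both vpn.conf files are assumed to be available on one machine.

```shell
#!/bin/sh
# Added example: pre-flight checks for the static-key setup above.
# Function names are hypothetical; GNU stat (as shipped on Debian) is assumed.

# conf_value FILE DIRECTIVE: print the arguments of the first matching line.
conf_value() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# key_perms_ok FILE: succeed only if group and other have no access.
key_perms_ok() {
    mode=$(stat -c %a "$1") || return 2
    case "$mode" in
        [0-7]00) return 0 ;;
        *) echo "$1: mode $mode lets group/other reach the key" >&2; return 1 ;;
    esac
}

# configs_mirror SERVER_CONF CLIENT_CONF: succeed if both ends agree.
configs_mirror() {
    rc=0
    for d in port proto; do
        if [ "$(conf_value "$1" "$d")" != "$(conf_value "$2" "$d")" ]; then
            echo "mismatch: $d differs between server and client" >&2; rc=1
        fi
    done
    [ -n "$(conf_value "$2" remote)" ] || { echo "client: no remote" >&2; rc=1; }
    # Client "ifconfig LOCAL PEER" must be the server's pair reversed.
    set -- $(conf_value "$1" ifconfig) $(conf_value "$2" ifconfig)
    if [ $# -ne 4 ] || [ "$1" != "$4" ] || [ "$2" != "$3" ]; then
        echo "mismatch: ifconfig endpoints are not mirrored" >&2; rc=1
    fi
    return $rc
}

# Script usage: preflight.sh KEY SERVER_CONF CLIENT_CONF
if [ $# -eq 3 ]; then
    key_perms_ok "$1" && configs_mirror "$2" "$3" && echo "preflight OK"
fi
```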


The OpenVPN startup script (in /etc/init.d) automatically looks for .conf files in /etc/openvpn and starts them at boot. To change this behaviour, create a new directory under /etc/openvpn/ and move the .conf file there (e.g. /etc/openvpn/myvpn/vpn.conf).