Openvpn

From SHellium Wiki


This Feature Is Prohibited

If you attempt to use this on SHellium you will be banned.


Overview

OpenVPN is one of the few open source SSL/TLS VPN toolkits. With it a remote machine can join a network as if it were on the local LAN, and tunnels can be built between hosts that sit behind NAT firewalls.

OpenVPN runs on many platforms, including (but not limited to) Windows 2000, Windows XP, Windows Vista, Mac OS X, FreeBSD, OpenBSD, Linux, and Solaris. It speaks its own protocol and is not interoperable with IPsec or any other VPN implementation: both ends of a tunnel must run OpenVPN.

Encryption / Security

OpenVPN uses OpenSSL for all data encryption, and because the crypto library can use hardware acceleration, throughput is usually good. The tls-auth option adds an HMAC signature to every control-channel packet (the "HMAC firewall"): a packet without a valid HMAC is dropped before any TLS processing happens, which keeps port scanners, DoS attempts and attacks on the TLS implementation away from unauthenticated hosts. On the host side OpenVPN runs entirely in user space through the tun/tap driver, so it adds no code to the kernel IP stack. After initialization it can drop root privileges (user/group), chroot into an empty directory, and lock its memory with mlockall so that key material is never swapped out to disk.

Authentication Methods

OpenVPN peers can authenticate each other in several ways: X.509 certificates, a pre-shared static key, and/or a username and password. The certificate and password modes run over a TLS handshake provided by OpenSSL (a password-only setup should still use a server certificate so the client can verify whom it is talking to); the static-key mode skips the handshake entirely and only supports a single point-to-point link.


Routed VPN Tutorial

Introduction

This tutorial is deliberately general; the procedure is much the same on any Linux distribution. First, install OpenVPN with emerge/yum/rpm or build it from source (this tutorial assumes you know how). Two dependencies are needed: OpenSSL, and LZO if you want compression.

Routing is the better choice for most people. It is more efficient and easier to set up than bridging, and it lets you control access rights per client.

Follow this tutorial unless you run applications on the VPN that need network broadcasts, want to browse Windows shares without a Samba or WINS server, or need to carry non-IP protocols (such as IPX); those cases need a bridged VPN instead.

First, choose the VPN subnet. Three private ranges are reserved for this kind of use (RFC 1918):

10.0.0.0 (10/8)
172.16.0.0 (172.16/12)
192.168.0.0 (192.168/16)

Pick a subnet inside one of them that is unlikely to clash with the LANs on either end of the tunnel: a client whose home network is 192.168.0.0/24 cannot reach a VPN that also uses 192.168.0.0/24. Most consumer routers default to 192.168.0.0/24 or 192.168.1.0/24, some to 10.0.0.0/24, so a less common choice such as 10.8.0.0/24 is usually safe. Check your network settings before deciding.


The Certificate Authority

Next, set up a PKI (Public Key Infrastructure). Using the easy-rsa scripts shipped with OpenVPN is recommended. They are usually found alongside your OpenVPN install (typically /etc/openvpn/easy-rsa or /usr/openvpn/easy-rsa).

Open the vars script in your favorite editor and fill in the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL parameters as you see fit. Do NOT leave any of them blank. KEY_SIZE in the same file sets the size of every RSA key and of the DH parameters generated later; 1024 is the old default and 2048 is the sensible minimum today.

Next, initialize the PKI by sourcing vars and then running the two setup scripts:

. ./vars - loads the settings into the current shell (note the space after the first dot: the file must be sourced, not executed, or its variables are lost)
./clean-all - removes all prior keys; beware that if a previous CA lives in this directory it WILL be erased
./build-ca - builds the certificate authority; fill in a "Common Name" of your choice

Next is the server key generation:

./build-key-server server - the last word can be changed, but the change must then be reflected in the configuration file later on. For the Common Name, enter server. Unlike build-key, this script marks the certificate as a server certificate (nsCertType=server), which clients can verify with the ns-cert-type server option so that no other client's certificate can impersonate the server.

Say yes to both prompts (sign the certificate, then commit it to the CA database).

Building Certificates the Insecure Way

In this variant the CA machine generates the client's private key, which then has to be transferred to the client. Private keys should never travel over an untrusted channel (e-mail, chat, plain HTTP); if you must move one, use scp or similar and delete the CA's copy afterwards.

Run:

./build-key insertnameyouwanthere

To protect the key with a passphrase, use this command instead:

./build-key-pass insertnameyouwanthere

The key and certificate (name.key and name.crt) are stored in the keys directory under easy-rsa.

Building Certificates the Secure Way

Here the private key is generated on the machine that will use it and never leaves it; only a certificate signing request (CSR) goes to the CA. CSRs and certificates contain no secrets and can be exchanged over public channels. On the client, generate the key and CSR with easy-rsa (./build-req name, or ./build-req-pass name for a passphrase-protected key) or with openssl directly, then send name.csr to the CA and run there:

./sign-req nameofcsrhere (place the CSR, name.csr, in the keys directory first)

The CA returns name.crt, which goes back to the client along with ca.crt.

Generate DH Parameters

The Diffie-Hellman parameters are used for the key exchange with every client. Generation time varies with the CPU and with KEY_SIZE; 2048 bits can take a few minutes on slow hardware, and 1024-bit parameters are too weak to rely on today.

./build-dh
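The procedure above, from CA to DH parameters, done with the openssl commands that the easy-rsa 2 scripts wrap. This is an added example, not code from the SHellium page, easy-rsa or OpenVPN; the directory layout, the names (ca, server, laptop), the lifetimes and the key sizes are assumptions. It follows the secure path (each private key is generated where it will be used and only the CSR is handed to the CA) and ends with the check a client's ns-cert-type/remote-cert-tls server option performs: a client certificate must not verify as a server certificate.

```shell
#!/bin/sh
# Added example; not code from the SHellium page, easy-rsa or OpenVPN.
# Builds the tutorial's PKI with the openssl commands that the easy-rsa 2
# scripts (build-ca, build-key-server, build-req, sign-req, build-dh) wrap,
# following the "secure way": every private key is generated in the
# directory of the machine that will use it, and only the CSR is handed to
# the CA. Names, lifetimes and key sizes are assumptions.
set -eu

# Minimal openssl config with one extension profile per role. The server
# profile carries nsCertType=server and extendedKeyUsage=serverAuth, which is
# what a client's "ns-cert-type server" / "remote-cert-tls server" checks.
write_cnf() {  # write_cnf <dir>
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType       = server
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# build-ca: self-signed CA certificate; ca.key stays in <ca_dir> forever.
make_ca() {  # make_ca <ca_dir> <common_name>
    write_cnf "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/openssl.cnf" -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt"
    chmod 600 "$1/ca.key"
}

# build-req: run on the machine that will own the key. <name>.key never
# leaves <dir>; only <name>.csr is sent to the CA.
make_req() {  # make_req <dir> <name>
    [ -f "$1/openssl.cnf" ] || write_cnf "$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/openssl.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr"
    chmod 600 "$1/$2.key"
}

# sign-req (or the signing half of build-key-server): run in the CA directory.
# <role> is "server" or "client" and selects the extension profile above.
sign_req() {  # sign_req <ca_dir> <csr> <role> <out_crt>
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 \
        -extfile "$1/openssl.cnf" -extensions "${3}_ext" -out "$4"
}

# build-dh: 1024 bits was the easy-rsa 2 default and is too small today.
make_dh() {  # make_dh <dir> [bits]
    openssl dhparam -out "$1/dh${2:-2048}.pem" "${2:-2048}"
}

# The check a peer makes at handshake time: chain to the CA *and* match the
# purpose. A client certificate must fail as sslserver, otherwise any
# enrolled client could stand up a fake server.
verify_as() {  # verify_as <ca_dir> <crt> <sslserver|sslclient>
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$2" >/dev/null 2>&1
}

build_pki() {  # build_pki <workdir>: the whole tutorial procedure end to end
    ca="$1/ca"; srv="$1/server"; cli="$1/laptop"
    mkdir -p "$ca" "$srv" "$cli"
    make_ca "$ca" "Example VPN CA"
    make_req "$srv" server
    sign_req "$ca" "$srv/server.csr" server "$srv/server.crt"
    make_req "$cli" laptop
    sign_req "$ca" "$cli/laptop.csr" client "$cli/laptop.crt"
    make_dh "$srv" 2048
    cp "$ca/ca.crt" "$srv/"; cp "$ca/ca.crt" "$cli/"
    verify_as "$ca" "$srv/server.crt" sslserver
    verify_as "$ca" "$cli/laptop.crt" sslclient
    if verify_as "$ca" "$cli/laptop.crt" sslserver; then
        echo "client certificate verifies as a server certificate" >&2
        return 1
    fi
    echo "PKI built under $1: server/ holds the server files, laptop/ the client files"
}

# Usage: sh openvpn-pki.sh /path/to/workdir (no argument: only defines the functions)
if [ -n "${1:-}" ]; then
    build_pki "$1"
fi
```

Run it as sh openvpn-pki.sh /path/to/workdir. Afterwards ca.crt, server.crt, server.key and dh2048.pem belong in the server's configuration directory, and ca.crt, laptop.crt and laptop.key on the client; nothing from ca/ other than ca.crt is ever copied anywhere. openssl dhparam 2048 can take a few minutes on slow hardware, which is why it is the last step.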


Configuration

It is finally time to configure OpenVPN itself. Remember where your CA certificate, server certificate and key, and DH parameters are.

Start from the sample server configuration that ships with the toolkit and edit it to match the list below, or write a new file from the list.

Your configuration file should contain the following directives (do NOT include the dash or the explanation after it):

port 1194 - Default, change if you like
proto udp - Default; use proto tcp only if UDP is blocked on the client side, at a performance cost
dev tun - Required for a routed tunnel
ca ca.crt - copy this from the easy-rsa keys directory into the directory the configuration file is in
cert server.crt - see above
key server.key - see above; this file is secret, keep it readable by root only
dh dh1024.pem - see above; the file is called dh2048.pem if you changed KEY_SIZE
server subnet netmask - e.g. server 10.8.0.0 255.255.255.0: the server takes the first address of the subnet and hands out the rest to clients
ifconfig-pool-persist ipp.txt - records which client got which address so that clients keep it across reconnects
keepalive 10 120 - ping every 10 seconds, assume the peer is gone after 120 seconds of silence; adjust to taste
comp-lzo - enables LZO compression; clients must set it too
persist-key - do not re-read key files on restart; needed once privileges are dropped, because the unprivileged user could no longer read them
persist-tun - keep the tun device open across restarts, for the same reason
status openvpn-status.log - status file listing connected clients, rewritten every minute
verb 3 - log verbosity from 0 (fatal errors only) to 11; 3 is fine for normal operation, 5 or 6 for debugging

To actually get the privilege drop described under Encryption / Security, also add user nobody and group nobody (group nogroup on Debian-based systems); persist-key and persist-tun are what keep restarts working afterwards.

Optional

Route pushing (push specific routes to clients, for example a LAN behind the server):

push "route insertsubnet insertnetmask"

Maximum number of simultaneous clients:

max-clients numberhere

Other options are available as well; see the complete OpenVPN HOWTO at http://openvpn.net/index.php/documentation/howto.html or keep reading the sample configuration file.

Filtering ALL Internet Traffic through OpenVPN

Add the following to the server configuration:

push "redirect-gateway def1" - make clients send all Internet traffic through the tunnel (tun0) instead of their own default gateway
push "dhcp-option DNS IPhere" - push a DNS server reachable through the VPN. The Windows client applies this automatically; on Linux and Mac OS X an up script has to write it to resolv.conf, otherwise clients keep using their old DNS servers

Then make sure IP forwarding is turned on, and NAT the VPN subnet out of the server's Internet-facing interface (replace 10.8.0.0/24 with your VPN subnet and eth0 with that interface):

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Make the forwarding setting persistent (net.ipv4.ip_forward = 1 in /etc/sysctl.conf) or it is lost at the next reboot.

Dropping packets?

If the server log reports packets dropped with "bad source address from client", the client is sending packets whose source address the server does not associate with that client, typically a machine on the client's LAN. The server only forwards for addresses it assigned; to route a whole client-side subnet you have to declare it with an iroute in a client-config-dir file for that client.

Starting OpenVPN

To start the OpenVPN daemon, issue:

openvpn --config insertpathtoconfighere - for example, openvpn --config /etc/openvpn/serverouted.conf (a bare config path as the only argument also works)

Add --daemon to detach it into the background; running it inside a GNU screen session works too. Many distributions also ship an init script that starts every .conf found in /etc/openvpn.

Client Configuration

To configure the client, start from the sample client configuration file (client.conf; client.ovpn for the Windows GUI). Copy your CA certificate, client certificate and private key into the configuration directory, set remote to the server's public address and port, point the ca, cert and key lines at your files, and match the server's proto and comp-lzo settings. Add ns-cert-type server (remote-cert-tls server in newer versions) so the client only accepts a certificate issued by build-key-server and not another client's certificate, and you are all set.
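The server configuration from the Configuration section and the client configuration it pairs with, as an added example that is not code from the page or from OpenVPN. It writes the tutorial's server.conf, audits it for the protections the Encryption / Security section describes (privilege drop, HMAC firewall, DH group size, compression), then writes a hardened server.conf and the matching client file. The subnet 10.8.0.0/24, the server name vpn.example.org, the client name laptop and the group name nogroup (Debian; nobody on Red Hat-style systems) are assumptions.

```shell
#!/bin/sh
# Added example; not code from the SHellium page or from OpenVPN. Writes the
# tutorial's server configuration, audits it for the protections the page's
# "Encryption / Security" section describes, then writes a hardened server
# configuration and the client file that pairs with it. Assumed: VPN subnet
# 10.8.0.0/24, server name vpn.example.org, client name "laptop", group
# "nogroup" (Debian; "nobody" on Red Hat-style systems).
set -eu

write_tutorial_server_conf() {  # <path>: the page's list of directives, verbatim
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

write_hardened_server_conf() {  # <path>: same routed setup, hardened
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# HMAC firewall: ta.key is created once with "openvpn --genkey --secret ta.key"
# and copied to every peer; direction 0 on the server, 1 on clients
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# drop root once the tun device and keys are set up; persist-key/persist-tun
# let the daemon restart afterwards without re-reading protected files
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

write_client_conf() {  # <path> <server_host> <client_name>
    cat > "$1" <<EOF
client
dev tun
proto udp
remote $2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $3.crt
key $3.key
tls-auth ta.key 1
# only accept a peer whose certificate was issued as a server certificate
remote-cert-tls server
verb 3
EOF
}

# has <file> <directive>: true if the directive is present and not commented out
has() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }

# audit_server_conf <file>: prints one finding per line; returns 1 if any
audit_server_conf() {
    n=0
    if ! has "$1" user || ! has "$1" group; then
        echo "no user/group: the daemon keeps root privileges after init"; n=$((n + 1))
    fi
    if ! has "$1" tls-auth && ! has "$1" tls-crypt; then
        echo "no tls-auth/tls-crypt: control channel packets are not HMAC-protected"; n=$((n + 1))
    fi
    if grep -Eq '^[[:space:]]*dh[[:space:]]+dh1024' "$1"; then
        echo "dh1024.pem: 1024-bit DH group is too small"; n=$((n + 1))
    fi
    if has "$1" comp-lzo; then
        echo "comp-lzo: compression before encryption leaks plaintext through packet sizes"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Usage: sh openvpn-conf.sh /etc/openvpn  writes server-tutorial.conf (audited),
# server.conf (hardened) and laptop.ovpn into that directory.
if [ -n "${1:-}" ]; then
    write_tutorial_server_conf "$1/server-tutorial.conf"
    echo "== findings for the tutorial configuration =="
    audit_server_conf "$1/server-tutorial.conf" || true
    write_hardened_server_conf "$1/server.conf"
    echo "== findings for the hardened configuration =="
    audit_server_conf "$1/server.conf" && echo "(none)"
    write_client_conf "$1/laptop.ovpn" vpn.example.org laptop
fi
```

The audit is deliberately simple grep logic, enough to catch the four things the page's security section promises and the tutorial's list omits. The hardened file keeps every directive from the tutorial except dh1024.pem and comp-lzo; ta.key has to exist on both peers before either will connect, and on the client the ca.crt, laptop.crt and laptop.key names must match the files produced by the PKI step.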

Testing

Run ifconfig (or ip addr) on the server to get the tun device's address, then ping that address from the client. If the ping succeeds, you have completed the tutorial. Congratulations.
