Analytic

Tuesday, February 19, 2008

Install OPENVPN on Ubuntu

Install the necessary software

I am going to configure openVPN as routing and not as Bridge.

Enter these commands on both the server and the client.

apt-get install openvpn openssl rdate


Now on the server side issue these commands

cd /usr/share/doc/openvpn/examples/easy-rsa/
cp * /etc/openvpn -R
cd /etc/openvpn
. ./vars (Be carefull there is a blank between two points)
./clean-all
./build-ca

Now create the certificates for the server

./build-key-server server

Now create the certificate for the client site

./build-key home

you can call it anything, I called it home

you can create as many keys as you need from this point for as many clients as you want, once you have finished issue this command.

./build-dh

Configure the server side

cd /usr/share/doc/openvpn/examples/sample-config-files/
cp server.conf.gz /etc/openvpn/
cd /etc/openvpn/
gunzip server.conf.gz
vim server.conf

Look for these lines

ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem

and change to these ones

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem

uncomment the client-to-client directive to enable clients to be able to connect to each others through the VPN, and not only to the server.

Here is my SERVER.CONF:

port 1194

;proto tcp
proto udp

dev tap
;dev tun

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret

dh /etc/openvpn/keys/dh1024.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt
client-to-client
;duplicate-cn

keepalive 10 120
comp-lzo

persist-key
persist-tun

status openvpn-status.log

verb 3


Configure the client

First you need to copy the certificates from the server to the client, be sure to make this in a secure way, either using scp or a USB Key in order to keep your files secure.

the needed files are:

ca.crt
home.crt
home.key (should be kept secret)

and they are in the server's directory /etc/openvpn/keys/

now you have copied all these files to the client open a console on the client and

cd /usr/share/doc/openvpn/examples/sample-config-files/
cp client.conf /etc/openvpn/
cd /etc/openvpn/
vi client.conf

Look for these lines

ca ca.crt
cert client.crt
key client.key
remote my-server-1 1194

and change them for these ones.

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/home.crt
key /etc/openvpn/keys/home.key
remote [the.ip.of.server] 1194
that is all, unless you have made some other changes on the server side, as for example change from UDP to TCP to the default port, so you will have to change that also on the client side.

Start the server

openvpn /etc/openvpn/server.conf

if everything goes ok, you should see something like this,

Sat Jul 14 11:12:11 2007 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Jan 21 2007
Sat Jul 14 11:12:11 2007 Diffie-Hellman initialized with 1024 bit key
Sat Jul 14 11:12:11 2007 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jul 14 11:12:11 2007 TUN/TAP device tun0 opened
Sat Jul 14 11:12:11 2007 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sat Jul 14 11:12:11 2007 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sat Jul 14 11:12:11 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jul 14 11:12:11 2007 GID set to nogroup
Sat Jul 14 11:12:11 2007 UID set to nobody
Sat Jul 14 11:12:11 2007 UDPv4 link local (bound): [undef]:1194
Sat Jul 14 11:12:11 2007 UDPv4 link remote: [undef]
Sat Jul 14 11:12:11 2007 MULTI: multi_init called, r=256 v=256
Sat Jul 14 11:12:11 2007 IFCONFIG POOL: base=10.8.0.4 size=62
Sat Jul 14 11:12:11 2007 IFCONFIG POOL LIST

Sat Jul 14 11:12:11 2007 Initialization Sequence Completed

Start the client

openvpn /etc/openvpn/client.conf

the output should look like this

Sat Jul 14 15:40:36 2007 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Jan 21 2007
Sat Jul 14 15:40:36 2007 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Jul 14 15:40:36 2007 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jul 14 15:40:36 2007 LZO compression initialized
Sat Jul 14 15:40:36 2007 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jul 14 15:40:36 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jul 14 15:40:36 2007 Local Options hash (VER=V4): '41690919'
Sat Jul 14 15:40:36 2007 Expected Remote Options hash (VER=V4): '530fdded'
Sat Jul 14 15:40:36 2007 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sat Jul 14 15:40:36 2007 UDPv4 link local: [undef]
Sat Jul 14 15:40:36 2007 UDPv4 link remote: 200.87.61.90:1194
Sat Jul 14 15:40:36 2007 TLS: Initial packet from 200.87.61.90:1194, sid=408d696e 88814e22
Sat Jul 14 15:40:37 2007 VERIFY OK: depth=1, /C=bo/ST=bo/L=santacruz/O=go2linux.org/CN=OpenVPN-CA/emailAddress=gerencia@alketech.com
Sat Jul 14 15:40:37 2007 VERIFY OK: depth=0, /C=bo/ST=bo/O=go2linux.org/CN=server/emailAddress=gerencia@alketech.com
Sat Jul 14 15:40:38 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jul 14 15:40:38 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 14 15:40:38 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jul 14 15:40:38 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 14 15:40:38 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Jul 14 15:40:38 2007 [server] Peer Connection Initiated with 200.87.61.90:1194
Sat Jul 14 15:40:39 2007 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jul 14 15:40:39 2007 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sat Jul 14 15:40:39 2007 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jul 14 15:40:39 2007 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jul 14 15:40:39 2007 OPTIONS IMPORT: route options modified
Sat Jul 14 15:40:39 2007 TUN/TAP device tun0 opened
Sat Jul 14 15:40:39 2007 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Sat Jul 14 15:40:39 2007 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.5
Sat Jul 14 15:40:39 2007 GID set to nogroup
Sat Jul 14 15:40:39 2007 UID set to nobody

Sat Jul 14 15:40:39 2007 Initialization Sequence Completed


If you arrived to this point you have your VPN stablished.

Then, you need to make one machine (the remote machine you want to connect to) publically visible.
Go to that machine and connect to the Internet. Go to No-IP.com.

Open an account at No-IP (it's free). In the No-IP setup screens (on their web site),
set up the information for your machine (they call it a "host"). Give your host a name (such
as "MyOffice") and select an extension to be added after "No-IP".
If you selected ".biz", for example, your machine will have the public name "myoffice.no-ip.biz".
Since the name you choose must be unique, No-IP provides a number of different extensions;

keep trying until your name is approved.

Install ddclient and set it with No-IP account:

apt-get install ddclient

No comments: