Wednesday, April 14, 2010

VPN client server configuration

In our company we need to allow certain members access to our computer network from the outside. Therefore, we decided to get a VPN.

We choose OpenVPN, because it is Open Source and it is available for Linux, Windows and another OS.

You can let running VPN server on Linux and let blunt Windows client to connect to server.

For server-client configuration you need to generate keys and certificates, but configuration is very simple.

Server configuration


port 1194
proto tcp
dev tun
keepalive 10 60

ifconfig-pool-persist /etc/openvpn/ipp.txt
max-clients 3

push "route"
push "dhcp-option DNS"

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/akela.crt
key /etc/openvpn/keys/akela.key
dh /etc/openvpn/keys/dh1024.pem
tls-auth /etc/openvpn/keys/static.key

log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
mute 10
verb 5

All important you find out in man pages or on project documentation.

push "dhcp-option DNS" get only Windows client. For Linux client you need script. See HOWTO

Generate certificates

You can use OpenSSL, but developers of OpenVPN prepare scripts for simply generate keys and certificates for server and clients.

You find out it: /user/share/doc/openvpn/examples/easy-rsa/2.0/

Scripts config file is vars. There you can set same variables.

1. We load the config file to system, and create self-signed Certificate Authority

. ./vars

In folder keys (depend on your vars files) you find out file:

  • ca.pem - public certificate
  • ca.key - private key of Certificate Authority

2. we create key and certificate for server.

./build-key-server akela

It creates file:

  • akela.pem - certificate of your server signed of your CA
  • akela.ctr - request of sign (you don´t need that file)
  • akela.key - private key of your server

3. we create Deffie-Hellmann parameters for dynamic key encryption


It creates file:

  • dh1024.pem

4. we create static TLS-AUTH key

openvpn --genkey --secret static.key

It creates file:

  • static.key

Client configuration

We need to create certificate for your client.

In your server use:

./build-key kibo
  • kibo.pem - certificate of your client(notebook) signed of your CA
  • kibo.ctr - request of sign (you don´t need that file)
  • kibo.key - private key of your client(notebook)

In your client(notebook) save this file:

  • kibo.pem
  • kibo.key
  • ca.pem
  • static.key

Clinet configuration on /etc/openvpn/client.conf in Linux client.

Clinet configuration on ..\ProgramFiles\OpenVPN\Config\client.ovpn in Windows client.

dev tun
proto tcp
remote ourServer.tld

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/kibo.crt
key /etc/openvpn/keys/kibo.key
tls-auth /etc/openvpn/keys/static.key

verb 4
mute 10
ns-cert-type server

Start server and then try to connect from client.

  • openvpn /etc/openvpn/server.conf - on Linux server (or as service)
  • openvpn /etc/openvpn/client.conf - on Linux client(notebook)

OpenVPN and IPTables

$IPTABLES -A INPUT -p tcp --dport 1194 -j ACCEPT # VPN new
$IPTABLES -A INPUT -i tun+ -j ACCEPT # VPN tun
$IPTABLES -A FORWARD -i tun+ -o $LAN_IFACE -j ACCEPT # VPN forward >
$IPTABLES -A FORWARD -i $LAN_IFACE -o tun+ -j ACCEPT # VPN forward <

Good Luck.

No comments:

Post a Comment