The purpose of this tutorial is to introduce some OpenVPN basics. We will be configuring an OpenVPN server running on Linux, and then one client that has all its traffic redirected through the tunnel. This may be useful to readers who need to bypass restrictions on their internet access. The tutorial is based on an Ubuntu server and a Windows client.
Server setup
The first thing we are going to do is set up the server. Install the relevant software:

```
server# sudo aptitude install openvpn
```
Now copy the example configs and, more importantly, the easy-rsa scripts into /etc:

```
server# cp -R /usr/share/doc/openvpn/examples/ /etc/openvpn
```
Now we want to load the vars file with our own defaults. Open the file in your favorite editor and change KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL to match your information.
```
cd /etc/openvpn/examples/easy-rsa/
vi ./vars
```

My vars file looks like this (key components only):

```
# this is to ensure secure data
export KEY_SIZE=2048
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=UK
export KEY_PROVINCE=Adminville
export KEY_CITY=Adminland
export KEY_ORG=remoteadmin.org.uk
export KEY_EMAIL="nospam@netwizards.co.uk"
```
Now we begin the configuration of the server.

```
. ./vars
./clean-all
./build-ca
```

The purpose of these commands is as follows: the first loads the vars file we just edited into the shell; clean-all clears any old keys or configuration elements (there should not be any, but it does not hurt to be sure); build-ca creates the root CA certificate and key, so follow the prompts and fill in values that match your situation. Since we loaded the vars file with your settings before these steps, the defaults should work for almost all fields, but the Common Name will need to be specified.
Now you need to create the server certificate and key; the key is a private file that you should keep secure.

```
./build-key-server server
```

I found that if I did not use the same information that I used in the build-ca step above, the “Sign Certificate” and “commit” steps did not work. If you experience this problem, just repeat this step with the same values; it should work at that point. This should not occur for you, as we have loaded the default values into the vars file, but just in case, be aware of the cause.
Now you are ready to generate keys for users. First decide whether you wish to password-protect the keys. I recommend building with passwords if you are not going to implement authentication in OpenVPN; if you are, then simply generate without. This tutorial will assume that you are going to implement authentication in OpenVPN, since it is the most trusted method. Make sure that you specify the correct Common Name when prompted.

```
# Generate with password
./build-key-pass username
# Generate without password
./build-key username
```
Now you need to build the Diffie-Hellman parameters; for details on what these are, check the OpenVPN homepage. The short answer is that they provide a method to negotiate a secure connection over an insecure channel. This process will take a bit of time, so you may want to take a break; relax, we are almost there.

```
./build-dh
# Generate the TLS auth (HMAC) key, ta.key, listed in the table below
openvpn --genkey --secret ta.key
```
As an aside, I found a very interesting table on the OpenVPN web page. It provides some information on what to do with the various files we just generated. For the purposes of this tutorial I have “borrowed” their table and pasted it here; to view the original, visit the OpenVPN installation guide on their homepage.

| Filename | Needed By | Purpose | Secret |
|---|---|---|---|
| ca.crt | server + all clients | Root CA certificate | NO |
| ca.key | key signing machine only | Root CA key | YES |
| dh{n}.pem | server only | Diffie-Hellman parameters | NO |
| server.crt | server only | Server Certificate | NO |
| server.key | server only | Server Key | YES |
| ta.key | server + all clients | Server TLS Auth Key | YES |
| client1.crt | client1 only | Client1 Certificate | NO |
| client1.key | client1 only | Client1 Key | YES |
| client2.crt | client2 only | Client2 Certificate | NO |
| client2.key | client2 only | Client2 Key | YES |
| client3.crt | client3 only | Client3 Certificate | NO |
| client3.key | client3 only | Client3 Key | YES |
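The table above tells us which files are secret, so here is a small script, added as an example for this tutorial (it is not from the original post or the OpenVPN project), that enforces those permissions on the easy-rsa keys/ directory and checks that every certificate in it was actually issued by our ca.crt. It assumes the easy-rsa 2.x layout used here (files directly under keys/) and that the openssl command-line tool is installed for the chain check.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Enforces the "Secret"
# column of the table above on the easy-rsa keys/ directory and verifies
# that every certificate there was issued by our ca.crt.
# Assumptions: easy-rsa 2.x layout (files directly under keys/), and the
# openssl CLI available for verify_chain.

# lock_down_keys DIR: every *.key file (ca.key, server.key, ta.key and each
# clientN.key) is marked Secret=YES in the table, so make them owner-only;
# certificates, CSRs and DH parameters are public and stay world-readable.
lock_down_keys() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    chmod 700 "$dir"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            *.key) chmod 600 "$f" ;;
            *)     chmod 644 "$f" ;;
        esac
    done
}

# verify_chain DIR: each *.crt other than ca.crt must validate against
# ca.crt. A FAIL here usually means the file was signed by a different CA
# (for example after running build-ca a second time), so the server will
# reject that client even though the files look right.
verify_chain() {
    dir=$1
    rc=0
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        [ "${crt##*/}" = ca.crt ] && continue
        if openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1; then
            echo "OK   ${crt##*/}"
        else
            echo "FAIL ${crt##*/}"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_keys.sh /etc/openvpn/examples/easy-rsa/keys
if [ -n "${1:-}" ]; then
    lock_down_keys "$1" && verify_chain "$1"
fi
```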
OK, the last step for the server set-up is the actual server config file. This is the configuration I finally settled on:

```
port 1194
proto udp
dev tun
ca keys/ca.crt          # The CA certificate
cert keys/server.crt    # The server certificate
key keys/server.key     # This file should be kept secret
# Note: the ta.key generated above is only used if tls-auth is configured on both the server and every client
dh keys/dh2048.pem      # build-dh names this file after KEY_SIZE in vars, which we set to 2048
server 172.16.1.0 255.255.255.0   # Subnet to be used by clients
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"            # We want to redirect the client gateway to us
# (for the client to reach the internet, the server must also forward and NAT traffic from 172.16.1.0/24)
push "dhcp-option DNS 208.67.222.222"   # Specify a DNS server for the clients
keepalive 10 120        # Keepalives for the tunnels
;comp-lzo               # Uncomment this to enable lzo compression
user nobody             # Drop privileges once the tunnel is up
group nogroup           # Debian/Ubuntu have no "nobody" group; the unprivileged group is nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
```
Client Set-up
We now have a working server waiting for clients to connect, so next we create the client config. First, though, generate the certificate for the first client:

```
./build-key client1
```

You will then need to copy ca.crt, client1.crt, and client1.key onto the client machine (client1.key is secret, so transfer it over a secure channel).

Now for the client OpenVPN config; this is the simple config that I use:

```
client
dev tun
proto udp
remote ip.ad.re.ss 1194   # Replace with the server's public IP address or hostname
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
;comp-lzo   # Uncomment this to enable lzo compression (must match the server)
verb 3
mute 20
```