Install/Configure OpenVPN
2011/05/30
Install OpenVPN to configure a Virtual Private Network.
This example shows how to configure it in the following environment (bridge mode).
( [172.16.2.1] is actually a private IP address used here as a stand-in; replace it with your global IP address. )
(1) VPN Server
    [172.16.2.1]  - Global IP address
    [10.0.0.50]   - eth0 ( real IP address )
    [10.0.0.60]   - br0 - newly set up as a bridge
(2) VPN Client (Windows)
    [192.168.0.244] - real IP address
    [10.0.0.??]     - automatically assigned by the VPN server
By the way, it's necessary to set up NAT/port forwarding on your router.
The protocol and listening port used by default on the VPN server is UDP/1194.
In the example here, requests arriving from the Internet on UDP port 1194 must be forwarded to 10.0.0.60:1194 on the LAN.
[1] Install and Configure OpenVPN
[root@vpn ~]# cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/
[root@vpn ~]# vi /etc/openvpn/server.conf
# line 53: change
dev tap0
# line 78: change like follows
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
# line 87: change
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# line 96: comment out
# server 10.8.0.0 255.255.255.0
# line 103: comment out
# ifconfig-pool-persist ipp.txt
# line 115: uncomment and change ( [VPN server's IP] [subnet mask] [IP range for clients] )
server-bridge 10.0.0.60 255.255.255.0 10.0.0.200 10.0.0.254
# line 138: add ( [network the VPN server is in] [subnet mask] )
push "route 10.0.0.0 255.255.255.0"
# line 275: change
status /var/log/openvpn-status.log
# line 284: uncomment and change
log /var/log/openvpn.log
log-append /var/log/openvpn.log
[2] Create CA certificate and CA key.
[root@vpn ~]# cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa
[root@vpn ~]# cd /etc/openvpn/easy-rsa
[root@vpn easy-rsa]# mkdir keys
[root@vpn easy-rsa]# vi vars
# line 64: change to your environment
export KEY_COUNTRY="JP"
export KEY_PROVINCE="Hiroshima"
export KEY_CITY="Hiroshima"
export KEY_ORG="GTS"
export KEY_EMAIL="xxx@srv.world"
[root@vpn easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@vpn easy-rsa]# ./clean-all
[root@vpn easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
.................++++++
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: # Enter
State or Province Name (full name) [Hiroshima]: # Enter
Locality Name (eg, city) [Hiroshima]: # Enter
Organization Name (eg, company) [GTS]: # Enter
Organizational Unit Name (eg, section) []: # Enter
Common Name (eg, your name or your server's hostname) [GTS CA]: vpn.srv.world # input FQDN
Name []: server-ca # set
Email Address [xxx@srv.world]: # Enter
[3] ca.crt is created under "/etc/openvpn/easy-rsa/keys";
transfer it to your client PC via FTP, SFTP or a similar method.
[4] Create certificate and key for server.
[root@vpn easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
........++++++
.......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: # Enter
State or Province Name (full name) [Hiroshima]: # Enter
Locality Name (eg, city) [Hiroshima]: # Enter
Organization Name (eg, company) [GTS]: # Enter
Organizational Unit Name (eg, section) []: # Enter
Common Name (eg, your name or your server's hostname) [server]: vpn.srv.world # input FQDN
Name []: server # set
Email Address [xxx@srv.world]: # Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
commonName            :PRINTABLE:'vpn.srv.world'
name                  :PRINTABLE:'server'
emailAddress          :IA5STRING:'xxx@srv.world'
Certificate is to be certified until May 17 20:20:18 2021 GMT (3650 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
[5] Generate Diffie Hellman ( DH ) parameter.
[root@vpn easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
[6] Create certificate and key for client.
[root@vpn easy-rsa]# ./build-key-pass client
Generating a 1024 bit RSA private key
..................++++++
..................++++++
writing new private key to 'client.key'
Enter PEM pass phrase: # set pass-phrase
Verifying - Enter PEM pass phrase: # confirm
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: # Enter
State or Province Name (full name) [Hiroshima]: # Enter
Locality Name (eg, city) [Hiroshima]: # Enter
Organization Name (eg, company) [GTS]: # Enter
Organizational Unit Name (eg, section) []: # Enter
Common Name (eg, your name or your server's hostname) [client]: vpn.srv.world # input FQDN
Name []: client # set
Email Address [xxx@srv.world]: # Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'GTS'
commonName            :PRINTABLE:'vpn.srv.world'
name                  :PRINTABLE:'client'
emailAddress          :IA5STRING:'xxx@srv.world'
Certificate is to be certified until May 17 20:33:28 2021 GMT (3650 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
[7] client.crt and client.key are created under "/etc/openvpn/easy-rsa/keys";
transfer them to your client PC via FTP, SFTP or a similar method.
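Before the files from steps [2] to [7] leave the server, it is worth checking that each certificate really chains to ca.crt, that it is not about to expire, and that the private key next to it actually belongs to it; a mismatched key or a certificate signed by the wrong CA only shows up later as a failed TLS handshake in /var/log/openvpn.log. The script below is an added example, not part of the original tutorial or of easy-rsa; it only needs the openssl command line tool. The function name verify_vpn_cert and the KEY_PASS environment variable (used so that the passphrase-protected client.key can be read without an interactive prompt) are this example's own.

```sh
#!/bin/sh
# Added example (not from the original tutorial): verify the files that
# easy-rsa produced before copying them to a client. Checks that the
# certificate was signed by ca.crt, that it is not about to expire, that the
# private key belongs to the certificate, and reports the RSA modulus size.
# Requires the openssl command line tool. For a passphrase-protected key
# (client.key from build-key-pass) export KEY_PASS with the passphrase so
# that openssl can read the key without prompting (the example's own variable).

# verify_vpn_cert CA_CERT CERT KEY [MIN_DAYS_LEFT]
verify_vpn_cert() {
    ca=$1 cert=$2 key=$3 min_days=${4:-30}

    # 1. Chain: the certificate must validate against our own CA.
    #    Old openssl versions exit 0 even on failure, so look at the text.
    out=$(openssl verify -CAfile "$ca" "$cert" 2>&1) || true
    case $out in
        *": OK") ;;
        *) echo "FAIL: $cert is not signed by $ca"; return 1 ;;
    esac

    # 2. Expiry: fail if the certificate expires within min_days days.
    openssl x509 -in "$cert" -noout -checkend $(( min_days * 86400 )) >/dev/null \
        || { echo "FAIL: $cert expires within $min_days days"; return 1; }

    # 3. Key/certificate pairing: the RSA moduli must be identical.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus) \
        || { echo "FAIL: cannot read $cert"; return 1; }
    key_mod=$(openssl rsa -in "$key" -noout -modulus ${KEY_PASS:+-passin env:KEY_PASS} 2>/dev/null) \
        || { echo "FAIL: cannot read $key (wrong passphrase or not an RSA key?)"; return 1; }
    [ "$cert_mod" = "$key_mod" ] \
        || { echo "FAIL: $key does not belong to $cert"; return 1; }

    # 4. Modulus size: hex digits after "Modulus=" times 4 (the top nibble of
    #    an RSA modulus is never zero, so the digit count is exact). Anything
    #    below 2048 bits, such as the 1024-bit keys that easy-rsa's default
    #    KEY_SIZE in vars produces, is reported so it is not overlooked.
    hex=${cert_mod#Modulus=}
    bits=$(( ${#hex} * 4 ))
    if [ "$bits" -lt 2048 ]; then
        echo "WARN: $cert uses a ${bits}-bit RSA key; raise KEY_SIZE in easy-rsa vars to 2048 or more and reissue"
    fi
    echo "OK: $cert validated against $ca, key matches, ${bits}-bit RSA"
}

# Usage on the server, with the paths from this tutorial:
#   verify_vpn_cert /etc/openvpn/easy-rsa/keys/ca.crt \
#       /etc/openvpn/easy-rsa/keys/server.crt /etc/openvpn/easy-rsa/keys/server.key
if [ $# -ge 3 ]; then
    verify_vpn_cert "$@"
fi
```

Run it once for the server pair and once for the client pair (with KEY_PASS set to the passphrase chosen in step [6]); a non-zero exit status means the pair should not be shipped as it is. The modulus comparison is done with `openssl rsa` rather than by parsing the certificate text because its output format is the same across openssl versions.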
[8] Start OpenVPN
[root@vpn ~]# cp /usr/share/doc/openvpn-*/sample-scripts/bridge-stop /etc/openvpn/
[root@vpn ~]# cp /usr/share/doc/openvpn-*/sample-scripts/bridge-start /etc/openvpn/
[root@vpn ~]# chmod 755 /etc/openvpn/bridge-start
[root@vpn ~]# chmod 755 /etc/openvpn/bridge-stop
[root@vpn ~]# vi /etc/openvpn/bridge-start
# line 17-20: change
eth="eth0"                    # change if needed
eth_ip="10.0.0.60"            # IP address for bridge
eth_netmask="255.255.255.0"   # subnet mask
eth_broadcast="10.0.0.255"    # broadcast address
[root@vpn ~]# vi /etc/rc.d/init.d/openvpn
    start)
        echo -n $"Starting openvpn: "
        # line 126: add
        /etc/openvpn/bridge-start
        ...
        # line 205: add
        /etc/openvpn/bridge-stop
        success; echo
        rm -f $lock
[root@vpn ~]# /etc/rc.d/init.d/openvpn start
Starting openvpn: tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Mon May 30 22:48:15 2011 TUN/TAP device tap0 opened
Mon May 30 22:48:15 2011 Persist state set to: ON
Bridge firewalling registered
device eth1 entered promiscuous mode
device tap0 entered promiscuous mode
br0: port 2(tap0) entering learning state
br0: port 1(eth1) entering learning state
                                                           [  OK  ]
[root@vpn ~]# chkconfig openvpn on
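The addresses typed into server.conf in step [1] (the server-bridge line) and into bridge-start in step [8] have to agree with each other: the client pool must lie inside the bridge's subnet, must not contain the bridge's own address, the network address or the broadcast address, and eth_broadcast must be the real broadcast of eth_ip/eth_netmask. Getting one of them wrong produces clients that connect but cannot reach the LAN, which is tedious to debug through the log. The POSIX sh script below is an added example, not part of the original tutorial or of OpenVPN's own scripts; it checks those conditions with plain shell arithmetic and needs no network access. The function names ip2int, int2ip and check_bridge_addressing are its own, and the addresses at the bottom are the ones used in this tutorial.

```sh
#!/bin/sh
# Added example (not from the original tutorial): sanity-check the addresses
# that go into server.conf ("server-bridge", step [1]) and bridge-start
# (step [8]) before starting OpenVPN. Pure POSIX sh arithmetic.

# Convert a dotted-quad IPv4 address to a 32-bit integer; fails on bad input.
ip2int() {
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$extra" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Convert a 32-bit integer back to dotted-quad (used in messages).
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_bridge_addressing GATEWAY NETMASK POOL_START POOL_END [BROADCAST]
# Verifies, for the bridge interface and the server-bridge client pool, that:
#   - the netmask is contiguous,
#   - the whole pool is inside the bridge subnet,
#   - the pool is ordered and excludes the network, broadcast and gateway,
#   - (optionally) the broadcast address written into bridge-start is right.
# Prints the server-bridge directive on success, the reason on failure.
check_bridge_addressing() {
    gw=$(ip2int "$1")   || { echo "bad gateway address: $1"; return 1; }
    mask=$(ip2int "$2") || { echo "bad netmask: $2"; return 1; }
    ps=$(ip2int "$3")   || { echo "bad pool start: $3"; return 1; }
    pe=$(ip2int "$4")   || { echo "bad pool end: $4"; return 1; }

    host=$(( mask ^ 4294967295 ))          # host-part bits of the mask
    [ $(( host & (host + 1) )) -eq 0 ] \
        || { echo "netmask $2 is not contiguous"; return 1; }

    net=$(( gw & mask ))
    bcast=$(( net | host ))
    [ $(( ps & mask )) -eq "$net" ] && [ $(( pe & mask )) -eq "$net" ] \
        || { echo "pool $3-$4 is outside $(int2ip "$net")/$2"; return 1; }
    [ "$ps" -le "$pe" ] \
        || { echo "pool start $3 is after pool end $4"; return 1; }
    [ "$ps" -gt "$net" ] && [ "$pe" -lt "$bcast" ] \
        || { echo "pool must exclude network $(int2ip "$net") and broadcast $(int2ip "$bcast")"; return 1; }
    if [ "$gw" -ge "$ps" ] && [ "$gw" -le "$pe" ]; then
        echo "gateway $1 lies inside the client pool $3-$4"; return 1
    fi
    if [ -n "$5" ]; then
        b=$(ip2int "$5") || { echo "bad broadcast address: $5"; return 1; }
        [ "$b" -eq "$bcast" ] \
            || { echo "bridge-start eth_broadcast should be $(int2ip "$bcast"), not $5"; return 1; }
    fi
    echo "server-bridge $1 $2 $3 $4"
}

# The values from this tutorial: server.conf line 115 and bridge-start lines 17-20.
check_bridge_addressing 10.0.0.60 255.255.255.0 10.0.0.200 10.0.0.254 10.0.0.255
```

The pool 10.0.0.200-10.0.0.254 also has to stay clear of any DHCP range the LAN router hands out, since bridged clients sit on the same segment as the other hosts; that is a policy check against the router, not something the script can see.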