I started looking at openvpn over the last week. It's much simpler than IPSEC to set up but requires knowing something about routing and iptables. I started by setting up a static key just to get it working; as the documentation states, 90% of problems are with firewalls. I banged my head against the wall for a while on this. I use shorewall for my home server and ipcop for work. I created a new zone in /etc/shorewall/zones:
vpn VPN VPN ZONE
I added this to the /etc/shorewall/interfaces file:
vpn tun0 detect
Then added these to the /etc/shorewall/rules file:
ACCEPT vpn loc all
ACCEPT vpn loc all
ACCEPT fw vpn all
ACCEPT vpn fw all
I could just restrict it to the VPN port of 1194 using:
ACCEPT vpn loc tcp 1194
ACCEPT vpn loc tcp 1194
ACCEPT fw vpn tcp 1194
ACCEPT vpn fw tcp 1194
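To see what the two rule sets above actually permit, here is a small first-match evaluator in the style of Shorewall's rules file. This is an added example, not part of the original post: RULES_ALL and RULES_1194 are copies of the post's rules (the repeated vpn→loc line listed once), the DROP policy stands in for whatever /etc/shorewall/policy sets for those zone pairs, and the sample flows are constructed. Remember that the vpn zone is bound to tun0, so these rules see the decrypted packets inside the tunnel; the encrypted transport on TCP/1194 arrives on the external interface, which is the port ipcop forwards.

```python
"""First-match evaluator for Shorewall-style rules: which flows on the
tun0 (vpn) zone does each of the post's rule sets pass?  Added example,
not from the post; RULES_ALL / RULES_1194 copy the post's rules (the
repeated vpn->loc line listed once) and the DROP policy is an assumption."""

# Rule lines: ACTION SOURCE DEST PROTO [DEST PORT]
RULES_ALL = """\
ACCEPT vpn loc all
ACCEPT fw vpn all
ACCEPT vpn fw all
"""

RULES_1194 = """\
ACCEPT vpn loc tcp 1194
ACCEPT fw vpn tcp 1194
ACCEPT vpn fw tcp 1194
"""

# Assumed zone-pair policy (from /etc/shorewall/policy) when no rule matches.
DEFAULT_POLICY = "DROP"


def parse_rules(text):
    """Turn rule lines into (action, src, dst, proto, dport) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        action, src, dst, proto = fields[:4]
        dport = int(fields[4]) if len(fields) > 4 else None
        rules.append((action, src, dst, proto, dport))
    return rules


def evaluate(rules, src, dst, proto, dport=None, policy=DEFAULT_POLICY):
    """Return the action for a new connection from src zone to dst zone."""
    for action, rsrc, rdst, rproto, rport in rules:
        if (rsrc, rdst) != (src, dst):
            continue
        if rproto != "all" and rproto != proto:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return policy


# Constructed sample flows as they appear on tun0, i.e. after decryption.
FLOWS = [
    ("vpn", "loc", "icmp", None),   # ping from a VPN client to a LAN host
    ("vpn", "loc", "tcp", 22),      # ssh from a VPN client to a LAN host
    ("vpn", "loc", "tcp", 1194),    # only this one matches the port-1194 rules
    ("loc", "vpn", "tcp", 22),      # LAN host opening a connection to a client
]


def compare(flows=FLOWS):
    """Map each flow to (action under RULES_ALL, action under RULES_1194)."""
    all_rules, port_rules = parse_rules(RULES_ALL), parse_rules(RULES_1194)
    return {f: (evaluate(all_rules, *f), evaluate(port_rules, *f)) for f in flows}


if __name__ == "__main__":
    for flow, (a, b) in compare().items():
        print(f"{flow}: all-rules={a} port-1194-rules={b}")
```

Replies to accepted connections are handled by connection tracking, so the evaluator only looks at the direction that opens the connection; a LAN host reaching out to a client needs its own loc→vpn rule under either set.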
I had the VPN server on a box in work, so I had to tell ipcop to forward tcp port 1194 to the vpn server box.
After some testing with static keys (by far the easiest to set up) I rearranged the config files in /etc/openvpn to allow certificate auth.
The Server Config file
mode server
tls-server
proto tcp-server
dev tun
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 192.168.10.0 255.255.255.0"
management localhost 7505
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
client-to-client
client-config-dir ccd
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 4
I'm pushing the route configuration to the client(s) so that I don't have to add them manually to the client config files.
As the openvpn server isn't on the firewall, I had to add a route to the firewall so all traffic bound for the client subnet would go through the vpn box.
As IPCOP doesn't give you a GUI way to add routes, I had to ssh to the box and execute:
route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.10.6 (gw is the IP address of the openvpn server)
Using bridged mode would bypass the need for adding routes.
http://openvpn.net/bridge.html
Openvpn comes with easy-rsa, which under debian is located at:
/usr/share/doc/openvpn/examples/easy-rsa
Copy this folder to /etc/openvpn, as you will be required to edit the file vars.
Executing the file didn't export anything, so I had to export the variables manually; I'll have to look into it sometime.
After that it was quite easy to run the script to generate the client certs and server certs.
http://openvpn.net/howto.html#pki
After I generated the client certificates I scp'ed them to my home box (faster than sticking them on a floppy) and moved them to /etc/openvpn/.
The Client config file
client
dev tun
tls-client
proto tcp-client
remote ipaddress(ipcop firewall)
ifconfig 10.8.0.2 10.8.0.1
ca ca.crt
cert client1.crt
key client1.key
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 4
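The server and client configs above have to agree on several things by hand: the proto pair (tcp-server/tcp-client), the mirrored ifconfig endpoints, the tls roles, the dev type and the cert/key files, and the firewall route from earlier has to match the subnet in the server directive. The script below cross-checks a config pair and derives that return route. It is an added example, not code from the post or from OpenVPN: SERVER_CONF and CLIENT_CONF are constructed copies of the two configs (trimmed to the relevant directives, with 203.0.113.10 as a placeholder for the ipcop address), and parse, check_pair and firewall_return_route are names chosen for this example.

```python
"""Consistency check for an OpenVPN server/client config pair, plus the
return route the LAN firewall needs.  Added example, not from the post;
SERVER_CONF / CLIENT_CONF are constructed copies of the post's configs
and the client's remote address is a placeholder."""
import ipaddress
import shlex

SERVER_CONF = """\
mode server
tls-server
proto tcp-server
dev tun
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 192.168.10.0 255.255.255.0"
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
"""

CLIENT_CONF = """\
client
dev tun
tls-client
proto tcp-client
remote 203.0.113.10
ifconfig 10.8.0.2 10.8.0.1
ca ca.crt
cert client1.crt
key client1.key
"""

# Server proto -> client protos that can talk to it (OpenVPN's default is udp).
PEER_PROTO = {"tcp-server": {"tcp-client", "tcp"}, "tcp": {"tcp-client", "tcp"},
              "udp": {"udp"}}


def parse(text):
    """Map each directive to a list of argument lists (push may repeat)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)          # keeps push "route ..." as one arg
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def check_pair(server, client):
    """Return a list of mismatches between the two sides; [] means consistent."""
    problems = []
    sproto = server.get("proto", [["udp"]])[0][0]
    cproto = client.get("proto", [["udp"]])[0][0]
    if cproto not in PEER_PROTO.get(sproto, set()):
        problems.append(f"proto: server {sproto} vs client {cproto}")
    # On a point-to-point tun the client's ifconfig is the server's, reversed.
    sif = server.get("ifconfig", [[None, None]])[0]
    cif = client.get("ifconfig", [[None, None]])[0]
    if sif != cif[::-1]:
        problems.append(f"ifconfig: server {sif} is not mirrored by client {cif}")
    if server.get("dev") != client.get("dev"):
        problems.append("dev: tun/tap must match on both sides")
    if not (("tls-server" in server or "server" in server)
            and ("tls-client" in client or "client" in client)):
        problems.append("tls role: need (tls-)server on one side, (tls-)client on the other")
    for side, opts in (("server", server), ("client", client)):
        for needed in ("ca", "cert", "key"):
            if needed not in opts:
                problems.append(f"{side}: missing {needed}")
    if "dh" not in server:
        problems.append("server: missing dh")
    return problems


def firewall_return_route(server, vpn_host_lan_ip):
    """Route the LAN gateway needs so replies to VPN clients reach the OpenVPN box.
    The gateway (the VPN host's LAN address) must sit on a LAN the server pushes."""
    net, mask = server["server"][0]
    vpn_net = ipaddress.ip_network(f"{net}/{mask}")
    gw = ipaddress.ip_address(vpn_host_lan_ip)
    pushed = []
    for args in server.get("push", []):
        words = args[0].split()            # 'route 192.168.10.0 255.255.255.0'
        if words[0] == "route":
            pushed.append(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
    if not any(gw in lan for lan in pushed):
        raise ValueError(f"{gw} is not on any pushed LAN {pushed}")
    return f"route add -net {vpn_net.network_address} netmask {vpn_net.netmask} gw {gw}"


if __name__ == "__main__":
    srv, cli = parse(SERVER_CONF), parse(CLIENT_CONF)
    print("mismatches:", check_pair(srv, cli) or "none")
    print(firewall_return_route(srv, "192.168.10.6"))
```

Run it before restarting the daemons: an empty mismatch list and a route command that matches the one typed on the firewall earlier mean the two files agree on the things OpenVPN cannot negotiate for you.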
When all that was done it was just a matter of starting the server and starting the client.
Doing a ping 10.8.0.1 from the client returned this.
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=8 ttl=64 time=61.0 ms
64 bytes from 10.8.0.1: icmp_seq=9 ttl=64 time=88.7 ms
Which showed that the vpn tunnel was established.