An OpenVPN server lets network and system administrators do their work when they are not physically wired to a specific network, and lets regular users join their normal network when working from off-site. In the bridged setup described here, machines connecting to the VPN server appear to other hosts as if they were on the network itself.
root@openvpn:~# apt-get install openvpn bridge-utils openssl
root@openvpn:~# ln -s /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/easy-rsa
root@openvpn:~# cd /etc/openvpn/easy-rsa
Edit the vars file and change the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL variables at the bottom so the certificate prompts are pre-filled with your site's details. While you are there, check KEY_SIZE: older easy-rsa releases default to 1024-bit keys, and 2048 is the smallest size worth deploying. The next step sources vars, wipes the keys directory with clean-all and builds the CA. clean-all is a one-time step: running it again later destroys the CA and every certificate it has issued.
root@openvpn:~# . vars
root@openvpn:~# ./clean-all
root@openvpn:~# ./build-ca
This asks for the information you filled in in vars, so hit Enter to accept those defaults, and fill in the fields that are not pre-filled. For the CA certificate, the Common Name is the name of the host: openvpn.sclab.clarkson.edu. The resulting ca.key in the keys directory is the CA's private key; it stays on this machine and is never copied anywhere.
When you're done with that, generate the Diffie-Hellman parameters. Prepare to wait a while unless it's a fast machine:
root@openvpn:~# ./build-dh
Then, build the server key:
root@openvpn:~# ./build-key-server openvpn.sclab.clarkson.edu
Hit Enter when prompted for a challenge password and an optional company name. Enter y to sign the certificate and y to commit. build-key-server marks the certificate as a server certificate (nsCertType=server and extendedKeyUsage=serverAuth), which is what lets clients refuse to talk to anyone who only holds a client certificate.
For a client certificate whose private key is stored unencrypted (nothing to type at connect time), do the following:
root@openvpn:~# . vars
root@openvpn:~# ./build-key hostname
This will have the same prompts as for the CA certificate. The only difference this time is the Common Name: set it to the host name of your choice. This name does not need to be resolvable, but it must be unique, because the server identifies a connected client by its Common Name and by default refuses a second connection using the same one. When prompted for a challenge password or optional company name, just hit Enter. Hit y to sign the certificate, and y to commit.
For a certificate whose private key is protected by a passphrase:
root@openvpn:~# . vars
root@openvpn:~# ./build-key-pass necronomicon
When you run this, it will prompt you for a PEM pass phrase. This is the passphrase you must enter every time you initiate a connection to the VPN server; it encrypts the private key on disk, so a copied .key file is useless without it. After you enter it (twice), the process is the same as for the passwordless certificate.
After generating the host certificate, scp hostname.crt, hostname.key and ca.crt from /etc/openvpn/easy-rsa/keys to /etc/openvpn on the remote host. hostname.key is that client's private key: copy it only to that client, only over scp or another encrypted channel, and make it mode 600 there. Never copy ca.key off the CA machine. The server itself needs ca.crt, its own openvpn.sclab.clarkson.edu.crt and .key, and the Diffie-Hellman file (dh1024.pem or dh2048.pem, matching KEY_SIZE) in /etc/openvpn.
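Before copying anything, it is worth checking that what easy-rsa wrote actually fits together. The shell function below is an added example, not part of the original page. It takes the easy-rsa keys directory and a host name as arguments and assumes a key without a passphrase (a passphrase-protected key will prompt for its PEM pass phrase during the modulus check). It verifies that the host certificate chains to ca.crt, that the certificate and private key share a modulus, and that the key is readable by its owner only.

```shell
# Added example, not from the original page: sanity-check the files that
# easy-rsa produced for one host before they are copied anywhere.
#   usage: verify_vpn_certs /etc/openvpn/easy-rsa/keys necronomicon
# Assumes the private key has no passphrase; a passphrase-protected key
# will prompt for its PEM pass phrase during the modulus check.
verify_vpn_certs() {
    keydir=$1
    host=$2
    ca="$keydir/ca.crt"
    crt="$keydir/$host.crt"
    key="$keydir/$host.key"

    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # 1. The host certificate must chain to our CA (and only our CA).
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "$crt does not verify against $ca" >&2
        return 1
    fi

    # 2. The certificate and the private key must share an RSA modulus,
    #    i.e. belong together; a mix-up here only shows up at connect time.
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    if [ -z "$crt_mod" ] || [ "$crt_mod" != "$key_mod" ]; then
        echo "$key does not match $crt" >&2
        return 1
    fi

    # 3. The private key must be readable by its owner only (mode 600):
    #    columns 5-10 of ls -l are the group and other permission bits.
    if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "$key is readable by group/others; chmod 600 $key" >&2
        return 1
    fi

    # Show who this certificate is for and when it stops working.
    openssl x509 -noout -subject -enddate -in "$crt"
}
```

Run it once per host before the scp step; a non-zero exit means the files in the keys directory are not the set you think they are.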
Edit /etc/openvpn/openvpn.conf:
On the client, the 'remote' entry should name the machine the OpenVPN server is running on. Port 1194 is the official (IANA-registered) OpenVPN port.
In a bridged network setup, the VPN clients "become" part of the network the bridge is attached to. For example, eth0 is attached to the 144-net (sclab, 128.153.144.0/23); when you bridge eth0 and tap0 into br0, clients can take 144-net IPs and pass traffic as if they were plugged into the physical network. That includes layer-2 traffic such as ARP and broadcasts, so a VPN client is exactly as trusted as a machine in the lab: hand out certificates accordingly.
root@openvpn:~# openvpn --mktun --dev tap0 --dev-type tap
root@openvpn:~# brctl addbr br0
root@openvpn:~# ifconfig eth0 0.0.0.0 promisc up
root@openvpn:~# brctl addif br0 eth0
root@openvpn:~# ifconfig tap0 0.0.0.0 promisc up
root@openvpn:~# brctl addif br0 tap0
root@openvpn:~# ifconfig br0 128.153.144.106 netmask 255.255.254.0 broadcast 128.153.145.255
The above commands are stored in /etc/openvpn/setup-networking and are run from /etc/rc.local on boot, before OpenVPN starts. Two things to keep in mind: ifconfig eth0 0.0.0.0 takes the host's address away until br0 is configured, so run the script from the console rather than over ssh, and re-add the default route via br0 if it used to live on eth0; and because tap0 is created here as a persistent device, openvpn.conf must say dev tap0 so the daemon attaches to it instead of creating a fresh tap interface outside the bridge.
Now that everything is in place, start OpenVPN, which picks up every *.conf in /etc/openvpn:
root@openvpn:~# /etc/init.d/openvpn start
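The configuration files themselves are not reproduced above, so here is an added example, not the original page's configuration, of the three files the bridged setup needs: the server's openvpn.conf, a client.conf for necronomicon, and the setup-networking script. The file names, host names and addresses come from the page; the client pool 128.153.144.200-128.153.144.220, KEY_SIZE=2048 (hence dh2048.pem) and the tls-auth key are assumptions, and tls-auth is hardening the page does not mention.

```shell
# Added example, not from the original page: write the three files the
# bridged setup needs into DIR (use /etc/openvpn for real; a scratch
# directory lets you review them first).
#   usage: write_openvpn_bridge_configs /etc/openvpn
# Assumptions beyond the page: KEY_SIZE=2048 (so the dh file is dh2048.pem),
# a client pool of 128.153.144.200-128.153.144.220 (pick addresses that are
# free on the 144-net), and a tls-auth key as extra hardening, generated with
#   openvpn --genkey --secret /etc/openvpn/ta.key
# and copied to each client alongside ca.crt.
write_openvpn_bridge_configs() {
    dir=$1
    mkdir -p "$dir" || return 1

    # Server side: attach to the persistent tap0 that setup-networking made.
    cat >"$dir/openvpn.conf" <<'EOF'
port 1194
proto udp
dev tap0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/openvpn.sclab.clarkson.edu.crt
key /etc/openvpn/openvpn.sclab.clarkson.edu.key
dh /etc/openvpn/dh2048.pem
# gateway (the br0 address), netmask, and the pool handed to VPN clients
server-bridge 128.153.144.106 255.255.254.0 128.153.144.200 128.153.144.220
# drop packets without a valid HMAC before any TLS work is done on them
tls-auth /etc/openvpn/ta.key 0
keepalive 10 120
# drop root once the tap device and the keys are open
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
EOF

    # Client side (necronomicon): the 'remote' entry is the server's name.
    cat >"$dir/client.conf" <<'EOF'
client
dev tap
proto udp
remote openvpn.sclab.clarkson.edu 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/necronomicon.crt
key /etc/openvpn/necronomicon.key
# only accept a peer whose certificate was issued with build-key-server
remote-cert-tls server
tls-auth /etc/openvpn/ta.key 1
verb 3
EOF

    # The page's bridge commands as the boot-time script run from rc.local.
    cat >"$dir/setup-networking" <<'EOF'
#!/bin/sh
# Run from the console: eth0 loses its address until br0 is configured.
set -e
openvpn --mktun --dev tap0 --dev-type tap
brctl addbr br0
ifconfig eth0 0.0.0.0 promisc up
brctl addif br0 eth0
ifconfig tap0 0.0.0.0 promisc up
brctl addif br0 tap0
ifconfig br0 128.153.144.106 netmask 255.255.254.0 broadcast 128.153.145.255
# If the host's default route lived on eth0, re-add it here via br0
# (the gateway address is site-specific and not given on the page).
EOF
    chmod 755 "$dir/setup-networking"
}
```

Run it against a scratch directory first, compare the output with what you already have, and only then copy the files into /etc/openvpn. The pool range must not collide with DHCP leases or static addresses already in use on the 144-net, and the same ta.key has to be present on every client.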