For the most part, the how-to documentation on the OpenVPN website it quite good, and easy to follow. However, there are a few “gotcha’s” that the documentation doesn’t make clear. Some of these “gotcha’s” involve errors on the part of the package maintainers or developers. Some involve things that you need to do, but that the documentation doesn’t even mention.
In this document, we’ll endeavor to make things a bit more clear, and save you from suffering the “trial-and-error” method of setting up a simple VPN.
Preparation
You can install OpenVPN on a variety of operating systems. (For our demo, we’ll be using CentOS 5.) For our present purpose, we’ll assume that all applications and data that clients need to reach are on the OpenVPN server itself, and that clients don’t need to reach any other subnets that are on the other side of the server. We’ll also assume that all clients are to use the same OpenVPN configuration.
If you’re using Red Hat Enterprise Linux or one of its derivatives as the OpenVPN server–this would include CentOS 5, Startcom 5, and perhaps a few others—you won’t find OpenVPN in the distro’s repositories. But, it is in a few different third-party repositories. The best one to use is RPMForge. To install RPMForge to your Yum repository list, run one of the following commands:
For systems running a 32-bit version of RHEL 4 or one of its derivatives:
rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el4.rf.i386.rpm
For systems running a 64-bit version of RHEL 4 or one of its derivatives:
rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el4.rf.x86_64.rpm
For systems running a 32-bit version of RHEL 5 or one of its derivatives:
rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
For systems running a 32-bit version of RHEL 5 or one of its derivatives:
rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
Note that you can copy and paste these commands from this document to the command-line of your terminal window. Also, you would want to install this on any RHEL-style Linux machines that you may be using as clients.
If your Linux machines are running either Debian or Ubuntu, you will find OpenVPN in the normal distro repositories. Just use apt-get or your favorite package manager to install it, the same as you would with any other package. Other than that, installation and configuration will be the same as what we’re about to present in the following steps.
Installation
(Note that this portion of the procedure is the same for both OpenVPN servers and OpenVPN clients that are running on Linux.)
Once the repository configuration is done, you can open Yum Extender, search for “openvpn”, and install it as you would any other package.
Alternatively, you can open a command-line window, and enter:
su – root
yum install openvpn
This is actually the recommended option, since Yum Extender is so notoriously slow.
When installation is complete, open a terminal window and enter “su – root”. (If you used the command-line installation option, just keep the window open, and remain logged in as root.)
By default, OpenVPN installs to the “/usr/sbin” directory. So, in order to manually start it from a command-line, the user will either have to be placed in the “sudoer” list, or will have to log into a command-line terminal as root.
After the initial installation, the “/etc/openvpn” directory will be empty. You’ll need to copy the appropriate files to it.
Server specific
First, cd to the “/usr/share/doc/openvpn-2.0.9/sample-config-files” directory. Copy the following files to the “/etc/openvpn” directory:
firewall.sh
openvpn-shutdown.sh
openvpn-startup.sh
server.conf
Note that the three shell script files don’t have executable permissions set. Use the chmod utility to set the executable bit for “all”.
chmod a+x firewall.sh
chmod a+x openvpn-shutdown.sh
chmod a+x openvpn-startup.sh
You’ll also need to change the names of the two “openvpn” scripts to get rid of the “.sh” suffix. (That’s because these two scripts are referenced incorrectly in the openvpn init script.) Do this with the following two commands:
mv openvpn-startup.sh openvpn-startup
mv openvpn-shutdown.sh openvpn-shutdown
Next, cd to the “/usr/share/doc/openvpn-2.0.9/easy-rsa/2.0” directory. Open the “Makefile” file for editing. Set the “DESTDIR” parameter to the following:
DESTDIR=/etc/openvpn
Leave the “PREFIX” parameter blank.
Save the file and exit the text editor. Now, issue the command:
make install
This will copy the files to the “etc/openvpn” directory, and set the executable permission on all but one of the shell-script files. (We’ll fix the one that got missed in the next step.)
Next, cd to the “/etc/openvpn” directory, and open the “vars” file for editing. At the very bottom of the file, set the appropriate values for “export KEY_COUNTRY=”, “export KEY_PROVINCE=”, “export KEY_CITY=”, “export KEY_ORG=”, and “export KEY_EMAIL=”. Save the file and exit the text editor. Use chmod to manually add the executable permissions to the “vars” file.
chmod a+x vars
While still within the “/etc/openvpn” directory, use the “easy-rsa” scripts to create security keys and certificates. To prepare for building the key sets, issue the following commands:
./vars
./clean-all
./build-ca
Note: When you attempt to run the “clean-all” script, you may receive a message about having to source the vars file, first. If you do, just run the command:
source vars
Re-run the “clean-all” script, and continue on to the next step.
To build the appropriate key set for the OpenVPN server, issue the command:
./build-key-server server
When asked to make choices, just hit the “Enter” key to choose the default values.
For each client that will connect to this server, you’ll need to create a set of keys and certificates, each named after the client that will use them. For example, if you have three clients, issue the commands:
./build-key client1
./build-key client2
./build-key client3
(Optionally, you can substitute the “build-key-pass” script if you desire to password-protect the client keys.)
When asked to make choices, just hit the “Enter” key to accept the default value.
Generate the Diffie-Hellman keys by entering:
./build-dh
Finally, cd to the “/etc/openvpn/keys” directory, and copy all of the files back to “/etc/openvpn”. (You don’t want to have your working keys in the “keys” directory, because you’ll wipe them out the next time you use the “clean-all” utility.)
cp * ../
Configure the server by editing the “server.conf” file. Find the line that says:
server 10.8.0.0 255.255.255.0
and change it to the network address and subnet mask that you desire to use. For our example, we’ll initially have one-hundred clients connecting to the server, but we also want scalability in case we add more clients later. So, we’ll use the “10.1.1.0” network with a 25-bit subnet mask. For that, we’ll change this line to:
server 10.1.1.0 255.255.255.128
This will allow for 125 clients, since the server will automatically assign the “10.1.1.1” address to itself.
Scroll down to the stanza that begins with the line, “# Select a cryptographic cipher.” Choose which cryptographic method you desire to use by uncommenting the appropriate line. Later, when you setup the clients, you’ll make this parameter of their configuration files match what you’ve set for the server. (Note that “Blowfish” is the default choice, so you won’t need to uncomment anything if you want to use it.) Save this file, and open the “firewall.sh” file for editing.
Near the top of the file, you’ll see the line that reads:
PRIVATE=10.0.0.0/24
Change this line to the address of the private network that you desire to use. (This must match what you used in the server.conf file.) For our example, we’ll change this to:
PRIVATE=10.1.1.0/25
Important: Even though the “firewall.sh” script makes reference to interfaces “eth0” and “eth1”, that doesn’t mean that you need two active, physical NIC’s in your server. In this case, “eth1” refers to the virtual interface that will be created when you start the OpenVPN program. In fact, if you have installed a second NIC, and you accidentally assign it the address that you want to use for the OpenVPN private network, then your clients won’t be able to connect properly.
Note: If you’re using something other than eth0 as the physical NIC for the VPN, then you’ll need to edit the firewall.sh file, changing all of the “eth0”’s accordingly. You’ll also need to change all of the “eth1”’s to “eth0”. (Even if “eth0” is in use as another NIC, that fine, since all we’re doing here is creating a virtual NIC.
Save the file and open the “openvpn-startup” file for editing. At the bottom of the file, find the lines:
openvpn –cd $dir –daemon –config vpn1.conf
openvpn –cd $dir –daemon –config vpn2.conf
openvpn –cd $dir –daemon –config vpn2.conf
Comment out all three of these lines:
# openvpn –cd $dir –daemon –config vpn1.conf
# openvpn –cd $dir –daemon –config vpn2.conf
# openvpn –cd $dir –daemon –config vpn2.conf
Save the file and exit the text editor.
To manually start the program, you’ll either need to use “sudo” and have the appropriate sudo privileges, or you’ll need to “su” to a root login, and enter one of the following commands:
sudo /sbin/service openvpn start
or, if logged in as root:
service openvpn start
On a Debian or Ubuntu-type system, you would enter one of the following commands:
sudo /etc/init.d/openvpn start
or, if logged in as root,
/etc/init.d/openvpn start
When you initially install OpenVPN, you’ll also install an init script into the “/etc/init.d” directory, and links to it will be installed into the appropriate run-level directories. This will cause OpenVPN to automatically start whenever you boot the server.
Now that that’s done, you’ll want to configure the clients.
Configuring Linux Clients
First, copy the appropriate key sets from the server to the “/etc/openvpn” directory on each of the clients. If the client machines aren’t locally available, then make the transfers via a secure means, such as SFTP. For example, for client 1 copy the following files:
client1.crt
client1.key
ca.crt
Note: The same “ca.crt” file gets copied to each client. Be sure that you don’t copy the “ca.key” file to any clients, or else server security will be compromised.
On each client, copy the “client.conf” file from the “/usr/share/doc/openvpn-2.0.9/sample-config-files/” directory to the “/etc/openvpn” directory. Open the file for editing. Scroll down until you find the line:
remote my-server-1 1194
Change the “my-server-1” part to the actual IP address of your OpenVPN server. For example, if the IP address of your server’s eth0 interface is 216.33.19.3, then the line will become:
remote 216.33.19.3 1194
Next, scroll down until you find the lines:
ca ca.crt
cert client.crt
key client.key
Change these lines to match the client-key files that you transferred from the server. For client 1, these would become:
ca ca.crt
cert client1.crt
key client1.key
Uncomment the line,
;ns-cert-type server
by removing the preceding semi-colon.
Uncomment the
;cipher x
line, and change the “x” to match the cryptographic method that you set up in the server configuration. For example, if you chose the “Blowfish” method in the server configuration, then change this line to:
cipher BF-CBC
Save the file and exit the text editor. To test, start up OpenVPN on the server, and then start OpenVPN on the client.
Note: Even on the clients, manually starting OpenVPN from the command-line requires root privileges. So, for testing, you will either have to have the appropriate settings made so that you can use “sudo”, or you’ll have to have the root password for the respective client machines.
The command to start the client is:
cd /etc/openvpn
openvpn client.conf
On the client, open a second command-line terminal window, and ping the private address of the OpenVPN server. In our example, the command would be “ping 10.1.1.1”. If the ping is successful, you’ve achieved coolness. If it isn’t, you may have to reconfigure the client’s firewall to allow proper connectivity.
As on the server, you’ll find that init script have been installed in the appropriate run-level directories. So, OpenVPN will start automatically, and will automatically connect to the OpenVPN server, whenever you reboot the computer.
Configuring Windows Clients with OpenVPN
To install OpenVPN on a Windows client, you’ll need to download the program installation file from:
http://openvpn.net/download.html
When the download completes, just double-click on the file icon to begin installation. (Accept all defaults.)
When installation completes, you should see a network connection icon with a red “x” over it in the system tray. Don’t let that bother you. It’ll go away when you make a connection to the server.
Transfer the appropriate key set files from the server to the “C:\Program Files\OpenVPN\bin” directory. For example, if the Windows client is “client5”, then it will need the following files from the server:
client5.crt
client5.key
ca.crt
Note that each client will use the same “ca.crt” file. Also, be sure not to transfer the “ca.key” file to any of the clients, or else server security will be compromised.
If you don’t have local access to the client machines, you can have the users use a Windows-type SFTP program to download the files from the server. (For example, they can use Putty, Cygwin, or Filezilla, all of which are free downloads.)
Next, cd to the “C:\Program Files\OpenVPN\sample-config” directory, and copy the “client.ovpn” file to the “C:\Program Files\OpenVPN\bin” directory. Open the copy in the “bin” directory for editing. Scroll down until you find the line:
remote my-server-1 1194
Change the “my-server-1” part to the actual IP address of your OpenVPN server. For example, if the IP address of your server’s eth0 interface is 216.33.19.3, then the line will become:
remote 216.33.19.3 1194
Of course, you may have reason to use another port besides the default port 1194, and to use TCP instead of the default UDP. On the next page, you’ll see that we’ve chosen to resolve a problem with getting through a corporate firewall by using TCP on port 80.
Note: If you have a choice, you’ll most always want to go with the default UDP. TCP involves more overhead, and may slightly affect your VPN’s performance.
Next, scroll down until you find the lines:
ca ca.crt
cert client.crt
key client.key
Change these lines to match the client-key files that you transferred from the server. For client 5, these would become:
ca ca.crt
cert client5.crt
key client5.key
Uncomment the line,
;ns-cert-type server
by removing the preceding semi-colon.
Uncomment the
;cipher x
line, and change the “x” to match the cryptographic method that you set up in the server configuration. For example, if you chose the “Blowfish” method in the server configuration, then change this line to:
cipher BF-CBC
Save the file and exit the text editor. To test, start up OpenVPN on the server, and then start OpenVPN on the client.
The command to start the client is:
cd C:\”Program Files”\OpenVPN\bin
openvpn client.ovpn
On the client, open a second command-line window, and ping the private address of the OpenVPN server. In our example, the command would be “ping 10.1.1.1”. If the ping is successful, you’ve achieved coolness. If it isn’t, you may have to reconfigure the client’s firewall to allow proper connectivity.
For ease-of-use, open Notepad and create a batch file with the preceding two commands. Save it on the desktop as “OpenVPN.bat”. You’ll then be able to invoke OpenVPN by double-clicking on the icon.
In Summary
Once you’ve connected a client to the OpenVPN server, you’ll be able to securely access the server with your normal applications by using the server’s private IP address. So, in our example, whether we’re accessing the server via Telnet, FTP, http, or perhaps even Teamspeak, we would use “10.1.1.1” as the server address. Yeah, it seems strange to use a private IP address to access something from across the Internet, but with Virtual Private Networks, that’s just the way it works.