Operating System: Debian Etch 4.0


Install and Key Generation

First we just need to grab the primary packages from the repos and install. Make sure you’re root.

apt-get install openvpn openssl

Next find the easy-rsa directory and copy those files over to the OpenVPN configuration directory so we can set up a certificate authority. Copy it as /etc/openvpn/easy-rsa, which is the path the rest of the commands below use.

cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa

Now in the /etc/openvpn/easy-rsa directory open up the vars file and make some edits that suit you. I only made changes to the very end of the file.

export KEY_SIZE=2048
export KEY_COUNTRY=US
export KEY_PROVINCE=NA
export KEY_CITY=mycity
export KEY_ORG="My Company"
export KEY_OU="Operations"
export KEY_CN="CommonName"
export KEY_EMAIL="sysadmin@test.com"

Save this file. Then run:

. ./vars

Yeah, there’s a dot, a space, and then another dot in there. Then these commands:

./clean-all
./build-ca

You’ll be asked the cert questions, but most of the defaults should be filled in for you since you manually entered them in the vars file. Now build the server key:

./build-key-server myserver

You’ll be asked the same type of questions, but for the common name you need to enter something. “Server” is the default. Run this next command, which will take a while:

./build-dh

Then generate your tls-auth key:

cd keys
openvpn --genkey --secret ta.key

Now create a keys directory directly under /etc/openvpn to stay organized and copy the necessary keys there (you are still in the easy-rsa keys directory, so absolute paths are used here):

mkdir -m 0700 /etc/openvpn/keys
cp ca.crt /etc/openvpn/keys
mv dh2048.pem ta.key myserver.crt myserver.key /etc/openvpn/keys

Server Config File

My server configuration is located in /etc/openvpn/server.conf. It’s what worked for me. The 172.21.0.0 subnet is the virtual one used by the VPN. The 10.10.0.0 subnet is the LAN I’m trying to connect to.

dev tun
port 1194
proto udp
server 172.21.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 10.10.0.0 255.255.255.0"
max-clients 10
user nobody
group nogroup
duplicate-cn

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/myserver.crt
key /etc/openvpn/keys/myserver.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0

keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 4

More info on configuration options is here: http://openvpn.net/howto.html. You’ll also have to enable packet forwarding so packets can flow from the VPN interface to the Ethernet interface. Open the file /etc/sysctl.conf and uncomment this line:

net.ipv4.conf.default.forwarding=1

Restart the server.
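With duplicate-cn set, nothing stops one user’s certificate from being used from several machines at the same time, which is also exactly what a copied user1.key looks like. This added check (example code, not part of the original post) reads the version-1 status file written by the status directive above and reports any common name with more than one live session; the status file contents are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: find client certificates that are
# connected from more than one real address at once, using the status file
# written by "status /var/log/openvpn/openvpn-status.log" (version-1 format).

# Print "CN count addr1 addr2 ..." for every common name with more than one
# live session; prints nothing when every CN has a single session.
concurrent_cns() {
    awk -F, '
        /^ROUTING TABLE/            { exit }   # client list ends here
        inlist && NF == 5           { n[$1]++; a[$1] = a[$1] " " $2 }
        /^Common Name,Real Address/ { inlist = 1 }   # client list header
        END { for (cn in n) if (n[cn] > 1) print cn, n[cn] a[cn] }
    ' "$1"
}

# Constructed sample status file: user1 is connected from two public addresses.
write_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Jan 14 09:12:01 2008
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
user1,198.51.100.23:1194,10342,44120,Mon Jan 14 08:30:12 2008
client2,203.0.113.8:1194,2210,3390,Mon Jan 14 09:01:55 2008
user1,192.0.2.77:1194,120,90,Mon Jan 14 09:11:40 2008
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
172.21.0.6,user1,198.51.100.23:1194,Mon Jan 14 09:12:00 2008
172.21.0.10,client2,203.0.113.8:1194,Mon Jan 14 09:11:58 2008
172.21.0.14,user1,192.0.2.77:1194,Mon Jan 14 09:11:59 2008
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Against the live server you would run:
#   concurrent_cns /var/log/openvpn/openvpn-status.log
f=$(mktemp); write_sample_status "$f"; concurrent_cns "$f"; rm -f "$f"
```

A CN showing up here is the cue to revoke that certificate with revoke-full (covered below) and issue the user a new one.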


Setup the Revocation List

Now set up a revocation list so you can later block certificates and users that you create. Source your variables again.

cd /etc/openvpn/easy-rsa
. ./vars

I had to modify my openssl configuration and repoint to my openvpn directory.

cd /usr/lib/ssl
mv openssl.cnf openssl.cnf.old
ln -s /etc/openvpn/easy-rsa/openssl.cnf openssl.cnf

Edit the config file openssl.cnf at the end and comment out the pkcs11 section if you’re not using it, otherwise it will throw errors. Then create your CRL:

cd keys
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out crl.pem
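Generating crl.pem is only half of revocation: OpenVPN ignores the list unless server.conf names it with a crl-verify directive, and because the server above drops to user nobody, that account must still be able to read the file, since OpenVPN re-reads the CRL on every client connection (a 0700 keys directory breaks this). This added audit script (not part of the original post; it assumes GNU stat and checks the directive names used in the server config above) reports those and a couple of other file-permission slips.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenVPN server.conf for
# the revocation and privilege-drop pitfalls of this setup. Assumes GNU stat
# (stat -c). Prints one line per finding and returns the number of findings.

audit_openvpn_server() {
    conf=$1
    findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }
    # first value of a directive, e.g. conf_val "$conf" key
    conf_val() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

    key=$(conf_val "$conf" key)
    crl=$(conf_val "$conf" crl-verify)
    runas=$(conf_val "$conf" user)

    if [ -z "$crl" ]; then
        note "no crl-verify directive: revoked client certificates are still accepted"
    elif [ ! -f "$crl" ]; then
        note "crl-verify points at $crl, which does not exist"
    elif [ -n "$runas" ]; then
        # The CRL is re-read on each client connection, after privileges have
        # been dropped, so $runas needs read access to the file and search
        # access to its directory.
        case $(stat -c %a "$crl") in
            *[4567]) ;;
            *) note "$crl is not world-readable; unreadable once running as $runas" ;;
        esac
        case $(stat -c %a "$(dirname "$crl")") in
            *[1357]) ;;
            *) note "$(dirname "$crl") is not searchable by $runas" ;;
        esac
    fi

    if [ -f "$key" ] && [ "$(stat -c %a "$key")" != 600 ]; then
        note "private key $key should be mode 600"
    fi
    grep -q '^tls-auth ' "$conf" || note "no tls-auth: handshake packets are not HMAC-protected"
    grep -q '^duplicate-cn' "$conf" && note "duplicate-cn: one certificate can be active from many hosts at once"

    return "$findings"
}

# Usage: sh audit.sh /etc/openvpn/server.conf
if [ $# -gt 0 ]; then
    audit_openvpn_server "$1"
fi
```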

User Configuration

Now create your first user:

./build-key-pass user1

Answer the same prompts and give it a password. If you don’t want to use a password, just use build-key instead. Restart the OpenVPN server for it to read the config:

/etc/init.d/openvpn restart

Now, on the client machine run the same install commands (assuming you’re using an Ubuntu or Debian box) and create a keys directory:

apt-get install openvpn openssl
mkdir /etc/openvpn/keys

Copy the keys ca.crt, user1.crt, user1.key, and ta.key into the keys directory and then create a file called client.conf in the /etc/openvpn directory. Be sure you restrict access and lock down the keys directory, since compromise of these files will give someone else access.

Here’s my config:

client
dev tun
proto udp
remote myserver.site.com 1194
nobind
user nobody
group nogroup

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/user1.crt
key /etc/openvpn/keys/user1.key
tls-auth /etc/openvpn/keys/ta.key 1

comp-lzo
persist-key
persist-tun
log /var/log/openvpn/openvpn.log
verb 4
ns-cert-type server

You can get more info on the configuration here: http://openvpn.net/howto.html. Now start up the VPN:

openvpn /etc/openvpn/client.conf

You can check the logs for errors, but in a few seconds, if you run an ifconfig, you can see a tun0 device has been created and has one of the virtual IP addresses. You can then ping the remote VPN server’s inside address for testing.


Routing Issues

In my situation, my VPN server was not the default gateway on my LAN, so I had to add some permanent routes to my LAN hosts so their replies could find their way back through the tunnel to my remote client. For Linux boxes use:

route add -net 172.21.0.0 netmask 255.255.255.0 gw 10.10.0.5

And on Windows use:

route -p add 172.21.0.0 mask 255.255.255.0 10.10.0.5 metric 10

Adding and Removing Other Users

When you need to add new users or client certificates, simply run:

cd /etc/openvpn/easy-rsa
. ./vars
./pkitool client2

This will generate the keys for the new client to copy down to their machine, just the same as the initial client.

Removing users is easy as well.

cd /etc/openvpn/easy-rsa
. ./vars
./revoke-full client2

You may see a bunch of error 23s at the end, but that’s normal: it is just testing that the certificate no longer has access.