It is rather problematic accessing resources on my home development cluster when I am in other locations. After witnessing the functionality of my Dad’s work VPN, I figured why not have a whack at a VPN setup. SSH tunneling just does not cut it in some cases. In this walk through, I will be installing OpenVPN on a minimal Debian Linux 4.0 installation on a 1.5 GHz/1 GB RAM/12 GB hard drive host node. I tried doing this on an OpenVZ virtual node, and it did not work too well dealing with all of the low level (virtual) hardware calls, Linux kernel dependencies, and creating a bridged interface within a bridged interface. Use a physical server!

System Requirements

  1. A computer that meets the following minimum system requirements: 300 MHz, 128 MB RAM, 2 GB HDD
  2. Some sort of Linux installation on said computer. I’ll be using Debian Linux so those of you using Ubuntu, Slackware, Mandrake or any other distro with apt-get luckily won’t have to compile from source (too often).
  3. Root terminal access to the computer (via ssh or KVM)
  4. Knowledge of IPv4 routing in your Local Area Network
  5. YOU NEED bridge-utils (apt-get install bridge-utils)! Try and get any of this going without this package and your ifconfig setup will implode! It happened to me both times I tried this because I FORGOT!!!

Downloading and Installing OpenVPN

  1. Use your distribution’s package manager. In my case “apt-get install openvpn openssl” and I was good to go. For some reason, even though openssl is required for setting up a secured VPN connection, it wasn’t pulled in automatically as a dependency. For more information on downloading and installing on RHEL based systems (CentOS, OpenSUSE, Red Hat, Fedora) see the OpenVPN howto.
  2. Then determine whether you want to use routed or bridged mode: http://openvpn.net/index.php/documentation/howto.html#vpntype
  3. Now copy the contents of “/usr/share/doc/openvpn/examples/easy-rsa/” to some place more accessible, so as to keep a backup copy of the original. I moved it to “/etc/openvpn/”.

The setup on the server (needs openssl installed first)

  1. Get into the new copy of your “easy-rsa” directory and run the following commands to get your server’s Certificate Authority ready.

    . ./vars
    ./clean-all
    ./build-ca

    According to the documentation on openvpn.net:

    The only parameter which must be explicitly entered is the Common Name. [...] I used “OpenVPN-CA”.

  2. Now build the server key: ./build-key-server server. According to the documentation:

    When the Common Name is queried, enter “server”. Two other queries require positive responses, “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”.

    Enter “y” for both to continue.

  3. Build the various client keys and certificates: ./build-key clientn, where “n” is an integer.

    Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. “client1”, “client2”, or “client3”. Always use a unique common name for each client.

  4. Now execute “./build-dh” to build the necessary Diffie-Hellman parameters.
  5. To add a further level of security with an HMAC signature, generate a key for tls-auth by running “openvpn --genkey --secret ta.key” while in your new “easy-rsa/keys” directory. See the section in the documentation on Hardening OpenVPN Security.
  6. Finally copy the various generated keys and certificates to the various hosts that will be utilizing the virtual private network. See the table below, taken from: http://openvpn.net/index.php/documentation/howto.html#pki.
    Filename      Needed By                  Purpose                     Secret
    ca.crt        server + all clients       Root CA certificate         NO
    ca.key        key signing machine only   Root CA key                 YES
    dh{n}.pem     server only                Diffie Hellman parameters   NO
    server.crt    server only                Server Certificate          NO
    server.key    server only                Server Key                  YES
    client1.crt   client1 only               Client1 Certificate         NO
    client1.key   client1 only               Client1 Key                 YES
    client2.crt   client2 only               Client2 Certificate         NO
    client2.key   client2 only               Client2 Key                 YES
    client3.crt   client3 only               Client3 Certificate         NO
    client3.key   client3 only               Client3 Key                 YES
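Before step 6 copies anything around, it is worth checking that the easy-rsa output is actually consistent: every certificate chains to ca.crt, no two clients share a Common Name (step 3), and every file the table marks Secret is not world-readable. The script below is an added example, not part of the original post or of easy-rsa; it uses plain openssl to build a throw-away sample PKI (with random bytes standing in for the openvpn --genkey ta.key) when run without a directory argument.

```shell
#!/bin/sh
# Added example: sanity-check an easy-rsa "keys" directory before copying files out.
# Every *.crt must chain to ca.crt, Common Names must be unique, and every secret
# file (*.key, ta.key from the table above) must be readable by its owner only.
check_openvpn_pki() {
    dir="$1"; rc=0; seen=""
    [ -f "$dir/ca.crt" ] || { echo "FAIL: $dir/ca.crt missing"; return 1; }
    for crt in "$dir"/*.crt; do
        [ "$(basename "$crt")" = ca.crt ] && continue
        # signed by our own CA? (a cert from another PKI here is a misconfiguration)
        openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 \
            || { echo "FAIL: $crt is not signed by ca.crt"; rc=1; }
        cn=$(openssl x509 -noout -subject -in "$crt" | sed 's/.*CN *= *\([^,/]*\).*/\1/')
        case " $seen " in *" $cn "*) echo "FAIL: duplicate Common Name '$cn' in $crt"; rc=1;; esac
        seen="$seen $cn"
    done
    for key in "$dir"/*.key; do
        [ -e "$key" ] || continue
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")   # GNU stat, then BSD stat
        case "$mode" in 600|400) ;; *) echo "FAIL: $key mode $mode, want 600"; rc=1;; esac
    done
    return $rc
}

# Constructed sample: a throw-away CA plus server/client certs made with plain openssl,
# standing in for easy-rsa output; ta.key is random bytes standing in for openvpn --genkey.
make_sample_pki() {
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=OpenVPN-CA \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    for c in server client1 client2; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$c" \
            -keyout "$d/$c.key" -out "$d/$c.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$d/$c.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -out "$d/$c.crt" 2>/dev/null
    done
    openssl rand -hex 32 > "$d/ta.key"
    chmod 600 "$d"/*.key
}

# Usage: sh check_pki.sh /etc/openvpn/easy-rsa/keys
# With no argument, the constructed sample is built in a temp dir and checked instead.
if [ -n "$1" ]; then
    check_openvpn_pki "$1"
else
    tmp=$(mktemp -d); make_sample_pki "$tmp"
    check_openvpn_pki "$tmp" && echo "OK: sample PKI in $tmp passes all checks"
    rm -rf "$tmp"
fi
```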

Configuration Files and the Rest
From here on out the rest of the documentation (on setting up configuration files and running OpenVPN) is pretty self explanatory. I don’t really want to take the time and re-create the end of the tutorial.