Posts Tagged ‘openvpn’

OpenVPN on CentOS 5.2

A bit of googling turned up a great post on howtoforge.com called “OpenVPN Server On CentOS 5.2”. I didn’t know quite how to add the rpmforge repo that is needed to install OpenVPN from, so google turned up another handy article on how to do that called “CentOS 5 – install rpmforge yum repo”. I checked the rpmforge RPM releases at http://dag.wieers.com/rpm/packages/rpmforge-release/ to be sure that this is the latest release; it is (as of June 2009). The following pasties are based off of the aforementioned article with some changes.

yum install openvpn
cd /etc/openvpn/
mkdir easy-rsa
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/2.0/* easy-rsa/
chmod -R 777 easy-rsa/
cd easy-rsa/
. ./vars
./clean-all
./build-ca

–> For the common name use “OpenVPN-CA”, or anything else helpfully descriptive. <–
./build-key-server server
–> Enter various customized values if you so please, but be sure to leave the common name value as the default, “server”. Oh, and answer yes to the two questions at the end. <–
./build-key client1
–> Change the number 1 to 2, 3, and so on for however many client certificates you want. Leave the common name as the default “clientn”. <–
./build-dh
cd keys/
openvpn --genkey --secret ta.key

For more information on transferring the necessary keys to the client, see the final part of a blog post I did on running OpenVPN on Debian.

I created two example config files utilizing the OpenVPN routed tunnel method … hope they help. [server] [client]

Just add the static routes to the VPN subnet(s) to your LAN gateway.

If you need any help I suppose you could always pay me to set this up for you, that’s what I’ve done for some other folks.

OpenVPN inside of a Debian OpenVZ node

I have been searching for a way to virtualize an OpenVPN setup for some time now. I need it to be virtual because of my lack of physical machines. I have had OpenVPN running before using Ethernet bridging, but without the adequate hardware, it is time to go virtual and use routing methods instead of bridging.

With a little bit of google searching I found “Adding openvpn support to openvz VPS” on biogeogen.com. The post in question gets you started, but leaves out a few pointers.

1) Don’t use the /etc/modules.conf file; just put modprobe tun inside /etc/rc.d/rc.local so the command is executed at each boot. This is of course only needed if, after running lsmod | grep tun, you discover that tun support is not automatically loaded.
2) You need to have the virtual node stopped before running the following command on it: vzctl set 101 --capability net_admin:on --save, where 101 is the VEID.
3) To execute commands on said virtual node with vzctl exec, you then need it to be started.

So the revised pastie:

lsmod | grep tun
[no output, then -->] modprobe tun
[stop the container]
vzctl set 101 --devices c:10:200:rw --save
vzctl set 101 --capability net_admin:on --save

[start the container]
vzctl exec 101 mkdir -p /dev/net
vzctl exec 101 mknod /dev/net/tun c 10 200
vzctl exec 101 chmod 600 /dev/net/tun
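
As an added example (not part of the original post, and not an OpenVZ or OpenVPN tool), here is a small POSIX shell check to run inside the container once the vzctl steps above have been done. It confirms that the device node has the properties those steps are meant to produce (a character device, major 10, minor 200, mode 600) and reports whether the tun module shows up in lsmod, which is the same test as the lsmod | grep tun step above. The node path /dev/net/tun is the one used above; any other path passed as the first argument is checked the same way.

```sh
#!/bin/sh
# Added example, not from the original post: run inside the container after
# the vzctl steps above to confirm the tun device node is usable by OpenVPN.
# Expected: a character device, major 10 / minor 200, mode 600.

# Return 0 if $1 (default /dev/net/tun) is a character device 10:200 with mode 600.
verify_tun_node() {
    node=${1:-/dev/net/tun}
    [ -e "$node" ] || { echo "$node does not exist (run the mknod step)" >&2; return 1; }
    # stat -c (GNU and busybox): %F = file type, %t/%T = major/minor in hex, %a = mode in octal
    ftype=$(stat -c '%F' "$node")
    major=$(stat -c '%t' "$node")
    minor=$(stat -c '%T' "$node")
    mode=$(stat -c '%a' "$node")
    [ "$ftype" = "character special file" ] || { echo "$node is a $ftype, not a character device" >&2; return 1; }
    if [ "$major" != "a" ] || [ "$minor" != "c8" ]; then
        echo "$node is device $major:$minor (hex); expected a:c8 (10:200)" >&2; return 1
    fi
    [ "$mode" = "600" ] || { echo "$node has mode $mode; expected 600" >&2; return 1; }
    return 0
}

# Return 0 if the tun module is loaded in the kernel: the same test as
# lsmod | grep tun above, but anchored to the module-name column so that
# other modules with "tun" in their name do not produce a false match.
tun_module_loaded() {
    lsmod 2>/dev/null | grep -q '^tun[[:space:]]'
}

# Stand-alone run: report both checks.
if verify_tun_node /dev/net/tun; then echo "/dev/net/tun: ok"; fi
if tun_module_loaded; then echo "tun module: loaded"; else echo "tun module: not loaded (modprobe tun on the host)"; fi
```

On a host where /dev/net/tun was created by udev rather than by the mknod step above it will usually be mode 666, and the mode check reports that; the 600 expected here is the value the chmod step in this post sets.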

For setting up OpenVPN inside of the virtual node see: OpenVPN on Debian linux.

OpenVPN on Debian linux

It is rather problematic accessing resources on my home development cluster when I am in other locations. After witnessing the functionality of my Dad’s work VPN, I figured why not have a whack at a VPN setup. SSH tunneling just does not cut it in some cases. In this walkthrough, I will be installing OpenVPN on a minimal Debian Linux 4.0 installation on a 1.5 GHz/1 GB RAM/12 GB hard drive host node. I tried doing this on an OpenVZ virtual node, and it did not work too well dealing with all of the low-level (virtual) hardware calls, Linux kernel dependencies, and creating a bridged interface within a bridged interface. Use a physical server!

System Requirements

  1. A computer that meets the following minimum system requirements: 300 MHz, 128 MB RAM, 2 GB HDD
  2. Some sort of Linux installation on said computer. I’ll be using Debian Linux so those of you using Ubuntu, Slackware, Mandrake or any other distro with apt-get luckily won’t have to compile from source (too often).
  3. Root terminal access to the computer (via ssh or KVM)
  4. Knowledge of IPv4 routing in your Local Area Network
  5. YOU NEED bridge-utils (apt-get install bridge-utils)! Try and get any of this going without this package and your ifconfig setup will implode! It happened to me both times I tried this because I FORGOT!!!

Downloading and Installing OpenVPN

  1. Use your built-in repository application. In my case “apt-get install openvpn openssl” and I was good to go. For some reason, even though openssl is required for setting up a secure VPN connection, it wasn’t auto-included. For more information on downloading and installing on RHEL-based systems (CentOS, OpenSUSE, Red Hat, Fedora) see the OpenVPN howto.
  2. Then determine whether you want to use routed or bridged mode: http://openvpn.net/index.php/documentation/howto.html#vpntype
  3. Now copy the contents of “/usr/share/doc/openvpn/examples/easy-rsa/” to some place more accessible, so as to keep a backup copy of the original. I moved it to “/etc/openvpn/”.

The setup on the server (needs openssl installed first)

  1. Get into the new copy of your “easy-rsa” directory and run the following commands to get your server’s Certificate Authority ready.

    . ./vars
    ./clean-all
    ./build-ca

    According to the documentation on openvpn.net:

    The only parameter which must be explicitly entered is the Common Name. [...] I used “OpenVPN-CA”.

  2. Now build the server key: ./build-key-server server. According to the documentation:

    When the Common Name is queried, enter “server”. Two other queries require positive responses, “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”.

    Enter “y” for both to continue.

  3. Build the various client keys and certificates: ./build-key clientn, where “n” is an integer.

    Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. “client1”, “client2”, or “client3”. Always use a unique common name for each client.

  4. Now execute “./build-dh” to build the necessary Diffie-Hellman parameters.
  5. To add a further level of security with a HMAC signature, generate a key for tls-auth by running “openvpn --genkey --secret ta.key” while in your new “easy-rsa/keys” directory. See the section in the documentation on Hardening OpenVPN Security.
  6. Finally copy the various generated keys and certificates to the various hosts that will be utilizing the virtual private network. See below table obtained from: http://openvpn.net/index.php/documentation/howto.html#pki.
    Filename      Needed By                  Purpose                    Secret
    ca.crt        server + all clients       Root CA certificate        NO
    ca.key        key signing machine only   Root CA key                YES
    dh{n}.pem     server only                Diffie Hellman parameters  NO
    server.crt    server only                Server Certificate         NO
    server.key    server only                Server Key                 YES
    client1.crt   client1 only               Client1 Certificate        NO
    client1.key   client1 only               Client1 Key                YES
    client2.crt   client2 only               Client2 Certificate        NO
    client2.key   client2 only               Client2 Key                YES
    client3.crt   client3 only               Client3 Certificate        NO
    client3.key   client3 only               Client3 Key                YES
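
As an added example (not part of the original post, and not part of easy-rsa or OpenVPN), here is a POSIX shell script that applies the “Needed By” table above when handing files out to hosts. It serves both this post and the CentOS post above, since both produce the same easy-rsa keys directory. For the server, or for one client named by its Common Name, it assembles exactly the files that host needs, refuses to bundle ca.key anywhere (the table puts it on the key signing machine only), and stops if any private key is group- or world-readable, a check worth having after the chmod -R 777 step in the CentOS post. It assumes the keys directory layout the steps above produce (ca.crt, ca.key, dh1024.pem with the default KEY_SIZE in vars, server.crt, server.key, clientN.crt, clientN.key, ta.key); ta.key goes to every host because tls-auth needs the same key on both ends. The demo at the bottom uses constructed placeholder files, not real keys.

```sh
#!/bin/sh
# Added example, not from the original post or from easy-rsa: distribute the
# easy-rsa output according to the "Needed By" table. Assumed layout of the
# keys directory: ca.crt ca.key dh1024.pem server.crt server.key
# client<N>.crt client<N>.key ta.key (names as produced by the steps above).

# Print the files one host needs. $1 is the role ("server" or a client
# Common Name such as "client1"), $2 is the easy-rsa keys directory.
files_for_role() {
    role=$1; keys_dir=$2
    case $role in
        server)
            # The DH file name depends on KEY_SIZE in vars (dh1024.pem by default).
            dh=""
            for d in "$keys_dir"/dh*.pem; do
                [ -f "$d" ] && dh=${d##*/}
            done
            [ -n "$dh" ] || { echo "no dh*.pem in $keys_dir (run ./build-dh)" >&2; return 1; }
            # ta.key is the tls-auth shared secret and is needed on every host.
            echo "ca.crt server.crt server.key ta.key $dh" ;;
        client*)
            echo "ca.crt $role.crt $role.key ta.key" ;;
        *)
            echo "unknown role '$role'" >&2; return 1 ;;
    esac
}

# Return 0 if $1 names a private key, i.e. a file the table marks Secret.
is_secret() {
    case ${1##*/} in
        *.key) return 0 ;;
        *)     return 1 ;;
    esac
}

# Return 0 if $1 is readable and writable by its owner only (mode 600).
secret_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Copy into $3/$1/ only what role $1 needs from keys directory $2.
# Refuses to copy ca.key anywhere and stops if a secret is not mode 600.
bundle_for() {
    role=$1; keys_dir=$2; dest=$3
    files=$(files_for_role "$role" "$keys_dir") || return 1
    for f in $files; do
        src="$keys_dir/$f"
        [ "$f" != "ca.key" ] || { echo "refusing to bundle ca.key: it stays on the signing machine" >&2; return 1; }
        [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
        if is_secret "$src" && ! secret_mode_ok "$src"; then
            echo "$src is not mode 600; run: chmod 600 $src" >&2; return 1
        fi
    done
    mkdir -p "$dest/$role"
    for f in $files; do
        cp "$keys_dir/$f" "$dest/$role/" || return 1
    done
    chmod 600 "$dest/$role"/*.key   # copied secrets stay owner-only
    return 0
}

# Demo on constructed placeholder files (not real keys), in a temp directory.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/keys"
    for f in ca.crt ca.key dh1024.pem server.crt server.key client1.crt client1.key ta.key; do
        echo "placeholder contents of $f" > "$tmp/keys/$f"
    done
    chmod 600 "$tmp/keys"/*.key
    bundle_for server  "$tmp/keys" "$tmp/out" && ls "$tmp/out/server"
    bundle_for client1 "$tmp/keys" "$tmp/out" && ls "$tmp/out/client1"
    rm -rf "$tmp"
}

demo
```

Run it on the real keys directory as bundle_for client2 /etc/openvpn/easy-rsa/keys /root/bundles and copy only the resulting per-host directory to that host; the script never produces a directory containing ca.key, so the CA key cannot leave the signing machine by accident.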

Configuration Files and the Rest

From here on out the rest of the documentation (on setting up configuration files and running OpenVPN) is pretty self-explanatory. I don’t really want to take the time to re-create the end of the tutorial.
