what is a vpn?

a virtual private network, or vpn, is a private network built on top of a shared public medium such as the internet. the traffic still crosses the public network, but it is encrypted and authenticated between the two ends, so the link behaves as if it were private. this makes secure site-to-site or remote-access communication much cheaper than dedicated lines. there is a whole range of techniques for offering vpn services (ipsec and ssl/tls-based ones such as openvpn, among others), and not every router or firewall supports all of them.

how does it work?

a vpn connection is established by means of secure communication paths called ‘tunnels’. each tunnel has two ends, one in each of the two separate networks. all the traffic from site A to site B is routed into this tunnel, and everything that passes between the two tunnel ends is encrypted and integrity-checked, so anyone on the public network in between sees only ciphertext and cannot tamper with it unnoticed.

this is a little tutorial on how to set up an openvpn server. it doesn’t really matter which unix operating system you are using; the basic configuration and install are almost the same.

for this installation i used gentoo.

firstly you need to enable ip forwarding, so the server can pass packets between the tunnel and your lan. the setting in /etc/sysctl.conf is only applied at boot; run sysctl -w net.ipv4.ip_forward=1 (or sysctl -p) to apply it right away.

openvpn ~ # cat /etc/sysctl.conf

net.ipv4.ip_forward = 1

secondly, make sure that your kernel has tun/tap driver support, which openvpn needs to create the tun device.

openvpn ~ # cd /usr/src/linux

openvpn ~ # make menuconfig

Device Drivers --->
   Network device support --->
[*]Network device support
<*>   Universal TUN/TAP device driver support  // This option must be enabled

openvpn ~ # cd /usr/src/linux

openvpn ~ # make && make modules_install

if you built the tun/tap driver into the kernel (<*>) rather than as a module (<M>), copy the new kernel to /boot and reboot. if you built it as a module, modprobe tun is enough.

now it is time to install openvpn

openvpn ~ # emerge -av openvpn

change to the directory with the easy-rsa scripts to set up the keys easily (it may be located somewhere else on your system if you are using another distro, e.g. under /usr/share/doc/openvpn/examples/easy-rsa on debian-based systems).

openvpn ~ # cd /usr/share/openvpn/easy-rsa/

we then must edit the basic parameters for the certificates. edit the vars file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL parameters. don’t leave any of these parameters blank. the same file sets KEY_SIZE, which controls both the rsa key sizes and the diffie-hellman group; the default of 1024 bits is too small by today’s standards, so set it to 2048 (the dh file is then named dh2048.pem, adjust the server config below accordingly).

openvpn ~ # vi vars

next, initialize the PKI. source ./vars loads the parameters into your shell, ./clean-all wipes the keys directory (so never run it again on a live ca) and ./build-ca creates the ca private key and self-signed certificate.

openvpn ~ # source ./vars
openvpn ~ # ./clean-all
openvpn ~ # ./build-ca

now generate a certificate and private key for the server.

openvpn ~ # ./build-key-server server

as in the previous step, most parameters can be defaulted. when the common name is queried, enter “server”.

two other queries require positive responses, “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”.

generating client certificates is very similar to the previous step.

openvpn ~ # ./build-key client

if you would like to password-protect your client keys, substitute the build-key-pass script.
remember to type the appropriate common name for each client when prompted, i.e. “client”, “client2” or “client3”. always use a unique common name for each client: openvpn identifies a connected peer by its common name, and two clients sharing one will kick each other off unless you set duplicate-cn (which also breaks per-client addressing and client-config-dir). easy-rsa will in any case refuse to sign a second certificate with a subject it has already issued.

Diffie Hellman parameters must be generated for the openvpn server.

openvpn ~ # ./build-dh
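the ca database that easy-rsa maintains in keys/index.txt is the only record of which common names you have issued, so it is worth checking before you hand out more client keys. the following python script is an added example (not part of this tutorial or of easy-rsa) that parses that file and reports duplicate live common names, expired and revoked certificates. the index lines embedded in it are constructed to mirror the tutorial’s client, client2 and client3; the dn values are made up:

```python
"""Inventory the easy-rsa CA database and flag entries that break the
one-unique-CN-per-client rule or are already expired or revoked.

Added example; not part of the tutorial or of easy-rsa. easy-rsa keeps
the OpenSSL CA database at keys/index.txt, one tab-separated line per
issued certificate: status (V/R/E), expiry, revocation date, serial,
filename, subject DN. SAMPLE_INDEX is constructed in that layout.
"""
from datetime import datetime, timezone

# constructed sample: same common names as the tutorial, made-up DN values
SAMPLE_INDEX = """\
V\t180101120000Z\t\t01\tunknown\t/C=XX/O=example/CN=server/emailAddress=admin@example.com
V\t180101120000Z\t\t02\tunknown\t/C=XX/O=example/CN=client/emailAddress=admin@example.com
R\t180101120000Z\t090601080000Z\t03\tunknown\t/C=XX/O=example/CN=client2/emailAddress=admin@example.com
V\t180101120000Z\t\t04\tunknown\t/C=XX/O=example/CN=client/emailAddress=admin@example.com
V\t090101120000Z\t\t05\tunknown\t/C=XX/O=example/CN=client3/emailAddress=admin@example.com
"""
# the point in time the sample is audited at (constructed, so the result is fixed)
SAMPLE_NOW = datetime(2010, 1, 1, tzinfo=timezone.utc)


def parse_asn1_utctime(value):
    """YYMMDDHHMMSSZ as written by openssl ca (two-digit year, UTC)."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """One dict per index.txt line; raises on lines that are not six tab-separated fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, revoked, serial, _filename, subject = fields
        # subject is /key=value/key=value...; CN is what openvpn identifies the peer by
        rdn = dict(part.split("=", 1) for part in subject.strip("/").split("/"))
        entries.append({
            "status": status, "serial": serial, "cn": rdn.get("CN"),
            "expires": parse_asn1_utctime(expiry),
            "revoked": parse_asn1_utctime(revoked) if revoked else None,
        })
    return entries


def audit(text, now):
    """Problems an openvpn admin should fix before handing out more keys."""
    entries = parse_index(text)
    live = [e for e in entries if e["status"] == "V" and e["expires"] > now]
    by_cn = {}
    for e in live:
        by_cn.setdefault(e["cn"], []).append(e["serial"])
    return {
        # two live certs with one CN: without duplicate-cn the second login kicks the first
        "duplicate_cn": {cn: serials for cn, serials in by_cn.items() if len(serials) > 1},
        "expired": [e["cn"] for e in entries if e["status"] == "V" and e["expires"] <= now],
        "revoked": [e["cn"] for e in entries if e["status"] == "R"],
        "usable": sorted(set(e["cn"] for e in live)),
    }


def audit_sample():
    """Run the audit over the constructed sample as of SAMPLE_NOW."""
    return audit(SAMPLE_INDEX, SAMPLE_NOW)


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(key, value)
```

against your own ca, call audit(open("keys/index.txt").read(), datetime.now(timezone.utc)). note that the server itself never reads index.txt: a certificate marked R there is still accepted until you run ./revoke-full <name>, which regenerates keys/crl.pem, and add crl-verify pointing at that file to the server config.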

this is a fairly basic configuration, close to the sample server.conf that ships with openvpn. two things to note: proto tcp gets through restrictive firewalls, but udp (openvpn’s default) performs better because tcp-inside-tcp degrades badly under packet loss; and dh1024.pem is what easy-rsa produced with the default KEY_SIZE, if you raised it to 2048 the file is called dh2048.pem. the server’s private key should be readable by root only (chmod 600 server.key).

openvpn ~ # cat /etc/openvpn/openvpn.conf
port 1194
proto tcp
dev tun
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/server.crt
key /usr/share/openvpn/easy-rsa/keys/server.key
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

start openvpn

openvpn ~ # /etc/init.d/openvpn start

add openvpn to startup

openvpn ~ # rc-update add openvpn default

now you will also have to open port 1194 (tcp in this config) on your network’s firewall and NAT it to the openvpn server, so that clients from outside can reach it.
you may also need to look at routing: the openvpn server hands out addresses from 10.8.0.0/24, which the rest of your lan does not know about, so add a route for that subnet via the openvpn server on your lan’s gateway or replies from internal machines will not find their way back to the vpn clients.

one can also create a different config for each user connecting to the server (openvpn’s client-config-dir, keyed by the certificate’s common name) and restrict them to certain machines on your network, but i only did a basic configuration here. if you want to do more with it you can read up on it in the openvpn documentation or you can leave a comment.

so that’s that for the server configuration.
now we have to configure the client to be able to connect to the server.

you can download the openvpn windows client (including the gui) from the openvpn website.

i created a folder on my desktop for the client configurations

C:\Users\geochi\Desktop\OpenVPN\client.ovpn
client
dev tun
proto tcp
# change this to your server's ip or hostname
remote some.hostname 1194
resolv-retry infinite
nobind

persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key

comp-lzo
verb 3
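both configs above are the minimum that works, and several defaults they rely on are weak. as an added example (not from this tutorial or from the openvpn project), here is a small python linter that reads an openvpn config, reports the settings a practitioner would change before exposing the server (tcp transport, 1024-bit dh, lzo compression, no tls-auth key, unpinned data cipher and hmac, and on the client no remote-cert-tls check) and writes out a hardened copy. the embedded SERVER_CONF and CLIENT_CONF are constructed from the configs shown above; ta.key is an assumed name for the tls-auth key you would generate:

```python
"""Lint an openvpn config for weak settings and emit a hardened copy.

Added example, not part of the tutorial or of openvpn. SERVER_CONF and
CLIENT_CONF are constructed from the tutorial's configs; the directive
names are real openvpn options, the advice is this example's own, and
ta.key is an assumed file name for the tls-auth key.
"""
import re

SERVER_CONF = """\
port 1194
proto tcp
dev tun
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/server.crt
key /usr/share/openvpn/easy-rsa/keys/server.key
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
comp-lzo
user nobody
group nobody
verb 3
"""

CLIENT_CONF = """\
client
dev tun
proto tcp
remote some.hostname 1194   # hostname as in the tutorial
nobind
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
"""

MIN_DH_BITS = 2048


def parse_conf(text):
    """(directive, args) in file order; '#' and ';' start comments. no quoting support."""
    out = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if line:
            name, *args = line.split()
            out.append((name, args))
    return out


def role_of(names):
    return "client" if "client" in names else "server"


def lint(text):
    """List of (directive, why it matters) findings, in config order then missing ones."""
    directives = parse_conf(text)
    names = {n for n, _ in directives}
    role = role_of(names)
    findings = []
    for name, args in directives:
        if name == "proto" and args and args[0].startswith("tcp"):
            findings.append(("proto", "tcp carries tcp inside tcp and stalls under loss; use udp unless a firewall forces tcp"))
        elif name == "dh" and args:
            m = re.search(r"dh(\d+)\.pem$", args[0])
            if m and int(m.group(1)) < MIN_DH_BITS:
                findings.append(("dh", "%s-bit dh group; set KEY_SIZE=2048 in vars and rerun ./build-dh" % m.group(1)))
        elif name == "comp-lzo":
            findings.append(("comp-lzo", "compressing tunnelled traffic enables compression oracles (VORACLE); remove it"))
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append(("tls-auth", "no hmac firewall, unauthenticated packets reach the tls stack; openvpn --genkey --secret ta.key, then tls-auth on both ends"))
    if "cipher" not in names:
        findings.append(("cipher", "data channel uses the build default (BF-CBC, 64-bit blocks, on openvpn 2.3 and older); pin an AES cipher"))
    if "auth" not in names:
        findings.append(("auth", "packet hmac defaults to SHA1; set auth SHA256 on both ends"))
    if role == "client" and "remote-cert-tls" not in names:
        findings.append(("remote-cert-tls", "any certificate this ca signed, another client's included, is accepted as the server; add remote-cert-tls server"))
    if role == "server" and not {"user", "group"} <= names:
        findings.append(("user/group", "daemon keeps root after startup; add user nobody / group nobody"))
    return findings


def harden(text):
    """Rewrite text with the lint findings applied; tls-auth direction is 0 on the server, 1 on clients."""
    directives = parse_conf(text)
    names = {n for n, _ in directives}
    role = role_of(names)
    out = []
    for name, args in directives:
        if name == "proto" and args and args[0].startswith("tcp"):
            args = ["udp"]
        elif name == "dh" and args:
            args = [re.sub(r"dh\d+\.pem$", "dh%d.pem" % MIN_DH_BITS, args[0])]
        elif name == "comp-lzo":
            continue
        out.append(" ".join([name] + args))
    if not names & {"tls-auth", "tls-crypt"}:
        out.append("tls-auth ta.key %d" % (0 if role == "server" else 1))
    if "cipher" not in names:
        out.append("cipher AES-256-CBC")
    if "auth" not in names:
        out.append("auth SHA256")
    if role == "client" and "remote-cert-tls" not in names:
        out.append("remote-cert-tls server")
    if role == "server" and not {"user", "group"} <= names:
        out.extend(["user nobody", "group nobody"])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for directive, why in lint(conf):
            print("%s: %s: %s" % (label, directive, why))
        print(harden(conf))
```

the hardened settings must match on both ends: the same cipher and auth, tls-auth with direction 0 on the server and 1 on every client, and dh2048.pem only exists if you set KEY_SIZE=2048 before running ./build-dh. remote-cert-tls server works because easy-rsa’s build-key-server issues the server certificate with the serverAuth extension that ordinary client certificates lack.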

copy the following files from the openvpn server to your windows machine. ca.crt and client.crt are public, but client.key is this client’s private key: move it over a secure channel (scp, or a usb stick), never by plain e-mail, and copy only that client’s key, never server.key or ca.key.

cd C:\Users\geochi\Desktop\OpenVPN\
C:\Users\geochi\Desktop\OpenVPN\> dir
ca.crt
client.crt
client.key
client.ovpn

you can then right-click client.ovpn and choose “Start OpenVPN on this config file”.
if you are having trouble connecting, have a look at the firewall settings on your desktop, your router and any firewall in front of the server: port 1194 (tcp in this config) must be reachable from the client.
