OpenVPN

Introduction

OpenVPN, or Open Virtual Private Network, is a tool for creating networking "tunnels" between and among groups of computers that are not on the same local network. This is useful if you have services on a local network and need to access them remotely but don't want these services to be publicly accessible. By integrating with OpenSSL, OpenVPN can encrypt all VPN traffic to provide a secure connection between machines.

Installing OpenVPN

Begin by installing the OpenVPN software and the udev dependency with the following command:

sudo aptitude install openvpn udev

The OpenVPN package provides a set of encryption-related tools called "easy-rsa". These scripts are located by default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. However, in order to function properly, these scripts should be located in the /etc/openvpn directory. Copy these files with the following command:

sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn

Most of the relevant configuration for the OpenVPN public key infrastructure is contained in /etc/openvpn/easy-rsa/2.0/, and much of our configuration will be located in this directory.

Configure Public Key Infrastructure Variables

Before we can generate the public key infrastructure for OpenVPN we must configure a few variables that the easy-rsa scripts will use when generating the certificates. These variables are set near the end of the /etc/openvpn/easy-rsa/2.0/vars file. Here is an example of the relevant values.

File: /etc/openvpn/easy-rsa/2.0/vars :

export KEY_COUNTRY="US"
export KEY_PROVINCE="OH"
export KEY_CITY="Oxford"
export KEY_ORG="Ducklington"
export KEY_EMAIL="squire@ducklington.org"

Alter the examples to reflect your configuration. This information will be included in certificates you create and it is important that the information be accurate, particularly the KEY_ORG and KEY_EMAIL values.

Initialize the Public Key Infrastructure (PKI)

Issue the following three commands in sequence to initialize the certificate authority and the public key infrastructure:

cd /etc/openvpn/easy-rsa/2.0/
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/clean-all
. /etc/openvpn/easy-rsa/2.0/build-ca

These scripts will prompt you to enter a number of values. If you set the correct values in vars, the prompts will already contain them and you will be able to press return at each one, which ensures that your PKI is configured consistently.

Generate Certificates and Private Keys

With the certificate authority generated you can generate the private key for the server. To accomplish this, issue the following command:

. /etc/openvpn/easy-rsa/2.0/build-key-server server

This script will also prompt you for additional information. By default, the Common Name for this key will be "server". You can change these values in cases where it makes sense to use alternate values. The challenge password and company names are optional and can be left blank. When you've completed the question section you can confirm the signing of the certificate and the "certificate requests certified" by answering "yes" to these questions.

With the private keys generated, we can create certificates for all of the VPN clients. Issue the following command:

. /etc/openvpn/easy-rsa/2.0/build-key client1

Replace the client1 parameter with a relevant identifier for each client. You will want to generate a unique key for every user of the VPN. Each key should have its own unique identifier. All other information can remain the same. If you need to add other users to your OpenVPN at any time, repeat this step to create additional keys.

Generate Diffie Hellman Parameters

The "Diffie Hellman Parameters" govern the method of key exchange and authentication used by the OpenVPN server. Issue the following command to generate these parameters:

. /etc/openvpn/easy-rsa/2.0/build-dh

This should produce the following output:

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

This will be followed by a quantity of seemingly random output. When the output stops, the task has succeeded and the parameters have been written to the keys directory as dh1024.pem.


Relocate Secure Keys

The /etc/openvpn/easy-rsa/2.0/keys/ directory contains all of the keys that you have generated using the easy-rsa tools.

Server Keys

The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them. These files are:

ca.crt
ca.key
dh1024.pem
server.crt
server.key

Issue the following commands:

cd /etc/openvpn/easy-rsa/2.0/keys
sudo cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn

These files need not leave your server. Maintaining integrity and control over these files is of the utmost importance to the integrity of your server. If you ever need to move or back up these keys, ensure that they're encrypted and secured. If these files are compromised, they will need to be recreated along with all client keys.

If an individual client key is lost or compromised, revoke that client's certificate instead (see "Revoking Client Certificates" below). Revoking client1, for example, removes the ability of anyone who holds the client1 certificate to access the VPN. For this reason, keeping track of which users are in possession of which certificates is crucial.
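As an added example (not part of the original page), the following shell functions perform the copy above with the file permissions a practitioner would want, and audit the result. OpenVPN's server process reads only ca.crt, dh1024.pem, server.crt and server.key; ca.key is the signing key for new client certificates, so the function treats it as optional and copies it only if present. Source and destination directories are arguments; the page's values are /etc/openvpn/easy-rsa/2.0/keys and /etc/openvpn, and the install step should be run as root.

```sh
#!/bin/sh
# Added example, not part of the original page: install the server-side PKI
# files with the right permissions and audit the private keys afterwards.

# Return 0 if a file is readable/writable by its owner only (mode 0600 or 0400).
key_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# install_server_keys SRC DST
# SRC is the easy-rsa keys directory, DST the OpenVPN configuration directory.
install_server_keys() {
    src=$1; dst=$2
    # Public material: world-readable is fine.
    for f in ca.crt dh1024.pem server.crt; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        cp "$src/$f" "$dst/$f" && chmod 0644 "$dst/$f" || return 1
    done
    # Private material: owner-only from the moment the copy is created.
    # server.key is required; ca.key is copied only if it is present.
    for f in server.key ca.key; do
        if [ -f "$src/$f" ]; then
            (umask 077 && cp "$src/$f" "$dst/$f") || return 1
            chmod 0600 "$dst/$f" || return 1
        elif [ "$f" = server.key ]; then
            echo "missing $src/$f" >&2; return 1
        fi
    done
    return 0
}

# audit_private_keys DIR: report any *.key that other users could read.
# Returns 1 if at least one key has loose permissions.
audit_private_keys() {
    rc=0
    for k in "$1"/*.key; do
        [ -e "$k" ] || continue
        if ! key_is_private "$k"; then
            echo "loose permissions: $k" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run the audit after every change to /etc/openvpn; a key that a local user can read gives that user the same access to the VPN as the key's owner.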

Client Keys

In order to authenticate to the VPN, you'll need to copy a number of certificate and key files to the remote client machines. They are:

ca.crt
client1.crt
client1.key

You can use the scp tool, or any other means of transferring. Be advised, these keys should be transferred with the utmost attention to security. Anyone who has the key or is able to intercept an unencrypted copy of the key will be able to gain full access to your virtual private network.

Typically we recommend that you encrypt the keys for transfer, either by using a protocol like SSH, or by encrypting them with the PGP tool.

Configuring the Virtual Private Network

We'll now need to configure the server configuration file. There's an example file in /usr/share/doc/openvpn/examples/sample-config-files. Issue the following sequence of commands to retrieve the example configuration file and move it to the /etc/openvpn directory (both the example directory and /etc/openvpn are writable only by root):

cd /usr/share/doc/openvpn/examples/sample-config-files
sudo gunzip -d server.conf.gz
sudo cp server.conf /etc/openvpn/

The default settings in here are generally pretty good to get your server going. The conf file is well commented and worth reading through in case you need to make any changes. Options that may be worth looking at are:

  • local - optionally set an IP address to listen on.
  • port - the port number OpenVPN will listen on.
  • proto - the protocol to use, TCP or UDP.
  • server - the private network range that OpenVPN will use.

Enable VPN Traffic Through Firewall

If you have a firewall configured (as per the instructions followed in the Initial Setup section of this guide) then you'll need to add a rule to allow OpenVPN traffic to pass through the firewall.

Firstly add the following lines to your /etc/iptables.test.rules file:

File: /etc/iptables.test.rules

# Allow OpenVPN connections
-A INPUT -p udp --dport 1194 -j ACCEPT

We now need to switch to the root user (su root) in order to issue the command to test the rules on the firewall:

iptables-restore < /etc/iptables.test.rules

If the rules load without error, update the master rule set in /etc/iptables.up.rules so that these changes are applied the next time the server is rebooted. You can exit from the root user account now.

sudo cp /etc/iptables.test.rules /etc/iptables.up.rules

Connect to the OpenVPN

To initialize the OpenVPN server process, run the following command:

sudo /etc/init.d/openvpn start

This will scan the /etc/openvpn directory on the server for files with a .conf extension. For every file that it finds, it will create and run a VPN daemon (server).

The process for connecting to the VPN varies depending on your specific operating system and distribution running on the client machine. You will need to install the OpenVPN package for your operating system if you have not already.

Most network management tools provide some facility for managing connections to a VPN. Configure connections to your OpenVPN through the same interface where you might configure wireless or ethernet connections. If you choose to install and manage OpenVPN manually, you will need to place the client1.conf file and the requisite certificate files in the local machine's /etc/openvpn directory, or equivalent location.

Example 3rd party tools for managing OpenVPN client connections:

  • Mac OS X - Tunnelblick tool. See the section at the bottom of this page for details about how to set up and use Tunnelblick.
  • Windows - Open VPN GUI tool.
  • Linux Desktop users can install the OpenVPN package and use the network management tools that come with your desktop environment.

Using OpenVPN

Connect Remote Networks Securely With the VPN

Once configured, the OpenVPN server allows you to encrypt traffic between your local computer and your Linode's local network. While all other traffic is handled in the conventional manner, the VPN allows traffic on non-public interfaces to be securely passed through your Linode. This will also allow you to connect to the local area network in your Linode's data center if you are using the LAN to connect to multiple Linodes in the same datacenter. Using OpenVPN in this manner is supported by the default configuration, and if you connect to the OpenVPN you have configured at this point you will have access to this functionality.

Tunnel All Connections through the VPN

By deploying the following configuration, you will be able to forward all traffic from client machines through your Linode, and encrypt it with transport layer security (TLS/SSL) between the client machine and the Linode. Begin by adding the following parameter to the /etc/openvpn/server.conf file to enable "full tunneling":

File: /etc/openvpn/server.conf

push "redirect-gateway def1"

Now edit the /etc/sysctl.conf file to uncomment or add the following line to ensure that your system is able to forward IPv4 traffic:

File: /etc/sysctl.conf

net.ipv4.ip_forward=1

Issue the following command to set this variable for the current session:

echo 1 > /proc/sys/net/ipv4/ip_forward

We now need to update the firewall to forward traffic through the VPN. Do this using the same method outlined above.

Add the next block to the top of /etc/iptables.test.rules, above the *filter block:

File: /etc/iptables.test.rules

*nat

-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

COMMIT

And then add the following to the *filter section:

# Tunnel All Connections through the VPN
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i tun0 -j ACCEPT

This will enable all client traffic except DNS queries to be forwarded through the VPN.
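The two firewall fragments on this page (the INPUT rule from "Enable VPN Traffic Through Firewall" and the *nat and FORWARD rules above) depend on values set in server.conf: port, proto and the server network. As an added example that is not part of the original page, the shell functions below read those values from server.conf, render the matching rules in iptables-restore format, and check the result before it is applied. The output contains only the VPN-related rules and is meant to be merged into your /etc/iptables.test.rules alongside the rules from the Initial Setup section; the public interface name (eth0 on the page) is passed as an argument.

```sh
#!/bin/sh
# Added example, not part of the original page: derive the VPN firewall rules
# from server.conf so the firewall never drifts from the OpenVPN configuration.

# conf_value FILE KEY [DEFAULT]: print the value of an uncommented OpenVPN
# directive (first match). Lines commented with ';' or '#' never match
# because their first field is not the bare directive name.
conf_value() {
    v=$(awk -v key="$2" '$1 == key { print $2; exit }' "$1")
    [ -n "$v" ] && echo "$v" || echo "$3"
}

# vpn_subnet FILE: turn "server 10.8.0.0 255.255.255.0" into 10.8.0.0/24.
# The two masks seen in the sample configs are mapped to prefix lengths;
# any other mask is emitted as-is, which iptables also accepts.
vpn_subnet() {
    awk '$1 == "server" {
        if ($3 == "255.255.255.0") m = "24";
        else if ($3 == "255.255.0.0") m = "16";
        else m = $3;
        print $2 "/" m; exit }' "$1"
}

# render_vpn_rules SERVER_CONF PUBLIC_IFACE: write the VPN rules to stdout.
# The *nat table goes above *filter, as the page instructs.
render_vpn_rules() {
    conf=$1; iface=$2
    port=$(conf_value "$conf" port 1194)
    proto=$(conf_value "$conf" proto udp)
    subnet=$(vpn_subnet "$conf")
    [ -n "$subnet" ] || { echo "no 'server' directive in $conf" >&2; return 1; }
    cat <<EOF
*nat
-A POSTROUTING -s $subnet -o $iface -j MASQUERADE
COMMIT
*filter
# Allow OpenVPN connections
-A INPUT -p $proto --dport $port -j ACCEPT
# Tunnel All Connections through the VPN
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $subnet -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i tun0 -j ACCEPT
COMMIT
EOF
}

# check_rules FILE: every table must be closed by COMMIT (iptables-restore
# otherwise rejects the whole file), and the FORWARD chain must end in a
# REJECT so enabling ip_forward does not turn the server into an open router.
check_rules() {
    tables=$(grep -c '^\*' "$1")
    commits=$(grep -c '^COMMIT$' "$1")
    [ "$tables" -eq "$commits" ] || { echo "table/COMMIT mismatch in $1" >&2; return 1; }
    grep -q '^-A FORWARD -j REJECT' "$1" || { echo "FORWARD chain has no final REJECT" >&2; return 1; }
    return 0
}
```

A typical use is `render_vpn_rules /etc/openvpn/server.conf eth0 > /tmp/vpn.rules && check_rules /tmp/vpn.rules`, followed by merging the output into /etc/iptables.test.rules and testing it with iptables-restore as described above.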

To forward DNS traffic through the VPN you will need to install the dnsmasq package and modify the /etc/openvpn/server.conf file. Before we can install dnsmasq we must enable the "universe" repositories. Edit /etc/apt/sources.list to uncomment or add the following lines:

File: /etc/apt/sources.list

## universe repositories - uncomment to enable
deb http://us.archive.ubuntu.com/ubuntu/ lucid universe
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid universe

deb http://us.archive.ubuntu.com/ubuntu/ lucid-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid-updates universe

deb http://security.ubuntu.com/ubuntu lucid-security universe
deb-src http://security.ubuntu.com/ubuntu lucid-security universe

Now reload the package database by issuing the following command:

sudo aptitude update

Finally install the dnsmasq package with the following command:

sudo aptitude install dnsmasq

We need to tell OpenVPN to push a DNS address to the clients when they connect. To do this add the following directive to the /etc/openvpn/server.conf file:

File: /etc/openvpn/server.conf

push "dhcp-option DNS 10.8.0.1"

Finally, before attempting to connect to the VPN in any configuration, restart the OpenVPN server by issuing the following command:

sudo /etc/init.d/openvpn restart

Once these configuration options have been implemented, you can test the VPN connection by connecting to the VPN from your local machine, and access one of the many websites that will display your IP address. If the IP address displayed matches the IP address of your Linode, all network traffic from your local machine will be filtered through your Linode and encrypted over the VPN between your Linode and your local machine. If, however, your apparent public IP address is different from your Linode's IP address, your traffic is not being filtered through your Linode or encrypted by the VPN.

Revoking Client Certificates

If you need to remove a user's access to the VPN server, issue the following command sequence from the easy-rsa directory (the vars script derives the keys directory from the current working directory):

cd /etc/openvpn/easy-rsa/2.0/
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/revoke-full client1

The revoke-full script updates the certificate revocation list in /etc/openvpn/easy-rsa/2.0/keys/crl.pem. OpenVPN only rejects revoked certificates if server.conf contains a crl-verify directive pointing at that file (for example "crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem"), so add one and restart the server after revoking.

Using Tunnelblick For Mac OS X

Firstly download and install the latest stable release of Tunnelblick. At the time of writing this was version 3.0.

Launch the Tunnelblick application for the first time so that it can create the necessary configuration folder and files for your user. Tunnelblick will appear as an icon in your menu bar. Quit Tunnelblick so that we can now make the necessary configuration changes.

Configuration

The Configurations folder is created in /Users/username/Library/Application Support/Tunnelblick/Configurations, where username is the name of your user account.

Copy the client keys that you created above to this folder.

When launched, Tunnelblick scans the Configurations folder looking for any .conf files. Each one found is presented in its menu of connections. By default Tunnelblick provides an example named client.conf. Start by renaming this file to something more meaningful, e.g. the hostname of your server.

You will now need to edit this configuration file using a suitable text editor.

  1. Set the address of our remote OpenVPN server
    remote server.domain.com 1194
  2. Set the SSL/TLS parameters
    ca ca.crt
    cert client1.crt
    key client1.key

NOTES:

  • If you are using a custom port for OpenVPN then remember to set that for the remote connection line.
  • Change the names of the keys files to match the key files copied down from your server.
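As an added example (not part of the original page or of Tunnelblick), the shell functions below generate the client configuration described in steps 1 and 2 and check that the certificate and key files it names are present beside it, which is the usual cause of a freshly copied profile that refuses to connect. Host, port, client name and protocol are arguments; server.domain.com, 1194 and client1 are the page's placeholder values, and the protocol must match the proto setting in server.conf. The generated file also includes remote-cert-tls server, a directive not mentioned on this page: it makes the client accept only a certificate issued by build-key-server, so that another client certificate from the same CA cannot pose as the server.

```sh
#!/bin/sh
# Added example, not part of the original page: write a client configuration
# and verify that the files it references exist next to it.

# make_client_conf HOST PORT CLIENT_NAME [PROTO]: print a client configuration.
# CLIENT_NAME is the identifier given to build-key (client1 on the page).
make_client_conf() {
    host=$1; port=$2; name=$3; proto=${4:-udp}
    cat <<EOF
client
dev tun
proto $proto
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $name.crt
key $name.key
# Only accept a server certificate issued for server use by our CA; without
# this, any client certificate signed by the same CA could pose as the server.
remote-cert-tls server
verb 3
EOF
}

# check_client_conf FILE: each ca/cert/key directive must name an existing
# file. Relative names are resolved against the configuration's own folder
# (assumed here; Tunnelblick keeps keys beside the .conf in Configurations).
# Prints the missing files and returns 1 if any is absent.
check_client_conf() {
    conf=$1
    dir=$(dirname "$conf")
    rc=0
    for ref in $(awk '$1 == "ca" || $1 == "cert" || $1 == "key" { print $2 }' "$conf"); do
        case "$ref" in
            /*) path=$ref ;;
            *)  path=$dir/$ref ;;
        esac
        if [ ! -f "$path" ]; then
            echo "missing $path (referenced by $conf)" >&2
            rc=1
        fi
    done
    return $rc
}
```

For the page's setup, `make_client_conf server.domain.com 1194 client1 > server.domain.com.conf` inside the Configurations folder, followed by `check_client_conf server.domain.com.conf`, reproduces steps 1 and 2 and confirms the key files copied from the server are named as the NOTES require.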

Connecting

Launch Tunnelblick - you may get a message about permissions needing to be updated on the newly created configuration file and keys. Once done, click its icon and from the menu select the "Connect" option for the connection we just configured. All being well the Tunnelblick icon will flash and end up with a white centre (tunnel open), indicating the connection is established.

For more details about the connection or to diagnose potential problems select the "Details…" option from the Tunnelblick menu. This will present a window similar to the one below:

[Figure: Tunnelblick connection "Details…" window]

Set nameserver
Check this to make Tunnelblick set your local DNS settings to those "pushed" from the server. When the connection is closed your old settings will be restored. Enable this if you want all traffic on your Mac, including DNS, to be passed down the VPN connection.

NOTE: There are rules to how Tunnelblick can do this based on which version of Mac OS X you are running. Please see this section in the QuickStartGuide for more information. Basically, on 10.6 you shouldn't have any manual DNS servers defined in your active Network connection as Tunnelblick will not be able to replace these. To avoid this problem leave your DNS servers empty and have them supplied automatically by your router.

Monitor connection (Only available if "Set nameserver" is checked.)
If checked, Tunnelblick will monitor the network and restart the connection if changes to the network DNS or WINS configurations are detected. If unchecked, or if "Set nameserver" is not checked, no monitoring will be done. Note: under certain circumstances, repeated and unnecessary restarts are performed when "Monitor connection" is checked; unchecking it stops this from occurring.


Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License