OpenVPN

From Halfface
Jump to navigation Jump to search

Generate the master Certificate Authority (CA) certificate & key

sudo rsync -a /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/easy-rsa/

/etc/openvpn/easy-rsa/vars set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters.

. ./vars
./clean-all
./build-ca

Answer yes on everything exept:

Generate certificate & key for server

When the Common Name is queried, enter "server"

./build-key-server server

Generate Diffie Hellman parameters

./build-dh

HMAC firewall

cd /etc/openvpn/easy-rsa/keys && openvpn --genkey --secret ta.key

Generate certificates & keys for client

Howto create a new client config.

cd /etc/openvpn/easy-rsa/
. vars
./build-key rollewrt
cp keys/rollewrt.* /etc/openvpn/blt/
cd /etc/openvpn/blt
cp blt_olle.ovpn blt_rollewrt.ovpn
vim blt_rollewrt.ovpn
for i in rollewrt ;do echo $i ;tar czf /tmp/openvpn-client-$i-blt.homeip.net.tar.gz $i.* ca.crt ta.key blt_$i.ovpn;done
for i in bob ;do echo $i ;tar czf /tmp/openvpn-client-$i-www.halfface.se.tar.gz $i.* ca.crt ta.key halfface_$i.ovpn;done

Key Files

Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:

Filename 	Needed By 			Purpose 			Secret
ca.crt 		server + all clients 		Root CA certificate 		NO
ca.key 		key signing machine only 	Root CA key 			YES
dh{n}.pem 	server only 			Diffie Hellman parameters 	NO
server.crt 	server only 			Server Certificate 		NO
server.key 	server only 			Server Key 			YES
client1.crt 	client1 only 			Client1 Certificate 		NO
client1.key 	client1 only 			Client1 Key 			YES

setup server and client

server

Copy example configuration files.

mkdir /etc/openvpn/config; cp /usr/share/doc/openvpn-2.1/sample-config-files/{client,server}.conf /etc/openvpn/config

Copy keys to location.

cp -p ca.crt server.crt server.key dh1024.pem ta.key ../..

Edit server.conf

# change this value to the network behind the openvpn server
push "route 192.168.0.0 255.255.255.0"
# Enable clients to comunicate with each other.
client-to-client
# Enable hmac firewall.
tls-auth ta.key 0 # This file is secret

Copy server.conf to location:

cp /etc/openvpn/config/server.conf /etc/openvpn

Edit client.conf and save as /etc/openvpn/blt

# Change to name of openvpn server.
remote blt.homeip.net 1194
# Change path to certificates.
ca blt/ca.crt
cert blt/bjorklun.crt
key blt/bjorklun.key
# Enable hmac firewall.
tls-auth ta.key 1

Copy certificates.

cp -p /etc/openvpn/easy-rsa/keys/{ca.crt,bjorklun.*,ta.key} /etc/openvpn/blt/

Create openvpn config to transfer to client.

for i in rolle olle strate;do echo $i ;tar czf /install/program/windows/openvpn/openvpn-client-$i-blt.homeip.net.tar.gz $i.* ca.crt ta.key blt_$i.ovpn;done

Route a client network.

/etc/openvpn/server.conf:route 192.168.10.0 255.255.255.0
/etc/openvpn/server.conf:push "route 192.168.10.0 255.255.255.0"
/etc/openvpn/ccd/rollewrt:iroute 192.168.10.0 255.255.255.0