vpn-1_sc_connect

Install openvpn using the rpm

Installing OpenVPN from a binary RPM package has these dependencies:

  • openssl
  • lzo
  • pam

Install the rpms as root:

    rpm -ivh openvpn-2.0.5-1.el4.rf.i386.rpm

Install the lzo rpm:

    rpm -ivh lzo-1.08-4.2.el4.rf.i386.rpm

The main configuration directory for OpenVPN is /etc/openvpn.

Setting up your Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients

The first step in building an OpenVPN 2.0 configuration is to establish a PKI (public key infrastructure). The PKI consists of:

  • A separate certificate (also known as a public key) and private key for the server and each client, and
  • A master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates

Copy the /usr/share/doc/openvpn-2.0.7/easy-rsa/2.0/ directory to /etc/openvpn/easy-rsa:

    cp -r /usr/share/doc/openvpn-2.0.7/easy-rsa/2.0/ /etc/openvpn/easy-rsa


Configure easy-rsa

Now edit the vars file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.

Next, initialize the PKI. On Linux (vars is sourced into the current shell rather than executed, so that its KEY_* settings are exported to the scripts that follow; clean-all empties the keys directory):

    . ./vars
    ./clean-all
    ./build-ca


The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:

 


    Generating a 1024 bit RSA private key
    ............++++++
    ...........++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [KG]:IN
    State or Province Name (full name) [NA]:KERALA
    Locality Name (eg, city) [BISHKEK]:KOCHI
    Organization Name (eg, company) [OpenVPN-TEST]:company name
    Organizational Unit Name (eg, section) []:company name
    Common Name (eg, your name or your server's hostname) []:company name
    Email Address [Riyesh@linuxbuddies.com]:

Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name (see the example above).

Generate certificate & key for server
Next, we will generate a certificate and private key for the server. On Linux:


./build-key-server server


As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses: "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Generate certificates & keys for clients

Generating client certificates is very similar to the previous step. On Linux:

    ./build-key client1
    ./build-key client2

and so on, one certificate per client.


Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server. On Linux:

    ./build-dh

    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    ................+........................................
    ..................+.............+.................+.........
    ......................................

build-dh writes the parameters to keys/dh<KEY_SIZE>.pem, here keys/dh1024.pem; this is the file the server configuration's dh directive must name.


Creating TLS Key

The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS.

Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key:

    openvpn --genkey --secret ta.key

This command will generate an OpenVPN static key and write it to the file ta.key. This key should be copied over a pre-existing secure channel to the server and all client machines. It can be placed in the same directory as the RSA .key and .crt files.

In the server configuration, add:

tls-auth ta.key 0

In the client configuration, add:

tls-auth ta.key 1

        

Creating configuration files for server and clients

The remote directive names the server the clients connect to; it is a client.conf setting (the second entry is a commented-out alternate server):

remote ekm1.dyndns.org 1194
#remote ekm2.linuxbuddies.com 1194

/etc/openvpn/server.conf

port 1194                               ; Port for OpenVPN traffic
proto tcp                               ; TCP protocol
dev tun                                 ; Use a tun device
ca ca.crt                               ; Certificate of the signing authority (copied from easy-rsa/keys)
cert server.crt                         ; Server certificate
key server.key                          ; Server key (keep this file private)
dh dh1024.pem                           ; Diffie Hellman parameters written by build-dh above (dh<KEY_SIZE>.pem)
server 10.2.100.0 255.255.255.0         ; OpenVPN subnet; must differ from the local networks of server and clients
ifconfig-pool-persist ipp.txt
push "route 10.2.1.0 255.255.255.0"     ; Pushing routes to clients
push "route 10.1.1.0 255.255.255.0"
client-config-dir ccd
route 10.2.100.0 255.255.255.0
push "dhcp-option DNS 10.2.1.11"        ; Pushing the DNS server to clients
client-to-client                        ; Clients can communicate with each other
duplicate-cn                            ; Allow several clients to connect with the same certificate
keepalive 10 120
tls-auth ta.key 0                       ; tls-auth key, direction 0 on the server
comp-lzo                                ; Use LZO compression
max-clients 10
user nobody                             ; Run openvpn as user nobody,
group nobody                            ; group nobody, for security
persist-key
persist-tun
tun-mtu 1500
status openvpn-status.log
log-append /var/log/openvpn.log
verb 6
mute 20

client.conf

client                                  ; Equivalent to tls-client plus pull
dev tun
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1                       ; tls-auth key, direction 1 on the client
comp-lzo
verb 3
mute 20
ns-cert-type server                     ; Only accept a peer whose certificate was issued by build-key-server (nsCertType=server)
auth-user-pass
pull
mssfix 1450
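The two files above must agree on transport (proto, dev), compression and the tls-auth key direction (0 on the server, 1 on the client), and the client's ns-cert-type server line is what stops a peer holding only a client certificate from posing as the server. As an added example, not code from this page or from the OpenVPN project, the following Python parses both files the way OpenVPN tokenises them (trailing ';' comments allowed, unclosed quotes rejected) and reports mismatches; the two excerpts are constructed for the demonstration.

```python
import shlex

def parse_conf(text):
    """(directive, args) pairs plus syntax problems; '#' and ';' open comments outside quotes."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        lex = shlex.shlex(raw, posix=True)
        lex.whitespace_split, lex.commenters = True, "#;"
        try:
            tokens = list(lex)
        except ValueError as exc:  # OpenVPN rejects the same line ("No closing quotation")
            problems.append(f"line {lineno}: {exc}: {raw.strip()}")
            tokens = []
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries, problems

def args_of(entries, name):
    """Arguments of the first occurrence of a directive, or None if it is absent."""
    return next((a for d, a in entries if d == name), None)

def check_pair(server_text, client_text):
    """Findings for settings the two ends must agree on and for the hardening directives used here."""
    (s, sp), (c, cp) = parse_conf(server_text), parse_conf(client_text)
    findings = [f"server {p}" for p in sp] + [f"client {p}" for p in cp]
    for name in ("proto", "dev", "comp-lzo"):  # transport settings must match on both ends
        if args_of(s, name) != args_of(c, name):
            findings.append(f"{name} differs between server and client")
    ts, tc = args_of(s, "tls-auth"), args_of(c, "tls-auth")
    if (ts is None) != (tc is None):
        findings.append("tls-auth set on one end only; the handshake will fail")
    elif ts and (ts[1:], tc[1:]) not in (([], []), (["0"], ["1"])):
        findings.append("tls-auth key direction must be 0 on server, 1 on client")
    if args_of(c, "ns-cert-type") != ["server"] and args_of(c, "remote-cert-tls") != ["server"]:
        findings.append("client does not check that the peer holds a server certificate")
    if args_of(s, "user") is None or args_of(s, "group") is None:
        findings.append("server does not drop root privileges (user/group missing)")
    return findings

# Constructed excerpts in the style of this page's two files (not the page's own text).
SERVER_CONF = """proto tcp                             ; TCP protocol
dev tun
push "route 10.2.1.0 255.255.255.0"   ; Pushing routes to client
tls-auth ta.key 0
comp-lzo
user nobody
group nobody
"""
CLIENT_CONF = "client\ndev tun\nproto tcp\ntls-auth ta.key 1\ncomp-lzo\nns-cert-type server\n"
```

Running check_pair(SERVER_CONF, CLIENT_CONF) on the constructed pair returns an empty list; feeding it the unquoted push line from the original server.conf reports the unclosed quote as OpenVPN itself would.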

 

 
