OpenVPN: Difference between revisions

From Halfface
Jump to navigation Jump to search
No edit summary
 
(16 intermediate revisions by 3 users not shown)
Line 1: Line 1:
==Generate the master Certificate Authority (CA) certificate & key==
==Generate the master Certificate Authority (CA) certificate & key==


  sudo rsync -a /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa
  sudo rsync -a /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/easy-rsa/


/etc/openvpn/easy-rsa/vars
/etc/openvpn/easy-rsa/vars
Line 8: Line 8:
  ./clean-all
  ./clean-all
  ./build-ca
  ./build-ca
Answer yes on everything exept:


==Generate certificate & key for server==
==Generate certificate & key for server==
Line 13: Line 15:
When the Common Name is queried, enter "server"
When the Common Name is queried, enter "server"
  ./build-key-server server
  ./build-key-server server
Generate Diffie Hellman parameters
./build-dh
HMAC firewall
cd /etc/openvpn/easy-rsa/keys && openvpn --genkey --secret ta.key


==Generate certificates & keys for client==
==Generate certificates & keys for client==
Appropriate Common Name when prompte
Howto create a new client config.
  ./build-key bjorklun
cd /etc/openvpn/easy-rsa/
. vars
  ./build-key rollewrt
cp keys/rollewrt.* /etc/openvpn/blt/
cd /etc/openvpn/blt
cp blt_olle.ovpn blt_rollewrt.ovpn
vim blt_rollewrt.ovpn
for i in rollewrt ;do echo $i ;tar czf /tmp/openvpn-client-$i-blt.homeip.net.tar.gz $i.* ca.crt ta.key blt_$i.ovpn;done


Generate Diffie Hellman parameters
  for i in bob ;do echo $i ;tar czf /tmp/openvpn-client-$i-www.halfface.se.tar.gz $i.* ca.crt ta.key halfface_$i.ovpn;done
  ./build-dh


==Key Files==
==Key Files==
Line 32: Line 46:
  client1.crt client1 only Client1 Certificate NO
  client1.crt client1 only Client1 Certificate NO
  client1.key client1 only Client1 Key YES
  client1.key client1 only Client1 Key YES
==setup server and client==
===server===
Copy example configuration files.
mkdir /etc/openvpn/config; cp /usr/share/doc/openvpn-2.1/sample-config-files/{client,server}.conf /etc/openvpn/config
Copy keys to location.
cp -p ca.crt server.crt server.key dh1024.pem ta.key ../..
Edit server.conf
# change this value to the network behind the openvpn server
push "route 192.168.0.0 255.255.255.0"
# Enable clients to comunicate with each other.
client-to-client
# Enable hmac firewall.
tls-auth ta.key 0 # This file is secret
Copy server.conf to location:
cp /etc/openvpn/config/server.conf /etc/openvpn
Edit client.conf and save as /etc/openvpn/blt
# Change to name of openvpn server.
remote blt.homeip.net 1194
# Change path to certificates.
ca blt/ca.crt
cert blt/bjorklun.crt
key blt/bjorklun.key
# Enable hmac firewall.
tls-auth ta.key 1
Copy certificates.
cp -p /etc/openvpn/easy-rsa/keys/{ca.crt,bjorklun.*,ta.key} /etc/openvpn/blt/
Create openvpn config to transfer to client.
for i in rolle olle strate;do echo $i ;tar czf /install/program/windows/openvpn/openvpn-client-$i-blt.homeip.net.tar.gz $i.* ca.crt ta.key blt_$i.ovpn;done
==Route a client network.==
/etc/openvpn/server.conf:route 192.168.10.0 255.255.255.0
/etc/openvpn/server.conf:push "route 192.168.10.0 255.255.255.0"
/etc/openvpn/ccd/rollewrt:iroute 192.168.10.0 255.255.255.0
[[Category:Applications]]
[[Category:Unix]]
[[Category:Vpn]]

Latest revision as of 04:24, 5 September 2010

Generate the master Certificate Authority (CA) certificate & key

sudo rsync -a /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/easy-rsa/

/etc/openvpn/easy-rsa/vars set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters.

. ./vars
./clean-all
./build-ca

Answer yes on everything exept:

Generate certificate & key for server

When the Common Name is queried, enter "server"

./build-key-server server

Generate Diffie Hellman parameters

./build-dh

HMAC firewall

cd /etc/openvpn/easy-rsa/keys && openvpn --genkey --secret ta.key

Generate certificates & keys for client

Howto create a new client config.

cd /etc/openvpn/easy-rsa/
. vars
./build-key rollewrt
cp keys/rollewrt.* /etc/openvpn/blt/
cd /etc/openvpn/blt
cp blt_olle.ovpn blt_rollewrt.ovpn
vim blt_rollewrt.ovpn
for i in rollewrt ;do echo $i ;tar czf /tmp/openvpn-client-$i-blt.homeip.net.tar.gz $i.* ca.crt ta.key blt_$i.ovpn;done
for i in bob ;do echo $i ;tar czf /tmp/openvpn-client-$i-www.halfface.se.tar.gz $i.* ca.crt ta.key halfface_$i.ovpn;done

Key Files

Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:

Filename 	Needed By 			Purpose 			Secret
ca.crt 		server + all clients 		Root CA certificate 		NO
ca.key 		key signing machine only 	Root CA key 			YES
dh{n}.pem 	server only 			Diffie Hellman parameters 	NO
server.crt 	server only 			Server Certificate 		NO
server.key 	server only 			Server Key 			YES
client1.crt 	client1 only 			Client1 Certificate 		NO
client1.key 	client1 only 			Client1 Key 			YES

setup server and client

server

Copy example configuration files.

mkdir /etc/openvpn/config; cp /usr/share/doc/openvpn-2.1/sample-config-files/{client,server}.conf /etc/openvpn/config

Copy keys to location.

cp -p ca.crt server.crt server.key dh1024.pem ta.key ../..

Edit server.conf

# change this value to the network behind the openvpn server
push "route 192.168.0.0 255.255.255.0"
# Enable clients to comunicate with each other.
client-to-client
# Enable hmac firewall.
tls-auth ta.key 0 # This file is secret

Copy server.conf to location:

cp /etc/openvpn/config/server.conf /etc/openvpn

Edit client.conf and save as /etc/openvpn/blt

# Change to name of openvpn server.
remote blt.homeip.net 1194
# Change path to certificates.
ca blt/ca.crt
cert blt/bjorklun.crt
key blt/bjorklun.key
# Enable hmac firewall.
tls-auth ta.key 1

Copy certificates.

cp -p /etc/openvpn/easy-rsa/keys/{ca.crt,bjorklun.*,ta.key} /etc/openvpn/blt/

Create openvpn config to transfer to client.

for i in rolle olle strate;do echo $i ;tar czf /install/program/windows/openvpn/openvpn-client-$i-blt.homeip.net.tar.gz $i.* ca.crt ta.key blt_$i.ovpn;done

Route a client network.

/etc/openvpn/server.conf:route 192.168.10.0 255.255.255.0
/etc/openvpn/server.conf:push "route 192.168.10.0 255.255.255.0"
/etc/openvpn/ccd/rollewrt:iroute 192.168.10.0 255.255.255.0