OpenVPN
Latest revision as of 04:24, 5 September 2010
Generate the master Certificate Authority (CA) certificate & key
sudo rsync -a /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/easy-rsa/
Edit /etc/openvpn/easy-rsa/vars and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters.
. ./vars
./clean-all
./build-ca
Answer yes to everything except:
Generate certificate & key for server
When the Common Name is queried, enter "server"
./build-key-server server
Generate Diffie Hellman parameters
./build-dh
HMAC firewall
cd /etc/openvpn/easy-rsa/keys && openvpn --genkey --secret ta.key
Generate certificates & keys for client
How to create a new client config.
cd /etc/openvpn/easy-rsa/
. vars
./build-key rollewrt
cp keys/rollewrt.* /etc/openvpn/blt/
cd /etc/openvpn/blt
cp blt_olle.ovpn blt_rollewrt.ovpn
vim blt_rollewrt.ovpn
for i in rollewrt ;do echo $i ;tar czf /tmp/openvpn-client-$i-blt.homeip.net.tar.gz $i.* ca.crt ta.key blt_$i.ovpn;done
for i in bob ;do echo $i ;tar czf /tmp/openvpn-client-$i-www.halfface.se.tar.gz $i.* ca.crt ta.key halfface_$i.ovpn;done
Key Files
Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:
Filename     Needed By                 Purpose                    Secret
ca.crt       server + all clients      Root CA certificate        NO
ca.key       key signing machine only  Root CA key                YES
dh{n}.pem    server only               Diffie Hellman parameters  NO
server.crt   server only               Server Certificate         NO
server.key   server only               Server Key                 YES
client1.crt  client1 only              Client1 Certificate        NO
client1.key  client1 only              Client1 Key                YES
Set up server and client
server
Copy example configuration files.
mkdir /etc/openvpn/config; cp /usr/share/doc/openvpn-2.1/sample-config-files/{client,server}.conf /etc/openvpn/config
Copy keys to location (run from /etc/openvpn/easy-rsa/keys, so ../.. is /etc/openvpn).
cp -p ca.crt server.crt server.key dh1024.pem ta.key ../..
Edit server.conf
# change this value to the network behind the openvpn server
push "route 192.168.0.0 255.255.255.0"
# Enable clients to communicate with each other.
client-to-client
# Enable hmac firewall.
tls-auth ta.key 0 # This file is secret
Copy server.conf to location:
cp /etc/openvpn/config/server.conf /etc/openvpn
Edit client.conf and save it in /etc/openvpn/blt
# Change to name of openvpn server.
remote blt.homeip.net 1194
# Change path to certificates.
ca blt/ca.crt
cert blt/bjorklun.crt
key blt/bjorklun.key
# Enable hmac firewall.
tls-auth ta.key 1
Copy certificates.
cp -p /etc/openvpn/easy-rsa/keys/{ca.crt,bjorklun.*,ta.key} /etc/openvpn/blt/
Create openvpn config to transfer to client.
for i in rolle olle strate;do echo $i ;tar czf /install/program/windows/openvpn/openvpn-client-$i-blt.homeip.net.tar.gz $i.* ca.crt ta.key blt_$i.ovpn;done
Route a client network.
The route and push go in server.conf; the iroute goes in the client-config-dir file named after the client's certificate Common Name (here rollewrt), which requires client-config-dir ccd in server.conf.
/etc/openvpn/server.conf:route 192.168.10.0 255.255.255.0
/etc/openvpn/server.conf:push "route 192.168.10.0 255.255.255.0"
/etc/openvpn/ccd/rollewrt:iroute 192.168.10.0 255.255.255.0
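Two checks for the configuration relationships above, as an added example that is not part of the original page: the tls-auth key direction must be 0 on the server and 1 on every client, and every iroute in a ccd file needs a matching route in server.conf. The sample files, the client name bob and the 192.168.20.0 network are constructed for the example.

```shell
# Added example (not from the original wiki page): consistency checks for the
# server.conf / ccd / client-config layout described above.
# Sample files are constructed here so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/ccd"
cat > "$SAMPLE_DIR/server.conf" <<'EOF'
client-config-dir ccd
route 192.168.10.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
tls-auth ta.key 0 # This file is secret
EOF
cat > "$SAMPLE_DIR/client.ovpn" <<'EOF'
remote blt.homeip.net 1194
tls-auth ta.key 1
EOF
echo 'iroute 192.168.10.0 255.255.255.0' > "$SAMPLE_DIR/ccd/rollewrt"
echo 'iroute 192.168.20.0 255.255.255.0' > "$SAMPLE_DIR/ccd/bob"  # constructed: no route, deliberate

# check_tls_auth_dir CONF DIRECTION: succeed only if CONF has a tls-auth line
# whose key direction is DIRECTION (server 0, clients 1; a mismatch means the
# HMAC check silently drops every packet and the tunnel never comes up).
check_tls_auth_dir() {
    awk -v want="$2" '
        $1 == "tls-auth" { found = 1; if ($3 != want) bad = 1 }
        END { exit (found && !bad) ? 0 : 1 }' "$1"
}

# check_iroutes SERVER_CONF CCD_DIR: for every "iroute NET MASK" in a ccd file,
# require a kernel "route NET MASK" in SERVER_CONF; prints each missing one and
# fails if any is missing (iroute alone never sends the traffic into the tunnel).
check_iroutes() {
    rc=0
    for ccd in "$2"/*; do
        [ -f "$ccd" ] || continue
        for nm in $(awk '$1 == "iroute" { print $2 "/" $3 }' "$ccd"); do
            net=${nm%/*}; mask=${nm#*/}
            if ! awk -v n="$net" -v m="$mask" \
                '$1 == "route" && $2 == n && $3 == m { f = 1 } END { exit f ? 0 : 1 }' "$1"; then
                echo "$(basename "$ccd"): iroute $net $mask has no matching route"
                rc=1
            fi
        done
    done
    return $rc
}

check_tls_auth_dir "$SAMPLE_DIR/server.conf" 0 && echo "server tls-auth direction ok"
check_tls_auth_dir "$SAMPLE_DIR/client.ovpn" 1 && echo "client tls-auth direction ok"
check_iroutes "$SAMPLE_DIR/server.conf" "$SAMPLE_DIR/ccd" || echo "iroute check failed"
```

Point the two functions at the real /etc/openvpn/server.conf, /etc/openvpn/ccd and each generated .ovpn instead of the sample directory to check a live setup.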