OpenVPN 2.0.9 on openSuSE Linux 10.x

This article describes the installation of OpenVPN 2.0.9 on a SuSE Linux 10.x Server with multiple VPN tunnels.

What is OpenVPN?

  • OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP port.

Or have a look at their homepage: OpenVPN.

Normally any Linux distribution comes with precompiled packages, but here we want to compile the whole thing ourselves.

System Description:

Standard SuSE Linux 10.x server, installed in runlevel 3. No graphical system is required.

System requirements:

Install the following packages via SuSE "YaST":

  • openssl
  • openssl-devel
  • lzo
  • lzo-devel
  • make
  • gcc
  • glibc
  • glibc-devel
  • SuSEfirewall2

Now we start with the compilation:

Download, compile and install OpenVPN 2.0.9

$>cd /usr/local/src
$>wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
...
$>tar xzvf openvpn-2.0.9.tar.gz
$>cd openvpn-2.0.9
$>./configure \
  --sbindir=/usr/sbin \
  --with-ssl-headers=/usr/include/openssl \
  --with-ssl-lib=/usr/lib \
  --with-lzo-headers=/usr/include \
  --with-lzo-lib=/usr/lib \
  --enable-iproute2 \
  --with-ifconfig-path=/sbin
$>make
$>make install

We create the directories where we store our config files:

$>mkdir /etc/openvpn
$>mkdir /etc/openvpn/ssl
$>cp suse/openvpn.init /etc/init.d/openvpn # startup file
$>chmod 755 /etc/init.d/openvpn
$>cp sample-config-files/office.up /etc/openvpn/tunnel1.up # up script, referenced by the "up" directive of the server config; the server config tunnel1.conf itself is written by hand below

Now we prepare for certificate authority:

$>cd easy-rsa/ # we are now in "/usr/local/src/openvpn-2.0.9/easy-rsa"
$>cp openssl.cnf /etc/openvpn/
$>vi vars
$>Set KEY_CONFIG to point to the openssl.cnf # in our config it is /etc/openvpn/openssl.cnf
$>Set KEY_DIR to point to a directory which will contain all keys, certificates, etc. # in our config it is /etc/openvpn/ssl
$>. vars # this sets the variables we have changed
$>./clean-all # deletes everything in /etc/openvpn/ssl, be careful!
$>ls -la /etc/openvpn # must look like:
drwxr-xr-x  2 root root  152 Feb 13 17:07 .
drwxr-xr-x 44 root root 4120 Feb 13 17:08 ..
drwxr-xr-x  2 root root  704 Feb 13 17:09 ssl
-rw-r--r--  1 root root 1592 Feb 13 17:10 tunnel1.conf
-rw-r--r--  1 root root 7487 Feb 19 11:01 openssl.cnf

Now we build our own root certificate authority (CA):

$>./build-ca # ca.crt and ca.key are now built in our KEY_DIR directory
$>remember they are stored in /etc/openvpn/ssl; ca.key is the root CA private key and must never leave this machine

Optionally we can build an intermediate certificate authority/key:

$>./build-inter inter # inter.crt and inter.key are now built in our KEY_DIR directory and signed with our root CA certificate

Now we build the Diffie-Hellman parameters:

$>./build-dh # necessary for the server end of a SSL/TLS connection; writes dh1024.pem into KEY_DIR

Now we build a certificate signing request:

$>First transfer "ca.crt" across a secure channel to all external PCs you want to connect later through the tunnel into the company network.
$>Now we build our first certificate. In our example we use "externpc1"; the computer name would be a good choice too.
$>./build-req externpc1
$>You can ignore most of the fields, but set "Common Name" to something unique such as your computer's host name (very important, change this for every key!!!).
$>Your key will be written to $KEY_DIR/externpc1.key and your certificate signing request will be written to $KEY_DIR/externpc1.csr
$>./sign-req externpc1 # we sign the certificate signing request with our own CA
$>Now send "externpc1.crt" and "externpc1.key" to your Windows client "externpc1"; as externpc1.key is a private key, use a secure channel such as the scp/WinSCP transfer described below rather than plain email.
$>The combined files externpc1.crt, externpc1.key and ca.crt can now be used to secure one end of an SSL/TLS connection.

The "tunnel1.conf" configuration file:

$>vi /etc/openvpn/tunnel1.conf # change here
...
# OpenVPN Server config
# all rights by komaii at http://www.komaii.com/linux
# comments to: komaii@gmx.at
# last modified by 
# this file is for server side 
# OpenVPN configuration

# we have a static ip
# your external IP address goes here (Linux Server or Firewall)
local 81.225.xxx.xxx

# Which port should the Server listen on?
# (the client config must use the same value in its port directive)
port 32545

# TCP or UDP server?
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
dev tun

# Client 1 "externpc1"
ifconfig 10.0.0.1 10.0.0.2

# here the route config to the clients net.
up /etc/openvpn/tunnel1.up

# In SSL/TLS key exchange, Office will
# assume server role and Home
# will assume client role.
tls-server

# Diffie-Hellman Parameters (tls-server only)
dh /etc/openvpn/ssl/dh1024.pem

# We use X509 key management
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
# here the certificates and keys we generated with easy-rsa

ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/inter.crt
key /etc/openvpn/ssl/inter.key

# we want compression on.
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# optional: ping the other end every 15 seconds when there is no other traffic
ping 15

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.
#log         openvpn.log
#log-append  openvpn.log
log-append /etc/openvpn/openvpn.log

# 0 is silent, except for fatal errors
# 1 mostly quiet, but display non-fatal network errors.
# 3 medium output, good for normal operation.
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
...
$># save the file

The "externpc1.up" configuration file (save it under the path the server config's "up" directive points to, /etc/openvpn/tunnel1.up, and make it executable):

$>vi /etc/openvpn/tunnel1.up # change here
...
#!/bin/bash
# here we route the remote subnet 192.168.86.0/24 over the tunnel gateway 10.0.0.2
route add -net 192.168.86.0 netmask 255.255.255.0 gw 10.0.0.2
...
$>save the file
$>chmod 755 /etc/openvpn/tunnel1.up # OpenVPN executes the up script, so it must be executable

Change the following settings on SuSEfirewall2:

$>vi /etc/sysconfig/SuSEfirewall2
$>Look for FW_DEV_INT=" and add the tunnel device "tun0" there, like this
$>FW_DEV_INT="eth-id-00:0a:5e:4b:17:9c tun0"
$>Next look for FW_MASQ_NETS=" and add the internal net of the remote side (externpc1)
$>FW_MASQ_NETS="192.168.81.0/24"
$>If the firewall also guards the external interface, the OpenVPN port (UDP 32545 in our server config) must be opened there too, e.g. via FW_SERVICES_EXT_UDP
$>save the file, quit and restart SuSEfirewall2 with
$>rcSuSEfirewall2 restart
$>that's it
...

Download, compile and install "OpenVPN" the same way on the remote machine if it runs Linux. Copy all files (the up script, the tunnel config and the three key files ca.crt, externpc1.crt and externpc1.key) via "scp" or "WinSCP" to the remote machine, change the "ip address" and "ifconfig" values and the "route" setting, change the firewall settings and restart there.
You find a startup script for OpenVPN under "/usr/local/src/openvpn-2.0.9/suse"; copy the "openvpn.init" script to /etc/init.d and fire up the tunnels.

In our example the remote machine is Windows XP (externpc1).

Download and install OpenVPN for Windows now on the remote system:

$>http://openvpn.net/release/openvpn-2.0.9-install.exe
$>install the software
$>now create a file called "externpc1.ovpn"
$>copy/paste mine and change the variables to the values you have, like the remote IP address and the path to the cert files
$>save all your files where you installed the software; in my example it is "C:\Programme\OpenVPN\config"
$>to make it easier to start up OpenVPN on Windows XP I use "OpenVPN GUI"
$>you can download it here: http://openvpn.se/

The "externpc1.ovpn" file:

# OpenVPN Client config
# all rights by komaii at http://www.komaii.com/linux
# comments to: komaii@gmx.at
# last modified by 
# this file is for the client side 
# OpenVPN configuration

# Change here to the server's static IP
remote 81.225.xxx.xxx

# Which port should the client use?
# (OpenVPN 2.0 uses this as local and remote port, so it must
# match the port directive of the server config)
port 32545

# TCP-client or UDP?
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
dev tun

# tunnel addresses: local, then remote (the mirror of the server's ifconfig)
ifconfig 10.0.0.2 10.0.0.1

# SSL/TLS parms.
# See the server config file for more
# description.

ca C:\\Programme\\OpenVPN\\config\\ca.crt
cert C:\\Programme\\OpenVPN\\config\\externpc1.crt
key C:\\Programme\\OpenVPN\\config\\externpc1.key

# we want compression on.
comp-lzo

# Uncomment this section for a more reliable detection when a system
# loses its connection.  For example, dial-ups or laptops that
# travel to other locations.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

# a little logging doesn't hurt
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3

# In SSL/TLS key exchange, Office will
# assume server role and Home
# will assume client role.
tls-client
...
$>save the file
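The two ends of a point-to-point OpenVPN 2.0 tunnel have to agree on several directives (port, proto, dev, comp-lzo, mirrored ifconfig addresses, tls-server/tls-client). The following Python check is an added example, not part of the original HOWTO: it parses constructed excerpts of the server and client configs shown above (including the differing port values between them) and reports the settings that do not line up.

```python
import re

# Constructed excerpts of the HOWTO's configs (comments dropped); the client's port deliberately differs.
SERVER_CONF = """
local 81.225.xxx.xxx
port 32545
proto udp
dev tun
ifconfig 10.0.0.1 10.0.0.2
tls-server
dh /etc/openvpn/ssl/dh1024.pem
comp-lzo
"""
CLIENT_CONF = """
remote 81.225.xxx.xxx
port 32345
proto udp
dev tun
ifconfig 10.0.0.2 10.0.0.1
comp-lzo
tls-client
"""

def parse(text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    conf = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def check_pair(server_text, client_text):
    """Return the mismatches that would keep this point-to-point tunnel down."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    # In OpenVPN 2.0 'port' is both the local and the remote port on each end.
    if s.get("port") != c.get("port"):
        problems.append("port differs: server %s vs client %s" % (s.get("port"), c.get("port")))
    for d in ("proto", "dev", "comp-lzo"):  # must be identical on both ends
        if (d in s) != (d in c) or s.get(d) != c.get(d):
            problems.append("%s must match on both ends" % d)
    # ifconfig takes "local remote", so the client's pair mirrors the server's.
    if s.get("ifconfig", [])[::-1] != c.get("ifconfig", []):
        problems.append("ifconfig addresses are not mirrored")
    if s.get("local") != c.get("remote"):
        problems.append("client 'remote' does not point at the server's 'local'")
    if "tls-server" not in s or "tls-client" not in c:
        problems.append("one end needs tls-server, the other tls-client")
    return problems
```

Run `check_pair(SERVER_CONF, CLIENT_CONF)` against the two files before starting the tunnels; an empty list means the directives that have to agree do agree.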
For security reasons you can now deinstall via "YaST" the following packages on your Linux firewall system:

  • make
  • gcc
  • glibc
  • glibc-devel

Note that glibc itself is needed by every dynamically linked program on the system and YaST will refuse to remove it; in practice only the compiler toolchain (make, gcc) and glibc-devel go.

<<<------------>>> that's it <<<------------>>>