OpenVPN 2.0.9 on openSuSE Linux 10.x
This article describes the installation of OpenVPN 2.0.9 on a SuSE Linux 10.x Server with multiple VPN tunnels.
What is OpenVPN?
- OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP port.
Or have a look at their homepage: OpenVPN.
Normally every Linux distribution comes with precompiled packages, but here we want to compile the whole thing ourselves.
System description:
Standard SuSE Linux 10.x server, installed in runlevel 3. No graphical system is required.
System requirements:
Install the following packages via SuSE "YaST":
- openssl
- openssl-devel
- lzo
- lzo-devel
- make
- gcc
- glibc
- glibc-devel
- SuSEfirewall2
Now we start with the compilation:
Download, compile and install OpenVPN 2.0.9
$>cd /usr/local/src
$>wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
...
$>tar xzvf openvpn-2.0.9.tar.gz
$>cd openvpn-2.0.9
$>./configure \
    --sbindir=/usr/sbin \
    --with-ssl-headers=/usr/include/openssl \
    --with-ssl-lib=/usr/lib \
    --with-lzo-headers=/usr/include \
    --with-lzo-lib=/usr/lib \
    --enable-iproute2 \
    --with-ifconfig-path=/sbin
$>make
$>make install
We create the directories where we store our config files, and install the startup script:
$>mkdir /etc/openvpn
$>mkdir /etc/openvpn/ssl
$>cp suse/openvpn.init /etc/init.d/openvpn    # startup file
$>chmod 755 /etc/init.d/openvpn
$>cp sample-config-files/tls-office.conf /etc/openvpn/tunnel1.conf   # template for the server config, edited below
$>cp sample-config-files/office.up /etc/openvpn/tunnel1.up           # template for the "up" script, edited below
Now we prepare the certificate authority:
$>cd easy-rsa/           # we are now in "/usr/local/src/openvpn-2.0.9/easy-rsa"
$>cp openssl.cnf /etc/openvpn/
$>vi vars
   # set KEY_CONFIG to point to the openssl.cnf; in our config it is /etc/openvpn/openssl.cnf
   # set KEY_DIR to point to a directory which will contain all keys, certificates, etc.;
   # in our config it is /etc/openvpn/ssl
$>. vars                  # this sets the variables we have changed (source it in the same
                          # shell in which you run the build-* scripts below)
$>./clean-all             # deletes everything in /etc/openvpn/ssl, be careful!
$>ls -la /etc/openvpn     # must look like:
drwxr-xr-x  2 root root  152 Feb 13 17:07 .
drwxr-xr-x 44 root root 4120 Feb 13 17:08 ..
drwxr-xr-x  2 root root  704 Feb 13 17:09 ssl
-rw-r--r--  1 root root 1592 Feb 13 17:10 tunnel1.conf
-rw-r--r--  1 root root 7487 Feb 19 11:01 openssl.cnf
Now we build our own root certificate authority (CA):
$>./build-ca    # ca.crt and ca.key are now built in our KEY_DIR directory;
                # remember they are stored in /etc/openvpn/ssl
Optionally we can build an intermediate certificate authority/key:
$>./build-inter inter   # inter.crt and inter.key are now built in our KEY_DIR
                        # directory and signed with our root CA certificate (ca.crt)
Now we build the Diffie-Hellman parameters:
$>./build-dh    # necessary for the server end of a SSL/TLS connection;
                # writes dh1024.pem into KEY_DIR, which the server config refers to
Now we build a certificate signing request for the first client:
$># first transfer "ca.crt" across a secure channel to all external PCs
$># you want to connect later through the tunnel into the firm network.
$># now we build our first certificate; in our example we use "externpc1",
$># the computer name would be a good choice too.
$>./build-req externpc1
$># you can ignore most of the fields, but set "Common Name" to something
$># unique such as your computer's host name
$># (very important, change this for every key!!!).
$># your key will be written to $KEY_DIR/externpc1.key and your
$># certificate signing request to $KEY_DIR/externpc1.csr
$>./sign-req externpc1    # we sign the certificate signing request with our own CA
$># e-mail now "externpc1.crt" and "externpc1.key" to your Windows client "externpc1"
$># (externpc1.key is the client's private key, so treat it like ca.crt above
$># and use a secure channel for it)
$># the combined files externpc1.crt, externpc1.key and ca.crt can now be used
$># to secure one end of the SSL/TLS connection.
The "tunnel1.conf" configuration file:
$>vi tunnel1.conf    # change here ...
# OpenVPN Server config
# all rights by komaii at http://www.komaii.com/linux
# comments to: komaii@gmx.at
# last modified by
# this file is for server side
# OpenVPN configuration
# we have a static ip
# your extern ip address goes here (Linux Server or Firewall)
local 81.225.xxx.xxx
# Which port should the Server listen on?
# (in OpenVPN 2.0 "port" sets the local and the remote port,
# so the client config must use the same value)
port 32545
# TCP or UDP server?
proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
dev tun
# Client 1 "externpc1": local and remote tunnel address
ifconfig 10.0.0.1 10.0.0.2
# here the route config to the clients net.
up /etc/openvpn/tunnel1.up
# In SSL/TLS key exchange, Office will
# assume server role and Home
# will assume client role.
tls-server
# Diffie-Hellman Parameters (tls-server only)
dh /etc/openvpn/ssl/dh1024.pem
# We use X509 key management
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
# here the self signed keys
ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/inter.crt
key /etc/openvpn/ssl/inter.key
# we want compression on.
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# is not a must have.
ping 15
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.
#log openvpn.log
#log-append openvpn.log
log-append /etc/openvpn/openvpn.log
# 0 is silent, except for fatal errors
# 1 mostly quiet, but display non-fatal network errors.
# 3 medium output, good for normal operation.
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
...
$># save the file
The "tunnel1.up" script (the file named by the "up" directive in tunnel1.conf):
$>vi tunnel1.up    # change here ...
#!/bin/bash
# here we route the remote subnet 192.168.86.0/24 over gateway 10.0.0.2
# (the client end of the tunnel, see "ifconfig" in tunnel1.conf)
route add -net 192.168.86.0 netmask 255.255.255.0 gw 10.0.0.2
...
$># save the file
$>chmod 755 /etc/openvpn/tunnel1.up    # OpenVPN executes it when the tunnel comes up
Change the following settings in SuSEfirewall2:
$>vi /etc/sysconfig/SuSEfirewall2
$># look for FW_DEV_INT=" and add the tunnel device "tun0" there, like this:
FW_DEV_INT="eth-id-00:0a:5e:4b:17:9c tun0"
$># next look for FW_MASQ_NETS=" and add your internal net (externpc1):
FW_MASQ_NETS="192.168.81.0/24"
$># check also that the listening port from tunnel1.conf (UDP 32545) is allowed
$># on the external interface (FW_SERVICES_EXT_UDP), otherwise the clients cannot connect
$># save the file, quit and restart SuSEfirewall2 with:
$>rcSuSEfirewall2 restart
$>that's it ...
If the remote machine runs Linux, download, compile and install "OpenVPN" there the same way, copy all files (tunnel1.up, the externpc1 config, the 3 key files) via "scp" or "WinSCP" to the remote machine, change the "ip address" and "ifconfig" variables and the "route" setting, change the firewall settings and restart there.
You find a startup script for OpenVPN under "/usr/local/src/openvpn-2.0.9/suse"; cp the "openvpn.init" script to /etc/init.d and fire up the tunnels.
In our example the remote machine is Windows XP (externpc1).
Download and install OpenVPN for Windows now on the remote system:
$># download http://openvpn.net/release/openvpn-2.0.9-install.exe
$># install the software
$># now create a file called "externpc1.ovpn", copy/paste mine and change the
$># variables to your values, like the remote IP address and the path to the cert files
$># save all your files where you installed the software; in my example it is
$># "C:\Programme\OpenVPN\config"
$># to make it easier to start up OpenVPN on Windows XP I use "OpenVPN GUI",
$># you can download it here: http://openvpn.se/
The "externpc1.ovpn" file:
# OpenVPN Client config
# all rights by komaii at http://www.komaii.com/linux
# comments to: komaii@gmx.at
# last modified by
# this file is for the client side
# OpenVPN configuration
# Change here to the Server's static IP
remote 81.225.xxx.xxx
# Which port should the client use?
# (must be the same value as "port" in the server's tunnel1.conf)
port 32545
# TCP-client or UDP?
proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
dev tun
# which device ip local-remote? (mirror of the server's ifconfig line)
ifconfig 10.0.0.2 10.0.0.1
# SSL/TLS parms.
# See the server config file for more
# description.
ca C:\\Programme\\OpenVPN\\config\\ca.crt
cert C:\\Programme\\OpenVPN\\config\\externpc1.crt
key C:\\Programme\\OpenVPN\\config\\externpc1.key
# we want compression on.
comp-lzo
# Uncomment this section for a more reliable detection when a system
# loses its connection. For example, dial-ups or laptops that
# travel to other locations.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
# a bit of logging is fine
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3
# In SSL/TLS key exchange, Office will
# assume server role and Home
# will assume client role.
tls-client
...
$># save the file
For security reasons you can now deinstall via "YaST" the following packages on your server:
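The client file has to mirror tunnel1.conf: same "port" and "proto", the two "ifconfig" addresses swapped, tls-server against tls-client, and comp-lzo on both ends or on neither. As an added example (not part of the original article), the following Python script parses two such configs and reports every mismatch; the trimmed sample configs inside it are constructed from the two files on this page, with a wrong client port on purpose.

```python
# Added example (not from the article): cross-check a point-to-point OpenVPN 2.0
# server config against its client config before the tunnel is started.

def parse_ovpn(text):
    """{directive: [args]}; '#'/';' comments and blank lines skipped, first one wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if line:
            parts = line.split()
            conf.setdefault(parts[0], parts[1:])
    return conf

def check_pair(server_text, client_text):
    """Return the list of mismatches; an empty list means the two ends agree."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    problems = []
    if 'tls-server' not in s or 'tls-client' not in c:
        problems.append('roles: server needs tls-server, client needs tls-client')
    for d in ('proto', 'dev', 'port'):  # in 2.0 "port" sets local AND remote port
        if s.get(d) != c.get(d):
            problems.append('%s differs: server %s, client %s' % (d, s.get(d), c.get(d)))
    if len(c.get('ifconfig', [])) != 2 or s.get('ifconfig', [])[::-1] != c['ifconfig']:
        problems.append('ifconfig must be mirrored (local/remote swapped) on the client')
    if 'local' in s and 'remote' in c and s['local'][0] != c['remote'][0]:
        problems.append('client "remote" must be the server "local" address')
    if ('comp-lzo' in s) != ('comp-lzo' in c):
        problems.append('comp-lzo must be set on both ends or on neither')
    return problems

# Constructed samples, trimmed from the article's tunnel1.conf / externpc1.ovpn;
# the client port below is deliberately wrong, the kind of typo this check catches.
SERVER = """local 81.225.xxx.xxx
port 32545
proto udp
dev tun
ifconfig 10.0.0.1 10.0.0.2
tls-server
comp-lzo"""
CLIENT_BAD = """remote 81.225.xxx.xxx
port 32345   # compare with "port" in SERVER
proto udp
dev tun
ifconfig 10.0.0.2 10.0.0.1
comp-lzo
tls-client"""
CLIENT_OK = CLIENT_BAD.replace('port 32345', 'port 32545')
```

Run check_pair(SERVER, CLIENT_BAD) to see the port mismatch reported, and check_pair(SERVER, CLIENT_OK) returns an empty list; feed it the real files with open(path).read() on both ends before starting the tunnel.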
Linux Firewall Systems: