This article describes the installation of OpenVPN 2.0.9 on a SuSE Linux 10.x Server with multiple VPN tunnels.
What is OpenVPN?
- OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP port.
Or have a look at their homepage: OpenVPN.
Normally any Linux distribution comes with precompiled packages, but here we want to compile the whole thing ourselves.
Standard SuSE Linux 10.x server, installed in runlevel 3. No graphical system is required.
Install the following packages via SuSE "YaST":
Now we start with the compilation:
Download, compile and install OpenVPN 2.0.9
$>cd /usr/local/src
$>wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
...
$>tar xzvf openvpn-2.0.9.tar.gz
$>cd openvpn-2.0.9
$>./configure \
    --sbindir=/usr/sbin \
    --with-ssl-headers=/usr/include/openssl \
    --with-ssl-lib=/usr/lib \
    --with-lzo-headers=/usr/include \
    --with-lzo-lib=/usr/lib \
    --enable-iproute2 \
    --with-ifconfig-path=/sbin
$>make
$>make install
We create the directories where we store our config files:
$>mkdir /etc/openvpn
$>mkdir /etc/openvpn/ssl
$>cp suse/openvpn.init /etc/init.d/openvpn                          # startup file
$>chmod 755 /etc/init.d/openvpn
$>cp sample-config-files/office.up /etc/openvpn/tunnel1.up         # template for the "up" script, edited below
$>cp sample-config-files/tls-office.conf /etc/openvpn/tunnel1.conf # template for the server config, edited below
Now we prepare the certificate authority:
$>cd easy-rsa/            # we are now in "/usr/local/src/openvpn-2.0.9/easy-rsa"
$>cp openssl.cnf /etc/openvpn/
$>vi vars
# set KEY_CONFIG to point to the openssl.cnf; in our config it is /etc/openvpn/openssl.cnf
# set KEY_DIR to point to a directory which will contain all keys, certificates, etc.;
# in our config it is /etc/openvpn/ssl
$>. vars                  # this sets the variables we have changed
$>./clean-all             # deletes everything in /etc/openvpn/ssl, be careful!
$>ls -la /etc/openvpn     # must look like:
drwxr-xr-x  2 root root  152 Feb 13 17:07 .
drwxr-xr-x 44 root root 4120 Feb 13 17:08 ..
drwxr-xr-x  2 root root  704 Feb 13 17:09 ssl
-rw-r--r--  1 root root 1592 Feb 13 17:10 tunnel1.conf
-rw-r--r--  1 root root 7487 Feb 19 11:01 openssl.cnf
Now we build our own root certificate authority (CA):
$>./build-ca              # ca.crt and ca.key are now built in our KEY_DIR directory;
                          # remember they are stored in /etc/openvpn/ssl
Optionally we can build an intermediate certificate authority/key:
$>./build-inter inter     # inter.crt and inter.key are now built in our KEY_DIR directory
                          # and signed with our root CA
Now we build the Diffie-Hellman parameters:
$>./build-dh              # necessary for the server end of an SSL/TLS connection
Now we build a certificate signing request:
# First transfer "ca.crt" across a secure channel to all external PCs you want to
# connect later through the tunnel into the company network.
# Now we build our first certificate. In our example we use "externpc1";
# the computer name would be a good choice, too.
$>./build-req externpc1
# You can ignore most of the fields, but set "Common Name" to something unique
# such as your computer's host name (very important, change this for every key!!!).
# Your key will be written to $KEY_DIR/externpc1.key and your certificate signing
# request will be written to
$>./sign-req externpc1    # we sign the certificate signing request ourselves
# Now email "externpc1.crt" and "externpc1.key" to your Windows client "externpc1";
# note that the private key deserves the same secure channel you used for ca.crt
# rather than plain e-mail.
# The combined files of mycert.crt, mycert.key, and ca.crt can now be used to
# secure one end of an SSL/TLS connection.
The "tunnel1.conf" configuration file:
$>vi tunnel1.conf         # change here
...
# OpenVPN Server config
# all rights by komaii at http://www.komaii.com/linux
# comments to: email@example.com
# last modified by
# this file is for the server side
# OpenVPN configuration
# we have a static ip
# your external ip address goes here (Linux Server or Firewall)
local 81.225.xxx.xxx
# Which port should the server listen on?
port 32545
# TCP or UDP server?
proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
dev tun
# Client 1 "externpc1": local and remote tunnel endpoint addresses
ifconfig 10.0.0.1 10.0.0.2
# here the route config to the client's net.
up /etc/openvpn/tunnel1.up
# In SSL/TLS key exchange, Office will
# assume server role and Home
# will assume client role.
tls-server
# Diffie-Hellman Parameters (tls-server only)
dh /etc/openvpn/ssl/dh1024.pem
# We use X509 key management
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
# here the self signed keys
ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/inter.crt
key /etc/openvpn/ssl/inter.key
# we want compression on.
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# is not a must have.
ping 15
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.
#log openvpn.log
#log-append openvpn.log
log-append /etc/openvpn/openvpn.log
# 0 is silent, except for fatal errors
# 1 mostly quiet, but display non-fatal network errors.
# 3 medium output, good for normal operation.
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
...
$># save the file
The "externpc1.up" configuration file:
$>vi externpc1.up         # change here; the file name must match the "up" line in tunnel1.conf
...
#!/bin/bash
# here we route the remote subnet 192.168.86.0/24 over gateway 10.0.0.2
route add -net 192.168.86.0 netmask 255.255.255.0 gw 10.0.0.2
...
$># save the file
Change the following settings on SuSEfirewall2:
$>vi /etc/sysconfig/SuSEfirewall2
# look for FW_DEV_INT=" and add "tun0" there, like this:
FW_DEV_INT="eth-id-00:0a:5e:4b:17:9c tun0"
# next look for FW_MASQ_NETS=" and add your internal net (externpc1)
FW_MASQ_NETS="192.168.81.0/24"
# save the file, quit and restart SuSEfirewall2 with
$>rcSuSEfirewall2 restart
# that's it ...
Download, compile and install "OpenVPN" the same way on the remote machine if it runs Linux; copy all files (tunnel.up, externpc1, the 3 key files) via "scp" or "WinSCP" to the remote machine, change the "ip address" and "ifconfig" variables and the "route" setting, change the firewall settings and restart there.
You find a startup script for OpenVPN under "/usr/local/src/openvpn-2.0.9/suse": copy the "openvpn.init" script to /etc/init.d and fire up the tunnels.
In our example the remote machine is Windows XP (externpc1).
Download and install OpenVPN for Windows now on the remote system:
# download http://openvpn.net/release/openvpn-2.0.9-install.exe
# install the software
# now create a file called "externpc1.ovpn"
# and copy/paste mine, then change the variables to the values you have, like
# the remote IP address and the path to the cert files
# save all your files where you installed the software; in my
# example it is "C:\Programme\OpenVPN\config"
# to make it easier to start up OpenVPN on Windows XP I use "OpenVPN GUI"
# you can download it here: http://openvpn.se/
The "externpc1.ovpn" file:
# OpenVPN Client config
# all rights by komaii at http://www.komaii.com/linux
# comments to: firstname.lastname@example.org
# last modified by
# this file is for the client side
# OpenVPN configuration
# Change here to the server's static IP
remote 81.225.xxx.xxx
# Which port should the client use? ("port" sets the local and the remote
# port, so it must match the "port" line in tunnel1.conf)
port 32545
# TCP-client or UDP?
proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
dev tun
# which device ip local-remote? (mirror of the server's ifconfig line)
ifconfig 10.0.0.2 10.0.0.1
# SSL/TLS parms.
# See the server config file for more
# description.
ca C:\\Programme\\OpenVPN\\config\\ca.crt
cert C:\\Programme\\OpenVPN\\config\\externpc1.crt
key C:\\Programme\\OpenVPN\\config\\externpc1.key
# we want compression on.
comp-lzo
# Uncomment this section for a more reliable detection when a system
# loses its connection. For example, dial-ups or laptops that
# travel to other locations.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
# a little logging doesn't hurt
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3
# In SSL/TLS key exchange, Office will
# assume server role and Home
# will assume client role.
tls-client
...
$># save the file

For security reasons you can now deinstall via "YaST" the following packages on your:
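As an added example (not from the article), this Python script cross-checks a server config like tunnel1.conf against a client config like externpc1.ovpn for the settings that must agree on both ends of a static point-to-point tunnel. The two sample configs inside it are constructed from the article's values, with the client port deliberately set wrong to show what the check reports.

```python
# Added example (not from the original article): cross-check an OpenVPN 2.0
# server config (tunnel1.conf) against a client config (externpc1.ovpn).

def parse(text):
    """Map each directive to its argument list; '#' starts a comment."""
    lines = (raw.split("#", 1)[0].split() for raw in text.splitlines())
    return {words[0]: words[1:] for words in lines if words}

def check_pair(server_text, client_text):
    """Return a list of problems (empty when the two ends agree)."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    # In OpenVPN 2.0 a bare "port" sets both the local and the remote
    # port, so port, proto and dev must be identical on both ends.
    for key in ("port", "proto", "dev"):
        if s.get(key) != c.get(key):
            problems.append("%s mismatch: server %s, client %s"
                            % (key, s.get(key), c.get(key)))
    # The client's ifconfig must be the server's pair, mirrored.
    if s.get("ifconfig", [])[::-1] != c.get("ifconfig", []):
        problems.append("ifconfig is not mirrored between the two ends")
    # The client must connect to the address the server binds to.
    if s.get("local") and c.get("remote") != s["local"]:
        problems.append("client 'remote' does not match server 'local'")
    # TLS roles, the server's DH parameters, and symmetric compression.
    if "tls-server" not in s or "tls-client" not in c:
        problems.append("tls-server/tls-client roles not set on both ends")
    if "tls-server" in s and "dh" not in s:
        problems.append("tls-server without dh parameters")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo enabled on only one side")
    return problems

# Constructed samples using the article's values; the client port is
# deliberately wrong so the check has something to report.
SERVER = """local 81.225.xxx.xxx
port 32545
proto udp
dev tun
ifconfig 10.0.0.1 10.0.0.2
tls-server
dh /etc/openvpn/ssl/dh1024.pem
comp-lzo"""
CLIENT = """remote 81.225.xxx.xxx
port 32345
proto udp
dev tun
ifconfig 10.0.0.2 10.0.0.1
tls-client
comp-lzo"""
```

Run `check_pair(SERVER, CLIENT)` to get the list of mismatches; an empty list means the pair is consistent.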
Linux Firewall Systems: