VPN: OpenVPN installation and config

VPN: OpenVPN installation and config

OpenVPN is one of the most secure VPN service. It is also open source making it widely used solution.We will be doing our installation using  Ubuntu Server

Lets dive right in

Install OpenVPN:

sudo apt-get install openvpn 

Server certificates

  • Create the OpenVPN server certificates.
    • Copy the easy-rsa directory to /etc/openvpn. This will ensure that any changes to the scripts will not be lost when the package is updated.
sudo mkdir /etc/openvpn/easy-rsa/ sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/ 
  • Edit /etc/openvpn/easy-rsa/vars and adjust the variables for your environment:
export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="MyCity" export KEY_ORG="MyCompany" export KEY_EMAIL="webmaster at mycompany.com" 
  • Run the scripts to create the server certificates:
cd /etc/openvpn/easy-rsa/easy-rsa source vars ./clean-all ./build-dh ./pkitool --initca ./pkitool --server server cd keys openvpn --genkey --secret ta.key sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/ 

Client Certificates

  • A VPN clients requires a certificate in order to authenticate itself to the VPN server.
  • Create the certificate:
cd /etc/openvpn/easy-rsa/ source vars ./pkitool hostname 

Note: Replace hostname with the actual hostname of the client machine that will be connecting to the VPN.

  • Copy the certificate files that have been created to the client:
    • /etc/openvpn/easy-rsa/hostname.ovpn
    • /etc/openvpn/easy-rsa/ca.crt
    • /etc/openvpn/easy-rsa/hostname.crt
    • /etc/openvpn/easy-rsa/hostname.key
    • /etc/openvpn/easy-rsa/ta.key

Note: Use the files that correspond to your client machine's hostname.

Server Configuration

  • On the OpenVPN server, modify /etc/openvpn/server.conf from the example file:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ sudo gzip -d /etc/openvpn/server.conf.gz
  • Edit etc/openvpn/server.conf:
sudo nano /etc/openvpn/server.conf 
  • Changing the following options to resemble:
local dev tap0 server-bridge push "route" push "dhcp-option DNS" push "dhcp-option DOMAIN example.com" tls-auth ta.key 0 # This file is secret user nobody group nogroup

Notes: local: is the IP address of the bridge interface. server-bridge: needed when the configuration uses bridging. The portion is the bridge interface and mask. The IP range is the range of IP addresses that will be assigned to clients. push: directives to add networking options for clients. user and group: configure which user and group the openvpn daemon executes as. Replace all IP addresses and domain names above with those of your network.

  • Create helper scripts to add the tap interface to the bridge.
    • Create /etc/openvpn/up.sh:
sudo nano /etc/openvpn/up.sh

Add the lines:

 #!/bin/sh # BR=$1 DEV=$2 MTU=$3 /sbin/ifconfig $DEV mtu $MTU promisc up /usr/sbin/brctl addif $BR $DEV 
  • Create /etc/openvpn/down.sh:
sudo nano /etc/openvpn/down.sh 

Add the lines:

 #!/bin/sh # BR=$1 DEV=$2 # /usr/sbin/brctl delif $BR $DEV /sbin/ifconfig $DEV down 
  • Make the scripts executable:
sudo chmod 755 /etc/openvpn/down.sh sudo chmod 755 /etc/openvpn/up.sh
  • Restart OpenVpn:
sudo /etc/init.d/openvpn restart

Client Configuration

  • Copy the example client configuration file:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
  • Edit the client configuration file:
sudo nano /etc/openvpn/client.conf 
  • Change it to resemble:
dev tap remote vpn.mycompany.com 1194 cert hostname.crt key hostname.key tls-auth ta.key 1 

Note: Replace vpn.mycompany.com with the hostname of your VPN server, and hostname.* with the actual certificate and key filenames that correspond to the client.

  • Restart OpenVpn:
sudo /etc/init.d/openvpn restart 
  • Connect the VPN client to the remote LAN through the OpenVPN server.

FirstLook: Unboxing iTwin Connect

FirstLook: Unboxing iTwin Connect

FirstLook: Cookoo Watch

FirstLook: Cookoo Watch