OpenVPN Howto

This page outlines how to implement OpenVPN for nailed-up (site-to-site) VPN connections as well as client-to-server connections. The worked example below is the nailed-up case.

Conventions

I have the following three conventions with my firewall builds:

   1. I always give a firewall a FQDN.

   2. The domain name is specific to the organization (e.g. pachogrande.local)

   3. The hostname is specific to the build of the firewall and is stickered on the case and included with the computer's software bundle (e.g. HEMLOCK, HAZELNUT)

Nailed up VPN

This assumes that the server, server.hostname.com, has the IP space 192.168.0.0/24 behind it, that the client, client.hostname.com, has 192.168.32.0/24 behind it, and that the two segments should talk to each other. It also assumes (as is natural for firewall builds) that each machine is the default gateway of its LAN, so each must have IPv4 forwarding enabled (net.ipv4.ip_forward=1); OpenVPN only moves packets between the two tun ends, the kernel has to move them between the LAN interface and tun.

On server.hostname.com:

apt-get install openvpn

cd /usr/share/doc/openvpn/examples/easy-rsa

(Better: copy this directory somewhere like /etc/openvpn/easy-rsa and work there, so the CA does not live under /usr/share/doc, where a package upgrade can remove it.)

vim vars (set KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL for your organization; KEY_SIZE=1024 is the default and is what gives build-dh's output its name)

. ./vars

./clean-all (wipes the keys/ directory; run it once when creating the CA, never again on a CA that has already issued certificates)

./build-ca (set Common Name to OpenVPN-CA)

./build-key-server server.hostname.com (set Common Name to server.hostname.com; unlike build-key, this signs with the "server" extension, nsCertType=server, which is what lets a client tell the real server from someone presenting another client certificate)

./build-key client.hostname.com (set Common Name to client.hostname.com; the CN is what the server's ccd lookup keys on)

./build-dh (produces keys/dh1024.pem with KEY_SIZE=1024)

Then copy the following files from the keys/ subdirectory to /etc/openvpn on the server (the server config below refers to them by these bare names, relative to /etc/openvpn):

   ca.crt
   server.hostname.com.crt
   server.hostname.com.key
   dh1024.pem

Then copy the following files to /etc/openvpn on the client, over a secure channel such as scp:

   ca.crt
   client.hostname.com.crt
   client.hostname.com.key

Leave ca.key where the CA lives: neither VPN endpoint needs it, and whoever holds it can issue certificates both ends will trust. Make the .key files mode 600 and owned by root on both machines.

On the server, uncompress /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz to /etc/openvpn/openvpn.conf

On the client, copy /usr/share/doc/openvpn/examples/sample-config-files/client.conf to /etc/openvpn/openvpn.conf

(Debian's init script starts one OpenVPN instance per *.conf file in /etc/openvpn, so keep exactly one there unless you mean to run several tunnels.)

You can tweak as per your needs or use the following quick reference files (for OpenVPN 2.0.9 on Debian 'etch'):

Server's /etc/openvpn/openvpn.conf:

port 1194
proto udp
dev tun
ca ca.crt
cert server.hostname.com.crt
key server.hostname.com.key
dh dh1024.pem                            # server side only
server 10.8.0.0 255.255.255.0            # tunnel address pool; the server takes 10.8.0.1
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"   # tell the client how to reach the server's LAN
client-config-dir ccd                    # per-client files, looked up by certificate CN
route 192.168.32.0 255.255.255.0         # kernel route for the client's LAN into tun; pairs with the iroute in ccd
keepalive 10 120                         # ping every 10s, restart after 120s of silence; pushed to the client too
comp-lzo                                 # must match on both sides
persist-key
persist-tun
status openvpn-status.log
verb 3

The sample server.conf ships with "user nobody" and "group nogroup" commented out. Uncomment them: persist-key and persist-tun are already present, which is what makes dropping root after startup work across restarts of the tunnel, and it means a bug in OpenVPN's packet handling is not a root compromise of the firewall.

Server's /etc/openvpn/ccd/client.hostname.com (the file name must equal the Common Name of the client's certificate; without this file the server has no idea which client owns 192.168.32.0/24 and drops the packets):

iroute 192.168.32.0 255.255.255.0

Client's /etc/openvpn/openvpn.conf (this is a client config, not a copy of the server's: dh, server, ifconfig-pool-persist, push, client-config-dir and route for its own LAN do not belong here, and a client running a copied server.conf just sits there listening as a second server and never connects):

client
remote server.hostname.com 1194          # the server's public name or address
proto udp
dev tun
resolv-retry infinite
nobind                                   # no fixed local port; nothing needs to reach the client inbound
ca ca.crt
cert client.hostname.com.crt
key client.hostname.com.key
comp-lzo                                 # must match the server
persist-key
persist-tun
status openvpn-status.log
verb 3

The route to 192.168.0.0/24 and the keepalive settings are pushed by the server, so they are not repeated here. Since the server certificate was made with build-key-server, also add "ns-cert-type server" on the client: it makes the client refuse a server that presents a certificate without nsCertType=server, i.e. any other client certificate signed by the same CA.

Now make sure the server's firewall allows inbound UDP port 1194 from the client's public address, and that the client's firewall allows the outbound UDP connection to it. The client does not need to accept anything inbound.

On the server, /etc/init.d/openvpn restart

On the client, /etc/init.d/openvpn restart

(Debian's init script lives in /etc/init.d, not /etc/rc.d.)

The one odd gotcha I've been burned by is that the clocks on the two machines need to be accurate, e.g. synchronized using NTP. If they are too far apart the TLS handshake fails, typically because one side's clock is still before the notBefore date of the other side's freshly issued certificate (so the certificate is "not yet valid" as far as it is concerned), and you get confusing errors in the logs.
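The client config is where this setup goes wrong most often (a copied server.conf is the classic mistake), and the iroute/route pairing, IPv4 forwarding and private-key permissions are the next things to check before restarting. The lint script below checks all four from the filesystem. It is an added example, not code from the original howto or from the OpenVPN project: it assumes the layout used above (/etc/openvpn/openvpn.conf on both ends, /etc/openvpn/ccd/<CN> on the server), the directive lists it greps for are its own rather than anything OpenVPN defines, and clock skew, the NTP gotcha, still has to be checked separately.

```shell
#!/bin/sh
# openvpn-lint.sh: pre-restart sanity checks for the nailed-up setup above.
# Added example, not part of the original howto. Assumed layout (overridable
# via arguments): /etc/openvpn/openvpn.conf on both machines and, on the
# server, /etc/openvpn/ccd/<client CN>. Relative file names in the config are
# resolved against the config's directory, as Debian's init script (--cd) does.
#   sh openvpn-lint.sh server [conf] [ccd_dir]
#   sh openvpn-lint.sh client [conf]

# Directives that belong to one side only (our own list, not OpenVPN's).
# A "client" config carrying server-only lines is almost always a server.conf
# copied verbatim: that box listens as a second server and never connects.
SERVER_ONLY="server push client-config-dir ifconfig-pool-persist dh iroute"
CLIENT_ONLY="client remote nobind"

# directive_present FILE NAME: 0 if FILE has an uncommented line whose first
# word is exactly NAME (so "remote" does not match "remote-random").
directive_present() {
    awk -v d="$2" '$1 == d { found = 1 } END { exit found ? 0 : 1 }' "$1" 2>/dev/null
}

# check_role_conf ROLE FILE: 0 if FILE looks like a ROLE (server|client)
# config, 1 otherwise; every problem is reported on stderr.
check_role_conf() {
    role=$1 file=$2 rc=0
    case $role in
        server) must="server";        forbidden=$CLIENT_ONLY ;;
        client) must="client remote"; forbidden=$SERVER_ONLY ;;
        *)      echo "unknown role '$role'" >&2; return 2 ;;
    esac
    for d in $must; do
        directive_present "$file" "$d" ||
            { echo "$file: missing '$d', which a $role config needs" >&2; rc=1; }
    done
    for d in $forbidden; do
        directive_present "$file" "$d" &&
            { echo "$file: '$d' does not belong in a $role config" >&2; rc=1; }
    done
    return $rc
}

# check_iroutes SERVER_CONF CCD_DIR: every "iroute net [mask]" in a ccd file
# needs a matching "route net mask" in the server config. iroute only tells
# OpenVPN which client owns that subnet; without the kernel route the server
# never hands packets for it to the tun device at all. (The ccd file name must
# also equal the client certificate's CN; that needs openssl and is not checked.)
check_iroutes() {
    conf=$1 ccd=$2 rc=0
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        for spec in $(awk '$1 == "iroute" { print $2 "/" $3 }' "$f"); do
            net=${spec%/*} mask=${spec#*/}
            [ -n "$mask" ] || mask=255.255.255.255      # OpenVPN's default iroute netmask
            if ! awk -v n="$net" -v m="$mask" \
                    '$1 == "route" && $2 == n && $3 == m { found = 1 } END { exit found ? 0 : 1 }' "$conf"; then
                echo "$f: iroute $net $mask has no matching 'route $net $mask' in $conf" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# check_ip_forward [PROCFILE]: 0 if the kernel forwards IPv4. Both gateways
# need it, or LAN traffic is dropped instead of entering the tunnel.
check_ip_forward() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# check_key_perms KEYFILE: 0 if group and other have no access (mode 600/400).
check_key_perms() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# run_checks ROLE [CONF] [CCD_DIR]: run every check for ROLE, keep going after
# a failure so all problems are listed, and return 1 if any check failed.
run_checks() {
    role=$1 conf=${2:-/etc/openvpn/openvpn.conf} ccd=${3:-/etc/openvpn/ccd} failed=0
    check_role_conf "$role" "$conf" || failed=1
    if [ "$role" = server ]; then
        check_iroutes "$conf" "$ccd" || failed=1
    fi
    check_ip_forward || { echo "IPv4 forwarding is off (sysctl -w net.ipv4.ip_forward=1)" >&2; failed=1; }
    for k in $(awk '$1 == "key" { print $2 }' "$conf"); do
        case $k in /*) ;; *) k=$(dirname "$conf")/$k ;; esac
        check_key_perms "$k" || { echo "$k: private key missing or readable by group/other" >&2; failed=1; }
    done
    return $failed
}

# Only run when given a role, so the functions can also be sourced elsewhere.
if [ -n "${1:-}" ]; then
    run_checks "$@"
fi
```

Run it as "sh openvpn-lint.sh server" on the server and "sh openvpn-lint.sh client" on the client, and fix everything it prints before restarting openvpn. The checks are deliberately text-only so they can run on a copy of the configs on any machine; whether the key material itself is right (CA signature, nsCertType on the server certificate) is a separate openssl exercise.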