OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies available in the market.
OpenVPN’s lightweight design sheds many of the complexities and the security model is based on SSL, the industry standard for secure communications via the internet. OpenVPN implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.
Let’s see how to install and configure OpenVPN on SUSE Linux and openSUSE.
Install OpenVPN
Before installation begins, plan your VPN setup accordingly. This includes choosing routed [recommended] or bridged mode (routed mode separates the subnets, so broadcasts do not traverse the VPN, while bridged mode puts clients in the same LAN subnet, so broadcasts are carried over the VPN), the IP range for the private VPN, etc.
opensuse:~ # yast2 --install openvpn
This installs the OpenVPN software in the /usr/share/openvpn directory.
Copy to /etc/ directory
Copy the directory /usr/share/openvpn to the /etc/ directory so that a package update does not override your configuration. Also, the default installation provides a startup script /etc/init.d/openvpn that looks for configurations in the /etc/openvpn directory, so this location makes more sense.
opensuse:~ # cp -r /usr/share/openvpn /etc/
Generate Master Certificate Authority (CA) certificate and key
Change to the /etc/openvpn/easy-rsa/2.0/ directory and run the following commands to initialize the environment, clean up any existing keys and build the CA.
opensuse:~ # cd /etc/openvpn/easy-rsa/2.0/
opensuse:/etc/openvpn/easy-rsa/2.0/ # . ./vars
opensuse:/etc/openvpn/easy-rsa/2.0/ # ./clean-all
opensuse:/etc/openvpn/easy-rsa/2.0/ # ./build-ca
Answer the questions prompted to create the master CA certificate and key
Generate Certificate & Key for Server
opensuse:/etc/openvpn/easy-rsa/2.0/ # ./build-key-server server
Answer the questions prompted to create the server certificate and key.
Generate Certificate & Key for Client
Here, I create a key for a client named vpnhost1.
opensuse:/etc/openvpn/easy-rsa/2.0/ # ./build-key vpnhost1
Answer the questions prompted to create the client certificate and key. Repeat the procedure for as many client certificates and keys as required.
Generate Diffie Hellman (DH) parameters
Generate the Diffie Hellman parameters for the OpenVPN server:
opensuse:/etc/openvpn/easy-rsa/2.0/ # ./build-dh
Now, you can see all the Key files created in the directory
/etc/openvpn/easy-rsa/2.0/keys/
where
ca.crt – Root certificate for the server & all clients
ca.key – Root CA key, for the key signing machine only
dh<n>.pem – DH parameters for the server (dh1024.pem here)
server.crt & server.key – Server certificate and key (the name will be the common name entered at the time of certificate generation)
client.crt & client.key – Client certificate and key (the name will be the common name entered at the time of certificate generation)
Create Server configuration file
The sample config files are installed in the /usr/share/doc/packages/openvpn/sample-config-files/ directory. Copy the server.conf file to the /etc/openvpn/ directory.
opensuse:/etc/openvpn/ # cp /usr/share/doc/packages/openvpn/sample-config-files/server.conf .
Edit the file and modify the following parameters.
Network Port to listen
The default port is 1194. If you want to change it, change the parameter
port 1194
TCP or UDP
Choose whether you want to use the TCP or UDP protocol. The default is UDP. If you would like to change it, edit the following line accordingly:
proto udp
Edit the lines
ca ca.crt
cert server.crt
key server.key
and change them as per your setup. According to our config, the files should be in /etc/openvpn/easy-rsa/2.0/keys/. On my server it is as follows (ca must point at the CA certificate ca.crt, not at the server certificate):
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/opensuse.crt
key /etc/openvpn/easy-rsa/2.0/keys/opensuse.key
Routed or Bridged
If the VPN setup is routed, as in most cases (and here), then leave the following lines untouched:
dev tun
and
server 10.8.0.0 255.255.255.0
If you choose a bridged environment, comment out the above lines and uncomment the lines
dev tap
and
server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
In both cases, if you want the IP pool to differ from the default, feel free to change it as per your network requirements.
If you need to push routes to clients, uncomment the lines
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
and add as many as required for your network.
There is a lot more one can customize. Feel free to go ahead and change things as required.
If you want to remotely manage the OpenVPN setup via telnet or a GUI like Webmin, add the line
management localhost 7505
to the bottom. This allows you to connect directly to that port and manage the daemon, for example using telnet:
telnet localhost 7505
Type help for the command options.
Now, we are all set to test run the server.
Start OpenVPN
opensuse:~ # openvpn /etc/openvpn/server.conf
If all went well, the service should start and run, listening on port 1194 (UDP in our case). Should there be any errors, they are self-explanatory enough to troubleshoot.
Setup Client
On the client, install OpenVPN as above, copy the client.conf file from the sample config files (as with the server) into the /etc/openvpn directory, and edit it much the same as server.conf, except:
We use "client" to make it clear that we are a client.
Enter the remote IP of the OpenVPN server. A list of multiple servers for load balancing can be added as well.
Copy the appropriate certificate & key files generated on the server onto this client. Ensure this is done securely. Modify the ca.crt, client.crt and client.key entries with the appropriate paths and file names.
To start the client
vpnhost:~ # openvpn /etc/openvpn/client.conf
Try connecting (for example, ping an IP address) and check whether you are able to reach the private network.
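Before the first test run it is worth checking the edited server.conf and client.conf for the inconsistencies discussed above: a tun device paired with server-bridge (or tap with server), certificate material that is missing, relative or points ca and cert at the same file, and a management interface that is not on loopback or has no password file. The checker below is an added example and not part of the original howto or of OpenVPN; the sample config is constructed, and the third argument of management it looks for is OpenVPN's optional pw-file parameter.

```python
import shlex

# Constructed sample: the howto's server.conf after the edits above (not a real file).
SAMPLE_SERVER_CONF = """\
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.20.0 255.255.255.0"
management localhost 7505
"""

def parse_openvpn_config(text):
    """Yield (directive, args); '#'/';' lines are comments, args may be "quoted"."""
    for line in (l.strip() for l in text.splitlines()):
        if line and line[0] not in "#;":
            directive, *args = shlex.split(line)
            yield directive, args

def check_config(text):
    """Warn about routed/bridged mismatches, cert paths and a weak management setup."""
    conf = dict(parse_openvpn_config(text))  # last occurrence wins; fine for these checks
    f, dev = [], (conf.get("dev") or [""])[0]
    if "server" in conf or "server-bridge" in conf:            # server side
        if dev.startswith("tun") and "server-bridge" in conf:
            f.append("'server-bridge' (bridged) requires 'dev tap'")
        if dev.startswith("tap") and "server" in conf:
            f.append("'server' (routed) expects 'dev tun'")
    elif "client" not in conf:
        f.append("neither 'server' nor 'client' mode set")
    elif "remote" not in conf:
        f.append("client has no 'remote' server address")
    for k in ("ca", "cert", "key"):                            # certificate material
        path = conf.get(k)
        if not path:
            f.append(f"missing '{k}' directive")
        elif not path[0].startswith("/"):
            f.append(f"'{k} {path[0]}' is relative; use an absolute path under /etc/openvpn")
    if conf.get("ca") and conf.get("ca") == conf.get("cert"):
        f.append("'ca' and 'cert' point at the same file")
    mgmt = conf.get("management")                              # management interface
    if mgmt:
        if mgmt[0] not in ("localhost", "127.0.0.1", "::1"):
            f.append(f"management interface listens on {mgmt[0]}, not loopback")
        if len(mgmt) < 3:
            f.append("management interface has no pw-file argument")
    return f
```

Run check_config on the contents of /etc/openvpn/server.conf or client.conf; an empty list means none of these checks fired, and for the sample above the only warning is the missing management password file.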
Hope you found this useful!!!
Sorry to say, but your description stops when it starts to get interesting:
– How to conditionally boot with or without OpenVPN? NetworkManager is not an option, since the network and all depending services should be initialized _before_ a user is permitted to login.
Hi:
Nice post, but be careful with the ‘paths’; you have some errors like this:
cd /etc/opensuse/easy-rsa/2.0/ —>> cd /etc/openvpn/easy-rsa/2.0/
cp /usr/share/docs/packages/openvpn/server.conf . —>> /usr/share/docs/packages/openvpn/sample-config-files/ .
ca /etc//openvpn/easy-rsa/2.0/keys/opensuse.crt >> ca /etc/openvpn/easy-rsa/2.0/keys/opensuse.crt
best regards,
Jorge
It is brief but very useful
Thank you so much.
May God bless you.
Thanks for the guides, very useful.
I have a question if you don't mind:
OpenVPN is already connected, but why, if the client opens http://whatismyipaddress.com/, is it still showing the external IP of the client, not the server IP?
Thanks…
Not sure of your exact configuration, but once you are connected through your VPN, your IP/gateway changes to the remote network (say your remote office network), and when you look at a site like the above, your access to that page was through the internet access gateway of the remote network, and hence you will see the public IP of that network.
I have pretty much the same setup as listed above, and now I want to use crl-verify to revoke some of the certificates.
I've added
crl-verify /path/to/crl.pem to server.conf
then I run
./revoke-full clientX
The command didn't give me an error (I got this `error 23 at 0 depth lookup:certificate revoked`, and according to the documentation that is what I want to see),
but I can log on just fine with the revoked certificate!!
There is nothing in the error log, I am 100% sure that crl.pem is readable...
any ideas?
about the revoke-full stuff… you gotta read this website…
http://people.mandriva.com/~ybourhis/openvpn/index.html#pkcs11
and/or this
http://metalklesk.blogspot.com/2008/07/vpn-segura-en-opensuse-110-y-windows-xp.html
and see for the revoke-all part….
you gotta edit the openssl.cnf file and uncomment a section. its a big bug in the revoke stuff. it works once you have uncommented or modified it…
If so, we must open the file /etc/openvpn/easy-rsa-V2.0/openssl.cnf (as the root user) and comment out the last section as shown below:
#[ pkcs11_section ]
#engine_id = pkcs11
#dynamic_path = /usr/lib/engines/engine_pkcs11.so
#MODULE_PATH = $ENV::PKCS11_MODULE_PATH
#PIN = $ENV::PKCS11_PIN
#init = 0
Very informative article, which I found quite useful. Cheers ,Jay
Hi, my problem is, I have 11 computers in a network, 9 of those are running SuSe 11.0 and there are no problems with openvpn which is installed in the networkmanager and all works perfectly, but in SuSe 11.1 with the same setup, ” right click on networkmanager icon and select start vpn connection ” but openvpn will not start, I don’t even get the password box up.
Is there a problem with SuSe 11.1 with regard to openvpn integration in networkmanager ?
When using the openvpn server to give access to other computers on the LAN, you have to enable IP forwarding in the network settings of the eth interface. I made the mistake and wasted quite some hours in trying to find why packets seemed to disappear somewhere between the TUN interface and the LAN.
Previously, my openvpn server was running on Windows and there, I didn’t have this issue.
Hi there.
It is a very nice guide. I am absolutely new to the VPN topic and I am looking for a complete and good guide on how to create VPN tunnels on a test webserver box at home, which I would like to access from a friend's place for example. I would need the server to listen and answer requests on port 80 to test a website from another place.
Does anybody have a good idea where to find a tutorial or something like that?
I have Opensuse installed on my box and find the topic quite difficult to understand. The question is: Can I access a VPN server if I have a dynamic IP from my ISP on my home box?
Too many question and no place found with an understandable tutorial for this topic … HELP PLEASE …
very useful start-up information. thank you.
Thanks a lot for sharing this information has really proven to be helpful. I really enjoy reading easy articles leading straight to the point.
Hi everybody,
i need some help here.
I reached this step and I can't move past it.
This is what is showing in my terminal:
linux-yynt:/etc/openvpn/easy-rsa/2.0 # cd /etc/openvpn/
linux-yynt:/etc/openvpn # cp /usr/share/docs/packages/openvpn/sample-config-files/ .
cp: cannot stat `/usr/share/docs/packages/openvpn/sample-config-files/’: No such file or directory
linux-yynt:/etc/openvpn # cp /usr/share/doc/packages/openvpn/sample-config-files/ .
cp: omitting directory `/usr/share/doc/packages/openvpn/sample-config-files/’
linux-yynt:/etc/openvpn # cp /usr/share/doc/packages/openvpn/sample-config-files .
cp: omitting directory `/usr/share/doc/packages/openvpn/sample-config-files’
linux-yynt:/etc/openvpn # cp /usr/share/doc/packages/openvpn/sample-config-files/
cp: missing destination file operand after `/usr/share/doc/packages/openvpn/sample-config-files/’
Try `cp –help’ for more information.
linux-yynt:/etc/openvpn # cp ./usr/share/doc/packages/openvpn/sample-config-files/ .
cp: cannot stat `./usr/share/doc/packages/openvpn/sample-config-files/’: No such file or directory
linux-yynt:/etc/openvpn # cd /etc/
linux-yynt:/etc # /usr/share/docs/packages/openvpn/sample-config-files/ .
bash: /usr/share/docs/packages/openvpn/sample-config-files/: No such file or directory
linux-yynt:/etc # /usr/share/doc/packages/openvpn/sample-config-files/ .
bash: /usr/share/doc/packages/openvpn/sample-config-files/: is a directory
linux-yynt:/etc # cp /usr/share/doc/packages/openvpn/sample-config-files/ .
cp: omitting directory `/usr/share/doc/packages/openvpn/sample-config-files/’
linux-yynt:/etc # cd
linux-yynt:~ # cp /usr/share/doc/packages/openvpn/sample-config-files/ .
cp: omitting directory `/usr/share/doc/packages/openvpn/sample-config-files/’
linux-yynt:~ #
I tried to change the path but nothing works for me.
Please, if anyone can detect what is wrong in this, post a reply
or repeat the steps from the beginning.
thanks.
Here:
Opensuse:~ # cd /etc/opensuse/easy-rsa/2.0/
opensuse:/etc/opensuse/easy-rsa/2.0/ # . ./vars
opensuse:/etc/opensuse/easy-rsa/2.0/ # ./clean-all
opensuse:/etc/opensuse/easy-rsa/2.0/ # ./build-ca
In 2nd line, put:
# . + espace bar + ./vars
Very nice!
sorry: in espace, read space
Ok this great. I will be installing this on my suse box that is running shorewall as my firewall. I guess I would have to open port 1194. Is there anything else I would have to do to the firewall if I am running openvpn on the same box? Also If I want to connect to it from a windows client like xp,vista or win7. Is there a download for that? Would it be easy to configure the client? Thanks in advance for all your help.
Hello, i think that here is wrong:
Opensuse:~ # cd /etc/opensuse/easy-rsa/2.0/
opensuse:/etc/opensuse/easy-rsa/2.0/ # . ./vars
opensuse:/etc/opensuse/easy-rsa/2.0/ # ./clean-all
opensuse:/etc/opensuse/easy-rsa/2.0/ # ./build-ca
It should be:
Opensuse:~ # cd /etc/openvpn/easy-rsa/2.0/
opensuse:/etc/openvpn/easy-rsa/2.0/ # . ./vars
opensuse:/etc/openvpn/easy-rsa/2.0/ # ./clean-all
opensuse:/etc/openvpn/easy-rsa/2.0/ # ./build-ca
But it's not working for me.
@Mohammed
if you haven’t figured out your problem yet:
you most likely forgot to install openvpn on your machine. On opensuse 11.2 it always is there after successful install.
@admin:
it is very unfortunate to maintain all the wrong PATHS after having been made aware of it. such a howto on susegeek.com at least should have copy/paste paths for a current opensuse environment.
@others
basically the above howto is a copy/paste with some rewrite from the original at
http://openvpn.net/howto.html
or
http://openvpn.net/index.php/open-source/documentation/howto.html
since openvpn is still popular – more than ever and also available for new mobiles such as Nokia N900 with a debian based Linux …
it may be a good practice to go back to the original howto at http://openvpn.net/
at least we have NO missing spaces and NO wrong paths and verify the howto procedure with the current maintained howto version.
I have 1 domain with Server 2003 and SUSE using openvpn, a question about the common name: which computer name should I answer?
Please give me a brief explanation about how to use this software.
In the real admin world, users come, users go… Would be nice to add instructions for us admin types that explain how to manage certificates, add and remove them as necessary… I DON’T want to have to rebuild ALL the certificates for all our users and redistribute them each time we acquire a new bod! Ditto for a network topology change… As Robin might say “Holy Repetition Batman! We have hundreds of users!”
Hi,
I tried to configure and run the OpenVPN server on CentOS, but it doesn't run. I checked more than three times every step mentioned in this article or on OpenVPN.net.
When I run openvpn, I get following error:
“Options error: Unrecognized or missing parameter(s)in server.conf:78 :ca (2.2.1)”
I’m sure where the ca, server cert and server key are.
I’m disappointed about Linux!!
Please help me.
Prime