Posted by admin on July 3rd, 2008
OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies available in the market.
OpenVPN’s lightweight design sheds many of the complexities and the security model is based on SSL, the industry standard for secure communications via the internet. OpenVPN implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.
Let’s see how to install and configure OpenVPN on SUSE Linux and openSUSE.
Before installation begins, plan your VPN setup accordingly. This includes choosing routed [recommended] or bridged mode (routed mode separates the subnets, so broadcasts do not traverse the VPN, while bridged mode drops the client into the same LAN subnet, so broadcasts are carried over the VPN), the IP range for the private VPN, etc.
opensuse:~ # yast2 --install openvpn
This installs the OpenVPN software in the /usr/share/openvpn directory.
Copy to the /etc/ directory
Copy the directory /usr/share/openvpn to the /etc/ directory so that a package update does not overwrite your configuration. Also, the default installation provides a startup script, /etc/init.d/openvpn, that looks for configurations in the /etc/openvpn directory, so this location makes more sense.
opensuse:~ # cp -r /usr/share/openvpn /etc/
Generate Master Certificate Authority (CA) certificate and key
Change directory to /etc/openvpn/easy-rsa/2.0/ and run the following commands to initialize the environment, clean up any existing keys and build the CA.
opensuse:~ # cd /etc/openvpn/easy-rsa/2.0/
opensuse:/etc/openvpn/easy-rsa/2.0/ # . ./vars
opensuse:/etc/openvpn/easy-rsa/2.0/ # ./clean-all
opensuse:/etc/openvpn/easy-rsa/2.0/ # ./build-ca
Answer the questions prompted to create the master CA certificate and key.
Generate Certificate & Key for Server
opensuse:/etc/openvpn/easy-rsa/2.0/ # ./build-key-server server
Answer the questions prompted to create the server certificate and key.
Generate Certificate & Key for Client
Here, I create a key for a client named vpnhost1.
opensuse:/etc/openvpn/easy-rsa/2.0/ # ./build-key vpnhost1
Answer the questions prompted to create the client certificate and key. Repeat the procedure for as many client certificates and keys as required.
Generate Diffie Hellman (DH) parameters
Generate the Diffie Hellman parameters for the OpenVPN server.
opensuse:/etc/openvpn/easy-rsa/2.0/ # ./build-dh
Now you can see all the key files created in the keys directory (/etc/openvpn/easy-rsa/2.0/keys/):
ca.crt – Root CA certificate, for the server and all clients
ca.key – Root CA key, for the key-signing machine only
dh<n>.pem – DH parameters for the server (dh1024.pem here)
server.crt & server.key – Server certificate and key (the name will be the common name entered at the time of certificate generation)
client.crt & client.key – Client certificate and key (the name will be the common name entered at the time of certificate generation; vpnhost1 here)
Create Server configuration file
The sample config files are installed in the /usr/share/docs/packages/openvpn/sample-config-files/ directory. Copy server.conf from there to the /etc/openvpn/ directory.
opensuse:/etc/openvpn/ # cp /usr/share/docs/packages/openvpn/sample-config-files/server.conf .
Edit the file and modify the following parameters.
Network port to listen on
The default port is 1194. If you want to change it, change the parameter accordingly.
TCP or UDP
Choose whether to use the TCP or UDP protocol. The default is UDP. If you would like to change it, edit the following line accordingly.
Edit the lines that give the paths to the CA certificate, server certificate, server key and DH parameters file
and change them as per your setup. According to our config, the files should be in /etc/openvpn/easy-rsa/2.0/keys/. On my server they are as follows:
Routed or Bridged
If the VPN setup is routed, as in most cases (and here), then leave the following line untouched:
server 10.8.0.0 255.255.255.0
If you choose to use a bridged environment, then comment out the above line and uncomment the line
server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
In both cases, if you want the IP pool to differ from the default, change it as per your network requirements.
If you need to push routes to clients, then uncomment the lines
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
and add as many as required for your network.
There is a lot more one can customize. Feel free to go ahead and change as required.
If you want to manage the OpenVPN setup remotely from telnet or a GUI like Webmin, then add the line
management localhost 7505
to the bottom. This allows you to connect directly to the port and manage the daemon, e.g. using telnet:
telnet localhost 7505
Type help for the command options.
Now we are all set to test-run the server.
opensuse:~ # openvpn /etc/openvpn/server.conf
If all went well, the service should start and run, listening on port 1194 (UDP in our case). The errors, should there be any, are self-explanatory enough to troubleshoot.
On the client, install OpenVPN as above. Then copy the client.conf file from the sample config files, as with the server, into the /etc/openvpn directory and edit it much the same as server.conf, except:
We choose “client” to make it clear that we are a client.
Enter the remote IP of the OpenVPN server. A multi-server load-balancing list can be added as well.
Copy the appropriate certificate & key files generated on the server onto this client. Ensure this is done securely. Modify the ca.crt, client.crt and client.key entries with the appropriate paths and file names.
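Before the test runs of server.conf (above) and client.conf, a small lint script catches the slips this post warns about: both the server and server-bridge lines left active, a missing ca/cert/key/dh path, a management interface bound to something other than localhost (it has no authentication unless a password file is given), or a client.conf without a client or remote line. This is an added example, not part of the original post or of OpenVPN itself; the directive names are the standard OpenVPN ones, and the file names you pass to it are assumed.

```shell
#!/bin/sh
# Lint an OpenVPN server.conf or client.conf before the first test run.
# Only lines that are not blank and do not start with '#' or ';' are active.
active_directives() {
    grep -v -E '^[[:space:]]*([#;]|$)' "$1"
}

count_directive() {
    # Number of active lines in file $1 whose first word is exactly $2.
    active_directives "$1" | awk -v d="$2" '$1 == d { n++ } END { print n + 0 }'
}

require_once() {
    # Fail unless each directive named after file $1 appears exactly once.
    conf=$1; shift; missing=0
    for d in "$@"; do
        if [ "$(count_directive "$conf" "$d")" -ne 1 ]; then
            echo "ERROR: '$d' must appear exactly once in $conf" >&2; missing=1
        fi
    done
    return $missing
}

check_server_conf() {
    rc=0
    require_once "$1" ca cert key dh || rc=1
    # Routed and bridged mode are exclusive: exactly one of the two may be live.
    n=$(( $(count_directive "$1" server) + $(count_directive "$1" server-bridge) ))
    if [ "$n" -ne 1 ]; then
        echo "ERROR: need exactly one of 'server' or 'server-bridge', found $n" >&2; rc=1
    fi
    # The management port has no authentication by default: keep it on the loopback.
    addr=$(active_directives "$1" | awk '$1 == "management" { print $2 }')
    if [ -n "$addr" ] && [ "$addr" != localhost ] && [ "$addr" != 127.0.0.1 ]; then
        echo "ERROR: management interface bound to $addr, not localhost" >&2; rc=1
    fi
    return $rc
}

check_client_conf() {
    rc=0
    require_once "$1" client ca cert key || rc=1
    # At least one 'remote' is needed; several of them form a failover list.
    if [ "$(count_directive "$1" remote)" -lt 1 ]; then
        echo "ERROR: client.conf needs at least one 'remote' server" >&2; rc=1
    fi
    return $rc
}
```

Source the file and run check_server_conf /etc/openvpn/server.conf (or check_client_conf on the client); it exits non-zero and prints each problem on stderr.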
To start the client:
vpnhost:~ # openvpn /etc/openvpn/client.conf
Try connecting (maybe a ping of an IP address) and check whether you are able to reach the private network.
Hope you found this useful!!!