[TriLUG] OpenVPN for Home

Alan Porter porter at trilug.org
Wed Oct 11 13:30:13 EDT 2006


> does anyone consider openVPN (or any VPN solution) to be simple to set up?
>   

Yes, it's very simple. To me, the hardest part was deciding what IPs to use
and what naming convention to use for my keys.

The following is my "how-to" file (which I keep handy in /etc/openvpn/HOW-TO).
While it does not really explain what is going on, it *does* list all of the
necessary steps to create a server, create a client key, and install a client
key on a client.

Alan



--

NOTE - in all cases below, replace the word SERVER with the host name of the
server. Likewise, replace CLIENT with the host name of the client. In my
example files, there is a server called "mysrv" and a client called "myclient".


OUR NAMING CONVENTION FOR CERTIFICATES, DIRECTORIES AND "COMMON NAMES"

server configuration
--------------------
The server keys, certificates, and accounting files are in /etc/openvpn/keys/SERVER/
The "common name" for the certificate authority is "SERVER".
The "common name" for the server certificate is "SERVER".

client certificates
-------------------
Files are called /etc/openvpn/keys/SERVER/SERVER-CLIENT.{crt,csr,key}
The "common name" is "SERVER-CLIENT".

OpenVPN configuration files
---------------------------
Server config files are /etc/openvpn/SERVER.conf
Client-specific config files (on the server) are /etc/openvpn/client_config/SERVER-CLIENT
Client config files are /etc/openvpn/SERVER-CLIENT.conf

CREATING THE SERVER KEYS

. ./vars
./tools/clean-all
./tools/build-ca
./tools/build-key-server mysrv
./tools/build-dh

CREATING CLIENT KEYS

. ./vars
./tools/build-key clientname

(then copy clientname.crt, clientname.key, and ca.crt to the client machine)
(create a conf file for the client)

REVOKING A CLIENT KEY

. ./vars
./tools/revoke-full bad_client

(and then read http://openvpn.net/howto.html#quick)

EXAMPLE SERVER CONF FILE

# the basics
port 1194
proto udp
dev tun

# certificate stuff
ca /etc/openvpn/keys/mysrv/ca.crt
cert /etc/openvpn/keys/mysrv/mysrv.crt
key /etc/openvpn/keys/mysrv/mysrv.key
dh /etc/openvpn/keys/mysrv/dh1024.pem

# address range to use
server 10.99.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# advertise our own subnet to clients
push "route 10.1.0.0 255.255.0.0"

# client 'myclient' will route 10.2.0.0/16
# only necessary if you're bridging two networks,
# not if you're just handling the "road warrior"
# (the matching "iroute 10.2.0.0 255.255.0.0" line goes in
# client_config/mysrv-myclient, which OpenVPN selects by the
# client certificate's common name)
client-config-dir client_config
route 10.2.0.0 255.255.0.0

# lower-layers
keepalive 10 120
comp-lzo
persist-key
persist-tun

# for better security
user nobody
group nogroup

# logging
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3

EXAMPLE CLIENT CONF FILE

# the basics
dev tun
proto udp
client
remote servers.address.com 1194

# retries, etc
resolv-retry infinite
nobind
persist-key
persist-tun

# for security
user nobody
group nogroup

# certificate stuff
ca /etc/openvpn/keys/mysrv/ca.crt
cert /etc/openvpn/keys/mysrv/mysrv-myclient.crt
key /etc/openvpn/keys/mysrv/mysrv-myclient.key

# low layers
comp-lzo

# logging
log-append /var/log/openvpn.log
verb 3

END
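Added example, not part of Alan's post or of easy-rsa: the key ceremony from the HOW-TO (build-ca, build-key-server, build-key, revoke-full) done with the openssl command line directly, keeping the naming convention above (CA and server CN = SERVER, client CN = SERVER-CLIENT). It assumes a throwaway directory standing in for /etc/openvpn/keys/SERVER, 2048-bit RSA keys, SHA-256 signatures, and adds serverAuth/clientAuth extended key usage to the certificates, which the easy-rsa defaults of that era did not. The last point is what the checks at the end exercise: a client certificate from the same CA verifies fine as a client but is rejected in the server role, and a revoked client fails the CRL check while the server certificate still passes.

```bash
#!/bin/bash
# Added example (not from the original post): CA, server and client certs with
# the HOW-TO's naming convention, then the checks each VPN endpoint should make.
set -eu

SERVER=${SERVER:-mysrv}
CLIENT=${CLIENT:-myclient}
# Assumption: a throwaway directory stands in for /etc/openvpn/keys/SERVER.
KEYDIR=${KEYDIR:-$(mktemp -d)/keys/$SERVER}
mkdir -p "$KEYDIR" && cd "$KEYDIR"

# Minimal OpenSSL config: a req section for CSRs, one extension section per
# certificate role, and a [ca] section used only for revocation bookkeeping
# and CRL generation (what easy-rsa's revoke-full drives under the hood).
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ext_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ext_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ext_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF

build_ca() {   # self-signed CA with CN=SERVER, plus an empty CA database
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -config openssl.cnf -key ca.key -subj "/CN=$SERVER" -out ca.csr
  openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
    -extfile openssl.cnf -extensions ext_ca -out ca.crt 2>/dev/null
  : > index.txt; echo 01 > serial; echo 01 > crlnumber
}

issue() {      # issue NAME EXT_SECTION: key + CSR for NAME, signed by the CA
  local name=$1 ext=$2
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -config openssl.cnf -key "$name.key" -subj "/CN=$name" -out "$name.csr"
  openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
    -sha256 -extfile openssl.cnf -extensions "$ext" -out "$name.crt" 2>/dev/null
}

cert_cn() {    # cert_cn FILE: print the certificate's common name
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//; s/^CN=//'
}

cn_follows_convention() {   # 0 if CN is "SERVER-<something>", as the HOW-TO requires;
  case "$1" in "$SERVER"-?*) return 0 ;; *) return 1 ;; esac   # the server picks
}                           # client_config/<CN> by this name, so a stray CN gets nothing

verify_as() {  # verify_as CERT server|client: chains to our CA AND carries the role's EKU
  local purpose=sslserver
  if [ "$2" = client ]; then purpose=sslclient; fi
  openssl verify -CAfile ca.crt -purpose "$purpose" "$1" >/dev/null 2>&1
}

revoke() {     # revoke CERT: mark it revoked in the CA database, regenerate the CRL
  openssl ca -config openssl.cnf -revoke "$1" 2>/dev/null
  openssl ca -config openssl.cnf -gencrl -out crl.pem 2>/dev/null
}

is_revoked() { # 0 if the CRL makes verification of CERT fail
  ! openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check "$1" >/dev/null 2>&1
}

build_ca
issue "$SERVER" ext_server
issue "$SERVER-$CLIENT" ext_client
for f in ca.crt "$SERVER.crt" "$SERVER-$CLIENT.crt"; do
  printf '%-24s CN=%s\n' "$f" "$(cert_cn "$f")"
done
# The check a client should make on its peer: a certificate from the same CA is
# not enough, it must also be a *server* certificate.
verify_as "$SERVER.crt" server         && echo "server cert accepted in server role"
verify_as "$SERVER-$CLIENT.crt" server || echo "client cert rejected in server role"
# What revoke-full amounts to: only the revoked client fails the CRL check.
revoke "$SERVER-$CLIENT.crt"
is_revoked "$SERVER-$CLIENT.crt" && echo "$SERVER-$CLIENT revoked"
is_revoked "$SERVER.crt"         || echo "$SERVER still valid"
```

The server-role check is only enforced by OpenVPN if the client config asks for it: `remote-cert-tls server` (OpenVPN 2.1 and later, which needs the serverAuth EKU issued here) or, on 2.0, `ns-cert-type server` (which needs the nsCertType extension instead). The example client config above has neither, so any holder of a client certificate signed by the same CA could impersonate the server to other clients. Likewise the server only honours the CRL if its config carries `crl-verify crl.pem` pointing at the file revoke-full (or the `revoke` function here) regenerates.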
