Authentication is done through certificates, pre-shared keys as well as username and password. In this document, I'm going to describe the simple setting up of a certificate authority in Debian using scripts provided by OpenVPN.
Once we get on our Debian machine, we'll begin by first installing OpenVPN:
apt-get install openvpnNow that we have OpenVPN in place, we'll have to copy some files. First, we'll browse to the folder where we'll store our files. In this article, I'll store them in the OpenVPN folder:
cd /etc/openvpn/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ ./easy-rsa/
cp -r /usr/share/doc/openvpn/examples/sample-config-files/ ./What we did above is to copy the easy-rsa scripts (used for generating the CA as well as keys used by the CA) and sample configuration files which we will need to modify to suit our scenario. Now let's browse into the easy-rsa folder to begin generating the keys:
cd easy-rsaThe first thing we want to do is to clean the configuration. Before we can do that, we'll need to load up some variables to let the scripts know where we are at (this needs to be done every time you restart your system before you can generate new certificates):
source ./varNow, it's time to clean out the folders using the clean-all script:
./clean-allNow that we're on ground zero, we'll begin by initializing the Certificate Authority:
./build-caAfter we've filled in the information (can be anything), we can begin building keys for our server or the clients. Let's begin by generating a server keypair:
./build-key-server serverYou would now have a server certificate and key file in the ./keys folder. We'll deal with those keys later on in this article. Now let's create a client keypair:
./build-key clientNotice that every time you generate a key, there is a message that says "Data Base Updated". This database is actually the ./vars file. As you recall, you'll need to reload this database before you can enroll and sign certificates after you restart your computer.
Now you have a certificate for your server as well as the client. The final thing we need to do is to generate some Diffie-Hellman parameters (this is used by the server):
./build-dhNow that we have all our files ready, let's take a look in the ./keys folder. You should have these files:
ca.crt ca.key client.crt client.key server.crt server.key
These are the important files you need. Let's begin by doing configuration for the server file. Browse on to the sample-config-files folder:
cd /etc/openvpn/sample-config-files/You'll notice a file called "server.conf.gz". Before we can modify this file, we'll need to unpack it. To do this, we'll need to type:
gunzip server.conf.gzYou should have a server.conf file now. We'll need to open it up:
nano server.confThere are four things we need to modify: CA, Server Certificate, Server Key, and Diffie-Hellman Parameters. To do this, scroll down till you see these lines and modify as follows:
ca /etc/openvpn/easy-rsa/keys/ca.crt
server /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pemInstead of the absolute path, you can try using "../easy-rsa/keys/". Now you can start your server using:
openvpn server.confIf it's all successful, you should see "Initialization Sequence Completed" at the bottom. To instead run the server as a daemon, use:
openvpn --daemon --config server.confI won't recommend running it as a daemon until you've verified it to be working. We can configure a client now. To do this, we'll be using the client.conf file found in the same folder. Make changes as shown (I'm pointing it to my server address at 192.168.1.2, you can connect to yourself to test your configuration):
remote 192.168.1.2
ca /etc/openvpn/easy-rsa/keys/ca.crt
server /etc/openvpn/easy-rsa/keys/client.crt
key /etc/openvpn/easy-rsa/keys/client.keyNow you can start the client using:
openvpn client.confYou should again see "Initialization Sequence Completed" when you connect successfully.
Likewise, you can run OpenVPN client as a daemon using:
openvpn --daemon --config client.confWhen running as daemon, you can see your tunnel interfaces using:
ifconfigFor others to connect remotely, generate a client keypair for them and perform the same steps for client configuration at the remote end.
Congratulations! You've set up a VPN service in Linux! In the next article, I'll show you how to set up OpenVPN in a Linksys router flashed with TomatoVPN, and how to connect to either a Linux or the Linksys router VPN server from the Windows version of OpenVPN.
Τhe samsung galaxy Note featuгеѕ an 8 megаpixеl camera over a 5
ReplyDeletemegapixel digіtal camегa, ѕοphіsticаtеd touchscreen and аn аll new
world of рrоductiνity.
my web-ѕіte; bibliotecadecordoba.com
Wе've always loved Tablets conceptually, but in some cases smaller form factors and so forth. If you are going to be those atConsumersearchFindthebest, andRetrevowebsites that aggregate reviews and often allow you to use the amazing windows RT and the operating system preview belonging to the student community. 26 rollout date that Microsoft has incorporated a full keyboard or browser. It just goes to pay it for a split second, and then online and at brick and mortar operations but more so than any other small tablet.
ReplyDeleteFeel free to surf to my blog post: may tinh bang (http://wiki2.hotexo.de/)