Saturday, July 24, 2010

Misc 43

OpenVPN is an open-source VPN solution built on the OpenSSL library. It supports site-to-site and remote-access connections in either bridged (TAP) or routed (TUN) mode, and because the whole tunnel runs over a single UDP or TCP port it traverses NAT and firewalls well.
Authentication can use certificates, a pre-shared static key, or a username and password. In this article I'm going to describe setting up a simple certificate authority on Debian using the easy-rsa scripts shipped with OpenVPN, and then using it to issue a server certificate and a client certificate.

Once we're on our Debian machine (as root, since both the install and OpenVPN itself need it), we'll begin by installing OpenVPN:
apt-get install openvpn

Now that we have OpenVPN in place, we'll have to copy some files. First, we'll browse to the folder where we'll store our files. In this article, I'll store them in the OpenVPN folder:
cd /etc/openvpn/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ ./easy-rsa/
cp -r /usr/share/doc/openvpn/examples/sample-config-files/ ./

What we did above is copy the easy-rsa scripts (used to create the CA and to issue the certificates and keys it signs) and the sample configuration files, which we will modify to suit our scenario. Now let's change into the easy-rsa folder to begin generating the keys:
cd easy-rsa

The first thing we want to do is clean the key directory. Before we can do that, we'll need to load some variables so the scripts know where the keys live and which defaults to use. Open ./vars first and fill in the KEY_* defaults (country, organisation and so on) and check KEY_SIZE: the shipped default is 1024 bits, which is too small by current standards and is also what names the Diffie-Hellman file dh1024.pem, so set it to 2048 before building anything. The file has to be sourced again in every new shell (for example after a reboot) before you can generate further certificates:
source ./vars

Now it's time to clean out the key folder using the clean-all script. Be aware that it removes the whole ./keys directory, so never run it against a CA you already use:
./clean-all
Now that we're at ground zero, we'll build the Certificate Authority itself (this creates ca.crt and ca.key in ./keys):
./build-ca
After we've filled in the subject fields (the defaults come from vars; the Common Name is the one that matters), we can begin building keys for our server and the clients. Let's begin by generating a server keypair. build-key-server, unlike build-key, marks the certificate as a server certificate, which is what lets a client tell the real server apart from another client holding a certificate from the same CA:
./build-key-server server

You now have server.crt and server.key in the ./keys folder; we'll point the server configuration at them later in this article. Now let's create a client keypair. Give every client its own unique Common Name, because the server identifies clients by it:
./build-key client

Notice that every time you sign a certificate, there is a message that says "Data Base Updated". That database is the CA's index in ./keys (index.txt, with the serial counter in serial), not the ./vars file: vars only sets environment variables, which is why it has to be sourced again after a reboot before you can issue further certificates.

Now you have a certificate for your server as well as the client. The final thing we need to do is to generate Diffie-Hellman parameters, which the server uses for key exchange. The file takes its name from KEY_SIZE, so with the shipped default you get dh1024.pem (dh2048.pem if you raised it), and generation can take a few minutes:
./build-dh
Now that we have all our files ready, let's take a look in the ./keys folder. You should have at least these files:
ca.crt ca.key server.crt server.key client.crt client.key dh1024.pem
alongside the CA's bookkeeping (index.txt, serial and the .csr signing requests).
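To make the difference between build-key-server and build-key concrete, here is the same three-step PKI (CA, server certificate, client certificate) built with Go's standard crypto/x509 instead of the easy-rsa scripts. This is an added example, not easy-rsa's code: it uses ECDSA P-256 rather than easy-rsa's RSA, keeps everything in memory, and the names OpenVPN-CA, server and client are chosen for illustration. It does not reproduce every extension in easy-rsa's openssl.cnf, only the one that matters here: the server certificate carries the serverAuth role and a client certificate does not. The check it demonstrates is the one a client must make: being signed by the CA is not enough, the certificate also has to carry the server role, otherwise any client's certificate would be accepted as the server's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Roles a peer can be verified for: the extended key usages that distinguish
// a certificate from build-key-server from one issued by build-key.
const (
	RoleServer = x509.ExtKeyUsageServerAuth
	RoleClient = x509.ExtKeyUsageClientAuth
)

// PKI holds what build-ca, build-key-server and build-key leave in ./keys:
// a self-signed CA, one server certificate and one client certificate.
// Everything is generated in memory; nothing is written to disk.
type PKI struct {
	CA, Server, Client          *x509.Certificate
	CAKey, ServerKey, ClientKey *ecdsa.PrivateKey
}

// sign issues a certificate from tmpl for pub, signed by parent's key.
func sign(tmpl, parent *x509.Certificate, pub interface{}, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// leaf is the template for an end-entity certificate; the only thing that
// differs between server and client is the extended key usage.
func leaf(serial int64, cn string, now time.Time, eku x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
}

// BuildPKI is the equivalent of: ./build-ca; ./build-key-server server; ./build-key client
func BuildPKI() (*PKI, error) {
	now := time.Now().Add(-time.Minute) // small backdate so a fresh cert is valid at once
	gen := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err) // only fails if the system RNG is unavailable
		}
		return k
	}
	p := &PKI{CAKey: gen(), ServerKey: gen(), ClientKey: gen()}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "OpenVPN-CA"},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	var err error
	if p.CA, err = sign(caTmpl, caTmpl, &p.CAKey.PublicKey, p.CAKey); err != nil {
		return nil, err
	}
	if p.Server, err = sign(leaf(2, "server", now, RoleServer), p.CA, &p.ServerKey.PublicKey, p.CAKey); err != nil {
		return nil, err
	}
	if p.Client, err = sign(leaf(3, "client", now, RoleClient), p.CA, &p.ClientKey.PublicKey, p.CAKey); err != nil {
		return nil, err
	}
	return p, nil
}

// VerifyAs is what a peer configured with "ca ca.crt" does to the certificate
// it is shown: chain it to that CA. With role set to RoleServer it also applies
// the check that "remote-cert-tls server" adds on the client side, so a client
// certificate from the same CA cannot be used to impersonate the server.
func VerifyAs(ca, presented *x509.Certificate, role x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{role}})
	return err
}

// PEM renders a certificate the way easy-rsa writes it to a .crt file.
func PEM(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

func main() {
	p, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("server.crt accepted as server:", VerifyAs(p.CA, p.Server, RoleServer) == nil)
	fmt.Println("client.crt accepted as server:", VerifyAs(p.CA, p.Client, RoleServer) == nil)
	fmt.Println("client.crt accepted as client:", VerifyAs(p.CA, p.Client, RoleClient) == nil)
	fmt.Print(PEM(p.Server))
}
```

Run it with go run: the first and third lines print true, the second false, because the client certificate chains to the CA but lacks the server role. A second BuildPKI gives a CA with the same name but a different key, and nothing it did not sign verifies against it, which is the other half of what "ca ca.crt" buys you.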
These are the important files you need, and they are not equally sensitive: ca.key signs every certificate the VPN trusts, so keep it readable only by root (and ideally off the VPN server altogether); each *.key file stays with its own machine; only ca.crt is safe to hand around. Let's begin by configuring the server. Change into the sample-config-files folder:
cd /etc/openvpn/sample-config-files/

You'll notice a file called "server.conf.gz". Before we can modify it, we'll need to unpack it:
gunzip server.conf.gz

You should have a server.conf file now. We'll need to open it up:
nano server.conf

There are four things we need to modify: the CA certificate, the server certificate, the server key and the Diffie-Hellman parameters. Scroll down until you see these lines and point them at the files we just generated. Note that the directive for the certificate is cert; server is a different directive that defines the VPN subnet and will not accept a file path. If you raised KEY_SIZE to 2048, the DH file is dh2048.pem:
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

Instead of absolute paths you can use relative ones such as "../easy-rsa/keys/", but they are resolved against the directory OpenVPN is started from, so absolute paths are safer once it runs as a daemon. Now you can start your server (as root, since it has to create the tun interface) using:
openvpn server.conf

If it's all successful, you should see "Initialization Sequence Completed" at the bottom. To instead run the server as a daemon, use:
openvpn --daemon --config server.conf

I won't recommend running it as a daemon until you've verified it to be working. Now we can configure a client, using the client.conf file found in the same folder. Set the remote line to your server's address (you can point it at your own machine to test the configuration) and change the credential lines as shown; again, the certificate goes under cert, not server:
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/client.crt
key /etc/openvpn/easy-rsa/keys/client.key
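As an added example (my own code, not part of OpenVPN or easy-rsa), here is a small parser for OpenVPN's configuration format and a checker for the two client-side mistakes worth catching at this step: the client certificate listed under server instead of cert, and a missing remote-cert-tls server line. The two embedded configurations are constructed for the example; vpn.example.invalid stands in for the server address, which you replace with your own.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Directive is one OpenVPN config entry: the keyword and its arguments.
// For an inline block such as <ca>...</ca> the Args hold the block's lines.
type Directive struct {
	Key  string
	Args []string
}

// ParseConfig reads OpenVPN's line-oriented format: a line starting with
// '#' or ';' is a comment, the first word is the directive, the rest are
// its arguments, and <tag>...</tag> encloses an inline file.
func ParseConfig(text string) []Directive {
	var out []Directive
	var block *Directive
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if block != nil { // inside <tag> ... </tag>
			if line == "</"+block.Key+">" {
				out = append(out, *block)
				block = nil
			} else {
				block.Args = append(block.Args, line)
			}
			continue
		}
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "<") && strings.HasSuffix(line, ">") && !strings.HasPrefix(line, "</") {
			block = &Directive{Key: strings.Trim(line, "<>")}
			continue
		}
		f := strings.Fields(line)
		out = append(out, Directive{Key: f[0], Args: f[1:]})
	}
	return out
}

// LintClient lists what is wrong with a client.conf: the three credential
// directives and the server address must be present, "server" is a
// server-side directive that has no place here (the client certificate goes
// under "cert"), and without "remote-cert-tls server" the client accepts any
// certificate signed by the CA, including another client's, as the VPN server.
func LintClient(cfg []Directive) []string {
	has := map[string][]string{}
	for _, d := range cfg {
		has[d.Key] = d.Args
	}
	var problems []string
	for _, k := range []string{"ca", "cert", "key", "remote"} {
		if _, ok := has[k]; !ok {
			problems = append(problems, "missing '"+k+"'")
		}
	}
	if _, ok := has["server"]; ok {
		problems = append(problems, "'server' is a server-only directive; use 'cert' for the client certificate")
	}
	if args, ok := has["remote-cert-tls"]; !ok || len(args) != 1 || args[0] != "server" {
		problems = append(problems, "missing 'remote-cert-tls server'")
	}
	return problems
}

// Two constructed client configurations: the first repeats the mistake of
// putting the client certificate under "server", the second is the corrected form.
const WeakClientConf = `client
dev tun
# vpn.example.invalid is a placeholder for the server's address
remote vpn.example.invalid 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
server /etc/openvpn/easy-rsa/keys/client.crt
key /etc/openvpn/easy-rsa/keys/client.key
`

const HardenedClientConf = `client
dev tun
# vpn.example.invalid is a placeholder for the server's address
remote vpn.example.invalid 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/client.crt
key /etc/openvpn/easy-rsa/keys/client.key
remote-cert-tls server
`

func main() {
	fmt.Println("weak:    ", LintClient(ParseConfig(WeakClientConf)))
	fmt.Println("hardened:", LintClient(ParseConfig(HardenedClientConf)))
}
```

The weak configuration is reported with three problems (no cert, a stray server, no remote-cert-tls) and the hardened one with none. The checker only knows the handful of directives this article uses; it is a sanity check on what you typed, not a substitute for reading OpenVPN's own startup errors.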

It's also worth adding the remote-cert-tls server directive to client.conf (on older releases the equivalent is ns-cert-type server, which the sample client.conf already carries commented out): it makes the client check that the certificate it is shown was issued with build-key-server, so another client of the same CA cannot pose as the server. Now you can start the client using:
openvpn client.conf

You should again see "Initialization Sequence Completed" when you connect successfully.

Likewise, you can run OpenVPN client as a daemon using:
openvpn --daemon --config client.conf

When running as a daemon, you can see your tunnel interface using:
ip addr show tun0
(or ifconfig tun0 on older systems).
For others to connect remotely, generate a client keypair for each of them (one certificate per person or device, never shared), hand over ca.crt together with their own client.crt and client.key over a secure channel, and perform the same client configuration steps at the remote end. The ca.key never leaves the CA machine.

Congratulations! You've set up a VPN service in Linux! In the next article, I'll show you how to set up OpenVPN in a Linksys router flashed with TomatoVPN, and how to connect to either a Linux or the Linksys router VPN server from the Windows version of OpenVPN.

