OpenVPN Part I

For a long time I’ve had OpenVPN on my todo list. My wife’s primary computer is a laptop running Debian and it would be nice to VPN into the home wired subnet from the home wireless subnet.

For my router I have a LinkSys WRT54G. On this I’m running OpenWRT. I’ve “broken the bridge” between the wireless interface and the wired interface so I have a separate subnet for my wireless network. I did this primarily because I didn’t want to expose my NFS exports to a wireless network using WEP. I don’t have any WPA capable devices but even if I did I still prefer having a separate subnet for the wireless devices.

On the other hand I WOULD like to have access to the NFS exports as well as Myth TV in a secure fashion. I looked into running openswan on OpenWRT (white russian release) but didn’t have any luck. After doing more research I decided that OpenVPN makes more sense for my situation anyhow. I don’t want to run a computationally intensive app on the WRT54G. I can run OpenVPN on more powerful machines in my network.

I installed OpenVPN on my file server using apt-get. I wanted a simple way to get up and running and finally settled on reading the Open VPN 2.0 Howto. Of course I wasted a bunch of time trying to do shortcuts but in the end I had to read that document. Not only did I have to read it but I had to read it carefully.

I wanted to setup the VPN server to support multiple clients even though I’ll likely only use one client. There is a slight chance that I might issue client keys to friends that bring their laptops over but it’s unlikely. Either way it’s better to learn the “right way” of doing things.

The basic steps for setting up the server are:

  1. Create a Certificate Authority. This sounds complicated but it’s not because a script comes with OpenVPN to create it for you. The Certificate Authority, which everyone likes to abbreviate with CA, is a file.
  2. Build Diffie Helman parameters for the server.
  3. Create a server key signed by the Certificate Authority created in step 1.
  4. Create client keys signed by the Certificate Authority created in step 1.

To create the Certificate Authority (based on my Debian system):

$ cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/keys
$ cd /etc/openvpn/keys
$ $EDITOR vars
$ source vars
$ ./clean-all
$ ./build-ca

To build the Diffie Hellman parameters:

$ ./build-dh

To create a server key

$ ./build-key-server

To create client keys

$ ./build-key

Next you need to copy the default server.conf file and make a few modifications. On Debian the default server config file is located in /usr/share/doc/openvpn/examples/sample-config-files/serv.conf.gz. Uncompress the file and place it in /etc/openvpn. Some of the changes you may need to make are:

  • dropping of priviledges – this should be turned on
  • paths to the various key files

The OpenVPN init script will find all of the config file in /etc/openvpn and load each of them. Initially you will probably want to run the server directly for easy viewing of output (e.g. `#openvpn server.conf`). If you have trouble you main get extra insight by increasing ‘verb’ setting in the config file.

In my next post about OpenVPN I’ll discuss my network configuration and the steps required to get routing working correctly.

This entry was posted in Geek, Tips. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s