bogdi19 Posted August 14, 2012

OpenVPN is the de facto standard when it comes to deploying secure VPNs with Linux as a server. OpenVPN has Windows and Mac clients, which makes it a perfect VPN solution for a mix of server-to-server, server-to-network and server-to-road-warrior setups.

This tutorial will set up OpenVPN on an Ubuntu server, allowing a remote workstation to connect to the VPN. The workstation will be bridged into the local network over the OpenVPN tunnel, giving it a local IP address on the network.

Server Setup

Firstly, let's install the OpenVPN and bridge tools packages on the server.

$ sudo apt-get install openvpn bridge-utils

In order to assign the remote workstation a 192.0.2.0/24 address we need to be able to bridge the OpenVPN interface (tap0) to the local 192.0.2.0/24 network. Adding tap0 to the bridge interface br0 will be handled by OpenVPN.

Within the server's network configuration file /etc/network/interfaces we need to create the br0 interface.

auto br0
iface br0 inet static
    address 192.0.2.1
    netmask 255.255.255.0
    network 192.0.2.0
    broadcast 192.0.2.255
    bridge_ports eth0
    bridge_fd 9
    bridge_hello 2
    bridge_maxage 12
    bridge_stp on
    bridge_prio 1000

Bring up the br0 interface with ifup. If eth0 or any other NIC was already configured on the local network, that NIC will have to be brought down before bringing up br0.

$ sudo ifup br0

Check out the Network Connection Bridge Ubuntu wiki page if you are after more information on bridging.

Now back to the OpenVPN setup.

Import the easy-rsa scripts, which are shipped with the OpenVPN package and stored in /usr/share/doc. Also set up a vars file which will be sourced when creating certificates.

$ sudo mkdir /etc/openvpn/easy-rsa
$ sudo rsync -avP /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
$ sudo vim /etc/openvpn/easy-rsa/vars

export KEY_COUNTRY="AU"
export KEY_PROVINCE=VIC
export KEY_CITY=MELBOURNE
export KEY_ORG="OpenVPN-EXAMPLECOMPANY"
export KEY_EMAIL="admin@example.org"

Set up the CA, its certificates and the shared secret key, storing them in /etc/openvpn/.

$ sudo chown -R root:admin /etc/openvpn/easy-rsa
$ sudo chmod g+w /etc/openvpn/easy-rsa
$ cd /etc/openvpn/easy-rsa
$ source ./vars
$ sh ./clean-all
$ sh ./build-dh
$ sh ./pkitool --initca
$ sh ./pkitool --server server
$ cd keys
$ openvpn --genkey --secret ta.key
$ sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

Create the scripts that will execute when the OpenVPN service starts and stops. These scripts add the OpenVPN interface to, and remove it from, the server's br0 interface.

$ sudo su -
# cat - <<EOF > /etc/openvpn/down.sh
#!/bin/sh
PATH=/sbin:/usr/sbin:/bin:/usr/bin
BR=\$1
DEV=\$2
brctl delif \$BR \$DEV
ip link set "\$DEV" down
EOF
# cat - <<EOF > /etc/openvpn/up.sh
#!/bin/sh
PATH=/sbin:/usr/sbin:/bin:/usr/bin
BR=\$1
DEV=\$2
MTU=\$3
ip link set "\$DEV" up promisc on mtu "\$MTU"
if ! brctl show \$BR | egrep -q "\W+\$DEV\$"; then
    brctl addif \$BR \$DEV
fi
EOF
# chmod a+x /etc/openvpn/down.sh /etc/openvpn/up.sh

The server configuration for OpenVPN is created in /etc/openvpn/server.conf. The config below bridges the OpenVPN clients to the 192.0.2.1/24 network, using the range between 192.0.2.160 and 192.0.2.170 to lease addresses to OpenVPN clients. It also calls the up.sh and down.sh scripts when the OpenVPN service is started and stopped.

# cat - <<EOF > /etc/openvpn/server.conf
port 1194
proto udp
server-bridge 192.0.2.1 255.255.255.0 192.0.2.160 192.0.2.170
dev tap0
ca ca.crt
cert server.crt
tun-mtu 1454
key server.key
dh dh1024.pem
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
ifconfig-pool-persist ipp.txt
keepalive 10 600
comp-lzo
persist-key
persist-tun
verb 3
mute 20
status openvpn-status.log
client-config-dir ccd
client-to-client
EOF

Once the config and the server certificates are in place, start the OpenVPN service.

$ sudo service openvpn start

Client Setup

On the server, generate the client certificates for a client named John Example.

$ cd /etc/openvpn/easy-rsa
$ source ./vars
$ ./build-key-pass john_example

Enter the PEM pass phrase that the client will need to enter every time he connects to the VPN. The other options can be left at their defaults, except for the Common Name, which should be set to john_example.ovpn.

Tar the certificates up and transfer them to the client workstation.

$ cd /etc/openvpn/easy-rsa/keys
$ tar cvf ~/john_example.tar john_example.{crt,csr,key} ca.crt

Tunnelblick is a free, open source OpenVPN graphical user interface for Mac OS. The contents of the tar file can be dropped into ~/Library/Application Support/Tunnelblick/Configurations and will be automatically imported into Tunnelblick. With a Linux workstation, drop the files into /etc/openvpn/ after installing the openvpn package.

On the client, generate the OpenVPN client configuration file. The cert and key entries name the files that were tarred up above.

# cat - <<EOF > /etc/openvpn/client-hq.conf
client
dev tap
proto udp
remote vpn-headoffice.example.org 1194
tun-mtu 1454
nobind
persist-tun
ca ca.crt
cert john_example.crt
key john_example.key
comp-lzo
verb 3
mute 20
auth-nocache
EOF

On a Linux client, the configuration file should be dropped into /etc/openvpn/client.conf. With Tunnelblick, the configuration file is dropped into ~/Library/Application Support/Tunnelblick/Configurations.

The remote endpoint for the tunnel is vpn-headoffice.example.org, which is the 203.0.113.254 interface on server.hq.example.org.

Once the client configuration is in place, start up the tunnel with Tunnelblick or by starting the OpenVPN service on the Linux workstation.

$ sudo service openvpn start

On a Linux client a tap0 interface is created and should be assigned a 192.0.2.160/24 address, allowing the entire 192.0.2.0/24 network to be routed across the OpenVPN connection.

$ ip addr show tap0
10: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1454 qdisc pfifo_fast state UNKNOWN qlen 100
    link/ether f2:24:a0:41:51:f0 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.160/24 brd 192.0.2.255 scope global tap0
    inet6 fe80::fc24:adff:fe43:51f0/64 scope link

Source: Linux Sysadmin Tutorials
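As an added example (not part of the tutorial or the original post), the POSIX shell script below checks the two configs from the tutorial before the service is started: that the server-bridge pool sits inside the bridge subnet and is ordered correctly, that tun-mtu agrees on both sides, and whether the ta.key generated earlier is actually referenced by a tls-auth line (the tutorial's configs never use it). The config contents are constructed copies of the tutorial's, written to temp files; the function names check_server_bridge, mtu_matches, has_tls_auth and ip2int are chosen here.

```shell
#!/bin/sh
# Added example (not from the tutorial): sanity-check a bridged OpenVPN
# server.conf and client.conf before the service is started.
ip2int() {   # dotted quad -> 32-bit integer
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Return 0 when the server-bridge pool (start..end) lies inside the gateway's
# subnet and start <= end; otherwise print the reason on stderr and return 1.
check_server_bridge() {
    set -- $(awk '$1 == "server-bridge" { print $2, $3, $4, $5 }' "$1")
    [ $# -eq 4 ] || { echo "no usable server-bridge line" >&2; return 1; }
    gw=$(ip2int "$1"); mask=$(ip2int "$2"); start=$(ip2int "$3"); end=$(ip2int "$4")
    net=$(( gw & mask ))
    [ $(( start & mask )) -eq "$net" ] || { echo "pool start outside bridge subnet" >&2; return 1; }
    [ $(( end & mask )) -eq "$net" ]   || { echo "pool end outside bridge subnet" >&2; return 1; }
    [ "$start" -le "$end" ]            || { echo "pool start is after pool end" >&2; return 1; }
}

# Return 0 when both configs carry the same tun-mtu (the tutorial uses 1454 on each side).
mtu_matches() {
    [ "$(awk '$1 == "tun-mtu" { print $2 }' "$1")" = "$(awk '$1 == "tun-mtu" { print $2 }' "$2")" ]
}

# Return 0 when the config references the ta.key that the tutorial generates.
has_tls_auth() { grep -q '^tls-auth ' "$1"; }

# Constructed copies of the tutorial's configs (trimmed to the relevant lines).
SERVER_CONF=$(mktemp); CLIENT_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$SERVER_CONF" <<'EOF'
port 1194
proto udp
server-bridge 192.0.2.1 255.255.255.0 192.0.2.160 192.0.2.170
dev tap0
tun-mtu 1454
EOF
cat > "$CLIENT_CONF" <<'EOF'
client
dev tap
remote vpn-headoffice.example.org 1194
tun-mtu 1454
EOF
# Constructed broken variant: pool moved to a different /24 than the bridge gateway.
sed 's/192\.0\.2\.160 192\.0\.2\.170/192.0.3.160 192.0.3.170/' "$SERVER_CONF" > "$BAD_CONF"

check_server_bridge "$SERVER_CONF" && echo "server-bridge pool OK"
check_server_bridge "$BAD_CONF" || echo "misconfigured pool rejected as expected"
mtu_matches "$SERVER_CONF" "$CLIENT_CONF" && echo "tun-mtu matches on both sides"
has_tls_auth "$SERVER_CONF" || echo "note: ta.key is generated but never used by server.conf"
```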