[nylug-talk] OpenVPN... Yeah or nay?
R. Mariotti
r.mariotti at fdcx.net
Fri Sep 7 11:09:14 EDT 2007
Brandorr wrote:
> I am looking for an opensource VPN solution that supports Windows and
> Unixy clients. (Linux/Mac/Solaris)
>
> This is to connect to my home network from the road.
>
> I have 6.0mb/768kb ADSL and am trying to figure out if there is a
> reason I might want to go with L2 tunneling vs. routed VPN. (Other
> than CIFS browsing are there any protocols that I might want to use
> network broadcast for?)
>
> Cheers,
> Brian
>
OpenVPN Setup (Updated 11/02/2006)
16th June 2006
I had two machines that I needed to install OpenVPN on yesterday, so I
figured I would post the steps required to get them up and running. The
servers were both running Ubuntu 6.06.
Here are the quick and dirty steps:
sudo apt-get install openvpn openssl
cd /usr/share/doc/openvpn/examples
sudo cp -R easy-rsa/ /etc/openvpn
cd /etc/openvpn/easy-rsa
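# "." is a shell builtin, so "sudo . ./vars" fails. Open a root shell, source
# vars there, and run the later easy-rsa scripts from that same shell.
sudo -s
. ./vars
./clean-all
./build-ca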
Answer the questions to create the key
Now we need to create the server key:
sudo ./build-key-server server
Again answer the questions to customize the key. You can use the
defaults if you want and just enter the server name when asked. The name
is required; if you do not enter a name the key will be zero length
and will not work. The error message is not all that straightforward,
it only says the server failed to start.
Now we need to create the client keys:
sudo ./build-key 'name of key'
Again answer the questions to customize the key. You can use the
defaults if you want and just enter the computer name when asked. I like
to use the name of the computer the key is for, because it makes it
easier to keep track of the keys if you need to remove one. The name is
required; if you do not enter a name the key will be zero length and
will not work. The error message is not all that straightforward, it
only says the server failed to start.
Now we create the Diffie-Hellman parameters:
sudo ./build-dh
When we pass the keys to the clients we need to distribute the following
keys to each client:
ca.crt goes to the client and the server.
ca.key goes to the key signing machine only, which we set this one to be.
dh{n}.pem goes to the server only.
server.crt goes to the server only.
server.key goes to the server only.
.crt goes to the client only.
.key goes to the client only.
The last thing to do on the server is create the configuration file:
(view sample)
sudo vi /etc/openvpn/server.conf
Restart the service and the server is done.
sudo /etc/init.d/openvpn restart
Next we have to create the configuration file for the client: (view sample)
This file needs to be saved in the same directory as the keys. On
Windows the configuration file should be saved with a .ovpn extension.
Just double-click this file to establish the connection. To establish the
connection on *nix or Windows, run openvpn [client config file]. With a
little luck you should be connected now.
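
The how-to above warns that a key built without a name comes out zero length and that the only symptom is the server failing to start. As an added example (not part of the original post), this shell function checks the server-side files from the distribution list before the restart. The function name, the keys directory in the usage comment, and the private-key permission check are assumptions made here, not steps from the post.

```shell
#!/bin/sh
# Added example, not from the original post. check_server_keys is a
# hypothetical helper name; pass it the directory holding the server's files.

check_server_keys() {
    dir=$1
    problems=0

    # Files the post's list places on the server. -s is false for a
    # missing file and for a zero-length one (the unnamed-key failure).
    for f in ca.crt server.crt server.key; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or zero length: $f"
            problems=$((problems + 1))
        fi
    done

    # dh{n}.pem: n is the key size, so accept any non-empty dh*.pem.
    dh_found=0
    for f in "$dir"/dh*.pem; do
        if [ -s "$f" ]; then dh_found=1; fi
    done
    if [ "$dh_found" -eq 0 ]; then
        echo "missing or zero length: dh{n}.pem"
        problems=$((problems + 1))
    fi

    # Addition beyond the post: private keys should carry no group/other
    # permission bits (mode string ends in "------").
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue
        case "$(ls -ld "$f")" in
            ????------*) ;;
            *)  echo "readable by group or other: ${f##*/}"
                problems=$((problems + 1)) ;;
        esac
    done

    [ "$problems" -eq 0 ]
}

# Stand-alone use (path is an assumption: easy-rsa's default output dir):
#   sh check.sh /etc/openvpn/easy-rsa/keys
if [ "$#" -gt 0 ]; then
    check_server_keys "$1"
fi
```

The function returns non-zero and prints one line per problem, so it can gate the restart step in a script.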