OpenVPN: Setting up OpenVPN on different platforms
Software version: OpenVPN 2.x
Operating system: Debian 6, OpenBSD 5.9, FreeBSD 9
Website: OpenVPN Website
Introduction
OpenVPN is currently the best solution available for software-based VPN.
OpenVPN allows peers to authenticate each other using a pre-shared private key, certificates, or username/password combinations. It heavily utilizes the OpenSSL authentication library and the SSLv3/TLSv1 protocol. Available on Solaris, OpenBSD, FreeBSD, NetBSD, Linux (Debian, Redhat, Ubuntu, etc…), Mac OS X, Windows 2000, XP, Vista and 7, it also offers numerous security and control functions.
OpenVPN is not compatible with IPsec or other VPN software. The software consists of an executable for both client and server connections, an optional configuration file, and one or more keys depending on the chosen authentication method.
Installation
Debian
For Debian or Debian-like distributions (such as Ubuntu), it’s very simple:
In addition to this documentation, take a look at /etc/default/openvpn. There are some very interesting options there.
FreeBSD
On FreeBSD, it’s also simple:
OpenBSD
On OpenBSD:
Configuration
Authentication via credentials
Dual authentication with PAM adds a second layer on top of certificate authentication. It also makes it possible to deploy a single certificate shared by all users while still authenticating each user individually.
Finally, PAM authentication can be used to manage users from an LDAP database.
All my configuration was done on OpenBSD. I’ll still try to document for Linux as well based on what I’ve found.
Server
Let’s install the appropriate package (as it’s a plugin not integrated into OpenVPN today):
- Add these lines to the server configuration for credential authentication on Linux:
or
_openvpnusers: corresponds to the name of the group with connection rights
- If you are on BSD:
Then add the people you want to be able to connect in the ‘_openvpnusers’ group.
Restart the OpenVPN server.
Client
- Login with prompt
At the client level, here’s what you need to add:
Now, when you try to launch your connection, it will ask you for a login and password.
- Automatic login
If you want the login and password supplied automatically, put them in a file like this:
Make sure that you are the only one with rights to this file:
And add this to client.conf:
Now, launch the connection and nothing will be asked of you.
Authentication with keys
Server
Here we’ll create certificates for authentication. We’ll need to create a root certificate, then certificates for the clients. Edit the following file and adapt it to your configuration:
Here, I set the key expiration to 10 years so I don’t have to regenerate keys too often. Next, navigate to the OpenVPN documentation folder to find all the scripts that will allow you to generate certificates:
Replace server with the name of your server where openvpn is installed.
Generate client certificates
Still on the server side, for clients, proceed like this for each of them:
IP reservation for clients
Add this to the openvpn config if you want to make IP reservations:
Don’t forget to create the /etc/openvpn/clients directory.
Then, you need a configuration file per client (/etc/openvpn/clients/
(The address 10.8.0.51 is used as a “Peer Point” for the OpenVPN server)
Client configuration
Here are the different types of possible configurations.
Windows
First, you need to download OpenVPN GUI. Then, place the keys and the configuration file in C:\Program Files\OpenVPN\Config. The configuration file must be renamed to config.ovpn (or xxxx.ovpn).
Now check the OpenVPN service if you want a permanent connection, or use the GUI.
Mac OS X
On Mac, the GUI is Tunnelblick. Apply this type of configuration and place the keys in the right location:
All that remains is to “Connect openvpn” on the tunnel placed in the top right.
Linux
On Linux, you just need to install openvpn and apply the client configuration identical to that of Windows.
Then, to launch the client:
For the VPN connection to auto-establish, the config file must be named with the same name as the certificates.
If you want a graphical client on Linux, Ubuntu has its own Network Manager and with a small plugin installed, it handles it very well:
My configuration
Because it’s not always easy to see what a working configuration looks like, here are mine. Warning for people who want to try quickly without reading the documentation: I use dual authentication. Remove the lines that don’t interest you after reading the documentation.
Server
I launch my server with these lines:
Client
This configuration is used to have a fully automatic connection:
For your information, here are the options that need to be configured:
- keepalive: enables automatic reconnection in case of loss
- auth-user-pass: allows you to store your credentials in a file
- auth-retry: allows for no interaction
- auth-nocache: this directive is deliberately not included. If you include it, the credentials will be dropped from memory after the first connection and at the first disconnection, no automatic reconnection will work. This usually results in a message like: “ERROR: could not read Auth username from stdin”.
FAQ
WARNING: No server certificate verification method has been enabled
This line is simply missing from your client configuration:
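Added example, not code from the original page: a small Python audit for a client configuration that checks the points raised in this FAQ entry and in the client configuration notes above (server certificate verification, credentials-file permissions, auth-nocache, keepalive, auth-retry). The two configurations and the credential files it writes are constructed for the demo; the directive names are real OpenVPN options, and `remote-cert-tls server` is assumed to be the verification line this warning refers to.

```python
import os
import stat
import tempfile


def parse_config(text):
    """Map each directive to the list of argument lists it appears with.
    Lines starting with '#' or ';' are comments. Inline <ca>...</ca> blocks are
    not parsed specially; their lines become unused entries and do not affect the checks."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit_client_config(text, unattended=True):
    """Return a list of findings; an empty list means the config passed every check."""
    cfg = parse_config(text)
    findings = []
    if ["server"] not in cfg.get("remote-cert-tls", []):
        findings.append("no 'remote-cert-tls server': the server certificate is not verified")
    for args in cfg.get("auth-user-pass", []):
        if args:  # a credentials file is used instead of an interactive prompt
            mode = stat.S_IMODE(os.stat(args[0]).st_mode)
            if mode & 0o077:
                findings.append(f"credentials file {args[0]} has mode {mode:04o}; should be 0600")
    if unattended:
        if "auth-nocache" in cfg:
            findings.append("'auth-nocache' is set: credentials are forgotten, reconnection will fail")
        if "keepalive" not in cfg:
            findings.append("no 'keepalive': dropped tunnels are not re-established")
        if ["nointeract"] not in cfg.get("auth-retry", []):
            findings.append("no 'auth-retry nointeract': a rejected login will prompt on the console")
    return findings


def demo():
    """Write two constructed credential files (0600 and 0644) and audit two constructed configs."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "good.txt"), os.path.join(d, "bad.txt")
    for path, mode in ((good, 0o600), (bad, 0o644)):
        with open(path, "w") as f:
            f.write("user\npass\n")  # constructed placeholder credentials
        os.chmod(path, mode)
    hardened = f"client\nremote vpn.example.invalid 443\nremote-cert-tls server\nauth-user-pass {good}\nauth-retry nointeract\nkeepalive 10 60\n"
    sloppy = f"client\nremote vpn.example.invalid 1194\nauth-user-pass {bad}\nauth-nocache\n"
    return audit_client_config(hardened), audit_client_config(sloppy)
```

Running `demo()` returns no findings for the hardened config and five for the sloppy one, one per pitfall listed above.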
Revoking a certificate
If one of the clients is compromised, it is important to know how to revoke its certificate so that it can no longer reach the OpenVPN server. Access can be blocked with easy-rsa (again from the easy-rsa directory):
Then copy the revocation list (keys/crl.pem) to the /etc/openvpn/server/ directory and tell the OpenVPN server to check it by adding the line:
to the server configuration file (/etc/openvpn/server.conf).
You then need to restart the OpenVPN server.
Bypassing proxies
You may be at work or school where only ports 80 and 443 are open (bad). Additionally, some sites are blocked. To get around this, the server needs to use port 443 to establish the tunnel. Port 80 may not work because of proxy restrictions: on port 443 the proxy uses the CONNECT method (because of SSL), whereas on port 80 it only handles GET and POST. This is how it behaves when the proxy is correctly configured; with a permissive (“Swiss cheese”) proxy that also allows CONNECT on port 80, the tunnel will go through on port 80 as well.
Server
You simply need to change the transport (replace UDP with TCP) and have the client’s default gateway switched automatically, with these 2 options:
Then restart the server :-)
Client
Here we will define proxy rules and go through port 443:
With all this, we’re good to go :-)
FAQ
Advanced routing impossible
If, like me, you want to do somewhat complex routing on OpenVPN, you absolutely must change your TUN interfaces to TAP. Why? Simply because TUN works at layer 3 while TAP works at layer 2.
- On OpenBSD, you need to do it like this:
- On Linux:
Making OpenVPN work in an OpenVZ VE
If you want to run an OpenVPN server in a VE, grant these kinds of rights and create the necessary devices:
Resources
- OpenVPN Installation
- Documentation on a complex OpenVPN setup
- Hardware Authentication for OpenVPN
- http://blog.innerewut.de/2005/7/4/openvpn-2-0-on-openbsd
- http://www.openbsd-france.org/documentations/OpenBSD-openvpn.html
- http://www.procyonlabs.com/guides/openbsd/openvpn/index.php
- http://purple.monk.free.fr/phiva/?p=90
- http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html
- http://auth-passwd.sourceforge.net/
Last updated 30 May 2013, 15:26 CEST.