17 01 2013
Configuring an SSL/TLS VPN with OpenVPN
OpenVPN is a VPN solution that implements layer 2 or layer 3 connections over the SSL/TLS protocol stack. Configuring an SSL/TLS VPN is a good idea and enhances the security of our communications, because the data is encrypted using a PKI (public/private key pairs) and is verified and authenticated. Some advantages of using OpenVPN are:
- No static IP address is needed for the server.
- The virtual interfaces used by the VPN can be filtered with iptables.
- Easy configuration.
- No problems with NAT: both the server and the client may sit in a LAN behind a router doing NAT.
- A single port is used for connectivity with the server, by default 1194/udp.
Basically we can configure OpenVPN in two ways:
- tun (layer 3): simulates a point-to-point connection using the IP protocol.
- tap (layer 2): simulates a virtual Ethernet adapter. This method can encapsulate protocols other than IP.
The method used in this post is tun, and the addressing configured here is:
- VPN client: LAN 192.168.0.0/24 -> NAT (public IP address)
- VPN server: (public IP address) -> LAN 172.20.0.0/16
- VPN network: 10.0.0.0/24
The objective is to create a VPN from the client to the VPN server, using the server's public IP address, in order to reach the LAN 172.20.0.0/16; for this we'll encapsulate the packets over the virtual network created by the VPN, 10.0.0.0/24.
OpenVPN server
- Install openvpn:
# apt-get install openvpn
- Copy the OpenVPN easy-rsa scripts to the OpenVPN default config directory:
# cp -rp /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa
- Update the variables used by the scripts to create the certificates with our own information:
# vi /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="ES"
export KEY_PROVINCE="BCN"
export KEY_CITY="Barcelona"
export KEY_ORG="opentodo.net"
export KEY_EMAIL="ivan@opentodo.net"
- Create a new CA to sign the certificates for the VPN:
# cd /etc/openvpn/easy-rsa/
# chmod +x vars
# source ./vars
# ./clean-all
# ./build-ca
- Generate a certificate and private key for the server:
# ./build-key-server opentodo-vpn
- Generate a certificate and private key for the vpn client:
# ./build-key vpn-client
- Generate Diffie-Hellman parameters:
# ./build-dh
- Copy the keys generated for the OpenVPN server to the directory /etc/openvpn/ (the easy-rsa scripts leave them in the keys/ subdirectory):
# cd /etc/openvpn/easy-rsa/keys/
# cp ca.key ca.crt dh1024.pem opentodo-vpn.crt opentodo-vpn.key /etc/openvpn/
- Configure the VPN server config file, starting from the sample file shipped with the package:
# cd /usr/share/doc/openvpn/examples/sample-config-files/
# gunzip server.conf.gz
# cp server.conf /etc/openvpn/
# vi /etc/openvpn/server.conf

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

dev tun

ca ca.crt
cert opentodo-vpn.crt
key opentodo-vpn.key
dh dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.0.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.0.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.0.0.0 255.255.255.0

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
push "route 172.20.0.0 255.255.0.0"

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade (the user/group
# directives of the sample file, not set here).
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
Basically, with this configuration we create the VPN on the virtual network 10.0.0.0/24 and, through the push route parameter, give the clients a route to the local network 172.20.0.0/16. The IP addresses assigned to the clients are saved in the file /etc/openvpn/ipp.txt.
- Enable routing:
# vi /etc/sysctl.conf
net.ipv4.ip_forward=1
# sysctl -p
- Start the OpenVPN daemon:
# /etc/init.d/openvpn start
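Once the daemon is up, the file written by the status directive tells you who is actually connected; the script below, an added example that is not part of the original post, joins its CLIENT LIST and ROUTING TABLE sections and flags any common name you did not issue a certificate to. It assumes the default status format (version 1); SAMPLE_STATUS is constructed for illustration, and on a live server you would feed in /etc/openvpn/openvpn-status.log instead.

```shell
#!/bin/sh
# Constructed sample of the file produced by "status openvpn-status.log"
# (OpenVPN status format version 1, the default for this config).
SAMPLE_STATUS='OpenVPN CLIENT LIST
Updated,Thu Jan 17 10:00:00 2013
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
vpn-client,203.0.113.5:41234,12345,67890,Thu Jan 17 09:55:00 2013
laptop2,198.51.100.7:51000,500,900,Thu Jan 17 09:58:00 2013
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.0.0.6,vpn-client,203.0.113.5:41234,Thu Jan 17 09:59:50 2013
10.0.0.10,laptop2,198.51.100.7:51000,Thu Jan 17 09:59:55 2013
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# Print "common_name virtual_ip real_address" for every connected client,
# reading the status file from stdin and joining both sections on the CN.
connected_clients() {
  awk -F, '
    /^OpenVPN CLIENT LIST/ { sec = "c"; next }
    /^ROUTING TABLE/       { sec = "r"; next }
    /^GLOBAL STATS/        { sec = "" }
    sec == "c" && NF == 5 && $1 != "Common Name"     { real[$1] = $2 }
    sec == "r" && NF == 4 && $1 != "Virtual Address" { vip[$2] = $1 }
    END { for (cn in real) print cn, ((cn in vip) ? vip[cn] : "-"), real[cn] }
  ' | sort
}

# Print the connected common names that are not in the allow-list given as
# arguments. Anything printed is a certificate signed by our CA that we did
# not expect to see in use and deserves a look.
unexpected_clients() {
  allowed=" $* "
  connected_clients | while read -r cn vip real; do
    case "$allowed" in *" $cn "*) ;; *) echo "$cn" ;; esac
  done
}

# Demo on the constructed sample; on a live server use:
#   unexpected_clients vpn-client < /etc/openvpn/openvpn-status.log
printf '%s\n' "$SAMPLE_STATUS" | connected_clients
printf '%s\n' "$SAMPLE_STATUS" | unexpected_clients vpn-client   # laptop2
```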
OpenVPN client
- Install openvpn:
# apt-get install openvpn
- Copy the CA certificate and the client's certificate and key from the server:
# scp root@vpn-server:/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/
# scp root@vpn-server:/etc/openvpn/easy-rsa/keys/vpn-client.crt /etc/openvpn/
# scp root@vpn-server:/etc/openvpn/easy-rsa/keys/vpn-client.key /etc/openvpn/
- Edit the client configuration with the names of the certificate and key files and the address of the server:
# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
# vi /etc/openvpn/client.conf

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote vpn-server 1194

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert vpn-client.crt
key vpn-client.key
- Start the OpenVPN daemon:
# /etc/init.d/openvpn start
- Check that the LAN behind the VPN server is reachable from the client:
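Before trusting a ping, it is worth confirming from the routing table that 172.20.0.0/16 really leaves through the tunnel and that everything else still uses the normal gateway; the script below does that longest-prefix lookup and is an added example, not part of the original post. SAMPLE_ROUTES is a constructed "ip route" listing for a client that received 10.0.0.6 with peer 10.0.0.5 (net30 topology, the default for this OpenVPN version); on a real client pipe in the output of "ip route" instead.

```shell
#!/bin/sh
# Constructed "ip route" output of a connected client (assumption: net30
# topology, client address 10.0.0.6, peer 10.0.0.5, pushed route to the LAN).
SAMPLE_ROUTES='default via 192.168.0.1 dev eth0
10.0.0.1 via 10.0.0.5 dev tun0
10.0.0.5 dev tun0 proto kernel scope link src 10.0.0.6
172.20.0.0/16 via 10.0.0.5 dev tun0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10'

# Print "device gateway" chosen for the IPv4 address in $1 by longest-prefix
# match over the route table read from stdin ("direct" = on-link, no gateway).
route_for() {
  awk -v ip="$1" '
    function toint(a,  p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
    BEGIN { best = -1 }
    NF >= 3 {
      dst = $1; plen = 32
      if (dst == "default") { dst = "0.0.0.0"; plen = 0 }
      else if (index(dst, "/")) { split(dst, d, "/"); dst = d[1]; plen = d[2] + 0 }
      # same network when both addresses agree on the top plen bits
      if (int(toint(ip) / 2^(32-plen)) == int(toint(dst) / 2^(32-plen)) && plen > best) {
        best = plen; dev = "?"; gw = "direct"
        for (i = 2; i < NF; i++) { if ($i == "dev") dev = $(i+1); if ($i == "via") gw = $(i+1) }
      }
    }
    END { if (best < 0) print "none"; else print dev, gw }'
}

# Succeed only if the destination in $1 is reached through a tun interface,
# i.e. inside the VPN rather than over the default gateway.
via_vpn() {
  case "$(route_for "$1")" in tun*) return 0 ;; *) return 1 ;; esac
}

# Demo on the constructed table; on a live client use:  ip route | via_vpn 172.20.0.1
printf '%s\n' "$SAMPLE_ROUTES" | route_for 172.20.1.10   # tun0 10.0.0.5
printf '%s\n' "$SAMPLE_ROUTES" | route_for 8.8.8.8       # eth0 192.168.0.1
```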
Sources
http://openvpn.net/index.php/open-source/documentation/howto.html#install
http://openvpn.net/index.php/open-source/documentation.html
Hi,
Is there any way to force client and server to use SSL instead of TLS from the beginning (authentication), because in Iran they filter us and analyse the packets?
thanks
Hey amir!! TLS is the successor of SSL, see the Wikipedia entry. Are you trying to configure a VPN server?
hi ivan, yes I configured the OpenVPN appliance on Windows Server 2008 R2 and VMware Workstation. It works on iPhone and iPad but didn't work on Windows and said TLS handshake error, and it is because of login authentication using TLS in Windows (I think). Is there any way to solve this problem?
It can be an error in the client's configuration file in the certificate entry, check it.