openvpn is a vpn solution that implements connections for the layer 2 or 3, using the SSL/TLS protocol stack. Configuring a vpn SSL/TLS is a good idea and enhance the security of our communications due to the data cipher using the pki infraestructure (pair public/private key) and the verification and authentication of the data. Some advantages of the use openvpn are:

  • Not necessary a static ip address for the server.
  • The virtual interfaces used by the vpn may be filtered by iptables.
  • Easy configuration.
  • No problems with NAT, the server and the client may be in a LAN with a router using NAT.
  • A single port used for the connectivity with the server, by default use 1194/udp.

Basically we can configure openvpn of two ways:

  • tun (layer 3): simulate a point to point connection using IP protocol.
  • tap (layer 2): simulate a virtual ethernet adapter. This method may encapsulate other protocols different than IP.

The method used in this post is tun, and the addressing configured here is:

– VPN client: LAN: 192.168.0.0/24 –> NAT (public IP address)

– VPN server: (public ip address) –> LAN 172.20.0.0/16

– VPN network: 10.0.0.0/24

The objective is create a vpn from the client to the vpn server using his public ip address to connect for the LAN 172.20.0.0/16, for this we’ll encapsulate the packages using the virtual network created by the vpn 10.0.0.0/24.

OpenVPNFlows

OpenVPN server

– Install openvpn:

# apt-get install openvpn

– Copying openvpn easy rsa scripts to the openvpn default config directory:

# cp -rp /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa

– Update the variables used by the scripts to create the certificates with our own information:

# vi /etc/openvpn/easy-rsa/vars

export KEY_COUNTRY="ES"
export KEY_PROVINCE="BCN"
export KEY_CITY="Barcelona"
export KEY_ORG="opentodo.net"
export KEY_EMAIL="[email protected]"

– Create a new CA to sign the new certificates for the vpn:

# cd /etc/openvpn/easy-rsa/
# chmod +x vars
# source ./vars
# ./clean-all
# ./build-ca

– Generate a certificate and private key for the server:

# ./build-key-server opentodo-vpn

– Generate a certificate and private key for the vpn client:

# ./build-key vpn-client

– Generate diffie hellman parameters:

# ./build-dh

– Copying the keys generated for the openvpn server to the directory /etc/openvpn/:

# cp ca.key ca.crt dh1024.pem opentodo-vpn.crt opentodo-vpn.key /etc/openvpn/

– Configuring the vpn server config file:

# cd /usr/share/doc/openvpn/examples/sample-config-files/
# gunzip server.conf.gz
# cp server.conf /etc/openvpn/

 

# vi /etc/openvpn/server.conf

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
;proto tcp
proto udp
dev tun
ca ca.crt
cert opentodo-vpn.crt
key opentodo-vpn.key
dh dh1024.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.0.0.0 255.255.255.0
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
push "route 172.20.0.0 255.255.0.0"
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

Basically with this configuration we create the vpn with the virtual network 10.0.0.0/24 and route to the local network 172.20.0.0/16 for the clients, setting up the parameter push route. The ip address provided to the clients are saved in the file /etc/openvpn/ipp.txt.

– Enabling routing:

# vi /etc/sysctl.conf

net.ipv4.ip_forward=1

# sysctl -p

– Starting openvpn daemon:

# /etc/init.d/openvpn start

OpenVPN client

– Install openvpn:

# apt-get install openvpn

– Copying the key and certificates for the client:

# scp [email protected]:/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/
# scp [email protected]:/etc/openvpn/easy-rsa/keys/vpn-client.crt /etc/openvpn/
# scp [email protected]:/etc/openvpn/easy-rsa/keys/vpn-client.key /etc/openvpn/

– Edit the configuration for the client with the name of the certificates, key and the ip address of the server:

# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
# vi /etc/openvpn/client.conf

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote vpn-server 1194

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert vpn-client.crt
key vpn-client.key

– Starting openvpn daemon:

# /etc/init.d/openvpn start

– Checking if the LAN of the remote vpn is accessible by the client:

vpn-client

Sources

http://openvpn.net/index.php/open-source/documentation/howto.html#install
http://openvpn.net/index.php/open-source/documentation.html

Configuring a SSL/TLS VPN with OpenVPN
Tagged on:         

5 thoughts on “Configuring a SSL/TLS VPN with OpenVPN

  • April 13, 2013 at 13:52
    Permalink

    Hi,
    Is there any way to force client and server to use SSL instead of TLS from the beginning (authentication) , because in iran they filter us and analyse the packets?
    thanks

    Reply
    • April 14, 2013 at 19:34
      Permalink

      Hey amir!! TLS is the successor of SSL see the wikipedia entry Do you try to configure a vpn server?

      Reply
      • April 14, 2013 at 19:46
        Permalink

        hi ivan, yes i configured open vpn appliance on windows server 2008 r2 and vmware workstation , it work on iphone and ipad but did’t work on windows and said TLS handshake error and it is because of login authentication using TLS in windows (I think)
        , is there any way to solve this problem?

        Reply
        • April 18, 2013 at 18:41
          Permalink

          It can be error from the configuration file of the client for the certificate entry, check it

          Reply

Leave a Reply

Follow

Get every new post delivered to your Inbox

Join other followers: