Sunday, November 11, 2012

How to set up an OpenVPN server

OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).
OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or a username/password. In a multi-client server configuration the server operator issues a certificate to every client, signed by a certificate authority (CA) that the server trusts. It uses the OpenSSL library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.

In this tutorial we are going to set up an OpenVPN server on Debian Linux.

1. Installation and Configuration

1.1 OpenVPN Installation
root@openvpnserver:~# apt-get update 
root@openvpnserver:~# apt-get install openvpn

1.2 Preparing to generate the keys
Copy the 'easy-rsa' scripts that OpenVPN ships for building a certificate authority and signing certificates. The copy keeps the 2.0 subdirectory, which is where the rest of this tutorial works.
root@openvpnserver:~# mkdir -p /etc/openvpn/easy-rsa 
root@openvpnserver:~# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa/ 
Now edit the vars file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL parameters. Don't leave any of these parameters blank. The same file sets KEY_SIZE=1024, the easy-rsa 2.0 default; 1024-bit RSA keys and Diffie-Hellman parameters are no longer considered adequate, so raise it to 2048 for a new deployment. Note that build-dh names its output after the size, so with KEY_SIZE=2048 the file is dh2048.pem instead of dh1024.pem and the dh line in server.conf must be changed to match; the file names shown below are the ones the default setting produces.
root@openvpnserver:~# cd /etc/openvpn/easy-rsa/2.0/ 
root@openvpnserver:/etc/openvpn/easy-rsa/2.0# nano vars 
# These are the default values for fields 
# which will be placed in the certificate. 
# Don't leave any of these fields blank. 
export KEY_COUNTRY="CY" 
export KEY_PROVINCE="YourProvince" 
export KEY_CITY="YourCity" 
export KEY_ORG="YourOrganization" 
export KEY_EMAIL="Your_Email" 

Create the CA certificate and key (the CA key, ca.key, signs every other certificate; guard it accordingly):
root@openvpnserver:/etc/openvpn/easy-rsa/2.0# source ./vars 
root@openvpnserver:/etc/openvpn/easy-rsa/2.0# ./clean-all 
root@openvpnserver:/etc/openvpn/easy-rsa/2.0# ./build-ca
Create the server certificate and key. Answer y when asked to sign and to commit the certificate.
root@openvpnserver:/etc/openvpn/easy-rsa/2.0# ./build-key-server serverName 
Create the client certificate and key. Repeat this step with a different name for every client; do not share one certificate between clients, or you lose the ability to revoke a single client.
root@openvpnserver:/etc/openvpn/easy-rsa/2.0# ./build-key clientName
At this step you have to build the Diffie-Hellman parameters, which are used for the key exchange between client and server. This may take a few minutes.
root@openvpnserver:/etc/openvpn/easy-rsa/2.0# ./build-dh 
All keys are now built and located in /etc/openvpn/easy-rsa/2.0/keys/:
ca.key ca.crt serverName.key serverName.crt clientName.key clientName.crt dh1024.pem
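Before copying anything, it is worth checking what easy-rsa produced. The script below is an added example, not part of the original tutorial or of easy-rsa. It verifies that the server and client certificates chain to ca.crt, that only the server certificate carries the server extension (nsCertType=server and extendedKeyUsage=serverAuth, which build-key-server adds and which a client checks when ns-cert-type server is enabled), and that every private key is readable by its owner only. The keys directory and the names serverName and clientName are the tutorial's; openssl and stat are assumed to be installed.

```bash
#!/bin/sh
# Added example (not from the tutorial): sanity-check easy-rsa output before it
# is copied to /etc/openvpn. Assumes openssl(1) and stat(1) are installed.

# Succeed if the certificate $2 is signed by the CA certificate in $1.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed if the certificate $1 is marked as a server certificate: easy-rsa's
# build-key-server adds nsCertType=server (shown as "SSL Server") and
# extendedKeyUsage=serverAuth (shown as "TLS Web Server Authentication").
is_server_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -Eq 'SSL Server|TLS Web Server Authentication'
}

# Succeed if the file $1 is readable by its owner only (mode 0600 or 0400).
key_is_private() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Run every check against the keys directory $1 for the server name $2 and the
# client name $3. Prints one PASS/FAIL line per check and returns the number of
# failures, so a zero exit status means the PKI is ready to deploy.
check_pki() {
    local dir=$1 server=$2 client=$3 fails=0 f
    for f in "$server" "$client"; do
        if check_chain "$dir/ca.crt" "$dir/$f.crt"; then
            echo "PASS $f.crt is signed by ca.crt"
        else
            echo "FAIL $f.crt is not signed by ca.crt"; fails=$((fails + 1))
        fi
    done
    if is_server_cert "$dir/$server.crt"; then
        echo "PASS $server.crt carries the server extension"
    else
        echo "FAIL $server.crt lacks nsCertType=server / serverAuth"; fails=$((fails + 1))
    fi
    # A client certificate with the server extension could impersonate the
    # server towards every client that relies on ns-cert-type server.
    if is_server_cert "$dir/$client.crt"; then
        echo "FAIL $client.crt is marked as a server certificate"; fails=$((fails + 1))
    else
        echo "PASS $client.crt is not a server certificate"
    fi
    for f in ca.key "$server.key" "$client.key"; do
        if key_is_private "$dir/$f"; then
            echo "PASS $f is readable by its owner only"
        else
            echo "FAIL $f is readable by others (fix with chmod 600)"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Usage: sh check_pki.sh /etc/openvpn/easy-rsa/2.0/keys serverName clientName
if [ "$#" -eq 3 ]; then
    check_pki "$1" "$2" "$3"
fi
```

Run it with the keys directory and the two names as arguments; any FAIL line means the files should not be deployed yet. The same checks apply to every additional client certificate you build later.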

In the last step, copy the files the server needs to /etc/openvpn/. Do not copy ca.key: the server only needs ca.crt to verify clients, and anyone who obtains the CA private key can sign certificates that the server will accept. Leave ca.key in the keys directory, or better, move it to an offline machine, and keep serverName.key readable by root only (mode 0600).
root@openvpnserver:/etc/openvpn/easy-rsa/2.0# cd keys/
root@openvpnserver:/etc/openvpn/easy-rsa/2.0/keys# cp ca.crt serverName.crt serverName.key dh1024.pem /etc/openvpn 

1.3 Client and Server Configuration
Configure the Client
Copy and modify the configuration file for client.
root@openvpnserver:/etc/openvpn/easy-rsa/2.0/keys# cd ~/
root@openvpnserver:~# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/ 
root@openvpnserver:~# nano client.conf
Locate the line remote my-server-1 1194 and replace my-server-1 with the server's public IP address.
*1194 is the default port for OpenVPN

Locate the following lines.
cert client.crt 
key client.key
and replace "client" with your client name.
In this example
cert clientName.crt 
key clientName.key 
Also uncomment the line ;ns-cert-type server in the same file. Without it the client accepts any certificate signed by your CA as the server, so a stolen client certificate and key could be used to impersonate the VPN server; with it the client only accepts a certificate carrying the server extension that build-key-server adds.
Configure the Server
Copy, extract and modify the configuration file for server.
root@openvpnserver:~# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ 
root@openvpnserver:~# cd /etc/openvpn/ 
root@openvpnserver:/etc/openvpn# gunzip -d server.conf.gz 
root@openvpnserver:/etc/openvpn# nano server.conf 
Locate the following lines.
cert server.crt 
key server.key 
and replace "server" with your server name.
In this example
cert serverName.crt 
key serverName.key
While you are in the file, also uncomment ;user nobody and ;group nogroup so that the daemon drops its root privileges once it has opened the tun device and read its keys; persist-key and persist-tun, which are already enabled in the sample file, are what let it survive a restart of the tunnel after dropping them.

Routing all client traffic through the VPN.
Add the following lines at the end of the server configuration file. The first makes clients send all their traffic through the tunnel; the second tells them which DNS server to use, and that address must be reachable through the tunnel, otherwise every lookup leaks to the client's local resolver. In this tutorial it is the address dnsmasq will listen on (section 3): the server's own tun address, which is the first host address of the subnet given by the server directive in server.conf (10.8.0.1 for the sample file's server 10.8.0.0 255.255.255.0).
push "redirect-gateway def1"
push "dhcp-option DNS <VPN gateway IP>"

Also, if you want to keep a log file, add this line at the end of the server configuration file.
log /var/log/openvpn.log

You must copy the following configuration, certificate and key files to the client system using SCP or SFTP.

Copy the certificate and key files from the /etc/openvpn/easy-rsa/2.0/keys directory. Only ca.crt, the client's own certificate and the client's own key go to the client; never copy ca.key or the server key anywhere.
ca.crt clientName.crt clientName.key

In this example we copy these files from the client machine using Secure Copy (SCP); SERVER_IP stands for the server's public address. Once copied, keep clientName.key readable by your user only (mode 0600).
petros@petrosandreou:~$ mkdir openvpn_files
petros@petrosandreou:~$ scp root@SERVER_IP:/etc/openvpn/easy-rsa/2.0/keys/\{ca.crt,clientName.crt,clientName.key\} /home/petros/openvpn_files/
Copy the client configuration file from the /root/ directory.
petros@petrosandreou:~$ scp root@SERVER_IP:/root/client.conf /home/petros/openvpn_files/

2. Enable IP Forwarding and Configure iptables

2.1 Enable IP Forwarding
Edit /etc/sysctl.conf and uncomment (or add) the following line so that the system forwards IPv4 traffic after every reboot.
net.ipv4.ip_forward = 1 
Enable IP forwarding immediately, without rebooting.
root@openvpnserver:~# echo 1 > /proc/sys/net/ipv4/ip_forward 

2.2 Configure iptables
Now add the following iptables rules. In each rule replace <VPN subnet> with the network assigned by the server directive in server.conf (10.8.0.0/24 for the sample file) and eth0 with the interface that carries your public address. The FORWARD rules let VPN clients open connections out, allow the replies back in and reject everything else; the POSTROUTING rule masquerades client traffic behind the server's public address.
root@openvpnserver:~# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
root@openvpnserver:~# iptables -A FORWARD -s <VPN subnet> -j ACCEPT 
root@openvpnserver:~# iptables -A FORWARD -j REJECT 
root@openvpnserver:~# iptables -t nat -A POSTROUTING -s <VPN subnet> -o eth0 -j MASQUERADE 
These rules live only in kernel memory and are lost at reboot, so before you move on, insert them into /etc/rc.local, above the final exit 0 line, to ensure that they are recreated at the next boot. The INPUT rule admits OpenVPN's UDP port; it only matters if your INPUT chain policy is DROP, and is harmless otherwise.
iptables -A INPUT -p udp --dport 1194 -j ACCEPT 
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -A FORWARD -s <VPN subnet> -j ACCEPT 
iptables -A FORWARD -j REJECT 
iptables -t nat -A POSTROUTING -s <VPN subnet> -o eth0 -j MASQUERADE 

3. Dnsmasq

3.1 About Dnsmasq
Dnsmasq is a lightweight server designed to provide DNS, DHCP and TFTP services to a small-scale network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-allocated addresses to appear in the DNS with names configured either in each host or in a central configuration file. Dnsmasq supports static and dynamic DHCP leases and BOOTP for network booting of diskless machines.
The developers of dnsmasq targeted home networks using NAT and connected to the Internet via a modem, cable-modem or ADSL connection. But the system would function well in any small network where low resource-use and ease of configuration are important.

3.2 Install Dnsmasq
root@openvpnserver:~# apt-get install dnsmasq 
After the installation completes, edit /etc/dnsmasq.conf so that dnsmasq does not listen on the public interface: an open resolver on a public address can be abused for DNS amplification attacks. Find and uncomment the following two lines, filling in the address.
listen-address=127.0.0.1,<VPN gateway IP>
bind-interfaces
Here <VPN gateway IP> is the address of the OpenVPN tun device on the server, the first host address of the subnet from the server directive in server.conf (10.8.0.1 for the sample file), which is the same address pushed to clients with dhcp-option DNS in section 1.3. This configures dnsmasq to listen only on localhost and on the VPN gateway address.
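Three places in this tutorial must agree on the VPN subnet: the dhcp-option DNS address pushed in section 1.3, the -s source match in the iptables rules of section 2.2, and the listen-address above. The script below is an added example, not part of the original tutorial or of OpenVPN: it derives all of them from the single server NETWORK NETMASK directive in server.conf, so that changing the subnet in one place cannot leave the others stale. For the sample file's server 10.8.0.0 255.255.255.0 it prints 10.8.0.0/24 and 10.8.0.1; the interface name eth0 is the tutorial's assumption and can be overridden with the second argument.

```bash
#!/bin/sh
# Added example (not from the tutorial): derive every value that depends on the
# VPN subnet from the `server NETWORK NETMASK` directive in server.conf, so the
# pushed DNS address, the iptables source match and the dnsmasq listen-address
# cannot drift apart. IPv4 only; the `server` form is the one the sample
# server.conf uses.

# Print the prefix length of a dotted-quad netmask (255.255.255.0 -> 24).
# Fails on a non-contiguous mask such as 255.0.255.0 instead of guessing.
mask_to_prefix() {
    local mask=$1 bits=0 ended=0 octet
    local IFS=.
    for octet in $mask; do
        if [ "$ended" -eq 1 ] && [ "$octet" != 0 ]; then
            echo "non-contiguous netmask: $mask" >&2; return 1
        fi
        case $octet in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); ended=1 ;;
            252) bits=$((bits + 6)); ended=1 ;;
            248) bits=$((bits + 5)); ended=1 ;;
            240) bits=$((bits + 4)); ended=1 ;;
            224) bits=$((bits + 3)); ended=1 ;;
            192) bits=$((bits + 2)); ended=1 ;;
            128) bits=$((bits + 1)); ended=1 ;;
            0)   ended=1 ;;
            *)   echo "invalid netmask octet: $octet" >&2; return 1 ;;
        esac
    done
    echo "$bits"
}

# Print the address OpenVPN gives the server's tun device: the first host
# address of the VPN network (10.8.0.0 -> 10.8.0.1).
gateway_of() {
    local IFS=.
    set -- $1
    echo "$1.$2.$3.$(($4 + 1))"
}

# Read the first active `server NETWORK NETMASK` line from the server.conf
# given as $1 and print the derived settings as NAME=VALUE lines. $2 is the
# public interface for the MASQUERADE rule (default eth0, as in the tutorial).
vpn_values() {
    local conf=$1 iface=${2:-eth0} line net mask prefix gw
    line=$(grep -E '^server[[:space:]]+' "$conf" | head -n 1)
    if [ -z "$line" ]; then
        echo "no 'server NETWORK NETMASK' directive in $conf" >&2; return 1
    fi
    set -- $line
    net=$2; mask=$3
    prefix=$(mask_to_prefix "$mask") || return 1
    gw=$(gateway_of "$net")
    echo "VPN_SUBNET=$net/$prefix"
    echo "VPN_GATEWAY=$gw"
    echo "PUSH_DNS=push \"dhcp-option DNS $gw\""
    echo "DNSMASQ_LISTEN=listen-address=127.0.0.1,$gw"
    echo "IPTABLES_FORWARD=iptables -A FORWARD -s $net/$prefix -j ACCEPT"
    echo "IPTABLES_NAT=iptables -t nat -A POSTROUTING -s $net/$prefix -o $iface -j MASQUERADE"
}

# Usage: sh vpn_values.sh /etc/openvpn/server.conf eth0
if [ "$#" -ge 1 ]; then
    vpn_values "$@"
fi
```

Run it against /etc/openvpn/server.conf and paste the printed lines into the respective files. A missing server line or a non-contiguous netmask makes it fail loudly rather than emit a wrong rule, which matters here because a wrong -s match silently turns the FORWARD REJECT into a block of all client traffic, or the reverse.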

With bind-interfaces, dnsmasq can only bind the VPN gateway address once OpenVPN has created the tun device, so it must be restarted after OpenVPN has come up. To ensure this at boot, modify /etc/rc.local: by adding the following line below the iptables rules, dnsmasq is restarted after all the init scripts have finished.
root@openvpnserver:~# nano /etc/rc.local

/etc/init.d/dnsmasq restart
exit 0

Now, before attempting to connect to the VPN, restart the OpenVPN server and dnsmasq by issuing the following commands.
root@openvpnserver:~# /etc/init.d/openvpn restart 
root@openvpnserver:~# /etc/init.d/dnsmasq restart 
4. Connect to OpenVPN server

4.1 Linux
petros@petrosandreou:~$ sudo apt-get install openvpn 
petros@petrosandreou:~$ cd /home/path/to/openvpn/files/ 
At this example
petros@petrosandreou:~$ cd /home/username/openvpn_files/ 
petros@petrosandreou:~$ sudo openvpn --config client.conf

4.2 Windows
On Windows you can use OpenVPN GUI.
After downloading and installing it, move all required files (ca.crt, clientName.crt, clientName.key, client.conf) to "C:\Program Files\openvpn\config\" and rename client.conf to client.ovpn.
Then you can connect to the VPN from the OpenVPN GUI tray icon.

© Created by Petros Andreou
