Setting up a OpenVPN server

From Alpine Linux

Revision as of 12:09, 2 June 2009

This article describes how to set up an OpenVPN server on the Alpine distro. It is aimed at giving remote users, typically a single computer each, a secure connection into your network over the Internet. For linking a remote site or office, Racoon/Opennhrp would be the better choice.

Setup Alpine

Initial Setup

Follow [1] on how to set up Alpine

Install programs

Install openvpn

apk_add openvpn

Prepare autostart of OpenVPN (the number is the start order; choose a value between 1 and 99)

rc_add -s 40 -k openvpn

Configure OpenVPN-server

Example configuration file for server [2]

(Instructions are based on openvpn.net/howto.html#server)

Test your configuration

Test the configuration and certificates by running the server in the foreground:

 openvpn --config /etc/openvpn/openvpn.conf

Watch the log for "Initialization Sequence Completed", then stop it with Ctrl-C before letting the init script start it.
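The HOWTO's example server config is only linked above. As an added example that is not from this page or from OpenVPN, the following shell snippet audits a server config for the privilege-drop, control-channel and revocation directives a reviewer would look for, and runs that check over two constructed configs: the bare minimum that brings a tunnel up, and the same with the extra directives. The directive list is this example's own choice; the /etc/openvpn/keys paths, the dh2048.pem file name and the ta.key (generated with `openvpn --genkey --secret ta.key`) are assumptions.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki or the OpenVPN HOWTO): flag the
# hardening directives missing from an OpenVPN server config.
# The WANTED list is this example's opinion, not an OpenVPN requirement.
set -eu

# Directives whose absence is worth flagging on a server (first word of a line).
WANTED="ca cert key dh tls-auth crl-verify user group persist-key persist-tun"

# Print each wanted directive that does not start a line in the config.
missing_hardening() {
  conf=$1
  for d in $WANTED; do
    grep -Eq "^[[:space:]]*$d([[:space:]]|\$)" "$conf" || printf '%s\n' "$d"
  done
}

# Number of missing directives, as a bare integer.
count_missing() { missing_hardening "$1" | wc -l | tr -d ' '; }

TMP=$(mktemp -d)   # assumption: scratch directory for the constructed configs

# Constructed: the bare minimum that brings a tunnel up.
cat > "$TMP/minimal.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
EOF

# Constructed: the same, with absolute key paths, an HMAC key on the control
# channel (tls-auth), the CRL from the revoke step, and the daemon dropped to
# nobody after start-up (persist-* keep the tun device and key across SIGUSR1).
cat > "$TMP/hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
crl-verify /etc/openvpn/keys/crl.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
verb 3
EOF

echo "minimal.conf is missing: $(missing_hardening "$TMP/minimal.conf" | tr '\n' ' ')"
echo "hardened.conf is missing $(count_missing "$TMP/hardened.conf") directive(s)"
```

Run it against your own file with `missing_hardening /etc/openvpn/openvpn.conf`. Note that `user nobody` only takes effect together with `persist-key` and `persist-tun`: without them the daemon can no longer re-read the key or reopen the tun device after a SIGUSR1 restart once privileges are dropped.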


Configure OpenVPN-client

(Instructions are based on openvpn.net/howto.html#client)


Manage Certificates

See Generating_SSL_certs_with_ACF for a web interface way to manage Certificates.


Save settings

Don't forget to save all your settings. lbu commits the changed files under /etc, so everything in /etc/openvpn/keys, including the CA's private key if the CA is kept on this box, is written to the medium as well; protect the floppy accordingly.

lbu ci floppy


Manual Certificate Commands

(Instructions is based on openvpn.net/howto.html#pki)

Initial setup for administrating certificates

The following instructions assume that you want to keep your configs, certs and keys in /etc/openvpn/keys.
Start by moving to the /usr/share/openvpn/easy-rsa folder to execute the commands

cd /usr/share/openvpn/easy-rsa

If not already done, create a folder to keep your certificates in and
save a copy of /usr/share/openvpn/easy-rsa/vars there for later use.
(All files in /usr/share/openvpn/easy-rsa are overwritten when the computer is restarted; only what lbu saves survives a reboot.)

mkdir /etc/openvpn/keys
cp ./vars /etc/openvpn/keys

If not already done, edit /etc/openvpn/keys/vars
(This file defines the paths and the other default settings used by the easy-rsa scripts)

vim /etc/openvpn/keys/vars
* Change KEY_DIR= from "$EASY_RSA/keys" to "/etc/openvpn/keys"
* Change KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to match your system.

Source the vars file so the settings take effect in the current shell (repeat this in every new shell before running the easy-rsa scripts)

source /etc/openvpn/keys/vars

Set up a 'Certificate Authority' (CA)

Clean up the keys folder.

./clean-all

Generate Diffie Hellman parameters

./build-dh

Now let's make the CA certificate and key (keep ca.key private; it signs every server and client certificate)

./build-ca

Set up an 'OpenVPN Server'

Create the server certificate (build-key-server, unlike build-key, marks the certificate as a server certificate, which lets clients refuse a client certificate posing as the server)

./build-key-server {commonname}

Set up an 'OpenVPN Client'

Create one client certificate per client, with a distinct common name for each

./build-key {commonname}

Revoke a certificate

To revoke a certificate...

./revoke-full {commonname}

The revoke-full script generates a CRL (certificate revocation list) file called crl.pem in the keys subdirectory (/etc/openvpn/keys with the vars settings above).
Copy it to a directory the OpenVPN server can read and enable CRL verification in the server configuration, giving the absolute path so the lookup does not depend on the directory the daemon was started from:
crl-verify /etc/openvpn/keys/crl.pem
Until this line is in place a revoked client can still connect. The server re-reads crl.pem when a client connects, so a fresh revocation takes effect without a restart. The CRL itself is only valid for the period set by default_crl_days in easy-rsa's openssl.cnf (30 days by default); regenerate it before then, either by revoking another certificate or by running the final openssl ca -gencrl step of revoke-full on its own, and copy the new file into place.
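The easy-rsa scripts in this section are wrappers around openssl. As an added example that is not part of this page or of easy-rsa, the following script performs the equivalent steps with openssl directly (CA, server and client certificates, revocation, CRL) in a scratch directory, and then applies the same check a server configured with crl-verify applies, so the effect of revoke-full can be seen without a running OpenVPN. The scratch directory, the 2048-bit RSA keys, the SHA-256 digest, the minimal openssl config and the names vpn-server, laptop and phone are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Alpine wiki or easy-rsa: what build-ca,
# build-key-server, build-key and revoke-full do under the hood, driven
# with openssl directly so the CRL check can be exercised offline.
set -eu

KEYS="${KEYS:-$(mktemp -d)}"   # assumption: throw-away key directory (real: /etc/openvpn/keys)

# Minimal openssl config standing in for easy-rsa's openssl.cnf.
pki_init() {
  mkdir -p "$KEYS"
  : > "$KEYS/index.txt"                      # the CA database
  echo 'unique_subject = yes' > "$KEYS/index.txt.attr"
  echo 01 > "$KEYS/serial"
  cat > "$KEYS/ca.cnf" <<EOF
[ ca ]
default_ca        = CA_default
[ CA_default ]
dir               = $KEYS
database          = $KEYS/index.txt
new_certs_dir     = $KEYS
serial            = $KEYS/serial
certificate       = $KEYS/ca.crt
private_key       = $KEYS/ca.key
default_md        = sha256
default_days      = 365
default_crl_days  = 30
policy            = policy_cn
[ policy_cn ]
commonName        = supplied
[ req ]
distinguished_name = req_dn
x509_extensions   = v3_ca
[ req_dn ]
commonName        = Common Name
[ v3_ca ]
basicConstraints  = critical, CA:TRUE
keyUsage          = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints  = CA:FALSE
keyUsage          = digitalSignature, keyEncipherment
extendedKeyUsage  = serverAuth
[ client ]
basicConstraints  = CA:FALSE
keyUsage          = digitalSignature
extendedKeyUsage  = clientAuth
EOF
}

# ./build-ca: self-signed CA, plus an initially empty CRL so crl-verify has a file.
build_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$KEYS/ca.cnf" \
    -subj "/CN=$1" -keyout "$KEYS/ca.key" -out "$KEYS/ca.crt" 2>/dev/null
  openssl ca -config "$KEYS/ca.cnf" -gencrl -out "$KEYS/crl.pem" 2>/dev/null
}

# ./build-key-server (role=server) / ./build-key (role=client): key + CSR, signed
# with that role's extensions. The extendedKeyUsage is what lets a client with
# "remote-cert-tls server" refuse a client certificate posing as the server.
build_key() {
  role=$1; name=$2
  openssl req -new -newkey rsa:2048 -nodes -config "$KEYS/ca.cnf" -subj "/CN=$name" \
    -keyout "$KEYS/$name.key" -out "$KEYS/$name.csr" 2>/dev/null
  openssl ca -batch -config "$KEYS/ca.cnf" -extensions "$role" \
    -in "$KEYS/$name.csr" -out "$KEYS/$name.crt" 2>/dev/null
}

# ./revoke-full: mark the certificate revoked in the database and reissue crl.pem.
revoke_full() {
  openssl ca -config "$KEYS/ca.cnf" -revoke "$KEYS/$1.crt" 2>/dev/null
  openssl ca -config "$KEYS/ca.cnf" -gencrl -out "$KEYS/crl.pem" 2>/dev/null
}

# The check a server with "crl-verify crl.pem" makes: chain to the CA and reject
# anything listed in the CRL. Returns 0 = accepted, 1 = rejected.
is_valid() {
  out=$(openssl verify -CAfile "$KEYS/ca.crt" -crl_check -CRLfile "$KEYS/crl.pem" \
        "$KEYS/$1.crt" 2>&1) || true
  case $out in *": OK") return 0 ;; *) return 1 ;; esac
}

# Which role a certificate was issued for, read from its extendedKeyUsage.
cert_role() {
  if openssl x509 -in "$KEYS/$1.crt" -noout -text | grep -q 'TLS Web Server Authentication'; then
    echo server
  elif openssl x509 -in "$KEYS/$1.crt" -noout -text | grep -q 'TLS Web Client Authentication'; then
    echo client
  else
    echo none
  fi
}

pki_init
build_ca "Example OpenVPN CA"
build_key server vpn-server
build_key client laptop
build_key client phone
revoke_full phone                     # the phone was lost: revoke its certificate
for n in vpn-server laptop phone; do
  if is_valid "$n"; then s=accepted; else s=rejected; fi
  echo "$n: role=$(cert_role "$n") $s"
done
```

The last `openssl ca -gencrl` call in revoke_full is the step to repeat on its own when the CRL's 30-day validity (default_crl_days) is about to run out and nothing has been revoked in the meantime; the server picks up the rewritten crl.pem on the next client connection.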