Setting up a OpenVPN server: Difference between revisions

From Alpine Linux
(corrected link)
Line 58: Line 58:
  resolv-retry infinite
  resolv-retry infinite
  nobind
  nobind
ns-cert-type server # This means that the certificate on the openvpn server needs to have this field. Prevents MitM attacks
  persist-key
  persist-key
  persist-tun
  persist-tun
Line 67: Line 68:


(''Instructions is based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')
(''Instructions is based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')


= Save settings =
= Save settings =

Revision as of 13:58, 9 June 2009

Setup Alpine

This article describes how to set up an OpenVPN server with the Alpine distro. This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, Racoon/Opennhrp would provide better functionality.

It is recommended that you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here:[1]

In the case that your Internet-connected machine doesn't have a static IP address, DynDNS can be used for resolving DNS names to IP addresses.

Initial Setup

Follow [2] to setup Alpine Linux.

Install programs

Install openvpn

apk_add openvpn

Prepare autostart of OpenVPN

rc_add -s 40 -k openvpn

Certificates

One of the first things that needs to be done is making sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: Generating_SSL_certs_with_ACF. It is a best practice to not have your certificate server be on the same machine as the router being used for remote connectivity.

Configure OpenVPN-server

Example configuration file for server:

local "Public Ip address"
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh1024.pem
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.0.0.1"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 3

(Instructions is based on openvpn.net/howto.html#server)

Test your configuration

Test configuration and certificates

 openvpn --config /etc/openvpn/openvpn.conf


Configure OpenVPN-client

Example client.conf:

client
dev tun
proto udp
 remote "public IP" 1194
resolv-retry infinite
nobind
ns-cert-type server # This means that the certificate on the openvpn server needs to have this field. Prevents MitM attacks
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3

(Instructions is based on openvpn.net/howto.html#client)

Save settings

Don't forget to save all your settings

lbu commit -v sdb1


Manual Certificate Commands

(Instructions is based on openvpn.net/howto.html#pki)

Initial setup for administrating certificates

The following instructions assume that you want to save your configs, certcs and keys in /etc/openvpn/keys.
Start by moving to the /usr/share/openvpn/easy-rsa folder to execute commands

cd /usr/share/openvpn/easy-rsa

If not already done then create a folder where you will save your certificates and
save a copy of your /usr/share/openvpn/easy-rsa/vars for later use.
(All files in /usr/share/openvpn/easy-rsa is overwritten when the computer is restarted)

mkdir /etc/openvpn/keys
cp ./vars /etc/openvpn/keys

If not already done then edit /etc/openvpn/keys/vars
(This file is used for defining paths and other standard settings)

vim /etc/openvpn/keys/vars
* Change KEY_DIR= from "$EASY_RSA/keys" to "/etc/openvpn/keys"
* Change KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to match your system.

source the vars to set properties

source /etc/openvpn/keys/vars
Set up a 'Certificate Authority' (CA)

Clean up the keys folder.

./clean-all

Generate Diffie Hellman parameters

./build-dh

Now lets make the CA certificates and keys

./build-ca
Set up a 'OpenVPN Server'

Create server certificates

./build-key-server {commonname}
Set up a 'OpenVPN Client'

Create client certificates

./build-key {commonname}
Revoke a certificate

To revoke a certificate...

./revoke-full {commonname}

The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory.
The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:
crl-verify crl.pem