Difference between revisions of "Setting up a OpenVPN server"

From Alpine Linux
m (Configure OpenVPN-client: Cosmetic fix on example config)
(Clean up, I don't understand naming of cert files)
Revision as of 19:08, 5 August 2009

This article describes how to set up an OpenVPN server with the Alpine distro. This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, Racoon/Opennhrp would provide better functionality.

The server must be reachable from the Internet, so it should have a publicly routable, preferably static, IP address. Addresses in the private ranges described on Wikipedia (10/8, 172.16/12, 192.168/16) are not reachable from outside; if the server sits behind such an address, your Internet-facing router has to forward UDP port 1194 to it.

If your Internet-connected machine doesn't have a static IP address, DynDNS can be used for resolving DNS names to IP addresses.

Setup Alpine

Initial Setup

Follow Installing_Alpine to set up Alpine Linux.

Install programs

Install openvpn

apk_add openvpn

Prepare autostart of OpenVPN and load the tun driver

rc_add -s 40 -k openvpn            # for alpine 1.8
rc-update add openvpn              # for alpine 1.9
modprobe tun                       # load the driver now
echo "tun" >>/etc/modules          # and at every boot

Certificates

One of the first things that needs to be done is to make sure that you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: Generating_SSL_certs_with_ACF. It is a best practice not to have your certificate server be on the same machine as the router being used for remote connectivity.

If you are setting up a client and were handed a single .pfx (PKCS#12) bundle instead of separate files, split it with the following commands (each one prompts for the bundle's import password):

To get the CA cert out...

openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem

To get the client cert out...

openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem

To get the private key out. -nodes writes it unencrypted, so make sure it stays private: keep it mode 0600 and never copy it anywhere but the client that uses it...

openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem

If you would prefer to generate your certificates using OpenVPN utilities, see #Alternative Certificate Method

Configure OpenVPN-server

Example configuration file for server (the file names given to ca, cert, key and dh must match what your CA actually produced):

local "Public Ip address"          # address to listen on; omit to listen on all interfaces
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key                     # the server's private key; keep it secret (mode 0600)
dh dh2048.pem                      # generate by hand: openssl dhparam -out dh2048.pem 2048 (1024-bit parameters are too weak)
server 10.0.0.0 255.255.255.0      # VPN subnet; clients are given addresses from it
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"    # network(s) behind the server that clients should reach
push "dhcp-option DNS 10.0.0.1"
keepalive 10 120
comp-lzo
user nobody                        # drop root privileges after startup...
group nobody
persist-key                        # ...and keep key and tun device open so restarts still work
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

> These cert files don't match those listed above

(Instructions are based on openvpn.net/howto.html#server)

Test your configuration

Test configuration and certificates

 openvpn --config /etc/openvpn/openvpn.conf
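Before starting the daemon it is worth checking the config file for the mistakes it either refuses to start on or silently tolerates. The following pre-flight lint is an added example written for this page; it is not part of the wiki article or of OpenVPN itself, and it needs only POSIX sh and awk. The two sample configs it writes are constructed here: the server one is built from the directives of the server example above but deliberately leaves out the key directive, a common mistake the daemon refuses to start on, and the client one follows the client example.

```shell
#!/bin/sh
# Pre-flight lint for an OpenVPN 2.x config file. Added example for this page; it is not
# part of the wiki article or of OpenVPN itself, and needs only POSIX sh and awk.

# first_arg FILE DIRECTIVE: print the first argument of DIRECTIVE, or nothing if absent.
first_arg() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# has FILE DIRECTIVE: succeed if DIRECTIVE appears as the first word of some line.
has() {
    awk -v d="$2" '$1 == d { f = 1 } END { exit !f }' "$1"
}

# lint_conf FILE: print one finding per line; nothing printed means nothing found.
lint_conf() {
    c=$1
    if has "$c" cert && ! has "$c" key; then
        echo "cert is set but key is not: the daemon has no private key and will not start"
    fi
    if has "$c" server || has "$c" tls-server; then
        has "$c" dh || echo "server mode without dh: the TLS handshake needs Diffie-Hellman parameters"
        case "$(first_arg "$c" dh)" in
            *1024*) echo "dh file name suggests 1024-bit parameters; generate 2048-bit ones" ;;
        esac
        has "$c" user  || echo "no user directive: openvpn keeps running as root after startup"
        has "$c" group || echo "no group directive: openvpn keeps its root group after startup"
    fi
    if has "$c" client || has "$c" tls-client; then
        if ! has "$c" ns-cert-type && ! has "$c" remote-cert-tls; then
            echo "peer cert type is never checked: any client cert from the same CA could pose as the server"
        fi
        if has "$c" ns-cert-type; then
            echo "ns-cert-type is deprecated since OpenVPN 2.4; use 'remote-cert-tls server'"
        fi
    fi
    if has "$c" user && ! has "$c" persist-key; then
        echo "user without persist-key: keys cannot be re-read after privileges drop, so SIGUSR1 restarts fail"
    fi
    return 0
}

# count_findings FILE: the number of findings, for use in scripts.
count_findings() {
    lint_conf "$1" | wc -l | tr -d ' '
}

# write_samples DIR: two constructed configs. server.conf uses the directives of the server
# example above but leaves out 'key'; client.conf follows the client example.
write_samples() {
    cat >"$1/server.conf" <<'EOF'
local "Public Ip address"
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh1024.pem #to generate by hand #openssl dhparam -out dh1024.pem 1024
server 10.0.0.0 255.255.255.0
push "route 10.0.0.0 255.0.0.0"
user nobody
group nobody
persist-key
persist-tun
EOF
    cat >"$1/client.conf" <<'EOF'
client
dev tun
proto udp
remote "public IP" 1194
ns-cert-type server # Prevents MitM attacks
ca ca.crt
cert client.crt
key client.key
EOF
}

# Demo run on the constructed samples; on a real box: lint_conf /etc/openvpn/openvpn.conf
tmp=$(mktemp -d) && write_samples "$tmp"
for f in "$tmp/server.conf" "$tmp/client.conf"; do echo "== $f"; lint_conf "$f"; done
rm -rf "$tmp"
```

The dh check is a file-name heuristic only; the authoritative check is `openssl dhparam -in dh2048.pem -noout -text`, which prints the real parameter size.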

Configure OpenVPN-client

Example client.conf:

client
dev tun
proto udp
remote "public IP" 1194
resolv-retry infinite
nobind
ns-cert-type server # Only accept a server cert that carries nsCertType=server (easy-rsa's build-key-server sets it); stops a client cert from being used to impersonate the server (MitM). OpenVPN 2.1 and later also offer 'remote-cert-tls server', which is the preferred form
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3

> These cert files don't match those listed above

(Instructions are based on openvpn.net/howto.html#client)

Save settings

Don't forget to save your settings, or they are lost at the next reboot:

lbu commit

Alternative Certificate Method

Manual Certificate Commands

(Instructions are based on openvpn.net/howto.html#pki)

Initial setup for administrating certificates

The following instructions assume that you want to save your configs, certs and keys in /etc/openvpn/keys.
Start by moving to the /usr/share/openvpn/easy-rsa folder to execute commands

cd /usr/share/openvpn/easy-rsa

If you have not already done so, create a folder where you will save your certificates and save a copy of your /usr/share/openvpn/easy-rsa/vars for later use.
(All files in /usr/share/openvpn/easy-rsa are overwritten when the computer is restarted)

mkdir /etc/openvpn/keys
cp ./vars /etc/openvpn/keys

If you have not already done so, edit /etc/openvpn/keys/vars
(This file defines the paths and the default values used by the easy-rsa scripts)

vim /etc/openvpn/keys/vars
* Change KEY_DIR= from "$EASY_RSA/keys" to "/etc/openvpn/keys"
* Change KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to match your system.

Source the vars file to load its settings into the current shell

source /etc/openvpn/keys/vars

Set up a 'Certificate Authority' (CA)

Clean up the keys folder.

./clean-all

Generate Diffie Hellman parameters

./build-dh

Now let's make the CA certificate and key

./build-ca

Set up an 'OpenVPN Server'

Create server certificates

./build-key-server {commonname}

Set up an 'OpenVPN Client'

Create client certificates

./build-key {commonname}

Revoke a certificate

To revoke a certificate...

./revoke-full {commonname}

The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory.
The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:
crl-verify crl.pem
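The following is an added, self-contained walk-through of the certificate handling in this article: splitting a .pfx bundle into the three files the Certificates section describes, checking that the extracted key really belongs to the extracted cert, checking that a cert carries the server marking the client's ns-cert-type line insists on, and finally what revoke-full does underneath and what the server's crl-verify decision then looks like. It is example code written for this page, not the article's procedure and not part of easy-rsa: it drives openssl(1) directly, and every name in it (the scratch directory, the CN values demo-ca, vpn.example and alice, the .pfx password 'demo', the minimal ca.cnf) is made up here. Nothing touches /etc/openvpn.

```shell
#!/bin/sh
# Worked PKI example for the Certificates and Revoke a certificate sections. Added for this
# page; it is not the article's procedure and drives openssl(1) directly instead of the
# easy-rsa wrappers. All names, CNs and the .pfx password 'demo' are constructed here.

# make_demo_pki DIR: a CA, a server cert marked as a server, a client cert, and a client .pfx.
make_demo_pki() {
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=demo-ca \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # nsCertType=server is what the client's 'ns-cert-type server' looks for;
    # extendedKeyUsage=serverAuth is what the newer 'remote-cert-tls server' looks for.
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\n' >"$d/server.ext"
    openssl req -newkey rsa:2048 -nodes -subj /CN=vpn.example \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null
    # A client cert gets no server marking, so a stolen one cannot pose as the server.
    openssl req -newkey rsa:2048 -nodes -subj /CN=alice \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/client.crt" 2>/dev/null
    # The single bundle a user may be handed instead of three separate files.
    openssl pkcs12 -export -passout pass:demo -inkey "$d/client.key" -in "$d/client.crt" \
        -certfile "$d/ca.crt" -out "$d/client.pfx"
}

# pem_only: drop the 'Bag Attributes' preamble openssl pkcs12 prints before each PEM block.
pem_only() { sed -n '/^-----BEGIN/,/^-----END/p'; }

# split_pfx PFX PASSWORD OUTDIR: the three extraction commands from the Certificates section.
split_pfx() {
    mkdir -p "$3"
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys | pem_only >"$3/ca.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys | pem_only >"$3/cert.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes  | pem_only >"$3/key.pem"
    chmod 600 "$3/key.pem"      # -nodes wrote it unencrypted; nobody else gets to read it
}

# key_matches_cert KEY CERT: the public key inside CERT must be the one derived from KEY.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# is_server_cert CERT: does it carry the server marking the client config insists on?
is_server_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'TLS Web Server Authentication'
}

# cert_accepted CA CERT [CRL]: the decision the server makes with 'ca' alone, or with
# 'crl-verify' as well when a CRL is given.
cert_accepted() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -crl_check -CRLfile "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# revoke_cert DIR CERT: what revoke-full does underneath: record the cert as revoked in the
# CA database and emit crl.pem for the server's 'crl-verify crl.pem' line. The ca.cnf is the
# bare minimum openssl ca needs; with easy-rsa its own openssl.cnf and keys/index.txt do this.
revoke_cert() {
    d=$1
    touch "$d/index.txt"
    cat >"$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $d/index.txt
certificate      = $d/ca.crt
private_key      = $d/ca.key
default_md       = sha256
default_crl_days = 30
EOF
    openssl ca -config "$d/ca.cnf" -revoke "$2" >/dev/null 2>&1
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" >/dev/null 2>&1
}
```

The check functions print nothing and answer with their exit status, so they drop straight into a deployment script: `key_matches_cert key.pem cert.pem || exit 1` before copying files to a client, `is_server_cert server.crt` before trusting a cert that was not issued with build-key-server, and `cert_accepted ca.crt client.crt crl.pem` to confirm that a revocation has actually taken effect before relying on it. After revoke_cert, the freshly generated crl.pem has to be copied next to the server config, exactly as the section above says.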