Debian: SSL OpenVPN Server

From ReceptiveIT

Overview

OpenVPN is a good choice for a road warrior (remote access from laptops on untrusted networks).

Installation

On a Debian box, simply type

apt-get install openvpn

Configuration

Server

server.conf

#
# OpenVPN Server  - fqdn.com.au
#

# Network
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DOMAIN lan.local"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option WINS 10.8.0.1"
push "route 192.168.0.0 255.255.255.0"

# Certificates
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

# Crypto
cipher AES-128-CBC
comp-lzo
keepalive 10 120

# Security
persist-key
persist-tun

# Logging
status openvpn-status.log
verb 3
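
As an added example that is not part of the original page, here is a shell check a reviewer can run against the server.conf above before restarting the daemon. It verifies that the files named by the ca, cert, key and dh directives exist (relative paths resolved against the config directory), that the server's private key is not group- or world-readable, and it reports three hardening points the config above does not cover: comp-lzo is enabled, there is no user/group privilege drop, and there is no tls-auth or tls-crypt on the control channel. The paths, the function names and the use of GNU stat are assumptions; when run without arguments it checks a constructed config in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original page: a reviewer's check of an OpenVPN
# server.conf. Reads the directives the page's config uses (ca, cert, key,
# dh, comp-lzo) and prints one finding per line; the return value is the
# number of findings. Assumed usage (paths are assumptions):
#   ovpn_check /etc/openvpn/server.conf /etc/openvpn
# The permission check relies on GNU stat (-c).

# directive_value CONF NAME: first value of NAME, ignoring comment lines
directive_value() {
    awk -v d="$2" '$1 ~ /^[#;]/ { next } $1 == d { print $2; exit }' "$1"
}

# has_directive CONF NAME: true if NAME appears as a directive
has_directive() {
    awk -v d="$2" '$1 ~ /^[#;]/ { next } $1 == d { found = 1 } END { exit !found }' "$1"
}

ovpn_check() {
    conf="$1"
    base="${2:-$(dirname "$1")}"
    findings=0

    # 1. Every credential directive must name a file that exists.
    for d in ca cert key dh; do
        f=$(directive_value "$conf" "$d")
        if [ -z "$f" ]; then
            echo "missing directive: $d"
            findings=$((findings + 1))
            continue
        fi
        case "$f" in /*) path="$f" ;; *) path="$base/$f" ;; esac
        if [ ! -f "$path" ]; then
            echo "$d refers to a file that does not exist: $path"
            findings=$((findings + 1))
        elif [ "$d" = key ]; then
            # 2. The server's private key must not be group/world readable.
            mode=$(stat -c '%a' "$path")
            case "$mode" in
                *00) ;;
                *) echo "private key $path is mode $mode; expected 600 or 400"
                   findings=$((findings + 1)) ;;
            esac
        fi
    done

    # 3. Compression is deprecated in OpenVPN and exposes the tunnelled
    #    plaintext to compression side channels.
    if has_directive "$conf" comp-lzo; then
        echo "comp-lzo enabled: compression is deprecated and leaks plaintext structure"
        findings=$((findings + 1))
    fi

    # 4. Without user/group the daemon keeps root after initialisation.
    if ! has_directive "$conf" user || ! has_directive "$conf" group; then
        echo "no user/group directives: daemon keeps root privileges after start"
        findings=$((findings + 1))
    fi

    # 5. tls-auth/tls-crypt add an HMAC to the control channel so that
    #    unauthenticated packets are dropped before the TLS handshake.
    if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
        echo "no tls-auth or tls-crypt: control channel accepts packets from anyone"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Stand-alone demo on a constructed config resembling the page's server.conf
if [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    cat > "$demo/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
cipher AES-128-CBC
comp-lzo
EOF
    touch "$demo/ca.crt" "$demo/server.crt" "$demo/server.key" "$demo/dh1024.pem"
    chmod 644 "$demo/server.key"   # deliberately too open, to show the finding
    ovpn_check "$demo/server.conf" "$demo" && echo "no findings" || echo "findings: $?"
    rm -rf "$demo"
else
    ovpn_check "$@"
fi
```

Run it from /etc/openvpn after linking the easy-rsa keys in; a non-zero exit status is the finding count, so it drops straight into a deployment check or a cron job that mails the output.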

This is the same config expressed in OpenWrt's UCI format, as written by the LuCI interface (note that the subnet and the pushed DNS/WINS addresses in this listing differ from the server.conf above):

config 'openvpn' 'roadwarrior'
       option 'dev' 'tun'
       option 'management' '127.0.0.1 31194'
       option 'comp_lzo' '1'
       option 'mssfix' '1420'
       option 'verb' '3'
       option 'proto' 'udp'
       option 'port' '1194'
       option 'key' '/lib/uci/upload/cbid.openvpn.roadwarrior.key'
       option 'cert' '/lib/uci/upload/cbid.openvpn.roadwarrior.cert'
       option 'ca' '/lib/uci/upload/cbid.openvpn.roadwarrior.ca'
       option 'dh' '/lib/uci/upload/cbid.openvpn.roadwarrior.dh'
       option 'server' '10.0.8.0 255.255.255.0'
       option 'cipher' 'AES-128-CBC'
       option 'enable' '1'
       option 'keepalive' '10 120'
       option 'ifconfig_pool_persist' 'ipp.txt'
       option 'status' 'openvpn-status.log'
       option 'persist_key' '1'
       option 'persist_tun' '1'
       list 'push' 'dhcp-option DNS 10.0.8.1'
       list 'push' 'dhcp-option WINS 10.0.8.1'
       list 'push' 'dhcp-option DOMAIN lan.local'
       list 'push' 'route 192.168.0.0 255.255.255.0'
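
The mapping between the two listings above is mechanical, so here is an added example (not from the original page and not part of OpenWrt) that performs it: a shell function that turns an OpenVPN server.conf into the UCI stanza OpenWrt's openvpn package reads. Dashes in directive names become underscores, bare flag directives such as comp-lzo and persist-key become option 'x' '1', and each push "..." line becomes a list 'push' entry. The instance name roadwarrior is the page's; the function name and the file paths are assumptions, and paths inside the config are copied unchanged, so they still have to be adjusted for the router.

```shell
#!/bin/sh
# Added example; not from the original page or from the OpenWrt project.
# Usage: ovpn2uci server.conf [instance]   (instance defaults to roadwarrior)

ovpn2uci() {
    conf="$1"
    instance="${2:-roadwarrior}"
    awk -v name="$instance" '
        function q(s) { return "\047" s "\047" }        # wrap in single quotes
        BEGIN { printf "config %s %s\n", q("openvpn"), q(name) }
        /^[ \t]*$/ { next }                             # blank lines
        /^[ \t]*[#;]/ { next }                          # comment lines
        {
            line = $0
            sub(/[ \t]+$/, "", line)                    # drop trailing whitespace
            key = $1
            gsub(/-/, "_", key)                         # comp-lzo -> comp_lzo
            if (NF == 1) {
                # flag directive with no value: option x 1
                printf "\toption %s %s\n", q(key), q("1")
            } else if ($1 == "push") {
                # push "route ..." -> list push entry without the quotes
                val = line
                sub(/^[ \t]*push[ \t]+/, "", val)
                gsub("\"", "", val)
                printf "\tlist %s %s\n", q("push"), q(val)
            } else {
                # key value [value...] -> option key value...
                val = line
                sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)
                printf "\toption %s %s\n", q(key), q(val)
            }
        }
        END { printf "\toption %s %s\n", q("enable"), q("1") }
    ' "$conf"
}

# Stand-alone demo on a constructed config resembling the page's server.conf
if [ $# -eq 0 ]; then
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
# OpenVPN Server - constructed example
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
push "route 192.168.0.0 255.255.255.0"
cipher AES-128-CBC
comp-lzo
keepalive 10 120
persist-key
persist-tun
EOF
    ovpn2uci "$demo" roadwarrior
    rm -f "$demo"
else
    ovpn2uci "$@"
fi
```

The output is meant to be appended to /etc/config/openvpn on the router and then checked with `uci show openvpn` before `/etc/init.d/openvpn restart`; the ca/cert/key/dh options still point at the Debian paths and must be changed to where the files live on the router.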

Easy-RSA

server:/# cd /etc/openvpn
server:/etc/openvpn# mkdir easy-rsa
server:/etc/openvpn# cd easy-rsa
server:/etc/openvpn/easy-rsa# cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/* .
server:/etc/openvpn/easy-rsa# vi vars

vars

export KEY_COUNTRY="AU"
export KEY_PROVINCE="NSW"
export KEY_CITY="Goulburn"
export KEY_ORG="Receptive IT"
export KEY_EMAIL="[email protected]"

Generate CA

server:/etc/openvpn/easy-rsa# source ./vars 
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
server:/etc/openvpn/easy-rsa# ./clean-all 
server:/etc/openvpn/easy-rsa# ./build-ca 
Generating a 1024 bit RSA private key
..............++++++
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [NSW]:
Locality Name (eg, city) [Goulburn]:
Organization Name (eg, company) [Receptive IT]:
Organizational Unit Name (eg, section) []:Web Services
Common Name (eg, your name or your server's hostname) [Receptive IT CA]:
Email Address [[email protected]]:

Generate Certificate and Key for Server

./build-key-server server

Generate Certificate and Key for Client

./build-key client1

Generate DH

server:/etc/openvpn/easy-rsa# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..+....................................+.................................+..............................+....
.....................................................................................+........++*++*++*

Set up Server Certificates

server:/etc/openvpn/easy-rsa# cd ..
server:/etc/openvpn# ln -s easy-rsa/keys/ca.crt
server:/etc/openvpn# ln -s easy-rsa/keys/server.crt
server:/etc/openvpn# ln -s easy-rsa/keys/server.key
server:/etc/openvpn# ln -s easy-rsa/keys/dh1024.pem

Restart OpenVPN

server:/etc/openvpn# /etc/init.d/openvpn restart
Stopping virtual private network daemon:.
Starting virtual private network daemon: server.

Checking

server:/etc/openvpn# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
         inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:100 
         RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Client

client.conf

#
# Client
#

client
dev tun
proto udp
remote fqdn.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca cmb-ca.crt
cert cmb-client.crt
key cmb-client.key
cipher aes-128-cbc
comp-lzo
verb 3

Vista issues

1) Open your client.ovpn file and add the following two lines to the bottom of the file:

route-method exe
route-delay 2

2) Create a shortcut to your OpenVPN GUI file. Right-click the shortcut and click 'Properties'. Under the 'Shortcut' tab, click 'Advanced', check the box that says 'Run as administrator', then click 'OK' and 'OK' again.

Distributing keys

Obviously this needs to be done securely. Below is a script that creates the user's key if it does not already exist and distributes the keys into the user's home directory. It assumes that the username is also the file name of the key, and that the user's template .ovpn file refers to the key and certificate as "user".

#!/bin/bash

# deploy-cert: create (if needed) and distribute a user's OpenVPN keys
# into ~user/openvpn. The username is also the file name of the key.

# Check to make sure we have a username to work with
if [ -z "${1}" ]
then
 echo "Usage: deploy-cert username"
 exit 1
fi

# Check to make sure the username exists (getent exits 2 when the key is not found)
getent passwd "${1}" > /dev/null
if [ $? -eq 2 ]
then
 echo "Username not found in user database"
 exit 1
fi

HOMEDIR=$(getent passwd "${1}" | cut -d : -f 6)
EASYRSA="/etc/openvpn/easy-rsa"
KEYS="${EASYRSA}/keys"
CONFIG="datavoice.ovpn"
USEROPENVPN="${HOMEDIR}/openvpn"

# Check OpenVPN keys for existing key
if [ -f "${KEYS}/${1}.key" ]
then
 echo "User already has an existing OpenVPN key. Skipping creation."
else
 # vars and pkitool are relative to the easy-rsa directory
 cd "${EASYRSA}" || exit 1
 source ./vars
 ./pkitool "${1}"
fi

# Check that user home directory exists
if [ ! -d "${HOMEDIR}" ]
then
 echo "Home directory does not exist... Creating"
 mkdir "${HOMEDIR}"
 chown "${1}" "${HOMEDIR}"
 chmod 755 "${HOMEDIR}"
fi

# Check for existing OpenVPN config in user home directory
if [ -d "${USEROPENVPN}" ]
then
 echo "User has an existing OpenVPN config"
 exit 1
else
 echo "Distributing OpenVPN keys to ${1}"
 mkdir "${USEROPENVPN}"
 cp "${KEYS}/ca.crt" "${USEROPENVPN}/"
 cp "${KEYS}/${1}".* "${USEROPENVPN}/"
 # The template config names the key and certificate as "user"; substitute the real username
 sed -e "s/user/${1}/" "${KEYS}/${CONFIG}" > "${USEROPENVPN}/${CONFIG}"
 # Convert to DOS line endings for the Windows OpenVPN GUI (todos is in the tofrodos package)
 todos -a "${USEROPENVPN}/${CONFIG}"
 chown -R "${1}" "${USEROPENVPN}"
fi