OpenVPN

OpenVPN uses a Public Key Infrastructure (PKI): each node authenticates to its peer with an X.509 certificate, and the TLS handshake that follows negotiates the session keys that encrypt the VPN traffic. A simple way of setting up a VPN with OpenVPN is to connect the clients through a bridge interface on the VPN server. This guide assumes that one VPN node, the server in this case, already has a bridge interface configured. For more information on setting up a bridge see “Bridging”.

Installation

To install openvpn in a terminal enter:

sudo apt-get install openvpn

Server Certificates

Now that you have the openvpn package installed, you need to create the certificates for the VPN server.

First, copy the easy-rsa directory to /etc/openvpn. This ensures that any changes you make to the scripts are not lost when the package is upgraded. In a terminal enter:

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Next, edit the file /etc/openvpn/easy-rsa/vars and adjust the following to your environment. The same file also sets KEY_SIZE, which easy-rsa 2.0 defaults to 1024; 1024-bit RSA keys and Diffie-Hellman parameters are no longer considered adequate, so set it to 2048 as well (build-dh then produces dh2048.pem, and the copy command below should name that file instead of dh1024.pem):

export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL="steve@example.com"

Enter the following to create the server certificates. The easy-rsa directory is owned by root, so run these commands in a root shell (sudo -s) rather than prefixing each one with sudo, which would not carry over the variables exported by source vars. Note that ./clean-all empties the keys directory: run it only when creating a new CA, never later when adding clients.

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

Client Certificates

The VPN client also needs a certificate to authenticate itself to the server. To create the certificate, enter the following in a terminal (in the same root shell as above):

cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname
[Note]

Replace hostname with the actual hostname of the machine connecting to the VPN.

Copy the following files to the client (pkitool writes them under the keys directory):

  • /etc/openvpn/easy-rsa/keys/ca.crt

  • /etc/openvpn/easy-rsa/keys/hostname.crt

  • /etc/openvpn/easy-rsa/keys/hostname.key

  • /etc/openvpn/easy-rsa/keys/ta.key

[Note]

Remember to adjust the above file names for your client machine's hostname. The client configuration file itself is created in the Client Configuration section below. Do not copy ca.key: it signs every certificate in the VPN and must stay on the CA.

It is best to use a secure method to copy the certificate and key files. The scp utility is a good choice, but copying the files to removable media and then to the client also works well. Either way, hostname.key and ta.key are secrets: keep them readable only by root on the client (mode 600) and wipe the removable media afterwards.
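Before a bundle leaves the server it is worth checking that it is complete, that the secrets are not group- or world-readable, and that the certificate really belongs to the private key next to it (copying another host's key is the classic mistake). The script below is an added example, not part of this guide; it assumes the easy-rsa 2.0 layout used above (files under /etc/openvpn/easy-rsa/keys) and that clients are named after their hostname as in "./pkitool hostname". The openssl checks need openssl(1), which the openvpn package already depends on.

```shell
#!/bin/sh
# Added example (not part of the guide): sanity-check a client's bundle before
# it leaves the server. Assumed layout: DIR is the easy-rsa keys directory and
# NAME is the hostname passed to pkitool.

# bundle_files DIR NAME: the files that belong on the client, one per line.
# ca.key is deliberately absent: it signs every certificate and never leaves the CA.
bundle_files() {
    printf '%s\n' "$1/ca.crt" "$1/$2.crt" "$1/$2.key" "$1/ta.key"
}

# is_private FILE: true only if group and other have no permission bits.
# Reads the POSIX ls -l mode string, so it needs no GNU-specific stat(1).
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_bundle DIR NAME: every file present and non-empty, secrets private.
# Returns 1 and prints one line per problem otherwise.
check_bundle() {
    dir=$1; name=$2; rc=0
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; rc=1; }
    done
    for f in "$name.key" ta.key; do
        if [ -e "$dir/$f" ] && ! is_private "$dir/$f"; then
            echo "readable by group/other: $dir/$f (chmod 600 it)" >&2; rc=1
        fi
    done
    return $rc
}

# check_keypair DIR NAME: the certificate chains to ca.crt and its public key
# matches the private key (same RSA modulus). Needs openssl(1).
check_keypair() {
    dir=$1; name=$2; rc=0
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 \
        || { echo "$name.crt does not verify against ca.crt" >&2; rc=1; }
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/$name.crt" 2>/dev/null) || crt_mod=
    key_mod=$(openssl rsa -noout -modulus -in "$dir/$name.key" 2>/dev/null) || key_mod=
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ] \
        || { echo "$name.crt and $name.key are not a pair" >&2; rc=1; }
    return $rc
}

# ship_bundle DIR NAME USER@HOST: run both checks, then copy with scp
# (hypothetical helper; the destination is the client's home directory).
ship_bundle() {
    check_bundle "$1" "$2" && check_keypair "$1" "$2" || return 1
    bundle_files "$1" "$2" | xargs -I{} scp {} "$3:"
}
```

Run it from the root shell as, for example, `ship_bundle /etc/openvpn/easy-rsa/keys laptop1 user@laptop1`; nothing is copied if either check fails.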

Configuration

Server Configuration

Now configure the openvpn server by creating /etc/openvpn/server.conf from the example file. In a terminal enter:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz

Edit the file /etc/openvpn/server.conf and change the following options:

local 172.18.100.101
dev tap0
server-bridge 172.18.100.101 255.255.255.0 172.18.100.105 172.18.100.200
push "route 172.18.100.1 255.255.255.0"
push "dhcp-option DNS 172.18.100.20"
push "dhcp-option DOMAIN example.com"
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup

  • local: is the IP address of the bridge interface.

  • server-bridge: needed when the configuration uses bridging. The 172.18.100.101 255.255.255.0 portion is the bridge interface address and mask. The IP range 172.18.100.105 172.18.100.200 is the range of addresses that will be assigned to clients; it must lie inside the bridge's subnet and must not overlap the bridge address or the addresses the LAN's DHCP server hands out.

  • push: directives that add network options on the clients. The first argument to route is a network address and should agree with the mask (172.18.100.0 for a /24); in a bridged setup the clients are already on that subnet, so a route push is mostly useful for other networks reachable through the server.

  • tls-auth: HMAC-signs every control-channel packet with the shared ta.key, so packets from anyone who lacks the key are dropped before the TLS handshake begins. The trailing 0 is the key direction; the client uses 1.

  • user and group: configure which user and group the openvpn daemon runs as after start-up. Because privileges are dropped by then, a down script that needs root (brctl, as below) fails on shutdown unless it is run through the down-root plugin shipped with OpenVPN (openvpn-plugin-down-root.so), which executes the down command as root in place of the down directive.

[Note]

Replace all IP addresses and domain names above with those of your network.
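The server-bridge line is where misconfigurations hide: a pool outside the bridge's subnet, a pool that swallows the bridge address or the broadcast address, or a route push whose first argument is a host rather than a network. The following is an added example, not part of this guide, that checks those conditions with plain shell arithmetic and prints the two directives for server.conf; the addresses it is fed are the ones from the snippet above and are replaced by your own.

```shell
#!/bin/sh
# Added example (not part of the guide): validate the server-bridge addresses
# and print the matching directives. Assumes IPv4 and a contiguous netmask.

# ip2int A.B.C.D: print the address as a 32-bit integer, or fail on bad input
# (wrong number of octets, non-digits, leading zeros, octet > 255).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in
            ''|*[!0-9]*|0?*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip N: inverse of ip2int.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_bridge_pool BRIDGE_IP NETMASK POOL_START POOL_END
# Succeeds only if the mask is contiguous, both pool ends sit inside the
# bridge's subnet without touching the network or broadcast address, the
# bridge address is outside the pool, and start <= end. On success prints the
# server-bridge line and a route push using the subnet's network address.
check_bridge_pool() {
    ip=$(ip2int "$1")   || { echo "bad bridge address: $1" >&2; return 1; }
    mask=$(ip2int "$2") || { echo "bad netmask: $2" >&2; return 1; }
    lo=$(ip2int "$3")   || { echo "bad pool start: $3" >&2; return 1; }
    hi=$(ip2int "$4")   || { echo "bad pool end: $4" >&2; return 1; }
    host=$(( ~mask & 4294967295 ))          # host-part bits of the mask
    [ $(( (host + 1) & host )) -eq 0 ] || { echo "netmask is not contiguous: $2" >&2; return 1; }
    net=$(( ip & mask ))
    bcast=$(( net | host ))
    [ "$lo" -le "$hi" ] || { echo "pool start is after pool end" >&2; return 1; }
    for a in "$lo" "$hi"; do
        [ $(( a & mask )) -eq "$net" ] || { echo "pool is outside the bridge subnet" >&2; return 1; }
        if [ "$a" -eq "$net" ] || [ "$a" -eq "$bcast" ]; then
            echo "pool includes the network or broadcast address" >&2; return 1
        fi
    done
    if [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]; then
        echo "bridge address $1 lies inside the client pool" >&2; return 1
    fi
    echo "server-bridge $1 $2 $3 $4"
    echo "push \"route $(int2ip "$net") $2\""
}

# Command-line use: check_bridge_pool.sh BRIDGE_IP NETMASK POOL_START POOL_END
if [ $# -eq 4 ]; then
    check_bridge_pool "$@"
fi
```

The script cannot know what your LAN's DHCP server hands out, so the overlap between the OpenVPN pool and the DHCP range still has to be checked against that server's configuration.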

Now create a couple of helper scripts to add the tap interface to the bridge. OpenVPN runs them through the up and down directives in server.conf, each given the bridge name as its argument (up "/etc/openvpn/up.sh br0" and down "/etc/openvpn/down.sh br0"), and appends the tap device name and the MTU, which is why the scripts read $1, $2 and $3 below. OpenVPN 2.1 and later also refuse to execute external scripts unless script-security 2 is set. Create the script /etc/openvpn/up.sh:

#!/bin/sh
# Invoked by OpenVPN as: up.sh <bridge> <tap device> <tun mtu> <link mtu> ...
# (the bridge name comes from the up directive, the rest is added by OpenVPN)

BR=$1
DEV=$2
MTU=$3
# Bring the tap device up in promiscuous mode with the MTU OpenVPN chose,
# then attach it to the bridge so VPN clients appear on the LAN segment.
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV

And /etc/openvpn/down.sh:

#!/bin/sh
# Invoked by OpenVPN as: down.sh <bridge> <tap device> ...

BR=$1
DEV=$2

# Detach the tap device from the bridge, then bring it down.
/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

Then make them executable:

sudo chmod 755 /etc/openvpn/down.sh
sudo chmod 755 /etc/openvpn/up.sh
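The two scripts above rely on ifconfig and brctl, which are deprecated and often no longer installed on current releases. The following added example, not part of this guide, does the same job with iproute2 (ip link), validates its arguments so that a typo in server.conf fails loudly instead of being handed to ip(8), and can be dry-run without root by setting DRY_RUN. It assumes iproute2 is installed and that the script is invoked by OpenVPN as described above; the DRY_RUN switch and the single-file dispatch are this example's own conventions.

```shell
#!/bin/sh
# Added example (not the guide's scripts): up/down helpers using iproute2.
# OpenVPN calls:  up.sh <bridge> <tap dev> <tun mtu> <link mtu> ...
#                 down.sh <bridge> <tap dev> ...
# when server.conf has  up "/etc/openvpn/up.sh br0"  /  down "/etc/openvpn/down.sh br0"
# Assumes iproute2 is installed and the script runs as root (DRY_RUN aside).

# valid_ifname NAME: a plain Linux interface name (no options, no shell
# metacharacters, at most 15 characters).
valid_ifname() {
    case $1 in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# run CMD...: execute, or only print when DRY_RUN is set (testing without
# root and without real interfaces).
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# bridge_up BRIDGE DEV MTU: bring the tap up with OpenVPN's MTU in
# promiscuous mode and enslave it to the bridge.
bridge_up() {
    br=$1; dev=$2; mtu=$3
    valid_ifname "$br" && valid_ifname "$dev" || { echo "bad interface name" >&2; return 1; }
    case $mtu in ''|*[!0-9]*) echo "bad mtu: $mtu" >&2; return 1 ;; esac
    run ip link set dev "$dev" mtu "$mtu" promisc on up
    run ip link set dev "$dev" master "$br"
}

# bridge_down BRIDGE DEV: release the tap from the bridge and bring it down.
bridge_down() {
    br=$1; dev=$2
    valid_ifname "$br" && valid_ifname "$dev" || { echo "bad interface name" >&2; return 1; }
    run ip link set dev "$dev" nomaster
    run ip link set dev "$dev" down
}

# Entry point: install this file as up.sh and symlink down.sh to it; the
# action is chosen from the name it was invoked by. Runs only when given
# arguments, so the file can be sourced for testing without side effects.
if [ $# -ge 2 ]; then
    case $(basename "$0") in
        down.sh) bridge_down "$1" "$2" ;;
        *)       bridge_up "$1" "$2" "$3" ;;
    esac
fi
```

Because user nobody / group nogroup are set in server.conf, the down path still needs the down-root plugin (or must be dropped) on shutdown; the dry-run mode is only for inspecting the commands that would be issued, for example `DRY_RUN=1 sh up.sh br0 tap0 1500`.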

After configuring the server, restart openvpn by entering (on releases that use systemd, sudo systemctl restart openvpn@server restarts just this configuration):

sudo /etc/init.d/openvpn restart

Client Configuration

With the server configured and the client certificates copied over, create a client configuration file by copying the example. In a terminal on the client machine enter:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn

Now edit the /etc/openvpn/client.conf file and change the following options:

dev tap
remote vpn.example.com 1194
cert hostname.crt
key hostname.key
tls-auth ta.key 1

[Note]

Replace vpn.example.com with the hostname of your VPN server, and hostname.* with the actual certificate and key filenames. Note the direction 1 on tls-auth, the opposite of the server's 0. The sample client.conf does not, by itself, check that the peer it connects to holds a server certificate: any client certificate issued by the same CA would be accepted as the server. Adding remote-cert-tls server closes that gap; the certificates produced by pkitool --server carry the extensions it checks.

Finally, restart openvpn:

sudo /etc/init.d/openvpn restart

It should now be possible to connect to the remote LAN through the VPN.
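Whether the client actually authenticates the server comes down to a handful of lines in client.conf, and the sample file leaves the most important one (remote-cert-tls server) out. The following added example, not part of this guide, lints a client configuration for that and for the other settings from this section: the tls-auth direction, the deprecated ns-cert-type, and the presence of ca, cert and key. It assumes an ordinary OpenVPN config file with # or ; comments; the sample config text in the usage is constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the guide): lint a client.conf for the settings
# that decide whether the server is authenticated, not just the client.

# conf_get FILE KEY: print the arguments of the first uncommented KEY line
# (empty if the directive is absent). Trailing # and ; comments are stripped.
conf_get() {
    sed -e 's/[[:space:]]*[#;].*$//' "$1" |
        awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# lint_client_conf FILE: print one line per finding; 0 only if nothing is found.
lint_client_conf() {
    f=$1; rc=0
    # Without this, any certificate signed by the CA, including another
    # client's, is accepted as the server. pkitool --server issues
    # certificates that satisfy the check.
    case $(conf_get "$f" remote-cert-tls) in
        server) ;;
        '') echo "missing: remote-cert-tls server (server identity not checked)"; rc=1 ;;
        *)  echo "remote-cert-tls must be 'server' on a client"; rc=1 ;;
    esac
    # The client side of tls-auth uses direction 1; the server uses 0.
    case $(conf_get "$f" tls-auth) in
        *' 1') ;;
        '') echo "missing: tls-auth ta.key 1"; rc=1 ;;
        *)  echo "tls-auth direction must be 1 on the client (0 is the server side)"; rc=1 ;;
    esac
    # ns-cert-type was the pre-2.4 way to do this and is gone in 2.5.
    if [ -n "$(conf_get "$f" ns-cert-type)" ]; then
        echo "ns-cert-type is deprecated; use remote-cert-tls server"; rc=1
    fi
    for k in ca cert key; do
        [ -n "$(conf_get "$f" "$k")" ] || { echo "missing: $k"; rc=1; }
    done
    return $rc
}

# Command-line use: lint_client_conf.sh /etc/openvpn/client.conf
if [ $# -eq 1 ]; then
    lint_client_conf "$1"
fi
```

Run against the client.conf produced by the steps above it reports the missing remote-cert-tls line; once that is added the file passes and the client will refuse to complete a handshake with a peer presenting a client certificate.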

References