Windows to Linux VPN
Related documents: Roll out custom [:OpenVPNRollOut:Windows OpenVPN clients]
On build machine
This may be skipped if you already have a built RPM of OpenVPN or sourced it from yum. From FC3 onward, openvpn is available in the Extras repository.
{{{
# yum install lzo lzo-devel openssl-devel pam-devel
# rpmbuild -tb openvpn-2.0.5.tar.gz
# scp /usr/src/redhat/RPMS/i386/openvpn-2.0.5-1.i386.rpm ccc@192.168.1.85:
}}}
On the server
{{{
# yum install lzo
# rpm -Uvh openvpn-2.0.5-1.i386.rpm
# cd /etc/openvpn/easy-rsa
# vi vars
}}}
Edit the variables KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to the appropriate value.
{{{
# source vars
# ./build-ca
}}}
It will ask a series of questions. The only field you need to fill in is the Common Name.
{{{
# ./build-key-server server
}}}
Again, some more questions. You only need to fill in the Common Name and answer 'y' to "Sign the certificate?" and "1 out of 1 certificate requests certified, commit?"
{{{
# ./build-dh
}}}
This will build the Diffie-Hellman key exchange settings. It will take a while.
{{{
# vi openvpn.conf
}}}
The openvpn.conf will include something similar to the following options:
{{{
dev tap
proto udp
port 1194
ifconfig 192.168.128.1 255.255.255.0
tls-server
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/muppets.crt
key /etc/openvpn/easy-rsa/keys/muppets.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
mute 10
verb 3
ping 10
keepalive 0 0
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
}}}
If multiple customers are going to be connecting to a single server, as in the situation of an ASP, multiple keys can be set up along with multiple configuration files, but a different port must be set up for each customer/configuration.
Windows Clients
On the VPN server, run:
{{{
# cd /etc/openvpn/easy-rsa/
# source vars
# ./build-key <client>
}}}
It will then ask you a series of questions, similar to the ones asked by the ./build-key-server script. You should only need to answer the "Common Name" field, "Sign the certificate?" and "1 out of 1 certificate requests certified, commit?"
On the client, install the latest version of [http://openvpn.se/ OpenVPN GUI for Windows], applying all the default options.
Copy the files /etc/openvpn/easy-rsa/keys/<client>.*, /etc/openvpn/easy-rsa/keys/ca.crt, /etc/openvpn/easy-rsa/keys/ta.key and /etc/openvpn/easy-rsa/keys/dh1024.pem from the server to the C:\Program Files\OpenVPN\config folder on the client.
In that same directory a configuration file config.ovpn similar to openvpn.conf must be created.
{{{
# Configuration for connecting into Creative computing internal network
tls-client
dev tap
proto udp
remote creativecomputing.com.au 1194
resolv-retry infinite
nobind
# This line is client dependent.
ifconfig 192.168.128.x 255.255.255.0
route 192.168.127.0 255.255.255.0 192.168.128.1
ca ca.crt
cert <client>.crt
key <client>.key
tls-auth ta.key 1
verb 3
mute 10
}}}
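The server openvpn.conf and the client config.ovpn above have to agree on several settings (tls-server/tls-client, opposite tls-auth key directions, proto, port, dev, and a client address on the server's tap subnet), and a leftover `secret` line from the old static-key setup would break the TLS mode. As an added example (not part of this page and not OpenVPN's own code), here is a small Python checker that parses both files and reports those mismatches; it also warns when the DH file name indicates parameters smaller than 2048 bits. The embedded configs are transcribed from this page, with the placeholders `<client>` and `192.168.128.x` replaced by the constructed values `kermit` and `192.168.128.7` so the text parses.

```python
"""Sanity-check an OpenVPN TLS server/client config pair (added example)."""
import ipaddress
import re

# Constructed samples transcribed from the configs on this page; <client> and
# 192.168.128.x are filled in with made-up values so the text parses.
SERVER_CONF = """\
dev tap
proto udp
port 1194
ifconfig 192.168.128.1 255.255.255.0
tls-server
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/muppets.crt
key /etc/openvpn/easy-rsa/keys/muppets.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
mute 10
verb 3
ping 10
keepalive 0 0
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
"""

CLIENT_OVPN = """\
# Configuration for connecting into Creative computing internal network
tls-client
dev tap
proto udp
remote creativecomputing.com.au 1194
resolv-retry infinite
nobind
# This line is client dependent.
ifconfig 192.168.128.7 255.255.255.0
route 192.168.127.0 255.255.255.0 192.168.128.1
ca ca.crt
cert kermit.crt
key kermit.key
tls-auth ta.key 1
verb 3
mute 10
"""


def parse(text):
    """Map each directive to its argument list (last occurrence wins).
    Blank lines and ';' comment lines are skipped; anything after '#' is dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        conf[parts[0]] = parts[1:]
    return conf


def check_pair(server_text, client_text):
    """Return a list of (severity, message) findings; an empty list means consistent."""
    s, c = parse(server_text), parse(client_text)
    out = []

    # Mode: TLS on both sides, no static-key 'secret' left over, PKI files present.
    if "tls-server" not in s:
        out.append(("error", "server: tls-server missing"))
    if "tls-client" not in c:
        out.append(("error", "client: tls-client missing"))
    for name, conf in (("server", s), ("client", c)):
        if "secret" in conf:
            out.append(("error", f"{name}: static-key 'secret' left over alongside TLS mode"))
        for d in ("ca", "cert", "key"):
            if d not in conf:
                out.append(("error", f"{name}: {d} missing"))

    # tls-auth on both sides with opposite key directions (server 0, client 1).
    for name, conf, want in (("server", s, "0"), ("client", c, "1")):
        ta = conf.get("tls-auth")
        if ta is None:
            out.append(("error", f"{name}: tls-auth missing, control channel not HMAC-protected"))
        elif len(ta) < 2 or ta[1] != want:
            out.append(("error", f"{name}: tls-auth key direction should be {want}"))

    # Transport must agree: proto, dev, and the client's remote port vs. the server port.
    if s.get("proto") != c.get("proto"):
        out.append(("error", "proto differs between server and client"))
    if s.get("dev") != c.get("dev"):
        out.append(("error", "dev type differs between server and client"))
    port = s.get("port", ["1194"])[0]
    remote = c.get("remote", [])
    if len(remote) < 2 or remote[1] != port:
        out.append(("error", f"client remote port does not match server port {port}"))

    # The client's ifconfig address must sit on the server's tap subnet.
    try:
        nets = {}
        for name, conf in (("server", s), ("client", c)):
            ip, mask = conf["ifconfig"][:2]
            nets[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if nets["server"] != nets["client"]:
            out.append(("error", "client ifconfig is not on the server subnet"))
    except (KeyError, ValueError):
        out.append(("error", "ifconfig missing or malformed on one side"))

    # DH size inferred from the file name convention used on this page (dh1024.pem).
    m = re.search(r"dh(\d+)", s.get("dh", [""])[0])
    if m and int(m.group(1)) < 2048:
        out.append(("warning", f"server: {m.group(1)}-bit DH parameters are below the 2048-bit minimum now recommended"))
    return out


if __name__ == "__main__":
    for sev, msg in check_pair(SERVER_CONF, CLIENT_OVPN) or [("ok", "no findings")]:
        print(f"{sev}: {msg}")
```

Run against the page's own configs the only finding is the DH warning; swapping the client's key direction to 0, or leaving a `secret` line in, produces errors. The parser takes the last occurrence of a repeated directive, which matches what a hand-edited config usually intends but not necessarily OpenVPN's handling of every directive, so treat it as a pre-flight check rather than a substitute for reading the daemon's log at `verb 3`.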
There should be a script on muppets in /etc/openvpn/easy-rsa/email_keys. It takes two arguments: the client name and the email address. It should automatically create the keys for you and email them to the specified address. If any of the steps above change, the script will also need to be changed.
On a network with NAT, port 1194 with protocol UDP must be forwarded to the server's local IP address. See also [http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html Roll Your Own OpenVPN Windows Installation Package]. Windows clients are known to time out; if OpenVPN is run as a service (non-GUI), the following commands from attachment:RestartVPN.bat can quickly restart the service.
{{{
net stop "openvpn service"
net start "openvpn service"
}}}
To have OpenVPN automatically connect at startup, edit the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\openvpn_gui to the following:
{{{
C:\Program Files\OpenVPN\bin\openvpn-gui.exe --connect <OVPN file>
}}}
Creative Staff Client Configuration
{{{
# Configuration for connecting into Creative computing internal network
tls-client
dev tap
proto udp
remote creativecomputing.com.au 1194
resolv-retry infinite
nobind
# This line is client dependent.
ifconfig 192.168.128.x 255.255.255.0
route 192.168.127.0 255.255.255.0 192.168.128.1
dhcp-option DOMAIN crecom.com.au
dhcp-option DNS 192.168.128.1
ca ca.crt
cert <client>.crt
key <client>.key
tls-auth ta.key 1
verb 3
mute 10
}}}
