Differences between revisions 20 and 32 (spanning 12 versions)
Revision 20 as of 2007-02-14 00:04:12
Size: 4751
Editor: DannyCheung
Comment:
Revision 32 as of 2014-04-15 02:27:38
Size: 6348
Editor: thog
Comment:

Windows to Linux VPN

Related documents: Roll out custom Windows OpenVPN clients

On build machine

This may be skipped if you already have a built RPM of OpenVPN or can get one from yum. From Fedora Core 3 onward openvpn is available in the Extras repository.

# yum install lzo lzo-devel openssl-devel pam-devel
# rpmbuild -tb openvpn-2.0.5.tar.gz
# scp /usr/src/redhat/RPMS/i386/openvpn-2.0.5-1.i386.rpm ccc@192.168.1.85:

On the server

# yum install lzo
# rpm -Uvh openvpn-2.0.5-1.i386.rpm

OR

Alternatively, skip the build steps above and install the packaged openvpn together with its dependencies from the repository:

# yum install openvpn
# cd /usr/share/openvpn/easy-rsa/2.0
# vi vars

Edit the variables KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to the appropriate value.

# . ./vars

Set up a fresh key database. clean-all deletes every certificate and key in the keys directory, including an existing CA, so run it only when starting a new CA, never on a server that has already issued client certificates.

# ./clean-all

Generate the Certificate Authority keys

# ./build-ca

It will ask a series of questions. The only field you need to fill in is the Common Name.

# ./build-key-server server

Again, some more questions. Only the Common Name needs to be filled in; answer 'y' to "Sign the certificate?" and to "1 out of 1 certificate requests certified, commit?". The argument (server here) becomes the file name: the certificate and key are written to keys/server.crt and keys/server.key, and the cert and key lines in openvpn.conf below must use the same name.

# ./build-dh

This builds the Diffie-Hellman parameters, written to keys/dh1024.pem with the default KEY_SIZE=1024 from vars. It takes a while. 1024-bit DH and RSA keys are below current recommendations; setting KEY_SIZE=2048 in vars before build-ca and build-dh produces 2048-bit keys and keys/dh2048.pem, in which case the dh line below must name that file.

# vi /etc/openvpn/openvpn.conf (create this file)

openvpn.conf will include something similar to the following options (the comments after # are explanatory and may be kept or dropped):

dev tap                                   # layer-2 (tap) tunnel; clients use static addresses on it
proto udp
port 1194
server 192.168.128.0 255.255.255.0        # server mode; also implies tls-server and the .1 ifconfig below
ifconfig 192.168.128.1 255.255.255.0      # the server's own address (redundant with "server", harmless)
tls-server
ca /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/2.0/keys/servername.crt   # servername = name given to build-key-server
key /usr/share/openvpn/easy-rsa/2.0/keys/servername.key    # private key: keep mode 0600, root only
dh /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem          # dh<KEY_SIZE>.pem from build-dh
mute 10
verb 3
ping 10
keepalive 0 0                             # 0 0 disables ping-restart; "keepalive 10 60" detects dead peers
status /var/log/openvpn/openvpn-status.log   # /var/log/openvpn must exist before starting
log-append /var/log/openvpn/openvpn.log

Note: servername is the name you passed to build-key-server (server in the command above), not necessarily the host name; the cert and key lines must match the files easy-rsa actually wrote.

If multiple customers are going to connect to a single server, as in the situation of an ASP, multiple keys can be set up along with multiple configuration files in /etc/openvpn, but each configuration must listen on a different port, since one OpenVPN process serves one configuration. If those instances all point at the same ca.crt, any client certificate issued by that CA is accepted by every instance; customers that must be isolated from each other need a separate CA each.

Do not forget to start the openvpn service (service openvpn start; chkconfig openvpn on to start it at boot).
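The configuration above works, but the daemon keeps root privileges for its whole lifetime, the control channel is not HMAC-protected, and the peer-liveness check is switched off. The following is an added, hardened variant of the same server configuration; it is not taken from the page. It keeps the page's addressing and file layout and assumes a ta.key created on the server with openvpn --genkey --secret /usr/share/openvpn/easy-rsa/2.0/keys/ta.key, a dh2048.pem built with KEY_SIZE=2048, a certificate built as ./build-key-server server, and that /var/log/openvpn exists. The server line already implies tls-server and the server's own ifconfig, so those are not repeated.

```text
dev tap
proto udp
port 1194
server 192.168.128.0 255.255.255.0
ca   /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/2.0/keys/server.crt
key  /usr/share/openvpn/easy-rsa/2.0/keys/server.key
dh   /usr/share/openvpn/easy-rsa/2.0/keys/dh2048.pem
# HMAC-sign control-channel packets; unsigned UDP packets are dropped before
# any TLS work is done. Every client carries the same file with "tls-auth ta.key 1".
tls-auth /usr/share/openvpn/easy-rsa/2.0/keys/ta.key 0
# Data-channel cipher; every client config must name the same one.
cipher AES-256-CBC
# Drop root once the tap device and keys are opened; persist-* keep them
# usable across SIGUSR1 restarts after privileges are gone.
user nobody
group nobody
persist-key
persist-tun
# Ping every 10 s, declare a peer dead after 60 s (instead of keepalive 0 0).
keepalive 10 60
mute 10
verb 3
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
```

Each client config then needs the matching tls-auth ta.key 1 and cipher AES-256-CBC lines, and the ta.key file must be shipped to the client together with ca.crt and the client's own certificate and key.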

Building a key and certificate for a client

Server side

On the VPN server, run:

# cd /usr/share/openvpn/easy-rsa/2.0
# source vars
# ./build-key <client>

It will then ask a series of questions, similar to the ones asked by the build-key-server script. You should only need to answer the "Common Name" field (use the client name), "Sign the certificate?" and "1 out of 1 certificate requests certified, commit?". Give every client its own certificate and key; never hand the same pair to two people, since revoking it later (./revoke-full <client>) cuts off both.

In the same keys directory (/usr/share/openvpn/easy-rsa/2.0/keys) create a client configuration file similar to openvpn.conf.

Note: Instead of a generic name like config.ovpn, give the file a meaningful name such as the computer or the person using the VPN (e.g. kim.ovpn). Keep the .ovpn extension: that is what the OpenVPN GUI on Windows looks for in its config folder.

# Configuration for connecting into Creative computing internal network
tls-client
dev tap                                   # must match the server's dev
proto udp
remote creativecomputing.com.au 1194      # public name and port of the VPN server
resolv-retry infinite                     # keep retrying DNS while offline
nobind                                    # no fixed local port
ifconfig 192.168.128.x 255.255.255.0      # client dependent: x is this client's host number (2-254, unique per client; .1 is the server)
ca ca.crt                                 # relative paths: the files live beside this config
cert <client>.crt
key <client>.key
verb 3
mute 10
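Choosing x by hand is where static tap addressing goes wrong: two clients given the same address cannot both work, and nothing on the server refuses the duplicate. The script below is an added example written for this page (it is not the email_keys script mentioned later): it scans the existing client configs in the easy-rsa keys directory for their ifconfig addresses, hands out the lowest unused host number, and writes <client>.ovpn in the shape shown above. The KEYS_DIR default, the VPN_PREFIX taken from the server line, the VPN_REMOTE value and the tls-auth line are assumptions; the tls-auth line requires the server to carry "tls-auth ta.key 0".

```shell
#!/bin/sh
# new_client_conf.sh - allocate the next free static tap address in the VPN
# subnet and write <client>.ovpn for it. Added example for this page; it is
# not the email_keys script and assumes easy-rsa 2.0's keys directory layout
# and a server configured with "tls-auth ta.key 0".
#
# Usage (on the VPN server, after ./build-key <client>):
#     sh new_client_conf.sh <client>

KEYS_DIR=${KEYS_DIR:-/usr/share/openvpn/easy-rsa/2.0/keys}
VPN_PREFIX="192.168.128"                  # from "server 192.168.128.0 255.255.255.0"
VPN_REMOTE="creativecomputing.com.au 1194"

# Print every address already handed out under DIR: the first argument of the
# ifconfig line in each client .ovpn or .conf, plus .1 for the server itself.
used_vpn_addrs() {
    echo "$VPN_PREFIX.1"
    for f in "$1"/*.ovpn "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk '$1 == "ifconfig" { print $2 }' "$f"
    done
}

# Print the lowest unused host address in .2 .. .254; fail if none is left.
next_vpn_addr() {
    used=$(used_vpn_addrs "$1")
    n=2
    while [ "$n" -le 254 ]; do
        candidate="$VPN_PREFIX.$n"
        if ! printf '%s\n' "$used" | grep -qxF "$candidate"; then
            echo "$candidate"
            return 0
        fi
        n=$((n + 1))
    done
    echo "no free address left in $VPN_PREFIX.0/24" >&2
    return 1
}

# Write DIR/NAME.ovpn for client NAME at address ADDR. NAME becomes part of a
# file path, so only plain identifiers are accepted; ADDR must not be in use.
render_client_conf() {
    dir=$1; name=$2; addr=$3
    case "$name" in
        ""|*[!A-Za-z0-9_.-]*) echo "bad client name: '$name'" >&2; return 1 ;;
    esac
    if used_vpn_addrs "$dir" | grep -qxF "$addr"; then
        echo "address $addr is already allocated" >&2
        return 1
    fi
    cat > "$dir/$name.ovpn" <<EOF
# Configuration for connecting into Creative computing internal network
tls-client
dev tap
proto udp
remote $VPN_REMOTE
resolv-retry infinite
nobind
ifconfig $addr 255.255.255.0
ca ca.crt
cert $name.crt
key $name.key
tls-auth ta.key 1
verb 3
mute 10
EOF
}

# Command-line entry point; the functions above can also be sourced.
if [ "$#" -ge 1 ]; then
    client=$1
    [ -f "$KEYS_DIR/$client.key" ] || { echo "run ./build-key $client first" >&2; exit 1; }
    addr=$(next_vpn_addr "$KEYS_DIR") || exit 1
    render_client_conf "$KEYS_DIR" "$client" "$addr" || exit 1
    echo "$client -> $addr ($KEYS_DIR/$client.ovpn)"
fi
```

Because the allocator only knows about configs kept in the keys directory, every client config must be written there (or copied back there) for the bookkeeping to hold; a config created elsewhere by hand is invisible to it.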

Then zip the files you just created for this client: <client>.crt, <client>.key, <client>.ovpn and ca.crt (plus ta.key if tls-auth is used). dh1024.pem is used by the server only; the client does not need it.

# zip <client>.zip <client>.crt <client>.key <client>.ovpn ca.crt

# scp <client>.zip muppets:/var/www/html/<companyname>/ (create the <companyname> directory on muppets before copying)

The zip contains the client's private key. A directory under /var/www/html is served to anyone who knows the URL unless it is access-controlled, so restrict access to it (or hand the bundle over with the email_keys script or scp it straight to the client) and delete the zip from the web server once it has been fetched.

On the client, install the latest version of OpenVPN GUI for Windows, applying all the default options.

Or download the OpenVPN client installer from our website:

www.creativecomputing.com.au/openvpn (run it on the client machine)

Then

Fetch the zip from our website (www.creativecomputing.com.au/companyname) and unpack it into the C:\Program Files\OpenVPN\config folder on the client.

This is the same set of files as /usr/share/openvpn/easy-rsa/2.0/keys/<client>.* and /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt (and ta.key if used) on the server, so copying them directly from the server into C:\Program Files\OpenVPN\config works just as well; dh1024.pem is not needed on the client.

On the lower right-hand side two red computer icons should appear; right-click and connect to the VPN server.

Note: Do not forget to port forward in their router (port start and port end UDP 1194, portmap 1194) to the VPN server's LAN address; behind NAT the tunnel cannot come up without it.

There should be a script on muppets, /etc/openvpn/easy-rsa/email_keys, that takes two arguments, the client name and an e-mail address; it creates the keys for the client and e-mails them to that address. If any of the steps above change, the script needs to be changed too. Note that plain e-mail is not a confidential channel: the private key travels in the clear unless the message itself is encrypted.
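Whether the bundle is produced by hand or by the email_keys script, the failures seen in practice are the same: a credential file left out of the zip, another client's certificate pasted into the config, a world-readable private key, or the server's dh file shipped by mistake. The following check is an added example for this page, not the email_keys script or any other code from the wiki; it assumes the bundle directory holds <client>.ovpn, <client>.crt, <client>.key, ca.crt and, when tls-auth is used, ta.key, referenced by relative paths as in the client configuration above.

```shell
#!/bin/sh
# check_client_bundle.sh - pre-ship check of the files that get zipped for one
# client. Added example for this page (it is not the email_keys script); it
# assumes the bundle directory holds <client>.ovpn, <client>.crt, <client>.key,
# ca.crt and, when tls-auth is used, ta.key, all referenced by relative path.
#
# Usage: sh check_client_bundle.sh <bundle-dir> <client>

# Print the first argument of DIRECTIVE in FILE (empty if the line is absent).
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Report every problem with DIR/NAME.ovpn as a "PROBLEM: ..." line.
# Returns 0 only when nothing was reported.
check_client_bundle() {
    dir=$1; name=$2; conf="$dir/$name.ovpn"; problems=0
    if [ ! -f "$conf" ]; then
        echo "PROBLEM: $conf does not exist"
        return 1
    fi

    # OpenVPN resolves relative paths against the config's directory, so every
    # referenced credential must be shipped alongside the config.
    for directive in ca cert key; do
        f=$(conf_value "$conf" "$directive")
        if [ -z "$f" ]; then
            echo "PROBLEM: $name: no '$directive' line"
            problems=$((problems + 1))
        elif [ ! -f "$dir/$f" ]; then
            echo "PROBLEM: $name: '$directive $f' but $dir/$f is missing"
            problems=$((problems + 1))
        fi
    done

    # A config pasted from another client must not hand over that client's
    # certificate and key under this client's name.
    if [ "$(conf_value "$conf" cert)" != "$name.crt" ]; then
        echo "PROBLEM: $name: cert line does not name $name.crt"
        problems=$((problems + 1))
    fi
    if [ "$(conf_value "$conf" key)" != "$name.key" ]; then
        echo "PROBLEM: $name: key line does not name $name.key"
        problems=$((problems + 1))
    fi

    # The private key must be readable by its owner only (ls -l mode string
    # characters 5-10 are the group and other permission bits).
    keyfile="$dir/$name.key"
    if [ -f "$keyfile" ]; then
        mode=$(ls -l "$keyfile" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "PROBLEM: $name: $keyfile is readable by group/others ($mode)"
            problems=$((problems + 1))
        fi
    fi

    # tls-auth adds an HMAC to control-channel packets; if configured, ta.key
    # must ship and the server must carry the matching "tls-auth ta.key 0".
    ta=$(conf_value "$conf" tls-auth)
    if [ -z "$ta" ]; then
        echo "PROBLEM: $name: no tls-auth line (control channel not HMAC-protected)"
        problems=$((problems + 1))
    elif [ ! -f "$dir/$ta" ]; then
        echo "PROBLEM: $name: 'tls-auth $ta' but $dir/$ta is missing"
        problems=$((problems + 1))
    fi

    # dh parameters are only used by the server; a dh line in a client config
    # means the server's file list was copied by mistake.
    if [ -n "$(conf_value "$conf" dh)" ]; then
        echo "PROBLEM: $name: 'dh' is a server-only directive"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Command-line entry point; the functions above can also be sourced.
if [ "$#" -eq 2 ]; then
    check_client_bundle "$1" "$2"
fi
```

Run it against the unpacked bundle directory before zipping; a non-zero exit means at least one PROBLEM line was printed. The tls-auth finding is only a problem if the server has a tls-auth line, but once it does, a bundle without ta.key yields a client that cannot connect at all.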

On a network with NAT, port 1194 with protocol UDP must be forwarded to the server's local IP address. See Roll Your Own OpenVPN Windows Installation Package (http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html). Windows clients are known to time out; if OpenVPN is run as a service (non-GUI), the following commands from RestartVPN.bat quickly restart the service:

net stop "openvpn service"
net start "openvpn service"

To have the OpenVPN GUI connect automatically at startup, set the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\openvpn_gui to the following:

C:\Program Files\OpenVPN\bin\openvpn-gui.exe --connect <OVPN file>

Creative Staff Client Configuration

# Configuration for connecting into Creative computing internal network
explicit-exit-notify 2                    # tell the server we are leaving (UDP only) so it frees the session
tls-client
dev tap
proto udp
remote creativecomputing.com.au 1194
resolv-retry infinite
nobind
ifconfig 192.168.128.x 255.255.255.0      # client dependent: x is this client's host number, unique per client
route 192.168.127.0 255.255.255.0 192.168.128.1   # office LAN reached through the VPN server
dhcp-option DOMAIN crecom.com.au          # Windows only: DNS suffix and server for the tap adapter
dhcp-option DNS 192.168.128.1
ca ca.crt
cert <client>.crt
key <client>.key
tls-auth ta.key 1                         # needs a matching "tls-auth ta.key 0" and the same ta.key on the server; the server config above does not show one
verb 3
mute 10

OpenVPN (last edited 2023-12-28 04:41:58 by KafuWong)