Entirely based on the tutorial, "Secure Communications with OpenVPN on Debian 6 (Squeeze)" in the Linode Library. This article is only to serve as my notes, and a proper live example as to how I set it up on my server.
Make sure all package repositories and installed programs are up-to-date:
apt-get update && apt-get upgrade
apt-get install openvpn udev
Copy the RSA key management package in OpenVPN (a set of encryption-related tools/scripts under
/etc/openvpn directory so that they aren't wiped out by a future OpenVPN package upgrade.
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
Configure the variables that'll provide OpenVPN with all the necessary information to be included in certificates you create.
export KEY_COUNTRY="US" export KEY_PROVINCE="NY" export KEY_CITY="New York" export KEY_ORG="None - Private VPN" export KEY_EMAIL="email@example.com"
That's the config. for my personal VPN server.
Initialize the certificate authority and the public key infrastructure (PKI) by issuing the following commands in sequence:
cd /etc/openvpn/easy-rsa/2.0/ . /etc/openvpn/easy-rsa/2.0/vars . /etc/openvpn/easy-rsa/2.0/clean-all . /etc/openvpn/easy-rsa/2.0/build-ca
After issuing the last command (above), you'll be prompted to enter some values. Since we've already configured these variables earlier, simply press Enter at each prompt. Now you've successfully configured your certificate authority (self).
Build VPN server certificate and private key: (filmygirl is my server's hostname)
. /etc/openvpn/easy-rsa/2.0/build-key-server filmygirl
If prompted for values, simply hit Enter like we did earlier (also for challenge password and company name), unless you want to use alternate values; and Y (for YES) when asked a question.
Build the VPN client certificate and private key for use on your computer(s): (for-all-my-computers is the OpenVPN client name I chose, 'cause I'll be using the same client certificate and key across all my computers, and the name makes sense)
. /etc/openvpn/easy-rsa/2.0/build-key for-all-my-computers
Generate Diffie Hellman parameters for key exchange and authentication:
Move certificates and keys to their appropriate places. Transfer the client certificates and private keys (ca.crt, for-all-my-computers.crt, and for-all-my-computers.key) from the
/etc/openvpn/easy-rsa/2.0/keys/ directory on the server to your computer via a secure protocol such as
Move the server certificates and private keys (ca.crt, ca.key, dh1024.pem, filmygirl.crt, filmygirl.key) from
/etc/openvpn/easy-rsa/2.0/keys/ over to
/etc/openvpn directory so the OpenVPN server process can access them.
cd /etc/openvpn/easy-rsa/2.0/keys cp ca.crt ca.key dh1024.pem filmygirl.crt filmygirl.key /etc/openvpn
Let's get into server and client VPN configuration using the example config. files provided in
/usr/share/doc/openvpn/examples/sample-config-files directory: server.conf.gz and client.conf.
Server Config.: un-gzip the example server config. file
/etc/openvpn/ (i.e. the name of your server as the name of your file), and make the necessary changes as shown below.
cd /usr/share/doc/openvpn/examples/sample-config-files gunzip -d server.conf.gz cp server.conf /etc/openvpn/filmygirl.conf
# Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). ca ca.crt cert filmygirl.crt key filmygirl.key # This file should be kept secret [...] push "redirect-gateway def1" [...] push "dhcp-option DNS 10.8.0.1"
/etc/sysctl.conf (to ensure that the server is able to forward IPv4 traffic)
Issue the command to make the variable (above) effective immediately.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -A FORWARD -j REJECT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Insert these iptables rules into the server's
/etc/rc.local file to make them reboot-proof:
[...] iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -A FORWARD -j REJECT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE exit 0
Install & Configure
apt-get install dnsmasq
[...] /etc/init.d/dnsmasq restart exit 0
Start/Restart OpenVPN and Dnsmasq:
/etc/init.d/openvpn start /etc/init.d/dnsmasq restart
Client Config.: Transfer
client.conf to your computer, and rename it as
for-all-my-computers.conf to reflect the name of the VPN user on your server, and make the necessary changes in the file (on your computer) as follows:
File: for-all-my-computers.conf (on your computer now)
# The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. remote 220.127.116.11 1194 [...] # SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. ca ca.crt cert for-all-my-computers.crt key for-all-my-computers.key
I don't map a domain to my server, so it doesn't have a Fully Qualified Domain Name (FQDN) assigned. Therefore I simply went with the server's IP address in the configuration (above).
Now, lets check all the files we've downloaded to the computer:
Use them to connect to the VPN server from your PC (you may sometimes have to rename for-all-my-computers.conf to for-all-my-computers.ovpn, for example, on Windows). Various VPN services provide tutorials for this. Here's one for a start.
- I am looking into how OpenSSH and SSH - SOCKS work, as people have told me that these can provide easier VPN and VPN-like services.