How to create a VPN using OpenVPN and Linux
Written by Guillermo Garron
Date: 2012-01-07 09:33:00 +00:00
Today I'll write about OpenVPN, and how to establish a VPN between two computers.
The scenario
There are two offices.
- The headquarters
- The branch office
In this scenario the administrator wants all traffic of the branch office to be routed via the headquarters Internet router. This is desirable, for example, when the branch office is in a country where you suspect the Internet provider or the government is sniffing your traffic, or simply because you want full control over the pages and sites the workers at the branch office can access. Keep in mind what the tunnel does and does not protect: traffic is encrypted only between the branch office and headquarters, and leaves the headquarters router in the clear, just as it would from any machine at headquarters.
In this scenario we'll establish the VPN over the Internet, so both the headquarters and the branch office need their own access to the Internet.
Server info - at headquarters
- Linux distribution: Arch Linux
- Public IP: 12.34.56.78
Client info - at the branch office
- Linux distribution: Arch Linux
- Public IP: 23.45.67.89
- Private IP range: 10.1.0.0/16 (netmask 255.255.0.0)
- Private IP: 10.1.1.1
Server Configuration
First we will install all needed software.
pacman -S openvpn openssl
Now we need to create a CA plus the server and client certificates, so that both ends can authenticate each other and the tunnel can be encrypted. Arch ships the easy-rsa scripts with the openvpn package:
cd /usr/share/openvpn/easy-rsa/
Then set the variables:
vim vars
Be sure to locate and set these values. Here are the defaults; change them accordingly (the file really does contain KEY_EMAIL twice, the second one wins):
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL=mail@host.domain
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
The same file sets KEY_SIZE=1024. Raising it to 2048 is advisable; if you do, build-dh names its output dh2048.pem and the dh line in server.conf below must name that file instead of dh1024.pem.
Now run these commands
. ./vars
Then (this wipes the keys directory, so only run it when starting a new CA):
./clean-all
then
./build-ca
Answer the prompts and, once finished, create the server certificate and key:
./build-key-server server
Once again answer the prompts, then create the client certificate and key (the name you give here becomes the certificate's common name, client1):
./build-key client1
Finally run:
./build-dh
Now copy the needed files from the keys directory to where the server is going to look for them. server.key is the server's private key: keep it readable by root only, and do not copy it anywhere else.
cp ca.crt /etc/openvpn/
cp server.crt /etc/openvpn/
cp dh1024.pem /etc/openvpn/
cp server.key /etc/openvpn/
Finally, let's create the /etc/openvpn/server.conf file. Here is an example:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 10.1.0.0 255.255.0.0
push "redirect-gateway def1"
keepalive 10 120
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# If none is set, OpenVPN falls back to BF-CBC, a 64-bit block cipher; prefer AES.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
This is a very simple example; you may want to read the commented sample file at /usr/share/openvpn/examples/server.conf for the remaining options. Two things this file relies on but does not contain: the route 10.1.0.0 255.255.0.0 line only adds a kernel route towards the tun interface, and OpenVPN additionally needs a file /etc/openvpn/ccd/client1 (named after the client certificate's common name) containing iroute 10.1.0.0 255.255.0.0, so that it knows which connected client owns that network. And because push "redirect-gateway def1" sends all branch-office traffic into the tunnel, the headquarters server must have IPv4 forwarding enabled and must NAT the 10.8.0.0/24 and 10.1.0.0/16 source ranges out of its Internet interface; otherwise that traffic is simply dropped at headquarters.
Configure the client
The client configuration starts by copying ca.crt, client1.crt and client1.key from the server into /etc/openvpn on the client. client1.key is the client's private key, so move it over an authenticated, encrypted channel (scp, for example), never by e-mail or through a shared directory, and keep it readable by root only once it is in place.
And finally create the configuration file, here is an example:
client
dev tun
proto udp
remote 12.34.56.78 1194 # the headquarters server's public IP, not the branch office's own
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt # Use full paths
cert client1.crt # Use full paths
key client1.key # Use full paths
comp-lzo
verb 3
mute 20
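Before starting either side it is worth checking the two files against each other, because the classic mistakes (a remote line that points at the wrong host, cert and key names that do not match what build-key produced, a route with no matching iroute in the ccd file, and the weak defaults of this era: 1024-bit DH parameters, the implicit BF-CBC cipher and no tls-auth key) only show up as cryptic errors in the log. The script below is an added example, not part of the original post: the config texts it inspects are constructed inline, copying the post's two files in trimmed form, and the corrected values it expects (dh2048.pem, cipher AES-256-CBC, tls-auth ta.key) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an OpenVPN
# server/client config pair before starting the tunnel. Every config and
# ccd file below is constructed inline so this runs offline; the corrected
# values (dh2048.pem, AES-256-CBC, tls-auth ta.key) are assumptions.

# Trimmed copy of the post's server.conf.
SERVER_CONF='port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 10.1.0.0 255.255.0.0
push "redirect-gateway def1"'
# Trimmed copy of the post's client.conf, mistakes included: "remote" is the
# branch office's own address and cert/key are not the files build-key made.
CLIENT_CONF='client
dev tun
proto udp
remote 23.45.67.89 1194
ca ca.crt
cert home.crt
key home.key'
CCD_EMPTY=''   # no ccd/client1 file written yet

# Corrected pair plus the ccd/client1 file the route line needs (assumed values).
SERVER_CONF_FIXED='port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 10.1.0.0 255.255.0.0
push "redirect-gateway def1"'
CLIENT_CONF_FIXED='client
dev tun
proto udp
remote 12.34.56.78 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client1.crt
key /etc/openvpn/client1.key
tls-auth /etc/openvpn/ta.key 1
cipher AES-256-CBC'
CCD_CLIENT1='iroute 10.1.0.0 255.255.0.0'

# opt CONF KEYWORD: value of the first KEYWORD directive in CONF, "" if absent
opt() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { sub(/^[^ \t]+[ \t]*/, ""); print; exit }'
}

# check_pair SERVER_CONF CLIENT_CONF CCD_CONTENT SERVER_PUBLIC_IP CERT_NAME
# Prints one finding per line; prints nothing when the pair looks sane.
check_pair() {
    s=$1; c=$2; ccd=$3; ip=$4; name=$5
    # "remote" must be the server's public address, not the client's own
    r=$(opt "$c" remote)
    case "$r" in "$ip"|"$ip "*) ;; *) echo "client: remote '$r' is not the server address $ip" ;; esac
    # cert/key must be the files ./build-key NAME produced (full paths allowed)
    case "$(opt "$c" cert)" in "$name.crt"|*/"$name.crt") ;; *) echo "client: cert is not $name.crt" ;; esac
    case "$(opt "$c" key)"  in "$name.key"|*/"$name.key") ;; *) echo "client: key is not $name.key" ;; esac
    # 1024-bit DH parameters: raise KEY_SIZE in vars and rerun ./build-dh
    case "$(opt "$s" dh)" in *1024*) echo "server: $(opt "$s" dh) is 1024-bit DH; use KEY_SIZE=2048" ;; esac
    # cipher: the implicit BF-CBC default is weak, and both sides must agree
    sc=$(opt "$s" cipher); cc=$(opt "$c" cipher)
    case "$sc" in ""|BF-CBC) echo "server: cipher is '${sc:-BF-CBC (implicit)}'; set cipher AES-256-CBC on both sides" ;; esac
    [ "$sc" = "$cc" ] || echo "cipher mismatch: server '$sc' vs client '$cc'"
    # a tls-auth HMAC key makes the server drop unauthenticated packets before the TLS handshake
    [ -n "$(opt "$s" tls-auth)" ] || echo "server: no tls-auth; create a key with 'openvpn --genkey --secret ta.key'"
    # every "route NET MASK" in server.conf needs "iroute NET MASK" in the client's ccd file
    printf '%s\n' "$s" | awk '$1 == "route" { print $2, $3 }' | while read -r net mask; do
        printf '%s\n' "$ccd" | awk -v n="$net" -v m="$mask" '$1 == "iroute" && $2 == n && $3 == m { f = 1 } END { exit !f }' \
            || echo "server: route $net $mask has no matching 'iroute $net $mask' in ccd/$name"
    done
}

# findings_count ARGS...: number of findings check_pair reports (0 = clean)
findings_count() { check_pair "$@" | awk 'END { print NR }'; }

echo "== post's configs =="
check_pair "$SERVER_CONF" "$CLIENT_CONF" "$CCD_EMPTY" 12.34.56.78 client1
echo "== corrected configs: $(findings_count "$SERVER_CONF_FIXED" "$CLIENT_CONF_FIXED" "$CCD_CLIENT1" 12.34.56.78 client1) findings =="
```

Run as-is it reports seven findings for the post's pair and none for the corrected one; to check real files, replace the constructed strings with "$(cat /etc/openvpn/server.conf)" and friends. The check only reads the first occurrence of each directive, which is how OpenVPN itself treats remote, cert and key, and it compares cipher names literally, which is exactly what the two ends do when they negotiate.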
Start the VPN
First start the server side. The ca, cert, key and dh lines use relative paths, so make OpenVPN change into /etc/openvpn before it reads them:
openvpn --cd /etc/openvpn --config server.conf
Then the client side, the same way:
openvpn --cd /etc/openvpn --config client.conf
If everything went well the tunnel is up: the client receives an address from 10.8.0.0/24, its default route now points through the tun interface, and openvpn-status.log on the server lists client1 as connected.