saul parada
OPENVPN INSTALLATION AND CONFIGURATION TUTORIAL
 
Installation/Configuration Step-by-Step
Install OpenVPN
To install OpenVPN, run the following command on the terminal of each machine:
# apt-get install openvpn
Generating the Certificates
To create the certificates, use "easy-rsa", a set of scripts included with OpenVPN. For that, run the following instructions on the server's Linux terminal:
# cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
# mkdir /etc/openvpn/easy-rsa
# cp -a * /etc/openvpn/easy-rsa
This creates a new folder "/etc/openvpn/easy-rsa" that must have the following content:
2.0          build-key          build-req       make-crl     revoke-full
build-ca     build-key-pass     build-req-pass  openssl.cnf  sign-req
build-dh     build-key-pkcs12   clean-all       README.gz    vars
build-inter  build-key-server   list-crl        revoke-crt
All the configuration must now be done inside the folder "/etc/openvpn/easy-rsa". Start by editing the file "vars":
# nano vars
At the end of the "vars" file there is a set of parameters used to generate the keys (country, province, city, etc.), which can be edited like this:
export KEY_COUNTRY=CZ
export KEY_PROVINCE=MORAVIA
export KEY_CITY="OSTRAVA"
export KEY_ORG="VSB"
export KEY_EMAIL="smsparada@ua.pt"
Next, to load the variables defined in the "vars" file into the shell, run the following commands:
# source vars
# ./clean-all
 
# ./build-ca
Generating a 1024 bit RSA private key
...................++++++
.....................++++++
writing new private key to 'ca.key'
-----
You will then be asked to enter the information that will be incorporated into the certificate request. What you enter is what is called a Distinguished Name. There are quite a few fields, but some of them can be left blank. Some fields have default values; entering '.' leaves the field blank.
Country Name (2 letter code) [CZ]: CZ
State or Province Name (full name) [MORAVIA]: MORAVIA
Locality Name (eg, city) [OSTRAVA]: OSTRAVA
Organization Name (eg, company) [VSB]: VSB
Organizational Unit Name (eg, section) []: FEI
Common Name (eg, your name or your server's hostname) []: SMSP
Email Address [smsparada@ua.pt]: smsparada@ua.pt
This will create a folder "/etc/openvpn/easy-rsa/keys" with the following content:
ca.crt ca.key index.txt serial
To generate the server certificate, use the "build-key-server" script, passing as parameter the name of the file that will be used ("server", for example):
# cd /etc/openvpn/easy-rsa/
# ./build-key-server server
NOTE: The same information entered in "build-ca" must be used.
Common Name (eg, your name or your server's hostname) []: SMSP
A challenge password []: ****
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Next, generate the keys used by the clients by running the script "build-key":
# ./build-key client
Generating a 1024 bit RSA private key
.++++++
.......................++++++
writing new private key to 'client.key'
NOTE: The parameters used in "build-key-server" must be confirmed.
 
Common Name (eg, your name or your server's hostname) []: Client
...
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Now run the following commands to generate the Diffie-Hellman parameters and increase the security (the second command removes the certificate signing requests, which are no longer needed once the certificates are signed):
# ./build-dh
# rm keys/*.csr
In the end, a set of files similar to the following must be found inside "/etc/openvpn/easy-rsa/keys":
ca.crt  client.key      index.txt   server.crt  client.crt
ca.key  index.txt.attr  server.key  serial
Now the keys must be installed on both the server and the client.
For the server, copy the files "ca.crt", "server.crt", "server.key" and the Diffie-Hellman parameters (dh1024.pem) to a new folder "/etc/openvpn/keys":
# cd /etc/openvpn/easy-rsa/keys
# mkdir /etc/openvpn/keys
# cp -a ca.crt server.crt server.key /etc/openvpn/keys/
# cp -a dh1024.pem /etc/openvpn/keys/
Each client must have the files "ca.crt", "dh1024.pem" and its own ".crt" and ".key" files. On the client side it is also necessary to create a new folder "/etc/openvpn/keys" and copy the files into it.
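Before pointing OpenVPN at the copied files, it is worth checking that the copy step did not go wrong: a key that does not belong to its certificate, a certificate that does not chain to ca.crt, a private key readable by other users, or ca.key deployed where only ca.crt belongs. The script below is an added check, not part of the original tutorial or of easy-rsa; it assumes the file names used above (ca.crt, NAME.crt, NAME.key, dh1024.pem) and that openssl and GNU stat are installed.

```shell
#!/bin/sh
# check_openvpn_keys DIR NAME  -- sanity-check an OpenVPN key directory
# (e.g. /etc/openvpn/keys) for NAME = "server" or "client".
# Prints each failure; returns 0 when every check passes, 1 otherwise.
# Assumes openssl and GNU coreutils (stat -c) are available.
check_openvpn_keys() {
    dir=$1
    name=$2
    crt="$dir/$name.crt"
    key="$dir/$name.key"
    rc=0

    # Required files must exist and be non-empty
    for f in "$dir/ca.crt" "$crt" "$key" "$dir/dh1024.pem"; do
        [ -s "$f" ] || { echo "FAIL: missing or empty $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # ca.key belongs only in the easy-rsa directory, never on a VPN node
    if [ -e "$dir/ca.key" ]; then
        echo "FAIL: ca.key must not be deployed in $dir"; rc=1
    fi

    # The private key must not be readable by group or others (e.g. mode 600)
    mode=$(stat -c %a "$key")
    case "$mode" in
        *00) ;;
        *) echo "FAIL: $key has mode $mode, expected 600"; rc=1 ;;
    esac

    # The certificate must chain to ca.crt and must not be expired
    if ! openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against ca.crt"; rc=1
    fi
    if ! openssl x509 -noout -checkend 0 -in "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt has expired"; rc=1
    fi

    # The key must belong to the certificate: compare the public keys
    pub_crt=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null)
    pub_key=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    if [ -z "$pub_crt" ] || [ "$pub_crt" != "$pub_key" ]; then
        echo "FAIL: $key does not match $crt"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir looks consistent for $name"
    return "$rc"
}
```

Run it as `check_openvpn_keys /etc/openvpn/keys server` on the server and with `client` on each client after the copy step.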
Synchronizing the Server-Client clocks
All the machine clocks must be synchronized. For that purpose, the following command must be executed on both the server and the client machines:
# ntpdate -u pool.ntp.org
Figure: OpenVPN implementation scheme.