This article describes the configuration of a Virtual Private Network connection using the OpenVPN application. First, you will be exposed to some basic theory behind Virtual Private Networks. Then the article will guide you with step-by-step instructions on how to set up an OpenVPN virtual private network using Symmetric Key Encryption and Public Key Encryption. This article is meant for everybody who possesses a basic knowledge of Linux administration and networking.
2. Why VPN
If you work in the IT industry, it is very common that you do not use only the single computer sitting on your work desk, but also other systems connected to the same local area network. As long as you are sitting on your office chair this is not a problem. However, the situation becomes complicated once you are in a hurry and need to take some of your work home. You can take your company laptop with you, but to fully utilize company resources you would also need to be connected to the company's local area network. The solution to this problem depends on what resources are needed to complete your job. If you need some shared files available on the company's network, you may simply copy these files to your laptop's hard drive or to a USB stick. In case you need to work on the system installed on your company's PC, you can also use virtualization tools such as VirtualBox or VMware. Soon enough you will realize that this approach is not as convenient as you would like it to be, and that you spend more time copying files and synchronizing virtual systems than concentrating on your work. The ideal solution in this case should allow employees to access the company's local resources from an external network. This can be done by forwarding ports of the local services through the firewall. Exposing local ports to the Internet is, however, not the safest approach: the more ports are exposed from your local network to an external network such as the Internet, the more vulnerable your local systems become. The ideal approach in this situation is the use of just a single port for all services, coupled with encryption and user authentication. This can be achieved, for example, by using a Virtual Private Network (VPN).
3. How does a VPN work
VPN networks are often operated as client-server applications. A good example is the implementation of MS Windows PPTP or OpenVPN on the Linux platform. The VPN server runs directly on a firewall, where it creates a virtual network interface and an additional virtual network subnet. The VPN server waits for connections on the external network interface of the firewall, where it performs authentication of the VPN client application. After successful authentication the VPN client is given an IP address from the virtual subnet. Consequently, an encrypted tunnel is created between the VPN client and the VPN server, which is used for the safe transfer of packets between two distant networks via the Internet. The services a VPN client can connect to can furthermore be defined by firewall rules. This way the firewall ensures that the VPN client can connect only to the services it is allowed to. If the previous couple of sentences looked a little difficult to understand, do not despair! Everything will become clearer once we see how an encrypted tunnel works in an example.
4. VPN Encrypted Tunnel Fundamentals
VPN tunnels are generally considered as something mysterious, and everybody who mentions them is "cool" :-) However, there is nothing to be afraid of; in fact the principle of a Virtual Private Network is very simple. Data in IP networks are exchanged in packets. Information about the destination and the source of a packet can be found in the packet's header. The actual user data are carried as the payload. Let's imagine that an ssh client wants to talk to an ssh server over the Virtual Private Network. Packets leaving the host's network interface located on the local network are sent with destination port number 22. When such a packet reaches the VPN tunnel it is encapsulated into a VPN packet, where the original packet is now treated as the payload. If the VPN server listens on port 443, the VPN packet will carry destination port 443.
When looking at the previous figure it is apparent that this kind of data transfer over a VPN costs some of the available transfer rate, because the original packet is left with less payload space just so that it fits into the VPN tunnel packet. In this sense the encapsulation can be considered a drawback of a VPN.
5. The theory behind Virtual Private Network
Let's imagine a small company network consisting of just a single subnet, in which all clients are connected to the Internet via the company's gateway, which can also be used as a firewall. How the connection is made is not important; it is enough to mention that the external gateway network interface uses an external IP address. This scenario is visualized in the following figure:
In case an employee wants to connect to some company services from the outside world, his/her attempt would be rejected by the firewall. Not just because this attempt is coming from a completely different subnet, but also because the ports to the particular services are not open. Once the VPN server starts functioning on the gateway, it automatically creates a virtual network interface with subnet 192.168.0.0/24, which then starts accepting connections from the external network. Once an employee passes the VPN server's authentication, the VPN server assigns an IP address from the 192.168.0.0/24 subnet. To the 192.168.1.0/24 hosts, the systems on the 192.168.0.0/24 network appear to be located on a separate local subnet, but in fact the communication is done through an encrypted VPN tunnel over the Internet. Please note that there are many other factors behind the scenes which have been omitted for the sake of simplicity.
5.1. VPN fundamentals
The following image will try to explain the fundamental principles of VPN server-client communication. The aim of this animation is to explain the logic behind VPN communication in the simplest form possible. The gif animation changes every 14 seconds.
1/14: VPN Client establishes a connection with a VPN Server via the external network interface.
2/14: VPN Server assigns an IP address to the VPN client from the local virtual subnet 192.168.0.0/24.
3/14: VPN Client prepares a packet for a host 192.168.1.3 located within the private subnet 192.168.1.0/24.
4/14: VPN Client encrypts and hides the original packet inside the outer public packet.
5/14: The packet is dispatched by the VPN client via the public network to the VPN Server.
6/14: The network packet acquired from the public network is decrypted and decapsulated by the VPN server. This way the VPN server obtains a packet for the private network.
7/14: VPN Server handles the newly acquired packet as if it was sent locally on the 192.168.1.0/24 subnet.
8/14: The packet is delivered to the host with destination IP address 192.168.1.3.
9/14: The host with IP address 192.168.1.3 creates a network packet with destination IP 192.168.0.2.
10/14: VPN Server receives the reply packet.
11/14: According to the VPN Server's routing table, this packet links up with the Virtual Private Network.
12/14: VPN Server encrypts and hides the original packet inside the outer public packet.
13/14: The packet is dispatched by the VPN server via the public network to the VPN client.
14/14: The network packet acquired from the public network is decrypted and decapsulated by the VPN Client. This way the VPN client obtains a packet from the private network.
6. Static key vs. Certificates
One of the best characteristics of a VPN solution is encryption, which enhances the confidentiality of the client-server communication. Encryption is done on both sides of the VPN transmission, thus creating a so-called VPN tunnel via a public network such as the Internet. Once the connection between the VPN Server and the VPN Client is encrypted, an interceptor cannot read the messages. Encryption can be divided into two main groups:
6.1. Symmetric Key Encryption
This type of communication requires one symmetric key which is used on both sides to encrypt a message, thereby preventing an interceptor from reading it. This means that both sides use the same encryption key to encrypt as well as to decrypt sent and received messages. To do this, a symmetric key needs to be produced and exchanged between both sides.
6.2. Public Key Encryption
When it comes to public key encryption, each side has a public key and a private key. There are four keys in total. The sender encrypts a message with the receiver's public key and the receiver decrypts the message with its own private key. Since only the receiver has access to its own private key, only the receiver can decrypt the message.
OpenVPN supports both of the above mentioned encryption methods. Symmetric encryption in OpenVPN terms is regarded as static key mode and public key encryption as certificate mode. Before we put both types of encryption to the test by showing real configuration and testing examples, let's have a look at the following list, which contains deliberately unsorted strengths and weaknesses of each solution:
Symmetric Key Encryption:
- symmetric encryption
- simple configuration
- no Certificate Authority ( CA ) is required
- server can serve only a single client at the same time
- key must be stored in a text file on both systems, which increases the risk that it will fall into the wrong hands
- difficult key exchange
Public Key Encryption:
- asymmetric encryption
- more complicated configuration
- Certificate Authority ( CA ) is required
- server can serve many clients simultaneously
7. Examples of VPN connection
Now that we have grasped the necessary theory about Virtual Private Networks, we can move on and explore all mandatory steps for creating a VPN connection with Symmetric Key Encryption and with Public Key Encryption. As a starting point in both cases there will be two computers with a fresh Debian Linux installation. How the connection between those two PCs is created is not important. The connection can be made via a cross-over cable, two bridged virtual machines or over the Internet. What is important is that both PCs can ping each other and that the VPN Server has port 1194/UDP open for connections from the VPN Client. In the further text we will refer to these systems as VPN-Server ( IP Address: 10.0.0.3 ) and VPN-Client ( IP Address: 10.0.0.4 ). The VPN tunnel will be created as point-to-point 192.168.0.1 - 192.168.0.2. To be more precise, for a VPN tunnel created with the use of Public Key Encryption ( OpenVPN certificate mode ) the client's IP address will differ and will be assigned from a subnet IP address pool on the server side.
8. Installation of OpenVPN
The OpenVPN application consists of only one binary file whose name is equal to the application name itself, thus openvpn. This binary file is used to start an OpenVPN server as well as an OpenVPN client, and therefore it is important to install the same OpenVPN packages on both sides. The difference between an OpenVPN Server and an OpenVPN Client is just in how the configuration is carried out on each side. It is recommended to install the OpenVPN packages from the official repository of the Linux distribution you intend to use for this purpose. If, for some reason, the packages for OpenVPN are not included in the official repository of your Linux distribution, feel free to install it from source code.
As it was already mentioned previously, for this article Debian Linux was used. Both installations will be briefly covered in the following paragraphs. Repeat the following installation steps for the vpn-server as well as for the vpn-client.
8.1. Installation from official repository
Installation from the official Debian repository is as simple as running the apt-get command:
linuxconfig.org:~# apt-get install openvpn
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
liblzo2-2
Suggested packages:
openssl
The following NEW packages will be installed:
liblzo2-2 openvpn
0 upgraded, 2 newly installed, 0 to remove and 19 not upgraded.
Need to get 397kB of archives.
After unpacking 1114kB of additional disk space will be used.
Do you want to continue [Y/n]?
Apt-get automatically fetches the required prerequisites, which in this case is the liblzo2-2 package.
8.2. Installation from source code
Installation of OpenVPN from source code involves downloading the source code from the OpenVPN home page and compiling it with the following sequence of commands:
linuxconfig.org:~$ wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
linuxconfig.org:~$ tar xfz openvpn-2.0.9.tar.gz
linuxconfig.org:~$ cd openvpn-2.0.9
linuxconfig.org:~$ ./configure --prefix=/usr/local
linuxconfig.org:~$ make
linuxconfig.org:~$ make install
What happens here is that the openvpn binary file is created by the source code compilation and installed in the /usr/local/sbin directory.
8.3. Enabling a Virtual Network Interface
OpenVPN works with the Virtual Network Interfaces TUN/TAP. TUN and TAP are virtual network kernel drivers, and TUN ( TUNnel ) must be enabled in the kernel, or at least as a module, in order for a virtual private network to be able to function. The TUN/TAP kernel driver can be found in the network interfaces section under the name "Universal TUN/TAP device driver support". To confirm that the TUN module is supported by your system, check the config file created during the kernel compilation.
In Debian the TUN driver is supported by default in the form of a kernel module. This can be confirmed by the following command:
grep CONFIG_TUN= /boot/config-
TUN/TAP devices represent a virtual network interface. On the other hand, the eth0 interface directly represents a hardware device, for example a PCI network card. Packets traveling via a TUN/TAP interface are sent to the application before they reach the eth0 network interface. This allows an application such as OpenVPN to encrypt or decrypt packets before they reach the physical network.
9. VPN Connection and Symmetric Key Encryption
9.1. Generate Static Symmetric Key
Before we can start an OpenVPN tunnel, a symmetric key needs to be generated and exchanged between server and client. To generate a Symmetric Key run the following command:
linux_VPN_Server:~# openvpn --genkey --secret staticVPN.key
linux_VPN_Server:~# cat staticVPN.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
00e5dea65588eec9800f72607c6fb050
62a58ad4a44039d22635bdd817886c8b
69dbe38384eed05dcdca54c604e46d74
daec8f0e074f2a142db0efafe25520cb
a71a0c0314800be297275205bc6d18e3
852419caac500dc4135c2ce375c5020a
dd4ed783c1f47518e74c6b10124173ca
8ef3b52cfc297daf21683bb4f735856f
825c7ee868385dfcf4c3363d261e0e13
dfb60d3e3abc6a2075b8d243d3976eee
1afdff0e865d5973e2f6b6418f603aca
1923053d44ac0021ff74efbf00e60e3f
b928d4cc32f9d3d65566f8c1aaa5eb45
e1ebc134a1b060b6dde30ca5b9a54900
a1a5e0746ba7778285f163317433fb19
c0d5669677d9e921051c1fa6d3c75d47
-----END OpenVPN Static key V1-----
9.2. Setting up VPN Server
Almost all configuration settings can be passed to the OpenVPN application via the command line. Another option is to create a configuration file which is read during the OpenVPN initialization. Creating a configuration file is a clean way to maintain Virtual Private Network connection settings, since the number of outgoing connections can grow, where the only limit is the robustness of your system. However, for the sake of simplicity and transparency, in the following example we will use command line parameters to configure the OpenVPN server.
linux_VPN_Server:~# /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:70:5A:F7
inet addr:10.0.0.3 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe70:5af7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:110 errors:0 dropped:0 overruns:0 frame:0
TX packets:85 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11724 (11.4 KiB) TX bytes:13204 (12.8 KiB)
Interrupt:169 Base address:0x2000
Start OpenVPN Server
At this stage the Static Symmetric Key can be used to start an OpenVPN server, which creates one side of the Virtual Private Network tunnel, ready for connections:
linux_VPN_Server:~# openvpn --dev tun --ifconfig 192.168.0.1 192.168.0.2 --secret staticVPN.key
Wed Jan 28 03:48:09 2009 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Wed Jan 28 03:48:09 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jan 28 03:48:09 2009 TUN/TAP device tun0 opened
Wed Jan 28 03:48:09 2009 ifconfig tun0 192.168.0.1 pointopoint 192.168.0.2 mtu 1500
Wed Jan 28 03:48:09 2009 UDPv4 link local (bound): [undef]:1194
Wed Jan 28 03:48:09 2009 UDPv4 link remote: [undef]
The parameter "--dev tun" instructs the OpenVPN application to use a virtual network interface of type TUN. The following parameter "--ifconfig 192.168.0.1 192.168.0.2" specifies the IP addresses of both sides of the virtual tunnel. OpenVPN consequently sets the virtual network interface tun0 to the IP address 192.168.0.1 and enables a slot for a connection from an OpenVPN client on the IP address 192.168.0.2. The last parameter "--secret staticVPN.key" specifies the file with the Static Symmetric Key created in the previous step. Let's confirm the correctness of the previous statements with the ifconfig command:
linux_VPN_Server:~# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.0.1 P-t-P:192.168.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
9.3. Setting up VPN Client
The procedure for setting up an OpenVPN client is very similar to the one used to set up the OpenVPN server. At this point we assume that the client has the OpenVPN application installed and ready to use, and that the Symmetric key generated previously was copied over to the client by means of a USB key or SCP. If this is the case, nothing can stop us from starting the OpenVPN client:
linux_VPN_Client:~# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:00:C1:42
inet addr:10.0.0.4 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe00:c142/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:456 errors:0 dropped:0 overruns:0 frame:0
TX packets:293 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:434285 (424.1 KiB) TX bytes:28413 (27.7 KiB)
Interrupt:169 Base address:0x2000
Start Client
The following command and parameters can be used to start an OpenVPN client with a static symmetric key:
linux_VPN_Client:~# openvpn --remote 10.0.0.3 --dev tun --ifconfig 192.168.0.2 192.168.0.1 \
--secret staticVPN.key
Wed Jan 28 03:51:02 2009 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Wed Jan 28 03:51:02 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jan 28 03:51:02 2009 TUN/TAP device tun0 opened
Wed Jan 28 03:51:02 2009 ifconfig tun0 192.168.0.2 pointopoint 192.168.0.1 mtu 1500
Wed Jan 28 03:51:02 2009 UDPv4 link local (bound): [undef]:1194
Wed Jan 28 03:51:02 2009 UDPv4 link remote: 10.0.0.3:1194
The parameter "--remote 10.0.0.3" specifies the real IP address of the OpenVPN server which is waiting for a connection, and therefore the OpenVPN client connects to the socket 10.0.0.3:1194/UDP. The rest of the parameters have exactly the same meaning as in the case of the OpenVPN server. The only difference is the order of the IP addresses passed to the "--ifconfig" parameter. This way the OpenVPN application sets the local tun0 virtual network interface to 192.168.0.2 and expects the OpenVPN Server to be set to 192.168.0.1. Again, confirm the correctness of these settings with the ifconfig command:
linux_VPN_Client:~# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.0.2 P-t-P:192.168.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
9.4. Testing a VPN Connection
The OpenVPN server and client now use the tun0 virtual network interface to maintain an encrypted virtual tunnel connection. The OpenVPN server's tun0 interface is set to 192.168.0.1 and the OpenVPN client's tun0 interface is set to 192.168.0.2.
linux_VPN_Server:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:70:5A:F7
inet addr:10.0.0.3 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe70:5af7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1264 errors:0 dropped:0 overruns:0 frame:0
TX packets:835 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:507743 (495.8 KiB) TX bytes:105283 (102.8 KiB)
Interrupt:169 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.0.1 P-t-P:192.168.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
linux_VPN_Client:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:00:C1:42
inet addr:10.0.0.4 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe00:c142/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1953 errors:0 dropped:0 overruns:0 frame:0
TX packets:1376 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:569341 (555.9 KiB) TX bytes:372027 (363.3 KiB)
Interrupt:169 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.0.2 P-t-P:192.168.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
If everything went smoothly and there is no firewall between the two endpoints that could interfere with the VPN tunnel, it should be easy to confirm the VPN connection with the ping command.
linux_VPN_Server:~# ping -c 5 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=3.24 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=4.76 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=64 time=1.30 ms
64 bytes from 192.168.0.2: icmp_seq=4 ttl=64 time=1.83 ms
64 bytes from 192.168.0.2: icmp_seq=5 ttl=64 time=2.52 ms
--- 192.168.0.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4012ms
rtt min/avg/max/mdev = 1.305/2.733/4.766/1.199 ms
If at the same time we start the tcpdump program on the OpenVPN client's virtual tun0 network interface, we see the ICMP packets transmitted by the ping program, including the reply packets:
linux_VPN_Client:~# tcpdump -i tun0
03:54:11.648040 IP 192.168.0.1 > 192.168.0.2: ICMP echo request, id 32520, seq 1, length 64
However, on the OpenVPN client's real eth0 network interface the tcpdump program produces the following output:
linux_VPN_Client:~# tcpdump -i eth0
03:54:11.803616 IP 10.0.0.3.openvpn > 10.0.0.4.openvpn: UDP, length 124
This output from the tcpdump program can be used as proof of what we have learned previously: packets from the virtual tun0 network interface are encapsulated into public network packets and are sent to the recipient encrypted via the single 1194/UDP port.
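The two capture lines above make the overhead described in section 4 measurable. The following script is an added example, not code from the article or from OpenVPN: it parses the page's tun0 and eth0 tcpdump lines, derives the inner and outer packet sizes and the bytes the static-key tunnel adds per packet, and uses that budget to check whether the tun0 MTU of 1500 set by the ifconfig lines above still fits the eth0 link in one datagram. The function names and the MTU arithmetic are this example's own assumptions.

```python
"""Measure the static-key tunnel's per-packet overhead from two tcpdump lines."""
import re
from dataclasses import dataclass

# The two lines from the page's test: the clear-text echo request on tun0 and the
# same packet as it crosses eth0 inside the OpenVPN UDP transport.
TUN0_LINE = "03:54:11.648040 IP 192.168.0.1 > 192.168.0.2: ICMP echo request, id 32520, seq 1, length 64"
ETH0_LINE = "03:54:11.803616 IP 10.0.0.3.openvpn > 10.0.0.4.openvpn: UDP, length 124"

IPV4_HDR = 20  # IPv4 header without options
UDP_HDR = 8

ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (?:request|reply), id \d+, seq \d+, length (\d+)")
UDP_RE = re.compile(r"IP (\S+)\.(\w+) > (\S+)\.(\w+): UDP, length (\d+)")


@dataclass
class Packet:
    src: str
    dst: str
    ip_len: int  # total length of the IPv4 packet on that interface


def parse_tun0(line: str) -> Packet:
    """Clear-text packet as seen on tun0. tcpdump's ICMP 'length' counts from the
    ICMP header, so the IPv4 packet is 20 bytes longer (84 for a default ping)."""
    m = ICMP_RE.search(line)
    if not m:
        raise ValueError(f"not an ICMP echo line: {line!r}")
    return Packet(m.group(1), m.group(2), IPV4_HDR + int(m.group(3)))


def parse_eth0(line: str) -> Packet:
    """Encapsulated packet as seen on eth0; 'length' is the UDP payload, i.e. the
    OpenVPN datagram carrying the encrypted inner packet."""
    m = UDP_RE.search(line)
    if not m:
        raise ValueError(f"not a UDP line: {line!r}")
    if not {m.group(2), m.group(4)} & {"openvpn", "1194"}:
        raise ValueError("neither port is 1194/openvpn")
    return Packet(m.group(1), m.group(3), IPV4_HDR + UDP_HDR + int(m.group(5)))


def tunnel_overhead(inner: Packet, outer: Packet) -> int:
    """Bytes OpenVPN adds around one inner packet (packet id, IV, HMAC, cipher
    padding): 124 - 84 = 40 for the page's capture. Not constant in general,
    since block padding and LZO compression change it from packet to packet."""
    return (outer.ip_len - IPV4_HDR - UDP_HDR) - inner.ip_len


def max_inner_packet(link_mtu: int, overhead: int) -> int:
    """Largest inner IPv4 packet that still fits the physical link in one datagram."""
    return link_mtu - IPV4_HDR - UDP_HDR - overhead


def fragmentation_risk(tun_mtu: int, link_mtu: int, overhead: int) -> bool:
    """True when a full-size tun0 packet would have to be fragmented on eth0."""
    return tun_mtu > max_inner_packet(link_mtu, overhead)


if __name__ == "__main__":
    inner, outer = parse_tun0(TUN0_LINE), parse_eth0(ETH0_LINE)
    ovh = tunnel_overhead(inner, outer)
    print(f"inner {inner.ip_len} B -> on the wire {outer.ip_len} B, tunnel overhead {ovh} B")
    print(f"largest inner packet for a 1500 B link: {max_inner_packet(1500, ovh)} B")
    print("tun0 mtu 1500 fragments on eth0:", fragmentation_risk(1500, 1500, ovh))
```

On a live system feed it lines from `tcpdump -n -i tun0` and `tcpdump -n -i eth0`; OpenVPN's --tun-mtu and --mssfix options are where an oversize budget is corrected.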
9.5. Using OpenVPN configuration files
The previous VPN tunnel example used a number of arguments and parameters passed on the command line to create a VPN connection. Although almost every OpenVPN configuration directive can be passed to the openvpn command from the command line, this can sometimes become very tiresome work. Here is a solution which uses configuration files to achieve the same goal as shown previously. OpenVPN can run as root. However, running the VPN tunnel as a non-privileged user "openvpn" is a smart move, and it will greatly enhance the security of your hosts. Therefore, we will complete this section on how to create a VPN connection using a Static Symmetric Key with OpenVPN configuration files.
OpenVPN Server config file
Create a vpn-server.conf file with the following content:
# OpenVPN configuration file for VPN SERVER
dev tun
ifconfig 192.168.0.1 192.168.0.2
secret /root/staticVPN.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user openvpn
group openvpn
daemon
OpenVPN Client config file
Create a vpn-client.conf file with the following content:
# OpenVPN configuration file for VPN CLIENT
dev tun
remote 10.0.0.3
ifconfig 192.168.0.2 192.168.0.1
secret /root/staticVPN.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user openvpn
group openvpn
daemon
Explanation of the OpenVPN configuration directives:
dev - use a TUN virtual network device
remote - specifies the IP address or name of the VPN Server
ifconfig - specifies the local and remote endpoint
secret - path to the pre-shared static key file
comp-lzo - enable fast LZO data compression
keepalive - keep the connection alive by sending regular ping packets; in our case a ping packet is sent every 10 seconds and the reply must come within 60 seconds, otherwise the other endpoint is assumed to be down
ping-timer-rem - should be used only on the VPN server side, where the daemon is started without an explicit remote IP address; this way the timeout starts only after a VPN client connects
persist-tun - do not re-create the TUN virtual network interface after an automatic restart
persist-key - no need to read the pre-shared static key file again after an automatic restart
user - run the openvpn tunnel as user openvpn
group - run the openvpn tunnel as group openvpn
daemon - once the initialization functions are completed, run in the background as a daemon
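Before starting either daemon it is worth checking that the two files agree with each other and with the directive explanations just given. The checker below is an added example (not part of the article, and not an OpenVPN tool): it embeds the two configuration files from this section, a constructed key file in the layout of the staticVPN.key shown in section 9.1, and consistency rules derived from the directive list above; the rule names and the sample key are this example's own.

```python
"""Consistency checks for an OpenVPN static-key server/client config pair."""
import re

# The two configuration files from this section, embedded verbatim.
SERVER_CONF = """\
# OpenVPN configuration file for VPN SERVER
dev tun
ifconfig 192.168.0.1 192.168.0.2
secret /root/staticVPN.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user openvpn
group openvpn
daemon
"""
CLIENT_CONF = """\
# OpenVPN configuration file for VPN CLIENT
dev tun
remote 10.0.0.3
ifconfig 192.168.0.2 192.168.0.1
secret /root/staticVPN.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user openvpn
group openvpn
daemon
"""
# Constructed key in the layout of the page's staticVPN.key (not a real key).
SAMPLE_KEY = "-----BEGIN OpenVPN Static key V1-----\n" + "\n".join(
    bytes(range(i, i + 16)).hex() for i in range(0, 256, 16)
) + "\n-----END OpenVPN Static key V1-----\n"

KEY_LINE = re.compile(r"^[0-9a-f]{32}$")


def parse_conf(text: str) -> dict:
    """Map each directive to its argument list; '#' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf


def parse_static_key(text: str) -> bytes:
    """Return the 256 key bytes of an `openvpn --genkey --secret` file.
    The file is 16 lines of 32 hex digits (2048 bits) between the V1 markers;
    a truncated or hand-edited key file is rejected rather than silently used."""
    lines = [l.strip() for l in text.splitlines()]
    try:
        start = lines.index("-----BEGIN OpenVPN Static key V1-----")
        end = lines.index("-----END OpenVPN Static key V1-----")
    except ValueError:
        raise ValueError("static key markers not found") from None
    body = lines[start + 1:end]
    if len(body) != 16 or not all(KEY_LINE.match(l) for l in body):
        raise ValueError("expected 16 lines of 32 lowercase hex digits")
    return bytes.fromhex("".join(body))


def check_pair(server: dict, client: dict) -> list:
    """Return the problems found; an empty list means the pair is consistent."""
    problems = []
    for side, conf in (("server", server), ("client", client)):
        for d in ("dev", "ifconfig", "secret", "keepalive"):
            if d not in conf:
                problems.append(f"{side}: missing '{d}'")
        if "user" in conf or "group" in conf:
            # After the privilege drop the key file and tun device cannot be reopened,
            # so an automatic restart needs both persist options (see the directive list).
            for p in ("persist-key", "persist-tun"):
                if p not in conf:
                    problems.append(f"{side}: '{p}' is required when dropping privileges")
        else:
            problems.append(f"{side}: runs as root; add 'user openvpn' and 'group openvpn'")
    if "remote" not in client:
        problems.append("client: missing 'remote <server address>'")
    if "remote" in server:
        problems.append("server: 'remote' is not expected on the listening side")
    if "ifconfig" in server and "ifconfig" in client:
        if server["ifconfig"] != list(reversed(client["ifconfig"])):
            problems.append("ifconfig endpoints are not mirrored between server and client")
    if "ping-timer-rem" in client:
        problems.append("client: 'ping-timer-rem' has no effect on the side that has 'remote'")
    return problems


if __name__ == "__main__":
    server, client = parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)
    print(f"key: {len(parse_static_key(SAMPLE_KEY)) * 8} bits")
    for p in check_pair(server, client) or ["no problems"]:
        print(p)
```

Run against the page's own pair it reports a single finding, the ping-timer-rem line in the client file, which matches the directive explanation above.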
It is time to put those two OpenVPN configuration files into action. As stated in both config files, we need to create the openvpn user and group first. To create the openvpn group the addgroup command can be used:
# addgroup openvpn
Now that the "openvpn" group is ready, we can create the "openvpn" user:
# useradd --shell=/bin/false -g openvpn openvpn
NOTE: the openvpn user and group need to be created on both sides of the VPN tunnel ( VPN Server and VPN Clients ).
At this point we are ready to engage both configuration files in the OpenVPN tunnel creation:
Start OpenVPN Server:
linux_VPN_Server:~# openvpn --config /root/vpn-server.conf
linux_VPN_Server:~# ps aux | grep openvpn
openvpn 2310 0.0 0.6 4060 988 ? Ss 01:00 0:00 openvpn --config vpn-server.conf
root 2313 0.0 0.1 1512 224 pts/1 R+ 01:00 0:00 grep openvpn
Start OpenVPN Client:
linux_VPN_Client:~# openvpn --config /root/vpn-client.conf
linux_VPN_Client:~# ps aux | grep openvpn
openvpn 2317 0.2 0.7 4060 1188 ? Ss 01:16 0:00 openvpn --config vpn-client.conf
root 2319 0.8 0.4 2852 704 pts/0 S+ 01:16 0:00 grep openvpn
Test VPN Connection:
linux_VPN_Client:~# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=8.50 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=4.32 ms
--- 192.168.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1005ms
rtt min/avg/max/mdev = 4.327/6.416/8.506/2.091 ms
10. VPN Connection with Public Key Encryption
If you have followed this article from the beginning up to this point, you already know some basics of how a Virtual Private Network works, and you have established a VPN connection using Symmetric Key Encryption. Prior to the establishment of a VPN connection using Symmetric Key Encryption, both VPN endpoints need to exchange the symmetric key first. The symmetric key needs to be exchanged securely using some private medium. In case a company has a large number of employees and each employee needs to exchange a symmetric key with anyone who wishes to establish a VPN connection with them, this task can become very tedious, not to mention that a key can be disclosed to the public somewhere on the way and the whole process would need to start again. This is where Public Key Infrastructure (PKI) comes in.
10.1. Public key infrastructure
To avoid public key exchange chaos when using a mesh-like model, we could delegate one employee as a Certification Authority ( CA ) who will be responsible for keeping a record of all public keys. The aim of the CA is to collect the public keys of all employees and sign them with the CA's private key to issue a certificate. Once that is done, all that remains is to redistribute the CA's public key to every employee. If anyone would like to confirm a document's signature created by any other employee, s|he would first use the CA's public key to confirm the sender's public key ( certificate ). Once the sender's public key is confirmed, this key can be further used to confirm the signature of the actual document.
10.2. What needs to be done
To reduce the complexity, let's briefly describe the steps which need to be done in order to create a VPN connection using OpenVPN and Public Key Encryption. First we need to establish a Certification Authority. This step produces the CA's self-signed public key ( certificate ) as well as the matching private key. In the next step, we generate the server's and the client's Certificate Signing Request (CSR); the outcome is a CSR and also a private key for each of the two peers ( server & client ). Note that these two operations are done separately on the server and on the client side. Next we transfer the client's CSR to the server, where we sign both the server's and the client's request using the CA's private key. This produces two signed certificates, one for the server and one for the client. In the next step, we transfer the client's signed certificate to the client along with the CA's public key. This way we do not have to transfer the client's private key over an unsecured connection. Since every peer then sends its own CA-signed certificate, that is all we need.
10.3. Establishment of Certification Authority
Before we start, make sure that you have the openssl package installed on both systems ( vpn-client and vpn-server ):
apt-get install openssl
and that the "openvpn" username and "openvpn" group exist on both endpoints ( vpn-client and vpn-server ) of your future VPN connection:
# addgroup openvpn
# useradd --shell=/bin/false -g openvpn openvpn
The following command generates the CA's self-signed certificate and private key. For this we will be using our VPN-Server with IP 10.0.0.3. Note that you can establish the CA on any other system. The fact that we intend to have the CA and the vpn-server on the same system as our VPN-Server is just a matter of convenience.
linux_VPN_Server:~# openssl req -new -x509 -extensions v3_ca -keyout ca-private-key.pem -out ca-certificate.pem -days 365
You will need to supply some details and, more importantly, a pass-phrase which you will use to sign CSRs. It is important that "Common Name" reflects the IP address or the fully qualified domain name (FQDN) of the system the certificate is intended for. The output will look something like this:

linux_VPN_Server:~# openssl req -new -x509 -extensions v3_ca -keyout ca-private-key.pem \
-out ca-certificate.pem -days 365
Generating a 1024 bit RSA private key
......++++++
...++++++
writing new private key to 'ca-private-key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SK
State or Province Name (full name) [Some-State]:Slovakia
Locality Name (eg, city) []:Bratislava
Organization Name (eg, company) [Internet Widgits Pty Ltd]:linuxconfig.org
Organizational Unit Name (eg, section) []:Certificate Authority ( CA )
Common Name (eg, YOUR name) []:Certificate Authority ( CA )
Email Address []:
linux_VPN_Server:~#

If everything went well, you have now established your own CA, ready to sign CSRs. You can find two new files in the directory from which you issued the openssl command:

linux_VPN_Server:~# ls
ca-certificate.pem ca-private-key.pem
linux_VPN_Server:~#

10.4. Generate a Certificate Signing Request

Our CA is ready, so at this point we need to create a Certificate Signing Request for our vpn-server and for our vpn-client. You will be asked to enter some details in regard to your company. First the vpn-server:

linux_VPN_Server:~# openssl req -new -nodes -out vpn-server-CSR.pem -days 365
Generating a 1024 bit RSA private key
......++++++
...++++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SK
State or Province Name (full name) [Some-State]:Slovakia
Locality Name (eg, city) []:Bratislava
Organization Name (eg, company) [Internet Widgits Pty Ltd]:linuxconfig.org
Organizational Unit Name (eg, section) []:VPN-SERVER
Common Name (eg, YOUR name) []:10.1.1.3
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
linux_VPN_Server:~#

After creating a Certificate Signing Request you should have acquired two new files:

* vpn-server-CSR.pem - vpn-server Certificate Signing Request
* privkey.pem - vpn-server private key

linux_VPN_Server:~# ls
ca-certificate.pem ca-private-key.pem privkey.pem vpn-server-CSR.pem
linux_VPN_Server:~#

Now the same on the vpn-client:

linux_VPN_Client:~# openssl req -new -nodes -out vpn-client-CSR.pem -days 365
Generating a 1024 bit RSA private key
......++++++
...++++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SK
State or Province Name (full name) [Some-State]:Slovakia
Locality Name (eg, city) []:Bratislava
Organization Name (eg, company) [Internet Widgits Pty Ltd]:linuxconfig.org
Organizational Unit Name (eg, section) []:VPN-CLIENT
Common Name (eg, YOUR name) []:10.1.1.4
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
linux_VPN_Client:~#
After creating the Certificate Signing Request you should have acquired two new files:

* vpn-client-CSR.pem - vpn-client Certificate Signing Request
* privkey.pem - vpn-client private key

linux_VPN_Client:~# ls
privkey.pem vpn-client-CSR.pem
linux_VPN_Client:~#

Since our signing Certificate Authority resides on our vpn-server, we copy the client's signing request there to be signed:

linux_VPN_Client:~# scp vpn-client-CSR.pem 10.1.1.3:~/
10.1.1.3's password:
vpn-client-CSR.pem 100% 672 0.7KB/s 00:00
linux_VPN_Client:~#

10.5. Signing Certificate Signing Requests

Both Certificate Signing Requests are waiting to be signed. For that we could create an openssl config file similar to the one below and use it in conjunction with the openssl command. Use your favorite text editor and create a file called CA-openssl.config with the content shown below:

linux_VPN_Server:~# cat CA-openssl.config
[ ca ]
default_ca = ca_default

[ ca_default ]
dir = .
certificate = ca-certificate.pem
private_key = ca-private-key.pem
new_certs_dir = .
database = index.txt
default_md = md5
serial = serial
default_days = 365
x509_extensions = usr_cert
policy = generic_policy

[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ usr_cert ]
authorityKeyIdentifier = keyid
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
linux_VPN_Server:~#

Note that default_md = md5 and the 1024-bit keys above reflect the age of this article: current OpenSSL and OpenVPN releases reject MD5-signed certificates, so on a current system use default_md = sha256 and at least 2048-bit RSA keys.

The Certification Authority needs to keep track of all signed certificates (index.txt) and to assign a serial number to each of them (serial). Therefore, we need to create these two files:

touch index.txt
echo 01 > serial

All is ready to sign the CSRs. Let's first sign the vpn-server's CSR:

linux_VPN_Server:~# openssl ca -config CA-openssl.config -infiles \
vpn-server-CSR.pem
Using configuration from CA-openssl.config
Enter pass phrase for ca-private-key.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'SK'
stateOrProvinceName :PRINTABLE:'Slovakia'
localityName :PRINTABLE:'Bratislava'
organizationName :PRINTABLE:'linuxconfig.org'
organizationalUnitName:PRINTABLE:'VPN-SERVER'
commonName :PRINTABLE:'10.1.1.3'
Certificate is to be certified until Feb 25 21:34:25 2010 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
linux_VPN_Server:~#

The server certificate is ready. Now we need to amend CA-openssl.config to sign the VPN-Client's public key. Change the line:

extendedKeyUsage = serverAuth

to:

extendedKeyUsage = clientAuth

The following command will also do the trick:

sed 's/serverAuth/clientAuth/' CA-openssl.config > temp; mv temp CA-openssl.config

Now we are ready to sign the vpn-client's CSR:

linux_VPN_Server:~# openssl ca -config CA-openssl.config -infiles \
vpn-client-CSR.pem
Using configuration from CA-openssl.config
Enter pass phrase for ca-private-key.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'SK'
stateOrProvinceName :PRINTABLE:'Slovakia'
localityName :PRINTABLE:'Bratislava'
organizationName :PRINTABLE:'linuxconfig.org'
organizationalUnitName:PRINTABLE:'VPN-CLIENT'
commonName :PRINTABLE:'10.1.1.4'
Certificate is to be certified until Feb 25 21:37:53 2010 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
linux_VPN_Server:~#

The signed certificates are ready to use:

* 01.pem - vpn-server certificate
* 02.pem - vpn-client certificate

linux_VPN_Server:~# ls
01.pem 02.pem CA-openssl.config ca-certificate.pem ca-private-key.pem index.txt
index.txt.attr index.txt.attr.old index.txt.old privkey.pem serial serial.old
vpn-client-CSR.pem vpn-server-CSR.pem
linux_VPN_Server:~#

You can inspect both certificates with the following commands:

openssl x509 -in 01.pem -noout -text
openssl x509 -in 02.pem -noout -text

At this stage we need to copy the vpn-client's certificate to the vpn-client system (10.1.1.4) and change its name to something like vpn-client-certificate.pem. Along with the vpn-client certificate we also need to copy the CA's certificate:

linux_VPN_Server:~# scp 02.pem 10.1.1.4:~/vpn-client-certificate.pem
10.1.1.4's password:
02.pem 100% 3173 3.1KB/s 00:00
linux_VPN_Server:~# scp ca-certificate.pem 10.1.1.4:~/
10.1.1.4's password:
ca-certificate.pem 100% 1367 1.3KB/s 00:00
linux_VPN_Server:~#

Change the name of the vpn-server's certificate to something like vpn-server-certificate.pem:

linux_VPN_Server:~# mv 01.pem vpn-server-certificate.pem

List of files in the vpn-server working directory:

linux_VPN_Server:~# ls
02.pem CA-openssl.config ca-certificate.pem ca-private-key.pem index.txt
index.txt.attr index.txt.attr.old index.txt.old privkey.pem serial serial.old
vpn-client-CSR.pem vpn-server-CSR.pem vpn-server-certificate.pem
linux_VPN_Server:~#
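The steps in 10.3 to 10.5 as a script, added here as an example and not part of the article: it builds the same CA, vpn-server and vpn-client certificates non-interactively with current parameters (2048-bit RSA, SHA-256, -subj instead of prompts) and then shows why the serverAuth/clientAuth split in CA-openssl.config matters, by asking OpenSSL to validate each certificate for the server and for the client role. Signing uses "openssl x509 -req" rather than the article's "openssl ca", so no index.txt/serial database is needed; all file names are assumptions.

```sh
#!/bin/sh
# Added example, not code from the article: build the article's three-party PKI
# (CA, vpn-server, vpn-client) non-interactively and show that the
# extendedKeyUsage split made in CA-openssl.config is what stops a client
# certificate from posing as the server. Technique swap: signing uses
# "openssl x509 -req" instead of "openssl ca". File names are assumptions.
set -eu

# build_pki DIR: writes ca, vpn-server and vpn-client key/cert pairs into DIR.
build_pki() {
    dir=$1
    # Minimal req config so the commands do not depend on a system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' '[dn]' \
        '[v3_ca]' 'subjectKeyIdentifier=hash' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$dir/req.cnf"
    # Self-signed CA certificate and key (article step 10.3; -nodes for scripting).
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 365 -subj '/O=linuxconfig.org/CN=Certificate Authority (CA)' \
        -keyout "$dir/ca-private-key.pem" -out "$dir/ca-certificate.pem" 2>/dev/null
    # CSR + key per peer (step 10.4); CN is the endpoint address, as in the article.
    for peer in server client; do
        case $peer in server) ip=10.1.1.3; eku=serverAuth ;; *) ip=10.1.1.4; eku=clientAuth ;; esac
        openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
            -subj "/OU=VPN-$peer/CN=$ip" -keyout "$dir/vpn-$peer-key.pem" \
            -out "$dir/vpn-$peer-CSR.pem" 2>/dev/null
        # Sign with the article's usr_cert extensions (step 10.5), EKU per peer.
        printf '%s\n' 'authorityKeyIdentifier=keyid' 'basicConstraints=CA:FALSE' \
            'keyUsage=digitalSignature' "extendedKeyUsage=$eku" > "$dir/$peer.ext"
        openssl x509 -req -sha256 -days 365 -in "$dir/vpn-$peer-CSR.pem" \
            -CA "$dir/ca-certificate.pem" -CAkey "$dir/ca-private-key.pem" \
            -CAcreateserial -extfile "$dir/$peer.ext" \
            -out "$dir/vpn-$peer-certificate.pem" 2>/dev/null
    done
}

# verify_purpose DIR PEER PURPOSE: "ok" if DIR/vpn-PEER-certificate.pem chains to
# the CA and its EKU permits PURPOSE (sslserver or sslclient), else "fail".
verify_purpose() {
    if openssl verify -CAfile "$1/ca-certificate.pem" -purpose "$3" \
        "$1/vpn-$2-certificate.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Demo: the vpn-client certificate is rejected in the server role, and vice versa.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && build_pki "$d"
    echo "server cert as sslserver: $(verify_purpose "$d" server sslserver)"   # ok
    echo "client cert as sslserver: $(verify_purpose "$d" client sslserver)"   # fail
    echo "server cert as sslclient: $(verify_purpose "$d" server sslclient)"   # fail
fi
```

Run it as "sh build-pki.sh demo"; the "fail" lines are the point: a peer holding only a clientAuth certificate cannot pass a check that requires the server role.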
10.6. Diffie-Hellman Key Agreement Protocol

The Diffie-Hellman Key Agreement protocol allows two users to exchange a secret key over an insecure medium without any prior secrets. We need the Diffie-Hellman Key Agreement file only on the server side of our VPN. It can be created by the following command:

linux_VPN_Server:~# openssl dhparam -out dh.pem 1024

linux_VPN_Server:~# ls
02.pem CA-openssl.config ca-certificate.pem ca-private-key.pem dh.pem index.txt
index.txt.attr index.txt.attr.old index.txt.old privkey.pem serial serial.old
vpn-client-CSR.pem vpn-server-CSR.pem vpn-server-certificate.pem
linux_VPN_Server:~#

10.7. Creating configuration files

The OpenVPN configuration files will look similar to those we created in the previous sections, where we created a virtual private network using Symmetric Key Encryption. Create files named openvpn-server.conf and openvpn-client.conf with the following content:

OpenVPN Server config file

Create an openvpn-server.conf file with the following content:

# OpenVPN server configuration file example
local 10.1.1.3
dev tun
server 192.168.0.0 255.255.255.0
ca ca-certificate.pem
cert vpn-server-certificate.pem
key privkey.pem
dh dh.pem
push "redirect-gateway"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user openvpn
group openvpn
daemon

Explanation of OpenVPN configuration directives

dev - use a TUN virtual network device
server - assign IP addresses to the clients from the given subnet
ca - path to the Certificate Authority's certificate
cert - path to the vpn-server's signed certificate
key - path to the vpn-server's private key
dh - path to the Diffie-Hellman Key Agreement file
remote - specifies the IP address or name of the VPN server
ifconfig - specifies the local and remote endpoint
secret - path to the pre-shared static key file
comp-lzo - enable fast LZO data compression
push - push configuration options to the clients. Available options are: --route, --route-gateway, --route-delay, --redirect-gateway, --ip-win32, --dhcp-option, --inactive, --ping, --ping-exit, --ping-restart, --setenv, --persist-key, --persist-tun, --echo, --comp-lzo, --socket-flags, --sndbuf, --rcvbuf
keepalive - keep the connection alive by sending regular ping packets; in our case a ping packet is sent every 10 seconds and the reply must arrive within 60 seconds, otherwise the other endpoint is assumed to be down
ping-timer-rem - should be used only on the VPN server side, where the daemon is started without an explicit remote IP address; this way the timeout starts only after a VPN client has connected
persist-tun - do not re-create the TUN virtual network interface after an automatic restart
persist-key - no need to read the key files again after an automatic restart
user - run the openvpn tunnel as user openvpn
group - run the openvpn tunnel as group openvpn
daemon - once the initialization functions are completed, run in the background as a daemon

OpenVPN Client config file

Create an openvpn-client.conf file with the following content:

# OpenVPN client configuration file example
client
dev tun
remote 10.1.1.3
tls-remote 10.1.1.3
ca ca-certificate.pem
cert vpn-client-certificate.pem
key privkey.pem
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user openvpn
group openvpn
daemon

tls-remote makes the client accept only a server certificate whose Common Name is 10.1.1.3, which is why the server's CSR in 10.4 had to carry that name. It is deprecated in current OpenVPN releases, where verify-x509-name 10.1.1.3 name performs the same check.

10.8. Start OpenVPN server

linux_VPN_Server:~# openvpn --config openvpn-server.conf
linux_VPN_Server:~# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.0.1 P-t-P:192.168.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
linux_VPN_Server:~#

10.9. Start OpenVPN client

linux_VPN_Client:~# openvpn --config openvpn-client.conf
linux_VPN_Client:~# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.0.6 P-t-P:192.168.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
linux_VPN_Client:~#

10.10. Test VPN Connection

linux_VPN_Client:~# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.805 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=1.513 ms

--- 192.168.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.805/1.159/1.513/0.354 ms
linux_VPN_Client:~#
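Before the daemon is started as in 10.8, two mistakes in the ca/cert/key directives of 10.7 are worth catching up front: a cert file that does not belong to the key file, and a server certificate whose Common Name is not the address clients will put into tls-remote. The following pre-flight check is an added example, not code from the article; the sample certificate, keys and config it constructs are assumptions in the article's naming style.

```sh
#!/bin/sh
# Added example, not code from the article: pre-flight checks on an
# openvpn-server.conf before "openvpn --config" is run. They catch a "cert"
# that does not belong to the "key" file, and a certificate Common Name that
# is not the address clients put into tls-remote (the "local" address here).
# File names and the constructed sample config are assumptions.
set -eu

# cert_matches_key CERT KEY: "yes" if KEY is the private half of CERT's public key.
cert_matches_key() {
    if [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
    then echo yes; else echo no; fi
}

# conf_value CONF DIRECTIVE: first argument of DIRECTIVE in CONF (comments skipped).
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# preflight CONF: prints "ok" or the first problem found. Paths in CONF are taken
# relative to the directory holding CONF, as when OpenVPN is started from there.
preflight() {
    dir=$(dirname "$1")
    cert=$dir/$(conf_value "$1" cert)
    key=$dir/$(conf_value "$1" key)
    if [ "$(cert_matches_key "$cert" "$key")" != yes ]; then
        echo "cert/key mismatch"; return 0
    fi
    # Common Name alone, which is what a client's tls-remote is matched against.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline,lname \
        | sed -n 's/^ *commonName *= *//p')
    if [ "$cn" != "$(conf_value "$1" local)" ]; then
        echo "CN '$cn' differs from local address"; return 0
    fi
    echo ok
}

# make_sample DIR: constructed test data. A self-signed vpn-server certificate for
# CN 10.1.1.3 with its key, an unrelated key, and a config in the article's style.
make_sample() {
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' > "$1/req.cnf"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=10.1.1.3' -keyout "$1/privkey.pem" \
        -out "$1/vpn-server-certificate.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/wrong-key.pem" 2>/dev/null
    printf '%s\n' '# OpenVPN server configuration file example' 'local 10.1.1.3' \
        'dev tun' 'cert vpn-server-certificate.pem' 'key privkey.pem' > "$1/openvpn-server.conf"
}
```

Call "preflight /path/to/openvpn-server.conf" against the real files; the same two checks apply to openvpn-client.conf, with tls-remote in place of local.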