OpenVPN

Introduction
There are as many advantages to VPN tunnels as there are different VPN scenarios. One easy implementation is the "OpenVPN via tun-device" solution.

Example: You work from home (your office) and have a server in a data centre, and you want exclusive access to some services like ftp, mysql and sshd (the world of unethical hackers has grown to a very large unknown number, not counting the "script kiddies" that we all love so much). One good precaution is not to run anything on default ports; another is not to run any listening daemons open to the internet. A VPN is by far the best solution. Furthermore, you can "dial in" only when you need access to the VPN network, and multiple clients can connect to the server too.

Disclaimer: While this setup most likely will not cause any problems, it may not be perfect for your system.

Kernel Configuration
Make sure your kernel has been configured with TUN/TAP driver support.

Exit menuconfig, saving the new configuration. You now need to rebuild your kernel.

2.6-based kernels

Copy the new bzImage into your boot folder.

2.4-based kernels

If you compiled either of the two options built into the kernel, copy the new kernel to /boot and reboot!

If you compiled it as a module:

Using SSL keys/certificates
This is not actually so difficult; it's just a bunch of commands to type. Please also refer to the official HOWTO (the steps below are based on it) at: http://openvpn.net/howto.html#pki

First, some explanations. To decide whether a client is allowed to connect, the OpenVPN server checks that the client's certificate was signed by the same CA certificate that signed the server's certificate. So you may understand that using commercial certificates like Thawte's really isn't an option in our case: we act as our own CA. I suggest we start right away and get this all out of the way quickly. :)

First off, change to the directory with the OpenVPN easy-rsa scripts, which make setting up the keys easy:

We then must edit the basic parameters for the certificates. Edit the vars file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.

Next, initialize the PKI. On Linux/BSD/Unix:

The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:

ai:easy-rsa # ./build-ca
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [me@myhost.mydomain]:

Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "OpenVPN-CA".


 * Generate certificate & key for server

Next, we will generate a certificate and private key for the server. On Linux/BSD/Unix:

./build-key-server server

As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:

./build-key client

If you would like to password-protect your client keys, substitute the build-key-pass script.

Remember to type the appropriate Common Name for each client when prompted, i.e. "client", "client2", or "client3". Always use a unique Common Name for each client.


 * Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server. On Linux/BSD/Unix:

./build-dh

Output:

ai:easy-rsa # ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................+...........................................
...................+.............+.................+.........
......................................


 * Key Files

You will now find the newly generated keys and certificates in the keys subdirectory. The .key files are the only ones that must be kept private; everything else can be public. Transfer each client's key and certificate, along with the CA CERTIFICATE (read: NOT the CA key), to the respective machine via a secure channel. The dh1024.pem file only has to be on the server.
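The trust decision described above, as an added example that is not part of the original article: plain openssl stands in for the easy-rsa scripts to build a throwaway CA, one client certificate signed by it and one signed by an unrelated CA, and openssl verify stands in for the chain validation OpenVPN performs at connect time. All files and names (OpenVPN-CA, Other-CA, client, outsider) are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the article: recreate the trust decision with
# plain openssl instead of the easy-rsa scripts. A client certificate is only
# accepted if it chains to the CA the server trusts; a cert from any other CA,
# however valid on its own, is refused. "Other-CA" is a constructed stand-in
# for a CA we do not control.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA cert + key (what ./build-ca produces). -nodes: demo only.
make_ca() {  # $1 = file prefix, $2 = Common Name
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# CSR for a client, then sign it with the given CA (what ./build-key does).
issue_client() {  # $1 = CA prefix, $2 = client Common Name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 365 -out "$2.crt" >/dev/null 2>&1
}

# The check itself: 0 if the cert chains to the trusted CA, 1 otherwise.
verify_client_cert() {  # $1 = trusted CA cert, $2 = client cert
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

make_ca ca "OpenVPN-CA"
make_ca other-ca "Other-CA"
issue_client ca client            # signed by our CA: should be accepted
issue_client other-ca outsider    # signed by a foreign CA: should be refused

verify_client_cert ca.crt client.crt   && echo "client.crt:   accepted"
verify_client_cert ca.crt outsider.crt || echo "outsider.crt: refused"
```

Note that outsider.crt is a perfectly valid certificate under its own CA (verify it against other-ca.crt and it passes); it is refused only because the server trusts one CA and nothing else.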

Using both methods
Yes, you can use the shared secret key file and the certificate method at the same time. This is even more secure and protects your network against MITM attacks. So if you used the certificate method, you can also do the additional steps below to make your network even more secure!

On the server, create a directory for your server keys and move them there; furthermore, create a backup of these keys:


 * 1) mkdir -p /etc/openvpn/privnet
 * 2) mv /usr/share/openvpn/easy-rsa/keys/* /etc/openvpn/privnet/
 * 3) # Every time you update openvpn you might lose these files; creating a backup is a good idea!
 * 4) tar cfzp /root/openvpn-privnet.tar.gz /etc/openvpn/privnet/
 * 5) chmod 400 /root/openvpn-privnet.tar.gz
 * 6) chmod 700 /etc/openvpn/privnet
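The key-file rules from the two sections above (private .key files kept unreadable to others, the directory at 700, ca.key and dh1024.pem never on a client), turned into an added audit script that is not part of the original article. The directory contents it checks are constructed in a temp directory; "server"/"client" roles are a hypothetical convention of this example.

```shell
#!/bin/sh
# Added example, not code from the article: audit a key directory such as
# /etc/openvpn/privnet against the hygiene rules above. Private .key files and
# the directory itself must not be accessible to group/other (chmod 400 / 700),
# and a client machine should never hold ca.key or the dh*.pem parameters.
# Permission bits are taken from ls -l (columns 5-10 = group and other bits),
# which works with both GNU and BSD ls.

group_other_bits() {  # prints e.g. "r--r--" for mode 644, "------" for 400/700
    ls -ld "$1" | cut -c5-10
}

# Print one FINDING line per problem; return 1 if any was found, else 0.
audit_keydir() {  # $1 = directory, $2 = role: "server" or "client"
    dir=$1 role=$2 bad=0
    if [ "$(group_other_bits "$dir")" != "------" ]; then
        echo "FINDING: $dir is reachable by group/other (want chmod 700)"; bad=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            *.key)
                if [ "$(group_other_bits "$f")" != "------" ]; then
                    echo "FINDING: $name is readable by group/other (want chmod 400)"; bad=1
                fi ;;
        esac
        if [ "$role" = client ]; then
            case "$name" in
                ca.key|dh*.pem)
                    echo "FINDING: $name belongs on the CA/server only, not on a client"; bad=1 ;;
            esac
        fi
    done
    return $bad
}

# Constructed demo: a client's config directory with two deliberate mistakes,
# a world-readable private key and a copy of the CA key that should not be here.
DEMO=$(mktemp -d)
chmod 700 "$DEMO"
touch "$DEMO/ca.crt" "$DEMO/client.crt" "$DEMO/client.key" "$DEMO/ca.key"
chmod 644 "$DEMO/client.key"
audit_keydir "$DEMO" client || echo "$DEMO needs attention"
```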

Basic Configuration
This is a fairly easy configuration, close to OpenVPN's defaults:

Start the Server
If you're going to use this solution to further enhance your security setup, also add OpenVPN to the default run level:

 * 1) /etc/init.d/openvpn start
 * 2) rc-update add openvpn default
      * openvpn added to runlevel default

Multiple OpenVPN Instances
Setting up multiple OpenVPN instances is easy: just create a configuration file in /etc/openvpn and create a symlink to the openvpn init script with the same name (excluding .conf). Example:

Security Enhancements
As mentioned before, some people just hate being insecure. Now you can run nearly all the commonly unsecured daemons (I'm paranoid) on the VPN IP addresses only!

Example: You then have to connect to your VPN before you can ssh into your server, check mail, etc.

Windows Client
Download the Windows client from openvpn.se or openvpn.net (official download page). Run the installer with the default settings, then edit the client configuration:

notepad C:\Program Files\OpenVPN\config\client.ovpn

Copy and paste the following files from the Linux box to Windows (this is a very insecure way of getting the files; I would suggest using WinSCP or a similar client to retrieve them from the server!):

Linux:   cat /etc/openvpn/privnet/ca.crt
Windows: notepad C:\Program Files\OpenVPN\config\ca.crt

Do the same with client.crt and client.key.

Make sure you have the following files!

dir C:\Program Files\OpenVPN\config
15/02/2007  10:24             1,388 ca.crt
15/02/2007  10:26             3,872 client.crt
15/02/2007  10:25               906 client.key
15/02/2007  10:23             3,549 client.ovpn

Connect to your newly created VPN by double-clicking on the OpenVPN icon.

Excellent TIP for Windows
Windows has a hosts file similar to /etc/hosts (stems from the BSD ancestry of the Windows TCP/IP stack).

notepad C:\WINDOWS\system32\drivers\etc\hosts



Hide TAP adapter

 * 1) Run regedit
 * 2) Find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
 * 3) Search the sub-keys for one with a DriverDesc = "TAP-Win32 Adapter V9" (V8 for older installations; check the Network Connections folder for the Device Name/DriverDesc)
 * 4) Set "Characteristics" = 0x89

To show again, set it to 0x81.

OpenVPN on Xen DomU
Error Message:

Note: Cannot open TUN/TAP dev /dev/net/tun: No such device
Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Cannot allocate TUN/TAP dev dynamically
Exiting

To fix this problem, create the device node by hand and load the tun module:


 * 1) mkdir /dev/net
 * 2) mknod /dev/net/tun c 10 200
 * 3) chmod 0700 /dev/net/tun
 * 4) modprobe tun
 * 5) /etc/init.d/openvpn restart