
Monday, June 4, 2012

Linux SSL VPN (OpenVPN)


Network Definitions:


192.168.21.0/24 [Server LAN Network]


192.168.23.0/24 [Client LAN Network]


10.10.10.0/24 [VPN Network]


Make sure the date and time on both ends are in sync (run ntp on both). Certificate validity is checked during the TLS handshake, and a skewed clock shows up as "certificate is not yet valid" or "certificate has expired" VERIFY errors in the log.


Server End:
apt-get install openvpn [run this on both the server and the client; the package name is openvpn]


cd /etc/openvpn [Server End]


edit / create server.conf


## server.conf
port 2746
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key   # This file should be kept secret (chmod 600, owned by root)
dh dh1024.pem    # from build-dh; 1024-bit DH is weak by current standards: set KEY_SIZE=2048 in vars, run build-dh again and point this at dh2048.pem
server 10.10.10.0 255.255.255.0   # VPN subnet from the definitions above: the server takes 10.10.10.1 and hands out addresses from the rest of the range (a /30 leaves only one pool address)
# 'ifconfig' is not needed here: 'server' already sets the local address.
# 'duplicate-cn' is dropped: it lets several peers share one certificate, which defeats revocation.
# 'comp-lzo' is dropped: compressing traffic before encrypting it enables compression-oracle attacks, and the setting must match on both ends anyway.
keepalive 4 40
user nobody
group nogroup
persist-key      # together with persist-tun: lets the daemon restart after it has dropped privileges
persist-tun
verb 3           # 10 is packet-level debug output; 3 is enough to see handshake and VERIFY errors
mute 20
route 192.168.23.0 255.255.255.0 10.10.10.2   # client LAN via the client's VPN address (the first address from the pool; pin it with client-config-dir/ifconfig-push if more peers are added)




The next steps are performed with the easy-rsa scripts shipped with the OpenVPN package in /usr/share/doc/openvpn/examples/easy-rsa. Edit the vars file first (KEY_COUNTRY, KEY_ORG and the other KEY_* defaults, and KEY_SIZE), and consider copying the directory out of /usr/share/doc (for example to /etc/openvpn/easy-rsa) so a package upgrade cannot overwrite your CA. The keys/ directory it produces holds the CA private key and must stay readable by root only.




cd /usr/share/doc/openvpn/examples/easy-rsa
. ./vars
./clean-all
./build-ca




### Prompts answered when the CA certificate is created (the defaults in brackets come from vars):
Country Name (2 letter code) [KG]:BD
State or Province Name (full name) [NA]:Bangladesh
Locality Name (eg, city) [BISHKEK]:Dhaka
Organization Name (eg, company) [OpenVPN-TEST]:ISP
Organizational Unit Name (eg, section) []:ISP
Common Name (eg, your name or your server's hostname) []:ISP
Email Address [me@myhost.mydomain]: admin@test.com


The last command builds the certificate authority's certificate and key by invoking openssl interactively.




Generate the certificate and key for the server. Use build-key-server rather than build-key: it adds the server extensions (nsCertType=server, extendedKeyUsage=serverAuth) that the client's 'remote-cert-tls server' check relies on.
./build-key-server server


Generate the certificate and key for the client:
./build-key client


Generate the Diffie-Hellman parameters (the file is named after KEY_SIZE from vars: dh1024.pem by default, dh2048.pem if you raised it):
./build-dh




Copy the following files from /usr/share/doc/openvpn/examples/easy-rsa/keys to /etc/openvpn on the server (server.key must be readable by root only):


ca.crt
server.crt
dh1024.pem (dh2048.pem if KEY_SIZE was raised in vars)
server.key




Client End:
cd /etc/openvpn [Client End]


edit / create client.conf


###client.conf
client
remote 122.144.12.232 2746
proto udp
dev tap
;resolv-retry infinite   # uncomment if the server is reached through a DynDNS name
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key           # keep secret (chmod 600, owned by root)
remote-cert-tls server   # accept only a certificate made with build-key-server; without this any client certificate signed by the same CA could pose as the server (older releases use 'ns-cert-type server')
# 'dh' is a server-only directive and is left out.
# 'comp-lzo' is left out: compressing traffic before encrypting it enables compression-oracle attacks, and the setting must match the server anyway.
verb 3                   # 10 is packet-level debug output; 3 is enough for troubleshooting
mute 20
route 192.168.21.0 255.255.255.0   # server LAN, via the route-gateway the server pushes
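Before deploying, it is worth checking both files for weak or conflicting settings. The following Python script is an added example, not code from the original post or from the OpenVPN project: it parses an OpenVPN config and flags duplicate-cn, a redundant ifconfig next to server, a /30 server subnet, verb above 4, comp-lzo, a missing persist-key/persist-tun after user nobody, dh on a client, a client without remote-cert-tls, a 1024-bit dh file, and a missing tls-auth/tls-crypt key. The four embedded configs are constructed: the WEAK_* ones mirror the server.conf and client.conf on this page, the HARDENED_* ones show the corrected settings and assume a ta.key generated with `openvpn --genkey --secret ta.key` and copied to both ends. The thresholds (verb > 4, prefix of /30 or smaller, "1024" in the dh file name) are this example's own heuristics, not rules taken from OpenVPN.

```python
"""Lint OpenVPN configs for the weak or conflicting settings seen in this page's
server.conf and client.conf. Added example, not code from the original post.
The four embedded configs are constructed: WEAK_* mirror the page's files,
HARDENED_* are what the findings suggest instead (ta.key is assumed to come
from `openvpn --genkey --secret ta.key` and to be copied to both ends)."""
import ipaddress
import re

WEAK_SERVER_CONF = (
    "port 2746\nproto udp\nifconfig 10.10.10.1 255.255.255.252\ndev tap\n"
    "ca ca.crt\ncert server.crt\nkey server.key # This file should be kept secret\n"
    "dh dh1024.pem\nserver 10.10.10.0 255.255.255.252 # vpn subnet\nduplicate-cn\n"
    "keepalive 4 40\ncomp-lzo\nuser nobody\nverb 10\nmute 20\n"
    "route 192.168.23.0 255.255.255.0 10.10.10.2\n"
)
WEAK_CLIENT_CONF = (
    "remote 122.144.12.232 2746\nclient\ndev tap\nproto udp\nnobind\nuser nobody\n"
    "persist-key\npersist-tun\nca ca.crt\ncert client.crt\nkey client.key\n"
    "dh dh1024.pem\ncomp-lzo\nverb 10\nmute 20\nroute 192.168.21.0 255.255.255.0\n"
)
HARDENED_SERVER_CONF = (
    "port 2746\nproto udp\ndev tap\nca ca.crt\ncert server.crt\nkey server.key\n"
    "dh dh2048.pem\ntls-auth ta.key 0\nserver 10.10.10.0 255.255.255.0\n"
    "keepalive 4 40\nuser nobody\ngroup nogroup\npersist-key\npersist-tun\n"
    "verb 3\nmute 20\nroute 192.168.23.0 255.255.255.0 10.10.10.2\n"
)
HARDENED_CLIENT_CONF = (
    "remote 122.144.12.232 2746\nclient\ndev tap\nproto udp\nnobind\n"
    "ca ca.crt\ncert client.crt\nkey client.key\ntls-auth ta.key 1\n"
    "remote-cert-tls server\nuser nobody\ngroup nogroup\npersist-key\npersist-tun\n"
    "verb 3\nmute 20\nroute 192.168.21.0 255.255.255.0\n"
)


def parse_config(text):
    """Split a config into (directive, args) pairs; '#'/';' comments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)[#;].*$", "", raw).strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def lint(text):
    """Return (code, message) findings; an empty list means nothing was flagged.
    Thresholds (verb > 4, prefix >= /30, '1024' in the dh file name) are this
    example's own heuristics, not OpenVPN rules."""
    d = {}
    for name, args in parse_config(text):
        d.setdefault(name, []).append(args)
    is_client = "client" in d
    found = []
    if "duplicate-cn" in d:
        found.append(("DUPLICATE_CN", "duplicate-cn lets any number of peers share one "
                      "certificate; issue one cert per site so revoking it locks that site out"))
    if "server" in d and "ifconfig" in d:
        found.append(("IFCONFIG_VS_SERVER", "'server' already sets the local address; "
                      "an explicit 'ifconfig' is redundant and confusing"))
    for args in d.get("server", []):
        if len(args) >= 2 and ipaddress.ip_network(
                f"{args[0]}/{args[1]}", strict=False).prefixlen >= 30:
            found.append(("SERVER_SUBNET_TOO_SMALL", "a /30 leaves the pool at most one "
                          "address; use a larger subnet such as the /24 defined for the VPN"))
    if any(a and a[0].isdigit() and int(a[0]) > 4 for a in d.get("verb", [])):
        found.append(("VERB_TOO_HIGH", "verb above 4 floods syslog with per-packet debug "
                      "output; use 3 in production"))
    if "comp-lzo" in d or "compress" in d:
        found.append(("COMPRESSION", "compressing plaintext before encryption enables "
                      "compression-oracle attacks (VORACLE); drop comp-lzo on both ends"))
    if "user" in d and not ("persist-key" in d and "persist-tun" in d):
        found.append(("NO_PERSIST", "after dropping to 'user nobody' a restart cannot "
                      "reread the key or reopen the tap; add persist-key and persist-tun"))
    if is_client:
        if "dh" in d:
            found.append(("DH_ON_CLIENT", "dh is server-only; remove it from the client config"))
        if "remote-cert-tls" not in d and "ns-cert-type" not in d:
            found.append(("NO_SERVER_CERT_CHECK", "client does not check the peer holds a "
                          "*server* certificate, so any cert from the same CA could "
                          "impersonate the server; add 'remote-cert-tls server'"))
    elif any(a and "1024" in a[0] for a in d.get("dh", [])):
        found.append(("WEAK_DH", "1024-bit DH parameters are below the 2048-bit floor; "
                      "set KEY_SIZE=2048 in vars and rerun build-dh"))
    if "tls-auth" not in d and "tls-crypt" not in d:
        found.append(("NO_TLS_AUTH", "no tls-auth/tls-crypt: any packet reaching the port "
                      "starts a TLS handshake; an HMAC key drops unauthenticated packets first"))
    return found


def finding_codes(text):
    """The set of finding codes for a config, for quick comparison."""
    return {code for code, _ in lint(text)}


if __name__ == "__main__":
    for label, conf in (("weak server", WEAK_SERVER_CONF), ("weak client", WEAK_CLIENT_CONF),
                        ("hardened server", HARDENED_SERVER_CONF),
                        ("hardened client", HARDENED_CLIENT_CONF)):
        print(f"== {label}: {len(lint(conf))} finding(s)")
        for code, msg in lint(conf):
            print(f"   {code}: {msg}")
```

Run it as a script to print the findings for the four constructed configs, or import lint() and feed it the contents of /etc/openvpn/server.conf or client.conf. The hardened configs produce no findings; the weak ones reproduce every issue listed in the lead-in.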




Copy the following files from the server's keys directory to /etc/openvpn/ on the client, over a secure channel such as scp (the private key must never cross the untrusted link in the clear). They are named client.crt and client.key because the key was built with './build-key client':


ca.crt
client.crt
client.key




Now start the service on both ends:
/etc/init.d/openvpn start


A tap interface (tap0 by default) now appears on both machines next to the existing interfaces. For hosts on one LAN to reach the other LAN, each VPN box must also forward packets (sysctl net.ipv4.ip_forward=1) and the hosts on each LAN must route the remote subnet through their local VPN box (or use it as their default gateway); with that in place both LANs are reachable from each other.


For troubleshooting check /var/log/syslog: at verb 3 the handshake, VERIFY ERROR and TLS Error lines are all logged, and "Initialization Sequence Completed" marks a working tunnel.
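The failures this setup typically runs into (a clock skew between the ends, a client holding the wrong ca.crt, UDP blocked on the chosen port) each leave a recognisable line in syslog. The following Python script is an added example, not part of the original post: it runs a small set of rules over syslog lines and maps each known OpenVPN message to a category and a next step. SAMPLE_SYSLOG is constructed; the message texts are the ones OpenVPN 2.x logs in those situations, while the host names, PIDs and timestamps are made up.

```python
"""Triage OpenVPN syslog lines for the failure modes this page's setup runs into
(clock skew between the ends, wrong CA, blocked UDP port). Added example, not
part of the original post. SAMPLE_SYSLOG is constructed: the message texts are
the ones OpenVPN 2.x logs in those situations, the hosts and PIDs are made up."""
import re

SAMPLE_SYSLOG = """\
Jun  4 10:01:02 site-b ovpn-client[1234]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun  4 10:01:02 site-b ovpn-client[1234]: TLS Error: TLS handshake failed
Jun  4 10:05:11 site-b ovpn-client[1301]: VERIFY ERROR: depth=0, error=certificate is not yet valid: C=BD, ST=Bangladesh, L=Dhaka, O=ISP, OU=ISP, CN=server
Jun  4 10:05:11 site-b ovpn-client[1301]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jun  4 10:07:30 site-b ovpn-client[1355]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=BD, ST=Bangladesh, L=Dhaka, O=ISP, OU=ISP, CN=server
Jun  4 10:12:00 site-b ovpn-client[1402]: TUN/TAP device tap0 opened
Jun  4 10:12:01 site-b ovpn-client[1402]: Initialization Sequence Completed
"""

# (regex, category, what to check next); the first matching rule wins for a line
RULES = [
    (r"Initialization Sequence Completed", "up",
     "tunnel is up; if the far LAN is still unreachable, check ip_forward and the LAN hosts' routes"),
    (r"certificate is not yet valid|certificate has expired", "clock",
     "clock skew between the ends, or a cert issued from a skewed clock; sync time (ntp) and compare 'date' on both"),
    (r"unable to get local issuer certificate|self signed certificate", "ca",
     "peer certificate was not issued by the ca.crt on this end; copy the right ca.crt"),
    (r"TLS key negotiation failed to occur within", "network",
     "no reply on the configured UDP port; check firewall/NAT, the remote address, and that both ends use the same port/proto"),
    (r"certificate verify failed|TLS handshake failed", "tls",
     "handshake aborted; the VERIFY ERROR or TLS Error line just before it names the cause"),
]


def triage(log):
    """Return (category, hint, line) for every line that matches a known message."""
    events = []
    for line in log.splitlines():
        for pattern, category, hint in RULES:
            if re.search(pattern, line):
                events.append((category, hint, line.strip()))
                break
    return events


def final_state(log):
    """Category of the last recognised event ('up' once the tunnel came up), or 'unknown'."""
    events = triage(log)
    return events[-1][0] if events else "unknown"


if __name__ == "__main__":
    for category, hint, line in triage(SAMPLE_SYSLOG):
        print(f"[{category:7}] {line.split(']: ', 1)[-1]}\n          -> {hint}")
    print("final state:", final_state(SAMPLE_SYSLOG))
```

Point triage() at the text of /var/log/syslog (or at `grep ovpn /var/log/syslog`) to get the sequence of recognised events; final_state() tells you whether the last thing OpenVPN reported was a working tunnel or which class of failure to chase first.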
