Difference between revisions of "Openvpn"
Stillflame (new howto)
Revision as of 19:22, 28 December 2007
Introduction
OpenVPN is an open source Virtual Private Network (VPN), which allows one to establish a tunnel for any IP subnetwork or virtual ethernet adapter (i.e. a TUN/TAP kernel device) over any UDP/TCP port. At freegeek, we have one between our wireless and wired networks.
Installation
- on debian
apt-get install openvpn openssl resolvconf
- gentoo
echo "ssl examples" >> /etc/portage/package.use
emerge -av openvpn resolvconf-gentoo
- Other
can be found here: http://openvpn.net/install.html
Setup
Once installed you will need to set some things up.
Here is a sample config (though you will need to edit a few lines). Copy and save this as /etc/openvpn/client.conf.
# both '#' and ';' act as comments
client
dev tun
proto udp
# change this to your server's address
remote ASK_A_SYSADMIN 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/my.crt
key /etc/openvpn/keys/my.key
ns-cert-type server
tls-auth /etc/openvpn/keys/ta.key 1
cipher BF-CBC
comp-lzo
up /etc/openvpn/freegeek-up.sh
That last line refers to a script, which you should copy from here:
#!/bin/bash
# Build a resolv.conf fragment from the DNS servers the VPN server pushes
# and hand it to resolvconf for the tunnel interface.
TEMPFILE=`mktemp /tmp/resolv.conf.XXXXXX`
echo search fglan >> "$TEMPFILE"
# OpenVPN exports each pushed option as foreign_option_1, foreign_option_2, ...
for DHCPOPTVAR in ${!foreign_option*} ; do
    DHCPOPT="${!DHCPOPTVAR}"
    if echo "$DHCPOPT" | grep -qe '^dhcp-option.DNS' ; then
        echo "$DHCPOPT" | sed -re 's/dhcp-option.DNS.([0-9.]+)$/nameserver \1/' >> "$TEMPFILE"
    fi
done
# $dev (the name of the tun device) is also set by OpenVPN
cat "$TEMPFILE" | resolvconf -a "$dev"
rm "$TEMPFILE"
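The script above only adds entries: nothing withdraws them from resolvconf when the tunnel goes down, and whatever follows "dhcp-option DNS" is written to resolv.conf verbatim. The following is an added example, not the wiki's own script, of the same job written as a combined up/down script: it turns pushed "dhcp-option DNS" and "dhcp-option DOMAIN" values into resolv.conf lines, drops DNS values that are not digits and dots, falls back to the fglan search domain when the server pushes none, and removes the entries again on disconnect. It assumes the foreign_option_N, dev and script_type environment variables OpenVPN sets for its scripts and the Debian resolvconf -a / -d interface.

```shell
#!/bin/sh
# Added example (not the wiki page's script): an OpenVPN --up/--down script
# that feeds the DNS settings pushed by the server to resolvconf and removes
# them again on disconnect. OpenVPN exports every pushed option as
# foreign_option_1, foreign_option_2, ... (e.g.
# foreign_option_1='dhcp-option DNS 10.0.0.1'), the tunnel device as $dev and
# the kind of script being run as $script_type (up or down).

# Print resolv.conf lines built from the foreign_option_* variables.
# $1 is a default search domain, used only when the server pushes no DOMAIN.
# Options other than dhcp-option DNS/DOMAIN are ignored, and a DNS value that
# is not made of digits and dots is dropped instead of being written verbatim.
build_resolvconf() {
    default_search="$1"
    search=""
    while IFS= read -r opt; do
        set -- $opt                      # split "dhcp-option DNS 10.0.0.1" into words
        [ "$1" = "dhcp-option" ] || continue
        case "$2" in
            DNS)
                case "$3" in
                    *[!0-9.]*|"") ;;     # not an address: skip it
                    *) echo "nameserver $3" ;;
                esac ;;
            DOMAIN) search="$search $3" ;;
        esac
    done <<EOF
$(env | sed -n 's/^foreign_option_[0-9]*=//p')
EOF
    [ -n "$search" ] || search=" $default_search"
    if [ -n "${search# }" ]; then
        echo "search${search}"
    fi
}

# Dispatch on the script type OpenVPN reports. Point both the "up" and the
# "down" directive in client.conf at this file so the entries added for $dev
# are withdrawn when the tunnel closes. Does nothing when run by hand.
case "${script_type:-}" in
    up)   build_resolvconf fglan | resolvconf -a "$dev" ;;
    down) resolvconf -d "$dev" ;;
esac
```

Use it with both "up /etc/openvpn/freegeek-up.sh" and "down /etc/openvpn/freegeek-up.sh" in client.conf. On OpenVPN 2.1 and later, running external scripts also requires "script-security 2" in the config.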
So, now the keys
If you read that configuration file, you would have seen ca.crt, a client certificate and key (my.crt and my.key in the sample; build-key below names them after whatever client name you give it), and later on ta.key. You can't connect to the VPN without those files!
So ask a sysadmin to run the following commands on our VPN server:
cp -Rv /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn; cd /etc/openvpn/easy-rsa
. ./vars
./build-key clientname
Then securely copy those, plus ca.crt and ta.key, to your computer and put them in a directory nobody else can read, /etc/openvpn/keys/. Don't leave any spare copies of those files lying around!
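A quick way to check that the copied key material really is private and that the pieces belong together, as an added example that is not part of the wiki page: the functions below report any file under the key directory that group or others can read or write, tighten the modes to 700/600, and (where the openssl command is available) confirm that my.crt was issued by ca.crt and that my.key is its private key. The file names are the ones used in the sample client.conf; the directory is passed as an argument.

```shell
#!/bin/sh
# Added example, not part of the wiki page: sanity-check the key material
# after copying it into /etc/openvpn/keys/. Assumes the file names from the
# sample client.conf (ca.crt, my.crt, my.key, ta.key); the directory is $1.

# List every file or directory under $1 that group or others can read or
# write. Prints nothing when the whole tree is private to its owner.
find_exposed_files() {
    find "$1" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) -print
}

# Return 0 when nothing under $1 is exposed, 1 otherwise.
keys_are_private() {
    [ -z "$(find_exposed_files "$1")" ]
}

# Lock the tree down: 700 on directories, 600 on files. Returns 0 if the
# tree is private afterwards.
lock_down_keys() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
    keys_are_private "$1"
}

# Check that my.crt chains to ca.crt and that my.key is the private key
# belonging to it (the RSA modulus of both must match). Needs openssl;
# returns 1 on any mismatch or if the key is unreadable.
check_cert_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/my.crt" >/dev/null || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/my.crt") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$dir/my.key") || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}
```

Typical use after copying the files: "lock_down_keys /etc/openvpn/keys && check_cert_chain /etc/openvpn/keys". A non-zero exit from the second call means either the wrong ca.crt was copied or the certificate and key are from different build-key runs.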
TODO
- teach the computers to run the following automatically on connecting to freegeek's wireless:
openvpn --config /etc/openvpn/client.conf