Openvpn

From FreekiWiki
Revision as of 15:58, 6 July 2010 by Ali (talk | contribs) (categorized)
Jump to navigation Jump to search

Introduction

OpenVPN is an open source Virtual Private Network (VPN), which allows one to establish a tunnel for any IP subnetwork or virtual ethernet adapter e.i. TUN/TAP kernel device over any UDP/TCP port. At freegeek, we have one between our wireless and wired networks.

Installation

  • on debian
apt-get install openvpn openssl resolvconf
  • gentoo
echo "ssl examples" >> /etc/portage/package.use
emerge -av openvpn resolvconf-gentoo
  • Other

can be found here: http://openvpn.net/install.html

Setup

Once installed you will need to set some things up.

Here is a sample config (though you will need to edit a few lines). Copy and save this as /etc/openvpn/client.conf . 

# both '#' and ';' act as comments
client
dev tun
proto udp
# change this to your server's address
remote ASK_A_SYSADMIN 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/MY_VERY_OWN_PERSONAL.crt
key /etc/openvpn/keys/MY_VERY_OWN_PERSONAL.key
ns-cert-type server
tls-auth /etc/openvpn/keys/ta.key 1
cipher BF-CBC
comp-lzo
# enable execution of up/down scripts:
script-security 2
# shipped with debian lenny and later:
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# alternate examples that do similar things:
#up /etc/openvpn/freegeek-up
#down /etc/openvpn/freegeek-down
# force all traffic through VPN:
#redirect-gateway

For the ASK_A_SYSADMIN, use the firewall's wireless ip or its external ip, depending on whether this will be accessible from the internet. For internet accessible, use 1193 instead of 1194.

The commented out up/down lines refer to alternate scripts, which you could copy from here: 

#!/bin/bash
# freegeek-up
TEMPFILE=`mktemp /tmp/resolv.conf.XXXXXX`
echo search fglan >> $TEMPFILE
for DHCPOPTVAR in ${!foreign_option*} ; do
    DHCPOPT="${!DHCPOPTVAR}"
    if echo $DHCPOPT | grep -qe '^dhcp-option.DNS' ; then
        echo $DHCPOPT | sed -re 's/dhcp-option.DNS.([0-9.]+)$/nameserver \1/' >> $TEMPFILE
    fi
done
cat $TEMPFILE | resolvconf -a $dev
rm $TEMPFILE

and: 

#!/bin/bash
# freegeek-down
rm /etc/resolvconf/run/interface/tun0
resolvconf -u

So, now the keys

if you read that configuration file, you would have seen ca.crt, foo.crt, and foo.key, and later on ta.key. you can't connect to the vpn without those files!

so ask a sysadmin to run the following commands on our vpn server: (if this will be internet accessible, use vars.internet) 

cd /etc/openvpn/easy-rsa
. ./vars
./build-key clientname

These files will land in either ../keys or ../keys.internet, depending.

Securely copy the three files named after clientname, plus ca.crt and ta.key, to your computer and put them in an unreadable directory, /etc/openvpn/keys/ . Don't leave any spare copies of those files lying around!

Automate

  • edit /etc/network/if-up.d/openvpn to include the following at the end of the file:
 if grep -q 'ESSID:"freegeek"' <(iwconfig $IFACE); then
   openvpn --daemon --config /etc/openvpn/client.conf --script-security 2
 fi
  • edit /etc/network/if-down.d/openvpn to include the following at the end of the file:
 if grep -q 'ESSID:"freegeek"' <(iwconfig $IFACE); then
   exec killall -q openvpn
 fi

Printing

To allow access to the printserver, add "BrowseAddress your-tun0-ip" to cupsd.conf on scribble and then restart cups. You should get a consistent ip address, so this should be stable unless we need to change the keys.

Retrieved from "http://wiki.freegeek.org/index.php?title=Openvpn&oldid=50263"