Bridged VPN with OpenVPN
This guide uses the bridged method: the server's LAN interface and OpenVPN's virtual tap interface are joined into one Ethernet bridge, so VPN clients appear as hosts on the LAN itself. This requires bridge-utils, which can be installed at the same time as the OpenVPN software:
$ sudo apt-get install openvpn bridge-utils
Configure Networking
Typically the VPN server sits on the LAN and the firewall transparently forwards VPN packets from the outside world; this is the premise I will work from. A bridge port has to accept frames addressed to any MAC, so the interfaces a bridge manages run in promiscuous mode. A typical bridge configuration on a Linux system could therefore look as follows in /etc/network/interfaces (where eth0 is managed by the bridge br0, and br0 carries the IP address that eth0 used to have):
## Start these interfaces on boot
auto lo br0

iface lo inet loopback

iface br0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.1
    bridge_ports eth0

iface eth0 inet manual
    up ifconfig $IFACE 0.0.0.0 up
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down
As seen above, we assume a 192.168.1.0/24 private network. For the changes to take effect, networking needs to be restarted:
$ /etc/init.d/networking restart
When started, OpenVPN creates the tap device, but it knows nothing about our bridge: the device has to be put into promiscuous mode and added to br0 by us. We do this with two scripts that OpenVPN runs through its up and down directives in the server configuration. OpenVPN invokes an up/down script with the tap device name and MTU as its first arguments; because we prepend the bridge name on the up and down lines, the scripts see the bridge as $1, the device as $2 and the MTU as $3. The first, /etc/openvpn/up.sh, manages the addition:
#!/bin/sh
# Called by OpenVPN as: up.sh <bridge> <tap-device> <tun-mtu> ...
# (the bridge name comes from the "up" line in server.conf, the rest from OpenVPN)
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up   # bring the tap device up, promiscuous
/usr/sbin/brctl addif $BR $DEV            # and make it a port of the bridge
The next, /etc/openvpn/down.sh will manage the removal of the tap device:
#!/bin/sh
# Called by OpenVPN as: down.sh <bridge> <tap-device> ...
BR=$1
DEV=$2
/usr/sbin/brctl delif $BR $DEV            # remove the tap device from the bridge
/sbin/ifconfig $DEV down
We will see later how they are called. Finally, we make them executable:
$ chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh
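Once OpenVPN is running and has created the tap device, it is worth confirming that up.sh really did what this section expects: tap0 enslaved to br0, up, and promiscuous. The script below is an added example and not part of the original guide; it reads the kernel's own view under /sys/class/net instead of parsing brctl output. Run it as bridge_port_ok br0 tap0 on the server; the optional third argument (an alternative sysfs root) and the make_fake_sysfs helper exist only so the checks can be exercised against a constructed tree.

```shell
#!/bin/sh
# Confirm that up.sh did its job: DEV is a port of bridge BR, is up and is
# promiscuous. Added example, not part of the original guide. It reads the
# kernel's own view under /sys/class/net instead of parsing brctl output.
# The optional third argument replaces /sys/class/net so the checks can be
# exercised against a constructed tree (see make_fake_sysfs).

# IFF_* bits as shown in hex by /sys/class/net/DEV/flags (from <linux/if.h>)
IFF_UP=0x1
IFF_PROMISC=0x100

# bridge_port_ok BR DEV [SYSFS_ROOT] -> 0 if every check passes, otherwise
# prints one line per failed check and returns 1.
bridge_port_ok() {
    _br=$1; _dev=$2; _sys=${3:-/sys/class/net}; _rc=0
    if [ ! -d "$_sys/$_br/brif" ]; then
        echo "$_br is not a bridge (no $_sys/$_br/brif)"; return 1
    fi
    # Every port of a bridge shows up as an entry in <bridge>/brif/.
    if [ ! -e "$_sys/$_br/brif/$_dev" ]; then
        echo "$_dev is not a port of $_br (brctl addif failed or never ran)"; _rc=1
    fi
    if [ ! -r "$_sys/$_dev/flags" ]; then
        echo "$_dev does not exist (OpenVPN not running, or a different dev name)"; return 1
    fi
    _flags=$(cat "$_sys/$_dev/flags")        # e.g. 0x1103
    [ $(( $_flags & $IFF_UP )) -ne 0 ]      || { echo "$_dev is down"; _rc=1; }
    [ $(( $_flags & $IFF_PROMISC )) -ne 0 ] || { echo "$_dev is not promiscuous"; _rc=1; }
    return $_rc
}

# Constructed sysfs tree (not a real system): bridge br0 with port tap0 that is
# up and promiscuous, plus a tap1 that was never added to the bridge and is
# not promiscuous.
make_fake_sysfs() {
    mkdir -p "$1/br0/brif/tap0" "$1/tap0" "$1/tap1"
    echo 0x1103 > "$1/tap0/flags"    # UP|BROADCAST|PROMISC|MULTICAST
    echo 0x1003 > "$1/tap1/flags"    # UP|BROADCAST|MULTICAST
}

if [ $# -ge 2 ]; then
    bridge_port_ok "$1" "$2"                 # e.g. bridge_port_ok br0 tap0
else
    _t=$(mktemp -d); make_fake_sysfs "$_t"
    bridge_port_ok br0 tap0 "$_t" && echo "tap0: bridged, up, promiscuous"
    bridge_port_ok br0 tap1 "$_t" || echo "tap1: not correctly bridged (expected)"
    rm -rf "$_t"
fi
```

A failing "is not a port of" line after a restart usually means the up script was never run, which is the script-security problem dealt with in the server section below.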
Configure OpenVPN Server
We must generate certificates for the server. To do this we set up our own Certificate Authority using the easy-rsa scripts provided in the /usr/share/doc/openvpn/examples/easy-rsa/ directory:
$ sudo mkdir /etc/openvpn/easy-rsa/
$ sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Before generating the CA we need to edit /etc/openvpn/easy-rsa/vars. Change the values of the entries below to reflect your CA. The same file sets KEY_SIZE, which easy-rsa 2.0 defaults to 1024; 1024-bit RSA keys and DH parameters are no longer considered adequate, so raise it to 2048 before building anything (the DH file is then named dh2048.pem rather than dh1024.pem, and the dh line in server.conf must name it):
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
Now we setup the CA and create the server certificate:
$ cd /etc/openvpn/easy-rsa/          ## move to the easy-rsa directory
$ source ./vars                      ## load your edited vars file into the shell
$ ./clean-all                        ## initialise the keys directory (deletes all existing keys!)
$ ./build-dh                         ## Diffie-Hellman parameters; takes a while, consider backgrounding
$ ./pkitool --initca                 ## creates the CA cert and key
$ ./pkitool --server server          ## creates a server cert and key signed by the CA
$ cd keys
$ openvpn --genkey --secret ta.key   ## generate the tls-auth HMAC key
$ cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/   ## dh2048.pem if you raised KEY_SIZE
By default all servers specified in *.conf files in /etc/openvpn/ are started on boot. Therefore, all we have to do is configure the openvpn server by creating /etc/openvpn/server.conf from the example file:
$ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
$ gzip -d /etc/openvpn/server.conf.gz
Edit /etc/openvpn/server.conf, amending or setting the following options as required. Note that this is where our networking up and down scripts are called (the bridge name is given as their first argument), and that the server line is commented out because we are using bridged mode:
local 192.168.1.10
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
;server 10.8.0.0 255.255.255.0
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.150
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN example.com"
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup
- local: is the IP address of the bridge interface.
- server-bridge: is needed when the configuration uses bridging. The 192.168.1.10 255.255.255.0 portion is the bridge interface address and mask. The range 192.168.1.100 192.168.1.150 is the pool of IP addresses that will be assigned to clients; it must lie inside the bridge subnet and must not overlap the range handed out by the LAN's DHCP server, since bridged clients share the LAN's broadcast domain.
- push: directives that send networking options to connecting clients. Note that dhcp-option DNS/DOMAIN is applied automatically only by the Windows client; a Linux client needs an up script to act on it (Ubuntu ships one as /etc/openvpn/update-resolv-conf).
- user and group: the unprivileged user and group the openvpn daemon switches to after start-up. Note that OpenVPN runs the down script after this privilege drop, so the brctl delif in down.sh will fail with a permission error when the daemon stops; this is cosmetic, because the kernel removes the tap device from the bridge when OpenVPN closes it.
We can now restart the server so that our changes take effect:
$ /etc/init.d/openvpn restart
If this fails, check /var/log/daemon.log for errors. It is likely that you get errors similar to:
Mar 15 19:28:52 dev ovpn-server[7786]: openvpn_execve: external program may not be called due to setting of --script-security level
Mar 15 19:28:52 dev ovpn-server[7786]: script failed: external program fork failed
This can be fixed by editing /etc/default/openvpn and amending the OPTARGS="" entry as follows (alternatively, add the line script-security 2 to server.conf itself):
OPTARGS="--script-security 2"
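The restart-and-read-the-log loop above is a slow way to catch the usual bridged-mode mistakes: a routed-mode server line left active, a client pool that is not inside the bridge subnet, tls-auth configured with the client's direction, or a missing up/down script. The following is an added example, not part of the original guide or of OpenVPN: a POSIX sh checker for exactly those invariants. The directive names are OpenVPN's own; the two sample configurations it writes are constructed for the demonstration. Point check_bridge_conf at /etc/openvpn/server.conf for the real thing.

```shell
#!/bin/sh
# Check an OpenVPN server.conf for the bridged-mode invariants this guide
# relies on. Added example, not part of the original guide or of OpenVPN;
# needs only POSIX sh and awk. Directive names are OpenVPN's own; the two
# sample configs written by write_good_conf/write_bad_conf are constructed.

# Print the arguments of the first active occurrence of directive $2 in $1.
# Lines commented out with ';' or '#' never match ($1 is then ';server'),
# and a trailing "# comment" is stripped, as OpenVPN's parser does.
conf_get() {
    awk -v key="$2" '$1 == key {
        sub(/[ \t]+[#;].*$/, "")        # drop trailing comment
        $1 = ""; sub(/^[ \t]+/, "")     # drop the directive name
        print; exit }' "$1"
}

# Dotted quad -> integer. printf %.0f keeps awk from printing 3.23e+09.
ip2int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# True when address $1 is in the subnet of address $2 with netmask $3.
in_subnet() {
    _sa=$(ip2int "$1"); _sn=$(ip2int "$2"); _sm=$(ip2int "$3")
    [ $(( _sa & _sm )) -eq $(( _sn & _sm )) ]
}

_fail() { echo "FAIL: $*"; _bad=$((_bad + 1)); }

# check_bridge_conf FILE: one line per finding, exit status = number of findings.
check_bridge_conf() {
    _conf=$1; _bad=0

    case "$(conf_get "$_conf" dev)" in
        tap*) ;;
        *) _fail "dev must be tap or tapN for bridging" ;;
    esac

    # 'server' is the routed-mode macro; in bridged mode it must stay commented.
    [ -z "$(conf_get "$_conf" server)" ] || \
        _fail "'server' is active; only 'server-bridge' belongs in a bridged config"

    set -- $(conf_get "$_conf" server-bridge)
    if [ $# -ne 4 ]; then
        _fail "server-bridge needs: gateway netmask pool-start pool-end"
    else
        _gw=$1; _mask=$2; _start=$3; _end=$4
        for _a in "$_start" "$_end"; do
            in_subnet "$_a" "$_gw" "$_mask" || _fail "pool address $_a is outside $_gw/$_mask"
        done
        [ "$(ip2int "$_start")" -le "$(ip2int "$_end")" ] || \
            _fail "pool start $_start is above pool end $_end"
        _local=$(conf_get "$_conf" local)
        [ -z "$_local" ] || in_subnet "$_local" "$_gw" "$_mask" || \
            _fail "local $_local is not on the bridge subnet"
    fi

    [ -n "$(conf_get "$_conf" up)" ]   || _fail "no 'up' script: the tap device would never join the bridge"
    [ -n "$(conf_get "$_conf" down)" ] || _fail "no 'down' script"

    # The server uses tls-auth direction 0, the client 1.
    case "$(conf_get "$_conf" tls-auth)" in
        "")    _fail "tls-auth missing; add 'tls-auth ta.key 0'" ;;
        *" 0") ;;
        *)     _fail "tls-auth direction must be 0 on the server" ;;
    esac

    return $_bad
}

# Constructed samples: the guide's configuration, and one with the classic mistakes.
write_good_conf() {
    cat > "$1" <<'EOF'
local 192.168.1.10
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
;server 10.8.0.0 255.255.255.0
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.150
push "route 192.168.1.0 255.255.255.0"
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup
EOF
}

write_bad_conf() {
    cat > "$1" <<'EOF'
local 192.168.1.10
dev tun0
server 10.8.0.0 255.255.255.0
server-bridge 192.168.1.10 255.255.255.0 192.168.2.100 192.168.2.150
tls-auth ta.key 1
EOF
}

if [ $# -gt 0 ]; then
    check_bridge_conf "$1"                   # e.g. /etc/openvpn/server.conf
else
    _tmp=$(mktemp -d)
    write_good_conf "$_tmp/good.conf"; write_bad_conf "$_tmp/bad.conf"
    check_bridge_conf "$_tmp/good.conf" && echo "good.conf: clean"
    check_bridge_conf "$_tmp/bad.conf" || echo "bad.conf: $? finding(s)"
    rm -rf "$_tmp"
fi
```

The checker deliberately ignores commented-out directives in the same way OpenVPN does, so the ;server line that the sample config leaves in place does not trip it; uncomment that line by mistake and the second finding appears immediately, without a daemon restart.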
Configure OpenVPN Client
The VPN client will also need a certificate to authenticate itself to the server. Create the certificate on the server as follows (replacing "hostname" with the name of the client):
$ cd /etc/openvpn/easy-rsa/
$ source vars
$ ./pkitool hostname
Now copy the following files from the /etc/openvpn/easy-rsa/keys directory to /etc/openvpn on the client (note that a secure method of transfer such as scp is highly recommended: hostname.key is the client's private key, and ta.key is a secret shared by every peer of this server):
- hostname.crt
- hostname.key
- ta.key
- ca.crt
With the server configured and the client certificates copied over, create a client configuration file by copying the example.
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
Now edit /etc/openvpn/client.conf changing the following options (the ca ca.crt line is already present in the example file):
dev tap
remote vpn.example.com 1194
cert hostname.crt
key hostname.key
tls-auth ta.key 1
Remember to replace vpn.example.com with the hostname of your VPN server as it is seen from the Internet (this could be the firewall if the firewall port-forwards port 1194 to the VPN server inside its LAN), and hostname.* with the actual certificate and key filenames.
Now simply start openvpn on the client in the same way you did for the server.
Windows Client Notes
On a Windows client the config file must carry an .ovpn extension (e.g. hostname.ovpn), and the client must be run with administrator privileges, otherwise the routes cannot be configured. This can be done by right-clicking the shortcut and selecting "Run as administrator".
Acknowledgements
This guide is unashamedly based upon the amazing efforts made by the Ubuntu community, namely:
https://help.ubuntu.com/community/OpenVPN
https://help.ubuntu.com/9.10/serverguide/C/openvpn.html