Background
I need a VPN server of my own so I can get into my home network when away from home. I happen to have a SheevaPlug server that should be able to run OpenVPN; put the two together and I get my own VPN server!
More background information:
Sheevaplug Info:
- Model: Original Sheevaplug
- Distro: Debian GNU/Linux 6.0
- Kernel: 2.6.32-5-kirkwood #1 Mon Oct 3 16:55:04 UTC 2011 armv5tel GNU/Linux
Details
To install, a simple $ sudo apt-get install openvpn should do the trick. Configuration has a few more steps than the install and, as such, has been broken into the following subsections:
Server Setup
Generating Client/Server Keys
First, we need to locate the “easy-rsa” folder, as it contains scripts and templates that will help in generating the client/server keys. On Debian systems this is typically located at /usr/share/doc/openvpn/examples/easy-rsa. Once the directory has been located, copy it and all its contents to the /etc/openvpn directory with the following command, adjusting for the proper paths on your system:
$ cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
Next, navigate into the /etc/openvpn/easy-rsa/2.0 directory, as it contains several useful scripts and templates.
Open the vars file with a text editor, as we will need to set a few variables that will make generating keys easier/quicker:
- Scroll to the end of the file and you should see similar items to the following:
- Edit the above values to fit information relating to you.
We first need to build the certificate authority (CA), which signs all the other certificates/keys. Do so with the following commands:
Upon executing the last command you will be prompted with several questions; fill in your information as appropriate (note: the default value, shown in [], can usually be accepted).
We can now create the keys, starting with the server key. Do so with the following command:
In the above command, the final “server” value is the name of the key generated. Any value can be used; however, items referencing this value (later in the doc) will need to be adjusted accordingly.
Next we generate the client key. Client keys can be used with or without a passphrase. I suggest generating them with a passphrase in case someone gains access to the client machine: they would then also need to know/find the VPN passphrase to connect. To generate the client key use one of the following commands:
Build the client key without a password:
$ ./build-key client
Build the client key with a password:
$ ./build-key-pass client
In both of the above commands “client” is the name of the key being generated. Any value can be used; however, items referencing this value (later in the doc) will need to be adjusted accordingly. Both of the above commands will also ask for a “challenge password”. This is separate from the connect passphrase and can be used at your own discretion.
The final key-building step is to generate the Diffie-Hellman parameters, which are used only on the server side and take a long time to generate (around 15-20 minutes). To do so, issue the following command: $ ./build-dh
Server Config
Now that we have all the keys generated, we can move them into the OpenVPN config root. The keys will all be located in the /etc/openvpn/easy-rsa/2.0/keys directory and need to be moved to the /etc/openvpn root. The following keys are needed:
- ca.crt
- ca.key
- dh1024.pem
- server.crt
- server.key
The following command, run from the keys directory, will copy these keys to the OpenVPN root on a standard setup: $ cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
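The key-generation and copy steps above are a single procedure, so here they are as one script. This is an added example and not part of the original tutorial: it drives the standard easy-rsa 2.0 scripts (assumed to live in /etc/openvpn/easy-rsa/2.0 as above), checks that every file the tutorial lists actually exists before anything is copied, makes sure the private keys are readable by the owner only, and keeps ca.key out of the set handed to clients. The KEY_* identity values and the example e-mail address are placeholders.

```shell
#!/bin/sh
# Added example, not from the original tutorial: drive the easy-rsa 2.0
# scripts, check that every expected file exists, lock down the private keys
# and copy the server-side files into the OpenVPN root.
# Assumptions: easy-rsa 2.0 is at EASYRSA_DIR (the tutorial's
# /etc/openvpn/easy-rsa/2.0); the KEY_* identity values are placeholders.
set -e

EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easy-rsa/2.0}"
OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn}"
SERVER_NAME="${SERVER_NAME:-server}"
CLIENT_NAME="${CLIENT_NAME:-client}"

# The five files the tutorial copies into /etc/openvpn.
SERVER_FILES="ca.crt dh1024.pem $SERVER_NAME.crt ca.key $SERVER_NAME.key"
# The three files handed to a client; ca.key is deliberately not among them.
CLIENT_FILES="ca.crt $CLIENT_NAME.crt $CLIENT_NAME.key"

# Run the build steps (interactive: build-ca and build-key-pass prompt).
# Exporting KEY_* after sourcing vars overrides the defaults at the end of
# that file, which is equivalent to editing them by hand.
build_pki() {
    cd "$EASYRSA_DIR"
    . ./vars
    export KEY_COUNTRY="US" KEY_PROVINCE="CA" KEY_CITY="SanFrancisco"  # placeholders
    export KEY_ORG="Home" KEY_EMAIL="me@example.invalid"              # placeholders
    ./clean-all                       # empties keys/: only for a fresh setup
    ./build-ca
    ./build-key-server "$SERVER_NAME"
    ./build-key-pass "$CLIENT_NAME"   # client key protected by a passphrase
    ./build-dh                        # slow on the Sheevaplug
}

# check_files DIR FILE...: succeed only if every FILE in DIR is non-empty.
check_files() {
    dir=$1; shift
    for f in "$@"; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            return 1
        fi
    done
    return 0
}

# world_readable_keys DIR: print the number of *.key files in DIR whose
# mode grants anything to group or others (GNU stat, as on Debian).
world_readable_keys() {
    dir=$1; count=0
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue
        mode=$(stat -c %a "$k")
        case "$mode" in
            ?00) ;;                                   # owner-only, fine
            *) echo "readable by others: $k (mode $mode)" >&2
               count=$((count + 1)) ;;
        esac
    done
    echo "$count"
}

# Copy the server files into the OpenVPN root and tighten the key modes.
install_keys() {
    check_files "$EASYRSA_DIR/keys" $SERVER_FILES || return 1
    for f in $SERVER_FILES; do
        cp "$EASYRSA_DIR/keys/$f" "$OPENVPN_DIR/$f" || return 1
    done
    chmod 600 "$OPENVPN_DIR/ca.key" "$OPENVPN_DIR/$SERVER_NAME.key"
    [ "$(world_readable_keys "$OPENVPN_DIR")" -eq 0 ]
}

case "${1:-}" in
    build)   build_pki ;;
    verify)  check_files "$EASYRSA_DIR/keys" $SERVER_FILES $CLIENT_FILES ;;
    install) install_keys ;;
    "")      ;;                                       # no action requested
    *)       echo "usage: $0 build|verify|install" >&2; exit 2 ;;
esac
```

Run it as root in three passes: `sh build-pki.sh build` (answer the prompts as you would for the manual commands), `sh build-pki.sh verify` to confirm all eight files came out, then `sh build-pki.sh install`. The install step fails rather than leaving a half-copied set if any server file is missing, and it ends by re-checking that no .key file in /etc/openvpn is readable by anyone but root.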
We can now create the OpenVPN configuration file, which lists several options as well as the keys that were just moved to the OpenVPN root. To do so, create (or open) the following file in /etc/openvpn with a text editor: $ nano /etc/openvpn/openvpn.conf
Paste the following into the file and save/exit:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.17.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
Adjust the server.crt and server.key names if you changed the names above.
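A few of the settings in that file are worth a second look once the server works: dh1024.pem is 1024-bit Diffie-Hellman, `group users` drops the daemon into a group every login user belongs to (Debian's unprivileged group is `nogroup`), there is no `tls-auth` HMAC key, and `client-to-client` lets every VPN client reach every other. The script below is an added example, not part of the original tutorial: it audits an openvpn.conf for those points and carries the tutorial's config alongside a hardened version of it. It assumes GNU grep (as on Debian) and, for the hardened config to actually start, that dh2048.pem was produced by rerunning ./build-dh with `export KEY_SIZE=2048` after sourcing vars and that ta.key was produced with `openvpn --genkey --secret ta.key`.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit an openvpn.conf for
# settings a defender would tighten, with the tutorial's config and a
# hardened version side by side so the script runs stand-alone.
# Assumptions: GNU grep (Debian); the hardened config expects dh2048.pem
# (KEY_SIZE=2048 in vars before ./build-dh) and ta.key
# (openvpn --genkey --secret ta.key) to exist in /etc/openvpn.
set -e

# has CONF REGEX: true if a line of CONF starts with REGEX.
has() { grep -Eq "^[[:space:]]*$2" "$1"; }

# audit_conf CONF: one line per finding on stderr, the count on stdout.
audit_conf() {
    conf=$1; n=0
    if has "$conf" 'dh[[:space:]]+dh1024\.pem'; then
        echo "dh1024.pem: 1024-bit DH parameters; set KEY_SIZE=2048 in vars and rerun ./build-dh" >&2
        n=$((n + 1))
    fi
    if has "$conf" 'group[[:space:]]+users([[:space:]]|$)'; then
        echo "group users: the daemon drops to a group every login user belongs to; use 'group nogroup'" >&2
        n=$((n + 1))
    fi
    if ! has "$conf" 'tls-auth[[:space:]]'; then
        echo "no tls-auth: add 'tls-auth ta.key 0' so packets without the HMAC key are dropped before the TLS handshake" >&2
        n=$((n + 1))
    fi
    if has "$conf" 'client-to-client'; then
        echo "client-to-client: every VPN client can reach every other client; remove unless needed" >&2
        n=$((n + 1))
    fi
    if ! has "$conf" 'user[[:space:]]'; then
        echo "no user directive: the daemon keeps root privileges after start-up" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# The server config from the tutorial, reproduced for the audit.
tutorial_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.17.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
EOF
}

# The same config with the four findings addressed.
hardened_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
# 2048-bit parameters: export KEY_SIZE=2048 before ./build-dh
dh dh2048.pem
# pre-shared HMAC key; clients carry the same file with direction 1
tls-auth ta.key 0
server 172.17.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
# Debian's unprivileged group, unlike 'users'
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

case "${1:-}" in
    audit)    audit_conf "$2" ;;
    hardened) hardened_conf ;;
    "")       ;;
    *)        echo "usage: $0 audit FILE | hardened" >&2; exit 2 ;;
esac
```

`sh audit-conf.sh audit /etc/openvpn/openvpn.conf` reports four findings against the tutorial's file and zero against the hardened one (`sh audit-conf.sh hardened` prints it). If you adopt `tls-auth`, every client needs a copy of ta.key and `tls-auth ta.key 1` in its own config, and if you drop `client-to-client`, clients can still reach the server and the home network, just not each other.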
Starting the VPN Server
Everything should now be in place to start OpenVPN. To do so, issue the following command: $ /etc/init.d/openvpn start
You should be able to ping your new OpenVPN server as follows: $ ping 172.17.0.1
If all succeeds, your server should now be up and ready for clients to connect!
Client Setup
Client setup is generally an easy process as well; however, the steps needed are dependent on the OS and/or VPN client you use. I am currently on a CrunchBang OS using the (gnome) NetworkManager Applet which took all of 1 minute to set up.
Getting the Client Certificates
Before setting up any client you need to copy the following files from your server’s /etc/openvpn/easy-rsa/2.0/keys directory to your client. I highly suggest copying the files by a secure method such as scp or a USB drive:
- client.crt
- client.key
- ca.crt
I suggest creating a directory in your user’s home directory named .openvpn and placing the files in this directory. The following subsections list setup steps for a given OS and/or client. If you need help or would like instructions on something not listed please contact us.
Linux with NetworkManager Applet
Steps to set up a VPN client to connect to the OpenVPN server listed above are as follows:
- Left click on the NetworkManager Applet in the system tray and select “VPN Connections>Configure VPN…”
- Under the VPN tab, click the “Add” button to add a new VPN
- Select “OpenVPN” as the VPN Connection Type and select Create…
- Give your VPN Connection a name such as “Home VPN”
- The Gateway will be the IP address (or DNS Name) of the server which you deployed the OpenVPN server to above
- The Authentication Type should be Certificates (TLS)
- For User Certificate, browse to the directory where you saved the client certs and select the “client.crt”
- For CA Certificate, browse to the directory where you saved the client certs and select the “ca.crt”
- For Private Key, browse to the directory where you saved the client certs and select the “client.key”
- For Private Key Password, enter the passphrase you specified above (if you chose the passphrase route)
- I also chose to only use the VPN connection for VPN related traffic by checking the “Use this connection only for resources on its network” on the IPv4 Settings tab. If you intend to use the VPN as a tunnel for all network traffic make sure this is unchecked.
Now that your VPN connection is set up you can do the following to connect:
- Left click on the NetworkManager Applet and select “VPN Connections>Home VPN”
The VPN client should connect to your VPN Server and allow access.
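For a client without NetworkManager, the same settings go into a config file for the openvpn command line. The script below is an added example and not part of the original tutorial: it writes a client config that mirrors the server config above (same proto, dev and comp-lzo), refuses to write anything if one of the three client files is missing, and makes client.key readable by the owner only. It assumes the files are in ~/.openvpn as suggested above, that the server certificate was built with build-key-server (which marks it as a server certificate, so `remote-cert-tls server` can check it), and the hostname vpn.example.invalid is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original tutorial: write a client-side
# configuration for the openvpn command line that matches the server
# config above, as an alternative to the NetworkManager dialog.
# Assumptions: the three client files sit in CERTDIR (the tutorial's
# ~/.openvpn); the server certificate was made with build-key-server, which
# marks it as a server certificate so remote-cert-tls can check it; the
# server name vpn.example.invalid is a placeholder.
set -e

# write_client_conf HOST CERTDIR OUTFILE
# Refuses to write anything if a client file is missing, and makes the
# private key owner-readable only.
write_client_conf() {
    host=$1; certdir=$2; out=$3
    for f in ca.crt client.crt client.key; do
        [ -s "$certdir/$f" ] || { echo "missing $certdir/$f" >&2; return 1; }
    done
    chmod 600 "$certdir/client.key"
    cat > "$out" <<EOF
client
dev tun
proto udp
remote $host 1194
nobind
persist-key
persist-tun
ca $certdir/ca.crt
cert $certdir/client.crt
key $certdir/client.key
# refuse to talk to a peer presenting anything but a server certificate
remote-cert-tls server
# must match the server: comp-lzo is set there
comp-lzo
verb 3
EOF
}

case "${1:-}" in
    write) write_client_conf "${2:-vpn.example.invalid}" "${3:-$HOME/.openvpn}" \
                             "${4:-$HOME/.openvpn/client.conf}" ;;
    "")    ;;
    *)     echo "usage: $0 write [HOST [CERTDIR [OUTFILE]]]" >&2; exit 2 ;;
esac
```

`sh client-conf.sh write my.home.example` writes ~/.openvpn/client.conf, which you start with `sudo openvpn --config ~/.openvpn/client.conf`; if you built the client key with build-key-pass you are prompted for the passphrase at start-up. Because the server config above does not push `redirect-gateway`, only the VPN subnet is routed through the tunnel, which is the command-line equivalent of the “Use this connection only for resources on its network” checkbox.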
Windows (Windows 7)
See the Windows 7 Client setup section on the Tutorial on how to Setup an Openvpn Server on Debian, with a Windows Client for tips on how to set up a Windows 7 client.
Client Firewall Ports
If you run a local firewall (as you should on any PC) you will need to allow UDP traffic on port 1194, as this is the port OpenVPN’s traffic runs on.
Port Forwarding / Internet Routing
This section assumes your VPN server sits behind the router that connects you to your ISP, and that you need to forward traffic from this ‘public’ address to your OpenVPN server (i.e. your OpenVPN server is not itself publicly reachable). If this is not the case you can skip this section.
The goal of this section is to make your OpenVPN server (VPN traffic only) publicly accessible. This will allow you to connect to your VPN server (and ultimately access your home network) from anywhere you have internet access. The strategy is the same regardless of the router: we want to forward traffic from a specified port to the OpenVPN server on its specified port (1194 by default). The method for doing this will vary from router to router. I have Verizon FiOS, so the directions below are for a FiOS router.
Log into your router’s configuration application (most routers have a web based configuration app). From the Main menu, select the “My Network” tab which lists all computers on your network. Next, select “Port Forwarding” in the box which correlates to the computer that you installed the OpenVPN server on. You should now be at the Port Forwarding page and can add a rule with the following steps:
- Under “Create new port forwarding rule:”, select the computer that you installed the OpenVPN server on in the first box (which should be labeled “IP Address forward to or select from menu”)
- Select “Custom Ports” in the second box (which should be labeled “Application to forward”)
- This should bring up a third box (which should be labeled “Both”); select “UDP” as this is the protocol type you want forwarded
- In the fourth box, enter the OpenVPN server port which should be “1194”
- Click the “Apply” button
The above steps created a rule on the router to “forward” all traffic that the router receives on port 1194 to the computer that you installed the OpenVPN server on. You should now be able to connect to your OpenVPN server from outside your local network!