Monday, February 23, 2009

Dynamic IP "Road-Warrior" VPN

Goal


To concentrate on getting a VPN up and running. Explanations are cut to the very minimum (for details read the OpenVPN HowTo).
This guide was written using Ubuntu 8.04 for both the server and the client. The text in red (the site-specific values such as names, addresses and paths) may be modified to fit your configuration.


Server


Install


- log in to the server
- execute:

# apt-get install openvpn


Create CA


- execute:

# cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
# source ./vars
# ./clean-all
# ./build-ca


[[build-ca will prompt you for some values. Use the following as reference:]]

Country Name (2 letter code) [US]:PH
State or Province Name (full name) [CA]:MM
Locality Name (eg, city) [SanFrancisco]:Pasig
Organization Name (eg, company) [Fort-Funston]:DPI
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:DPI-VPN
Email Address [me@myhost.mydomain]:eman.de.guzman@gmail.com


[[this will create ca.crt and ca.key in /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/]]


Create Key & Certificate


- execute:
# cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
# ./build-key-server server

[[build-key-server will prompt you for some values. Use the following as reference (leave challenge password and optional company name blank):]]

Country Name (2 letter code) [US]:PH
State or Province Name (full name) [CA]:MM
Locality Name (eg, city) [SanFrancisco]:Pasig
Organization Name (eg, company) [Fort-Funston]:DPI
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) [server]:server
Email Address [me@myhost.mydomain]:eman.de.guzman@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'PH'
stateOrProvinceName :PRINTABLE:'MM'
localityName :PRINTABLE:'Pasig'
organizationName :PRINTABLE:'DPI'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'eman.de.guzman@gmail.com'
Certificate is to be certified until Feb 23 02:17:50 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


[[build-key-server will create server.crt and server.key in /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/]]


Create Diffie Hellman parameters


- execute:

# cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
# ./build-dh

[[build-dh will create dh1024.pem in /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/]]


Configuration


- execute:
# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
# cd /etc/openvpn
# gunzip server.conf.gz

- open /etc/openvpn/server.conf and change the following:

line 78
from ca ca.crt
to ca /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt

line 79
from cert server.crt
to cert /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.crt

line 80
from key server.key
to key /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.key

line 87
from dh dh1024.pem
to dh /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/dh1024.pem

- save and close /etc/openvpn/server.conf


Test


- execute:

# openvpn /etc/openvpn/server.conf

- the output should look something like this (the line "Initialization Sequence Completed" indicates that everything is working):


Mon Feb 23 12:22:25 2009 OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 11 2008
Mon Feb 23 12:22:25 2009 Diffie-Hellman initialized with 1024 bit key
Mon Feb 23 12:22:25 2009 /usr/bin/openssl-vulnkey -q -b 1024 -m
Mon Feb 23 12:22:25 2009 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Feb 23 12:22:25 2009 TUN/TAP device tun0 opened
Mon Feb 23 12:22:25 2009 TUN/TAP TX queue length set to 100
Mon Feb 23 12:22:25 2009 ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Mon Feb 23 12:22:25 2009 route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Mon Feb 23 12:22:25 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Feb 23 12:22:25 2009 Socket Buffers: R=[110592->131072] S=[110592->131072]
Mon Feb 23 12:22:25 2009 UDPv4 link local (bound): [undef]:1194
Mon Feb 23 12:22:25 2009 UDPv4 link remote: [undef]
Mon Feb 23 12:22:25 2009 MULTI: multi_init called, r=256 v=256
Mon Feb 23 12:22:25 2009 IFCONFIG POOL: base=10.8.0.4 size=62
Mon Feb 23 12:22:25 2009 IFCONFIG POOL LIST
Mon Feb 23 12:22:25 2009 Initialization Sequence Completed


- press Ctrl+C to stop the test


Run


- execute:

# /etc/init.d/openvpn start

[[the init.d script for OpenVPN will look for a .conf file in /etc/openvpn/ and use it as the configuration file. This means that every time you start the server it will start to listen for VPN connection requests.]]



Linux Client


Install


- log in to the linux client
- execute:

# apt-get install openvpn



Create Key & Certificate


- execute:

# cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
# mkdir keys
# chmod 700 keys
# source ./vars
# ./clean-all
# scp user@vpnserver_ip:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.key ./keys/.
# scp user@vpnserver_ip:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt ./keys/.
# ./build-key client

[[the lines
# scp user@vpnserver_ip:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.key ./keys/.
# scp user@vpnserver_ip:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt ./keys/.

aim to copy the certificate authority (CA) key and certificate from the server to the client. You can use other means to copy the files from the server to the client]]

[[build-key will prompt you for some values. Use the following as reference (leave challenge password and optional company name blank):]]


Country Name (2 letter code) [US]:PH
State or Province Name (full name) [CA]:MM
Locality Name (eg, city) [SanFrancisco]:Pasig
Organization Name (eg, company) [Fort-Funston]:DPI
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) [client]:client1
Email Address [me@myhost.mydomain]:eman.de.guzman@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'PH'
stateOrProvinceName :PRINTABLE:'MM'
localityName :PRINTABLE:'Pasig'
organizationName :PRINTABLE:'DPI'
organizationalUnitName:PRINTABLE:'IT'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'eman.de.guzman@gmail.com'
Certificate is to be certified until Feb 22 08:46:55 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


[[make sure the Common Name value is different for each client]]
[[this will create client.crt and client.key in /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/]]
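The steps above copy ca.key to the client. That file is the key that signs every certificate the server will trust, so it is worth keeping it on the server only: generate the client's key and a certificate request on the client, send just the request (the .csr) to the server, and sign it there. easy-rsa 2.0 ships build-req and sign-req for this flow; the script below is an added example, not part of this guide or of easy-rsa, and does the same signing flow with plain openssl so it also runs where easy-rsa is absent. It adds the checks worth running on any easy-rsa output: the certificate chains to ca.crt, the server certificate carries the nsCertType=server extension that build-key-server adds, and private key files are not readable by group or others. The same applies to the Windows client below, which also copies ca.key. Directory names, the Common Names and the 3650-day validity are assumptions chosen to match the values used in this guide.

```shell
#!/bin/sh
# Added example (not the guide's own commands, see the lead-in). The CA key
# stays on the server: clients make their own key and a certificate request,
# and only the request (.csr) is sent to the server for signing.
# Directory and file names are assumptions for illustration.

# write_cnf FILE: minimal openssl config so that nothing here depends on the
# system openssl.cnf. The [v3_ca] section is used only by make_ca.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR NAME: self-signed CA certificate and key (server/CA host only).
make_ca() {
  dir=$1; name=$2
  mkdir -p "$dir"; chmod 700 "$dir"
  write_cnf "$dir/ca.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$dir/ca.cnf" -extensions v3_ca \
    -subj "/C=PH/ST=MM/L=Pasig/O=DPI/OU=IT/CN=$name" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  chmod 600 "$dir/ca.key"
}

# make_request DIR NAME: private key and certificate request, made on the
# client (or on the server for its own certificate). NAME becomes the
# Common Name, so it must be unique per client.
make_request() {
  dir=$1; name=$2
  mkdir -p "$dir"; chmod 700 "$dir"
  write_cnf "$dir/req.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
    -subj "/C=PH/ST=MM/L=Pasig/O=DPI/OU=IT/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  chmod 600 "$dir/$name.key"
}

# sign_request CADIR CSR OUT [server]: sign a request on the CA host. The
# optional fourth argument "server" adds the extensions easy-rsa's
# build-key-server uses (nsCertType=server, serverAuth); anything else
# produces a client certificate (clientAuth only), as build-key does.
sign_request() {
  cadir=$1; csr=$2; out=$3; role=${4:-client}
  ext=$(mktemp)
  if [ "$role" = server ]; then
    printf 'basicConstraints=CA:FALSE\nnsCertType=server\nextendedKeyUsage=serverAuth\n' > "$ext"
  else
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$ext"
  fi
  openssl x509 -req -in "$csr" -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" \
    -CAcreateserial -days 3650 -extfile "$ext" -out "$out" 2>/dev/null
  rm -f "$ext"
}

# cert_chains_to_ca CA CERT: succeeds when CERT was issued by CA.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# cert_is_server CERT: succeeds when CERT carries nsCertType=server, i.e. a
# client configured with 'ns-cert-type server' would accept it as a server.
cert_is_server() {
  openssl x509 -in "$1" -noout -text | grep -q 'SSL Server'
}

# key_is_private FILE: succeeds when group and others have no access bits.
key_is_private() {
  case $(ls -ld "$1") in ????------*) return 0 ;; esac
  return 1
}
```

Run make_request on the client, copy only NAME.csr to the server, run sign_request there and copy the resulting NAME.crt back together with ca.crt; ca.key is never copied anywhere. The three check functions are worth running on the guide's own easy-rsa output as well, in particular cert_is_server on server.crt, since a certificate made with build-key instead of build-key-server will fail it.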


Configuration


- execute:

# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
# cd /etc/openvpn

- open /etc/openvpn/client.conf and change the following:

line 42
from remote my-server-1 1194
to remote 111.111.111.101 1194

line 88
from ca ca.crt
to ca /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt

line 89
from cert client.crt
to cert /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/client.crt

line 90
from key client.key
to key /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/client.key

- save and close /etc/openvpn/client.conf


Test


- make sure that UDP port 1194 on the server is open
- execute:

# openvpn /etc/openvpn/client.conf

- the output should look something like this (the line "Initialization Sequence Completed" indicates that everything is working):


Tue Feb 24 16:58:07 2009 OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 11 2008
Tue Feb 24 16:58:07 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Feb 24 16:58:07 2009 /usr/bin/openssl-vulnkey -q -b 1024 -m
Tue Feb 24 16:58:08 2009 LZO compression initialized
Tue Feb 24 16:58:08 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Feb 24 16:58:08 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Feb 24 16:58:08 2009 Local Options hash (VER=V4): '41690919'
Tue Feb 24 16:58:08 2009 Expected Remote Options hash (VER=V4): '530fdded'
Tue Feb 24 16:58:08 2009 Socket Buffers: R=[110592->131072] S=[110592->131072]
Tue Feb 24 16:58:08 2009 UDPv4 link local: [undef]
Tue Feb 24 16:58:08 2009 UDPv4 link remote: 111.111.111.101:1194
Tue Feb 24 16:58:08 2009 TLS: Initial packet from 111.111.111.101:1194, sid=efff49ab 3322efb5
Tue Feb 24 16:58:08 2009 VERIFY OK: depth=1, /C=PH/ST=MM/L=Pasig/O=DPI/CN=DPI_CA/emailAddress=eman.de.guzman@gmail.com
Tue Feb 24 16:58:08 2009 VERIFY OK: depth=0, /C=PH/ST=MM/L=Pasig/O=DPI/CN=server/emailAddress=eman.de.guzman@gmail.com
Tue Feb 24 16:58:08 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 24 16:58:08 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 24 16:58:08 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Feb 24 16:58:08 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 24 16:58:08 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Feb 24 16:58:08 2009 [server] Peer Connection Initiated with 111.111.111.101:1194
Tue Feb 24 16:58:09 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Feb 24 16:58:09 2009 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Feb 24 16:58:09 2009 OPTIONS IMPORT: timers and/or timeouts modified
Tue Feb 24 16:58:09 2009 OPTIONS IMPORT: --ifconfig/up options modified
Tue Feb 24 16:58:09 2009 OPTIONS IMPORT: route options modified
Tue Feb 24 16:58:09 2009 TUN/TAP device tun0 opened
Tue Feb 24 16:58:09 2009 TUN/TAP TX queue length set to 100
Tue Feb 24 16:58:09 2009 ifconfig tun0 10.55.55.6 pointopoint 10.8.0.5 mtu 1500
Tue Feb 24 16:58:09 2009 route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.5
Tue Feb 24 16:58:09 2009 Initialization Sequence Completed


- press Ctrl+C to stop the test
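The WARNING line in the output above means the client does not check that the peer's certificate is a server certificate: any certificate signed by the CA, including one issued to another client with build-key, would be accepted as the server. The sample client.conf ships with ';ns-cert-type server' commented out; enabling it makes the client require the nsCertType=server extension that build-key-server adds (later OpenVPN versions prefer 'remote-cert-tls server'; the check below accepts either). The following audit script is an added example, not part of this guide: it reads a client config, reports the missing verification directive, and catches the path mistakes that the edits above are most prone to. The config lines and file paths it is tested against are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): audit an OpenVPN client config for the
# server-verification directive and a few other things worth catching before
# "Initialization Sequence Completed" is taken as proof that all is well.
# Usage: audit_client_conf /etc/openvpn/client.conf   (the path is an assumption)

# directive FILE NAME: print the arguments of the first active NAME line.
# Lines starting with '#' or ';' are comments, as in the sample configs.
directive() {
  awk -v name="$2" '
    /^[ \t]*[#;]/ { next }
    $1 == name    { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# audit_client_conf FILE: print one line per finding and return the number
# of findings, so a return value of 0 means every check passed.
audit_client_conf() {
  conf=$1; findings=0
  if [ -z "$(directive "$conf" remote)" ]; then
    echo "no 'remote' line: the client has no server to connect to"
    findings=$((findings + 1))
  fi
  # The check the WARNING in the test output asks for: without it, any
  # certificate signed by the CA is accepted as the server's.
  if [ "$(directive "$conf" ns-cert-type)" != server ] &&
     [ "$(directive "$conf" remote-cert-tls)" != server ]; then
    echo "no 'ns-cert-type server' (or 'remote-cert-tls server'): the server certificate is not checked for the server extension"
    findings=$((findings + 1))
  fi
  # ca/cert/key must be present and point at files that exist; the guide
  # uses absolute paths so the init script finds them regardless of cwd.
  for name in ca cert key; do
    path=$(directive "$conf" "$name")
    case $path in
      "") echo "no '$name' line"; findings=$((findings + 1)) ;;
      /*) [ -f "$path" ] || { echo "$name: $path does not exist"; findings=$((findings + 1)); } ;;
      *)  echo "$name: '$path' is relative; use an absolute path as the guide does"; findings=$((findings + 1)) ;;
    esac
  done
  return $findings
}
```

Run it against /etc/openvpn/client.conf after the edits in the Configuration section; a non-zero return value with the ns-cert-type finding means the WARNING will appear again on the next connection.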


Run


- execute:

# /etc/init.d/openvpn start


[[the init.d script for OpenVPN will look for a .conf file in /etc/openvpn/ and use it as the configuration file. This means that every time you start the client it will establish a VPN with the server.]]



Windows Client


Install


- download OpenVPN's Windows Installer
- run downloaded file to start OpenVPN installation


Create Key & Certificate


- in a command window, execute the following:

C:\> cd "c:\Program Files\OpenVPN\easy-rsa"
C:\> init-config
C:\> vars
C:\> clean-all
C:\> pscp user@vpnserver_ip:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.key keys\.
C:\> pscp user@vpnserver_ip:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt keys\.
C:\> path=%PATH%;c:\Program Files\OpenVPN\bin
C:\> build-key client

[[the lines
C:\> pscp user@vpnserver_ip:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.key keys\.
C:\> pscp user@vpnserver_ip:/usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt keys\.

aim to copy the certificate authority (CA) key and certificate from the server to the client. You can use other means to copy the files from the server to the client]]

[[build-key will prompt you for some values. Use the following as reference (leave challenge password and optional company name blank):]]


Country Name (2 letter code) [US]:PH
State or Province Name (full name) [CA]:MM
Locality Name (eg, city) [SanFrancisco]:Pasig
Organization Name (eg, company) [Fort-Funston]:DPI
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:client2
Email Address [me@myhost.mydomain]:eman.de.guzman@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'PH'
stateOrProvinceName :PRINTABLE:'MM'
localityName :PRINTABLE:'Pasig'
organizationName :PRINTABLE:'DPI'
organizationalUnitName:PRINTABLE:'IT'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'eman.de.guzman@gmail.com'
Certificate is to be certified until Feb 22 08:46:55 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated



Configuration


- still in the same command window, execute the following:

C:\> cd "c:\Program Files\OpenVPN\config\"
C:\> copy ..\sample-config\client.ovpn .
C:\> edit client.ovpn

- change the following:

line 42
from remote my-server-1 1194
to remote 111.111.111.101 1194

line 88
from ca ca.crt
to ca c:/Program\ Files/OpenVPN/easy-rsa/keys/ca.crt

line 89
from cert client.crt
to cert c:/Program\ Files/OpenVPN/easy-rsa/keys/client.crt

line 90
from key client.key
to key c:/Program\ Files/OpenVPN/easy-rsa/keys/client.key

- save and close "c:\Program Files\OpenVPN\config\client.ovpn"


Run


- make sure that UDP port 1194 on the server is open
- still in the same command window, execute the following:

C:\> cd "c:\Program Files\OpenVPN"
C:\> bin\openvpn config\client.ovpn

- when you see the line "Initialization Sequence Completed", this indicates that everything is working
- press Ctrl+Pause to stop OpenVPN



Reference


OpenVPN HowTo