Openvpn

From FedoraProject

Latest revision as of 21:50, 2 July 2014

OpenVPN

For more information, see https://community.openvpn.net/.

Working with systemd

With the transition to systemd, OpenVPN no longer has a single monolithic init script that starts every connection with a configuration file in /etc/openvpn/. Instead, individual connections are started and stopped with systemctl, using the openvpn@.service template unit.

For example, to start a connection, run systemctl start openvpn@foo.service, where the connection is defined in /etc/openvpn/foo.conf.

For more information, see the Systemd page, section "How do I start/stop or enable/disable services?".

Setting up an OpenVPN server

  1. yum install openvpn easy-rsa
  2. Copy /usr/share/easy-rsa/2.0 somewhere (like root's home directory with cp -ai /usr/share/easy-rsa/2.0 ~/easy-rsa).
  3. cd ~/easy-rsa
  4. Edit vars appropriately. The KEY_* values become the certificate subject fields; KEY_SIZE should be at least 2048 if the shipped default is lower.
  5. . vars
  6. ./clean-all (this empties the keys/ directory, so run it only once, before the CA is built)
  7. Before continuing, make sure the system time is correct. Preferably, set up NTP. Certificate validity periods are checked against the clock, so a wrong clock yields certificates that are rejected as not yet valid or already expired.
  8. ./build-ca
  9. ./build-key-server $( hostname | cut -d. -f1 ) (this issues a certificate marked for server use, which is what clients check with remote-cert-tls server)
  10. ./build-dh
  11. mkdir /etc/openvpn/keys
  12. cp -ai keys/$( hostname | cut -d. -f1 ).{crt,key} keys/ca.crt keys/dh*.pem /etc/openvpn/keys/ Note that only ca.crt is copied, not ca.key: the CA private key should not live on the VPN server. cp -ai preserves the mode of the source files, so check afterwards that the server .key is readable by root only.
  13. cp -ai /usr/share/doc/openvpn*/sample/sample-config-files/roadwarrior-server.conf /etc/openvpn/server.conf
  14. Edit /etc/openvpn/server.conf appropriately to set your configuration and the key paths, which point into /etc/openvpn/keys/.
  15. Fix the SELinux context of the files: restorecon -Rv /etc/openvpn
  16. systemctl -f enable openvpn@server.service (Note that 'server' corresponds with the configuration name in /etc/openvpn/, such as server.conf. This creates the symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service to the openvpn@.service template, so there is no need to run ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service by hand first.)
  17. systemctl start openvpn@server.service
  18. Verify that firewall rules allow traffic in from tun+, out from the LAN to tun+, and in from the outside on UDP port 1194.

The following should work (assuming an outside interface of eth1 and an inside interface of eth0). Note that the FORWARD rule for -i tun+ lets VPN clients reach anything the server can forward to; narrow it if clients should only reach particular hosts:

iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT
iptables -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

Or for genfw (my firewall-generation script, not currently available in Fedora), this in /etc/sysconfig/genfw/rules:

append INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
append INPUT -i tun+ -j ACCEPT
append FORWARD -i tun+ -j ACCEPT
append FORWARD -i eth0 -o tun+ -j ACCEPT
append FORWARD -i eth1 -o tun+ -j established

Or for system-config-firewall, you can add these custom rules:

-A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT
-A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

Create a file iptables-rules in /etc/sysconfig with the above contents. Then, in system-config-firewall, choose "Custom Rules", click "Add", choose IPv4 as the protocol type and filter as the firewall table, select /etc/sysconfig/iptables-rules as the File, and Apply the changes.
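The copy in step 12 above is where the server's private key and the CA certificate end up, and it is worth checking the result rather than trusting cp -ai. The following script is an added example, not part of the original page or of the openvpn and easy-rsa packages: it audits a keys directory for the files server.conf needs, flags a private key that is readable by group or others, and flags a CA private key that was copied along by mistake. The directory layout and file names follow the steps above; the host name vpn1 and the placeholder file contents in the demo are assumptions, and the permission check uses GNU stat.

```shell
#!/bin/sh
# Added example (not from the original page): audit /etc/openvpn/keys after
# steps 11-12. File names follow the steps above (ca.crt, <host>.crt,
# <host>.key, dh*.pem); the demo files are constructed placeholders.

# audit_keys DIR HOST
# Prints one line per finding and returns the number of findings (0 = clean).
audit_keys() {
    dir=$1; host=$2; findings=0

    # 1. Everything server.conf will reference must be there.
    for f in "$dir/ca.crt" "$dir/$host.crt" "$dir/$host.key"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            findings=$((findings + 1))
        fi
    done
    set -- "$dir"/dh*.pem                 # glob stays literal if nothing matches
    if [ ! -f "$1" ]; then
        echo "missing: $dir/dh*.pem (run ./build-dh and copy the result)"
        findings=$((findings + 1))
    fi

    # 2. Private keys: only the server key belongs here, and it must be
    #    owner-readable only. cp -ai preserves whatever mode the file had in
    #    ~/easy-rsa/keys, so check instead of assuming. (GNU stat syntax.)
    for k in "$dir"/*.key; do
        [ -f "$k" ] || continue
        case "$(basename "$k")" in
            ca.key)
                echo "CA private key present: $k (keep it off the VPN server)"
                findings=$((findings + 1))
                continue ;;
        esac
        mode=$(stat -c '%a' "$k")
        case "$mode" in
            600|400) ;;
            *)  echo "private key readable by group/others: $k (mode $mode, want 600)"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Demo: a keys directory with two common mistakes, then the fix.
demo() {
    tmp=$(mktemp -d); host=vpn1
    for f in ca.crt $host.crt $host.key dh2048.pem; do
        echo "placeholder, not a real PEM" > "$tmp/$f"   # constructed
    done
    chmod 644 "$tmp/$host.key"        # mistake 1: world-readable server key
    cp "$tmp/ca.crt" "$tmp/ca.key"    # mistake 2: CA key copied along
    echo "--- before:"; before=0; audit_keys "$tmp" "$host" || before=$?
    chmod 600 "$tmp/$host.key"; rm -f "$tmp/ca.key"
    echo "--- after:";  after=0;  audit_keys "$tmp" "$host" || after=$?
    rm -rf "$tmp"
    echo "findings before fix: $before, after fix: $after"
}
demo
```

Run it as root against the real directory with audit_keys /etc/openvpn/keys "$( hostname | cut -d. -f1 )" after step 12; a non-zero return is the number of things to fix before starting the service.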

Setting up a Linux OpenVPN client

Each client needs its own key pair and certificate issued by the CA built above (you can also reuse an existing client's, but a per-client certificate is what lets you revoke one client without affecting the others).

On the server:

  1. cd easy-rsa
  2. . vars
  3. ./build-key username

On the client (in the following, replace MyClient with a descriptive VPN connection name):

  1. Copy username.key, username.crt and ca.crt from the server to /etc/openvpn/keys/. Transfer the .key over a secure channel, keep it readable by root only, and do not copy ca.key.
  2. cp -ai /usr/share/doc/openvpn-*/sample-config-files/client.conf /etc/openvpn/MyClient.conf
  3. Edit /etc/openvpn/MyClient.conf appropriately to set your configuration (just like the server configuration: port, compression, ...) and key paths.
  4. systemctl enable openvpn@MyClient.service
  5. systemctl start openvpn@MyClient.service

openvpn@.service is a template unit, so systemctl enable instantiates it for MyClient by itself; there is no need to link or copy the unit file under /lib/systemd/system.

Check /var/log/messages (or journalctl -u openvpn@MyClient.service) if things did not work as expected.

Alternatively, on the client, after copying the keys onto the client machine, you can use NetworkManager to add a VPN connection. Make sure the NetworkManager-openvpn package is installed, then add a new VPN connection of type OpenVPN.

Automatic starting at boot should also be tested with password-protected key files, and possibly with --auth-user-pass. OpenVPN supports systemd's password agent when built with --enable-systemd (a ./configure option).

Setting up a Windows OpenVPN client

On the server:

  1. cd easy-rsa
  2. . vars
  3. ./build-key username

On the client:

  1. Install the OpenVPN GUI or the stand-alone OpenVPN client.
  2. Copy username.crt, username.key, and ca.crt to C:\Program Files\OpenVPN\config\ on the client (with the same care for the .key as on Linux: secure transfer, and do not copy ca.key).
  3. Drop roadwarrior-client.conf into C:\Program Files\OpenVPN\config\ as whatever.ovpn and edit appropriately.
  4. Either use the GUI to start the connection, start the OpenVPN service manually, or set the OpenVPN service to start automatically.

The client should verify that it is talking to the real server and not merely to some holder of a CA-signed certificate, since by default any certificate issued by the CA, another client's included, would be accepted. In whatever.ovpn, add remote-cert-tls server (which requires the peer certificate to be marked for server use, as ./build-key-server produces it) and pin the server's certificate name with verify-x509-name. The older tls-remote directive does the same pinning but was deprecated in OpenVPN 2.3 and removed in 2.4.
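The server-verification point above applies to the Linux MyClient.conf as much as to the Windows whatever.ovpn, since both use the same configuration syntax. The script below is an added example (not from the original page or from the OpenVPN project) that lints a client configuration for the directives involved: remote-cert-tls server, verify-x509-name (or the older tls-remote), ca, tls-auth, and the two settings that switch off data-channel protection. The two sample configurations are constructed for the demo; vpn.example.org, the server name vpn1 and keys/ta.key are placeholders, and tls-auth additionally needs a key generated with openvpn --genkey --secret ta.key and referenced on the server with direction 0.

```shell
#!/bin/sh
# Added example (not from the original page): lint the client-side directives
# that decide whether the client verifies the server. Works on the Linux
# MyClient.conf and the Windows whatever.ovpn alike. Directive names are real
# OpenVPN options; the sample configs below are constructed, and
# vpn.example.org / vpn1 / keys/ta.key are placeholders.

# has_directive FILE NAME [VALUE]
# True if NAME (optionally with first argument VALUE) occurs uncommented in FILE.
has_directive() {
    awk -v d="$2" -v v="$3" '
        { sub(/[#;].*/, "") }                        # drop # and ; comments
        $1 == d && (v == "" || $2 == v) { found = 1 }
        END { exit !found }' "$1"
}

# lint_client_conf FILE: prints one line per finding, returns the count.
lint_client_conf() {
    f=$1; n=0
    # Without remote-cert-tls server, any certificate signed by the CA,
    # including another client's, is accepted as the server.
    if ! has_directive "$f" remote-cert-tls server; then
        echo "$f: add 'remote-cert-tls server'"; n=$((n + 1))
    fi
    # Pin the server's certificate name. tls-remote was deprecated in OpenVPN
    # 2.3 and removed in 2.4; verify-x509-name is the replacement.
    if ! has_directive "$f" verify-x509-name && ! has_directive "$f" tls-remote; then
        echo "$f: add 'verify-x509-name <server CN> name'"; n=$((n + 1))
    fi
    if ! has_directive "$f" ca; then
        echo "$f: no 'ca' directive, the server certificate cannot be validated"; n=$((n + 1))
    fi
    # Optional but cheap: an HMAC on the control channel (server side uses direction 0).
    if ! has_directive "$f" tls-auth; then
        echo "$f: consider 'tls-auth ta.key 1'"; n=$((n + 1))
    fi
    if has_directive "$f" cipher none; then
        echo "$f: 'cipher none' disables data channel encryption"; n=$((n + 1))
    fi
    if has_directive "$f" auth none; then
        echo "$f: 'auth none' disables data channel authentication"; n=$((n + 1))
    fi
    return "$n"
}

# Demo: the weak and the hardened form of the same client configuration.
demo() {
    tmp=$(mktemp -d)
    # Constructed: roadwarrior-client.conf with the basics filled in. It connects,
    # but trusts anything the CA ever signed as "the server".
    cat > "$tmp/weak.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.org 1194
ca keys/ca.crt
cert keys/username.crt
key keys/username.key
;remote-cert-tls server
EOF
    # The same file with server verification turned on.
    cat > "$tmp/hardened.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.org 1194
ca keys/ca.crt
cert keys/username.crt
key keys/username.key
remote-cert-tls server
verify-x509-name vpn1 name
tls-auth keys/ta.key 1
EOF
    for c in weak hardened; do
        count=0; lint_client_conf "$tmp/$c.ovpn" || count=$?
        echo "$c.ovpn: $count finding(s)"
    done
    rm -rf "$tmp"
}
demo
```

On a real client, run lint_client_conf /etc/openvpn/MyClient.conf (or point it at the .ovpn copied from Windows); the weak sample reports three findings and the hardened one none, and the first two findings are the ones that matter for impersonation.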