OpenVPN enables secure client to server or network connections via a single TCP or UDP port encrypted with SSL. It is the perfect companion for a rapid and secure multitier application deployement where applications trafic between the client and the app is not always encrypted or well described to apply security directly.
We are going to use the following:
- a VPN server (under Ubuntu or Debian)
- clients with Mac and Windows laptops
- Additional application servers that are only visible to clients through the VPN
Installing the server
Start by launching an Exoscale instance. Select Ubuntu or Debian as the image, a 10 GB drive size and your SSH key.
It is best to create a dedicated security group for the OpenVPN server.
I am using a security group called
VPNin which I have the following rules:
- SSH: TCP port 22 allowed from 0.0.0.0
- VPN: TCP port 6443 allowed from 0.0.0.0 (note: you can configure any other port)
Once the server is running, connect as root and update it
apt-get update apt-get upgrade
Install the OpenVPN server
apt-get install openvpn
Configure the SSL layer and VPN stack
The OpenVPN suite comes with a collection of scripts that can be used to ease the creation of an certificate authority and the issuing of both server and client certificates and keys.
We are going to rely on those. They are stored in
Copy the basic set to the OpenVPN configuration files directory
mkdir /etc/openvpn/easy-rsa cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Adjust your settings
The collection of scripts relies on the
vars files for issuing certificates.
Edit this file and adjust the values of the following lines to your liking:
export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="firstname.lastname@example.org" export KEY_EMAILemail@example.com export KEY_CN=changeme export KEY_NAME=changeme export KEY_OU=changeme export PKCS11_MODULE_PATH=changeme export PKCS11_PIN=1234
Initialize the PKI and create the server certificate
Once the variables are adjusted, we are going to import them in our shell session:
cd /etc/openvpn/easy-rsa/ source vars
Then we will clean the default certicates and CA
finally initialize the CA and server certificates
./build-dh ./pkitool --initca ./pkitool --server server openvpn --genkey --secret keys/ta.key
Now the CA is initialized and we will copy the relevant files in the main OpenVPN configuration directory
cp keys/ca.crt keys/ta.key keys/server.crt keys/server.key keys/dh1024.pem /etc/openvpn/
Configure the settings
In order for OpenVPN to operate in a CHROOT jail we will create a directory for this
and then create a `/etc/openvpn/server.conf file with the following contents
# Server TCP/6443 mode server proto tcp port 6443 dev tun # Certificates ca ca.crt cert server.crt key server.key dh dh1024.pem tls-auth ta.key 1 key-direction 0 cipher AES-256-CBC # Network settings server 10.8.0.0 255.255.255.0 push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 22.214.171.124" push "dhcp-option DNS 126.96.36.199" keepalive 10 120 # Security and user user nobody group nogroup chroot /etc/openvpn/jail persist-key persist-tun comp-lzo # Log verb 3 mute 20 status openvpn-status.log ; log-append /var/log/openvpn.log
This file enables the creation of an OpenVPN configuration on TCP port 6443 that will issue IP addresses in the 10.8.0.0/24 range to our clients.
The server will run as the nobody user and be confined in a jail in case the OpenVPN stack was compromised.
Start the server
to start the server issue the command
you should get to the following successful message
root@openvpn:/etc/openvpn# openvpn openvpn.conf Mon Jun 23 10:43:48 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013 Mon Jun 23 10:43:48 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables Mon Jun 23 10:43:48 2014 Diffie-Hellman initialized with 1024 bit key Mon Jun 23 10:43:48 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file Mon Jun 23 10:43:48 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Jun 23 10:43:48 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Jun 23 10:43:48 2014 TLS-Auth MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ] Mon Jun 23 10:43:48 2014 Socket Buffers: R=[87380->131072] S=[16384->131072] Mon Jun 23 10:43:48 2014 ROUTE default_gateway=188.8.131.52 Mon Jun 23 10:43:48 2014 TUN/TAP device tun0 opened Mon Jun 23 10:43:48 2014 TUN/TAP TX queue length set to 100 Mon Jun 23 10:43:48 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Mon Jun 23 10:43:48 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500 Mon Jun 23 10:43:48 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2 Mon Jun 23 10:43:48 2014 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ] Mon Jun 23 08:43:48 2014 chroot to '/etc/openvpn/jail' and cd to '/' succeeded Mon Jun 23 08:43:48 2014 GID set to nogroup Mon Jun 23 08:43:48 2014 UID set to nobody Mon Jun 23 08:43:48 2014 Listening for incoming TCP connection on [undef] Mon Jun 23 08:43:48 2014 TCPv4_SERVER link local (bound): [undef] Mon Jun 23 08:43:48 2014 TCPv4_SERVER link remote: [undef] Mon Jun 23 08:43:48 2014 MULTI: multi_init called, r=256 v=256 Mon Jun 23 08:43:48 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0 Mon Jun 23 08:43:48 2014 MULTI: TCP INIT maxclients=1024 maxevents=1028 Mon Jun 23 08:43:48 2014 Initialization Sequence Completed
now that the server is working, uncomment the last line
/etc/openvpn/server.conf file to stop logs from
appearing on STDOUT
The server can now be launched as a deamon
service openvpn start
If the tunnel is only used to access this specific server then the server side configuration is over. In most cases we will want to use the OpenVPN server as a gateway to other servers. For this we need to enable forwarding on the server.
sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
and add the line add the end of
net.ipv4.ip_forward = 1
for a permanent setting across reboots.
Generating client certicates and keys
for each client that will connect to the OpenVPN server create a clientconf directory
mkdir -p /etc/openvpn/clientconf/clientA
then generate the files
cd /etc/openvpn/easy-rsa source vars ./build-keys clientA
The script has generated 3 files in the
- clientA.csr: the certificate request
- clientA.crt: the client certificate
- clientA.key: the client private key
copy all 3 files and the root certificate in
cp ca.crt ta.key keys/clientA* /etc/openvpn/clientconf/clientA/
create a client configuration file
# Client client dev tun proto tcp-client remote AAA.BBB.CCC.DDD. 6443 resolv-retry infinite cipher AES-256-CBC # Keys ca ca.crt cert clientA.crt key clientA.key tls-auth ta.key 1 key-direction 1 # Security nobind persist-key persist-tun comp-lzo verb 3
be sure to replace the AAA.BBB.CCC.DDD ip address by the public ip
address of the VPN server you are working on
ifconfig eth0|grep "inet addr"
client.conf file as
client.ovpn in order for Windows
client to retrieve settings automatically.
we will create a zip file of the client directory and transfer it on the clientA laptop
cd /etc/openvpn/clientcong/clientA zip clientA-vpn.zip *.*
Connecting the client
Download the client tool
- Mac: with the TunnelBlick client
- Linux: just install the openvpn package and on Ubuntu the desktop helper (network manager)
unzip the clientA.zip file and point the client to the
client.conf file. Trust and create the profile.
Enabling communications beyond the OpenVPN server
Various combinations can be done to communicate between client and servers:
- route all trafic through the VPN and allow/disallow from there
- push specific routes to server side destination on VPN initialization
read on at http://openvpn.net/index.php/open-source/documentation/howto.html#scope for extended possibilities
the easy-rsa tool suite can be found at https://github.com/OpenVPN/easy-rsa