Installing an OpenVPN-Server on Linux

Installation

See http://openvpn.net/howto.html for more details.

aptitude install openvpn

Generating Public/Private Keys

  • Download the openvpn package from http://openvpn.net/download.html#stable
  • Extract it, and copy the directory 'easy-rsa' to some other location
  • Inside easy-rsa, change the values in the file 'vars'; for example, I used these:
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=DE
export KEY_PROVINCE=BW
export KEY_CITY=Freiburg
export KEY_ORG="marssoft.de"
export KEY_EMAIL="mario@marssoft.de"
  • Generate a new master Certificate Authority certificate & key:
source ./vars
./clean-all
./build-ca

This produces output like the following; the values I entered are shown:

Generating a 1024 bit RSA private key
......++++++
.................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [BW]:
Locality Name (eg, city) [Freiburg]:
Organization Name (eg, company) [marssoft.de]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:marssoft.de
Email Address [mario@marssoft.de]:
  • Generate certificate & key for server:
./build-key-server server

This produces output like the following; the values I entered are shown:

Generating a 1024 bit RSA private key
...............++++++
............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [BW]:
Locality Name (eg, city) [Freiburg]:
Organization Name (eg, company) [marssoft.de]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:marssoft.de
Email Address [mario@marssoft.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/OpenVPN-Keys/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'BW'
localityName          :PRINTABLE:'Freiburg'
organizationName      :PRINTABLE:'marssoft.de'
commonName            :PRINTABLE:'marssoft.de'
emailAddress          :IA5STRING:'mario@marssoft.de'
Certificate is to be certified until May 20 14:18:07 2016 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
  • Generate certificates & keys for clients:
./build-key client-harald

Once again, this produces output like the following; the values I entered are shown:

Generating a 1024 bit RSA private key
.....++++++
................++++++
writing new private key to 'client-harald.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [BW]:
Locality Name (eg, city) [Freiburg]:
Organization Name (eg, company) [marssoft.de]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:client-harald
Email Address [mario@marssoft.de]:harald@gmx.de

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/OpenVPN-Keys/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'BW'
localityName          :PRINTABLE:'Freiburg'
organizationName      :PRINTABLE:'marssoft.de'
commonName            :PRINTABLE:'client-harald'
emailAddress          :IA5STRING:'pilzimkopf@gmx.de'
Certificate is to be certified until May 20 14:21:22 2016 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
  • Generate Diffie Hellman parameters:
./build-dh

These are the files you should get:

Filename            Needed By                  Purpose                      Secret
ca.crt              server + all clients       Root CA certificate          NO
ca.key              key signing machine only   Root CA key                  YES
dh{n}.pem           server only                Diffie Hellman parameters    NO
server.crt          server only                Server Certificate           NO
server.key          server only                Server Key                   YES
client-harald.crt   client1 only               Client1 Certificate          NO
client-harald.key   client1 only               Client1 Key                  YES

Configuration Files

/etc/openvpn/server.conf

dev tap
;dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
# server private key, required together with cert (was missing from this listing)
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
;server 172.22.22.0 255.255.255.0
server-bridge 172.22.22.4 255.255.255.0 172.22.22.50 172.22.22.100
user nobody
group nogroup
status /var/log/openvpn-status.log

/etc/default/openvpn

Ethernet Bridging

See http://openvpn.net/bridge.html for more details.

Subnets

Available (private) subnets are:

10.0.0.0     - 10.255.255.255     (10/8 prefix)
172.16.0.0   - 172.31.255.255     (172.16/12 prefix)
192.168.0.0  - 192.168.255.255    (192.168/16 prefix)

I chose the following: 172.22.22.0/24
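The four arguments of the server-bridge line in server.conf above (gateway, netmask, first and last pool address) all have to describe one network, and that network should be one of the private ranges listed here. The following added example, which is not from the original guide or from OpenVPN, is a small POSIX sh validator for exactly that: it converts dotted-quad addresses to integers, tests membership in the three RFC 1918 ranges, and checks that the gateway and the pool share the netmask's network, that neither the network nor the broadcast address is handed out, that the pool is ordered, and that the gateway itself is not inside the pool. The function names are this example's own; it assumes a shell with 64-bit arithmetic (dash and bash both qualify).

```shell
# Added example: validate a 'server-bridge GATEWAY NETMASK POOL_START POOL_END'
# line against the subnet rules above. Assumes 64-bit shell arithmetic.

# ip2int A.B.C.D: dotted quad -> unsigned 32-bit integer
ip2int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N: unsigned 32-bit integer -> dotted quad
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# in_rfc1918 ADDR: prints yes if ADDR is in 10/8, 172.16/12 or 192.168/16, else no
in_rfc1918() {
  ip=$(ip2int "$1")
  if [ $(( ip & 0xff000000 )) -eq $(( 10 << 24 )) ] ||
     [ $(( ip & 0xfff00000 )) -eq $(( (172 << 24) | (16 << 16) )) ] ||
     [ $(( ip & 0xffff0000 )) -eq $(( (192 << 24) | (168 << 16) )) ]; then
    echo yes
  else
    echo no
  fi
}

# check_server_bridge GATEWAY NETMASK POOL_START POOL_END
# Returns 0 and prints a summary when the arguments are consistent; otherwise
# prints the first problem found and returns 1.
check_server_bridge() {
  gw=$(ip2int "$1"); mask=$(ip2int "$2"); lo=$(ip2int "$3"); hi=$(ip2int "$4")
  net=$(( gw & mask ))
  bcast=$(( net | (~mask & 0xffffffff) ))
  for a in $gw $lo $hi; do
    [ $(( a & mask )) -eq $net ] || { echo "$(int2ip $a) is outside $(int2ip $net)/$2"; return 1; }
    [ $a -ne $net ] && [ $a -ne $bcast ] || { echo "$(int2ip $a) is the network or broadcast address"; return 1; }
  done
  [ $lo -le $hi ] || { echo "pool start $3 is above pool end $4"; return 1; }
  [ $gw -lt $lo ] || [ $gw -gt $hi ] || { echo "gateway $1 lies inside the pool $3-$4"; return 1; }
  [ "$(in_rfc1918 "$1")" = yes ] || { echo "$1 is not in a private (RFC 1918) range"; return 1; }
  echo "ok: gateway $1, network $(int2ip $net)/$2, pool $3-$4 ($(( hi - lo + 1 )) addresses)"
}

# The line from server.conf above:
check_server_bridge 172.22.22.4 255.255.255.0 172.22.22.50 172.22.22.100
```

Running the block prints `ok: gateway 172.22.22.4, network 172.22.22.0/255.255.255.0, pool 172.22.22.50-172.22.22.100 (51 addresses)`; swapping the pool bounds, moving the pool into 172.22.23.x, or ending the pool at .255 each produces a one-line reason and a non-zero exit status.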

Starting

modprobe tun
/etc/init.d/openvpn start

Installing an OpenVPN-Client on Windows

Get the 'Installation Package (Both 32-bit and 64-bit TAP driver included)' from

guides/openvpn-howto.txt · Last modified: 2014/04/02 22:39 (external edit)