Differences

This shows you the differences between two versions of the page.

guides:openvpn-howto [2006/05/23 01:44]
mario created
guides:openvpn-howto [2014/04/02 22:39] (current)
Line 1: Line 1:
 ====== Installing an OpenVPN-Server on Linux====== ====== Installing an OpenVPN-Server on Linux======
  
 +==== Installation ====
 See http://​openvpn.net/​howto.html for more details. See http://​openvpn.net/​howto.html for more details.
  
Line 7: Line 8:
 </​code>​ </​code>​
  
 +==== Generating Public/​Private Keys ====
  
 +  * Download the openvpn-package from http://​openvpn.net/​download.html#​stable
 +  * extract it, and copy the directory '​easy-rsa'​ to some other location
 +  * Inside easy-rsa, change values of the file '​vars',​ i.e. I used these:
 +
 +<​code>​
 +# These are the default values for fields
 +# which will be placed in the certificate.
 +# Don't leave any of these fields blank.
 +export KEY_COUNTRY=DE
 +export KEY_PROVINCE=BW
 +export KEY_CITY=Freiburg
 +export KEY_ORG="​marssoft.de"​
 +export KEY_EMAIL="​mario@marssoft.de"​
 +</​code>​
 +
 +  * Generate a new master Certificate Authority certificate & key:
 +<​code>​
 +source ./vars
 +./clean-all
 +./build-ca
 +</​code>​
 +
 +This will produce an output like this, I also added the shown values:
 +<​code>​
 +Generating a 1024 bit RSA private key
 +......++++++
 +.................................................++++++
 +writing new private key to '​ca.key'​
 +-----
 +You are about to be asked to enter information that will be incorporated
 +into your certificate request.
 +What you are about to enter is what is called a Distinguished Name or a DN.
 +There are quite a few fields but you can leave some blank
 +For some fields there will be a default value,
 +If you enter '​.',​ the field will be left blank.
 +-----
 +Country Name (2 letter code) [DE]:
 +State or Province Name (full name) [BW]:
 +Locality Name (eg, city) [Freiburg]:
 +Organization Name (eg, company) [marssoft.de]:​
 +Organizational Unit Name (eg, section) []:
 +Common Name (eg, your name or your server'​s hostname) []:​marssoft.de
 +Email Address [mario@marssoft.de]:​
 +</​code>​
 +
 +  * Generate certificate & key for server:
 +<​code>​
 +./​build-key-server server
 +</​code>​
 +
 +This will produce an output like this, I also added the shown values:
 +<​code>​
 +Generating a 1024 bit RSA private key
 +...............++++++
 +............++++++
 +writing new private key to '​server.key'​
 +-----
 +You are about to be asked to enter information that will be incorporated
 +into your certificate request.
 +What you are about to enter is what is called a Distinguished Name or a DN.
 +There are quite a few fields but you can leave some blank
 +For some fields there will be a default value,
 +If you enter '​.',​ the field will be left blank.
 +-----
 +Country Name (2 letter code) [DE]:
 +State or Province Name (full name) [BW]:
 +Locality Name (eg, city) [Freiburg]:
 +Organization Name (eg, company) [marssoft.de]:​
 +Organizational Unit Name (eg, section) []:
 +Common Name (eg, your name or your server'​s hostname) []:​marssoft.de
 +Email Address [mario@marssoft.de]:​
 +
 +Please enter the following '​extra'​ attributes
 +to be sent with your certificate request
 +A challenge password []:
 +An optional company name []:
 +Using configuration from /​root/​OpenVPN-Keys/​easy-rsa/​openssl.cnf
 +Check that the request matches the signature
 +Signature ok
 +The Subject'​s Distinguished Name is as follows
 +countryName ​          :​PRINTABLE:'​DE'​
 +stateOrProvinceName ​  :​PRINTABLE:'​BW'​
 +localityName ​         :​PRINTABLE:'​Freiburg'​
 +organizationName ​     :​PRINTABLE:'​marssoft.de'​
 +commonName ​           :​PRINTABLE:'​marssoft.de'​
 +emailAddress ​         :​IA5STRING:'​mario@marssoft.de'​
 +Certificate is to be certified until May 20 14:18:07 2016 GMT (3650 days)
 +Sign the certificate?​ [y/n]:y
 +
 +1 out of 1 certificate requests certified, commit? [y/n]y
 +Write out database with 1 new entries
 +Data Base Updated
 +</​code>​
 +
 +  * Generate certificates & keys for clients:
 +<​code>​
 +./build-key client-harald
 +</​code>​
 +
 +Once again, it will produce an output like this, I also added the shown values:
 +<​code>​
 +Generating a 1024 bit RSA private key
 +.....++++++
 +................++++++
 +writing new private key to '​client-harald.key'​
 +-----
 +You are about to be asked to enter information that will be incorporated
 +into your certificate request.
 +What you are about to enter is what is called a Distinguished Name or a DN.
 +There are quite a few fields but you can leave some blank
 +For some fields there will be a default value,
 +If you enter '​.',​ the field will be left blank.
 +-----
 +Country Name (2 letter code) [DE]:
 +State or Province Name (full name) [BW]:
 +Locality Name (eg, city) [Freiburg]:
 +Organization Name (eg, company) [marssoft.de]:​
 +Organizational Unit Name (eg, section) []:
 +Common Name (eg, your name or your server'​s hostname) []:​client-harald
 +Email Address [mario@marssoft.de]:​harald@gmx.de
 +
 +Please enter the following '​extra'​ attributes
 +to be sent with your certificate request
 +A challenge password []:
 +An optional company name []:
 +Using configuration from /​root/​OpenVPN-Keys/​easy-rsa/​openssl.cnf
 +Check that the request matches the signature
 +Signature ok
 +The Subject'​s Distinguished Name is as follows
 +countryName ​          :​PRINTABLE:'​DE'​
 +stateOrProvinceName ​  :​PRINTABLE:'​BW'​
 +localityName ​         :​PRINTABLE:'​Freiburg'​
 +organizationName ​     :​PRINTABLE:'​marssoft.de'​
 +commonName ​           :​PRINTABLE:'​client-harald'​
 +emailAddress ​         :​IA5STRING:'​pilzimkopf@gmx.de'​
 +Certificate is to be certified until May 20 14:21:22 2016 GMT (3650 days)
 +Sign the certificate?​ [y/n]:y
 +
 +1 out of 1 certificate requests certified, commit? [y/n]y
 +Write out database with 1 new entries
 +Data Base Updated
 +</​code>​
 +
 +  * Generate Diffie Hellman parameters:
 +<​code>​
 +./build-dh
 +</​code>​
 +
 +**These are the files you should get:**
 +|**Filename**|**Needed By**|**Purpose**|**Secret**|
 +|ca.crt|server + all clients|Root CA certificate|NO|
 +|ca.key|key signing machine only|Root CA key|YES|
 +|dh{n}.pem|server only|Diffie Hellman parameters|NO|
 +|server.crt|server only|Server Certificate|NO|
 +|server.key|server only|Server Key|YES|
 +|client-harald.crt|client1 only|Client1 Certificate|NO|
 +|client-harald.key|client1 only|Client1 Key|YES|
 +
 +==== Configuration Files ====
 +
 +/​etc/​openvpn/​server.conf
 +
 +<​code>​
 +dev tap
 +;dev tun
 +ca /​etc/​openvpn/​keys/​ca.crt
 +cert /​etc/​openvpn/​keys/​server.crt
 +dh /​etc/​openvpn/​keys/​dh1024.pem
 +;server 172.22.22.0 255.255.255.0
 +server-bridge 172.22.22.4 255.255.255.0 172.22.22.50 172.22.22.100
 +user nobody
 +group nogroup
 +status /​var/​log/​openvpn-status.log
 +</​code>​
 +
 +/​etc/​default/​openvpn
 +
 +==== Ethernet Bridging ====
 +See http://​openvpn.net/​bridge.html for more details.
 +
 +==== Subnets ====
 +
 +Available Subnets are:
 +|10.0.0.0|10.255.255.255|(10/​8 prefix)|
 +|172.16.0.0|172.31.255.255|(172.16/​12 prefix)|
 +|192.168.0.0|192.168.255.255|(192.168/​16 prefix)|
 +
 +I chose the following: **172.22.22.0/​24**
 +
 +==== Starting ====
 +
 +<​code>​
 +modprobe tun
 +/​etc/​init.d/​openvpn start
 +</​code>​
  
 ====== Installing an OpenVPN-Client on Windows====== ====== Installing an OpenVPN-Client on Windows======
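Review bot: the added /etc/openvpn/server.conf block has no `key` directive: it loads `ca`, `cert` and `dh` from /etc/openvpn/keys/ but never points OpenVPN at server.key, although the file table a few lines earlier lists server.key as "server only" and marks it Secret; add `key /etc/openvpn/keys/server.key` after the `cert` line and keep that file readable by root only. Because the config drops privileges with `user nobody` / `group nogroup`, it should also carry `persist-key` and `persist-tun`, otherwise the unprivileged process cannot re-read the key or reopen the tap device on a SIGUSR1 or ping-restart. The easy-rsa transcripts show "Generating a 1024 bit RSA private key" and the config loads dh1024.pem; the `vars` excerpt should also set `export KEY_SIZE=2048` so the CA, server and client keys (and the DH file, which then becomes dh2048.pem) are generated at a size still acceptable today. The server certificate is issued with exactly the CA's Distinguished Name (same C, ST, L, O, CN marssoft.de and emailAddress), so its subject equals its issuer, which is the shape of a self-signed certificate and makes CA and server hard to tell apart in logs and on the client; give the server a distinct CN such as its hostname. Documentation nits: the client-harald transcript enters `harald@gmx.de` at the Email Address prompt but the signed DN shows `emailAddress :IA5STRING:'pilzimkopf@gmx.de'`, so the two halves come from different runs; the `/etc/default/openvpn` line introduces a file but gives no content; and the Subnets table would read better with a header row (start, end, prefix) like the file table above it.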
guides/openvpn-howto.txt · Last modified: 2014/04/02 22:39 (external edit)