video on demandSetting Up Your VPN Server Using Certificate Authority
This section explains how to build a VPN server that allows more than one connection at the same time. This is done with a public key infrastructure (PKI). A PKI consists of a pair of public and private keys for the server and each client and a master certificate authority (CA), which is used to sign every server and client certificate.
The general overview of this process involves the following steps explained in these sections:
1. “Creating Certificates”
2. “Configuring the Server”
3. “Configuring the Clients”
1. Creating Certificates
Before a VPN connection gets established, the client must authenticate the server certificate. Conversely, the server must also authenticate the client certificate. This is called mutual authentication.
You can use two methods to create the respective certificates and keys:
Use the YaST CA module or
Use the scripts included with the openvpn package.
Generating Certificates with easy-rsa
The easy-rsa utilities use the openssl.cnf file stored under /usr/share/openvpn/easy-rsa/2.0. In most cases you can leave this file as it is.
1.1 Generate the Master CA And Key
Open a shell and become root.
Change the directory to /usr/share/openvpn/easy-rsa/2.0/.
Copy the file vars to /etc/openvpn and set export EASY_RSA
and export EASY_RSA
cp vars /etc/openvpn/
export EASY_RSA="/usr/share/openvpn/easy-rsa/2.0"
1.2 In the vars file change the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL variables according to your needs.
Initialize the PKI:
You are still in /usr/share/openvpn/easy-rsa/2.0/.
source /etc/openvpn/vars && ./clean-all && ./build-ca
Enter the data required by the build-ca script. Usually you can take the defaults that you have set in Step 4. Additionally set Organizational Unit Name and Common Name that were not set previously.
Once done, the master certificate and key are saved as /usr/share/openvpn/easy-rsa/2.0/keys/ca.*
1.3 Generate The Private Server Key
Change to the /usr/share/openvpn/easy-rsa/2.0/. directory.
Run the following script:
./build-key-server server
The argument (here: server) is used for the private key filename.
Accept the default parameters, but fill server for the Common Name option, and enter the challenge password.
Answer the next two questions (“Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”) with y (yes).
Once done, the private server key is saved as /usr/share/openvpn/easy-rsa/2.0/keys/server.*
1.4 Generate Certificates and Keys for a Client
Change to the /usr/share/openvpn/easy-rsa/2.0/ directory.
Create the key as in Step 1.3 of Procedure , “Generate The Private Server Key”:
./build-key client
Repeat the previous step for each client that is allowed to connect to the VPN server. Make sure you use a different name (other than “client”) and an appropriate Common Name, because this parameter has to be unique for each client.
Once done, the client certificate keys are saved as /usr/share/openvpn/easy-rsa/2.0/keys/client.* (depending on the name that you have given for the build-key command).
1.5 Final Configuration Steps
Make sure your current working directory is /usr/share/openvpn/easy-rsa/2.0/.
Create the Diffie-Hellman parameter:
./build-dh
Create the /etc/openvpn/ssl directory.
mkdir /etc/openvpn/ssl/
Copy the following files to /etc/openvpn/ssl:
cp keys/ca.{crt,key} keys/dh1024.pem keys/server.{crt,key} /etc/openvpn/ssl
Copy the client keys to the relevant client machine. You should have the files ca.crt, client.crt and client.key in the /etc/openvpn/ssl directory.
ssh root@192.168.1.216 mkdir /etc/openvpn/ssl/
scp keys/client* 192.168.1.216:/etc/openvpn/ssl/
scp keys/ca.crt 192.168.1.216:/etc/openvpn/ssl/
2. Configuring the Server¶
The configuration file is mostly a summary of /usr/share/doc/packages/openvpn/sample-config-files/server.conf without the comments and with some small changes concerning some paths.
# /etc/openvpn/server.conf
port 1194
proto udp
dev tun
# Security
ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/server.crt
key /etc/openvpn/ssl/server.key
dh /etc/openvpn/ssl/dh1024.pem
server 10.10.0.0 255.255.255.0
ifconfig-pool-persist /var/run/openvpn/ipp.txt
# Privileges
user nobody
group nobody
# Other configuration
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 4
Several other configurations, see comment in the original configuration from /usr/share/doc/packages/openvpn/sample-config-files.
If you want your clients to have a static ip,
make sure that the client-config-dir on the server
is known:
# cat /etc/openvpn/server.conf
(output skipped)
client-config-dir /etc/openvpn
(output skipped)
In this client config dir create a file with the
clientname and put the following line in it.
ifconfig-push 10.4.0.2 10.4.0.1
Now the client upon connect will receive the configured
address.
After this configuration, you can see log messages from your OpenVPN server under /var/log/openvpn.log.
rcopenvpn start
check the tunnel device with
ifconfig
check the log file
tail /var/log/openvpn.log
3. Configuring the Clients
The configuration file is mostly a summary from /usr/share/doc/packages/openvpn/sample-config-files/client.conf without the comments and with some small changes concerning some paths.
This is done on the client!
Enter the following /etc/openvpn/client.conf
client
dev tun
proto udp
#ipaddress of server to connect to
remote 192.168.1.215 1194
resolv-retry infinite
nobind
# Privileges
user nobody
group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# Security
ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/client.crt
key /etc/openvpn/ssl/client.key
comp-lzo
start the client side
rcopenvpn start
4. Changing Nameservers in VPN
If you need to change nameservers before or during your VPN session, use netconfig.
Use the following procedure to change a nameserver:
4.1. Changing Nameservers
Open a shell and log in as root.
Create the file /etc/openvpn/client.up with the following contents:
/sbin/netconfig modify -i "${1}" -s openvpn <<EOT
DNSSEARCH='${domain}'
DNSSERVERS='${dns[*]}'
EOT
Start your VPN connection with rcopenvpn start.
Create the file /etc/openvpn/client.down with the following contents:
/sbin/netconfig remove -i "${1}" -s openvpn
Run netconfig and replace the line DNSSERVERS with your respective entry:
netconfig modify -i tun0 -s openvpn <<EOT
DNSSEARCH='mt-home.net'
DNSSERVERS='192.168.1.116'
EOT
To check, if the entry has been successfully inserted into /etc/resolv.conf, execute:
grep -v ^# /etc/resolv.conf
search mt-home.net mat-home.net
nameserver ...
nameserver ...
nameserver 192.168.1.116
To remove the DNS entry, execute:
netconfig remove -i tun0 -s openvpn
Find another example in /usr/share/doc/packages/openvpn/contrib/pull-resolv-conf/.
If you need to specify a ranking list of fallback services, use the NETCONFIG_DNS_RANKING variable in /etc/sysconfig/network/config. The default value is auto which resolves to:
+strongswan +openswan +racoon +openvpn -avahi
Preferred service names have the + prefix, fallback services the - prefix.
KDE- and GNOME Applets For Clients¶
The following sections describe the setup of OpenVPN connections with the GNOME and KDE desktop tools.
KDE
To setup an OpenVPN connection in KDE4 that can be easily turned on or off, proceed as follows:
Make sure you have installed the NetworkManager-openvpn-kde4 package with all dependencies resolved.
Right-click on a widget of your panel and select Panel Options+Add Widgets....
Select Networks.
Right-click on the icon and choose Manage Connections.
Add a new VPN connection with Add+OpenVPN. A new window opens.
Choose the Connection Type between X.509 Certificates or X.509 With Password depending on what you have setup with your OpenVPN server.
Insert the necessary files into the respective text fields. From our example configuration these are:
CA file
/etc/openvpn/ssl/ca.crt
Certificate
/etc/openvpn/ssl/client1.crt
Key
/etc/openvpn/ssl/client1.key
Username
The user
Password
The password for the user
If you have not used the KDE Wallet System, you are asked if you want to configure it. Follow the steps in the wizard. After you have finished this step, you are reverted back to the Network Settings dialog.
Finish with Ok.
Enable the connection with your Network manager applet.
GNOME¶
To setup a OpenVPN connection in GNOME that can be easily turned on or off, proceed as follows:
Make sure you have installed the package NetworkManager-openvpn-gnome and have resolved all dependencies.
Start the Network Connection Editor with Alt+F2 and insert nm-connection-editor into the text field. A new window appears.
Select the VPN tab and click Add.
Choose the VPN connection type, in this case OpenVPN.
Choose the Authentication type. Select between Certificates (TLS) or Password with Certificates (TLS) depending on the setup of your OpenVPN server.
Insert the necessary files into the respective text fields. According to the example configuration, these are:
Username
The user (only available when you have selected Password with Certificates (TLS))
Password
The password for the user (only available when you have selected Password with Certificates (TLS))
User Certificate
/etc/openvpn/ssl/client1.crt
CA Certificate
/etc/openvpn/ssl/ca.crt
Private Key
/etc/openvpn/ssl/client1.key
Finish with Apply and Close.
Enable the connection with your Network Manager applet.
For More Information
For more information about VPN, visit:
http://www.openvpn.net: Homepage of VPN
/usr/share/doc/packages/openvpn/sample-config-files/: Examples of configuration files for different scenarios
/usr/src/linux/Documentation/networking/tuntap.txt, install the kernel-source package