OpenVPN

OpenVPN

OpenVPN is a free implementation of the open source virtual private network (VPN) technology that aims at creating encrypted point-to-point or server-to-client channels between hosts. It allows you to establish connections between computers protected by NAT and a firewall without having to change their settings.

Important

Note that, for correct operation, the time on all computers must be the same.

Generating PKI certificates for OpenVPN

Package installation and setup

Install the necessary software:

emerge easy-rsa

Once the package installed, a directory called /usr/share/easy-rsa will be created, containing the easyrsa script to work with certificates. Keys and certificates will be stored there too. Move it to /var/calculate/easy-rsa and go to this latter directory:

cp -a /usr/share/easy-rsa /var/calculate

cd /var/calculate/easy-rsa

Overview

tree

.
├── easyrsa
├── openssl-1.0.cnf
├── vars.example
└── x509-types
    ├── ca
    ├── client
    ├── COMMON
    └── server

1 directory, 7 files


Configure the certificate. To do so, first copy the sample file:

cp vars.example vars

Edit if necessary:

vars

set_var EASYRSA_REQ_COUNTRY     "GB"
set_var EASYRSA_REQ_CITY        "London"
set_var EASYRSA_REQ_ORG         "My Company"
set_var EASYRSA_REQ_EMAIL       "my@domain.org"
...

Create a certificate tree:

./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /var/calculate/easy-rsa/pki

Once completed, a directory called /var/calculate/easy-rsa/pki will be created for keys and certificates storage.

Overview

tree

.
├── easyrsa
├── openssl-1.0.cnf
├── pki
│   ├── private
│   └── reqs
├── vars
├── vars.example
└── x509-types
    ├── ca
    ├── client
    ├── COMMON
    └── server

4 directories, 8 files


Root certificate

Create a root certificate. Enter you password twice and specify the certificate name:

./easyrsa build-ca
Note: using Easy-RSA configuration from: /var/calculate/easy-rsa/vars
Generating a 2048 bit RSA private key
....................................................+++
......................................................................................................+++
writing new private key to '/var/calculate/easy-rsa/pki/private/ca.key.w3cG6vF0cv'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:domain.org

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/var/calculate/easy-rsa/pki/ca.crt

Replace domain.org with a certificate name of your choice or specify your domain.

Overview

tree pki

pki
├── ca.crt
├── certs_by_serial
├── index.txt
├── issued
├── private
│   └── ca.key
├── reqs
└── serial

4 directories, 4 files


Were therefore created:

  • ./pki/ca.crt , a root CA certificate
  • ./pki/private/ca.key , a private key of the root CA (which is the most important file)

Server certificate

Create a certificate for the OpenVPN server. To do so, run the following:

./easyrsa build-server-full server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......+++
.......................+++
writing new private key to '/var/calculate/easy-rsa/pki/private/server.key.mfeee1imNK'
-----
Using configuration from /var/calculate/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /var/calculate/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Feb 20 20:00:53 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

You will be prompted for a root certificate password. Replace server with your server certificate. By default, a certificate is valid 10 years.

Once the script has been completed, the following files are created:

  • ./pki/issued/server.crt which is a server certificate,
  • ./pki/private/server.key which is the server private key.

Client certificate

Create a certificate for the client similar the server OpenVPN certificate. To do so, run the following:

./easyrsa build-client-full client nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..................................................+++
................................................................................+++
writing new private key to '/var/calculate/easy-rsa/pki/private/client.key.qfTovtcVDo'
-----
Using configuration from /var/calculate/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /var/calculate/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Feb 20 20:34:40 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

You will be prompted for a root certificate password. Replace client with your client certificate. By default, this certificate is also valid 10 years.

Once the script has been completed, the following files are created:

  • ./pki/issued/client.crt is the client certificate
  • ./pki/private/client.key is the private key

Diffie-Hellman key

To create a Diffie-Hellman key, run:

./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...
DH parameters of size 2048 created at /var/calculate/easy-rsa/pki/dh.pem

A file containing the ./pki/dh.pem key will be created.

An additional secret key

Create an additional key for more protection:

openvpn --genkey --secret pki/ta.key

A file containing the ./pki/ta.key key will be created.

Server configuration

Installation

To install an OpenVPN server, run:

emerge openvpn

Getting keys and certificates

Create a directory where the certificates will be stored:

mkdir /etc/openvpn/keys

Cope the PKI keys and certificates you created. If the OpenVPN server is located on the host where the keys were created, run:

cp /var/calculate/easy-rsa/pki/ca.crt /etc/openvpn/keys/

cp /var/calculate/easy-rsa/pki/dh.pem /etc/openvpn/keys/

cp /var/calculate/easy-rsa/pki/issued/server.crt /etc/openvpn/keys/

cp /var/calculate/easy-rsa/pki/private/server.key /etc/openvpn/keys/

cp /var/calculate/easy-rsa/pki/ta.key /etc/openvpn/keys/

Server configuration

Edit the OpenVPN configuration file as shown below:

/etc/openvpn/openvpn.conf

# port, protocol, device, compression method
port 1194
proto udp
dev tun
compress lzo
# keys and certificates
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh.pem
tls-auth keys/ta.key 0
# allocated IP range, default route, DNS
server 192.168.10.0 255.255.255.0
# network topology
topology subnet
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
# restart tunnel if necessary
keepalive 10 120
# openvpn privileges
user openvpn
group openvpn
# keep device and key files unchanged when restarting the tunnel
persist-tun
persist-key
# info on current connections
status /var/log/openvpn-status.log

When redirect-gateway is used, OpenVPN clients will forward DNS queries via VPN. The VPN server must known how to process them. This can be achieved by forwarding the DNS server address to the connecting clients, which will replace their regular settings for the DNS server, as long as VPN is up. In the example above, this is handled by push "dhcp-option DNS 8.8.8.8", where 8.8.8.8 is the Google DNS address.

Important

Many hosts connected to the Internet via an OpenVPN client will periodically interact with the DHCP server to resume their IP lease. The redirect-gateway option may prevent the client from contacting the local DHCP server (as DHCP messages will be routed via VPN), resulting in loss of lease.

Restart the server and add it to the autostart:

/etc/init.d/openvpn start

rc-update add openvpn

Forwarding configuration

Enable packet forwarding between network interfaces:

/etc/sysctl.conf

net.ipv4.ip_forward = 1

To apply, run:

sysctl -p /etc/sysctl.conf

Forwarding redirect-gateway to the client will force all IP traffic generated on the client machine to pass through the OpenVPN server. The server must be configured to handle this traffic, for forwarding it via NAT, for example. If you want to forward your client's traffic on the Internet via NAT, run:

iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE

Replace eth0 with the local network interface of the server.

Save the forwarding rules and add them to autostart:

/etc/init.d/iptables save

rc-update add iptables

Client configuration

Installation

To install an OpenVPN client, run:

emerge openvpn

Getting keys and certificates

Create a directory where the certificates will be stored:

mkdir /etc/openvpn/keys

Copy the PKI keys and certificates you created. If the OpenVPN server is located on the host where the keys were created, run:

cp /var/calculate/easy-rsa/pki/ca.crt /etc/openvpn/keys/

cp /var/calculate/easy-rsa/pki/issued/client.crt /etc/openvpn/keys/

cp /var/calculate/easy-rsa/pki/private/client.key /etc/openvpn/keys/

cp /var/calculate/easy-rsa/pki/ta.key /etc/openvpn/keys/

Client configuration

Edit the OpenVPN client configuration file as follows:

/etc/openvpn/openvpn.conf

client
# protocol, device, compression method
proto udp
dev tun
compress lzo
# remote server, port
remote vpn.domain.org 1194
# keep device and key files unchanged when restarting the tunnel
persist-tun
persist-key
remote-cert-tls server
# keys and certificates
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
tls-auth keys/ta.key 1
# log
status /var/log/openvpn-status.log

Replace vpn.domain.org with the network name of your VPN server.

Client configuration based on an OVPN profile

Getting a profile file

To connect some OpenVPN clients, you may have to use the configuration profile.
In a way, this is even better: no need to enter or send certificates and keys. Just creat a ovpn file containing a configuration profile.

This file has the following structure: first comes the OpenVPN client configuration, followed by, in tags, the root certificate, the protection key, the client certificate, and the client key. To do so, follow the procedure described below. Create an ovpn client file and fill it with the following:

client.ovpn

client
proto udp
dev tun
compress lzo
remote vpn.domain.org 1194
persist-tun
persist-key
key-direction 1
remote-cert-tls server

Replace vpn.domain.org with the network name of your VPN server.

Copy the necessary keys and certificates to the profile file. Do not forget to use tags:

echo '<ca>' >> client.ovpn
cat /var/calculate/easy-rsa/pki/ca.crt >> client.ovpn
echo '</ca>' >> client.ovpn
echo '<cert>' >> client.ovpn
cat /var/calculate/easy-rsa/pki/issued/client.crt >> client.ovpn
echo '</cert>' >> client.ovpn
echo '<key>' >> client.ovpn
cat /var/calculate/easy-rsa/pki/private/client.key >> client.ovpn
echo '</key>' >> client.ovpn
echo '<tls-auth>' >> client.ovpn
cat /var/calculate/easy-rsa/pki/ta.key >> client.ovpn
echo '</tls-auth>' >> client.ovpn

Installing and configuring the client

There are several OpenVPN clients for Android. The most popular ones are OpenVPN for Android, OpenVPN Connect and OpenVPN Settings. The latter needs root access rights.

To connect an Android OpenVPN client, download your profile file on your mobile device (with Google Drive or any similar service). Now open your OpenVPN client and select OVPN Profile:

OpenVPN Connect