Openvpn
HowTo
Author: Duncan Thomas

Problem: You want to install Openvpn to your SME Server.
STEP 1: Collect and install the rpm`s from this directory.
[root@sme home]# rpm -ivh *.rpm
Preparing...                ########################################### [100%]
   1:lzo                    ########################################### [ 33%]
   2:openvpn                ########################################### [ 66%]
   3:smeserver-openvpn      ########################################### [100%]
[root@sme home]#
STEP 2: Enable the service and expand the tun alias into modules.conf
[root@sme home]# /sbin/e-smith/db configuration setprop openvpn status enabled
[root@sme home]# /sbin/e-smith/signal-event console-save
[root@sme home]# /sbin/reboot
STEP 3: The Keys.
The openvpn configs live in /etc/openvpn. The "static key" was created during the installation of smeserver-openvpn. It is unique to your machine and can be used for authentication. I would suggest, however, that you opt for the RSA key method. The method that follows is pretty much the same process as described in the openvpn howto here. First we create the master certificate.
[root@sme home]# cd /etc/openvpn/easy-rsa
[root@sme easy-rsa]# pico vars
Edit the default values at the bottom of the file to reflect your setup. The paths should be correct. You can change "export KEY_SIZE=1024" to 2048 if you like.
[root@sme easy-rsa]# . vars
[root@sme easy-rsa]# ./clean-all
[root@sme easy-rsa]# ./build-ca
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Generating a 1024 bit RSA private key
Choose the defaults as entered into the vars file. You will need to enter values for the following items.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Now we can build the certificate/private-key pairs for both the local and remote locations.
[root@sme easy-rsa]# ./build-key local
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Generating a 1024 bit RSA private key
Pretty much the same as before; however, we finish off by signing the key. Do not enter a challenge password.
[root@sme easy-rsa]# ./build-key remote
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Generating a 1024 bit RSA private key
And the same again to finish up. Choose a different Common Name here.
There is an option here to attach a password to the key if you like. It's not really an option if you are planning a LAN-to-LAN unattended setup; however, if you plan to use the Windows GUI, it adds an additional level of protection. If you wish to add a password, replace the above with the following.
[root@sme easy-rsa]# ./build-key-pass remote
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Generating a 1024 bit RSA private key
And add your password when requested for the PEM pass phrase. Do not enter a challenge password further down.
Finally we build the Diffie-Hellman parameters.
[root@sme easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................
And it can take a long time. I have had it range from around half an hour to five hours on the same machine. Fortunately it only needs to be done once.
Your generated keys will be in /etc/openvpn/easy-rsa/keys. The key names "local" and "remote" are simply descriptive; choose names that suit your setup. You can create as many keys as you like using the above method. ./clean-all will wipe your keys directory, so be careful.
scp remote.crt, remote.key and ca.crt across to the machine that will become the other end of the tunnel.
As stated previously, the config files live in the /etc/openvpn directory. When openvpn starts it will read any file in this directory that has a .conf extension. The openvpn site contains some pretty detailed documentation on setting up the configurations dependent on your needs.
There is a Windows GUI that can be found here. Because the client is based on openvpn-2.0 and the SME rpm is based on 1.6, you will need to add "key-method 1" to your Windows config (.ovpn) if you are using the RSA key method.
The default port for openvpn is UDP 5000. This port needs to be opened for the tunnel to work. I used the port opening contrib from here. Additional tunnels require a new port to be opened. When you have determined your networking scheme for the remote devices, add the network and mask to the Local Networks tab in the SME Server Manager. Use the IP address of the server for the router address. This HowTo is based on the routing method (not the bridging method), so choose a different subnet from your LAN network.
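A pre-flight check for the server .conf and Windows .ovpn pair described above, added here as an example (it is not code from this HowTo or from the smeserver-openvpn contrib): it parses each side's config and flags a missing RSA-method directive, a Windows client without "key-method 1", and tunnel endpoints or routed networks that collide with the local LAN. The sample configs, the hostname vpn.example.test and the 10.8.0.x tunnel addresses are constructed for the example.

```python
import ipaddress

# Constructed sample configs (not from the HowTo): SME server ("local" key) and a Windows
# openvpn-2.0 client ("remote" key) forming one routed tunnel on the default port, UDP 5000.
SERVER_CONF = """\
dev tun
port 5000
ifconfig 10.8.0.1 10.8.0.2
tls-server
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/local.crt
key /etc/openvpn/easy-rsa/keys/local.key
route 192.168.2.0 255.255.255.0   # the remote site's LAN, reached through the tunnel
"""
CLIENT_OVPN = """\
dev tun
remote vpn.example.test 5000
ifconfig 10.8.0.2 10.8.0.1
tls-client
ca ca.crt
cert remote.crt
key remote.key
route 192.168.1.0 255.255.255.0   # the SME server's LAN
"""

def parse_conf(text):
    """Parse 'directive arg ...' lines into {directive: [[args], ...]}, dropping # and ; comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf.setdefault(name, []).append(args)
    return conf

def check_config(text, role, lan_cidr, windows_client=False):
    """Return findings for one side ('server' or 'client'); lan_cidr is that side's own LAN."""
    conf, lan, findings = parse_conf(text), ipaddress.ip_network(lan_cidr), []
    needed = {"ca", "cert", "key"} | ({"dh", "tls-server"} if role == "server" else {"tls-client"})
    findings += [f"missing '{d}' (required for the RSA key method)" for d in sorted(needed - set(conf))]
    if windows_client and conf.get("key-method", [[]])[0] != ["1"]:
        findings.append("openvpn-2.0 Windows client needs 'key-method 1' to talk to the 1.6 server")
    for args in conf.get("ifconfig", []):   # tunnel endpoints must live outside the LAN
        findings += [f"tunnel endpoint {ip} is inside LAN {lan}" for ip in args[:2] if ipaddress.ip_address(ip) in lan]
    for args in conf.get("route", []):      # networks routed over the tunnel must not overlap the LAN
        net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        if net.overlaps(lan):
            findings.append(f"route {net} overlaps LAN {lan}; choose a different subnet")
    return findings
```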