Secure Networking For Linux, Windows, and Mac With OpenVPN (part 2)
Installation and First Steps
OpenVPN is famously difficult to get up and running, but the truth is that it needn't be. In this second and concluding OpenVPN article I am going to go through what it takes to get an OpenVPN Ethernet tunnel set up between a laptop computer and an office or home machine acting as an OpenVPN server.
Downloading and Installing OpenVPN
Windows: Download the OpenVPN GUI installation package from http://openvpn.se/download.html
Red Hat, Fedora, CentOS: Download RPM packages from http://dag.wieers.com/rpm/packages/openvpn/
Ubuntu: Download and install OpenVPN using Synaptic Package Manager
Mac OS X: Download and install Tunnelblick OpenVPN GUI client installation package from http://code.google.com/p/tunnelblick/
Source code: Download source code from http://www.openvpn.net/index.php/downloads.html, compile and install it.
Creating a Public Key Infrastructure
Once you've got OpenVPN successfully installed, it's time to build the public key infrastructure needed for certificate-based authentication. If you don't know what this means, don't worry: just follow the instructions. A fuller explanation can be found at http://openvpn.net/index.php/documentation/howto.html#pki
To get started, you'll need to use the Easy-RSA PKI suite.
On Windows machines you'll find it at:
On Linux machines this will probably be installed in an easy-rsa directory at /usr/share/doc/openvpn-2.0, but it's a good idea to move this to /etc/openvpn to prevent it getting overwritten by future updates.
Generating the Master Certificate Authority (CA) Certificate & Key
Windows: From the Start button select
cmd, and in the command window type:
cd "C:\Program Files\OpenVPN\easy-rsa"
Linux/BSD/UNIX: Open a terminal window and type
(assuming you have moved the easy-rsa directory to this location)
Then type the following commands, followed by return:
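Windows:
init-config
vars
clean-all
build-ca
Linux/BSD/UNIX (vars is sourced with a leading dot so that its settings carry over to the commands that follow):
./init-config
. ./vars
./clean-all
./build-ca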
The last command will invoke a window which will ask for a series of values. You can press the return key to enter the default values for all of these except the value for Common Name. For this, type:
Generating the Server and Client Certificates and Keys
The next step is to generate a server certificate and key, again using the Easy-RSA suite. The command for this is:
In the interactive session that follows, simply press Enter to provide the default value each time, until you are asked for a Common Name. For Common Name enter "server", then continue entering the default values until prompted to sign the certificate. Answer "y" to this question and to the following one to finish.
Then generate the certificate and key for your client machine. The process is similar to the one for building the server certificate and key, but this time enter client1 as the common name.
If you think you may want to access the OpenVPN server from more than one laptop, repeat the process, substituting client2 or client3 for client1 each time.
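Once the CA, server and client certificates exist, it is worth checking them before copying anything to the laptop. The script below is an added example, not part of the original article or of Easy-RSA: it checks that each certificate is signed by the CA, carries the Common Name you typed, matches its private key, and that the key file is not readable by other users. It assumes a Linux/BSD/Mac shell with the openssl command, and that the keys directory holds ca.crt plus NAME.crt and NAME.key for each common name; check_pki and make_demo_pki are hypothetical helper names, and the demo PKI is a constructed throwaway so the script runs on its own.

```shell
#!/bin/sh
# Added example (not from the article): audit an Easy-RSA style keys directory.
# Assumption: DIR holds ca.crt plus NAME.crt / NAME.key for each common name.

# check_pki DIR NAME...  -> returns 0 only if every NAME passes all four checks.
check_pki() {
    dir=$1; shift; rc=0
    for name in "$@"; do
        crt="$dir/$name.crt"; key="$dir/$name.key"
        # 1. The certificate must chain to the master CA certificate.
        if ! openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1; then
            echo "FAIL $name: not signed by $dir/ca.crt"; rc=1; continue
        fi
        # 2. The Common Name must be the one typed at the prompt.
        cn=$(openssl x509 -in "$crt" -noout -subject -nameopt multiline |
             sed -n 's/^ *commonName *= *//p')
        [ "$cn" = "$name" ] || { echo "FAIL $name: Common Name is '$cn'"; rc=1; }
        # 3. The private key must belong to this certificate.
        [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
          "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
            { echo "FAIL $name: key does not match certificate"; rc=1; }
        # 4. The private key must not be accessible to group or others.
        [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
            { echo "FAIL $name: $key is group/world accessible"; rc=1; }
    done
    return $rc
}

# make_demo_pki DIR -> constructed throwaway PKI (plain openssl standing in
# for build-ca, build-key-server and build-key) so the check can run offline.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo-CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    for n in server client1; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null
        openssl x509 -req -in "$1/$n.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
            -CAcreateserial -days 1 -out "$1/$n.crt" 2>/dev/null
        chmod 600 "$1/$n.key"
    done
}

demo=$(mktemp -d)
make_demo_pki "$demo"
check_pki "$demo" server client1 && echo "PKI checks passed"
rm -rf "$demo"
```

To audit your own files, call check_pki with the path to your keys directory and the common names you used, for example server and client1.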