October 31, 2014

Secure Networking For Linux, Windows, and Mac With OpenVPN (part 2) - page 2

Installation and First Steps

  • February 18, 2009
  • By Paul Rubens

The final step is to generate Diffie-Hellman parameters for key exchange:

  • Windows: build-dh
  • Linux/BSD/UNIX: ./build-dh

Figure 2

You'll find the results of all this work in a subfolder called keys in the easy-rsa folder, and the final task is to move the client key and certificate to your client device. The files in question are client1.key and client1.crt. (If you have created more than one client key and certificate, move the client2.key and client2.crt files to the second machine, and so on.)

  • Windows: place the files in C:\Program Files\OpenVPN\easy-rsa\keys
  • Linux/BSD/Unix: place the files in /etc/openvpn/

Your public key infrastructure is now set up.

Creating the OpenVPN Configuration Files

When OpenVPN runs it reads a configuration file from C:\Program Files\OpenVPN\config (Windows) or /etc/openvpn (Linux/BSD/Unix). This text file contains all the information OpenVPN needs to know to make or receive a connection, so it's crucial that these files are correct.

The easiest way to get OpenVPN working in the way we want is to edit the highlighted lines (each carries a # comment saying what to change) in the following config files to match your network setup, save them as a text file and copy them to the appropriate location.

Server configuration file:

#server config file start

local 192.168.1.15 # Change this address to the IP address of the network card attached to your router. To ensure this does not change you need either to have a static local IP address, or to configure your router to always assign this local IP address to your server.

port 1194 # This is the port OpenVPN will run on. Change it to a different port if you prefer

proto udp

mssfix 1400

push "dhcp-option DNS XXX.XXX.XXX.XXX" # Replace the Xs with the IP address of the DNS server for your network

push "dhcp-option DNS YYY.YYY.YYY.YYY" # Replace the Ys with the IP address of the secondary DNS server for your network

dev tap

ca "C:\Program Files\OpenVPN\easy-rsa\keys\ca.crt" #change this location to /etc/openvpn (without quotation marks) for Linux/BSD/Unix systems

cert "C:\Program Files\OpenVPN\easy-rsa\keys\server.crt" #change this location to /etc/openvpn for Linux/BSD/Unix systems

key "C:\Program Files\OpenVPN\easy-rsa\keys\server.key" #change this location to /etc/openvpn for Linux/BSD/Unix systems

dh "C:\Program Files\OpenVPN\easy-rsa\keys\dh1024.pem" #change this location to /etc/openvpn for Linux/BSD/Unix systems

server 192.168.10.0 255.255.255.128 # This will be the virtual IP address and subnet of the server's OpenVPN connection. Change it to something similar like 192.168.11.0 if this subnet is already in use

ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"  
keepalive 10 120

cipher BF-CBC # Blowfish (default). If you prefer, you can use one of the two ciphers listed below (which must be the same as the client)

#cipher AES-128-CBC   # AES 
#cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
max-clients 3 # Change the 3 to the number of client keys you have created
persist-key
persist-tun
status openvpn-status.log
# user nobody   # remove the # at the start of the line for Linux/BSD/Unix systems
# group nobody  # remove the first # at the start of the line for Linux/BSD/Unix systems
verb 1
#config file ends

Save this file as server.ovpn, and move it to C:\Program Files\OpenVPN\config (Windows) or /etc/openvpn (Linux/BSD/Unix).
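As an added example (not code from the article), the following Python script parses a server.ovpn like the one above, derives the client directives that must agree with it (proto, port, dev, cipher, comp-lzo) and flags the two 64-bit block ciphers the file lists. The server hostname and client file names are assumed placeholders, and Unix-style paths without backslashes are assumed.

```python
import shlex
# Constructed sample: a trimmed copy of the article's server.ovpn.
SERVER_CONF = """\
port 1194 # Change it to a different port if you prefer
proto udp
push "dhcp-option DNS 192.168.1.1"
dev tap
cipher BF-CBC # Blowfish (default)
#cipher AES-128-CBC   # AES
comp-lzo
"""
# 64-bit block ciphers (Blowfish, Triple-DES) leak plaintext over long
# sessions through birthday collisions (SWEET32); AES is not affected.
WEAK_CIPHERS = {"BF-CBC", "DES-EDE3-CBC"}

def parse_config(text):
    """Return {directive: [args, ...]} for the active (uncommented) lines.
    Trailing '# ...' comments are dropped; quoted arguments such as
    push "dhcp-option DNS ..." stay together, as OpenVPN reads them."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def client_config(server_text, server_host, client_name="client1"):
    """Build client directives mirroring the server; returns (text, warnings).
    server_host is the public IP or DynDNS name (placeholder, caller-supplied)."""
    conf = parse_config(server_text)
    cipher = conf.get("cipher", [["BF-CBC"]])[0][0]  # OpenVPN 2.x default
    warnings = []
    if cipher in WEAK_CIPHERS:
        warnings.append(f"{cipher} is a 64-bit block cipher; prefer AES")
    lines = [
        "client",
        f"dev {conf['dev'][0][0]}",          # tap, as on the server
        f"proto {conf['proto'][0][0]}",      # udp
        f"remote {server_host} {conf['port'][0][0]}",
        f"cipher {cipher}",                  # must equal the server's
        "ca ca.crt",                         # the CA that signed both certs
        f"cert {client_name}.crt",           # client1.crt/.key from easy-rsa
        f"key {client_name}.key",
    ]
    if "comp-lzo" in conf:                   # compression must match too
        lines.append("comp-lzo")
    return "\n".join(lines), warnings
```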

What to Do If You Don't Have a Static Public IP Address

OpenVPN clients connect to the OpenVPN server using a public IP address or host name that needs to be entered into the client config file. If your ISP provides your business or home network with a dynamic IP address that changes each time an Internet connection is reset, then your client config will no longer work after a reconnection. To get around this you can get a free hostname from DynDNS which automatically points to your dynamic IP address, even when it changes. To get a dynamic host name (such as myhost.dyndns.org) visit http://www.dyndns.com.

Article courtesy of Enterprise Networking Planet