Configuring VPN services generation two (SSL/TLS mode)

Introduction

This article describes configuring OpenVPN on Debian to link two home networks in SSL/TLS mode (aka client/server mode). It also provides limited documentation for configuring OpenVPN on Android to link to a home network.

This is a work in progress! (Last updated 04/10/2015)

Procedure: prologue

  1. Decide if you will use UDP or TCP for your VPN networks. If you don’t know then use UDP.
  2. Decide if you want to connect remote hosts to your local network or entire remote networks. If you don’t know then assume remote hosts only.
  3. Decide what IP address range you will use for your VPNs. When setting up VPNs, you can easily get confused about what network or IP address range is for what. Before you start it is a good idea to make a list of what is used for what. You could use something like this:

    If you don’t know what IP address range to use for your VPNs then use 10.171.0.0/16 (you don’t use that already, do you? 🙂)

Procedure: configuring the server

  1. Install the necessary software by running the following as root:
    apt-get install openvpn
  2. Clone the scripts needed to generate the certificates and keys by running:
    cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ~/easy-rsa
    cd ~/easy-rsa
  3. Edit the file vars and set:
    export KEY_COUNTRY="<two-letter-country-code-in-caps>"                    #  E.g. export KEY_COUNTRY="DE"
    export KEY_PROVINCE="<province-or-state-or-county-abbreviation-in-caps>"  #  E.g. export KEY_PROVINCE="BY"
    export KEY_CITY="<city-with-leading-caps>"                                #  E.g. export KEY_CITY="Ismaning"
    export KEY_ORG="<name-of-your-organisation>"                              #  E.g. export KEY_ORG="pasta.net"
    export KEY_EMAIL="<your-email-address>"                                   #  E.g. export KEY_EMAIL="alexis@pasta.net"
    export KEY_CN=$(uname -n)
    ...
    export KEY_OU="<organisation-type>"                                       #  E.g. export KEY_OU="network"

    Note that KEY_ORG can refer to any type of organisation (e.g. “Microsoft Corp”, “Clinton”, “speedtest.net”): use KEY_ORG to specify the name of the organisation and KEY_OU to specify what kind of organisation it is (e.g. “company”, “family”, “network”).

  4. Load these settings into the environment and set up prerequisite directories by running:
    . ./vars
    ./clean-all
    mkdir keys
  5. In order to generate certificates and keys for clients and servers you first need to generate a certificate and key for yourself as the certificate authority (CA). Do this by running:
    ./build-ca                           #  This creates ca.key and ca.crt
    cp ca.crt /etc/openvpn
  6. Generate a certificate and key for the VPN server:
    ./build-key-server $(uname -n)       #  this generates <hostname>.key and <hostname>.crt
    cp <hostname>.{key,crt} /etc/openvpn
  7. Be sure to archive all the generated files.
  8. Several scripts and config files are needed to run the VPN server. Set these up by running:
    cd /etc/openvpn
    for X in client-connect client-disconnect server-tcp.conf server-udp.conf; do
        svn cat https://svn.pasta.freemyip.com/main/openvpn-config/trunk/$X > $X
    done
    chmod 755 client-*connect
    chmod 644 *.conf
    openssl dhparam -out dh1024.pem 1024
  9. If you intend to run the VPN only over UDP or only over TCP then delete the other .conf file.
  10. Open the ports specified in the remaining .conf files.

Procedure: adding a client

What to do on the server

  1. Generate the key/cert/… for the client as follows:
    cd ~/easy-rsa
    . ./vars
    ./build-key <client-name>           #  this creates <client-name>.key and <client-name>.crt
  2. Generate a .conf file for the client as follows:
    SERVER=<fully-qualified-internet-accessible-name-of-the-vpn-server>
    CLIENT=<client-name>
    {
        echo "client"
        echo "dev tun"
        echo "proto tcp-client"          #  use "proto udp" instead if the server runs the UDP .conf
        echo "remote $SERVER 1194"
        echo "resolv-retry infinite"
        echo "nobind"
        echo "persist-key"
        echo "persist-tun"
        echo "ca ca.crt"
        echo "cert $CLIENT.crt"
        echo "key $CLIENT.key"
        echo "remote-cert-tls server"
    } > $CLIENT.conf
  3. Be sure to archive all the generated files.
  4. Deliver the following files to the administrator of the client:
    • ca.crt
    • <client-name>.crt
    • <client-name>.key
    • <client-name>.conf
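Before the four files above leave the server it is worth checking that they belong together. The script below is an added example, not part of this article or of easy-rsa: it assumes openssl is installed, uses the file names from this article, and builds a throwaway CA inline (constructed demo data) so the checks can be tried on a good and on a mismatched bundle.

```shell
#!/bin/sh
# Added example, not from the article or easy-rsa: sanity-check the files
# that step 4 delivers to a client. Assumes openssl is installed and that the
# files use the article's names (ca.crt, <client>.crt, <client>.key).
set -eu

# 0 when CERT chains to CA, the check OpenVPN itself performs because of "ca ca.crt".
chains_to_ca() {  # chains_to_ca ca.crt cert.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 when KEY is the private half of CERT. Shipping <client>.crt with someone
# else's .key is a common cause of a tunnel that never completes its handshake.
key_matches_cert() {  # key_matches_cert cert.crt cert.key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 when CERT carries the serverAuth extended key usage that build-key-server
# adds and that the client's "remote-cert-tls server" line insists on.
has_server_eku() {  # has_server_eku cert.crt
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Runs the three checks on a bundle, prints one line per check and returns
# non-zero if any fails (paths must not contain spaces).
check_bundle() {  # check_bundle ca.crt client.crt client.key server.crt
    rc=0
    for t in "chains_to_ca $1 $2" "key_matches_cert $2 $3" "has_server_eku $4"; do
        if $t; then echo "ok:   $t"; else echo "FAIL: $t"; rc=1; fi
    done
    return $rc
}

# Builds a throwaway CA plus a server and a client certificate in directory $1,
# so the checks can be tried without an easy-rsa tree (constructed demo data).
make_demo_pki() {  # make_demo_pki dir
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    printf 'extendedKeyUsage=serverAuth\n' > "$d/server.ext"
    for n in server client; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/client.crt" 2>/dev/null
}
```

On a real bundle run `check_bundle ca.crt <client-name>.crt <client-name>.key <hostname>.crt` from /etc/openvpn or your easy-rsa keys directory; any FAIL line means the files should not be delivered as they are.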

What to do on the client

  1. Install the necessary software by running:
    apt-get install openvpn
  2. Add (dummy network) for standalone hosts
  3. Firewall
  4. Import the delivered files and start the VPN tunnel
  5. Test that the VPN tunnel end is pingable
  6. Test that the VPN server’s network is accessible
  7. Adjust routing (or is that only needed on other hosts on the client network?)

What to do on the other hosts on the client’s network

See also