Scope: OpenVPN Server on Debian.
Client connections from Tunnelblick for Mac OSX, OpenVPN Client for Windows and Linux Client (yet to be tested).
1. Installation of OpenVPN was completed with apt
apt-get install openvpn
The following extra packages were installed when the above command was initiated.
libpkcs11-helper1 openvpn-blacklist

2. Next determine whether you will use a routed or bridged VPN. OpenVPN has a more in-depth write-up of the differences here. Each requires a different set of parameters in the OpenVPN configuration file, but it is well documented. I configured my installation first as routed and then transitioned to a bridged model.

Bridging advantages
- Broadcasts traverse the VPN. This allows software that depends on LAN broadcasts, such as Windows NetBIOS file sharing and network neighborhood browsing, to work.
- No route statements to configure.
- Works with any protocol that can function over ethernet, including IPv4, IPv6, Netware IPX, AppleTalk, etc.
- Relatively easy-to-configure solution for road warriors.

Bridging disadvantages
- Less efficient than routing, and does not scale well.

Routing advantages
- Efficiency and scalability.
- Allows better tuning of MTU for efficiency.

Routing disadvantages
- Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work.
- Routes must be set up linking each subnet.
- Software that depends on broadcasts will not "see" machines on the other side of the VPN.
- Works only with IPv4 in general, and IPv6 in cases where tun drivers on both ends of the connection support it explicitly.

3. Certificates need to be generated for both the server and clients.
NOTE: You must place the key and crt files for the server and client in the same directory as your .conf files unless you explicitly state otherwise in the conf file.
mkdir /etc/openvpn/easy-rsa
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa

3a. Edit the default values necessary for the certificates.

vi /etc/openvpn/easy-rsa/vars

3b. Generate the Certificate Authority that will be used to sign the certificates.

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca

3c. Create server keys.

./build-key-server server

3d. Generate the Diffie-Hellman parameters.

./build-dh

3e. Create client keys.

./build-key client1

4. Configure the server.conf file. OpenVPN example found at http://openvpn.net/index.php/open-source/documentation/howto.html#examples

NOTE: For the logging, it will require that you create the /var/log/openvpn directory; I went ahead and created the two logfiles as well.

This example is specifically for a bridged configuration. Please see the example above for detailed explanations of the various settings and options.

##################
# server.conf
##################
local 192.168.0.10
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
client-config-dir ccd
server-bridge 192.168.0.10 255.255.255.0 192.168.0.150 192.168.0.160
ifconfig-pool-persist ipp.txt
route 192.168.0.0 255.255.255.0
client-to-client
keepalive 10 120
#comp-lzo
max-clients 15
#user nobody
#group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3

5. Acquire the necessary package for the bridged configuration script.

apt-get install bridge-utils

6. Configure the openvpn-bridge script. I did not have good luck with the example script included on the openvpn.net site. I opted to utilize the one listed here and it has been successful on multiple systems. Edit based on your network settings.

#!/bin/bash
#################################
# OpenVPN Bridge
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.0.10"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"
gw="192.168.0.1"

case "$1" in
    start)
        for t in $tap; do
            openvpn --mktun --dev $t
        done
        brctl addbr $br
        brctl addif $br $eth
        for t in $tap; do
            brctl addif $br $t
        done
        for t in $tap; do
            ifconfig $t 0.0.0.0 promisc up
        done
        ifconfig $eth 0.0.0.0 promisc up
        ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
        route add default gw $gw
        ;;
    stop)
        ifconfig $br down
        brctl delbr $br
        for t in $tap; do
            openvpn --rmtun --dev $t
        done
        ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
        route add default gw $gw
        ;;
    *)
        echo "usage openvpn-bridge {start|stop}"
        exit 1
        ;;
esac
exit 0

7. Set the openvpn-bridge script to run at startup. (Please test first.) update-rc.d expects the script to live at /etc/init.d/openvpn-bridge.

update-rc.d openvpn-bridge defaults

8. Once the bridge is up and functional you can proceed to start OpenVPN.

/etc/init.d/openvpn start

9. Firewall. Make the necessary firewall changes to allow your clients to connect on the specified port (UDP 1194 in the server.conf above).

10. Client review and configuration to follow....
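As an added example that is not part of this howto: a small Python script that reads the status file the server.conf above writes with its status directive (/var/log/openvpn/openvpn-status.log) and reports who is connected and anything worth a second look. It assumes OpenVPN's default status-version 1 layout; the status text and the allowed_cns set are constructed for the example. In tap (bridged) mode the routing table's Virtual Address column holds the client's MAC rather than an IP.

```python
# Added example, not from the original howto. Parses the file written by
# "status /var/log/openvpn/openvpn-status.log" (default status-version 1 layout).

# Constructed sample from a bridged (tap) server: "Virtual Address" is a MAC here.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.5:51234,12345,67890,Thu Jun 18 08:01:02 2015
client2,198.51.100.7:40022,980,1540,Thu Jun 18 08:10:40 2015
client1,203.0.113.9:61000,100,200,Thu Jun 18 08:11:55 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:aa:bb:cc:01,client1,203.0.113.5:51234,Thu Jun 18 08:12:10 2015
00:ff:aa:bb:cc:02,client2,198.51.100.7:40022,Thu Jun 18 08:12:12 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def parse_status(text):
    """Parse status-version 1 text into (clients, routes) lists of dicts."""
    sections = {"OpenVPN CLIENT LIST": "clients", "ROUTING TABLE": "routes"}
    rows = {"clients": [], "routes": []}
    current, header = None, None
    for line in text.splitlines():
        if line in sections:
            current, header = sections[line], None
        elif line in ("GLOBAL STATS", "END"):
            current = None
        elif current and header is None and not line.startswith("Updated,"):
            header = line.split(",")  # column names for this section
        elif current and header and line:
            rows[current].append(dict(zip(header, line.split(","))))
    return rows["clients"], rows["routes"]

def review_clients(clients, allowed_cns):
    """Flag unexpected CNs and any CN connected more than once (no duplicate-cn set)."""
    findings, seen = [], {}
    for c in clients:
        cn, addr = c["Common Name"], c["Real Address"]
        seen.setdefault(cn, []).append(addr)
        if cn not in allowed_cns:  # allowed_cns is an assumed, site-specific set
            findings.append(f"unexpected common name {cn} from {addr}")
    for cn, addrs in seen.items():
        if len(addrs) > 1:
            findings.append(f"{cn} connected {len(addrs)} times: {', '.join(addrs)}")
    return findings
```

Against the live server, feed parse_status the contents of /var/log/openvpn/openvpn-status.log and pass review_clients the set of common names you actually issued with build-key.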
"OpenVPN Howto"