Monster VPN Project – Installing OpenVPN

The next part of this project is to install OpenVPN. Again, on Debian this is pretty simple. Make sure you’re logged in as root, and run the following:

  apt-get install openvpn

See, I said it was easy. Now comes the slightly more complex part, where we set up the CA and the utilities needed for generating certificates for the server and all the clients.

I like to move the easy-rsa directory into my /etc/openvpn directory, since it’s easier to work with it there (and easier to remember where it is). So run the following commands to copy it across:

mkdir /etc/openvpn/{keys,easy-rsa}
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ 

Then you need to edit your /etc/openvpn/easy-rsa/vars file and make a few changes. I’ve set the following variables:

export EASY_RSA="/etc/openvpn/easy-rsa/"
export KEY_DIR="/etc/openvpn/keys"

And I tweaked my KEY_ variables so I don’t have to fill them in every time:

Then you need to set up your environment by running:

cd /etc/openvpn/easy-rsa
. vars
./clean-all

Be careful with the clean-all command. Only run it ONCE, when you FIRST start this setup. It deletes ALL your keys, so you have a blank slate!

Now build your own Certificate Authority (CA) certificate and key:

./build-ca

Then build your Diffie-Hellman parameters (for the SSL/TLS connections):

./build-dh

Then build a key for your OpenVPN server. This generates server.crt and server.key.
Make sure you set the CommonName attribute to something meaningful for you (and unique):

./build-key-server server

Now you’ll want to generate a key for each of the connecting clients. We can do one now, and you can come back and follow these steps to add more at a later stage. Make sure the CommonName attribute is unique across all of them. In fact, I’d urge you to make each one correspond to the username that the client will authenticate with (this will be stored in the database).

./build-key client1

The basics of RSA dictate that anything ending in .key is to be kept private and stays on the machine it was intended for, while the .crt is the public certificate and is used by your local machine and by the remote end too.

So: 
server.key never leaves the server
server.crt gets copied to the client
client1.key gets copied to the client
client1.crt gets copied to the client
dh1024.pem gets copied to the client
ca.crt gets copied to the client.
ca.key is super secret. If someone got their hands on it, they could create more client certificates, which is a bad thing ™.
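easy-rsa 2.0 records every certificate it issues in $KEY_DIR/index.txt (the OpenSSL CA database, tab-separated). The following is an added example, not part of the original post: it parses that file so you can check a new client’s CommonName is unique before running ./build-key, and lists the valid client names that should line up with the usernames in your database. The sample index.txt contents are constructed, not taken from a real CA.

```python
"""Sanity checks over easy-rsa 2.0's index.txt before issuing a client cert.

index.txt columns (OpenSSL CA database): status (V = valid, R = revoked,
E = expired), expiry, revocation date, serial, filename, subject DN.
"""
from collections import namedtuple

Entry = namedtuple("Entry", "status expiry revoked serial subject cn")

# Constructed sample index.txt for demonstration; not from a real CA.
SAMPLE_INDEX = (
    "V\t190421081300Z\t\t01\tunknown\t/C=GB/O=Monster/CN=server/emailAddress=daffy@example.org\n"
    "V\t190421081500Z\t\t02\tunknown\t/C=GB/O=Monster/CN=client1/emailAddress=daffy@example.org\n"
    "R\t190421081700Z\t090423101300Z\t03\tunknown\t/C=GB/O=Monster/CN=client2/emailAddress=daffy@example.org\n"
)


def parse_index(text):
    """Parse index.txt content into Entry records, extracting CN from the DN."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, subject = line.split("\t", 5)
        cn = next((p[3:] for p in subject.split("/") if p.startswith("CN=")), None)
        entries.append(Entry(status, expiry, revoked, serial, subject, cn))
    return entries


def valid_common_names(entries):
    """CNs of certificates that are still valid (status V)."""
    return {e.cn for e in entries if e.status == "V"}


def cn_is_free(entries, cn):
    """True if no valid certificate already carries this CommonName.

    A name on a revoked or expired cert may be reissued; a name on a valid
    cert must not be reused, as it would clash with per-user authentication.
    """
    return cn not in valid_common_names(entries)


def client_common_names(entries, server_cn="server"):
    """Sorted valid client CNs, i.e. the usernames the auth database should hold."""
    return sorted(valid_common_names(entries) - {server_cn})


if __name__ == "__main__":
    recs = parse_index(SAMPLE_INDEX)
    for name in ("client1", "client2", "client3"):
        print(name, "free" if cn_is_free(recs, name) else "TAKEN")
    print("clients:", client_common_names(recs))
```

Run it against /etc/openvpn/keys/index.txt (read the file instead of SAMPLE_INDEX) before each ./build-key to catch a duplicate CommonName early.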

And that’s all I’ll cover in this howto.

In the next one, we’ll install radiusplugin, and I’ll show you the configuration files needed for the server and clients.

Posted: April 23rd, 2009
at 10:13am by daffy

Categories: guides