Your Private tunnel to the Internet.
OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.
Installation
apt-get install openvpn
apt-get install libpam0g-dev    (for PAM support)
Configuration
You need to make a decision here whether you want tun (routed) or tap (bridged) connections. The main difference is that tap will give the client a network address on the server network, whereas tun creates a private network managed by the server. I chose tun for my case.
Authentication methods
- Certificates/keys
- Smart cards
- Username/password credentials
Preparing to generate the keys
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
Generate the certificate authority (CA) which will be used to sign the server and client certificates.
. ./vars
./clean-all
./build-ca
Next, we need to create the server keys
./build-key-server server
Answer ‘yes’ when asked to sign the certificate and commit it to the database. Then you’ll need to generate the Diffie-Hellman parameters, which are used for key exchange between the client and
./build-dh
As I decided to use PAM-based authentication, I just avoid creating the cert keys for client authentication here.
Here is my config file for the server (/etc/openvpn/server.conf):

port 1194
proto tcp-server
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 192.168.50.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
push "route 192.168.0.0 255.255.240.0"
push "dhcp-option DNS 192.168.1.1"
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name
Start, stop or restart the service with /etc/init.d/openvpn start|stop|restart; if it fails to come up, look in /var/log/openvpn.log for the error.
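As an added example (not code from the original post), here is a small Python check that parses a server.conf like the one above and reports the security-relevant choices it makes: password-only authentication because client certificates are not required, no tls-auth/tls-crypt key (OpenVPN directives that this page does not use), and a dh file whose name suggests 1024-bit parameters. The sample config embedded below is constructed from the directives on this page.

```python
import shlex

# Constructed sample: the server.conf from this page, one directive per line.
SAMPLE_CONF = """\
port 1194
proto tcp-server
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 192.168.50.0 255.255.255.0
push "route 192.168.0.0 255.255.240.0"
push "dhcp-option DNS 192.168.1.1"
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name
"""


def parse_conf(text):
    """Return (directive, [args]) pairs; '#' and ';' start comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)  # keeps quoted push arguments intact
            entries.append((parts[0], parts[1:]))
    return entries


def audit(entries):
    """Map finding codes to explanations for the auth/TLS choices found."""
    names = {d for d, _ in entries}
    findings = {}
    if "client-cert-not-required" in names:
        findings["no-client-certs"] = ("no client certificate is required, so "
                                       "access rests on PAM passwords alone")
    if not names & {"tls-auth", "tls-crypt"}:
        findings["no-tls-auth"] = ("no tls-auth/tls-crypt key: the TLS handshake "
                                   "is open to any host that can reach the port")
    for d, args in entries:
        if d == "dh" and args and "1024" in args[0]:
            findings["weak-dh"] = "dh file name suggests 1024-bit parameters"
    return findings


if __name__ == "__main__":
    for code, why in audit(parse_conf(SAMPLE_CONF)).items():
        print(f"{code}: {why}")
```

Running it against a config with client-cert-not-required removed, a larger dh file and a tls-auth line added produces no findings, which is the state to aim for.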
My client.conf file:

client
dev tun
proto tcp-client
remote test.com 1194
ca keys/ca.crt  # the same CA file used for the server
verb 3
auth-user-pass
On Windows, use openvpn-gui to connect to the OpenVPN server: save the configuration as file.ovpn in the openvpn/conf directory. Before trying to connect, check that the DHCP Client service is running on your Windows machine; otherwise the pushed routes won't work.