Tuesday, August 7, 2007

Setting up an OpenVPN server in Fedora 7

Setting up an OpenVPN server

  1. yum install openvpn.$HOSTTYPE

  2. Copy /usr/share/openvpn/easy-rsa/ somewhere (like root's home directory with cp -ai /usr/share/openvpn/easy-rsa ~).

  3. cd ~/easy-rsa

  4. Edit vars appropriately.

  5. . vars

  6. ./clean-all

  7. Before continuing, make sure the system time is correct. Preferably, set up NTP.

  8. ./build-ca

  9. ./build-inter $( hostname | cut -d. -f1 )

  10. ./build-dh

  11. mkdir /etc/openvpn/keys

  12. cp -ai keys/$( hostname | cut -d. -f1 ).{crt,key} keys/ca.crt keys/dh1024.pem /etc/openvpn/keys/

  13. cp -ai /usr/share/doc/openvpn-*/sample-config-files/roadwarrior-server.conf /etc/openvpn/server.conf

  14. Edit /etc/openvpn/server.conf appropriately.

  15. chkconfig --level 2345 openvpn on

  16. service openvpn start

  17. Verify that firewall rules allow traffic in from tun+, out from the LAN to tun+, and in from the outside on UDP port 1194. The following should work:

    iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT
    iptables -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

    Or for genfw (my firewall-generation script, not currently available in Fedora), this in /etc/sysconfig/genfw/rules:

    append INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
    append INPUT -i tun+ -j ACCEPT
    append FORWARD -i tun+ -j ACCEPT
    append FORWARD -i eth0 -o tun+ -j ACCEPT
    append FORWARD -i eth1 -o tun+ -j established
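The five rules above assume eth1 is the outside interface and eth0 the LAN, and the interface names have to be edited in several places. As an added example (not from the original post, and not part of genfw), the following shell function emits the same rule set for any outside/inside interface pair, in either plain iptables form or the genfw rules form shown above, so the asymmetry is stated once: only the outside interface accepts new connections, and only on UDP 1194; the LAN may open connections towards VPN clients; the outside may only answer connections the clients started. The interface names, the tun+ device and port 1194 are taken from the post; the function and parameter names are assumptions.

```shell
# Added example: generate the step-17 firewall rules for a given outside (WAN)
# and inside (LAN) interface. Not from the original post; "wan", "lan" and the
# function name are assumptions made for this example.
#
# Usage: openvpn_fw_rules WAN_IFACE LAN_IFACE [PORT] [iptables|genfw]

openvpn_fw_rules() {
    wan="$1"
    lan="$2"
    port="${3:-1194}"
    fmt="${4:-iptables}"

    if [ "$fmt" = genfw ]; then
        cmd="append"
        est="-j established"
    else
        cmd="iptables -A"
        est="-m state --state ESTABLISHED,RELATED -j ACCEPT"
    fi

    # Only the outside interface accepts OpenVPN handshakes. Matching eth+
    # here (as in the comment below) would also open the port on the LAN side.
    printf '%s INPUT -i %s -p udp --dport %s -j ACCEPT\n' "$cmd" "$wan" "$port"

    # Decrypted traffic from the tunnel may reach the server and be forwarded.
    printf '%s INPUT -i tun+ -j ACCEPT\n' "$cmd"
    printf '%s FORWARD -i tun+ -j ACCEPT\n' "$cmd"

    # The LAN may open connections to VPN clients ...
    printf '%s FORWARD -i %s -o tun+ -j ACCEPT\n' "$cmd" "$lan"

    # ... but the outside may only answer connections the clients started.
    printf '%s FORWARD -i %s -o tun+ %s\n' "$cmd" "$wan" "$est"
}

# Demonstration with the post's interface layout (eth1 outside, eth0 LAN).
openvpn_fw_rules eth1 eth0
openvpn_fw_rules eth1 eth0 1194 genfw
```

Run it once with the real interface names and paste the output into the firewall script or /etc/sysconfig/genfw/rules; keeping the rules generated rather than hand-edited makes it obvious when a rule accidentally matches every interface.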

Setting up a Windows OpenVPN client

On the server:

  1. cd easy-rsa

  2. . vars

  3. ./build-key username

On the client:

  1. Install the OpenVPN GUI or the stand-alone OpenVPN client.

  2. Copy username.crt, username.key, and ca.crt to C:\Program Files\OpenVPN\config\ on the client.

  3. Drop roadwarrior-client.conf into C:\Program Files\OpenVPN\config\ as whatever.ovpn and edit appropriately.

  4. Either use the GUI to start the connection, start the OpenVPN service manually, or set the OpenVPN service to start automatically.

Ideally the client should also verify the server's identity by checking the name in the server certificate with tls-remote in the whatever.ovpn configuration file.
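The post leaves the contents of whatever.ovpn as "edit appropriately". As an added example (not from the original post), the shell function below writes a client configuration for the setup described here: the client certificate and key from ./build-key, ca.crt, and a tls-remote line naming the server certificate's common name, which in this procedure is the short hostname passed to ./build-inter in step 9. Without tls-remote any certificate signed by the same CA, including another user's client certificate, would be accepted as the server. A second function checks an existing .ovpn for a server-identity directive. The server name vpn.example.com, the CN "vpnbox" and the user "alice" are constructed placeholders, and both function names are assumptions.

```shell
# Added example: write a Windows-style client config (roadwarrior layout) that
# pins the server certificate's common name with tls-remote. Not from the
# original post; server name, CN and user name below are placeholders.
#
# Usage: make_client_ovpn SERVER_ADDRESS SERVER_CERT_CN USERNAME > whatever.ovpn

make_client_ovpn() {
    server="$1"      # public name or address of the OpenVPN server
    server_cn="$2"   # CN of the server certificate (the name given to ./build-inter)
    user="$3"        # name given to ./build-key

    # Relative file names resolve against the config directory
    # (C:\Program Files\OpenVPN\config\) when the GUI or service starts OpenVPN.
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $user.crt
key $user.key
# Refuse the connection unless the server presents a certificate signed by
# ca.crt whose common name is exactly this value.
tls-remote $server_cn
verb 3
EOF
}

# Read a client config on stdin and succeed only if it pins the server
# identity with tls-remote (the directive the post recommends).
ovpn_checks_server() {
    grep -q '^[[:space:]]*tls-remote[[:space:]]' 
}

# Demonstration with constructed placeholder values.
make_client_ovpn vpn.example.com vpnbox alice
```

Check a config that is already in place with `ovpn_checks_server < whatever.ovpn`; a missing tls-remote line means the client will trust any certificate the CA has issued as the server.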

1 comment:

Unknown said...

Great article. It has made my life much easier while I have been trying to set up my first VPNs.

I had a little trouble with the firewall rules using iptables. I eventually came across this slightly more universal solution:

iptables -A INPUT -i eth+ -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
iptables -A FORWARD -i eth+ -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

Hope it helps someone.