OpenVPN Setup

Here are some notes about my attempts to get OpenVPN running on my home network.  These are more for my own use than for  the public, so take anything you find here with a grain of salt.

I am going to run the vpn server on an older PC running Kbuntu 9.04.  I have an AirPort Extreme functioning as a router and DHCP server.  Here is some basic network info:

DHCP range 10.0.1.2 – 10.0.1.200
reserved server address 10.0.1.100
router/gateway address 10.0.1.1

Here are some links of helpful sites I have used to help me get this thing off the ground.

  1. openvpn howto – a very detailed howto from the openvpn.net site
  2. Another vpn howto this one is very concise and good!
  3. bridge init.d script and how to install and use it – very important

After carefully reading the differences between bridged and tunneled modes, I have decided upon bridged.  It would seem that if I want easy access to all network resources with a minimum of fuss this is the way to go.

Below is a contemporaneously produced list of the steps I have taken (including problems that I have run into.

  1. Install the openvpn package

    sudo apt-get install openvpn

    This went without a hitch.  The install doesn’t install a configuration file, but does produce a /etc/openvpn directory where all of the configuration files will reside.  There are example configuration files and all of the certificate utilities needed to get a secure openvpn setup going installed into /usr/share/doc/openvpn.  The startup scripts are also installed into the /etc/init.d folder.  It is a typical startup script that, best I can tell, will start up a vpn instance for each .conf file it finds in /etc/openvpn

  2. Generate the certificate authority (CA) certificate and client keys.All of the utilities to produce the certificate and keys needed are found in the directory /usr/share/doc/openvpn/examples/easyrsa/2.0.  I copied the entire directory into the /etc/openvpn directory to keep all of my configuration files for the vpn system into one place.

    cd /etc/openvpn
    sudo cp /usr/shar/doc/openvpn/examples/easy-rsa/2.0 .

    I then edited the /etc/easy-rsa/vars file to contain default information.  Only the last section needed to be edited.  All of the following need to be non-blank: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL.

    Now I did the following to build the CA

    sudo -i
    source ./vars
    ./clean-all
    ./build-ca

    You need to be logged in as root, or better on ubuntu a persistent root session via sudo -i,  as sudo each individual command above will not work as the “source ./vars” command applies to the login environment.  This little point took me a while to figure out!  Read about it here.

    Next step is to generate the server key:

    ./build-key-server server

    Now I will generate two keys for the two laptops I will setup for vpn access.  I’ve used the ./build-key-pkcs12 which stores the client public key and certificate in one password protected file.

    ./build-key-pkcs12 ben-air
    ./build-key-pkcs12 robbie-macbook

  3. Editing the configuration file.I start by copying the sample config file that comes with the packagecd /etc/openvpn
    cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf .

    I have changed the following parts of the config file:

    Change to dev tap for bridging by commenting out dev tun and uncommenting dev tap

    ;dev tun
    dev tap0

    Now fully qualify the certificate and key paths

    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key

    and the dh parameters

    dh /etc/openvpn/easy-rsa/keys/dh1024.pem

    comment out the server directive since we are using bridging

    ;server 10.8.0.0 255.255.255.0

    and uncomment and change the server-bridge directive to assign a different range of ip address to vpn clients (201-250) than the AirPort Extreme give out to local clients.

    bridge-server 10.0.1.0 255.255.255.0 10.0.1.201 10.0.1.250

    and fully qualify the log file path

    /var/log/openvpn-status.log

  4. Setup ethernet bridgingInstall the bridge tools apt-get install bridge-toolsDownload this nifty script that will bring up and down the necessary ethernet bridging.  Rename it “bridge.”  I needed only to edit the top part of the script with my particular network settings.  I then made it executable, move it to the init.d directory, start bridging, and set it up so that it will be brought up automatically on startup.

    chmod +x bridge
    cp bridge /etc/init.d
    /etc/init.d/bridge start
    update-rc.d bridge defaults

  5. Fire up openvpn!

    /etc/init.d/openvpn start

Leave a Reply

Your email address will not be published. Required fields are marked *