Here are some notes about my attempts to get OpenVPN running on my home network. These are more for my own use than for the public, so take anything you find here with a grain of salt.
I am going to run the vpn server on an older PC running Kubuntu 9.04. I have an AirPort Extreme functioning as a router and DHCP server. Here is some basic network info:
DHCP range 10.0.1.2 – 10.0.1.200
reserved server address 10.0.1.100
router/gateway address 10.0.1.1
Here are some links to helpful sites I have used to help me get this thing off the ground.
- openvpn howto – a very detailed howto from the openvpn.net site
- Another vpn howto – this one is very concise and good!
- bridge init.d script and how to install and use it – very important
After carefully reading the differences between bridged (tap) and routed (tun) modes, I have decided upon bridged. It would seem that if I want easy access to all network resources with a minimum of fuss this is the way to go. The flip side is that a bridged client is, for all purposes, a machine plugged into the LAN: it sees broadcasts, gets to every host directly, and is not separated by any routing or firewall on the server. That makes the client certificates and the password on the client key bundle the only thing standing between a lost laptop and the whole home network, so they deserve some care.
Below is a contemporaneously produced list of the steps I have taken (including problems that I have run into).
- Install the openvpn package
sudo apt-get install openvpn
This went without a hitch. The install doesn’t install a configuration file, but does produce a /etc/openvpn directory where all of the configuration files will reside. Example configuration files and all of the certificate utilities needed to get a secure openvpn setup going are installed under /usr/share/doc/openvpn/examples. A startup script is also installed into /etc/init.d. It is a typical startup script that, best I can tell, will start up a vpn instance for each .conf file it finds in /etc/openvpn.
- Generate the certificate authority (CA) certificate and client keys. All of the utilities to produce the certificates and keys needed are found in the directory /usr/share/doc/openvpn/examples/easy-rsa/2.0. I copied the entire directory into the /etc/openvpn directory to keep all of my configuration files for the vpn system in one place (cp needs -r to copy a directory):
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
I then edited the /etc/openvpn/easy-rsa/vars file to contain default information. Only the last section needed to be edited. All of the following need to be non-blank: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL. The same section sets KEY_SIZE, which the shipped file leaves at 1024; raise it to 2048 before building anything, because every key and the dh file are generated at that size and changing it later means regenerating the whole lot.
Now I did the following to build the CA: source ./vars to load those settings, ./clean-all to create an empty keys directory, then ./build-ca, which prompts for the identity fields with the vars values as defaults.
You need to be logged in as root, or better on ubuntu a persistent root session via sudo -i. Running each individual command above through sudo will not work, because source ./vars only sets variables in the shell that ran it and sudo starts each command in a fresh environment where they are gone. This little point took me a while to figure out! Read about it here.
Next step is to generate the server key and certificate with ./build-key-server, plus the Diffie-Hellman parameters with ./build-dh, which the server config needs and which takes a few minutes at 2048 bits:
Now I will generate two keys for the two laptops I will setup for vpn access. I’ve used ./build-key-pkcs12, which bundles the client’s private key, its certificate and the CA certificate in one password-protected .p12 file, so only that one file needs to be carried to the laptop. Everything else in the keys directory, ca.key above all, stays on the server.
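The whole easy-rsa sequence from the steps above in one script, as an added example rather than anything from the original notes: it runs in a single root shell so the sourced vars survive, refuses to continue if vars still has blank identity fields or the 1024-bit KEY_SIZE the shipped file defaults to, and then produces the CA, the server key, the Diffie-Hellman parameters and one .p12 per laptop. The easy-rsa location (/etc/openvpn/easy-rsa) and the client names laptop1 and laptop2 are assumptions.

```shell
#!/bin/sh
# Added example: drives the easy-rsa 2.0 scripts from one root shell after
# sanity-checking vars. Not from the original notes; the easy-rsa location
# and the two client names are assumptions.
EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easy-rsa}"
CLIENTS="${CLIENTS:-laptop1 laptop2}"   # assumed names for the two laptops

# check_vars FILE: source FILE in a subshell (so the caller's environment is
# untouched) and verify that the identity fields easy-rsa needs are non-blank
# and that KEY_SIZE is at least 2048, since the shipped vars says 1024.
check_vars() {
    (
        . "$1" >/dev/null 2>&1 || exit 2
        for v in KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL; do
            eval "val=\${$v:-}"
            if [ -z "$val" ]; then
                echo "check_vars: $v is blank in $1" >&2
                exit 1
            fi
        done
        case "${KEY_SIZE:-}" in
            ''|*[!0-9]*) echo "check_vars: KEY_SIZE is not numeric" >&2; exit 1 ;;
        esac
        if [ "$KEY_SIZE" -lt 2048 ]; then
            echo "check_vars: KEY_SIZE=$KEY_SIZE is too small, use 2048" >&2
            exit 1
        fi
    )
}

# build_pki: the full sequence from the notes, run in ONE shell so that the
# variables exported by vars are still set when the build-* scripts run.
build_pki() {
    cd "$EASYRSA_DIR" || return 1
    check_vars ./vars || return 1
    . ./vars                      # not "sudo source": the variables must stay in this shell
    ./clean-all                   # wipes keys/, so first run only
    ./build-ca                    # CA key and certificate; keys/ca.key never leaves this box
    ./build-key-server server     # server key and certificate, signed by the CA
    ./build-dh                    # keys/dh${KEY_SIZE}.pem, referenced by server.conf
    for c in $CLIENTS; do
        ./build-key-pkcs12 "$c"   # keys/$c.p12: private key + cert + ca.crt, password protected
    done
    # Private keys and bundles should not be readable by other local users.
    chmod 600 keys/*.key keys/*.p12 2>/dev/null
}

# Only attempt the build as root on a machine where easy-rsa has been copied
# into place; elsewhere the script just defines the functions above.
if [ "$(id -u)" -eq 0 ] && [ -d "$EASYRSA_DIR" ]; then
    build_pki
fi
```

build-key-pkcs12 prompts for the export password interactively; that password is what protects the laptop's private key if the .p12 is copied somewhere it should not be, so it should not be blank.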
- Editing the configuration file. I start by copying the sample config file that comes with the package (on Ubuntu it may be shipped compressed as server.conf.gz, in which case zcat it into /etc/openvpn/server.conf instead):
cd /etc/openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf .
I have changed the following parts of the config file:
Change to dev tap for bridging by commenting out dev tun and uncommenting dev tap. Use the numbered form, dev tap0, so that OpenVPN attaches to the persistent tap0 interface that the bridge script creates and adds to the bridge; a bare dev tap would make OpenVPN allocate a fresh tap interface that is not part of the bridge, and clients would connect but see nothing.
Now fully qualify the certificate and key paths (ca, cert and key all point into the easy-rsa keys directory under /etc/openvpn)
and the dh parameters. Note that build-dh names the file after KEY_SIZE, so it is dh1024.pem with the shipped vars and dh2048.pem if KEY_SIZE was raised to 2048; the sample config refers to dh1024.pem.
Comment out the server directive since we are using bridging
;server 10.8.0.0 255.255.255.0
and uncomment and change the server-bridge directive to assign a different range of IP addresses to vpn clients (201-250) than the AirPort Extreme gives out to local clients (2-200), so the two pools never collide. The directive is server-bridge (OpenVPN will refuse to start on a misspelt option name), and its first argument is the gateway address pushed to clients, so it should be the router, 10.0.1.1, not the network address; then the netmask and the pool:
server-bridge 10.0.1.1 255.255.255.0 10.0.1.201 10.0.1.250
and fully qualify the log file path
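What the finished bridged server.conf looks like after the edits above, as an added example rather than a copy of the original file: the key paths assume easy-rsa was copied to /etc/openvpn/easy-rsa and KEY_SIZE raised to 2048, the gateway and client pool come from the network info at the top of the page, and the log file names are my choice. The user/group and persist lines are commented out in the sample config; enabling them makes openvpn drop root once the tap and keys are open, which limits what a bug in the daemon can do to the server.

```conf
# /etc/openvpn/server.conf, bridged mode. Added example, not the original notes.
port 1194
proto udp
# The persistent tap0 that the bridge script creates and enslaves to br0.
dev tap0

# Paths assume easy-rsa was copied to /etc/openvpn/easy-rsa (assumption).
ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key  /etc/openvpn/easy-rsa/keys/server.key
# Named after KEY_SIZE by build-dh; dh1024.pem if vars was left at 1024.
dh   /etc/openvpn/easy-rsa/keys/dh2048.pem

# Routed-mode helper, not used when bridging.
;server 10.8.0.0 255.255.255.0
# Gateway pushed to clients (the AirPort), netmask, then a pool that stays
# clear of the AirPort's DHCP range 10.0.1.2-200.
server-bridge 10.0.1.1 255.255.255.0 10.0.1.201 10.0.1.250

keepalive 10 120

# Optional extra: an HMAC key shared with the clients so unauthenticated
# packets are dropped before the TLS handshake. Generate it once with
# "openvpn --genkey --secret /etc/openvpn/ta.key"; clients use "tls-auth ta.key 1".
;tls-auth /etc/openvpn/ta.key 0

# Drop root after startup; persist-key/persist-tun keep the key and the tap
# usable across restarts once privileges are gone.
user nobody
group nogroup
persist-key
persist-tun

status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
```

With user nobody in place, the key and log files must still be readable and writable respectively at startup and after the drop: the key is read before privileges change, but the log file is written continuously, so it needs to be owned by, or writable for, nobody.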
- Set up ethernet bridging. Install the bridge tools (the bridge-utils package, which provides brctl), then install the bridge init script linked above:
chmod +x bridge
cp bridge /etc/init.d
update-rc.d bridge defaults
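The bridge script itself is not reproduced in the notes. The following is an added example of what such an /etc/init.d/bridge can look like, modelled on the bridge-start and bridge-stop scripts from the OpenVPN howto linked above rather than taken from the script the notes link to; it assumes the LAN interface is eth0 and gives the bridge the server's reserved address 10.0.1.100/24 and the router 10.0.1.1 from the network info at the top. The broadcast address is computed from the address and netmask rather than typed by hand, since a wrong broadcast on the bridge is an easy typo that quietly breaks LAN discovery.

```shell
#!/bin/sh
# /etc/init.d/bridge: added example modelled on the OpenVPN howto's
# bridge-start/bridge-stop, not the script the notes link to.
# Assumptions: LAN NIC is eth0; the bridge takes over the server's reserved
# address 10.0.1.100/24 and the default route via the AirPort at 10.0.1.1.
BR="br0"
TAP="tap0"
ETH="eth0"
ETH_IP="10.0.1.100"
ETH_NETMASK="255.255.255.0"
GW="10.0.1.1"

# broadcast_for IP NETMASK: dotted-quad broadcast address, computed so the
# bridge never ends up with a mistyped broadcast.
broadcast_for() {
    ip="$1"; mask="$2"
    oldifs="$IFS"; IFS=.
    set -- $ip;   a1=$1; a2=$2; a3=$3; a4=$4
    set -- $mask; m1=$1; m2=$2; m3=$3; m4=$4
    IFS="$oldifs"
    echo "$((a1 | (255 - m1))).$((a2 | (255 - m2))).$((a3 | (255 - m3))).$((a4 | (255 - m4)))"
}

bridge_start() {
    bcast="$(broadcast_for "$ETH_IP" "$ETH_NETMASK")"
    # Persistent tap that OpenVPN ("dev tap0" in server.conf) attaches to.
    openvpn --mktun --dev "$TAP"
    # Bridge the NIC and the tap together; the NIC gives up its address and
    # the bridge carries it instead (losing the address also drops the
    # default route, so it is re-added on the bridge).
    brctl addbr "$BR"
    brctl addif "$BR" "$ETH"
    brctl addif "$BR" "$TAP"
    ifconfig "$TAP" 0.0.0.0 promisc up
    ifconfig "$ETH" 0.0.0.0 promisc up
    ifconfig "$BR" "$ETH_IP" netmask "$ETH_NETMASK" broadcast "$bcast"
    route add default gw "$GW"
}

bridge_stop() {
    bcast="$(broadcast_for "$ETH_IP" "$ETH_NETMASK")"
    ifconfig "$BR" down
    brctl delbr "$BR"
    openvpn --rmtun --dev "$TAP"
    # Hand the address and default route back to the NIC.
    ifconfig "$ETH" "$ETH_IP" netmask "$ETH_NETMASK" broadcast "$bcast" up
    route add default gw "$GW"
}

case "${1:-}" in
    start)   bridge_start ;;
    stop)    bridge_stop ;;
    restart) bridge_stop; bridge_start ;;
    *)       echo "Usage: $0 {start|stop|restart}" >&2 ;;
esac
```

Two things to check after installing it: the bridge must be up before openvpn starts, since openvpn with dev tap0 will otherwise create its own non-persistent tap0 that is not in the bridge, so compare the S-numbers of the bridge and openvpn links in /etc/rc2.d and renumber the bridge earlier if update-rc.d defaults put it after; and do this from the console or with a watchdog the first time, because the moment eth0 loses its address any ssh session to the server is cut until the bridge comes up.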
- Fire up openvpn! Start the bridge first, then the openvpn init script (/etc/init.d/openvpn start), and watch the log file for the line “Initialization Sequence Completed”, which OpenVPN prints once the server is up and listening.