Safe behind your firewall is your office network; when you expand to another site, and another network, a VPN lets you link the two (and more) networks as seamlessly as if they were plugged into the same router, and give roaming users the same ‘local’ access.
02 OpenVPN
OpenVPN aims to be a universal VPN and offers great flexibility, yet is a relatively small download with few dependencies. It can authenticate with passwords, certificates or pre-shared keys, and uses the OpenSSL library for its cryptography.
03 Easy install
Fire up a terminal emulator and run apt-get install openvpn as root (sudo apt-get install openvpn if you’re on Ubuntu), or yum install openvpn for an RPM-based distro. Add OpenSSL if it’s not already on your system, and resolvconf may be helpful.

04 Address: the problem
Before going further, let’s consider one potential problem with routing: connecting from an internet cafe that uses the 192.168.0.0/24 subnet when your office network uses the same range. The client then has two networks with one address range, and packets for the office never reach the tunnel. Something like 10.66.142.0/24 for your office network could save a lot of grief, and the same thinking applies to the address pool the VPN server hands out to clients.

05 Simpler config
How do you keep a flexible app simple to configure? By including config examples to modify. Grab the easy-rsa examples with
sudo cp -R /usr/share/doc/openvpn/

06 Public-key infrastructure (PKI)
We’re going to use easy-rsa to create a master CA certificate, which will sign the certificates we generate for the server and each client. easy-rsa has recently been separated out from OpenVPN, so you may need to download it from github.com/OpenVPN/easy-rsa

07 Master certificate
Edit the vars file, changing the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL parameters. Other values that may need changing are usually helpfully marked "=changeme"; both the comments and the README file will guide you. Check KEY_SIZE while you’re there: 2048 bits is the least you should accept.

08 Generation game
From within the same directory as the vars file we have just edited (/etc/openvpn/easyrsa/2.0/ in this case) we load it with source ./vars and run the build script, ./build-ca. On a fresh install ./clean-all is run first; it empties the keys directory, so never run it against a CA you are already using. Note that instead of ‘hostname’ for Common Name, you may wish to enter OpenVPN-CA.
09 Build server certificate
Running ./build-key-server server next differs slightly: ‘server’ is offered as the Common Name (accept it), then you are asked for a challenge password (skip it) and whether to sign the certificate (choose yes). build-key-server also marks the certificate as a server certificate, which is what lets a client tell the real server apart from another client holding a certificate from the same CA.

10 Roll out the client certs
Now build as many client certificates as you need with variations on ./build-key client1. Because each client certificate is signed by the same master CA as the server certificate, the server does not need to keep copies of the client keys: ca.crt is all it needs to verify them. The flip side is that any certificate from that CA gets in, so keep ca.key off the server, and when a laptop goes missing revoke its certificate (./revoke-full client1, then crl-verify crl.pem on the server) rather than merely deleting its files.

11 Diffie–Hellman
No, it’s not a brand of mayonnaise! The Diffie–Hellman key exchange method “allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel.” Run ./build-dh to generate the server’s parameters; it uses KEY_SIZE from vars, so expect to wait a while for 2048 bits.

12 Server config
Start with the sample server.conf from the /usr/share/doc/openvpn/ example configs. Change the address range in the server directive from 10.8.0.0 to your own, one that collides with neither the office LAN nor the networks clients will be calling from. Other options include pushing a route to the office network to each client, eg:
push "route 10.13.101.0 255.255.255.0"
The address must be the network address for the mask you give; a host address such as 10.13.101.1 with 255.0.0.0 is not.

13 Nearly there
On your client PCs, copy the keys you have generated (using scp or a USB key: ca.crt plus that client’s .crt and .key, never ca.key) and edit the sample client.conf file. Uncommenting the user nobody and group nobody directives (group nogroup on Debian and Ubuntu) drops OpenVPN’s privileges once the tunnel is up; keep persist-key and persist-tun alongside them so a restart of the connection does not need the privileges it has given up. Now it’s time to test…

14 Is anyone there?
Start OpenVPN on the client with openvpn path/to/conf. From the client, try pinging an address on the remote network. Given correct address data, any errors are likely to be firewall-related; if the tunnel is up but the office LAN stays silent, also check that IP forwarding is enabled on the server (net.ipv4.ip_forward = 1) and that the office router has a route back to the VPN address range. Success? Now start with

15 We have tunnel!
ifconfig tun0 (or ifconfig tap0 if you’re using a virtual Ethernet device instead of a point-to-point IP tunnel) will now show all the info, giving the addresses at each end of the tunnel. If you enabled the push "route..." and push "route-gateway..." directives in the server config, you will now also be able to reach whatever other networks are visible to the server via other VPNs, as shown in the opening screenshot of the article. The push "dhcp-option DNS 10.66...." directive may also be useful to you.

16 Remote access
Now you have your secure connection into the office, you’ll want to do more than just ping boxes. You can roam the intranet, performing local admin tasks on printers and servers from the comfort of your favourite cafe...
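The certificate steps 06 to 11, reproduced as an added example; this is not the article’s own command sequence and not easy-rsa’s code. It builds the same CA, server certificate, client certificate and DH parameters with plain openssl, which is what easy-rsa’s build-ca, build-key-server, build-key and build-dh scripts wrap, and then performs by hand the check a client’s remote-cert-tls server directive makes: that the peer’s certificate chains to ca.crt and carries the serverAuth extended key usage. The subject fields, the file names, the directory layout and the minimal openssl.cnf are this example’s own assumptions.

```shell
#!/bin/sh
# Added example, not from the article or the easy-rsa project: the easy-rsa
# 2.0 steps build-ca, build-key-server, build-key client1 and build-dh done
# with plain openssl, which is what those scripts wrap. The subject fields,
# file names and directory layout are this example's own assumptions.
set -eu

# Stand-ins for KEY_COUNTRY, KEY_PROVINCE, KEY_CITY and KEY_ORG from vars
# (made-up values).
SUBJ_BASE="/C=GB/ST=London/L=London/O=Example Office"

# Minimal stand-in for easy-rsa's openssl.cnf: one extension section per
# certificate type. serverAuth on the server cert is what a client's
# 'remote-cert-tls server' checks, so a stolen client cert cannot pose as
# the server even though the same CA signed both.
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# build-key / build-key-server: $2 is the file name and Common Name, $3 the
# extension section the CA stamps on the certificate.
issue_cert() {
    dir=$1; name=$2; ext=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
        -subj "$SUBJ_BASE/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions "$ext" -out "$dir/$name.crt" 2>/dev/null
    rm -f "$dir/$name.csr"
    chmod 600 "$dir/$name.key"
}

build_pki() {
    dir=$1
    mkdir -p "$dir"
    write_cnf "$dir/openssl.cnf"
    # build-ca: the self-signed master certificate. ca.key signs everything,
    # so it belongs on neither the VPN server nor any client.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -extensions ca_ext \
        -subj "$SUBJ_BASE/CN=OpenVPN-CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
    issue_cert "$dir" server server_ext      # build-key-server server
    issue_cert "$dir" client1 client_ext     # build-key client1
    # build-dh: -dsaparam turns minutes of 2048-bit generation into seconds.
    openssl dhparam -dsaparam -out "$dir/dh2048.pem" 2048 2>/dev/null
}

# Does $dir/$name.crt chain to ca.crt and carry the named extended key usage?
# Returns 0 only if both hold: the client's 'remote-cert-tls server' check,
# done by hand.
check_cert() {
    dir=$1; name=$2; usage=$3
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$name.crt" -noout -text | grep -q "$usage"
}

PKI_DIR=${PKI_DIR:-$(mktemp -d)}
build_pki "$PKI_DIR"
check_cert "$PKI_DIR" server "TLS Web Server Authentication"
check_cert "$PKI_DIR" client1 "TLS Web Client Authentication"
echo "PKI in $PKI_DIR: ca.crt, server.crt/.key, client1.crt/.key, dh2048.pem"
```

Run it as sh and it leaves the files in a fresh temporary directory (or in PKI_DIR if you export one). The point of the two check_cert calls at the end is the asymmetry: client1.crt verifies against the CA just as server.crt does, so a client that skipped remote-cert-tls server would accept client1 as its server; only the extended key usage tells them apart.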
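Steps 04, 12 and 13 together, as an added example that is not from the article: a check that the VPN address pool collides with neither the office LAN nor the 192.168.0.0/16 range that home and cafe routers favour, followed by a server.conf and client.conf pair carrying the settings discussed above (a pushed route to the office network, remote-cert-tls server, user/group and persist-key/persist-tun, and the management interface bound to loopback). The subnets, vpn.example.com, the tls-auth key ta.key (produced with openvpn --genkey --secret ta.key) and the file names are this example’s assumptions, and it goes a little beyond the article by testing the pool against the cafe range as well as the office LAN.

```shell
#!/bin/sh
# Added example, not from the article: choose a VPN pool that overlaps
# neither the office LAN nor the usual cafe/home range, then write the
# matching server.conf and client.conf. Subnets, vpn.example.com, ta.key
# and the file names are this example's own assumptions.
set -eu

# dotted quad -> integer, and back (octets are taken as decimal)
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
mask_of_bits() {   # /24 -> 4294967040 (255.255.255.0)
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}
# Two prefixes overlap exactly when they agree under the shorter mask.
subnets_overlap() {
    b1=${1#*/}; b2=${2#*/}
    if [ "$b1" -lt "$b2" ]; then short=$b1; else short=$b2; fi
    m=$(mask_of_bits "$short")
    [ $(( $(ip2int "${1%/*}") & m )) -eq $(( $(ip2int "${2%/*}") & m )) ]
}
net_addr() { int2ip $(( $(ip2int "${1%/*}") & $(mask_of_bits "${1#*/}") )); }
net_mask() { int2ip "$(mask_of_bits "${1#*/}")"; }

# Write $1/server.conf and $1/client.conf for office LAN $2 and VPN pool $3.
# Refuses (returns 1, writes nothing) if the pool collides with the office
# LAN or with 192.168.0.0/16, which is what step 04 warns about.
write_configs() {
    dir=$1; office=$2; pool=$3
    for clash in "$office" 192.168.0.0/16; do
        if subnets_overlap "$pool" "$clash"; then
            echo "pool $pool overlaps $clash; pick another range" >&2
            return 1
        fi
    done
    mkdir -p "$dir"
    cat > "$dir/server.conf" <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Address pool handed to clients; chosen to collide with nothing they use
server $(net_addr "$pool") $(net_mask "$pool")
# Route the office LAN through the tunnel (network address, not a host)
push "route $(net_addr "$office") $(net_mask "$office")"
# HMAC on the control channel; key made with: openvpn --genkey --secret ta.key
tls-auth ta.key 0
# Drop root once the tunnel is up; persist-* lets restarts cope without it
user nobody
group nogroup
persist-key
persist-tun
# Management interface on loopback only: anyone reaching it controls the daemon
management 127.0.0.1 4202
keepalive 10 120
verb 3
EOF
    cat > "$dir/client.conf" <<EOF
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
# Refuse any peer whose certificate is not marked as a server certificate
remote-cert-tls server
nobind
persist-key
persist-tun
verb 3
EOF
}

CONF_DIR=${CONF_DIR:-$(mktemp -d)}
write_configs "$CONF_DIR" 10.66.142.0/24 10.66.200.0/24
echo "wrote $CONF_DIR/server.conf and $CONF_DIR/client.conf"
```

With the office on 10.66.142.0/24 and the pool on 10.66.200.0/24 the script writes both files; ask it for a 192.168.1.0/24 pool and it refuses, because a client sitting on a 192.168.x.x cafe network would otherwise have the same range on both sides of the tunnel. The overlap test is the general one (it compares network addresses under the shorter mask), so it also catches a /16 office swallowing a /24 pool.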
17 Desktop sharing
Adding VNC into the mix lets you work with GUI apps on remote systems across the VPN, whether GNU/Linux, Windows or whatever. xvnc4viewer gives you more power than Ubuntu’s built-in rdesktop, and TightVNC at both ends copes with narrow-bandwidth connections. VNC’s own authentication is weak, so keep it reachable only through the tunnel.

18 Spread the network
As well as clients for UNIX, Windows and even Maemo, there’s an Android port of the client software at github.com/fries. Once upon a time OpenVPN was console-only on Windows unless you went to openvpn.se; now a GUI is included in the package.

19 Admin tasks
Enabling the management interface on the port of your choosing gives you access via telnet localhost:4202; from here you can disconnect clients, toggle logging, and perform tests and debugging. The management GUI talks to OpenVPN through this interface. Bind it to 127.0.0.1 only and give it a password file (management 127.0.0.1 4202 pw-file), since anyone who can reach the port can drop every client or stop the daemon.

20 GUI choice
OpenVPN’s popularity can be seen in the vast choice of third-party GUIs, both for OpenVPN itself (connection clients) and for the management interface. While proprietary bolt-ons are a familiar tale, FOSS options are available too.

21 Hassle-free VPN
If you just want a VPN to protect your browsing privacy, say, or to catch BBC iPlayer while overseas, then one of the many commercial VPN providers is a hassle-free alternative, with downloadable clients for nearly every device. Read the reviews to find a suitable one, and remember that the provider then sees all of your traffic: it is a different proposition from the office VPN above.

22 Security first
Alternatively, IPsec encapsulates your data inside IPsec packets, aiming for authentication, integrity and confidentiality. It’s favoured by government agencies, those fearing industrial espionage, and anyone else feeling justifiably paranoid.

23 Swanning through
For IPsec, strongSwan, a successor to FreeS/WAN (Free Secure Wide-Area Networking), provides compatibility with other IPsec implementations, including clients on other platforms, supports both IKEv1 and IKEv2, and has a good reputation for security.

24 Brain food
There’s plenty of accumulated wisdom on remote access and admin. While the world wide web offers much that is useful, don’t neglect print! Some of the sysadmin manuals and server-hacks books available contain great tips on remote, secure admin and much more.