
OpenVPN

From Front Internal Wiki

Please note that this file is a work in progress, we will continue to update it as new/better ways of doing things are found to make the process as easy as possible.

Contents

1 Client Setup
1.1 A note about DNS and VPN.
1.2 Firewalls
1.3 Linux Users
1.4 Windows Users
1.5 Mac OSX Users
2 Routing
2.1 NAT

Client Setup

All users will be provided with a tar file containing their user certificates. Should you ever feel that these certificates may have been compromised, please let us know and we will revoke and re-create your certificates straight away.

The tar file will contain the following:

An example configuration file: front-client.config
A client certificate: <username>.crt
A certificate authority certificate: ca.crt
A user authentication key: <username>.key

Any other files in the tar can be ignored and are included for completeness.

A note about DNS and VPN.

Currently front does not push DNS down to clients; instead, clients need to connect to specific IP addresses or add the DNS servers themselves. Our two primary DNS servers are:

192.168.1.2
192.168.1.3

An alternative option is to edit your local hosts file and add specific systems using their front network IP addresses, for ease of use.

Other useful IPs to know are:

Ron: 192.168.1.68
Arrakis: 192.168.1.90

When you connect to front's VPN a new virtual interface will be created for you, using an IP in the range 192.168.2.0/24. From this range you will be able to ping internal front IP addresses on the 192.168.1.0 subnet.

Firewalls

OpenVPN for front operates over UDP on port 11194. You need to ensure that both your remote machine and the remote network allow traffic on this port. For most users this will not be an issue; however, if you fail to connect to the front gateway IP (93.97.246.119), please check your firewall settings.

Linux Users

Install openvpn via your package manager. Alternatively, network-manager-openvpn will be available for some distros.

Create a client config file:

client
dev tun
proto udp
remote 93.97.246.119 11194
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 10 120
ca /etc/openvpn/clients/front/ca.crt
# Adjust these to match your name, i.e. <name>.crt
cert /etc/openvpn/clients/front/<username>.crt
key /etc/openvpn/clients/front/<username>.key
comp-lzo
verb 3

Launch the client with:

openvpn --config /etc/openvpn/client.vpn

If you want to background the process then add --daemonize or add daemonize to the config file.

Windows Users

Install the OpenVPN client GUI by downloading it from:

http://swupdate.openvpn.net/downloads/openvpn-client.msi

Copy the crt and key files into a directory of your choosing. For this example I have used the Documents Folder:

C:\Users\front\Documents\<username>

Create an ovpn (configuration) text file using the configuration example provided for Linux above. For this example the file is simply named <username>.ovpn

NB: Textpad (http://www.textpad.com/) and notepad++

client
dev tun
proto udp
remote 93.97.246.119 11194
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 10 120
# NB: Windows paths must have "\" escaped with another "\"
ca "C:\\Users\\front\\Documents\\<username>\\ca.crt"
cert "C:\\Users\\front\\Documents\\<username>\\<username>.crt"
# The key sits in the same <username> directory as the certificates
key "C:\\Users\\front\\Documents\\<username>\\<username>.key"
comp-lzo
verb 3

Launch the OpenVPN GUI and choose "connection profiles", then "import file". Import the ovpn file created above.
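The Linux and Windows configs above differ only in where the three files from the tar live and in how Windows paths are escaped. The following added example (not part of the wiki page) generates either variant from the page's template and checks that the unpacked tar actually contains ca.crt, <username>.crt and <username>.key; the user name "alice" is a constructed sample.

```python
from pathlib import Path

# Directives shared by the page's Linux and Windows examples.
COMMON = [
    "client", "dev tun", "proto udp",
    "remote 93.97.246.119 11194",
    "resolv-retry infinite", "nobind",
    "persist-key", "persist-tun",
    "keepalive 10 120",
]
TRAILER = ["comp-lzo", "verb 3"]


def quote_path(path: str, windows: bool) -> str:
    """Render a path the way the page's examples do.

    Windows: every backslash is doubled (the page's NB) and the value is
    double-quoted. Linux: the path is emitted unchanged.
    """
    if not windows:
        return path
    return '"' + path.replace("\\", "\\\\") + '"'


def build_config(username: str, cert_dir: str, windows: bool) -> str:
    """Return client config text pointing at the tar contents in cert_dir.

    cert_dir is e.g. /etc/openvpn/clients/front on Linux or
    C:\\Users\\front\\Documents\\<username> on Windows (unescaped form).
    """
    sep = "\\" if windows else "/"
    files = {"ca": "ca.crt", "cert": f"{username}.crt", "key": f"{username}.key"}
    lines = list(COMMON)
    for directive, name in files.items():
        lines.append(f"{directive} {quote_path(cert_dir + sep + name, windows)}")
    lines += TRAILER
    return "\n".join(lines) + "\n"


def missing_files(username: str, cert_dir: str) -> list[str]:
    """Files from the tar that cert_dir lacks; an empty list means all present."""
    wanted = ["ca.crt", f"{username}.crt", f"{username}.key"]
    return [n for n in wanted if not (Path(cert_dir) / n).is_file()]


if __name__ == "__main__":
    # Constructed sample user; the real name comes from the files in your tar.
    print(build_config("alice", r"C:\Users\front\Documents\alice", windows=True))
```

Run missing_files before importing the profile: a non-empty result means the GUI will fail to start the tunnel because a referenced file is absent.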

Mac OSX Users

There are instructions for using OSX with OpenVPN at the URL below:

http://beta.openvpn.net/index.php/access-server/howto-openvpn-as/183-how-to-connect-to-access-server-from-a-mac.html

Most sites seem to suggest using Tunnelblick (http://code.google.com/p/tunnelblick/) as the client. Feedback would be appreciated on how well (or not) this works.

Routing

Not really OpenVPN, but a good place to put this as well: if the target VPN server is a gateway for devices on its network, you can also route through to local subnets on the gateway host using:

/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw <your tunnel ip>

or by device:

/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 dev tun0

The above can be done much more easily with push commands from the OpenVPN server, e.g.:

push "route 192.168.1.0 255.255.255.0"

NAT

Example taken from:

http://www.openvpn.net/index.php/open-source/documentation/howto.html

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

To push a gateway to the client for routing all traffic:

push "redirect-gateway local def1"
push "dhcp-option DNS 192.168.1.2"

Retrieved from "http://wiki/OpenVPN"
Category: Network

This page was last modified on 16 July 2010, at 10:12.
