Monday 2 January 2012

Setting up a Bridged VPN using OpenVPN

Install OpenVPN and bridging tools:
sudo apt-get install openvpn bridge-utils
Setting up the Bridge

Edit /etc/network/interfaces

When a Linux server is behind a NAT firewall, the /etc/network/interfaces file commonly looks like
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo eth0
iface lo inet loopback
# The primary network interface
## This device provides internet access.
iface eth0 inet
 static address 192.168.1.10
 netmask 255.255.255.0
 gateway 192.168.1.1
Edit this and add a bridge interface:
sudo vi /etc/network/interfaces
so that it look similar to:
## This is the network bridge declaration
## Start these interfaces on bootauto lo br0
iface lo inet loopback
iface br0 inet static
 address 192.168.1.10
 netmask 255.255.255.0
 gateway 192.168.1.1
 bridge_ports eth0
iface eth0 inet manual
 up ip link set $IFACE up promisc on
 down ip link set $IFACE down promisc off
If you are running Linux inside a virtual machine, you may want to add the following parameters to the bridge connection:
bridge_fd 9 ## from the libvirt docs (forward delay time)
bridge_hello 2 ## from the libvirt docs (hello time)
bridge_maxage 12 ## from the libvirt docs (maximum message age)
bridge_stp off ## from the libvirt docs (spanning tree protocol)
Restart networking:
sudo /etc/init.d/networking restart
The bridging declarations come from the libvirt documentation.

Generating Certificates

Generate certificates for the server. In order to do this I will setup my own Certificate Authority using the provided easy-rsa scripts in the /usr/share/doc/openvpn/examples/easy-rsa/ directory.

Copy files to the /etc/openvpn/easy-rsa/ directory:
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/*
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/*
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/*/etc/openvpn/easy-rsa/
Than edit /etc/openvpn/easy-rsa/vars
sudo vi /etc/openvpn/easy-rsa/vars
And change these lines at the bottom so that they reflect your new CA.
export KEY_COUNTRY="US"export KEY_PROVINCE="CA"export KEY_CITY="SanFrancisco"export KEY_ORG="Fort-Funston"export KEY_EMAIL="me@myhost.mydomain"
Finally setup the CA and create the first server certificate
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
sudo chown -R root:admin . ## make this directory writable by the system administrators
sudo chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## Setup the easy-rsa directory (Deletes all keys)
./build-dh ## takes a while consider backgrounding
./pkitool --initca ## creates ca cert and key
./pkitool --server server ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
sudo chown -R root:admin . ## make this directory writable by the system administrators
sudo chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## Setup the easy-rsa directory (Deletes all keys)
./build-dh ## takes a while consider backgrounding
./pkitool --initca ## creates ca cert and key
./pkitool --server server ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
sudo chown -R root:admin . ## make this directory writable by the system administrators
sudo chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## Setup the easy-rsa directory (Deletes all keys)
./build-dh ## takes a while consider backgrounding
./pkitool --initca ## creates ca cert and key
./pkitool --server server ## creates a server cert and keycd keys
openvpn --genkey --secret ta.key ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
The Certificate Authority is now setup and the needed keys are in /etc/openvpn/


Configuring the Server

By default all servers specified in *.conf files in the /etc/openvpn/ directory are started on boot. Therefore, all we have to do is creating a new file named server.conf in the /etc/openvpn/ directory.

First, we're going to create a couple of new scripts to be used by the openvpn server.
sudo vi /etc/openvpn/up.sh
This script should contain the following
#!/bin/sh
BR=$1
DEV=$2
MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/usr/sbin/brctl
/usr/sbin/brctl/usr/sbin/brctl addif $BR $DEV
Now, we'll create a "down" script.
sudo vi /etc/openvpn/down.sh
It should contain the following.
#!/bin/sh
BR=$1DEV=$2
/usr/sbin/brctl delif $BR $DEV
/sbin/ip/sbin/ip link set "$DEV" down
Now, make both scripts executable.
sudo chmod +x /etc/openvpn/up.sh/etc/openvpn/down.sh
And finally on to configuring openvpn itself.
sudo vi /etc/openvpn/server.conf

mode server
tls-server
local <your ip address> ## ip/hostname of server
port 1194 ## default openvpn portproto udp
#bridging directive
dev tap0 ## If you need multiple tap devices, add them here
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
persist-keypersist-tun
#certificates and encryption
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
comp-lzo
#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110
push "dhcp-option DNS your.dns.ip.here"
push "dhcp-option DOMAIN yourdomain.com"
max-clients 10 ## set this to the max number of clients that should be connected at a time
#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3
If the server initialization script will complain about WARN: could not open database for 4096 bits. Skipped, you can work around it by running this command:
touch /usr/share/openssl-blacklist/blacklist.RSA-4096
Now you will need to restart openvpn and load the new config with:
sudo /etc/init.d/openvpn restart
In case you run a firewall like ufw, please consider enabling ip forwarding, otherwise the clients will only be able to connect to the server, but not to other LAN servers.

Possibly Related Posts

No comments:

Post a Comment