OpenVPN_setup

Reference URL:

http://rbgeek.wordpress.com/2012/12/13/openvpn-server-on-ubuntu-12-04-behind-nat/

Steps:

On Server

root@openvpn-ssl:~# apt-get install openvpn

Reading package lists... Done

Building dependency tree      

Reading state information... Done

The following NEW packages will be installed:

  openvpn

0 upgraded, 1 newly installed, 0 to remove and 140 not upgraded.

Need to get 0 B/441 kB of archives.

After this operation, 1,058 kB of additional disk space will be used.

Preconfiguring packages ...

Selecting previously unselected package openvpn.

(Reading database ... 45543 files and directories currently installed.)

Unpacking openvpn (from .../openvpn_2.2.1-8ubuntu1.1_amd64.deb) ...

Processing triggers for man-db ...

Processing triggers for ureadahead ...

Setting up openvpn (2.2.1-8ubuntu1.1) ...

 * Restarting virtual private network daemon(s)...   * No VPN is running.

Processing triggers for libc-bin ...

ldconfig deferred processing now taking place

root@openvpn-ssl:~#

root@openvpn-ssl:~#

root@openvpn-ssl:~# cd /etc/openvpn/

root@openvpn-ssl:/etc/openvpn# mkdir easy-rsa

root@openvpn-ssl:/etc/openvpn#

root@openvpn-ssl:/etc/openvpn# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

root@openvpn-ssl:/etc/openvpn#

root@openvpn-ssl:/etc/openvpn#

root@openvpn-ssl:/etc/openvpn# cd  /etc/openvpn/easy-rsa/

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa# source vars

**************************************************************

  No /etc/openvpn/easy-rsa/openssl.cnf file could be found

  Further invocations will fail

**************************************************************

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa# ./clean-all

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa# ./build-ca

grep: /etc/openvpn/easy-rsa/openssl.cnf: No such file or directory

pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong

version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf

The correct version should have a comment that says: easy-rsa version 2.x

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa# cp openssl-1.0.0.cnf openssl.cnf

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa# ./build-ca

Generating a 1024 bit RSA private key

.....++++++

.....++++++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]:in

State or Province Name (full name) [CA]:^C

root@openvpn-ssl:/etc/openvpn/easy-rsa# ./build-ca

Generating a 1024 bit RSA private key

..................++++++

...............++++++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]:IN

State or Province Name (full name) [CA]:MH

Locality Name (eg, city) [SanFrancisco]:Mumbai

Organization Name (eg, company) [Fort-Funston]:Finicity

Organizational Unit Name (eg, section) [changeme]:IT

Common Name (eg, your name or your server's hostname) [changeme]:IndiaOffice

Name [changeme]:indiaoffice

Email Address [mail@host.domain]:ravindra.mane@finicity.com

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa# openssl rsa -in keys/ca.key -des3 -out keys/ca.key-new

writing RSA key

Enter PEM pass phrase:<paradise>

Verifying - Enter PEM pass phrase:<paradise>

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa# mv keys/ca.key keys/ca.key-old

root@openvpn-ssl:/etc/openvpn/easy-rsa# mv keys/ca.key-new keys/ca.key

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa# ./build-key-server openvpn-ssl

Generating a 1024 bit RSA private key

............++++++

...++++++

writing new private key to 'openvpn-ssl.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]:IN

State or Province Name (full name) [CA]:MH

Locality Name (eg, city) [SanFrancisco]:Mumbai

Organization Name (eg, company) [Fort-Funston]:Finicity

Organizational Unit Name (eg, section) [changeme]:IT

Common Name (eg, your name or your server's hostname) [openvpn-ssl]:openvpn-ssl

Name [changeme]:indiavpn

Email Address [mail@host.domain]:ravindra.mane@finicity.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:

Using configuration from /etc/openvpn/easy-rsa/openssl.cnf

Enter pass phrase for /etc/openvpn/easy-rsa/keys/ca.key:

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'IN'

stateOrProvinceName   :PRINTABLE:'MH'

localityName          :PRINTABLE:'Mumbai'

organizationName      :PRINTABLE:'Finicity'

organizationalUnitName:PRINTABLE:'IT'

commonName            :PRINTABLE:'openvpn-ssl'

name                  :PRINTABLE:'indiavpn'

emailAddress          :IA5STRING:'ravindra.mane@finicity.com'

Certificate is to be certified until Jun 21 03:16:27 2023 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2

This is going to take a long time

...................+...........+........+....+..........+..............+...........++*++*++*

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa# cd keys/

root@openvpn-ssl:/etc/openvpn/easy-rsa/keys# cp ca.crt openvpn-ssl.crt openvpn-ssl.key dh1024.pem /etc/openvpn/

root@openvpn-ssl:/etc/openvpn/easy-rsa/keys#

root@openvpn-ssl:/etc/openvpn/easy-rsa/keys#

root@openvpn-ssl:/etc/openvpn/easy-rsa/keys#

root@openvpn-ssl:/etc/openvpn/easy-rsa/keys#

root@openvpn-ssl:/etc/openvpn/easy-rsa/keys# cd /etc/openvpn/

root@openvpn-ssl:/etc/openvpn#

root@openvpn-ssl:/etc/openvpn#

root@openvpn-ssl:/etc/openvpn# vi server.conf

root@openvpn-ssl:/etc/openvpn# cp /root/openvpn.OLD/server.conf .

root@openvpn-ssl:/etc/openvpn# vi server.conf

root@openvpn-ssl:/etc/openvpn#

root@openvpn-ssl:/etc/openvpn# cat server.conf

### OpenVPN server file for roadwarrior setup ###

##

## Network Parameters ##

local 192.168.1.160

port 7654

proto udp

## Device type and server mode ##

dev tap

mode server

tls-server

## SSL configuration ##

ca /etc/openvpn/ca.crt

cert /etc/openvpn/openvpn-ssl.crt

key /etc/openvpn/openvpn-ssl.key

dh /etc/openvpn/dh1024.pem

#crl-verify /etc/openvpn/easy-rsa/keys/crl-list.pem

## Interface configuration ##

ifconfig 192.168.1.1 255.255.255.0

ifconfig-pool 192.168.1.196 192.168.1.200

ifconfig-pool-persist /etc/openvpn/logs/server.ipp

push "route 192.168.1.0 255.255.255.0 192.168.1.2"

push "route-gateway 192.168.1.2"

push "redirect-gateway def1"

push "dhcp-option DNS 192.168.1.103"

## For Sustaining gateway and enabling compression ##

keepalive 10 120

comp-lzo

persist-key

persist-tun

## Using pam auth d ##

#plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login

## Logging Details ##

log /etc/openvpn/logs/server.log

log-append /etc/openvpn/logs/server.log

status /etc/openvpn/logs/server-status.log

verb 4

#

root@openvpn-ssl:/etc/openvpn/easy-rsa# ./build-key client

Generating a 1024 bit RSA private key

........++++++

....................++++++

writing new private key to 'client.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [US]:IN

State or Province Name (full name) [CA]:MH

Locality Name (eg, city) [SanFrancisco]:Mumbai

Organization Name (eg, company) [Fort-Funston]:Finicity

Organizational Unit Name (eg, section) [changeme]:IT

Common Name (eg, your name or your server's hostname) [client]:

Name [changeme]:indiaoffice

Email Address [mail@host.domain]:ravindra.mane@finicity.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:

Using configuration from /etc/openvpn/easy-rsa/openssl.cnf

Enter pass phrase for /etc/openvpn/easy-rsa/keys/ca.key:<paradise>

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'IN'

stateOrProvinceName   :PRINTABLE:'MH'

localityName          :PRINTABLE:'Mumbai'

organizationName      :PRINTABLE:'Finicity'

organizationalUnitName:PRINTABLE:'IT'

commonName            :PRINTABLE:'client'

name                  :PRINTABLE:'indiaoffice'

emailAddress          :IA5STRING:'ravindra.mane@finicity.com'

Certificate is to be certified until Jun 21 03:46:32 2023 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

root@openvpn-ssl:/etc/openvpn/easy-rsa#

root@openvpn-ssl:/etc/openvpn/easy-rsa#
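Before copying anything off the server, check what the PKI steps above actually produced. Two things in the log deserve attention: the CA key was generated in clear and only encrypted afterwards, which leaves the plaintext copy keys/ca.key-old on disk next to the encrypted one (and -des3 is legacy; use openssl rsa -aes256 and a passphrase that is not written into these notes), and everything was built at the easy-rsa 2.0 default of KEY_SIZE=1024. Also, the client's ns-cert-type server line only stops a stolen client certificate from posing as the server if the server certificate really carries nsCertType=server, which ./build-key-server sets and ./build-key does not. The script below is an added example, not part of the original notes or of OpenVPN/easy-rsa: check_pki runs those checks over an easy-rsa keys/ directory using the openssl CLI and exits with the number of findings. The directory and server certificate name are arguments; the shred -u advice assumes GNU coreutils.

```sh
#!/bin/sh
# Added example, not part of the original notes: post-build checks for the
# easy-rsa 2.0 keys/ directory created above. Usage:
#   check_pki /etc/openvpn/easy-rsa/keys openvpn-ssl
# Prints one finding per line; exit status = number of findings (0 = clean).
# Needs the openssl CLI; "shred -u" in the advice is GNU coreutils.

check_pki() {                 # $1 = keys dir, $2 = server cert name (without .crt)
    d=$1 srv=$2 n=0
    flag() { echo "PKI: $1"; n=$((n + 1)); }

    # 1. The CA key must be passphrase-protected (the PEM header carries
    #    "ENCRYPTED" in both the legacy "Proc-Type: 4,ENCRYPTED" and the
    #    PKCS#8 form), and no plaintext copy such as ca.key-old may remain.
    [ -f "$d/ca.key" ] && grep -q ENCRYPTED "$d/ca.key" \
        || flag "ca.key is missing or not passphrase-protected"
    for f in "$d"/ca.key-* "$d"/ca.key.*; do
        [ -f "$f" ] || continue
        grep -q ENCRYPTED "$f" || flag "unencrypted CA key copy left on disk: $f (shred -u it)"
    done

    # 2. The server cert must chain to ca.crt and carry nsCertType=server,
    #    which ./build-key-server sets and ./build-key does not; the client's
    #    "ns-cert-type server" check only means something if this holds.
    openssl verify -CAfile "$d/ca.crt" "$d/$srv.crt" >/dev/null 2>&1 \
        || flag "$srv.crt does not verify against ca.crt"
    openssl x509 -in "$d/$srv.crt" -noout -text | tr -d '\n ' \
        | grep -Eq 'NetscapeCertType:(critical)?SSLServer' \
        || flag "$srv.crt lacks nsCertType=server (built with ./build-key instead of ./build-key-server?)"

    # 3. Every certificate's RSA key and the DH group should be at least 2048
    #    bits; the easy-rsa 2.0 vars file defaults to KEY_SIZE=1024 (as the
    #    "Generating a 1024 bit RSA private key" lines in the log show).
    for c in "$d"/*.crt; do
        [ -f "$c" ] || continue
        bits=$(openssl x509 -in "$c" -noout -text | grep -o '([0-9]* bit)' | head -1 | tr -dc 0-9)
        [ "${bits:-0}" -ge 2048 ] || flag "$(basename "$c") has a ${bits:-?}-bit key; set KEY_SIZE=2048 in vars and rebuild"
    done
    for p in "$d"/dh*.pem; do
        [ -f "$p" ] || continue
        bits=$(openssl dhparam -in "$p" -noout -text | grep -o '([0-9]* bit)' | head -1 | tr -dc 0-9)
        [ "${bits:-0}" -ge 2048 ] || flag "$(basename "$p") is ${bits:-?}-bit; rerun ./build-dh with KEY_SIZE=2048"
    done
    return $n
}

# Usage: sh check_pki.sh /etc/openvpn/easy-rsa/keys openvpn-ssl
if [ -n "${1:-}" ]; then check_pki "$1" "${2:-openvpn-ssl}"; fi
```

Exit status 0 means every check passed. Fixing the key-size finding means setting KEY_SIZE=2048 in vars and rebuilding the whole PKI (./clean-all, ./build-ca, ./build-key-server, ./build-key, ./build-dh), since the CA itself was built at 1024 bits; a client certificate re-issued at 2048 bits under a 1024-bit CA gains nothing.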

====================================================================

On Client (Windows machine connecting to the server at 192.168.1.160)

Copy ca.crt, client.crt and client.key from the VPN server (/etc/openvpn/easy-rsa/keys/) to C:\Program Files\OpenVPN\config. client.key is the client's private key, so move it over a trusted channel (scp, not e-mail).

# Content of ca.ovpn

tls-client

dev tap

proto udp

remote 192.168.1.160 7654

resolv-retry infinite

nobind

pull

persist-tun

persist-key

auth-user-pass

ca 'c:\program files\openvpn\config\ca.crt'

cert 'c:\program files\openvpn\config\client.crt'

key 'c:\program files\openvpn\config\client.key'

ns-cert-type "server"

comp-lzo

verb 3
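The two configs above work, but several defaults of this era are weak, and one line is inconsistent: the client sends auth-user-pass while the server's openvpn-auth-pam plugin line is commented out, so whatever password the user types is never checked. Other points: dh1024.pem, comp-lzo (compressing secret and attacker-chosen data in one stream is exploitable, VORACLE), no tls-auth HMAC on the control channel, the OpenVPN 2.2 default cipher BF-CBC and HMAC SHA1, the daemon staying root, and ns-cert-type, which remote-cert-tls server has superseded since OpenVPN 2.1. The script below is an added example, not part of the original notes: lint_openvpn_conf flags those settings in a config passed as text, and hardened_server_conf / hardened_client_ovpn print corrected versions that keep the addressing and tap mode used above. It assumes two files the log does not create: dh2048.pem (set KEY_SIZE=2048 in vars and rerun ./build-dh) and ta.key (openvpn --genkey --secret ta.key), the latter copied to the client alongside its certificate.

```sh
#!/bin/sh
# Added example, not part of the original notes: a hardening pass over the
# server.conf and client .ovpn recorded above, written for OpenVPN 2.2.x (the
# version the log installs). lint_openvpn_conf flags weak settings, one per
# line, exit status = number of findings; hardened_server_conf and
# hardened_client_ovpn print corrected configs that keep the original
# addressing and tap mode. Assumed, not present in the log: dh2048.pem
# (KEY_SIZE=2048 in the easy-rsa vars, then ./build-dh) and ta.key
# (openvpn --genkey --secret ta.key), copied to both ends over a trusted channel.

lint_openvpn_conf() {               # $1 = config text (not a path), so it runs offline
    conf=$1 n=0
    has()  { printf '%s\n' "$conf" | grep -Eq "$1"; }
    flag() { echo "WEAK: $1"; n=$((n + 1)); }
    has '^dh .*dh1024'  && flag "1024-bit DH parameters: set KEY_SIZE=2048 in vars, rerun ./build-dh"
    has '^comp-lzo'     && flag "comp-lzo: compressing secret and attacker-chosen data in one stream is exploitable (VORACLE); drop it"
    has '^ns-cert-type' && flag "ns-cert-type: use 'remote-cert-tls server' (OpenVPN 2.1+)"
    has '^auth-user-pass[[:space:]]*$' && \
        flag "auth-user-pass on the client, but the server's PAM plugin line is commented out: never checked"
    has '^tls-auth'     || flag "no tls-auth: control channel has no HMAC firewall"
    has '^cipher '      || flag "no cipher: OpenVPN 2.2 defaults to BF-CBC (64-bit block)"
    has '^auth '        || flag "no auth: HMAC defaults to SHA1; set auth SHA256"
    has '^(mode server|tls-server)' && ! has '^user ' && \
        flag "server runs as root: add 'user nobody' and 'group nogroup'"
    return $n
}

hardened_server_conf() {
cat <<'EOF'
local 192.168.1.160
port 7654
proto udp
dev tap
mode server
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/openvpn-ssl.crt
key /etc/openvpn/openvpn-ssl.key
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
auth SHA256
#crl-verify /etc/openvpn/easy-rsa/keys/crl-list.pem
ifconfig 192.168.1.1 255.255.255.0
ifconfig-pool 192.168.1.196 192.168.1.200
ifconfig-pool-persist /etc/openvpn/logs/server.ipp
push "route 192.168.1.0 255.255.255.0 192.168.1.2"
push "route-gateway 192.168.1.2"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.103"
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
log-append /etc/openvpn/logs/server.log
status /etc/openvpn/logs/server-status.log
verb 4
EOF
}

hardened_client_ovpn() {
cat <<'EOF'
tls-client
dev tap
proto udp
remote 192.168.1.160 7654
resolv-retry infinite
nobind
pull
persist-tun
persist-key
ca 'c:\program files\openvpn\config\ca.crt'
cert 'c:\program files\openvpn\config\client.crt'
key 'c:\program files\openvpn\config\client.key'
tls-auth 'c:\program files\openvpn\config\ta.key' 1
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
verb 3
EOF
}

# Usage: sh harden.sh /etc/openvpn/server.conf   (exit status = number of findings)
if [ -n "${1:-}" ]; then lint_openvpn_conf "$(cat "$1")"; fi
```

With user nobody / group nogroup the daemon drops privileges after start-up, so /etc/openvpn/logs/server.ipp and server-status.log, which are rewritten while running, must be writable by nobody (the log file and the keys are opened before the drop and can stay root-only). If the PAM plugin is enabled on the server later, put auth-user-pass back into the client config; until then it only gives a false sense of a second factor.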