OpenVPN_setup
Reference URL:
http://rbgeek.wordpress.com/2012/12/13/openvpn-server-on-ubuntu-12-04-behind-nat/
Steps:
On Server
root@openvpn-ssl:~# apt-get install openvpn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
openvpn
0 upgraded, 1 newly installed, 0 to remove and 140 not upgraded.
Need to get 0 B/441 kB of archives.
After this operation, 1,058 kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously unselected package openvpn.
(Reading database ... 45543 files and directories currently installed.)
Unpacking openvpn (from .../openvpn_2.2.1-8ubuntu1.1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up openvpn (2.2.1-8ubuntu1.1) ...
* Restarting virtual private network daemon(s)... * No VPN is running.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@openvpn-ssl:~#
root@openvpn-ssl:~#
root@openvpn-ssl:~# cd /etc/openvpn/
root@openvpn-ssl:/etc/openvpn# mkdir easy-rsa
root@openvpn-ssl:/etc/openvpn#
root@openvpn-ssl:/etc/openvpn# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
root@openvpn-ssl:/etc/openvpn#
root@openvpn-ssl:/etc/openvpn#
root@openvpn-ssl:/etc/openvpn# cd /etc/openvpn/easy-rsa/
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa# source vars
**************************************************************
No /etc/openvpn/easy-rsa/openssl.cnf file could be found
Further invocations will fail
**************************************************************
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa# ./clean-all
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa# ./build-ca
grep: /etc/openvpn/easy-rsa/openssl.cnf: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa# cp openssl-1.0.0.cnf openssl.cnf
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa# ./build-ca
Generating a 1024 bit RSA private key
.....++++++
.....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:in
State or Province Name (full name) [CA]:^C
root@openvpn-ssl:/etc/openvpn/easy-rsa# ./build-ca
Generating a 1024 bit RSA private key
..................++++++
...............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:IN
State or Province Name (full name) [CA]:MH
Locality Name (eg, city) [SanFrancisco]:Mumbai
Organization Name (eg, company) [Fort-Funston]:Finicity
Organizational Unit Name (eg, section) [changeme]:IT
Common Name (eg, your name or your server's hostname) [changeme]:IndiaOffice
Name [changeme]:indiaoffice
Email Address [mail@host.domain]:ravindra.mane@finicity.com
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa# openssl rsa -in keys/ca.key -des3 -out keys/ca.key-new
writing RSA key
Enter PEM pass phrase:<paradise>
Verifying - Enter PEM pass phrase:<paradise>
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa# mv keys/ca.key keys/ca.key-old
root@openvpn-ssl:/etc/openvpn/easy-rsa# mv keys/ca.key-new keys/ca.key
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa# ./build-key-server openvpn-ssl
Generating a 1024 bit RSA private key
............++++++
...++++++
writing new private key to 'openvpn-ssl.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:IN
State or Province Name (full name) [CA]:MH
Locality Name (eg, city) [SanFrancisco]:Mumbai
Organization Name (eg, company) [Fort-Funston]:Finicity
Organizational Unit Name (eg, section) [changeme]:IT
Common Name (eg, your name or your server's hostname) [openvpn-ssl]:openvpn-ssl
Name [changeme]:indiavpn
Email Address [mail@host.domain]:ravindra.mane@finicity.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/keys/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'IN'
stateOrProvinceName :PRINTABLE:'MH'
localityName :PRINTABLE:'Mumbai'
organizationName :PRINTABLE:'Finicity'
organizationalUnitName:PRINTABLE:'IT'
commonName :PRINTABLE:'openvpn-ssl'
name :PRINTABLE:'indiavpn'
emailAddress :IA5STRING:'ravindra.mane@finicity.com'
Certificate is to be certified until Jun 21 03:16:27 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...................+...................................................................................................+........................................................................................+...........................+...................................................................+...........................+....................................................+....................................................................................+.........................+......+.........+............................................+....+..........+..............+..........................................+.......................................................+............................................+..........+..+.....................................................................................................................................................+.........+......................................+....................+...................+.........................................+..............................................................+.........................................+........................+............................................................................................................................................................................................+...+.......+...........................................................+...........................................................................................+......................................++*++*++*
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa# cd keys/
root@openvpn-ssl:/etc/openvpn/easy-rsa/keys# cp ca.crt openvpn-ssl.c
openvpn-ssl.crt openvpn-ssl.csr
root@openvpn-ssl:/etc/openvpn/easy-rsa/keys# cp ca.crt openvpn-ssl.crt openvpn-ssl.key dh1024.pem /etc/openvpn/
root@openvpn-ssl:/etc/openvpn/easy-rsa/keys#
root@openvpn-ssl:/etc/openvpn/easy-rsa/keys#
root@openvpn-ssl:/etc/openvpn/easy-rsa/keys#
root@openvpn-ssl:/etc/openvpn/easy-rsa/keys#
root@openvpn-ssl:/etc/openvpn/easy-rsa/keys# cd /etc/openvpn/
root@openvpn-ssl:/etc/openvpn#
root@openvpn-ssl:/etc/openvpn#
root@openvpn-ssl:/etc/openvpn# vi server.conf
root@openvpn-ssl:/etc/openvpn# cp /root/openvpn.OLD/
ca.crt client-openssl.csr easy-rsa/ server.conf
ca.key client-openssl.key openvpn-ssl.crt update-resolv-conf
client-openssl.crt dh1024.pem openvpn-ssl.key
root@openvpn-ssl:/etc/openvpn# cp /root/openvpn.OLD/server.conf .
root@openvpn-ssl:/etc/openvpn# vi server.conf
root@openvpn-ssl:/etc/openvpn#
root@openvpn-ssl:/etc/openvpn# cat server.conf
### OpenVPN server file for roadwarrior setup ###
##
## Network Parameters ##
local 192.168.1.160
port 7654
proto udp
## Device type and server mode ##
dev tap
mode server
tls-server
## SSL configuration ##
ca /etc/openvpn/ca.crt
cert /etc/openvpn/openvpn-ssl.crt
key /etc/openvpn/openvpn-ssl.key
dh /etc/openvpn/dh1024.pem
#crl-verify /etc/openvpn/easy-rsa/keys/crl-list.pem
## Interface configuration ##
ifconfig 192.168.1.1 255.255.255.0
ifconfig-pool 192.168.1.196 192.168.1.200
ifconfig-pool-persist /etc/openvpn/logs/server.ipp
push "route 192.168.1.0 255.255.255.0 192.168.1.2"
push "route-gateway 192.168.1.2"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.103"
## For Sustaining gateway and enabling compression ##
keepalive 10 120
comp-lzo
persist-key
persist-tun
## Using pam auth d ##
#plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
## Logging Details ##
log /etc/openvpn/logs/server.log
log-append /etc/openvpn/logs/server.log
status /etc/openvpn/logs/server-status.log
verb 4
#
root@openvpn-ssl:/etc/openvpn/easy-rsa# ./build-key client
Generating a 1024 bit RSA private key
........++++++
....................++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:IN
State or Province Name (full name) [CA]:MH
Locality Name (eg, city) [SanFrancisco]:Mumbai
Organization Name (eg, company) [Fort-Funston]:Finicity
Organizational Unit Name (eg, section) [changeme]:IT
Common Name (eg, your name or your server's hostname) [client]:
Name [changeme]:indiaoffice
Email Address [mail@host.domain]:ravindra.mane@finicity.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/keys/ca.key:<paradise>
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'IN'
stateOrProvinceName :PRINTABLE:'MH'
localityName :PRINTABLE:'Mumbai'
organizationName :PRINTABLE:'Finicity'
organizationalUnitName:PRINTABLE:'IT'
commonName :PRINTABLE:'client'
name :PRINTABLE:'indiaoffice'
emailAddress :IA5STRING:'ravindra.mane@finicity.com'
Certificate is to be certified until Jun 21 03:46:32 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@openvpn-ssl:/etc/openvpn/easy-rsa#
root@openvpn-ssl:/etc/openvpn/easy-rsa#
====================================================================
On Client (192.168.1.160)
Copy ca.crt, client.crt and client.key from the VPN server to C:\Program Files\OpenVPN\config
#Content of ca.ovpn
tls-client
dev tap
proto udp
remote 192.168.1.160 7654
resolv-retry infinite
nobind
pull
persist-tun
persist-key
auth-user-pass
ca 'c:\program files\openvpn\config\ca.crt'
cert 'c:\program files\openvpn\config\client.crt'
key 'c:\program files\openvpn\config\client.key'
ns-cert-type "server"
comp-lzo
verb 3
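The server.conf and ca.ovpn above have to agree on transport, device type and compression before the tunnel comes up, and the client's auth-user-pass line only does anything if the server checks it (the PAM plugin line in server.conf is commented out). As an added example, not code from these notes or the referenced blog, this Python script parses abridged copies of the two configs shown here (constructed inline) and flags such mismatches:

```python
# Added example for this page: consistency checks between the server.conf and
# client .ovpn shown above. Not code from the referenced blog.
import shlex

def parse_ovpn(text):
    """Map each directive to the list of argument lists it appears with.
    Lines starting with '#' or ';' are comments, as OpenVPN treats them."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def check_pair(server, client):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    remote = client.get("remote", [[]])[0]
    port = server.get("port", [["1194"]])[0][0]
    if len(remote) > 1 and remote[1] != port:
        findings.append(f"port mismatch: client {remote[1]} vs server {port}")
    sproto = server.get("proto", [["udp"]])[0][0]
    if client.get("proto", [["udp"]])[0][0] != sproto:
        findings.append("proto mismatch between client and server")
    if server.get("dev") != client.get("dev"):
        findings.append("dev mismatch: tap/tun differs between server and client")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        findings.append("comp-lzo set on only one side")
    # Without this, any certificate signed by the same CA could pose as the server.
    if "ns-cert-type" not in client and "remote-cert-tls" not in client:
        findings.append("client does not verify server certificate role")
    # auth-user-pass only means something if the server actually checks it.
    if "auth-user-pass" in client and "auth-user-pass-verify" not in server \
            and not any(a and "auth" in a[0] for a in server.get("plugin", [])):
        findings.append("client sends credentials but server has no auth plugin")
    return findings

# Constructed, abridged copies of the two configs on this page (the PAM plugin
# line in server.conf is commented out there, so it is omitted here).
SERVER_CONF = "port 7654\nproto udp\ndev tap\ntls-server\ncomp-lzo\n"
CLIENT_OVPN = ("tls-client\ndev tap\nproto udp\nremote 192.168.1.160 7654\n"
               "auth-user-pass\nns-cert-type \"server\"\ncomp-lzo\n")

def findings_for_page():
    """Run the checks against the abridged configs from this page."""
    return check_pair(parse_ovpn(SERVER_CONF), parse_ovpn(CLIENT_OVPN))
```

Running `findings_for_page()` on the page's configs reports only the unchecked auth-user-pass credentials; change the client's port or drop `ns-cert-type` to see the other findings.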