Monday, 16 July 2012

Setting up OpenVPN in Ubuntu

OpenVPN uses a Public Key Infrastructure (PKI) to authenticate nodes and encrypt the VPN traffic between them. A simple way of setting up a VPN with OpenVPN is to connect the clients through a bridge interface on the VPN server. This guide assumes that one VPN node, the server in this case, already has a bridge interface configured. For more information on setting up a bridge see the section called "Bridging".

Installation

To install openvpn, in a terminal enter:

    sudo apt-get install openvpn

Server Certificates

Now that the openvpn package is installed, the certificates for the VPN server need to be created. First, copy the easy-rsa directory to /etc/openvpn. This ensures that any changes to the scripts are not lost when the package is updated. You will also need to adjust permissions in the easy-rsa directory so that the current user can create files there. From a terminal enter:

    sudo mkdir /etc/openvpn/easy-rsa/
    sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
    sudo chown -R $USER /etc/openvpn/easy-rsa/

Next, edit /etc/openvpn/easy-rsa/vars, adjusting the following to your environment:

    export KEY_COUNTRY="US"
    export KEY_PROVINCE="NC"
    export KEY_CITY="Winston-Salem"
    export KEY_ORG="Example Company"
    export KEY_EMAIL=""

The same file also sets KEY_SIZE, which is 1024 by default in this version of easy-rsa. 1024-bit RSA keys and 1024-bit Diffie-Hellman parameters are weak by current standards; setting KEY_SIZE=2048 before running the commands below is advisable. Note that build-dh names its output after the key size (dh1024.pem or dh2048.pem), so adjust the copy command and the dh line in server.conf accordingly.

Enter the following to create the CA and the server certificate:

    cd /etc/openvpn/easy-rsa/
    source vars
    ./clean-all
    ./build-dh
    ./pkitool --initca
    ./pkitool --server server
    cd keys
    openvpn --genkey --secret ta.key
    sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

[Note] ./clean-all deletes everything in the keys directory, so run it only once, when creating a new PKI. The CA private key, keys/ca.key, is the most sensitive file produced here: it signs every certificate the server will trust. Keep it on the CA machine only and never copy it to clients; clients and the server need only ca.crt.

Client Certificates

The VPN client also needs a certificate to authenticate itself to the server. To create the certificate, enter the following in a terminal:

    cd /etc/openvpn/easy-rsa/
    source vars
    ./pkitool hostname

[Note] Replace hostname with the actual hostname of the machine connecting to the VPN.

Copy the following files to the client:

    /etc/openvpn/ca.crt
    /etc/openvpn/easy-rsa/keys/hostname.crt
    /etc/openvpn/easy-rsa/keys/hostname.key
    /etc/openvpn/ta.key

[Note] Remember to adjust the above file names for your client machine's hostname. Use a secure method to copy the certificate and key files: the scp utility is a good choice, but copying the files to removable media and then to the client also works. hostname.key and ta.key are secrets; on the client they should be owned by root and readable only by root (mode 600), and the same applies to server.key and ta.key on the server.

Configuration

Server Configuration

Now configure the openvpn server by creating /etc/openvpn/server.conf from the example file. In a terminal enter:

    sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
    sudo gzip -d /etc/openvpn/server.conf.gz

Edit /etc/openvpn/server.conf, changing the following options to:

    local
    dev tap0
    up "/etc/openvpn/ br0"
    down "/etc/openvpn/ br0"
    ;server
    server-bridge
    push "route"
    push "dhcp-option DNS"
    push "dhcp-option DOMAIN"
    tls-auth ta.key 0 # This file is secret
    user nobody
    group nogroup

local: the IP address of the bridge interface.

server-bridge: needed when the configuration uses bridging. The first portion is the bridge interface address and mask; the IP range is the range of addresses that will be assigned to clients. The plain server directive is commented out (;server) because it is replaced by server-bridge.

push: directives that add networking options (routes, DNS server, DNS domain) for the clients.

tls-auth: enables an HMAC signature on every control-channel packet using the shared ta.key; packets without a valid signature are dropped before the TLS handshake, which protects the server from unauthenticated probing and DoS. The 0 is the key direction; the client must use 1.

user and group: configure which user and group the openvpn daemon runs as after it has read its keys and opened its sockets, so a compromise of the daemon does not yield root.

[Note] Replace all IP addresses and domain names above with those of your network.

Next, create a couple of helper scripts to add the tap interface to the bridge when the tunnel comes up and remove it when the tunnel goes down. Create the script named by the up directive under /etc/openvpn/:

    #!/bin/sh
    BR=$1
    DEV=$2
    MTU=$3
    /sbin/ifconfig $DEV mtu $MTU promisc up
    /usr/sbin/brctl addif $BR $DEV

And the script named by the down directive under /etc/openvpn/:

    #!/bin/sh
    BR=$1
    DEV=$2
    /usr/sbin/brctl delif $BR $DEV
    /sbin/ifconfig $DEV down

OpenVPN invokes these scripts as root before dropping privileges, so they must be writable only by root. Make them executable:

    sudo chmod 755 /etc/openvpn/
    sudo chmod 755 /etc/openvpn/

After configuring the server, restart openvpn by entering:

    sudo /etc/init.d/openvpn restart

Client Configuration

First, install openvpn on the client:

    sudo apt-get install openvpn

Then, with the server configured and the client certificates copied to the /etc/openvpn/ directory, create a client configuration file by copying the example. In a terminal on the client machine enter:

    sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn

Now edit /etc/openvpn/client.conf, changing the following options:

    dev tap
    remote 1194
    cert hostname.crt
    key hostname.key
    tls-auth ta.key 1

[Note] Replace the remote value with the hostname of your VPN server, and hostname.* with the actual certificate and key filenames. The tls-auth direction is 1 on the client and 0 on the server; if the two directions do not complement each other, the HMAC check fails and the connection never gets past the handshake.

Finally, restart openvpn:

    sudo /etc/init.d/openvpn restart

You should now be able to connect to the remote LAN through the VPN.
