Tutorial: openvpn

After helping some people (here and on irc) to setup their OpenVPN server I would like to start a collection of useful tips regarding the operation of an OpenVPN server.

First the basic steps:

  • Click on the "enable TUN/TAP device" within for server panel and restart the vps. [for OpenVZ]
  • After that a

    cat /dev/net/tun
    

    should return:

    cat: /dev/net/tun: File descriptor in bad state
    
  • Installing openvpn

    apt-get install openvpn
    
  • If /dev/net/tun is missing
    Easy way:

    openvpn --mktun --dev tun0
    

    Hard way (yup there are still images out there which do not have a /dev/net):

    mkdir -p /dev/net
    mknod /dev/net/tun c 10 200
    chmod 600 /dev/net/tun 
    
  • Setup configuration of openvpn

    cp -r /usr/share/doc/openvpn/ /etc/ 
    cd /etc/openvpn/examples/easy-rsa/2.0
    nano vars
    

    Setup the last exports to save you some typing:

    export KEY_SIZE=2048
    
    export KEY_COUNTRY=""
    export KEY_PROVINCE=""
    export KEY_CITY=""
    export KEY_ORG=""
    export KEY_EMAIL=""
    export KEY_CN=changeme
    export KEY_NAME=changeme
    export KEY_OU=changeme
    

    Key size should be at least 2048 bit!
    Of course no empty values ...

  • If they key tools reporting that they cannot find the openssl lib...

    nano whichopensslcnf
    

    Change following line (the double [[:digit:]] is wrong):

    elif $OPENSSL version | grep -E "1\.0\.[[:digit:]]" > /dev/null; then
    
  • Start generating the keys:

    ./clean-all [to clean all generated stuff - if you want to start right from the beginning]
    ./build-ca [certificate authority of all your certs]
    ./build-key-server servername [cert for server]
    ./build-key clientname [certs per client]
    ./build-dh [dh parameter for key-exchange algorithm]
    
  • Copy keys to openvpn server

    mkdir /etc/openvpn/keys 
    cd keys
    cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/keys 
    [depends on your naming of the build-* calls, if you called your server mybox it is e.g.
    mybox.crt and mybox.key]
    chmod 600 /etc/openvpn/keys/*
    
  • Creating the server config

    cd /etc/openvpn/examples/sample-config-files/ 
    gunzip server.conf.gz
    cp server.conf /etc/openvpn/ 
    cd /etc/openvpn/
    nano /etc/openvpn/server.conf
    
  • Alterting the config

    port 1149 #[port you want to use]
    dev tun #[device type you want to use]
    #relative paths of the keys:
    ca keys/ca.crt
    cert keys/servch.crt
    key keys/servch.key  
    dh keys/dh1024.pem
    server 10.10.10.0 255.255.255.0 #[network of openvpn server - server itself will get 10.10.10.1]
    push "redirect-gateway def1 bypass-dhcp" #[if you want to surf through the vpn]
    client-to-client #[if each openvpn client should see the other openvpn clients (gaming)]
    comp-lzo #[compression is good]
    max-clients 3 #[number of concurrent users]
    user nobody
    group nogroup #[downgrade rights of openvpn for security]
    persist-key
    persist-tun #[nobdy cannot alter devices - so persist there settings]
    status openvpn-status.log
    log-append  openvpn.log #[logging is good for checking problems]
    
  • Track the usage of your openvpn server
    OpenVPN server does have some nice hookups that you can use to modify its workflow. One nice feature are following hooks (added to the server config):

    script-security 3 system
    client-connect /etc/openvpn/client-login.sh
    client-disconnect /etc/openvpn/client-logout.sh
    

    So the scripts are called whenever a client connects or disconnects!

    nano /etc/openvpn/client-login.sh 
    
    #!/bin/bash
    #Send an email when a client connects with today's time and date
    NOW="$(date +"%H:%M:%S - %Y-%m-%d")"
    
    sendmail [email protected] <
    
    nano client-logout.sh
    
    #!/bin/bash
    #Send an email when a client connects with today's time and date
    NOW="$(date +"%H:%M:%S - %Y-%m-%d")"
    
    sendmail [email protected] <
    

    Yup I really like this global vars. So this script can be altered to put this information into a csv file or into a database.
    You get all information you need - and the used bandwith too.

    chmod +x /etc/openvpn/*.ssh
    

    And we are done.

  • Next hook is the login mode
    Need a password instead of certs? Or an additional password to the certs?

    auth-user-pass-verify /etc/openvpn/auth.sh via-file
    

    This just has to return "0" or "1" for good and bad auth:

    nano /etc/openvpn/auth.sh
    
    #!/bin/sh
    #Simplest way
    ALLOWED_USER1="wlanboy"
    ALLOWED_PASS1="supersecure"
    
    if [ "$username" == "$ALLOWED_USER1" ] && [ "$password" == "$ALLOWED_PASS1" ]
     then exit 0
    fi
    
    exit 1
    

    Want no client certs? Add this to the server.conf

    client-cert-not-required
    username-as-common-name
    
  • Networking

    device="venet0" #// OpenVZ
    yourexternalid="1.1.1.1" #// Change this value!
    yourvpnsubnet="10.10.10.0/24" #// Change this value!
    yourvpnport="1149" #//Change this value!
    
        # allow OPENVPN and enable ip forwarding
        iptables -A INPUT -i tun0 -j ACCEPT
        iptables -A FORWARD -i tun0 -j ACCEPT
    
        iptables -A FORWARD -o $device -i tun0 -j ACCEPT
        iptables -A FORWARD -o tun0 -i $device -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A INPUT -i $device -p udp --dport $yourvpnport -m state --state NEW -j ACCEPT
        iptables -t nat -A POSTROUTING -s $yourvpnsubnet -j SNAT --to $yourexternalid
    

    Depens on your choice if you are using a startup script or persist these iptables rules.

  • Revoking certs

    . ./vars
    ./revoke-full clientname
    

So this is everything I am duing to setup a OpenVPN server.

Looking forward to your input and your addons.