A virtual private network (VPN) extends the resources of your local area network to telecommuters home, satellite offices, and far-flung sales warriors. OpenVPN is a fast, scalable, secure, and free VPN solution for Linux. And best of all, its easy to configure and deploy. Heres a hands-on primer.
OpenVPN (http://openvpn.net/) is a fast, open, free, and scalable SSL/TLS- based virtual private network (VPN) solution. OpenVPN can route, bridge, and scale to hundreds of clients, tunnel over a single port (UDP or TCP, even through HTTP and SOCKS5 proxies), traverse NAT with ease, use static or public key-based encryption, and authenticate via PAM or any other scriptable authentication mechanism. Best of all, OpenVPN is incredibly simple to configure, and it runs in most common operating systems, including *BSD (FreeBSD, NetBSD, and OpenBSD), Linux, Mac OS X, Solaris, and yes, even Windows.
Let’s set up a PKI-based, routing VPN in Linux for Fancy Sprockets, Incorporated, manufacturers of the world’s finest sprockets, widgets, and doodads (it’s a growth industry). More about Fancy Sprockets later; first, you must install OpenVPN.
OpenVPN requires a kernel with tuntap support, so in practice, that means either a 2.4 or 2.6 kernel with the tuntap module. OpenVPN packages are available for most popular Linux distributions. If you use Debian or one of the many Debian-based distributions, installing OpenVPN couldn’t be easier: Just type apt-get install openvpn as root.
RPM s for Red Hat and Fedora are available from the DAG RPM Repository (http://dag.wieers.com/packages/openvpn/). If you’re using an RPM-based distribution other than Fedora or Red Hat, the OpenVPN source tarball includes a spec file and instructions on building your own RPM. If you’re using Gentoo, there’s an OpenVPN ebuild available through Portage.
If you want to build from source, you need OpenSSL (http://openssl.org/), and if you want to use the recommended adaptive link compression, you also need the LZO compression library
Once you have OpenSSL (and, optionally, the LZO compression library) installed, grab the latest stable version of OpenVPN (version 2.0.5, as of this writing) from the OpenVPN download page (http://openvpn.net/download.html), uncompress the source tarball, cd into the source directory, and read both the INSTALL and README files for any architecture- or distribution-specific notes. As soon as everything is in order, run ./configure&&make&&su –c ‘make install’, spend a few minutes reading Fark.com (http://www.fark.com/), and you should be up and running.
Simple VPN Authentication
Let’s start with the simplest possible VPN authentication configuration: static, pre-shared, keys. As the description implies, static keys are a secret key shared between the OpenVPN server and the client. While this configuration has a few disadvantages — a lack of perfect forward secrecy (more about that in a bit), no key exchange mechanism, and, worst of all, only one client per server — tailoring OpenVPN to use static keys is fast and simple.
First, generate a static key:
# openvpn ––genkey ––secret static.key
Next, copy the static key to both the client and the server. This step is entirely dependent on your server setup, but it’s best to use SneakerNet (an advanced, high-latency, high-bandwidth, jumbo-frame network infrastructure that consists of a floppy disk or USB memory stick, walking, and, you guessed it, a pair of sneakers), SSH, or some other equally secure channel to copy the key to both machine.
Next, create the server and client configuration file. In the examples below, communication is via UDP port 1194 (the default, IANA-assigned OpenVPN port number), the server endpoint is 10.55.55.1, and the client endpoint is 10.55.55.2. The OpenVPN documentation recommends that you not use the 192.168.0.0/24 subnet, since it’s the most popular subnet for wireless access points and other NAT devices. Also, don’t forget to replace the imaginary server (vpn.fancysprockets.com in the example below) with the hostname or IP address of your actual OpenVPN server, and, for pete’s sake, don’t forget to open up UDP port 1194 on your firewall.
Here’s the server configuration using a static key:
# static key config (server)
ifconfig 10.55.55.1 10.55.55.2
And here’s the equally sparse client configuration file:
# static key config (client)
ifconfig 10.55.55.2 10.55.55.1
With the files in hand, launch OpenVPN on both the client and server (as root), like so:
# openvpn ––config /path/to/config.conf
After running the command on both machines, you should be able to ping the client from the server, and vice versa. If you get stuck here, make sure your firewall allows traffic on UDP port 1194 — that’s usually the culprit for connection-related problems. (If you’re using Netfilter (iptables) with connection tracking, try adding the lines in Listing One to your firewall rules. Working now? Good.)