OpenVPN Server Setup on Linux

Today we’ll be setting up an OpenVPN server on a Debian Wheezy VM.

Software

Software used in this article:

  1. Debian Wheezy
  2. OpenVPN 2.2
  3. OpenSSL 1.0.1e

Install OpenVPN Server

Install OpenVPN and OpenSSL packages:

# apt-get update && apt-get install openvpn openssl liblzo2-2 lzop

Public Key Infrastructure Setup

Create a directory to store logs:

# mkdir /var/log/openvpn

Create a separate directory to keep scripts, certificates and keys to ensure that any changes to the scripts will not be lost when the OpenVPN package is updated:

# mkdir /etc/openvpn/easy-rsa

Copy all the content from the examples directory:

# cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Check OpenSSL Version

# openssl version
OpenSSL 1.0.1e 11 Feb 2013
# dpkg -s openssl | grep -i version
Version: 1.0.1e-2

[EDIT: April 2014] This version of OpenSSL was affected by the Heartbleed bug.

Modify the Config File Appropriately

Forcing OpenVPN to use OpenSSL 1.0:

# vim /etc/openvpn/easy-rsa/vars
 #comment the line below out
 #export EASY_RSA="`pwd`" 
 export EASY_RSA="/etc/openvpn/easy-rsa"

 #comment the line below out
 #export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
 export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf"

 export KEY_SIZE=1024 #change RSA key to 2048 if paranoid

 #set some applicable values
 export KEY_COUNTRY="UK"
 export KEY_PROVINCE="Midlands"
 export KEY_CITY="Birmingham"
 export KEY_ORG="Private Sector"
 export KEY_EMAIL="[email protected]"

Generate the Master Certificate Authority (CA) Certificate and Key

# cd /etc/openvpn/easy-rsa
# source vars 
# ./clean-all
# ./build-ca

Create Server Certificates

# ./build-key-server deb-server

Generate Diffie Hellman parameters (this may really take a long time if using 2048 keysize):

# ./build-dh

Certificates and keys have been generated in the /etc/openvpn/easy-rsa/keys subdirectory . Common practice is to copy them to /etc/openvpn :

# cd /etc/openvpn/easy-rsa/keys 
# cp ./deb-server.crt ./deb-server.key ./ca.crt ./dh1024.pem /etc/openvpn

Create Client Certificates

We will generate certificates for Sandy:

# cd /etc/openvpn/easy-rsa
# source vars
# ./build-key sandy

Copy the following files to the Sandy’s machine using a secure method (i.e. SCP):

/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/sandy.crt
/etc/openvpn/easy-rsa/keys/sandy.key

Client certificates and keys are only required on the client machine, therefore can remove them from the server once copied:

# rm /etc/openvpn/easy-rsa/keys/sandy.crt
# rm /etc/openvpn/easy-rsa/keys/sandy.key

OpenVPN Server Configuration

We need to copy the default server configuration file first:

# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn

Unzip it:

# gunzip /etc/openvpn/server.conf.gz

Open and modify the server’s config file so it would look like below:

# cat /etc/openvpn/server.conf
#listen on IPv4
local 0.0.0.0

#we use a non-default port
port 11194

#UDP protocol chosen for better protection against DoS attacks and port scanning
proto udp

#using routed IP tunnel
dev tun

#full paths to keys and certificates
ca /etc/openvpn/ca.crt
cert /etc/openvpn/deb-server.crt
key /etc/openvpn/deb-server.key
dh /etc/openvpn/dh1024.pem

#set OpenVPN subnet
server 10.26.0.0 255.255.255.0

#maintain a record of client-to-virtual-IP-address
ifconfig-pool-persist ipp.txt

#ping every 10 seconds, assume that remote peer is down if no ping received during 60
keepalive 10 60

#cryptographic cipher, must be the same (copied) on the client config file as well
cipher AES-256-CBC

#enable compression on VPN link
comp-lzo

max-clients 20

#downgrade daemon privileges (non-Windows only)
user nobody
group nogroup

#try to preserve some state across restarts
persist-key
persist-tun

#log files
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log

#log file verbosity
verb 3

Start the OpenVPN Server

NOTE: UDP port 11194 has to be opened on a firewall, otherwise clients will not be able to connect.

Enable kernel module:

# modprobe tun

Start the OpenVPN server:

# service openvpn start

Check that OpenVPN tun interface if up:

# ifconfig tun
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.26.0.1  P-t-P:10.26.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

NOTE: the OpenVPN server always uses the first usable IP address in the client network and only that IP is pingable. As we configured a /24 for the client network mask, the .1 address will be used (10.26.0.1 in our case). The P-t-P address we see in the ifconfig output above is usually not answering ping requests.

Server should now also be listening on UDP 11194 port:

# netstat -nlup
Active Internet connections (only servers)
Proto Recv-Q Send-Q  Local Address   Foreign Address  State PID/Program name
udp   0      0       0.0.0.0:11194   0.0.0.0:*        29821/openvpn

That’s it, OpenVPN server is configured. We can now proceed further and setup OpenVPN Linux client on a Sandy’s machine.

Leave a Reply

Your email address will not be published. Required fields are marked *