
OpenVPN Installation and Setup Guide



When our employees started working remotely, we had to think about how to give them secure access to our hosting servers, the virtual dedicated servers (VDS) of our developers, the support and maintenance sites used for development, and other resources.



For security reasons, access to these resources is restricted with a firewall by port and by IP address. Reconfiguring access every day as the dynamic IP addresses of employees change can hardly be called a reasonable solution.



A way out was found fairly quickly: Virtual Private Network (VPN) technology and its free implementation, OpenVPN. This implementation is available for almost all common platforms, including tablets and smartphones. OpenVPN has been under development for 12 years (OpenVPN Technologies, Inc. was founded by Francis Dinha and James Yonan in 2002), so it is a reliable and time-tested solution.



In our company the VPN allowed us to give employees secure access to the VDS that plays the role of the OpenVPN server, and access to the company's other resources was then allowed only from the fixed IP address of that server. Along the way, a Squid proxy was installed on the OpenVPN server, which solved all the problems of employee access from dynamic IP addresses to the company's protected resources.



Numerous articles and forum posts are devoted to OpenVPN. However, I had to collect the necessary information piece by piece from different places, and along the way deal with many terms and technologies. VDS running FreeBSD and Debian Linux were used as OpenVPN servers, and FreeBSD, Debian Linux, Ubuntu and Microsoft Windows workstations were used as clients.



I hope this article will be useful to those who have encountered the need to create a VPN for the first time, to those who already use one to solve this or that problem, and to those who are looking for a replacement for commercial VPN implementations.




Thank you for your comments and suggestions on the content of the article.







Some theory


Previously, to create a secure data channel, large companies and organizations had to lay (or rent) cables and protect them from physical access by intruders; now this is not necessary. With a VPN you can create secure virtual channels that work through an encrypted "tunnel" over the Internet. Any company, even a very small one, can afford such a solution.



Of course, if the requirements for data protection are higher, you need to use certified tools and contact specialists. However, the level of protection provided by OpenVPN allows this technology to be used for many commercial applications.





Why is a VPN called virtual and private?



It is virtual because the network nodes are connected not by physical lines but by virtual connections created by the VPN software.



The VPN is private because only the nodes of the company that created the network can connect to it, not everyone. Each VPN node must run the VPN software and must hold the keys and certificates that give it access to the VPN and provide cryptographic protection of the transmitted data.



Thus a VPN can combine the company's resources (servers and workstations) into a single secure virtual network built on top of the Internet, and employees working remotely (from home or from another country) will be on the common network of their company. A VPN is also suitable for joining geographically separated offices of a company.



Network communication


The OpenVPN software transmits data over the network using the UDP or TCP protocol through the TUN/TAP driver. The UDP protocol and the TUN driver allow clients located behind NAT to connect to the OpenVPN server.



You can choose an arbitrary port for OpenVPN, which allows you to get around the restrictions of a firewall that limits access from the local network to the Internet (if such restrictions are in place).



Security and Encryption


Security and encryption in OpenVPN are provided by the OpenSSL library and the Transport Layer Security (TLS) protocol. In newer versions of OpenVPN the PolarSSL library can be used instead of OpenSSL. TLS is a development of the Secure Sockets Layer (SSL) secure data transfer protocol.



OpenSSL can use symmetric and asymmetric cryptography.



In the first case, before data transfer begins, the same secret key must be placed on all network nodes. This raises the problem of securely delivering this key over the insecure Internet.



In the second case, each participant in the data exchange has two keys: a public key and a private (secret) key.



The public key is used to encrypt data and the private key to decrypt it. The encryption rests on rather complicated mathematics; the public-key algorithm chosen in SSL/TLS allows data encrypted with the public key to be decrypted only with the corresponding private key.



The private key is secret and must remain on the node where it was created. The public key is given to the other participants in the data exchange.



For secure data transfer, the parties involved in the exchange must be identified. Otherwise you can become the victim of a so-called man-in-the-middle (MITM) attack, in which the attacker connects to the data channel and eavesdrops on it, and can also interfere with, delete or modify the data.



To authenticate the parties, TLS uses a public key infrastructure (PKI) and asymmetric cryptography.



Bear in mind that decrypting data without the private key is also possible, for example by exhaustive search (brute force) of the key. Although this method requires large computational resources, it is only a matter of time before the data can be decrypted.



Although the key size affects the difficulty of decryption, no key can guarantee complete data security. In addition, already-decrypted data and keys can be stolen through vulnerabilities and backdoors in the operating system or application software, as well as in the hardware of servers and workstations.



Data encryption increases traffic and slows down data exchange. The longer the key used to encrypt the data, the harder it is to brute-force, but the more noticeable the slowdown of data exchange.



Certificates and the CA certification authority


As we already said, with asymmetric cryptography the public key is used to encrypt data and the private key to decrypt it. To prevent a forged public key from being substituted, some third party must certify it. The result of this procedure is a so-called public key certificate.



The certificate must be certified by a trusted organization. This organization plays the role of a Certification Authority (CA).



If a public key is created for public use, a commercial or government organization with an indisputable reputation should act as the certification authority. Such an organization publishes its own public key, accessible to all.



There are quite a few commercial organizations that issue certificates, for example for HTTPS sites, for digitally signing email messages or documents, or for instant messaging systems such as Jabber. These certificates are issued for a limited time and cost money.



But for a VPN created for your own company you can set up your own CA and issue so-called self-signed certificates. Of course, such certificates will not be trusted beyond your company, but firstly this is quite enough, and secondly self-signed certificates are completely free.



Self-signed certificates will play the role of the public keys with which the nodes of your OpenVPN network encrypt data. Private keys will be used to decrypt it.



Certificates are created in accordance with the X.509 standard, which defines data formats and procedures for distributing public keys using certificates signed with digital signatures.



An X.509 certificate is a public key together with data such as the subject that owns the certificate, the node name, the validity period, the signature algorithm and the signature value, and so on. The certificate must be signed with the private key of the Certification Authority (CA).



When our workstation node connects to a remote node (server) over TLS, the server sends it its X.509 certificate. Our node has the public key of the CA that signed this certificate, and this key is used to verify the signature.



Thus there is a way to check the remote node (server) to which our node is about to connect, in order to rule out MITM attacks.



Certificate Revocation List


Sometimes it is necessary to block access of individual nodes to the company's VPN network, for example, to block access to a workstation of a dismissed employee.



To simplify this procedure, OpenVPN supports a certificate revocation list (CRL) and simple tools for managing this list.



The CRL is created at the CA and then copied to the OpenVPN server. After every change to the CRL, it must be copied to the OpenVPN server again.



Diffie-Hellman file


The Diffie-Hellman file is needed to implement the protocol of the same name, which allows two parties to obtain a shared secret key over an insecure channel. This key is then used for secure data exchange with symmetric encryption algorithms.



In OpenVPN, the Diffie-Hellman file is needed to protect traffic from decryption if the keys are stolen; this refers to traffic that was recorded and saved before the theft of the keys.



The Diffie-Hellman file is created on the OpenVPN server.



HMAC static key


The static Hash-based Message Authentication Code (HMAC) key authenticates the information transmitted between the parties. It is created on the OpenVPN server for additional protection against DoS attacks and flooding.



Components of the OpenVPN network


Before we move from theory to practice, we list the main components of the OpenVPN network and the objects with which we will have to deal.



CA Certification Authority



Issues certificates at the request of VPN nodes, signed with the certification authority's own private key. Provides VPN nodes with its own certificate so that they can verify the signer. Manages the CRL certificate revocation list.



OpenVPN server



The OpenVPN server software creates a tunnel inside an unsecured network, for example, the Internet. This tunnel provides secure encrypted traffic between nodes that are participants in data exchange on the OpenVPN network.



OpenVPN Client



The OpenVPN client software is installed on all nodes that require a secure data channel with the OpenVPN server. With appropriate configuration of the OpenVPN server, it is possible to securely transfer data between OpenVPN clients, and not only between clients and the OpenVPN server.



Certificates (public keys) X.509



X.509 certificates are public keys certified by the CA. They are used to encrypt data. The fact that the certificate is certified by the CA makes it possible to identify the party transmitting the encrypted data.



The certificate request file is created on the network nodes, then it is transferred to the certification authority node and signed there. The resulting signed certificate is transferred back to the OpenVPN network node that requested it.



Private keys



Private keys are secret. They are created and stored on each node of the OpenVPN network, are used to decrypt data, and must never be transmitted over the network.



Private keys are created on the OpenVPN network nodes simultaneously with the certificate request file.



CRL certificate revocation list



Contains the list of certificates that are no longer trusted. It is created and edited on the CA node. To disconnect a node from the network, it is enough to enter its certificate in the CRL.



After creation and each change, the CRL list is transferred to the OpenVPN servers.



Diffie-Hellman file



Used to prevent decryption of previously recorded traffic in the event that keys are stolen. It is created on the OpenVPN server.



HMAC static key



It is used to authenticate the transmitted information. Provides protection against DoS-attacks and flooding. It is created on the OpenVPN server.



Preparing equipment for installing OpenVPN


If you are setting up a VPN for the first time, it is best to experiment on VDS virtual machines. These can be VDS created locally on your computer or on a server on your network, or rented from a provider. Before renting a VDS, ask whether the TUN/TAP driver is supported. Some providers charge extra to enable TUN/TAP.



Fig. 1 shows the layout of the test stand on which we will install the components and nodes of OpenVPN (the host names and IP addresses may differ).




Fig. 1. Stand for learning OpenVPN.



There are three nodes (hosts) here, each of which will require a separate VDS:




The client and VPN server hosts are connected by an ordinary, insecure channel. On the test stand this may be a local area network; in real life it is an Internet link. The OpenVPN software creates a channel in this network, shown in red in fig. 1, inside which a secure encrypted channel is established (shown in green).



On the test stand the CA host can be connected to your local network. For real work the CA host should be disconnected from the network, and certificates and keys should be exchanged using, for example, a USB flash drive.



If the security requirements are higher, the CA host must be placed in a secure room: the information on this machine allows creating access keys to your VPN network.



We installed OpenVPN servers in Debian Linux and FreeBSD OS, OpenVPN clients in Debian Linux, FreeBSD and Microsoft Windows.



The main part of the article is devoted to the installation of OpenVPN components for Debian Linux. Next, we look at the installation features for FreeBSD and Microsoft Windows.



If possible, on the OpenVPN network nodes, use newer OS versions. Before you start working with OpenVPN, upgrade your Linux packages:



 # apt-get update
 # apt-get upgrade

Install the zip package on all nodes if it has not been installed before:



 # aptitude install zip 

This package will be needed to unpack the archive of the Easy-RSA utility, with which we will create keys and certificates.



On all nodes, configure the update and time synchronization.



 # apt-get install ntpdate
 # apt-get install -y ntp
 # /etc/init.d/ntp stop
 # ntpdate pool.ntp.org
 # /etc/init.d/ntp start

Time synchronization is necessary because certificates have a validity period. If the clocks on, for example, the CA host and the OpenVPN server are not synchronized, it may happen that a certificate issued by the certification authority is not valid on the OpenVPN network nodes because of date or time restrictions.



We will begin further work with the preparation of the CA certification center host. Then, install the OpenVPN server and client hosts.



Creation of CA certification center


As we have already said, the task of the CA certification center is the issuance of signed certificates for the server and OpenVPN clients.



To obtain a certificate, a server or client on its host generates a certificate request file. This request file is sent to the CA host, which creates a certificate and signs it. Next, the signed certificate is transmitted to the requesting host.



At the same time as the certificate request, a private key is created. Private keys are created for all OpenVPN network nodes: for the CA, for the server and for all OpenVPN clients.



For security, private key files must never leave the nodes where they were created. Only certificate requests and certificates are exchanged; private keys are not exchanged, and there is no need to.



Fig. 2 shows the process of obtaining a signed certificate for the OpenVPN server.




Fig. 2. Obtaining a certificate for the OpenVPN server



The OpenVPN server creates its private key and certificate request file. The request file is transmitted to the certification authority, for example, on a USB flash drive.



Based on the request, the certificate authority creates a signed certificate, which is then required to be transferred to the OpenVPN server, also on a USB flash drive.



If there are no special requirements for security or you are only learning OpenVPN, you can connect the certification authority machine to the network and send requests and certificates, for example, using SFTP or SCP utilities. You can even combine the functions of a CA and, for example, an OpenVPN server in the same host.



Similarly, you need to obtain certificates for all client nodes (Fig. 3).




Fig. 3. Obtaining a certificate for an OpenVPN client



Installing the Easy-RSA utility


All operations for creating keys and certificates can be performed using the openssl utility. However, it is easier to use the Easy-RSA program, specially created for this purpose, which uses openssl to perform actions with keys and certificates.



Earlier, the Easy-RSA utility was supplied together with OpenVPN, but now it is a separate project.



All operations with the certification center and certificates can (and should) be carried out on behalf of an unprivileged user.



Create a user named, for example, ca, and change to its home directory:



 # adduser ca
 # su ca
 $ cd

Download the program distribution with the wget utility:



 $ wget https://github.com/OpenVPN/easy-rsa/archive/master.zip 

After downloading, unzip the master.zip archive:



 $ unzip master.zip 

Table 1 lists the files and directories included in the Easy-RSA distribution.



Table 1. Composition of the Easy-RSA distribution.

 File or directory      Description
 COPYING                License information
 ChangeLog              Change log
 Licensing              Directory with the license text file
 README                 Brief information about the Easy-RSA program
 README.quickstart.md   Easy-RSA quick start guide
 build                  Script for building a distribution
 distro                 Directory with files for Windows
 doc                    Easy-RSA documentation
 easyrsa3               Directory with the Easy-RSA program itself
 release-keys           ID of the GPG key used to sign the distribution


We recommend that you read the README.quickstart.md file, as well as the files from the Doc folder. To create keys and certificates, go to the easyrsa3 directory, where the Easy-RSA executable file is located.



Creating PKI Public Key Infrastructure


In the first step, create a public key infrastructure (Public Key Infrastructure, PKI):



 $ cd /home/ca/easy-rsa-master/easyrsa3
 $ ./easyrsa init-pki

You will see the message:



 init-pki complete; you may now create a CA or requests.
 Your newly created PKI dir is: /home/ca/easy-rsa-master/easyrsa3/pki

As a result of the init-pki command, the directory /home/ca/easy-rsa-master/easyrsa3/pki was created, which holds the PKI public key infrastructure.



In the second step, use the build-ca command to create a CA certificate authority:



 $ ./easyrsa build-ca 

In response to this command, you will be prompted to enter a password and the so-called Common Name:



 Generating a 2048 bit RSA private key
 .....+++
 ................................................................+++
 writing new private key to '/home/ca/easy-rsa-master/easyrsa3/pki/private/ca.key'
 Enter PEM pass phrase:********
 Verifying - Enter PEM pass phrase:********
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ca.mydomain.ru

 CA creation complete and you may now import and sign cert requests.
 Your new CA certificate file for publishing is at:
 /home/ca/easy-rsa-master/easyrsa3/pki/ca.crt


The password protects the private key of the certification authority, which is stored in PEM (Privacy-Enhanced Mail) format. This password will be required each time you sign certificates for OpenVPN servers and clients at the certification authority.



To get rid of the need to enter a password, you can set the nopass option when running the build-ca command:



 $ ./easyrsa build-ca nopass 

Note that an attacker can easily use a stolen key created without a password.



For Common Name, specify, for example, the domain name allocated for the CA certification authority, the username or host name of the CA server.



For the certification authority, the build-ca command will create two files:



 /home/ca/easy-rsa-master/easyrsa3/pki/private/ca.key
 /home/ca/easy-rsa-master/easyrsa3/pki/ca.crt




The ca.key file is the private key of the CA; it is secret and must not be transferred to other nodes of your network.



The CA certificate file ca.crt, on the contrary, is public, and it will be needed on the OpenVPN server and client nodes. Write the ca.crt file to a USB flash drive to transfer it to the other nodes.





You can mount the USB flash drive, for example, like this:



 # fdisk -l
 # mkdir /mnt/flash
 # mount -t vfat /dev/sdb1 /mnt/flash

Here we assume that the USB flash drive appeared as the device /dev/sdb1 and that its file system is FAT32.



Copy the CA certificate file:



 # cp /home/ca/easy-rsa-master/easyrsa3/pki/ca.crt /mnt/flash/ca.crt 

To work with a USB flash drive with the NTFS file system, first install the ntfs-3g package:



 # aptitude install ntfs-3g 

Mount the disk as follows:



 # mount -t ntfs-3g /dev/sdb1 /mnt/flash 

After copying is complete, unmount the USB drive:



 # umount /mnt/flash 


Creating a certificate revocation list


If an employee leaves, you need to block his access to the company's VPN network. OpenVPN provides a CRL certificate revocation list specifically for this purpose. Create it with this command:



 $ cd /home/ca/easy-rsa-master/easyrsa3
 $ ./easyrsa gen-crl

You will be asked for a password to access the private key ca.key of the certification authority. The certificate revocation list will be created in the file /home/ca/easy-rsa-master/easyrsa3/pki/crl.pem.



Copy this file to a USB flash drive:



 # cp /home/ca/easy-rsa-master/easyrsa3/pki/crl.pem /mnt/flash 




If you need to block a previously issued certificate, use the following command:



 $ ./easyrsa revoke developer5 

Here we revoked the certificate of the developer5 client. Next, copy the new CRL file to the OpenVPN server and restart the OpenVPN daemon.
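Easy-RSA records every issued and revoked certificate in its CA database, pki/index.txt, which is the OpenSSL "ca" index format; gen-crl builds crl.pem from that file, so after a revoke the CRL has to be regenerated with gen-crl and copied to the server again. The script below is an added example and not part of the original article or of Easy-RSA: it reads such an index to list revoked certificates and to decide whether a certificate is valid at a given UTC time, which also illustrates the clock-synchronization point made earlier (a host whose clock runs ahead sees a perfectly valid certificate as expired). It needs only POSIX sh and awk; the three-line sample index is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article or Easy-RSA): inspect the CA
# database Easy-RSA keeps in pki/index.txt. Needs only POSIX sh and awk.
#
# index.txt is tab-separated: status (V valid, R revoked, E expired),
# expiry (YYMMDDHHMMSSZ), revocation time (empty unless revoked), serial,
# file name ("unknown"), subject DN such as /CN=vpn-server.

# Print "<status> <expiry> <CN>" for every entry in index $1.
index_entries() {
    awk -F'\t' '{
        cn = $6
        sub(/.*\/CN=/, "", cn)    # drop everything up to the CN attribute
        sub(/\/.*/, "", cn)       # and any attributes that follow it
        print $1, $2, cn
    }' "$1"
}

# Common names of all revoked certificates in index $1.
revoked_subjects() {
    index_entries "$1" | awk '$1 == "R" { print $3 }'
}

# Status letter of the certificate with CN $2 in index $1, or "unknown".
cert_status() {
    s=$(index_entries "$1" | awk -v cn="$2" '$3 == cn { print $1; exit }')
    echo "${s:-unknown}"
}

# Expiry time (YYMMDDHHMMSSZ) of the certificate with CN $2 in index $1.
cert_expiry() {
    index_entries "$1" | awk -v cn="$2" '$3 == cn { print $2; exit }'
}

# Succeed only if CN $2 is unrevoked and not yet expired at time $3
# (YYMMDDHHMMSSZ, UTC). UTCTime strings for the years 2000-2049 compare
# lexicographically, so a plain string comparison is enough here.
cert_valid_at() {
    [ "$(cert_status "$1" "$2")" = V ] || return 1
    awk -v now="$3" -v expiry="$(cert_expiry "$1" "$2")" \
        'BEGIN { exit !(now < expiry) }'
}

# Current UTC time in the same format, for use on a live system.
now_utc() { date -u +%y%m%d%H%M%SZ; }

# --- constructed sample index (not a real CA database) --------------------
SAMPLE_INDEX=$(mktemp)
{
    printf 'V\t240626154825Z\t\t01\tunknown\t/CN=vpn-server\n'
    printf 'V\t240626160000Z\t\t02\tunknown\t/O=Company/CN=developer1\n'
    printf 'R\t240626160500Z\t140715093000Z\t03\tunknown\t/CN=developer5\n'
} > "$SAMPLE_INDEX"

echo "revoked: $(revoked_subjects "$SAMPLE_INDEX")"
for cn in vpn-server developer5; do
    if cert_valid_at "$SAMPLE_INDEX" "$cn" 140701120000Z; then
        echo "$cn: valid on 2014-07-01"
    else
        echo "$cn: not valid on 2014-07-01 (status $(cert_status "$SAMPLE_INDEX" "$cn"))"
    fi
done
# On the CA host itself: cert_valid_at pki/index.txt vpn-server "$(now_utc)"
```

Run the same check with a time of 250101000000Z and vpn-server is reported as not valid, although nothing changed at the CA; that is exactly what a server with a badly skewed clock would conclude, which is why the article insists on NTP on every node.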



PKI files and directories created


Table 2 gives a brief description of some of the PKI files and directories created as a result of our actions.



Table 2. PKI directory structure.

 File or directory   Description
 ca.crt              Certificate of the CA certification authority, not secret
 crl.pem             CRL certificate revocation list
 issued              Directory with certificates issued by the CA, not secret
 private             Directory with secret private keys
 reqs                Directory with certificate requests, not secret



Easy-RSA Help


Run the Easy-RSA utility without parameters:



 $ ./easyrsa 

A list of all utility commands will appear on the screen, along with the full path to the program and to the PKI.


To get help on the desired command, add the help option. For example, you can get help on the build-ca command:



 $ ./easyrsa help build-ca 


Creating an OpenVPN server


The process of creating an OpenVPN server involves installing the openvpn package, preparing configuration files, keys, and certificates.



Installing the openvpn package


Install the OpenVPN server package as follows:



 # apt-get install openvpn 


Preparing configuration files


Configuration files, certificates and keys should be placed in the /etc/openvpn directory, which is created automatically when the openvpn package is installed.



First of all, let's prepare the openssl.cnf and server.conf configuration files. The first of these files defines the OpenSSL configuration, the second the OpenVPN server configuration.



Included with the Easy-RSA utility is an example OpenSSL configuration file (assuming we installed the utility in the home directory of the user ca):



 /home/ca/easy-rsa-master/easyrsa3/openssl-1.0.cnf 

We, however, recommend starting with the simplified version of this file given in our article.



The openssl.cnf file contains the absolute path to the directory with keys and certificates that you just created.



Contents of openssl.cnf

 [ ca ]
 default_ca = CA_default

 [ CA_default ]
 dir = /etc/openvpn
 crl_dir = $dir
 database = $dir/index.txt
 new_certs_dir = $dir
 certificate = $dir/ca.crt
 serial = $dir
 crl = $dir/crl.pem
 private_key = $dir/server.key
 RANDFILE = $dir/.rand
 default_days = 3650
 default_crl_days = 365
 default_md = md5
 unique_subject = yes
 policy = policy_any
 x509_extensions = user_extensions

 [ policy_any ]
 organizationName = match
 organizationalUnitName = optional
 commonName = supplied

 [ req ]
 default_bits = 2048
 default_keyfile = privkey.pem
 distinguished_name = req_distinguished_name
 x509_extensions = CA_extensions

 [ req_distinguished_name ]
 organizationName = Organization Name (must match CA)
 organizationName_default = Company
 organizationalUnitName = Location Name
 commonName = Common User or Org Name
 commonName_max = 64

 [ user_extensions ]
 basicConstraints = CA:FALSE

 [ CA_extensions ]
 basicConstraints = CA:TRUE
 default_days = 3650

 [ server ]
 basicConstraints = CA:FALSE
 nsCertType = server


An example OpenVPN server configuration file is on the project site at openvpn.net/index.php/open-source/documentation/howto.html#server . We suggest starting with the abbreviated version of this file (server.conf) from our article.



Contents of the server.conf file

 port 1194
 proto udp
 dev tun
 user openvpn
 group openvpn
 cd /etc/openvpn
 persist-key
 persist-tun
 tls-server
 tls-timeout 120
 dh /etc/openvpn/dh.pem
 ca /etc/openvpn/ca.crt
 cert /etc/openvpn/vpn-server.crt
 key /etc/openvpn/server.key
 crl-verify /etc/openvpn/crl.pem
 tls-auth /etc/openvpn/ta.key 0
 server 10.15.0.0 255.255.255.0
 client-config-dir /etc/openvpn/ccd
 client-to-client
 topology subnet
 max-clients 5
 push "dhcp-option DNS 10.15.0.1"
 route 10.15.0.0 255.255.255.0
 comp-lzo
 keepalive 10 120
 status /var/log/openvpn/openvpn-status.log 1
 status-version 3
 log-append /var/log/openvpn/openvpn-server.log
 verb 3
 mute 20
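The two configuration files above carry most of the server's protection: tls-auth with key direction 0, crl-verify, the unprivileged openvpn user and group, persist-key/persist-tun, and the signing digest in openssl.cnf. The script below is an added example, not part of the article or of OpenVPN, that audits a server.conf and an openssl.cnf for those settings, so a change that silently drops one of them is caught before the daemon is restarted. It uses only POSIX sh, awk and grep, so it runs on a machine without OpenVPN. The sample files it writes are constructed: one is an abbreviated copy of the article's server.conf with an explicit cipher directive added, the other is the same server stripped of the protective directives. Two checks go beyond what the article sets: the script flags default_md = md5 (MD5 signatures are forgeable; sha256 is the replacement) and the absence of a cipher directive (OpenVPN 2.3 falls back to BF-CBC when none is given).

```shell
#!/bin/sh
# Added example (not from the original article or OpenVPN): audit an OpenVPN
# server.conf and an openssl.cnf for the security-relevant settings the
# article relies on. Needs only POSIX sh, awk and grep.
# The sample configurations written below are constructed for the demo.

# Print the value of directive $2 in OpenVPN config $1 (first match only).
conf_get() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Print one finding per line for server.conf $1; return the number of findings.
audit_server_conf() {
    conf=$1
    n=0
    # Directives the article's server.conf relies on for protection.
    for d in tls-auth crl-verify user group persist-key persist-tun; do
        if ! grep -Eq "^$d( |$)" "$conf"; then
            echo "missing: $d"
            n=$((n + 1))
        fi
    done
    # The server side of tls-auth uses key direction 0; clients use 1.
    ta=$(conf_get "$conf" tls-auth)
    case "$ta" in
        "" | *" 0") ;;
        *) echo "tls-auth: server should use key direction 0 (got: $ta)"; n=$((n + 1)) ;;
    esac
    # Dropping privileges to root is no drop at all.
    if [ "$(conf_get "$conf" user)" = root ]; then
        echo "user: daemon keeps running as root"
        n=$((n + 1))
    fi
    # OpenVPN 2.3 defaults to BF-CBC when no cipher is given; name one explicitly.
    if ! grep -Eq '^cipher ' "$conf"; then
        echo "missing: cipher (defaults to BF-CBC; set e.g. AES-256-CBC)"
        n=$((n + 1))
    fi
    return $n
}

# Flag a weak signing digest in openssl.cnf $1; succeed only if it is acceptable.
audit_openssl_cnf() {
    md=$(awk -F= '$1 ~ /^[ \t]*default_md[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1")
    case "$md" in
        md5 | sha1) echo "default_md: $md is weak, use sha256"; return 1 ;;
        "") echo "default_md: not set"; return 1 ;;
        *) return 0 ;;
    esac
}

# --- constructed samples --------------------------------------------------
SAMPLE_DIR=$(mktemp -d)

# Abbreviated copy of the article's server.conf plus an explicit cipher.
cat > "$SAMPLE_DIR/server-good.conf" <<'EOF'
port 1194
proto udp
dev tun
user openvpn
group openvpn
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/vpn-server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
crl-verify /etc/openvpn/crl.pem
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
server 10.15.0.0 255.255.255.0
EOF

# The same server without the protective directives, running as root.
cat > "$SAMPLE_DIR/server-weak.conf" <<'EOF'
port 1194
proto udp
dev tun
user root
ca /etc/openvpn/ca.crt
cert /etc/openvpn/vpn-server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
server 10.15.0.0 255.255.255.0
EOF

# The digest setting from the article's openssl.cnf.
printf '[ CA_default ]\ndefault_md = md5\n' > "$SAMPLE_DIR/openssl.cnf"

echo "== server-good.conf =="; audit_server_conf "$SAMPLE_DIR/server-good.conf" || true
echo "== server-weak.conf =="; audit_server_conf "$SAMPLE_DIR/server-weak.conf" || true
echo "== openssl.cnf ==";      audit_openssl_cnf "$SAMPLE_DIR/openssl.cnf" || true
```

On a real server run `audit_server_conf /etc/openvpn/server.conf` and `audit_openssl_cnf /etc/openvpn/openssl.cnf`; a clean configuration prints nothing and both functions return 0, which makes them easy to hook into a deployment script.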


To start the OpenVPN server successfully, you need to create directories, certificates and keys that are referenced in the openssl.cnf and server.conf files, as well as the openvpn user.



Create a directory for the OpenVPN server log:



 # mkdir /var/log/openvpn/ 

Create a directory for client configurations (not yet used):



 # mkdir /etc/openvpn/ccd 


Preparing the certificate and key for the OpenVPN server


In addition to openssl.cnf and server.conf in the /etc/openvpn/ directory, we will need the files listed in Table 3.



Table 3. Files for the OpenVPN server.

 File         Description
 dh.pem       Diffie-Hellman file to protect traffic from decryption
 ca.crt       Certificate of the CA certification authority
 server.crt   OpenVPN server certificate
 server.key   OpenVPN server private key, secret
 crl.pem      CRL certificate revocation list
 ta.key       HMAC key for additional protection against DoS attacks and flooding


First of all, we will create a private key and a certificate request file for the OpenVPN server, and obtain a signed certificate for this request from the CA. As a result we will have the server.crt and server.key files. Then we will deal with the other files listed in Table 3.



To create a certificate request and private key for the OpenVPN server, we need to install the Easy-RSA program on the OpenVPN server, in the same way as we did for the CA certificate authority.



Installation of Easy-RSA, generation of the OpenVPN server's private key and certificate request will be done on behalf of the vpnoperator user, who does not have administrator privileges. Add this user before starting work:



 # adduser vpnoperator 

First of all, we install the Easy-RSA utility on the OpenVPN server and start the initialization of the PKI public key infrastructure:



 $ cd /home/vpnoperator
 $ wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
 $ unzip master.zip
 $ cd /home/vpnoperator/easy-rsa-master/easyrsa3
 $ ./easyrsa init-pki

After successful PKI initialization, a message will appear in the console:



 init-pki complete; you may now create a CA or requests.
 Your newly created PKI dir is: /home/vpnoperator/easy-rsa-master/easyrsa3/pki

Since our OpenVPN server will not play the role of certification authority, after the initial PKI initialization we will not create a CA with the build-ca command.



The PKI infrastructure will be created in the /home/vpnoperator/easy-rsa-master/easyrsa3/pki directory.



At the next stage we will generate a certificate request and a private key for the OpenVPN server:



 $ ./easyrsa gen-req server 

This command will create the server.req request file and the server.key private key. During the generation process, you will be asked for a password, as well as the Common Name name for the OpenVPN server:



 Generating a 2048 bit RSA private key
 ...............................................................................................................+++
 ....................................+++
 writing new private key to '/home/vpnoperator/easy-rsa-master/easyrsa3/pki/private/server.key'
 Enter PEM pass phrase:******
 Verifying - Enter PEM pass phrase:******
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Common Name (eg: your user, host, or server name) [server]: vpn-server

 Keypair and certificate request completed. Your files are:
 req: /home/vpnoperator/easy-rsa-master/easyrsa3/pki/reqs/server.req
 key: /home/vpnoperator/easy-rsa-master/easyrsa3/pki/private/server.key

The first of these files must be transferred to the CA server; it is not secret. The second file is secret and must not leave the OpenVPN server.



As we have already said, it is safest to transfer a certificate request via a USB flash drive so as not to connect the CA server to the network:





 # fdisk -l
 # mkdir /mnt/flash
 # mount -t vfat /dev/sdb1 /mnt/flash
 # cp /home/vpnoperator/easy-rsa-master/easyrsa3/pki/reqs/server.req /mnt/flash/server.req
 # umount /mnt/flash

Note that a password was requested when the private key was generated. This password provides protection if the private key is compromised (stolen by an attacker). The password of the OpenVPN server's private key will be requested on the console each time the server boots and OpenVPN starts.



But what if you do not have access to the OpenVPN server console, or access is difficult? This can happen, for example, if you created the OpenVPN server on a VDS rented from a provider that does not provide console access.



In this situation, you can create a private key without a password using the nopass option:



 $ ./easyrsa gen-req server nopass 

So, you have created the OpenVPN server private key and certificate request.



Mount the USB flash drive on the CA host, then import the request into the PKI as user ca:



 # mount -t vfat /dev/sdb1 /mnt/flash
 # su ca
 $ cd /home/ca/easy-rsa-master/easyrsa3
 $ ./easyrsa import-req /mnt/flash/server.req vpn-server

Here we have given the certificate request the short name "vpn-server". This short name is used in all further operations on the certificate.



After successful import of the request, you will see the following message:



 The request has been successfully imported with a short name of: vpn-server
 You may now use this name to perform signing operations on this request.

If there are no errors, sign the certificate request:



 $ ./easyrsa sign-req server vpn-server

While the signed certificate is being created, you will be asked for confirmation (answer yes) and for the password of the CA private key:



 You are about to sign the following certificate.
 Please check over the details shown below for accuracy. Note that this request
 has not been cryptographically verified. Please be sure it came from a trusted
 source or that you have verified the request checksum with the sender.

 Request subject, to be signed as a server certificate for 3650 days:

 subject=
     commonName                = server

 Type the word 'yes' to continue, or any other input to abort.
   Confirm request details: yes
 Using configuration from /home/ca/easy-rsa-master/easyrsa3/openssl-1.0.cnf
 Enter pass phrase for /home/ca/easy-rsa-master/easyrsa3/pki/private/ca.key:******
 Check that the request matches the signature
 Signature ok
 The Subject's Distinguished Name is as follows
 commonName            :ASN.1 12:'server'
 Certificate is to be certified until Jun 26 15:48:25 2024 GMT (3650 days)

 Write out database with 1 new entries
 Data Base Updated

 Certificate created at: /home/ca/easy-rsa-master/easyrsa3/pki/issued/vpn-server.crt

Now the certificate has been issued, and it is located on the CA server in the file /home/ca/easy-rsa-master/easyrsa3/pki/issued/vpn-server.crt. We need to transfer this file to the OpenVPN server.





Copy the certificate file /home/ca/easy-rsa-master/easyrsa3/pki/issued/vpn-server.crt from the CA server to the file /home/vpnoperator/vpn-server.crt on the OpenVPN server via a USB flash drive:



 # cp /home/ca/easy-rsa-master/easyrsa3/pki/issued/vpn-server.crt /mnt/flash/ 


Then mount the USB drive on the OpenVPN VDS and copy the CA certificate ca.crt, the certificate revocation list crl.pem and the OpenVPN server certificate vpn-server.crt to the /etc/openvpn directory:



 # mount -t vfat /dev/sdb1 /mnt/flash
 # cp /mnt/flash/ca.crt /etc/openvpn
 # cp /mnt/flash/crl.pem /etc/openvpn
 # cp /mnt/flash/vpn-server.crt /etc/openvpn
 # umount /mnt/flash

Copy the private key file from the /home/vpnoperator/easy-rsa-master/easyrsa3/pki/private/ directory to the /etc/openvpn/ directory:



 # cp /home/vpnoperator/easy-rsa-master/easyrsa3/pki/private/server.key /etc/openvpn 


Generating a Diffie-Hellman File


Create Diffie-Hellman keys with the following command:



 $ cd /home/vpnoperator/easy-rsa-master/easyrsa3
 $ ./easyrsa gen-dh

The gen-dh command takes quite a while to run. On completion you will see the message:



 DH parameters of size 2048 created at /home/vpnoperator/easy-rsa-master/easyrsa3/pki/dh.pem 

Copy the file /home/vpnoperator/easy-rsa-master/easyrsa3/pki/dh.pem to the /etc/openvpn/ directory:



 # cp /home/vpnoperator/easy-rsa-master/easyrsa3/pki/dh.pem /etc/openvpn 


Creating a static HMAC key


To create an HMAC key, use the openvpn command with the --genkey and --secret options:



 # cd /etc/openvpn
 # openvpn --genkey --secret ta.key




Write the ta.key file to a USB drive:



 # cp /etc/openvpn/ta.key /mnt/flash 


Checking the files before running OpenVPN


So, we have received the signed OpenVPN server certificate, the certificate of the CA itself and the certificate revocation list from the CA, and we have created the Diffie-Hellman file and the HMAC key.



Before starting the OpenVPN daemon, the following files must be present in the /etc/openvpn/ directory on Linux or /usr/local/etc/openvpn/ on FreeBSD:
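A missing file or a world-readable key is the most common reason the daemon fails or leaks a secret, so here is a preflight check as an added example (not code from the original article). It assumes the file names used in this article (ca.crt, crl.pem, vpn-server.crt, server.key, dh.pem, ta.key) and that the certificate name matches the cert line of server.conf.

```shell
#!/bin/sh
# Preflight check of the OpenVPN server directory before the daemon is started.
# Added example, not part of the original article. File names are the ones
# used in the article; the certificate name must match the "cert" line
# of server.conf.

# Public material may be world-readable; the two secrets must not be.
OPENVPN_PUBLIC="ca.crt crl.pem vpn-server.crt dh.pem"
OPENVPN_SECRET="server.key ta.key"

# Octal permission bits of a file (GNU stat on Linux, BSD stat on FreeBSD).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_openvpn_dir DIR: returns 0 when every file is present and non-empty
# and neither secret is readable by group or others; prints each problem.
check_openvpn_dir() {
    dir="$1"
    rc=0
    for f in $OPENVPN_PUBLIC $OPENVPN_SECRET; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f"
            rc=1
        fi
    done
    for f in $OPENVPN_SECRET; do
        [ -f "$dir/$f" ] || continue
        mode=$(file_mode "$dir/$f")
        case "$mode" in
            *00) ;;                      # 600, 400, 700: owner only
            *) echo "too permissive ($mode, expected 600): $dir/$f"; rc=1 ;;
        esac
    done
    return "$rc"
}

# check_openvpn_pki DIR: uses openssl to confirm that vpn-server.crt was
# issued by ca.crt, is not listed in crl.pem, and belongs to server.key.
# openssl prompts for the passphrase if the key was made without "nopass".
check_openvpn_pki() {
    dir="$1"
    openssl verify -crl_check -CAfile "$dir/ca.crt" -CRLfile "$dir/crl.pem" \
        "$dir/vpn-server.crt" || return 1
    cert_pub=$(openssl x509 -noout -pubkey -in "$dir/vpn-server.crt")
    key_pub=$(openssl pkey -pubout -in "$dir/server.key")
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "server.key does not match vpn-server.crt"
        return 1
    fi
}

# Usage: check_openvpn_dir /etc/openvpn && check_openvpn_pki /etc/openvpn
```

Run both checks as root on the OpenVPN server; the second one needs openssl installed and a readable CA certificate and CRL next to the server certificate.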




Add openvpn user


Add an unprivileged user and the openvpn group, on behalf of which the OpenVPN server daemon will run:



 # adduser --system --no-create-home --home /nonexistent --disabled-login --group openvpn 


Run OpenVPN daemon


Start the OpenVPN daemon with the following command:



 # /etc/init.d/openvpn start 


Checking the startup result of the OpenVPN daemon


If the OpenVPN server started without errors, use the ifconfig command to verify that the TUN interface has appeared:



 # ifconfig
 ...
 tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:10.15.0.1  PtP:10.15.0.1  Mask:255.255.255.0
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

As we have said, using TUN / TAP on leased VDS may require additional charges.



If everything is fine, the tun0 interface has the IP address 10.15.0.1. This is the address of the OpenVPN server inside our secure tunnel, as specified in the server.conf configuration file.



After checking for the presence of the TUN interface, make sure that OpenVPN has taken port 1194:



 # netstat -ltupn | grep 1194 

If the daemon started normally and port 1194 is occupied by the OpenVPN server, you can proceed to the installation of the OpenVPN client described in the next section of the article. If errors occur, review the /var/log/openvpn/openvpn-server.log log.



When installing OpenVPN on Linux with newer kernels (2.6 and later), the TUN interface may fail to appear, and the following error shows up in the log:



 Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-tun instead 

To get rid of the problem, add the following line to the /etc/modprobe.d/dist.conf file:



 alias netdev-tun tun 

If there is no such file, it should be created. After making changes to the /etc/modprobe.d/dist.conf file, restart the OS.



verb server.conf. verb 0 11, 11 , 1. verb 0, , .



, 5 .



OpenVPN


OpenVPN OpenVPN. . .



 # apt-get install openvpn 



, /etc/openvpn.


openssl.cnf server.conf.



openssl.cnf, OpenSSL, , OpenVPN. server.conf OpenVPN, .



server.conf OpenVPN
 dev tun
 proto udp
 remote 192.168.0.54 1194
 client
 resolv-retry infinite
 ca "/etc/openvpn/ca.crt"
 cert "/etc/openvpn/developer1.crt"
 key "/etc/openvpn/client.key"
 tls-auth "/etc/openvpn/ta.key" 1
 remote-cert-tls server
 persist-key
 persist-tun
 comp-lzo
 verb 3
 status /var/log/openvpn/openvpn-status.log 1
 status-version 3
 log-append /var/log/openvpn/openvpn-client.log


remote, IP OpenVPN:



 remote 192.168.0.54 1194 

IP OpenVPN, OpenVPN .



OpenVPN:



 # mkdir /var/log/openvpn/ 


PKI


OpenVPN ( ) developer1 Easy-RSA github.com/OpenVPN/easy-rsa .



 $ cd /home/developer1
 $ wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
 $ unzip master.zip

PKI:



 $ cd /home/developer1/easy-rsa-master/easyrsa3
 $ ./easyrsa init-pki

PKI:



 /home/developer1/easy-rsa-master/easyrsa3/pki 


OpenVPN


developer1:



 $ ./easyrsa gen-req client nopass 

Common Name :



 Generating a 2048 bit RSA private key
 ..............................................................................................+++
 ................................+++
 writing new private key to '/home/developer1/easy-rsa-master/easyrsa3/pki/private/client.key'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Common Name (eg: your user, host, or server name) [client]:developer1

 Keypair and certificate request completed. Your files are:
 req: /home/developer1/easy-rsa-master/easyrsa3/pki/reqs/client.req
 key: /home/developer1/easy-rsa-master/easyrsa3/pki/private/client.key

, , nopass:



 $ ./easyrsa gen-req client 

, , OpenVPN.



/home/developer1/easy-rsa-master/easyrsa3/pki/reqs/client.req CA /home/ca/client.req.



USB -, CA .





USB :



 # mkdir /mnt/flash
 # mount -t vfat /dev/sdb1 /mnt/flash
 # cp /home/developer1/easy-rsa-master/easyrsa3/pki/reqs/client.req /mnt/flash
 # umount /mnt/flash

PKI, developer1:



 $ cd /home/ca/easy-rsa-master/easyrsa3
 $ ./easyrsa import-req /mnt/flash/client.req developer1

:



 $ ./easyrsa sign-req client developer1 

CA :



 /home/ca/easy-rsa-master/easyrsa3/pki/issued/developer1.crt 

developer1.crt USB -, OpenVPN.





 # cp /home/ca/easy-rsa-master/easyrsa3/pki/issued/developer1.crt /mnt/flash
 # umount /mnt/flash

/etc/openvpn:



 # mount -t vfat /dev/sdb1 /mnt/flash
 # cp /mnt/flash/developer1.crt /etc/openvpn


, client.key developer1.crt, CA.



/etc/openvpn:



 # cp /home/developer1/easy-rsa-master/easyrsa3/pki/private/client.key /etc/openvpn 

/etc/openvpn VPN , USB :



 # cp /mnt/flash/ca.crt /etc/openvpn
 # cp /mnt/flash/ta.key /etc/openvpn

, ca.crt crl.pem CA, ta.key — OpenVPN.



OpenVPN


:



 # /etc/init.d/openvpn start 

, /var/log/openvpn/openvpn-client.log



, , TUN, , OpenVPN.



 # ifconfig
 ...
 tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:10.15.0.2  PtP:10.15.0.2  Mask:255.255.255.0
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

, OpenVPN ping 10.15.0.1:



 # ping 10.15.0.1 


- Squid


, VPN, , , VDS OpenVPN . -, OpenVPN. IP , IP OpenVPN.



- Squid, , , Web- . , , .



Squid :



 # apt-get install squid3 

/etc/squid3 squid.conf , . , .



, squid.conf :



 http_access deny all 

:



 acl allowed_hosts src 10.15.0.0/24
 http_access allow allowed_hosts
 http_access deny manager

Squid OpenVPN.



- SSL, :



 acl SSL_ports port 443 

, 7195:



 acl SSL_ports port 443 7195 

, squid.conf 10.0.0.0/8. :



 acl localnet src 10.0.0.0/8 # RFC1918 possible internal network 

Squid:



 # /etc/init.d/squid3 restart 

Squid , - . /var/log/squid3. access.log cache.log.



Squid 10.15.0.1, 3128. , OpenVPN. , , 2ip.ru, myip.ru , IP- .



FreeBSD


FreeBSD:



 # portsnap fetch
 # portsnap extract

OpenVPN. :



 # ntpdate 1.pool.ntp.org 

cron. ntpd.



Easy-RSA



fetch:



 $ fetch --no-verify-peer https://github.com/OpenVPN/easy-rsa/archive/master.zip 

--no-verify-peer , digicert.com FreeBSD 10.0. FreeBSD 9.2 , .



Easy-RSA FreeBSD Debian Linux.



OpenVPN


OpenVPN OpenVPN :



 # cd /usr/ports/security/openvpn
 # make install clean


OpenVPN



OpenVPN FreeBSD /usr/local/etc/openvpn.


:



 # mkdir /usr/local/etc/openvpn 

openssl.cnf server.conf /usr/local/etc/openvpn.



openssl.cnf
 [ ca ]
 default_ca = CA_default

 [ CA_default ]
 dir = /usr/local/etc/openvpn
 crl_dir = $dir2
 database = $dir/index.txt
 new_certs_dir = $dir
 certificate = $dir/ca.crt
 serial = $dir
 crl = $dir/crl.pem
 private_key = $dir/server.key
 RANDFILE = $dir/.rand
 default_days = 3650
 default_crl_days = 365
 default_md = md5
 unique_subject = yes
 policy = policy_any
 x509_extensions = user_extensions

 [ policy_any ]
 organizationName = match
 organizationalUnitName = optional
 commonName = supplied

 [ req ]
 default_bits = 2048
 default_keyfile = privkey.pem
 distinguished_name = req_distinguished_name
 x509_extensions = CA_extensions

 [ req_distinguished_name ]
 organizationName = Organization Name (must match CA)
 organizationName_default = Company
 organizationalUnitName = Location Name
 commonName = Common User or Org Name
 commonName_max = 64

 [ user_extensions ]
 basicConstraints = CA:FALSE

 [ CA_extensions ]
 basicConstraints = CA:TRUE
 default_days = 3650

 [ server ]
 basicConstraints = CA:FALSE
 nsCertType = server



server.conf OpenVPN
 port 1194
 proto udp
 dev tun
 user openvpn
 group openvpn
 cd /usr/local/etc/openvpn
 persist-key
 persist-tun
 tls-server
 tls-timeout 120
 dh /usr/local/etc/openvpn/dh.pem
 ca /usr/local/etc/openvpn/ca.crt
 cert /usr/local/etc/openvpn/server.crt
 key /usr/local/etc/openvpn/server.key
 crl-verify /usr/local/etc/openvpn/crl.pem
 tls-auth /usr/local/etc/openvpn/ta.key 0
 server 10.15.0.0 255.255.255.0
 client-config-dir /usr/local/etc/openvpn/ccd
 client-to-client
 topology subnet
 max-clients 5
 push "dhcp-option DNS 10.15.0.1"
 route 10.15.0.0 255.255.255.0
 comp-lzo
 keepalive 10 120
 status /var/log/openvpn/openvpn-status.log 1
 status-version 3
 log-append /var/log/openvpn/openvpn-server.log
 verb 3
 mute 20



server.conf OpenVPN
 dev tun
 proto udp
 remote 192.168.0.54 1194
 client
 resolv-retry infinite
 ca "/usr/local/etc/openvpn/ca.crt"
 cert "/usr/local/etc/openvpn/developer1.crt"
 key "/usr/local/etc/openvpn/client.key"
 tls-auth "/usr/local/etc/openvpn/ta.key" 1
 #ns-cert-type server
 remote-cert-tls server
 #ifconfig 10.15.0.0 255.255.255.0
 persist-key
 persist-tun
 comp-lzo
 verb 3
 status /var/log/openvpn/openvpn-status.log 1
 status-version 3
 log-append /var/log/openvpn/openvpn-client.log


:



 # mkdir /usr/local/etc/openvpn/ccd 


PKI


OpenVPN Easy-RSA PKI:



 $ cd /home/vpnoperator
 $ fetch https://github.com/OpenVPN/easy-rsa/archive/master.zip
 $ unzip master.zip
 $ cd /home/vpnoperator/easy-rsa-master/easyrsa3
 $ ./easyrsa init-pki

USB -. :



 # ls /dev/da*
 # mount_msdosfs /dev/da1s1 /mnt
 # umount /mnt

, USB - /dev/da1s1.



openvpn


adduser openvpn. Shell nologin.



OpenVPN


OpenVPN:



 # mkdir /var/log/openvpn 

/etc/rc.conf :



 openvpn_enable="YES"
 openvpn_configfile="/usr/local/etc/openvpn/server.conf"

OpenVPN.



OpenVPN:



 # /usr/local/etc/rc.d/openvpn start 

OpenVPN TUN. ifconfig:



 # ifconfig
 ...
 tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
 	options=80000<LINKSTATE>
 	inet6 fe80::20c:29ff:fe28:d4be%tun0 prefixlen 64 scopeid 0x3
 	inet 10.15.0.1 --> 10.15.0.1 netmask 0xffffff00
 	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
 	Opened by PID 493

, OpenVPN 1194:



 # sockstat | grep 1194 

, . OpenVPN.



SQUID


FreeBSD Squid :



 # cd /usr/ports/www/squid33
 # make install clean

Squid /usr/local/etc/squid/ squid.conf. , Debian Linux.



/etc/rc.conf :



 squid_enable="YES" 

Squid, :



 /usr/local/etc/rc.d/squid start 


OpenVPN Microsoft Windows


, Microsoft Windows, OpenVPN OpenVPN-GUI. OpenVPN-GUI .



OpenVPN-GUI



Windows Installer (64-bit) Windows Installer (32-bit) Microsoft Windows. . , C:\Program Files\OpenVPN\config.



C:\Program Files\OpenVPN\easy-rsa Easy-RSA Windows.



Easy-RSA Windows C:\Program Files\OpenVPN\easy-rsa\README.txt



, Microsoft Windows, USB - CA. , , USB -, Microsoft Windows.




.



, . Microsoft Windows ConEmu-Maximus5 .



, Easy-RSA :



 cd C:\Program Files\OpenVPN\easy-rsa
 init-config.bat
 clean-all

C:\Program Files\OpenVPN\easy-rsa\keys vars.bat.



vars.bat , , KEY_COUNTRY KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL KEY_OU:



 set KEY_COUNTRY=RU
 set KEY_PROVINCE=RU
 set KEY_CITY=Moscow
 set KEY_ORG=IT-Company
 set KEY_EMAIL=develop@itcompany.ru
 set KEY_CN=changeme
 set KEY_NAME=changeme
 set KEY_OU=IT

:



 vars
 build-ca
 build-key client

, , OpenVPN Debian Linux FreeBSD.



C:\Program Files\OpenVPN\easy-rsa\keys client.csr, client.crt client.key.



— client.csr client.key. client.crt Microsoft Windows, build-ca, OpenVPN. , CA.



CA


client.csr USB - , , OpenVPN Debian Linux. USB -, Microsoft Windows.



OpenVPN


OpenVPN C:\Program Files\OpenVPN\config. ovpn. :



 client
 dev tun
 proto udp
 remote 192.168.0.54 1194
 tls-client
 ca "key/ca.crt"
 cert "key/developer-w1.crt"
 key "key/client.key"
 tls-auth "key/ta.key" 1
 comp-lzo
 tun-mtu 1500
 mssfix 1450
 verb 3

, C:\Program Files\OpenVPN\config\key :




OpenVPN-GUI


OpenVPN-GUI Windows ( OpenVPN-GUI ). ( «», System Tray) OpenVPN-GUI .



, C:\Program Files\OpenVPN\config. , , .



. , VPN . , OpenVPN. .



OpenVPN, OpenVPN-GUI .



Useful links



HMAC


Encryption


X.509


OpenVPN: Windows


(Certification authority, CA)

Source: https://habr.com/ru/post/233971/

