
A simple recipe for cooking OpenVPN. Step-by-step instructions


Greetings, Habr folk. I will skip the traditional "this is my first post on Habr, please don't judge too harshly." On the contrary, well-founded criticism is welcome: I do not have much experience writing articles, and I would appreciate any reaction.

Warning one. This post will most likely not be interesting to gurus from the world of networking. It is addressed primarily to those whose interests lie in other areas of IT but who are curious about and interested in everything new. So, for those who are "in the know", the text may look like a set of well-known truths and platitudes. Gentlemen, I am not trying to surprise you, but to help those less advanced in this area. Everything below applies exclusively to computers running various versions of Windows.
Warning two. I also do not consider myself a guru and may make mistakes or be inaccurate in some statements and judgements. The sequence of actions for a working setup, however, has been verified personally.
Warning three. Many letters. I am deliberately writing in detail, and therefore at length.
If the above does not scare you, let's begin.

To begin with, let me remind you what a VPN is and how it can be useful. VPN (Virtual Private Network) is a generic name for technologies that provide one or several network connections (a logical network) on top of another network (for example, the Internet). Now in plain words: if necessary, you can safely join together as many remote computers as you like, so that they consider themselves members of one local network, with all the benefits and conveniences that follow from this, as long as each of them has access to the Internet.
Example one: your home provider has a double tariff, a local one (cheap and fast) and an external one, "to the world" (more expensive and slower). On one of the non-home computers to which you have access (say, the one at work) there is unlimited Internet at a good speed. Leaving the moral, ethical and legal aspects aside, we are now interested purely in the technical question: can we reach the world through that unlimited channel while paying local traffic rates? The answer is yes, a VPN can help us.

Example two: while away from home, you need access to the files on your home computer. Moreover, the access must be reliably encrypted, because there are plenty of beginners on the network (perhaps on your local one), and many of them may not have even a rough idea of spoofing, the TCP/IP stack and other tricky "matters", but they do know how to run programs like "Cain & Abel", which can not only intercept most of the passwords transmitted in the reachable segment of the network, but also helpfully brute-force those that are encrypted but not chosen very well. Along with other methods, a VPN will help us again: all traffic is securely encrypted with open algorithms and mechanisms that have been proven over the years.

To organize a VPN it is desirable that at least one side of the channel has an "honest" (public) IP address. It can also be set up between two private networks with "gray" IP addresses behind NAT or a proxy server, but then you have to resort to Hamachi, or get by with port forwarding (using "connect" for a proxy) if you have access to the server/router settings. Below I describe exactly this case.

There are many options for organizing a virtual private channel; I want to talk about one of them, free and open, as the name suggests: OpenVPN. Another advantage of this software is that it is cross-platform. The connected computers may run different operating systems, *nix included, but configuring such machines is beyond the scope of this article.


Undoubtedly, anyone with the desire and a certain persistence can independently figure out the installation and configuration of this client-server software, so the purpose of this article is to warn about the rakes I happened to step on, in order to save others the time of finding their own. So, (finally!) what to do and how?

1. Download the software.

2. Install it. First on the side of the future server, then repeat on the client side (that is a bit simpler), although the order is not critical. Being a lazy creature, I accepted the default installation path (C:\Program Files\OpenVPN\), for which I paid with the first rake.
Problem: the software handles paths to configuration files that contain spaces incorrectly.
Solution: install into a separate subfolder in the root of the disk with no spaces in its name, or later "escape" such paths in the configs with quotes. I chose quoting, and the description below is based on the standard installation path.

3. To establish an encrypted connection with a remote machine, each side of the virtual channel needs a certificate that confirms it is exactly who it claims to be. They can be bought (hundreds of dollars a year, although there are also trial versions for up to 90 days) from one of the many certification authorities (CAs). The advantage of that solution is that no operating system or browser will throw a fit that the certificate was issued by an unknown supplier and "think again, owner, whom do you trust?". The downside is obvious: the cost. The second option is to create such certificates yourself by building a local CA for personal use. There are many ways to do this; what matters is to check carefully the parameters of the finished certificates that you feed to OpenVPN (namely, compare the "fingerprints" (thumbprints, i.e. hashes) of the generated and the deployed copies) and make sure they were created by you and not by an evil hacker who wants to carry off your entire archive of photos of your naked girlfriend, er, business correspondence, who learned of your plans to use a VPN and somehow substituted his own certificate. The situation is, of course, almost incredible and, frankly, paranoid, but security is security. This is perhaps the most vulnerable point in the whole idea of using certificates and keys: their substitution during the one-time transfer over the network from the CA to the two sides of the VPN channel, i.e. a man-in-the-middle attack.
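The fingerprint comparison described above, as an added example that is not part of the original article: the script reads a PEM certificate the way OpenVPN's .crt files are written, hashes the DER body the same way the openssl x509 -fingerprint output does, and compares the result against a value obtained out of band (read over the phone, written on paper) in constant time. The embedded "certificate" is a constructed stand-in for the DER bytes of ca.crt, not a real certificate; the fingerprint arithmetic is identical for a real one.

```python
# Added example (not from the article): verify a certificate fingerprint
# against a reference value received out of band, to detect a swapped file.
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def wrap_pem(der: bytes) -> str:
    """PEM-armor DER bytes the way openssl writes a .crt file (64-ish char lines)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode("ascii")
            + "-----END CERTIFICATE-----\n")


# Constructed stand-in for the DER body of ca.crt; no real certificate is embedded.
# A fingerprint is just a hash over the DER bytes, so the procedure is the same for a real file.
SAMPLE_DER = b"constructed stand-in for the DER encoding of a CA certificate"
SAMPLE_PEM = wrap_pem(SAMPLE_DER)
# The same file with one byte changed: what a substitution in transit would look like.
TAMPERED_PEM = wrap_pem(SAMPLE_DER[:-1] + b"!")


def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body of the first CERTIFICATE block and decode it."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER certificate (openssl layout)."""
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators and case so a value copied from a printout or read aloud compares cleanly."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).upper()


def verify_fingerprint(pem: str, expected: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison of the file's fingerprint with the reference value."""
    return hmac.compare_digest(normalize(fingerprint(pem, algorithm)), normalize(expected))


if __name__ == "__main__":
    reference = fingerprint(SAMPLE_PEM)          # value you would note down on the CA machine
    print("reference:", reference)
    print("received copy ok:", verify_fingerprint(SAMPLE_PEM, reference))
    print("tampered copy ok:", verify_fingerprint(TAMPERED_PEM, reference))
```

On the CA machine the reference value can be printed with openssl x509 -in ca.crt -noout -sha256 -fingerprint; run the script on the copy that arrived on the other side of the channel and refuse to use the file if verify_fingerprint returns False.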

I will mention only two ways to create certificates. The first is using Windows Server. The procedure is not the fastest or most obvious, but quite feasible. In our case, however, it is more convenient to use the second: the tools built into OpenVPN itself, on any Windows.

For those in a hurry who are not afraid of repeating others' mistakes: everything written below about creating keys and certificates is summarized in English in the file C:\Program Files\OpenVPN\easy-rsa\README.txt.
I will describe it in more detail and explain where my problems came from.

Certificate authority, keys, certificates

a. Go to C:\Program Files\OpenVPN\easy-rsa

b. Open openssl.cnf.sample and edit it as needed. The standard rule applies: "not sure, don't touch". In fact this file need not be changed at all; the default settings work fine. But if your hands itch: for example, some variable values will be requested from the user when creating a certificate, but they can be set in advance as defaults; they will then be shown as the answer in square brackets and can be accepted simply by pressing Enter. Such variables are marked "match". Optional parameters are marked "optional". Parameters that are required, unique and must be entered by hand every time are marked "supplied" (it is not recommended to move such variables to a different status).
You can configure the expiry of certificates (default is 10 years), limits on the length of the user's contact information, and so on. Save as openssl.cnf.

c. Run init-config.bat
Attention, rakes are possible! This and all subsequent *.bat files should be launched not by double-clicking but from the Windows console. For those who use it rarely, a reminder that you can make life a little easier by copying paths to navigate quickly to the desired folder: Explorer -> select the folder path -> copy -> switch to the console (Win+R -> cmd) -> right mouse button -> Paste (Ctrl+V does not work here!). If you need to copy a path from the console to the clipboard: right mouse button -> Mark -> select the desired piece of text -> Enter.
In the console, go to the folder C:\Program Files\OpenVPN\easy-rsa and run init-config.bat.

d. Go back to Explorer, into easy-rsa, and edit the vars.bat file (I advise opening it with WordPad; if you open it via "Edit" from the context menu you can hit another rake: a message that the file was not found, with an offer to create a new one, again because of the space in the path). All parameters are supplied with comments; it is easy to figure out what is what. By and large everything can be left at the defaults, but for patriotic reasons you may change the country and city and enter your e-mail. This affects nothing and is simply shown as information in the certificates. Note the variable KEY_DIR=keys. This is the name of the subfolder that you will need to create in easy-rsa after saving vars.bat; the keys and certificates needed for encryption will be placed there. The name can be changed, but do not forget to reflect it in the KEY_DIR variable.

e. Do not forget to create the keys folder (or whatever name you chose).

f. Create new empty files "index.txt" and "serial" in keys. The files index.txt.start and serial.start are already in easy-rsa; you can simply copy them into keys and rename them there, removing the .start extension. serial will hold the number of certificates issued by the CA (the first is the certificate of the CA itself); index.txt holds information about the certificates issued.

g. Run vars.bat, then run clean-all.bat (and again, do not forget: in the console!)

h. Create the certificate authority key: run vars.bat, run build-ca.bat and answer the questions. You can answer everything with Enter, accepting the defaults offered, except for a unique answer to the "Common Name" question (that is, your name or the computer name). Confirm your intentions a couple of times and agree to sign.
Result: the certificate authority certificate "ca.crt" and the CA private key "ca.key" in the keys folder. All private keys must be stored securely: whoever has them can decrypt everything so painstakingly and carefully encrypted.

i. Create the Diffie-Hellman key (what it is and why: read the wiki, or if you are too lazy, just accept that it is needed): run vars.bat, run build-dh.bat, wait a little and admire the process. If you run build-dh.bat not from the console but with the mouse, nothing happens; once again, do not forget. I spent a few hours on this rake.

j. Create a private key and certificate for the server: run vars.bat, run build-key-server.bat <server_name>. Passing the server name as a space-separated parameter after the batch file name is highly desirable, because otherwise we get key and certificate files without names, just extensions, which under some circumstances can overwrite other certificates and keys that were also created without a name (one more rake).

k. Create a private key for the client: run vars.bat, run build-key.bat <client_name>. The advice about the name is the same: it is desirable to specify it. As a result we get the key in PEM format. (It is possible to create the key in PKCS#12 format; for this, instead of build-key.bat <client_name> run build-key-pkcs12.bat <client_name>. I will not describe the difference between the formats; google it if you wish.)

l. That's it. In less than half an hour we created the necessary keys and certificates for the client and the server and saved a few hundred dollars.

Configuration

4. Now the actual OpenVPN configuration. Again you have to edit config files; this is the legacy of the program's Linux roots. Go to C:\Program Files\OpenVPN\sample-config, copy client.ovpn and server.ovpn from there and put them in C:\Program Files\OpenVPN\config.

a. Client setup

In C:\Program Files\OpenVPN\config, open client.ovpn (you can just double-click it), read the comments for each variable and change the ones we need. Commented-out options begin with ";", active (and recommended) ones have no semicolon at the start. You can agree with most of the recommended parameters; at a minimum the following must be changed:

"ca ca.crt". Here you need to specify the full path to the certificate authority certificate. If your installation path is the same as mine, it is in easy-rsa\keys. Attention, rake: in the paths in the server and client configs you must use double backslashes, not single ones. This is a feature of the program. I mentioned one more rake earlier: the paths contain a space, so they must be enclosed in quotes. The ca variable will look like this:
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"

Do the same with the client variables cert and key:
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\<client_name>.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\<client_name>.key"

remote: here you specify the server's IP address and, after a space, the port on which it will listen for incoming connections (the port is set during server configuration).
A small digression. Since in the client-server model the client initiates the connection, the server must have an "honest" IP address, or at least sit behind a server/router that has one. I set up the VPN between the work computer (behind NAT) and the home one (likewise); the home one has a "gray" IP address, but that was easily solved by "forwarding" a port (I chose 7000) from the router to this computer, since the router has a permanent and "honest" network address.

I left the rest of the variables at their defaults; you can change what you need, they are well described.

b. Server setup.

The port variable: specify the UDP port (or TCP port, if you changed the protocol in the proto variable; the only requirement is that the proto value match on the client and server sides) that the server will listen on. You can choose any value from 1025 to 65535; it is important that it does not conflict with other server software, if any (or other programs that may be tied to a specific port, for example a torrent client).

Same as for the client, the key and certificate variables:
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt" (the CA certificate is the same for the client and the server)

cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\<server_name>.crt"

key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\<server_name>.key"

Plus the Diffie-Hellman key:
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"

The server variable defines the private ("gray") network from which IP addresses for the connected computers will be allocated. When a VPN is organized with OpenVPN, new virtual network interfaces appear on the server and on the client, which Windows, thanks to the included drivers, treats as fully-fledged real network cards. Their settings are determined by this variable. In most cases you can leave the default.

The remaining variables can also be left alone; I will mention only the verb variable. It defines how detailed the logs kept on the server side about all events and errors are. A value of 1 is the least detailed; a value of 9 will impress you: for one unsuccessful connection attempt I received a log file weighing about 600 KB. It is reasonable to leave 3, or raise it to 4-5 if you need careful error analysis.
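The rakes from the client and server sections (paths with spaces that are not quoted, backslashes that are not doubled, proto that differs between the two sides, a remote port that does not match the server's port, an oversized verb) can be caught before the first launch. The following linter is an added example, not code from the article or from the OpenVPN project; the two sample configs are constructed, and the names home (client), work (server), the address 203.0.113.10 and port 7000 are assumptions.

```python
# Added example (not from the article): lint client.ovpn / server.ovpn for the
# pitfalls described in the text before trying to connect.
import re

TOKEN = re.compile(r'"[^"]*"|\S+')                 # a double-quoted string or a bare word
SINGLE_BACKSLASH = re.compile(r'(?<!\\)\\(?!\\)')  # a backslash that is not part of a \\ pair
PATH_OPTIONS = ("ca", "cert", "key", "dh")

# Constructed configs (assumed names home/work, address 203.0.113.10, port 7000).
BAD_CLIENT = r"""client
dev tun
proto tcp
remote 203.0.113.10 7000
; the next line has spaces but no quotes, and single backslashes
ca C:\Program Files\OpenVPN\easy-rsa\keys\ca.crt
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\home.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\home.key"
verb 9
"""
SERVER = r"""port 7000
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
# quoted, but the backslashes were not doubled
cert "C:\Program Files\OpenVPN\easy-rsa\keys\work.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\work.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
verb 3
"""
# Corrected versions of the same two files.
GOOD_CLIENT = (BAD_CLIENT
               .replace(r"ca C:\Program Files\OpenVPN\easy-rsa\keys\ca.crt",
                        r'ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"')
               .replace("proto tcp", "proto udp")
               .replace("verb 9", "verb 3"))
GOOD_SERVER = SERVER.replace(r'"C:\Program Files\OpenVPN\easy-rsa\keys\work.crt"',
                             r'"C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\work.crt"')


def parse_ovpn(text):
    """Return {option: [args, ...]} for every active line; ';' and '#' lines are comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        tokens = TOKEN.findall(line)
        options.setdefault(tokens[0], []).append(tokens[1:])
    return options


def first(options, name, default):
    """First argument of the first occurrence of an option, or the OpenVPN default."""
    occurrences = options.get(name)
    return occurrences[0][0] if occurrences and occurrences[0] else default


def check_paths(options, side):
    issues = []
    for opt in PATH_OPTIONS:
        for args in options.get(opt, []):
            # An unquoted path with a space is split into several tokens, exactly as OpenVPN sees it.
            if len(args) != 1:
                issues.append(f"{side} {opt}: a path containing spaces must be enclosed in double quotes")
            path = args[0].strip('"') if args else ""
            if SINGLE_BACKSLASH.search(path):
                issues.append(f"{side} {opt}: use doubled backslashes in Windows paths")
    return issues


def check_pair(client, server):
    issues = []
    cproto, sproto = first(client, "proto", "udp"), first(server, "proto", "udp")
    if cproto != sproto:
        issues.append(f"proto mismatch: client {cproto}, server {sproto}")
    sport = int(first(server, "port", "1194"))
    if not 1025 <= sport <= 65535:
        issues.append(f"server port {sport} is outside 1025-65535")
    for args in client.get("remote", []):
        rport = int(args[1]) if len(args) > 1 else 1194
        if rport != sport:
            issues.append(f"client remote port {rport} does not match server port {sport}")
    for side, opts in (("client", client), ("server", server)):
        verb = int(first(opts, "verb", "1"))
        if verb > 5:
            issues.append(f"{side} verb {verb} will produce huge logs; 3 (4-5 for debugging) is enough")
    return issues


def lint(client_text, server_text):
    client, server = parse_ovpn(client_text), parse_ovpn(server_text)
    return check_paths(client, "client") + check_paths(server, "server") + check_pair(client, server)


if __name__ == "__main__":
    for issue in lint(BAD_CLIENT, SERVER):
        print(issue)
    print("corrected pair:", lint(GOOD_CLIENT, GOOD_SERVER) or "no issues")
```

Replace the sample strings with the contents of your own client.ovpn and server.ovpn (read from the config folder on each machine) and run it on either side; an empty list means the two files agree on proto and port and every path is written the way the text prescribes.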

5. Now the necessary files must be placed on the server and client sides. The simplest option is to install the program on each side and copy all the files configured by the algorithm above into the appropriate folders. If you approach it carefully and canonically: on the client side leave only the client key and certificate and the certificate of the certification authority, deleting everything related to the CA and the server; on the server side, delete all the client files. A reasonable precaution.
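Steps h-k produce a fixed set of files in the keys folder, and step 5 asks for them to be split between the two sides with no private key leaving the machine it belongs to. The script below is an added example, not part of the article or of easy-rsa: it checks a directory listing for the expected artifacts, parses the CA's index.txt for the issued common names, and reports any private key (ca.key above all) found in a side's folder that should not be there. The listing, the index.txt contents and the names work (server) and home (client) are constructed assumptions.

```python
# Added example (not from the article): verify easy-rsa's output and decide
# which files may be copied to each side of the tunnel.
import re

SERVER_NAME = "work"   # assumed stand-ins for <server_name> and <client_name>
CLIENT_NAME = "home"

# Constructed listing of easy-rsa\keys after build-ca, build-dh, build-key-server work, build-key home.
KEYS_LISTING = ["ca.crt", "ca.key", "dh1024.pem", "index.txt", "serial",
                "work.crt", "work.key", "work.csr", "home.crt", "home.key", "home.csr"]

# Constructed index.txt in the openssl CA database layout:
# status, expiry, revocation date (empty while valid), serial, filename, subject DN; tab-separated.
INDEX_TXT = (
    "V\t191201120000Z\t\t01\tunknown\t/C=RU/ST=Moscow/O=Home/CN=work/emailAddress=me@example.com\n"
    "V\t191201120000Z\t\t02\tunknown\t/C=RU/ST=Moscow/O=Home/CN=home/emailAddress=me@example.com\n"
)
CN = re.compile(r"/CN=([^/]+)")


def issued_common_names(index_text):
    """Common names of the certificates the CA records as valid (status V)."""
    names = []
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 6 and fields[0] == "V":
            match = CN.search(fields[5])
            if match:
                names.append(match.group(1))
    return names


def expected_artifacts(server, client):
    """Everything steps f-k should have left behind."""
    return {"ca.crt", "ca.key", "dh1024.pem", "index.txt", "serial",
            f"{server}.crt", f"{server}.key", f"{client}.crt", f"{client}.key"}


def check_ca_output(listing, index_text, server, client):
    problems = [f"missing {f}" for f in sorted(expected_artifacts(server, client) - set(listing))]
    issued = issued_common_names(index_text)
    for name in (server, client):
        if name not in issued:
            problems.append(f"no valid certificate for CN={name} in index.txt")
    return problems


def files_for_side(side, server, client):
    """Only what each side needs to run; everything else stays with the CA."""
    if side == "server":
        return {"ca.crt", "dh1024.pem", f"{server}.crt", f"{server}.key"}
    if side == "client":
        return {"ca.crt", f"{client}.crt", f"{client}.key"}
    raise ValueError(f"unknown side {side!r}")


def stray_private_keys(listing, side, server, client):
    """Private keys present in a side's folder that must not be there."""
    allowed = files_for_side(side, server, client)
    return {f for f in listing if f.endswith((".key", ".p12")) and f not in allowed}


if __name__ == "__main__":
    print("CA output problems:", check_ca_output(KEYS_LISTING, INDEX_TXT, SERVER_NAME, CLIENT_NAME) or "none")
    for side in ("server", "client"):
        print(side, "needs:", sorted(files_for_side(side, SERVER_NAME, CLIENT_NAME)))
        print(side, "must delete:", sorted(stray_private_keys(KEYS_LISTING, side, SERVER_NAME, CLIENT_NAME)))
```

Point KEYS_LISTING at os.listdir of the real keys folder on each machine after copying; if stray_private_keys returns anything but an empty set on the client or server, the cleanup from step 5 is not finished.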

Launch

6. Setup is complete; you can try to run it all. (Do not forget to open the necessary ports and IP addresses in the firewalls!) There are two ways to do this:

a. On the server go to C:\Program Files\OpenVPN\config, right-click server.ovpn -> Start OpenVPN on this config file. Likewise on the client side with client.ovpn. In each case we watch the messages and, if successful, on the client we will see in the last line:
"Initialization Sequence Completed"

or
b. Start the graphical shell C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe, right-click the tray icon -> server -> connect (on the client: client -> connect). If successful, on the client we will see a pop-up from the tray of the form:
"Assigned IP: 10.8.0.6" and the icon will turn green.

7. One more, the last rake I happened to face. If the system service "DHCP Client" is not running on the client (and I deliberately disabled it right after installing Windows, because the machine's IP address is static), it will not be able to obtain the IP address the server tries to issue to it. Moreover, the graphical shell will report that the address has been received, but we will not see it in the network connections or in the system routing table.

Use

8. The connection is up; what now? Now it depends only on your imagination. You can put an FTP server at home that listens on the virtual channel's IP address (goodbye, the problem of login and password sent in the clear over FTP); you can use something like Radmin or its free analogue TightVNC; you can go out to the Internet from home through the remote gateway (example one; however, for this you will need to tinker a bit more with routing on the remote gateway (at least enable it), and do not forget that simply changing the default gateway to the remote one can lose you the Internet along with the tunnel in general; uncommenting the server variable push "redirect-gateway def1 bypass-dhcp" is useful here). You can configure remote file synchronization. In general, you can do everything you can do in a local network. And safely. Since the tunnel is raised at the OSI transport layer, any network application can be "wrapped" into it.
Wake-On-Lan — .

PS . OpenVPN.



UPD. .

UPD-2. OpenVPN 2.1.1 (released on 2009.12.11), . .

Source: https://habr.com/ru/post/78101/

