Back to the sea ; the virtual private network (VPN), episode IX
I use VPN to remotely connect to my home-LAN when I’m away. I’ve tried may kinds of VPN ; from IPsec (point-to-point) to SSL through L2TP. I found that the easiest one to implement, when using various OS client, was VPN/SSL. And the easiest software to be used by any OS, or at least any I use, was OpenVPN. From Windows to OSX through NetBSD, there’s an available binary. So let’s create the server on OpenBSD.
Install the binary package:
# pkg_add http://ftp.fr.openbsd.org/pub/OpenBSD/4.8/packages/amd64/openvpn-2.1.0p0.tgz # cat << EOF > /etc/hostname.tun0 up link0 !/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf EOF # mkdir /etc/openvpn # chown _openvpn:_openvpn /etc/openvpn # chmod 750 /etc/openvpn # install -o _openvpn -g _openvpn -m 0640 /usr/local/share/examples/openvpn/sample-config-files/server.conf /etc/openvpn/server.conf
One thing that has to be noticed about OpenVPN is that “
Each client and the server must have their own cert and key file. The server and all clients will use the same ca file.”
I will generate a client certificate from my CA and I’ll also have to generate a server certificate. I won’t be able to use the public certificate that is used by my Web server.
The certificates have already been created and installed during the CA creation process .
OpenVPN requires a Diffie-Hellman Parameters file:
# cd /etc/openvpn/ # openssl dhparam -out dh4096.pem 4096 Generating DH parameters, 4096 bit long safe prime, generator 2 This is going to take a long time ................................................................................ (...) ......................................................++*++*
I will use a bridge so that my client appear in the same network as my internal LAN. Proper secured connection would probably be to create a dedicated network where data are filter by a firewall. But this would be too complex for my (single-user) configuration:
# cat /etc/hostname.bridge0 add em0 add tun0 up
You’ll need IP forwading to … forward IP packets:
# vi /etc/sysctl.conf net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
Modify the server configuration file:
# diff /usr/local/share/examples/openvpn/sample-config-files/server.conf /etc/openvpn/server.conf 32c32,33 < port 1194 --- > port 443 > port-share localhost 8443 35,36c36,37 < ;proto tcp < proto udp --- > proto tcp > ;proto udp 53a55 > dev-type tap 78,80c80,82 < ca ca.crt < cert server.crt < key server.key # This file should be kept secret --- > ca /etc/ssl/TMFCA/cacert.pem > cert /etc/ssl/TMFCA/certs/www.tumfatig.net.crt > key /etc/ssl/TMFCA/private/www.tumfatig.net.key 87c89 < dh dh1024.pem --- > dh /etc/openvpn/dh4096.pem 96c98 < server 10.8.0.0 255.255.255.0 --- > ;server 10.8.0.0 255.255.255.0 103c105 < ifconfig-pool-persist ipp.txt --- > ifconfig-pool-persist /etc/openvpn/ipp.txt 115c117 < ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 --- > server-bridge 192.168.12.144 255.255.255.0 192.168.12.200 192.168.12.202 136c138 < ;push "route 192.168.10.0 255.255.255.0" --- > push "route 192.168.12.0 255.255.255.0" 150c152 < ;client-config-dir ccd --- > client-config-dir ccd 195c197 < ;push "dhcp-option DNS 188.8.131.52" --- > push "dhcp-option DNS 192.168.12.144" 262,263c264,265 < ;user _openvpn < ;group _openvpn --- > user _openvpn > group _openvpn 275c277 < status openvpn-status.log --- > status /etc/openvpn/openvpn-status.log # mkdir /etc/openvpn/ccd # cat > /etc/openvpn/ccd/joe ifconfig-push 192.168.12.202 255.255.255.0
Don’t forget to configure
Apache to listen on port
8443 rather than
Reboot and check the console and logs to ensure every thing goes OK.
That’s All Folks!