OpenVPN Server Setup on Linux


In this howto we will learn how to set up an SSL-based secure VPN server on Linux. We will achieve this with OpenVPN, a free and open-source virtual private network program for creating point-to-point or server-to-multi-client encrypted tunnels.

Let’s install and configure our VPN server. First, make sure you are logged in as root. Second, OpenVPN is not in the base repositories of Red Hat, CentOS, Fedora etc., so we need the RPMforge (Dag Wieers) repository for OpenVPN.

cd /tmp
rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
wget http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el4.rf.i386.rpm
rpm -ivh rpmforge-release-0.3.6-1.el4.rf.i386.rpm

If you are installing OpenVPN from an RPM package, don’t forget to install the LZO package as well.

Then issue the following command to install OpenVPN:

yum install -y openvpn 

After OpenVPN has been installed successfully, we need to copy the easy-rsa scripts into the /etc/openvpn/ directory and make them executable.

cd /etc/openvpn/
cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ .
cd easy-rsa
chmod 744 clean-all
chmod 744 build-ca
chmod a+x *

Whenever we create a key (for the server or a client), the SSL key generator asks a series of questions (country name, province, city, organization name etc.). To avoid this hassle we define all of this information in environment variables, so we need to edit the /etc/profile file to define them.

Just run vi /etc/profile and add these lines:

export KEY_DIR="/etc/openvpn/keys"
export KEY_CONFIG="/etc/openvpn/easy-rsa/openssl.cnf"
export KEY_SIZE="1024"
export KEY_COUNTRY="PK"
export KEY_PROVINCE="PUN"
export KEY_CITY="LAHORE"
export KEY_ORG="TECHBABU"
export KEY_EMAIL="user@techbabu.com"

Whenever we change something in /etc/profile we need to reload it for the change to take immediate effect. To reload /etc/profile, enter this command:

source /etc/profile

Let’s create the certificate authority (CA) certificate for our OpenVPN server:

./clean-all
./build-ca

The last command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command.

Note that in the above sequence most queried parameters are defaulted from the environment variables. The only parameter which must be explicitly entered is the Common Name (put whatever you want).

In the next step we will generate a certificate and private key for the server. To generate the certificate and key, enter this command (from the easy-rsa directory):

./build-key-server server

As we already provided most of the answers through environment variables, we only need to enter the Common Name. So when the Common Name is queried, enter “server” as the common name.

After the server’s certificate, now create the client certificate. The process is the same as for the server’s certificate:

./build-key client

The above procedure can be repeated for different clients.

Make sure to type the appropriate Common Name whenever it is prompted, i.e. “client1”, “client2”, or “client3”. Always use a unique Common Name for each client.

Generate Diffie-Hellman parameters:

./build-dh

build-dh will take some time to complete.
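The text above insists on a unique Common Name per client. As an added example (not part of the original how-to), the following Python script reads the certificate database that easy-rsa maintains via `openssl ca` in $KEY_DIR/index.txt and reports any Common Name that appears on more than one currently valid certificate. The record layout (status, expiry, revocation date, serial, file name, subject DN, tab-separated) is the standard `openssl ca` database format; the SAMPLE_INDEX content is constructed for the example and mirrors the KEY_* variables set in /etc/profile. The `parse_index`, `duplicate_common_names` and `valid_clients` names are this example's own.

```python
"""Inspect the easy-rsa certificate database for duplicate Common Names.

easy-rsa issues certificates through `openssl ca`, which appends one
tab-separated record per certificate to $KEY_DIR/index.txt:
  status (V valid / R revoked / E expired), expiry, revocation date,
  serial, file name, subject DN.
SAMPLE_INDEX is a constructed sample, not a real database.
"""
from collections import Counter

DN = "/C=PK/ST=PUN/L=LAHORE/O=TECHBABU/CN=%s/emailAddress=user@techbabu.com"

# Constructed sample of /etc/openvpn/keys/index.txt: client2 was revoked and
# re-issued (fine), client1 was issued twice and both copies are valid (bad).
SAMPLE_INDEX = "\n".join([
    "V\t180101000000Z\t\t01\tunknown\t" + DN % "server",
    "V\t180101000000Z\t\t02\tunknown\t" + DN % "client1",
    "R\t180101000000Z\t170601000000Z\t03\tunknown\t" + DN % "client2",
    "V\t180101000000Z\t\t04\tunknown\t" + DN % "client2",
    "V\t180101000000Z\t\t05\tunknown\t" + DN % "client1",
]) + "\n"


def parse_index(text):
    """Return one dict per index.txt record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, revoked, serial, _fname, subject = fields
        # Subject is /K=V/K=V...; values containing '/' would need escaping,
        # which easy-rsa's fixed fields never produce.
        dn = dict(part.split("=", 1) for part in subject.strip("/").split("/"))
        records.append({"status": status, "expiry": expiry, "revoked": revoked,
                        "serial": serial, "cn": dn.get("CN"), "dn": dn})
    return records


def duplicate_common_names(records):
    """CNs that appear on more than one currently valid (V) certificate."""
    counts = Counter(r["cn"] for r in records if r["status"] == "V")
    return sorted(cn for cn, n in counts.items() if n > 1)


def valid_clients(records, server_cn="server"):
    """Distinct CNs of valid certificates other than the server's."""
    return sorted({r["cn"] for r in records
                   if r["status"] == "V" and r["cn"] != server_cn})


if __name__ == "__main__":
    # Replace SAMPLE_INDEX with open("/etc/openvpn/keys/index.txt").read()
    recs = parse_index(SAMPLE_INDEX)
    print("valid clients:", valid_clients(recs))
    for cn in duplicate_common_names(recs):
        print("WARNING: Common Name %r has more than one valid certificate" % cn)
```

Revoked certificates are ignored when counting, so re-issuing a certificate after revoking the old one does not trigger a warning; two valid certificates with the same Common Name do, which is exactly the situation that later requires `duplicate-cn` on the server.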

tls-auth

The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing.

Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key. We store it alongside them in /etc/openvpn/keys:

cd /etc/openvpn/keys/
openvpn --genkey --secret ta.key

This command will generate an OpenVPN static key and write it to the file ta.key. This key should be copied over a pre-existing secure channel to the server and all client machines. It can be placed in the same directory as the RSA .key and .crt files.
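To make concrete what tls-auth buys you, and why the server side later uses key direction 0 while the client uses 1, here is an added Python model (not OpenVPN's own code). It writes a static key in the same file shape as `openvpn --genkey --secret ta.key` (a 2048-bit key as 16 hex lines between BEGIN/END markers), derives per-direction HMAC keys from it, tags a handshake packet, and shows that packets with a missing or wrong tag are dropped before anything else looks at them. How the 256 bytes are split into send/receive keys in `hmac_keys` is a simplification assumed for illustration, not OpenVPN's exact key schedule or packet format; the sample packet content is constructed.

```python
"""Model of tls-auth: HMAC-tag control packets with a shared static key."""
import hashlib
import hmac
import secrets

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"


def genkey():
    """Same file shape as `openvpn --genkey --secret`: 2048 random bits as hex."""
    raw = secrets.token_bytes(256)
    lines = [raw.hex()[i:i + 32] for i in range(0, 512, 32)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#",
                      HEADER, *lines, FOOTER]) + "\n"


def load_key(text):
    """Parse the hex body between the markers back into 256 raw bytes."""
    body = text.split(HEADER, 1)[1].split(FOOTER, 1)[0]
    raw = bytes.fromhex("".join(body.split()))
    if len(raw) != 256:
        raise ValueError("static key must be 2048 bits")
    return raw


def hmac_keys(raw, direction):
    """Return (send_key, recv_key) for one side.

    Assumed layout for this example: the key is split into two 128-byte
    halves; direction 0 sends with half 0 and receives with half 1,
    direction 1 the reverse. The server uses 0 and every client uses 1,
    so each side's send key is the other side's receive key.
    """
    halves = (raw[:128], raw[128:])
    return (halves[0], halves[1]) if direction == 0 else (halves[1], halves[0])


def sign(packet, send_key):
    """Prepend an HMAC-SHA1 tag (SHA1 is OpenVPN's default --auth)."""
    return hmac.new(send_key, packet, hashlib.sha1).digest() + packet


def verify(signed, recv_key):
    """Return the packet if its tag checks, else None (packet dropped)."""
    tag, packet = signed[:20], signed[20:]
    expected = hmac.new(recv_key, packet, hashlib.sha1).digest()
    return packet if hmac.compare_digest(tag, expected) else None


def demo():
    """Exercise the three cases the text describes; returns (ok, mismatch, junk)."""
    raw = load_key(genkey())                  # ta.key, copied to server and clients
    srv_send, srv_recv = hmac_keys(raw, 0)    # server: tls-auth keys/ta.key 0
    cli_send, cli_recv = hmac_keys(raw, 1)    # client: tls-auth ta.key 1
    hello = b"P_CONTROL_HARD_RESET_CLIENT_V2 (constructed sample packet)"
    # Correctly paired directions: the server accepts the client's packet.
    ok = verify(sign(hello, cli_send), srv_recv) == hello
    # Client misconfigured with direction 0: it signs with the server's send key.
    wrong_send, _ = hmac_keys(raw, 0)
    mismatch = verify(sign(hello, wrong_send), srv_recv) is None
    # Unsolicited UDP with no valid tag: dropped without further processing.
    junk = verify(b"\x00" * 20 + hello, srv_recv) is None
    return ok, mismatch, junk


if __name__ == "__main__":
    print(demo())
```

The mismatch case is the common field mistake: both sides configured with the same direction number share the same ta.key yet cannot complete a handshake, and the server log shows the packets being discarded as bad HMACs.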

That is all; the keys and other configuration are done. Now we’ll create the server’s configuration file openvpn.conf in the /etc/openvpn/ directory.

Here is the content of the openvpn.conf file:

# Public IP address the service listens on
local 7x.6x.3x.5x
port 1194
proto udp
chroot /etc/openvpn
dev tun
mode server
daemon
# Key direction is 0 on the server and 1 on every client
tls-auth keys/ta.key 0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
# Virtual VPN network handed out to clients
server 10.0.0.0 255.255.255.0
# Route to the internal LAN and the internal DNS server, pushed to clients
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.23"
# Remove this line if you enable duplicate-cn (see below)
ifconfig-pool-persist ipp.txt
client-to-client
ping-timer-rem
keepalive 10 120
# Must match the cipher in the client configuration
cipher AES-256-CBC
comp-lzo
max-clients 100
# Drop root privileges once the tunnel is up
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
management localhost 7505
verb 3

In the above configuration we defined the IP address (7x.6x.3x.5x) on which the OpenVPN service listens. The virtual IP network will be 10.0.0.0/24. We also push the route to our internal network (192.168.1.0/24) so that clients can reach it, and push our DNS server’s IP address so that local domains resolve.

Let’s start the OpenVPN service:

/etc/init.d/openvpn start

Our server is configured and ready to use. We need to copy the client keys and the CA certificate into the client’s config directory. Here is the list of files required on the client side:

  • ca.crt
  • ta.key
  • client.crt
  • client.key

You have to create a separate key file for every client and copy it into that client’s config directory. But if you want to use a single key file for every client, you need to add this line to the OpenVPN server config file:

duplicate-cn

If you enable duplicate-cn, you have to remove the ifconfig-pool-persist ipp.txt option from the server configuration.

Installing OpenVPN GUI On Windows XP/Vista

Now the OpenVPN server is complete. Download the client software from: http://www.openvpn.se/.

After installing the OpenVPN GUI client on Windows, copy the key files into the C:\Program Files\OpenVPN\config directory and edit the openvpn.client file.

Here are the contents of the openvpn.client file:

client
dev tun
proto udp
remote 7x.6x.3x.5x 1194
# Key files sit directly in the config directory; direction 1 on the client
tls-auth ta.key 1
ca ca.crt
cert client.crt
key client.key
resolv-retry infinite
nobind
# user/group are not implemented on Windows (OpenVPN logs a NOTE and ignores them)
user nobody
group nobody
persist-key
persist-tun
mute-replay-warnings
# Must match the server's cipher
cipher AES-256-CBC
comp-lzo
verb 3
mute 20

Save and exit the file. Run the OpenVPN client on the XP machine by right-clicking the OpenVPN icon in the task tray.

That’s all; we have successfully configured the OpenVPN server and client.
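Before handing a client configuration out, it is worth checking that the two files agree on the points this howto relies on: tls-auth direction 0 on the server and 1 on the client, the same cipher and comp-lzo setting on both sides, the client’s remote port and protocol matching the server, and no duplicate-cn together with ifconfig-pool-persist. The following Python script is an added example, not part of the original howto. It parses OpenVPN’s directive-per-line format (quoted arguments as in `push "route …"`, comment lines starting with # or ;) and runs those checks; SERVER_CONF and CLIENT_CONF are trimmed copies of the two configurations above, and the function names are this example’s own.

```python
"""Pair-check an OpenVPN server config against a client config."""
import shlex

# Trimmed copy of the server's openvpn.conf from above (constructed sample).
SERVER_CONF = """\
local 7x.6x.3x.5x
port 1194
proto udp
tls-auth keys/ta.key 0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
server 10.0.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
cipher AES-256-CBC
comp-lzo
"""

# Trimmed copy of the client's openvpn.client from above (constructed sample).
CLIENT_CONF = """\
client
proto udp
remote 7x.6x.3x.5x 1194
tls-auth ta.key 1
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
comp-lzo
"""


def parse_conf(text):
    """Map each directive to the list of argument lists it was given."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = shlex.split(line)   # honours the quotes in push "..."
        conf.setdefault(name, []).append(args)
    return conf


def first(conf, name):
    """Arguments of the first occurrence of a directive, or [] if absent."""
    return conf.get(name, [[]])[0]


def client_files(client):
    """Files the client must have beside its config (ca, cert, key, ta.key)."""
    return sorted(first(client, d)[0] for d in ("ca", "cert", "key", "tls-auth"))


def check_pair(server, client):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    s_ta, c_ta = first(server, "tls-auth"), first(client, "tls-auth")
    if len(s_ta) < 2 or len(c_ta) < 2:
        problems.append("tls-auth with a key direction is needed on both sides")
    elif (s_ta[1], c_ta[1]) != ("0", "1"):
        problems.append("tls-auth key direction must be 0 on server, 1 on client")
    if first(server, "cipher") != first(client, "cipher"):
        problems.append("cipher differs between server and client")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        problems.append("comp-lzo must be set on both sides or on neither")
    if "duplicate-cn" in server and "ifconfig-pool-persist" in server:
        problems.append("duplicate-cn requires removing ifconfig-pool-persist")
    remote = first(client, "remote")
    remote_port = remote[1] if len(remote) > 1 else "1194"   # OpenVPN default
    server_port = (first(server, "port") or ["1194"])[0]
    if remote_port != server_port:
        problems.append("client remote port does not match server port")
    if (first(server, "proto") or ["udp"]) != (first(client, "proto") or ["udp"]):
        problems.append("client proto does not match server proto")
    return problems


if __name__ == "__main__":
    srv, cli = parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)
    print("client needs:", client_files(cli))
    print("problems:", check_pair(srv, cli) or "none")
```

Running it on the two configurations in this howto reports no problems; adding `duplicate-cn` to the server copy without dropping `ifconfig-pool-persist`, or setting the client’s tls-auth direction to 0, makes the corresponding check fire.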

I hope you will like this how-to.
