Difference between revisions of "OpenVPN"

From Whitespace (Hackerspace Gent)
(Client config Wintendo)
Line 101: Line 101:
 
</pre>
 
</pre>
 
'''Important:''' When executing openvpn use administrator permissions (run as administrator).
 
'''Important:''' When executing openvpn use administrator permissions (run as administrator).
 +
 +
== Server 0x20 <-> IBBT ==
 +
* A P2P tunnel between 0x20 and IBBT.
 +
* 0x20/soekris config, /etc/openvpn/members.conf :
 +
<pre>
 +
mode p2p                                      # Peer-to-peer-Mode
 +
remote members.0x20.be                        # Peer-Address, (Dyn)DNS if it's
 +
lport 40002                                    # local port
 +
rport 443                                      # remote port
 +
proto tcp-client                              # ...via TCP, use server mode
 +
dev-type tun
 +
dev vpn-members                                # interfacename, just individual
 +
#tun-ipv6                                      # we want to use ipv6
 +
comp-lzo                                      # compression
 +
#cd /usr/local/etc/openvpn                    # here lays the key
 +
secret members.key                            # the filename of the key
 +
user nobody                                    # username under which openvpn
 +
group nogroup                                  # ...group
 +
persist-key                                    # on interruption, please keep
 +
persist-tun                                    # on interruption, please keep
 +
status /var/log/openvpn-status-members.log
 +
log-append /var/log/openvpn-members.log
 +
verb 2                                        # Verbose!
 +
ifconfig 172.22.32.5 172.20.201.1            # addressing: 'ifconfig localip remoteip'
 +
</pre>
 +
  
 
== Server ==
 
== Server ==
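Review bot: the comment on `proto tcp-client` in the added block ("...via TCP, use server mode") contradicts the directive: tcp-client makes the soekris side open the TCP connection to rport 443 on members.0x20.be, so it is the peer that must run `proto tcp-server`, not this host. Two smaller points: `#tun-ipv6` is commented out while its comment reads "we want to use ipv6", and `secret members.key` selects static-key mode, which has no per-session key exchange; the comment should say so and note that the key file needs restrictive permissions, since `user nobody` only limits the running process, not who can read the file. Several comments are also cut off mid-sentence (e.g. "Peer-Address, (Dyn)DNS if it's", "username under which openvpn") and should be completed.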

Revision as of 23:35, 5 November 2011


OpenVPN
What: VPN server
Participants: Jaroslov, Abe
Locations: Whitespace

Client

Create a new key

Linux/Windows:

   $ openssl genrsa -aes256 -out 0x20-vpn-your_name_here.key 2048

Create a certificate signing request

   $ openssl req -new -key 0x20-vpn-your_name_here.key -out 0x20-vpn-your_name_here.csr
           countryName               = BE
           stateOrProvinceName       = Ghent
           organizationName          = 0x20
           organizationalUnitName    = members
           commonName                = your_name_here

Get your certificate signed

Mail your CSR (certificate signing request) to someone who has access to the 0x20 CA. Better still, hand it over while you are physically present in the space.

Sign cert:

   $ openssl ca -in ../0x20-vpn-your_name_here.csr -cert ca-0x20-cert.pem -keyfile private/ca-0x20-key.pem -out 0x20-vpn-your_name_here.cert -config ./openssl.cnf
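The key, CSR and signing steps above as one round trip, followed by the checks a member should run on the cert that comes back (added example, not from the Whitespace wiki). A throwaway CA named "0x20-test-ca", the member name "alice" and the passphrase "demo" are constructed for this script; the real 0x20 CA key is never touched, and `openssl x509 -req` stands in for the page's `openssl ca` so no openssl.cnf database is needed.

```shell
#!/bin/sh
# Added example, not from the Whitespace wiki: full round trip of the key/CSR/sign
# procedure in a temp directory, then the checks a member should run on the cert
# they get back. The CA "0x20-test-ca", the member "alice" and the passphrase
# "demo" are constructed for this script; the real 0x20 CA key is not used.

# Checks a signed member cert: it chains to the CA cert, its public key matches our
# private key, and the CN is the one we asked for. Returns 1, 2 or 3 on failure.
# Usage: verify_member_cert CA_CERT MEMBER_CERT MEMBER_KEY KEY_PASS EXPECTED_CN
verify_member_cert() {
    ca=$1; cert=$2; key=$3; pass=$4; cn=$5
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    pub_cert=$(openssl x509 -in "$cert" -noout -pubkey)
    pub_key=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout)
    [ -n "$pub_cert" ] && [ "$pub_cert" = "$pub_key" ] || return 2
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *${cn}\$" || return 3
}

# Throwaway CA, member key + CSR with the page's subject fields, signing, checks.
# Returns 0 when alice's cert passes and the same cert is refused for CN "bob".
demo() {
    tmp=$(mktemp -d); rc=0
    (
        cd "$tmp" &&
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-0x20-key.pem \
            -out ca-0x20-cert.pem -days 1 -subj "/C=BE/O=0x20/CN=0x20-test-ca" 2>/dev/null &&
        # Member side: passphrase-protected key and CSR, as on the page but non-interactive.
        openssl genrsa -aes256 -passout pass:demo -out 0x20-vpn-alice.key 2048 2>/dev/null &&
        openssl req -new -key 0x20-vpn-alice.key -passin pass:demo -out 0x20-vpn-alice.csr \
            -subj "/C=BE/ST=Ghent/O=0x20/OU=members/CN=alice" &&
        # CA side: 'openssl x509 -req' replaces the page's 'openssl ca' so that no
        # openssl.cnf database is needed; the signed cert verifies the same way.
        openssl x509 -req -in 0x20-vpn-alice.csr -CA ca-0x20-cert.pem \
            -CAkey ca-0x20-key.pem -CAcreateserial -days 1 -out 0x20-vpn-alice.cert 2>/dev/null &&
        verify_member_cert ca-0x20-cert.pem 0x20-vpn-alice.cert 0x20-vpn-alice.key demo alice &&
        ! verify_member_cert ca-0x20-cert.pem 0x20-vpn-alice.cert 0x20-vpn-alice.key demo bob
    ) || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run `verify_member_cert` on the real files once your signed cert arrives; a return of 2 means the cert was issued for a key other than the one you generated.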

Client config Linux

  • apt-get install openvpn
  • create the following config file as /etc/openvpn/0x20-vpn.conf and change the values shown in bold (the <name> placeholders)
   client
   remote members.0x20.be 1194
   proto udp 
   dev tun  
   
   resolv-retry infinite
   nobind
   
   user nobody
   group nogroup
       
   persist-key
   persist-tun
   
   ca certs/ca-0x20-cert.pem
   cert certs/0x20-vpn-<name>.cert
   key certs/0x20-vpn-<name>.key
   
   ns-cert-type server
   
   # If a tls-auth key is used on the server
   # then every client must also have the key.
   ;tls-auth ta.key 1
  
   cipher AES-256-CBC
   comp-lzo
   
   verb 3
   mute 20

Client config Wintendo

  • Get OpenVPN for Windows from the OpenVPN download page
  • open cmd with administrator privileges (start menu -> cmd -> run as admin)
  • cd Program Files\OpenVPN\easy-rsa
  • run the command init-config.bat


Save the following content as C:\Program Files\OpenVPN\config\Openvpn_0x20.ovpn:

client
remote members.0x20.be 1194
proto udp 
dev tun  

resolv-retry infinite
nobind

# user/group are Linux privilege-drop options; OpenVPN on Windows ignores them.
user nobody
group nogroup
 
persist-key
persist-tun

#change the paths as needed.
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca-0x20-cert.pem"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\0x20-vpn-your_name_here.cert"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\0x20-vpn-your_name_here.key"


ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
  
cipher AES-256-CBC
comp-lzo

verb 3
mute 20

Important: When executing openvpn use administrator permissions (run as administrator).

Server 0x20 <-> IBBT

  • A P2P tunnel between 0x20 and IBBT.
  • 0x20/soekris config, /etc/openvpn/members.conf:
mode p2p                                       # point-to-point mode, no client/server roles
remote members.0x20.be                         # peer address (hostname or IP; DynDNS if it changes)
lport 40002                                    # local port
rport 443                                      # remote port
proto tcp-client                               # over TCP; this side opens the connection, the peer runs tcp-server
dev-type tun
dev vpn-members                                # interface name, one per tunnel
#tun-ipv6                                      # enable when IPv6 should be carried over the tunnel
comp-lzo                                       # compression
#cd /usr/local/etc/openvpn                     # directory that holds the key
secret members.key                             # static pre-shared key file (static-key mode, no per-session keys)
user nobody                                    # unprivileged user to run as after startup
group nogroup                                  # ...and group
persist-key                                    # keep key material across restarts (needed after dropping privileges)
persist-tun                                    # keep the tun device open across restarts
status /var/log/openvpn-status-members.log
log-append /var/log/openvpn-members.log
verb 2                                         # log verbosity
ifconfig 172.22.32.5 172.20.201.1              # addressing: 'ifconfig localip remoteip'
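A small checker for the directives the client configs and this P2P config rely on, as an added example that is not part of the wiki page: it strips comments from an OpenVPN config and flags settings that current OpenVPN guidance replaces (ns-cert-type, comp-lzo, a static `secret`, a missing tls-auth/tls-crypt, a cipher without an explicit `auth`). The two sample configs are constructed subsets of the page's Linux client config and of the 0x20/soekris config.

```shell
#!/bin/sh
# Added example, not from the Whitespace wiki: a small checker for the directives the
# configs on this page use. It strips comments from an OpenVPN config and flags settings
# that current OpenVPN guidance replaces. The two sample configs are constructed
# subsets of the page's Linux client config and of the 0x20/soekris P2P config.

# Prints one finding per line and returns the number of findings (0 = nothing flagged).
audit_ovpn() {
    # Drop '#' and ';' comments and blank lines so a commented-out directive does not count.
    live=$(sed 's/[#;].*//' "$1" | grep -v '^[[:space:]]*$')
    n=0
    has() { printf '%s\n' "$live" | grep -Eq "^[[:space:]]*$1([[:space:]]|\$)"; }
    flag() { echo "$1"; n=$((n + 1)); }
    has ns-cert-type && flag "ns-cert-type: deprecated, use 'remote-cert-tls server'"
    has comp-lzo && flag "comp-lzo: compression of tunnelled data, prefer no compression"
    has secret && flag "secret: static-key mode, no per-session keys"
    has secret || has tls-auth || has tls-crypt || flag "no tls-auth/tls-crypt: control channel not pre-authenticated"
    has cipher && ! has auth && flag "cipher set but no 'auth': HMAC falls back to the SHA1 default"
    return $n
}

# Constructed subset of the page's Linux client config (tls-auth commented out as on the page).
write_client_sample() {
    cat > "$1" <<'EOF'
client
remote members.0x20.be 1194
proto udp
dev tun
ca certs/ca-0x20-cert.pem
cert certs/0x20-vpn-alice.cert
key certs/0x20-vpn-alice.key
ns-cert-type server
;tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
EOF
}

# Constructed subset of the 0x20/soekris P2P config.
write_p2p_sample() {
    cat > "$1" <<'EOF'
mode p2p
remote members.0x20.be
proto tcp-client
dev vpn-members
comp-lzo
secret members.key
ifconfig 172.22.32.5 172.20.201.1
EOF
}
```

Running `audit_ovpn` on the client sample yields four findings and on the P2P sample two (comp-lzo and the static secret); the return value is the count, so check it with `audit_ovpn file || count=$?`.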


Server

The virtual network consists of two parts: 1) a point-to-point VPN that connects the big pipe server at the IBBT with the Whitespace network, and 2) a server-client VPN that allows users to