Difference between revisions of "OpenVPN"

From Whitespace (Hackerspace Gent)

Revision as of 16:33, 5 November 2011

Server

The virtual network consists of two parts: 1) a point-to-point VPN that connects the big-pipe server at the IBBT with the Whitespace network; 2) a server-client VPN that allows users to

Client

Create a new key

   $ openssl genrsa -aes256 -out 0x20-vpn-your_name_here.key 2048

Create a certificate signing request (answer the prompts with the values below):

   $ openssl req -new -key 0x20-vpn-your_name_here.key -out 0x20-vpn-your_name_here.csr
           countryName               = BE
           stateOrProvinceName       = Ghent
           organizationName          = 0x20
           organizationalUnitName    = members
           commonName                = your_name_here


Get your certificate signed

You can only get your certificate signed by being physically present in the space.

Sign the certificate (done by the CA operator, from the CA directory; the request file sits one level up):

   $ openssl ca -in ../0x20-vpn-your_name_here.csr -cert ca-0x20-cert.pem -keyfile private/ca-0x20-key.pem -out 0x20-vpn-your_name_here.cert -config ./openssl.cnf
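The three steps above (key, CSR, signing with openssl ca) as one script that can be run end to end, added here as an example and not taken from the Whitespace wiki or the 0x20 CA. Everything runs against a throwaway CA in a temporary directory: the CA name ca-0x20-test, the server cert name "server", the minimal openssl.cnf written by ca_setup (the page's own ./openssl.cnf is not shown) and the v3_server/v3_client extension sections are all assumptions, and the member key is left unencrypted (the page uses -aes256) only so that no passphrase prompt blocks an unattended run. The last two functions check the two things the client config below relies on: that a cert chains to the CA, and that only the server's cert carries nsCertType=server / extendedKeyUsage=serverAuth, which is what "ns-cert-type server" (or "remote-cert-tls server" on newer clients) enforces so that a member cert signed by the same CA cannot pose as the VPN server.

```shell
#!/bin/sh
# Added example, not part of the Whitespace wiki page: runs the page's
# key -> CSR -> "openssl ca" flow against a throwaway CA in a temp dir and
# then checks the property the client config's "ns-cert-type server" needs.
# Assumed names: ca-0x20-test, "server", the openssl.cnf below, v3_*.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CADIR="$WORK/ca"
CACERT="$CADIR/ca-0x20-cert.pem"
CAKEY="$CADIR/private/ca-0x20-key.pem"

# Assumed minimal openssl.cnf (the page's ./openssl.cnf is not shown).
# v3_server / v3_client hold the extensions ns-cert-type and remote-cert-tls check.
ca_setup() {
    mkdir -p "$CADIR/private" "$CADIR/newcerts"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
nsCertType = server
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
[ v3_client ]
nsCertType = client
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
    # self-signed test CA standing in for ca-0x20-cert.pem / ca-0x20-key.pem
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CADIR/openssl.cnf" \
        -subj "/C=BE/ST=Ghent/O=0x20/CN=ca-0x20-test" \
        -keyout "$CAKEY" -out "$CACERT" 2>/dev/null
}

# Member side: the page's "Create a new key" and CSR steps, non-interactive.
# The page encrypts the key with -aes256; it is unencrypted here (assumption)
# only so the script runs without a passphrase prompt.
make_csr() {            # $1 = name; writes $WORK/0x20-vpn-$1.key and .csr
    openssl genrsa -out "$WORK/0x20-vpn-$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/0x20-vpn-$1.key" -config "$CADIR/openssl.cnf" \
        -subj "/C=BE/ST=Ghent/O=0x20/OU=members/CN=$1" -out "$WORK/0x20-vpn-$1.csr"
}

# CA side: the page's "openssl ca" step, with -extensions selecting the profile.
# Signing member requests with v3_client is what stops a member's cert from
# being accepted as the server's.
sign_csr() {            # $1 = name, $2 = v3_server | v3_client
    openssl ca -batch -notext -config "$CADIR/openssl.cnf" -extensions "$2" \
        -cert "$CACERT" -keyfile "$CAKEY" \
        -in "$WORK/0x20-vpn-$1.csr" -out "$WORK/0x20-vpn-$1.cert" 2>/dev/null
}

# True if the cert would satisfy "ns-cert-type server" (nsCertType = server)
# and its replacement "remote-cert-tls server" (extendedKeyUsage = serverAuth).
cert_is_server() {      # $1 = cert file
    text=$(openssl x509 -in "$1" -noout -text)
    case "$text" in
        *"SSL Server"*"TLS Web Server Authentication"*) return 0 ;;
        *"TLS Web Server Authentication"*"SSL Server"*) return 0 ;;
    esac
    return 1
}

# True if the cert chains to the CA (what the client's "ca" line checks).
cert_chains_to_ca() {   # $1 = cert file
    openssl verify -CAfile "$CACERT" "$1" >/dev/null 2>&1
}

ca_setup
make_csr server;         sign_csr server v3_server
make_csr your_name_here; sign_csr your_name_here v3_client
```

After the run, $WORK holds the CA plus 0x20-vpn-server.cert and 0x20-vpn-your_name_here.cert; the member cert chains to the CA but fails cert_is_server, which is exactly the distinction the client config's ns-cert-type line turns into a connection refusal.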

Client config

client
remote members.0x20.be 1194
proto udp
dev tun

resolv-retry infinite
nobind

# drop root privileges once the tunnel is up
user nobody
group nogroup

# keep the key material and the tun device across restarts, since the
# unprivileged user above can no longer re-read the key or re-open the device
persist-key
persist-tun

# use the cert and key issued to you (the names below are one member's)
ca certs/ca-0x20-cert.pem
cert certs/0x20-vpn-jaroslov.cert
key certs/0x20-vpn-jaroslov.key

# only accept a server cert marked nsCertType=server, so another member's
# client cert signed by the same CA cannot impersonate the server;
# deprecated in OpenVPN 2.4 and removed in 2.5, where the equivalent is
# "remote-cert-tls server" (checks extendedKeyUsage serverAuth instead)
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# OpenVPN 2.4+ negotiates the data channel cipher (AES-256-GCM by default);
# this static setting only matters for older peers
cipher AES-256-CBC
# compressing traffic before encryption leaks plaintext (VORACLE);
# keep comp-lzo only if the server insists on it
comp-lzo

verb 3
mute 20