Difference between revisions of "OpenVPN"

From Whitespace (Hackerspace Gent)
Revision as of 16:46, 5 November 2011

Client

Create a new key. The -aes256 option encrypts the key file under a passphrase; OpenVPN prompts for it when the tunnel is started.

   $ openssl genrsa -aes256 -out 0x20-vpn-your_name_here.key 2048

Create a certificate signing request (CSR). OpenSSL prompts for the subject fields; answer them as follows, with your own name as commonName:

   $ openssl req -new -key 0x20-vpn-your_name_here.key -out 0x20-vpn-your_name_here.csr
           countryName               = BE
           stateOrProvinceName       = Ghent
           organizationName          = 0x20
           organizationalUnitName    = members
           commonName                = your_name_here

Get your certificate signed

Mail your CSR (certificate signing request) to someone who has access to the 0x20 CA, or better, bring it along and have it signed while you are physically present in the space. Only the CSR is handed over; the private key stays on your machine.

Sign the certificate (on the CA machine, from the CA directory that holds openssl.cnf and private/):

   $ openssl ca -in ../0x20-vpn-your_name_here.csr -cert ca-0x20-cert.pem -keyfile private/ca-0x20-key.pem -out 0x20-vpn-your_name_here.cert -config ./openssl.cnf
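The three steps above (member key and CSR, signing with openssl ca, and the checks the member should run on the returned certificate) as one script, added here as a worked example and not code from the 0x20 wiki. It builds a throwaway CA with the layout openssl ca expects so it can run offline; the CA subject, the member name "alice", the passphrase, the directory layout and the client extensions are assumptions, since the real 0x20 CA config and key are not on the page.

```shell
#!/bin/sh
# Added example, not from the 0x20 wiki: member key + CSR, `openssl ca`
# signing, and verification of the result, run against a scratch CA.
# CA subject, member name, passphrase and directory layout are assumptions.
set -eu

# CA side: database, serial, output dir and config that `openssl ca` needs.
# Policy "match" forces C/O/OU to equal the CA's own; CN comes from the member.
make_ca() {
    cadir=$1
    mkdir -p "$cadir/private" "$cadir/newcerts"
    : > "$cadir/index.txt"; echo 1000 > "$cadir/serial"
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = ca_0x20
[ ca_0x20 ]
database        = $cadir/index.txt
new_certs_dir   = $cadir/newcerts
serial          = $cadir/serial
certificate     = $cadir/ca-0x20-cert.pem
private_key     = $cadir/private/ca-0x20-key.pem
default_md      = sha256
default_days    = 365
policy          = policy_members
x509_extensions = client_ext
[ policy_members ]
countryName            = match
organizationName       = match
organizationalUnitName = match
stateOrProvinceName    = optional
commonName             = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    # Self-signed CA cert; the key is left unencrypted only because this is a demo.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$cadir/openssl.cnf" -extensions ca_ext \
        -subj "/C=BE/ST=Ghent/O=0x20/OU=members/CN=0x20 CA" \
        -keyout "$cadir/private/ca-0x20-key.pem" -out "$cadir/ca-0x20-cert.pem" 2>/dev/null
}

# Member side: passphrase-protected key and a CSR with the subject the page lists.
# Only the .csr goes to the CA; the .key never leaves this machine.
make_member_csr() {
    name=$1 pass=$2
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\ncommonName = Common Name\n' > req.cnf
    openssl genrsa -aes256 -passout "pass:$pass" -out "0x20-vpn-$name.key" 2048 2>/dev/null &&
    openssl req -new -config req.cnf -key "0x20-vpn-$name.key" -passin "pass:$pass" \
        -subj "/C=BE/ST=Ghent/O=0x20/OU=members/CN=$name" -out "0x20-vpn-$name.csr"
}

# CA side: look at the requested subject before signing, then sign as on the page
# (-batch makes `openssl ca` non-interactive, -notext keeps the output pure PEM).
sign_member_csr() {
    cadir=$1 csr=$2 out=$3
    openssl req -in "$csr" -noout -subject &&
    openssl ca -batch -notext -config "$cadir/openssl.cnf" \
        -cert "$cadir/ca-0x20-cert.pem" -keyfile "$cadir/private/ca-0x20-key.pem" \
        -in "$csr" -out "$out" 2>/dev/null
}

# Member side: the returned cert must chain to the 0x20 CA, carry the expected
# CN, and contain the public half of the member's own key.
verify_member_cert() {
    cacert=$1 cert=$2 key=$3 pass=$4 name=$5
    openssl verify -CAfile "$cacert" "$cert" >/dev/null &&
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$name" &&
    certpub=$(openssl x509 -in "$cert" -noout -pubkey) &&
    keypub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout) &&
    [ "$certpub" = "$keypub" ]
}

# Whole flow in a scratch directory; returns 0 when the member cert verifies.
run_demo() {
    work=$(mktemp -d)
    ( cd "$work" &&
      make_ca ./ca &&
      make_member_csr alice example-passphrase &&
      sign_member_csr ./ca 0x20-vpn-alice.csr 0x20-vpn-alice.cert &&
      verify_member_cert ./ca/ca-0x20-cert.pem 0x20-vpn-alice.cert \
          0x20-vpn-alice.key example-passphrase alice )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

if command -v openssl >/dev/null 2>&1; then
    run_demo && echo "0x20-vpn-alice.cert verifies against ca-0x20-cert.pem"
fi
```

The key-match check at the end is the one members most often skip: a certificate that chains to the CA but was issued for a different key (a mixed-up CSR, a re-generated key) fails only at TLS handshake time with an unhelpful error.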

Client config Linux

   client
   remote members.0x20.be 1194
   proto udp 
   dev tun  
   
   resolv-retry infinite
   nobind
   
   user nobody
   group nogroup
       
   persist-key
   persist-tun
   
   ca certs/ca-0x20-cert.pem
   cert certs/0x20-vpn-<name>.cert
   key certs/0x20-vpn-<name>.key
   
   # ns-cert-type is deprecated since OpenVPN 2.4 and removed in 2.5;
   # current clients use "remote-cert-tls server" instead.
   ns-cert-type server
   
   # If a tls-auth key is used on the server
   # then every client must also have the key.
   ;tls-auth ta.key 1
  
   # CBC plus compression is the 2011 setting; current releases prefer an
   # AEAD cipher (AES-256-GCM) and no compression, because compressing
   # attacker-influenced plaintext inside the tunnel leaks it (VORACLE).
   cipher AES-256-CBC
   comp-lzo
   
   verb 3
   mute 20
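The same profile for an OpenVPN 2.5 or later client with the 2011-era settings replaced, added as an example and not part of the wiki page. It assumes the server side has been updated to match: a server certificate issued with the TLS server extended key usage and the CN members.0x20.be, a tls-crypt key shared with every member, and AES-GCM on the data channel. The file name certs/tc-0x20.key and the pinned CN are assumptions.

```text
client
remote members.0x20.be 1194
proto udp
dev tun
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun

ca   certs/ca-0x20-cert.pem
cert certs/0x20-vpn-<name>.cert
key  certs/0x20-vpn-<name>.key

# was: ns-cert-type server
# Requires the server certificate to carry extendedKeyUsage = serverAuth.
remote-cert-tls server
# Pin the server certificate's CN (assumed value) so that another
# CA-signed member certificate cannot be used to impersonate the server.
verify-x509-name members.0x20.be name

# was: ;tls-auth ta.key 1
# tls-crypt authenticates and encrypts the control channel; once the
# server enables it, every client needs the same key.
tls-crypt certs/tc-0x20.key

# was: cipher AES-256-CBC and comp-lzo
# AEAD data channel, no compression, TLS 1.2 or newer only.
data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2

verb 3
mute 20
```

The two lines that change the trust model are remote-cert-tls and verify-x509-name: the CA in this setup signs member certificates as well as the server certificate, so without them any member holding a valid certificate could stand up a fake members.0x20.be and other members' clients would accept it.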

Server

The virtual network consists of two parts: 1) a point-to-point VPN that connects the big pipe server at the IBBT with the Whitespace network; 2) a server-client VPN that allows users to