OpenVPN

From FreeBSDwiki
Latest revision as of 20:59, 1 September 2007

OpenVPN is a very useful open source, cross-platform Virtual Private Networking tool. It uses SSL encryption (dynamic keys or a 2048-bit static shared key), can use LZO stream compression, and is blindingly fast as well as much more secure than typical industry-standard IPSEC + DES or IPSEC + 3DES solutions. Better yet, it's so simple it can be run entirely from the command line.

Installing

To build it on a FreeBSD machine, just:

cd /usr/ports/security/openvpn
make install clean

It's that easy. Actually doing anything with it will require a little more work. There are many MANY ways to do this, but this one's useful, simple, and clean.

First, generate yourself a static shared-secret key file and chmod it so that only its owner can read it:

ph34r# openvpn --genkey --secret /usr/local/etc/openvpn.key
ph34r# chmod 400 /usr/local/etc/openvpn.key

Starting OpenVPN

Now you'll need a command to start it with. It can be done purely from the command line - and in fact, in one sense, that's exactly what we're going to do - but to make our lives a little easier, we'll actually use command line stuff from a shell script in /usr/local/etc/rc.d. So place this - or something similar - in your /usr/local/etc/rc.d:

#!/bin/sh

case "$1" in
start)
       # VPN subnets are contained in 10.10.x.x / 255.255.0.0
       # port range forwarded through the router is 4900-4982 
 
       # first make sure the TAP module is loaded
       kldload if_tap 

       # now ensure IP forwarding is enabled
       /sbin/sysctl -w net.inet.ip.forwarding=1

       # Now, make sure there are enough tun* / tap* devices in /dev
       cd /dev
       /bin/sh MAKEDEV tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9

       # Finally, open up for business.
       # A tunnel numbered [x] is configured as follows:
       # device tap[x], port (4900 + [x]), network 10.10.(10 + [x]).0/30
       # Client machine is always .2, server is always .1

       # note - ping-restart on server end with disconnected clients
       # seems to be the problem resulting in exhausted mbufs.  Trying
       # ping-restart on client end only and hoping for the best.

       # 0. Server side - dynamic VPN
       /usr/local/sbin/openvpn \
       --dev tap0 --port 4900 --ifconfig 10.10.10.1 255.255.255.252 \
       --tun-mtu 1500 --tun-mtu-extra 32 --mssfix 1450 --key-method 2 \
       --secret /usr/local/etc/openvpn.key --ping 1 &

#        # 1a. Client side - persistent VPN
#        /usr/local/sbin/openvpn \
#                --dev tap1 \
#                --remote ip_or_hostname.to.connect.to \
#                --secret /usr/local/etc/openvpn.key \
#                --key-method 2 \
#                --port 4901 \
#                --ifconfig 10.10.11.2 255.255.255.252 \
#                --route 192.168.1.0 255.255.255.0 10.10.11.1 \
#                --tun-mtu 1500 --tun-mtu-extra 32 \
#                --fragment 1300 --mssfix \
#                --persist-tun --persist-key --resolv-retry 86400 \
#                --ping 10 --ping-restart 15 \
#                --verb 4 --mute 10 &

       # 1b. Server side - persistent VPN
       /usr/local/sbin/openvpn \
               --dev tap1 \
               --secret /usr/local/etc/openvpn.key \
               --key-method 2 \
               --port 4901 \
               --ifconfig 10.10.11.1 255.255.255.252 \
               --route 192.168.1.0 255.255.255.0 10.10.11.2 \
               --tun-mtu 1500 --tun-mtu-extra 32 \
               --fragment 1300 --mssfix \
               --persist-tun --persist-key --resolv-retry 86400 \
               --ping 10 --ping-restart 15 \
               --verb 4 --mute 10 &


       # end section
       ;;

stop)
       killall openvpn
       ;;
*)
       echo "Usage: `basename $0` {start|stop}" >&2
       ;;
esac

exit 0

Don't forget to chmod 755 /usr/local/etc/rc.d/openvpn.sh to make sure you can execute it.

What you've got there is a setup (which can be started up or stopped like any other rc.d script - /usr/local/etc/rc.d/openvpn.sh start or stop) which provides for two tunnels - one coming from a Windows machine, probably a laptop or something (labeled "dynamic VPN"; more on that in a minute) and one (labeled "persistent VPN") from another BSD or other *nix machine.

All we'll do on the other *nix box is copy over the openvpn.key we created on this machine, copy over this same script, and then:

  • comment out the # 1b. Server side - persistent VPN section
  • uncomment the # 1a. Client side - persistent VPN section
  • fire it up.

Once the scripts have been started on both machines (obviously you'll need a routeable IP address for at least the machine on the "server" side), presto, you've got a tunnel!
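The tunnel numbering convention from the script's comments, written out as shell helpers; this is an added example, not the wiki's own code. It derives the argument list for tunnel [x] in either role and refuses to launch when the static key is readable by anyone but its owner. The helper names, the 0..82 tunnel limit (from the forwarded port range 4900-4982) and the hostname vpn.example.net are assumptions.

```shell
#!/bin/sh
# Added example: helpers implementing the tunnel-numbering convention from
# the rc.d script above (constructed here; not the wiki's own code).
# Tunnel [x]: device tap[x], UDP port 4900+[x], network 10.10.(10+[x]).0/30,
# server always .1, client always .2, one static shared key for all tunnels.

KEYFILE=${KEYFILE:-/usr/local/etc/openvpn.key}   # key path used by the article
MAX_TUNNEL=82   # router forwards 4900-4982, so x is limited to 0..82 (assumption)

# key_is_private FILE: true only if FILE has no group/other permission bits,
# i.e. the "chmod 400" step was actually done. Tries BSD stat, then GNU stat.
key_is_private() {
    mode=$(stat -f '%Lp' "$1" 2>/dev/null) || mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# tunnel_args X ROLE [REMOTE]: print the openvpn arguments for tunnel X.
# ROLE is "server" (listens, gets .1) or "client" (needs REMOTE, gets .2).
tunnel_args() {
    x=$1; role=$2; remote=$3
    case "$x" in
        ''|*[!0-9]*) echo "tunnel number must be numeric" >&2; return 1 ;;
    esac
    [ "$x" -le "$MAX_TUNNEL" ] || { echo "tunnel $x outside forwarded port range" >&2; return 1; }
    port=$((4900 + x)); net=$((10 + x))
    case "$role" in
        server) local_ip="10.10.$net.1" ;;
        client) [ -n "$remote" ] || { echo "client needs a remote" >&2; return 1; }
                local_ip="10.10.$net.2" ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    printf '%s' "--dev tap$x --port $port --ifconfig $local_ip 255.255.255.252 --key-method 2 --secret $KEYFILE"
    [ "$role" = client ] && printf ' --remote %s' "$remote"
    printf '\n'
}

# start_tunnel X ROLE [REMOTE]: refuse to start if the shared key is readable
# by anyone but its owner, otherwise launch openvpn in the background.
start_tunnel() {
    key_is_private "$KEYFILE" || { echo "refusing: $KEYFILE is not mode 400" >&2; return 1; }
    /usr/local/sbin/openvpn $(tunnel_args "$@") &
}
```

Swapping tap for tun in the printed arguments is the only change needed if you prefer routed tunnels.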

Obviously this article is unfinished, but work beckons. More later.

http://freshmeat.net/projects/webmin-openvpnadmin/ is a Webmin module for controlling OpenVPN (and CA-related tunnels), if you're not all CLI-hardcore like Jimbo.