pavement

OpenVPN

From FreeBSDwiki
(Difference between revisions)
Jump to: navigation, search
m (Reverted edits by 204.39.95.9 (Talk); changed back to last version by Jimbo)
 
(4 intermediate revisions by 4 users not shown)
Line 1: Line 1:
[http://openvpn.sourceforge.net OpenVPN] is a very useful open source, cross platform Virtual Private Networking tool.  It uses SSL encryption (dynamic or 2048-bit static shared key), can use LZO stream compression, and is blindingly fast as well as much more secure compared to typical industry standard IPSEC   DES or IPSEC   3DES solutions.  Better yet, it's so simple it can be run entirely from the command line.
+
[http://openvpn.sourceforge.net OpenVPN] is a very useful open source, cross platform Virtual Private Networking tool.  It uses SSL encryption (dynamic or 2048-bit static shared key), can use LZO stream compression, and is blindingly fast as well as much more secure compared to typical industry standard IPSEC + DES or IPSEC + 3DES solutions.  Better yet, it's so simple it can be run entirely from the command line.
  
 
==Installing==
 
==Installing==
Line 36: Line 36:
 
         # Finally, open up for business.
 
         # Finally, open up for business.
 
         # A tunnel numbered [x] is configured as follows:
 
         # A tunnel numbered [x] is configured as follows:
         # device tun[x], port (4900   [x]), network 10.10.(10   [x])
+
         # device tun[x], port (4900 + [x]), network 10.10.(10 + [x])
 
         # Client machine is always .2, server is always .1
 
         # Client machine is always .2, server is always .1
 
   
 
   
Line 47: Line 47:
 
         --dev tap0 --port 4900 --ifconfig 10.10.10.1 255.255.255.252 \
 
         --dev tap0 --port 4900 --ifconfig 10.10.10.1 255.255.255.252 \
 
         --tun-mtu 1500 --tun-mtu-extra 32 --mssfix 1450 --key-method 2 \
 
         --tun-mtu 1500 --tun-mtu-extra 32 --mssfix 1450 --key-method 2 \
         --secret /usr/local/etc/openvpn.key --ping 1
+
         --secret /usr/local/etc/openvpn.key --ping 1 &
 +
 +
#        # 1a. Client side - persistent VPN
 +
#        /usr/local/sbin/openvpn \
 +
#                --dev tap1 \
 +
#                --remote ''ip_or_hostname.to.connect.to'' \
 +
#                --secret /usr/local/etc/openvpn.key \
 +
#                --key-method 2 \
 +
#                --port 4901 \
 +
#                --ifconfig 10.10.11.2 255.255.255.252 \
 +
#                --route 192.168.1.0 255.255.255.0 10.10.11.1 \
 +
#                --tun-mtu 1500 --tun-mtu-extra 32 \
 +
#                --fragment 1300 --mssfix \
 +
#                --persist-tun --persist-key --resolv-retry 86400 \
 +
#                --ping 10 --ping-restart 15 \
 +
#                --verb 4 --mute 10 &
 +
 +
        # 1b. Server side - persistent VPN
 +
        /usr/local/sbin/openvpn \
 +
                --dev tap1 \
 +
                --secret /usr/local/etc/openvpn.key \
 +
                --key-method 2 \
 +
                --port 4901 \
 +
                --ifconfig 10.10.11.1 255.255.255.252 \
 +
                --route 192.168.1.0 255.255.255.0 10.10.11.2 \
 +
                --tun-mtu 1500 --tun-mtu-extra 32 \
 +
                --fragment 1300 --mssfix \
 +
                --persist-tun --persist-key --resolv-retry 86400 \
 +
                --ping 10 --ping-restart 15 \
 +
                --verb 4 --mute 10 &
 +
 +
 +
        # end section
 +
        ;;
 +
 +
stop)
 +
        killall openvpn
 +
        ;;
 +
*)
 +
        echo "Usage: `basename $0` {start|stop}" >&2
 +
        ;;
 +
esac
 +
 +
exit 0
 +
 
 +
Don't forget to '''chmod 755 /usr/local/etc/rc.d/openvpn.sh''' to make sure you can execute it.
 +
 
 +
What you've got there is a setup (which can be started up or stopped like any other rc.d script - '''/usr/local/etc/rc.d/openvpn.sh start''' or '''stop''') which provides for two tunnels - one coming from a Windows machine, probably a laptop or something (labeled "dynamic VPN"; more on that in a minute) and one (labeled "persistent VPN") from another BSD or other *nix machine. 
 +
 
 +
All we'll do on the other *nix box is copy over the '''openvpn.key''' we created on this machine, copy over this same script, comment out the:
 +
 
 +
* '''# 1b. Server side - persistent VPN''' section
 +
* ''un''comment the '''# 1a. Client side - persistent VPN''' side
 +
* and fire it up. 
 +
 
 +
Once the scripts have been started on both machines (obviously you'll need a routeable IP address for at least the machine on the "server" side), presto, you've got a tunnel!
 +
 
 +
Obviously this article is unfinished, but work beckons.  More later.
 +
 
 +
http://freshmeat.net/projects/webmin-openvpnadmin/ is a webmin module for controlling the openvpn (and CA-related tunnels), if you're not all CLI-hardcore like Jimbo.
 +
 
 +
[[Category:Ports and Packages]][[Category:Common Tasks]]

Latest revision as of 20:59, 1 September 2007

OpenVPN is a very useful open source, cross platform Virtual Private Networking tool. It uses SSL encryption (dynamic or 2048-bit static shared key), can use LZO stream compression, and is blindingly fast as well as much more secure compared to typical industry standard IPSEC + DES or IPSEC + 3DES solutions. Better yet, it's so simple it can be run entirely from the command line.

[edit] Installing

To build it on a FreeBSD machine, just:

cd /usr/ports/security/openvpn
make install clean

it's that easy. Actually doing anything with it will require a little more work. There are many MANY ways to do this, but this one's useful, simple, and clean.

First, generate yourself a private key file and chmod it so that only its owner can read it:

ph34r# openvpn --genkey --secret /usr/local/etc/openvpn.key
ph34r# chmod 400 /usr/local/etc/openvpn.key

[edit] Starting OpenVPN

Now you'll need a command to start it with. It can be done purely from the command line - and in fact, in one sense, that's exactly what we're going to do - but to make our lives a little easier, we'll actually use command line stuff from a shell script in /usr/local/etc/rc.d. So place this - or something similar - in your /usr/local/etc/rc.d:

#!/bin/sh

case "$1" in
start)
       # VPN subnets are contained in 10.10.x.x / 255.255.0.0
       # port range forwarded through the router is 4900-4982 
 
       # first make sure the TAP module is loaded
       kldload if_tap 

       # now ensure IP forwarding is enabled
       /sbin/sysctl -w net.inet.ip.forwarding=1

       # Now, make sure there are enough tun* / tap* devices in /dev
       cd /dev
       /bin/sh MAKEDEV tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9

       # Finally, open up for business.
       # A tunnel numbered [x] is configured as follows:
       # device tun[x], port (4900 + [x]), network 10.10.(10 + [x])
       # Client machine is always .2, server is always .1

       # note - ping-restart on server end with disconnected clients
       # seems to be the problem resulting in exhausted mbufs.  Trying
       # ping-restart on client end only and hoping for the best.

       # 0. Server side - dynamic VPN
       /usr/local/sbin/openvpn \
       --dev tap0 --port 4900 --ifconfig 10.10.10.1 255.255.255.252 \
       --tun-mtu 1500 --tun-mtu-extra 32 --mssfix 1450 --key-method 2 \
       --secret /usr/local/etc/openvpn.key --ping 1 &

#        # 1a. Client side - persistent VPN
#        /usr/local/sbin/openvpn \
#                --dev tap1 \
#                --remote ip_or_hostname.to.connect.to \
#                --secret /usr/local/etc/openvpn.key \
#                --key-method 2 \
#                --port 4901 \
#                --ifconfig 10.10.11.2 255.255.255.252 \
#                --route 192.168.1.0 255.255.255.0 10.10.11.1 \
#                --tun-mtu 1500 --tun-mtu-extra 32 \
#                --fragment 1300 --mssfix \
#                --persist-tun --persist-key --resolv-retry 86400 \
#                --ping 10 --ping-restart 15 \
#                --verb 4 --mute 10 &

       # 1b. Server side - persistent VPN
       /usr/local/sbin/openvpn \
               --dev tap1 \
               --secret /usr/local/etc/openvpn.key \
               --key-method 2 \
               --port 4901 \
               --ifconfig 10.10.11.1 255.255.255.252 \
               --route 192.168.1.0 255.255.255.0 10.10.11.2 \
               --tun-mtu 1500 --tun-mtu-extra 32 \
               --fragment 1300 --mssfix \
               --persist-tun --persist-key --resolv-retry 86400 \
               --ping 10 --ping-restart 15 \
               --verb 4 --mute 10 &


       # end section
       ;;

stop)
       killall openvpn
       ;;
*)
       echo "Usage: `basename $0` {start|stop}" >&2
       ;;
esac

exit 0

Don't forget to chmod 755 /usr/local/etc/rc.d/openvpn.sh to make sure you can execute it.

What you've got there is a setup (which can be started up or stopped like any other rc.d script - /usr/local/etc/rc.d/openvpn.sh start or stop) which provides for two tunnels - one coming from a Windows machine, probably a laptop or something (labeled "dynamic VPN"; more on that in a minute) and one (labeled "persistent VPN") from another BSD or other *nix machine.

All we'll do on the other *nix box is copy over the openvpn.key we created on this machine, copy over this same script, comment out the:

  • # 1b. Server side - persistent VPN section
  • uncomment the # 1a. Client side - persistent VPN side
  • and fire it up.

Once the scripts have been started on both machines (obviously you'll need a routeable IP address for at least the machine on the "server" side), presto, you've got a tunnel!

Obviously this article is unfinished, but work beckons. More later.

http://freshmeat.net/projects/webmin-openvpnadmin/ is a webmin module for controlling the openvpn (and CA-related tunnels), if you're not all CLI-hardcore like Jimbo.

Personal tools