How To Set Up a Site-to-Site VPN with OpenVPN

Brandon Teska
March 19, 2008
Installing OpenVPN

First, we need OpenVPN. Grab the latest stable release from here and compile it on both the server-side OpenVPN machine and the client-side OpenVPN machine. Download, unpack, configure, compile and install OpenVPN with the following:

    ~ $ wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
    ~ $ tar xvzf openvpn-2.0.9.tar.gz
    ~ $ cd openvpn-2.0.9
    ~/openvpn-2.0.9 $ ./configure
    ~/openvpn-2.0.9 $ make
    ~/openvpn-2.0.9 $ su -c 'make install'

- OpenVPN requires OpenSSL, which is included in most Linux distros. If you don't have it, you'll need to install it first.
- OpenVPN also requires the TUN kernel module. This is usually compiled as a module on most vanilla kernels but didn't want to autoload for me. You can manually load it using modprobe tun.
- I used the latest stable release: 2.0.9

Public Key Infrastructure Review

Like WPA-Enterprise, OpenVPN relies on a Public Key Infrastructure (PKI). Remember all the trouble we had to go through to get a PKI set up for FreeRADIUS? Turns out that the folks behind OpenVPN found setting up a PKI a bit cumbersome too and wrote a few wrapper scripts, called easy-rsa, that make it simple to get your own PKI up and running. This process is explained well in OpenVPN's documentation, so I'll just give a brief overview here.

Change into the easy-rsa directory under the unpacked OpenVPN directory (~/openvpn-2.0.9/easy-rsa) and edit the vars file to suit your needs. I usually increase the key size to 2048 bits (line 40):

    export KEY_SIZE=2048

Then change the key fields on lines 45-49 to suit your application:

    export KEY_COUNTRY=US
    export KEY_PROVINCE=NY
    export KEY_CITY="New York"
    export KEY_ORG="SmallNetBuilder"
    export KEY_EMAIL="brandon@smallnetbuilder.com"

Next, source the vars file so that its settings are exported into the current shell:

    ~/openvpn-2.0.9/easy-rsa $ . ./vars

Finally, initialize the work environment and build the Certificate Authority (CA):

    ~/openvpn-2.0.9/easy-rsa $ ./clean-all
    ~/openvpn-2.0.9/easy-rsa $ ./build-ca

OpenSSL will ask for values for the fields we defined in the vars file; just hit enter to accept the defaults. When you get to the Common Name field, enter whatever you want for the CA (I use the very creative name, "CA").

    Common Name (eg, your name or your server's hostname) []:CA

Next, build the server's key (in the command below, server will be the key's filename):

    ~/openvpn-2.0.9/easy-rsa $ ./build-key-server server

Enter a meaningful Common Name, sign the key and commit it to the database. Similarly, build the client key:

    ~/openvpn-2.0.9/easy-rsa $ ./build-key remote_office
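A check worth running once the CA, server and client keys are built, given here as an added example (it is not part of the original article or of easy-rsa): it confirms that each certificate verifies against the new CA and carries a key of at least the KEY_SIZE set in vars. It assumes easy-rsa wrote its output to its default key directory as ca.crt, server.crt and remote_office.crt; the function names and MIN_BITS are made up for this example.

```shell
#!/bin/sh
# Added example: sanity-check the certificates that easy-rsa issued.
# Assumptions (not stated in the article): easy-rsa wrote its output to its
# default key directory as ca.crt, server.crt and remote_office.crt.

MIN_BITS=${MIN_BITS:-2048}   # should match KEY_SIZE in the vars file

# Print the public key size, in bits, of a PEM certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if CERT chains to CA_CERT and its key has at least MIN_BITS.
check_cert() {   # usage: check_cert CA_CERT CERT
    ca=$1 cert=$2
    # Match the "OK" line instead of trusting the exit status alone.
    if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL $cert: does not verify against $ca" >&2
        return 1
    fi
    bits=$(cert_bits "$cert")
    if [ "${bits:-0}" -lt "$MIN_BITS" ]; then
        echo "FAIL $cert: ${bits:-unknown}-bit key, expected at least $MIN_BITS" >&2
        return 1
    fi
    echo "OK   $cert: $bits-bit key, verifies against the CA"
}

# Check the CA, server and client certificates built in the steps above.
check_pki() {   # usage: check_pki KEY_DIR
    dir=$1 rc=0
    for name in ca server remote_office; do
        check_cert "$dir/ca.crt" "$dir/$name.crt" || rc=1
    done
    return $rc
}

# Run against a key directory when one is given on the command line.
if [ -n "${1:-}" ]; then check_pki "$1"; fi
```

Saved as a script, it takes the key directory as its only argument and exits non-zero if any certificate fails either check.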