First, we need OpenVPN. Grab the latest stable release from here and compile it on both the server side OpenVPN machine and the client side OpenVPN machine. Download, unpack, configure, compile and install OpenVPN with the following:
~ $ wget http://openvpn.net/release/openvpn-2.0.9.tar.gz ~ $ tar xvzf openvpn-2.0.9.tar.gz ~ $ cd openvpn-2.0.9 ~/openvpn-2.0.9 $ ./configure ~/openvpn-2.0.9 $ make ~/openvpn-2.0.9 $ su -c 'make install'
Public Key Infrastructure Review
Like WPA-Enterprise, OpenVPN relies on a Public Key Infrastructure (PKI). Remember all the trouble we had to go through to get a PKI set up for FreeRADIUS? Turns out that the folks behind OpenVPN found setting up a PKI a bit cumbersome too and wrote a few wrapper scripts to make it incredibly simple to get your own PKI up and running.
OpenVPN's easy-rsa scripts make this a snap. This process is explained well in OpenVPN's documentation so I'll just give a brief overview here.
Change in to the easy-rsa directory under the unpacked OpenVPN directory (~/openvpn-2.0.9/easy-rsa) and edit the vars file to suit your needs. I usually increase the key size to 2048 bit (line 40):
Then change the key fields on lines 45-49 to suit your application:
export KEY_COUNTRY=US export KEY_PROVINCE=NY export KEY_CITY="New York" export KEY_ORG="SmallNetBuilder" export KEY_EMAIL="email@example.com"
Next, initialize the vars file with:
~/openvpn-2.0.9/easy-rsa $ . ./vars
Finally, initialize the work environment and build the Certificate Authority (CA):
~/openvpn-2.0.9/easy-rsa $ ./clean-all ~/openvpn-2.0.9/easy-rsa $ ./build-ca
OpenSSL will ask for values for the fields we defined in the vars file; just hit enter to accept the defaults. When you get to the Common Name field, enter whatever you want for the CA (I use the very creative name, "CA").
Common Name (eg, your name or your server's hostname) :CA
Next, build the server's key (in the command below, server will be the key's filename):
~/openvpn-2.0.9/easy-rsa $ ./build-key-server server
Enter a meaningful Common Name, sign the key and commit it to the database. Similarly, build the client key:
~/openvpn-2.0.9/easy-rsa $ ./build-key remote_office