Back to the sea; the virtual private network (VPN), episode IX


I use a VPN to remotely connect to my home LAN when I’m away. I’ve tried many kinds of VPN; from IPsec (point-to-point) to SSL through L2TP. I found that the easiest one to implement, when using various OS clients, was VPN/SSL. And the easiest software to be used by any OS, or at least any I use, was OpenVPN. From Windows to OSX through NetBSD, there’s an available binary. So let’s create the server on OpenBSD.

Installation

Install the binary package:

# pkg_add http://ftp.fr.openbsd.org/pub/OpenBSD/4.8/packages/amd64/openvpn-2.1.0p0.tgz
# cat << EOF > /etc/hostname.tun0
up link0
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf
EOF
# mkdir /etc/openvpn
# chown _openvpn:_openvpn /etc/openvpn
# chmod 750 /etc/openvpn
# install -o _openvpn -g _openvpn -m 0640 /usr/local/share/examples/openvpn/sample-config-files/server.conf /etc/openvpn/server.conf

Quite simple!

Configuration

Certificates

One thing that has to be noted about OpenVPN is that “Each client and the server must have their own cert and key file. The server and all clients will use the same ca file.”

I will generate a client certificate from my CA and I’ll also have to generate a server certificate. I won’t be able to use the public certificate that is used by my Web server.

The certificates have already been created and installed during the CA creation process.

OpenVPN requires a Diffie-Hellman parameters file:

# cd /etc/openvpn/
# openssl dhparam -out dh4096.pem 4096
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
................................................................................
(...)
......................................................++*++*

IP configuration

I will use a bridge so that my client appears on the same network as my internal LAN. A properly secured setup would rather put VPN clients in a dedicated network whose traffic is filtered by a firewall, but this would be too complex for my (single-user) configuration:

# cat /etc/hostname.bridge0
add em0
add tun0
up

You’ll need IP forwarding to … forward IP packets:

# vi /etc/sysctl.conf
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets

OpenVPN configuration

Modify the server configuration file:

# diff /usr/local/share/examples/openvpn/sample-config-files/server.conf /etc/openvpn/server.conf
32c32,33
< port 1194
---
> port 443
> port-share localhost 8443
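Review bot: port-share only exists for TCP, so this hunk depends on the proto change that follows. Every connection port-share does not recognise as OpenVPN is relayed to localhost:8443, so Apache will see those clients as coming from 127.0.0.1 and any IP-based access control or logging on the web server loses the real source address; binding Apache to 127.0.0.1:8443 rather than *:8443 also keeps the plain 8443 port off the network.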
35,36c36,37
< ;proto tcp
< proto udp
---
> proto tcp
> ;proto udp
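Review bot: TCP is required here by port-share, but carrying the tunnel over TCP stacks two loss-recovery mechanisms (TCP inside TCP) and degrades badly on lossy links; if sharing port 443 is not needed, the sample's proto udp is the better default.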
53a55
> dev-type tap
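Review bot: dev-type tap is consistent with the link0 flag in /etc/hostname.tun0 (Ethernet mode), but the hunk leaves the sample's plain dev tun in place, which lets OpenVPN pick the first free tun device; dev tun0 would pin it to the interface that hostname.tun0 configures and that bridge0 adds.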
78,80c80,82
< ca ca.crt
< cert server.crt
< key server.key  # This file should be kept secret
---
> ca /etc/ssl/TMFCA/cacert.pem
> cert /etc/ssl/TMFCA/certs/www.tumfatig.net.crt
> key /etc/ssl/TMFCA/private/www.tumfatig.net.key
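Review bot: the cert and key paths in this hunk are the web server's (www.tumfatig.net), yet the text above says that certificate cannot be reused for OpenVPN; double-check that this is a separate server certificate issued for the VPN. The key is opened as root before the drop to _openvpn, so keep the sample's persist-key line so that a restart on SIGUSR1 does not need to reopen it, and check that the file under private/ is not readable by other users.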
87c89
< dh dh1024.pem
---
> dh /etc/openvpn/dh4096.pem
96c98
< server 10.8.0.0 255.255.255.0
---
> ;server 10.8.0.0 255.255.255.0
103c105
< ifconfig-pool-persist ipp.txt
---
> ifconfig-pool-persist /etc/openvpn/ipp.txt
115c117
< ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
---
> server-bridge 192.168.12.144 255.255.255.0 192.168.12.200 192.168.12.202
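Review bot: the dynamic pool is 192.168.12.200-202 (three addresses), and ccd/joe below pins 192.168.12.202 with ifconfig-push; OpenVPN does not remove a ccd address from the pool, so a second client could be handed .202 dynamically. Put static ccd addresses outside the pool, and make sure the LAN's DHCP server does not lease .200-.202 either, since bridged clients share that segment.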
136c138
< ;push "route 192.168.10.0 255.255.255.0"
---
> push "route 192.168.12.0 255.255.255.0"
150c152
< ;client-config-dir ccd
---
> client-config-dir ccd
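Review bot: every other path in this file was made absolute, but client-config-dir is left as the relative ccd; the daemon is started from /etc/hostname.tun0 at boot with no cd directive, so OpenVPN resolves ccd against its working directory, not /etc/openvpn, and the ccd/joe file created below will be ignored. Use client-config-dir /etc/openvpn/ccd. The file name must equal the client certificate's common name (here joe).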
195c197
< ;push "dhcp-option DNS 208.67.222.222"
---
> push "dhcp-option DNS 192.168.12.144"
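Review bot: pushing dhcp-option DNS only takes effect on Windows clients; on Unix and OSX clients OpenVPN merely exposes the option to an up script (or plugin) and does nothing with it itself, so the NetBSD/OSX clients mentioned in the introduction need such a script to use 192.168.12.144 as resolver.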
262,263c264,265
< ;user _openvpn
< ;group _openvpn
---
> user _openvpn
> group _openvpn
275c277
< status openvpn-status.log
---
> status /etc/openvpn/openvpn-status.log
# mkdir /etc/openvpn/ccd
# cat > /etc/openvpn/ccd/joe
ifconfig-push 192.168.12.202 255.255.255.0

Don’t forget to configure Apache to listen on port 8443 rather than 443.
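As an added example (not part of the original post, and not OpenVPN's own tooling), here is a small POSIX sh pre-flight script that checks the directive combinations this configuration relies on: port-share only works with proto tcp, a tap device needs server-bridge rather than server, user/group must be present for the privilege drop, and a ccd ifconfig-push address must not fall inside the server-bridge pool. The sample server.conf and ccd/joe it writes to a temporary directory are constructed to mirror the diff above (with a placeholder certificate name instead of the site's real one); the second, weakened configuration and all file paths are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: pre-flight checks for an OpenVPN server.conf and its ccd directory.
# Constructed for this post; it is neither the post's own code nor part of OpenVPN.
# Needs only POSIX sh and awk.

# get_directive FILE NAME: print the value of the first active NAME directive.
# Lines starting with ';' or '#' are comments; a trailing "# ..." is stripped.
get_directive() {
    awk -v n="$2" '{ sub(/[ \t]*#.*$/, "") }
        $1 == n { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# in_range IP LO HI: succeed when dotted-quad IP lies within [LO, HI].
in_range() {
    awk -v ip="$1" -v lo="$2" -v hi="$3" '
        function n(a,  p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
        BEGIN { exit !(n(lo) <= n(ip) && n(ip) <= n(hi)) }'
}

# check_server_conf FILE: print one line per finding; exit 1 if there is any.
check_server_conf() {
    f="$1"; rc=0
    proto=$(get_directive "$f" proto)
    # port-share relays non-OpenVPN clients to another daemon; it exists only for TCP.
    if [ -n "$(get_directive "$f" port-share)" ] && [ "$proto" != "tcp" ]; then
        echo "port-share needs 'proto tcp' (found: ${proto:-none})"; rc=1
    fi
    # A tap device is bridged with server-bridge; an active 'server' line is routed mode.
    if [ "$(get_directive "$f" dev-type)" = "tap" ]; then
        if [ -n "$(get_directive "$f" server)" ]; then
            echo "dev-type tap together with 'server': use server-bridge instead"; rc=1
        fi
        if [ -z "$(get_directive "$f" server-bridge)" ]; then
            echo "dev-type tap without a server-bridge line"; rc=1
        fi
    fi
    # Without user/group the daemon keeps root for its whole lifetime.
    if [ -z "$(get_directive "$f" user)" ] || [ -z "$(get_directive "$f" group)" ]; then
        echo "no user/group directive: openvpn stays root after start-up"; rc=1
    fi
    return $rc
}

# check_ccd_pool FILE CCD_DIR: flag ccd ifconfig-push addresses inside the
# server-bridge dynamic pool; OpenVPN does not reserve them, so a dynamic
# client can be handed the same address.
check_ccd_pool() {
    conf="$1"; dir="$2"; rc=0
    set -- $(get_directive "$conf" server-bridge)   # gateway netmask pool-start pool-end
    [ $# -eq 4 ] || return 0
    for c in "$dir"/*; do
        [ -f "$c" ] || continue
        ip=$(awk '$1 == "ifconfig-push" { print $2; exit }' "$c")
        if [ -n "$ip" ] && in_range "$ip" "$3" "$4"; then
            echo "$(basename "$c"): static $ip lies inside the dynamic pool $3-$4"; rc=1
        fi
    done
    return $rc
}

# --- Constructed sample input mirroring the directives set in the post's diff ---
WORK=$(mktemp -d)
CONF="$WORK/server.conf"; CCD="$WORK/ccd"; mkdir "$CCD"
cat > "$CONF" <<'EOF'
port 443
port-share localhost 8443
proto tcp
;proto udp
dev tun
dev-type tap
ca /etc/ssl/TMFCA/cacert.pem
cert /etc/ssl/TMFCA/certs/vpn-server.crt        # placeholder name
key /etc/ssl/TMFCA/private/vpn-server.key       # This file should be kept secret
;server 10.8.0.0 255.255.255.0
server-bridge 192.168.12.144 255.255.255.0 192.168.12.200 192.168.12.202
client-config-dir /etc/openvpn/ccd
user _openvpn
group _openvpn
EOF
printf 'ifconfig-push 192.168.12.202 255.255.255.0\n' > "$CCD/joe"

# A weakened variant (assumed, for contrast): UDP with port-share, routed 'server'
# under a tap device, and no privilege drop.
WEAK="$WORK/weak.conf"
sed -e 's/^proto tcp/;proto tcp/' -e 's/^;proto udp/proto udp/' \
    -e 's/^;server /server /' -e 's/^user /;user /' "$CONF" > "$WEAK"

echo "== $CONF"; check_server_conf "$CONF" || true
check_ccd_pool "$CONF" "$CCD" || true
echo "== $WEAK"; check_server_conf "$WEAK" || true
```

Run it before rebooting: the post's own configuration passes check_server_conf but check_ccd_pool reports joe, because .202 is both the last pool address and the address pinned in ccd/joe; the weakened variant produces three findings. The checks deliberately parse only active directives, so a commented ;server line is treated as absent, exactly as OpenVPN does.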

Reboot

Reboot and check the console and logs to ensure everything goes OK.
That’s All Folks!