March 11, 2008
This document describes the process of setting up an OpenVPN server on x86 hardware running OpenBSD 4.2.
Keep in mind that this document does not cover hardening the system. That process is outlined in other documents by me or others. This machine needs to be well protected. It will be in a very vulnerable position, facing that filthy and scary Internet.
Also, you will need root access to do most of these tasks.
During installation of the OS, when selecting the installation sets stick with the defaults, but remove the game42.tgz set (neither it nor X will be needed). If you are using an SMP (multi-processor) system, be sure to get the bsd.mp kernel and replace the stock bsd kernel after installing the OS. Just copy /bsd.mp over /bsd.
Now we need to fetch and install the ports tree to simplify certain installations later:
# cd /usr
# cvs -qd anoncvs@anoncvs.nyc.openbsd.org:/cvs get -r OPENBSD_4_2 -P ports
And now the latest OpenBSD 4.2 ports tree is on your system and ready to use.
Now we need to set up the tun0 VPN interface:
# echo "up" > /etc/hostname.tun0
# sh /etc/netstart (or reboot)
We will install OpenVPN from the ports tree:
# cd /usr/ports/net/openvpn
# make install
That's it for the software!
Sure, you can give cash to a company to issue your certificates instead, but chances are it isn't worth it. If you are creating a large scale implementation, investigate your options.
OpenSSL is used for this purpose, and comes standard with OpenBSD. You want to do this work in a secure directory, one that only root can access. Perform the following:
# cd /etc
# mkdir openvpn
# chmod 750 openvpn
# cd openvpn
# mkdir ca && cd ca
# openssl genrsa -aes256 -out ca.key 2048
(remove -aes256 if you do not want to use a password)
# openssl req -new -key ca.key -out ca.csr
# openssl req -new -x509 -key ca.key -out ca.crt -days 1000
(the second command self-signs the CA certificate directly from ca.key, so ca.csr is not consumed by anything here; it is harmless to keep)
Now create a counter for the certificates we will sign. ca.srl is the serial-number file that the "openssl x509 -req -CA ca.crt" commands below read and increment; index.txt is the database used by "openssl ca", so it can stay empty:
# echo 01 > ca.srl
# touch index.txt
Generate Server Key and Certificate Signing Request (CSR)
Now we create the server's private key and a certificate signing request (the .csr file) asking that it be signed by a Certificate Authority (yourself):
# openssl genrsa -aes256 -out server.key 2048
# openssl req -new -key server.key -out server.csr
Sign the CSR with the CA
# openssl x509 -req -days 1000 -in server.csr -CA ca.crt -CAkey ca.key -out server.crt
Generate Keys, Create and Sign User Certificates
Do the following for each user (or endpoint) of the VPN server:
# openssl genrsa -aes256 -out randy.key 2048
# openssl req -new -key randy.key -out randy.csr
# openssl x509 -req -days 1000 -in randy.csr -CA ca.crt -CAkey ca.key -out randy.crt
OpenVPN uses Diffie-Hellman key exchange to negotiate the session keys. We need to generate a set of DH parameters for this in a file called dh1024.pem (the name used by the command and the server.conf below). This file only needs to exist on the OpenVPN server. We will also create the tls-auth key, which both the server and client(s) will need.
# cd /etc/openvpn
# openssl dhparam -out dh1024.pem 1024
# openvpn --genkey --secret ta.key
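The CA, server and client steps above, collected into one script as an added example (not from the original how-to). It goes one step beyond the commands above: the CA certificate is self-signed from the ca.csr with an explicit CA profile, and server and client certificates are signed with extension profiles, so a server certificate carries extendedKeyUsage serverAuth and a client certificate clientAuth. Certificates produced by a bare "openssl x509 -req" carry no such extension, so nothing in the certificate distinguishes a client from the server; with the profiles, "openssl verify -purpose" (and OpenVPN's remote-cert-tls directive on the client side) rejects a client certificate that is presented as a server. Keys are generated unencrypted so the script runs unattended (add -aes256 to genrsa for password-protected keys as in the how-to); the directory, CA name, ext.cnf file name and function names are assumptions, and the slow dhparam step is left to the command above.

```shell
#!/bin/sh
# Added example, not from the original how-to: the CA / server / client
# procedure as a script, signing with explicit extension profiles. Directory,
# CA name, ext.cnf and the function names are assumptions.
set -eu

# write_ext_profiles DIR : extension sections used when signing.
write_ext_profiles() {
  cat > "$1/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# make_ca DIR CN : CA key, CSR, self-signed CA certificate (using the [ca]
# profile) and the serial counter the signing commands read and increment.
make_ca() {
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -batch -new -key "$1/ca.key" -out "$1/ca.csr" -subj "/CN=$2"
  openssl x509 -req -days 1000 -in "$1/ca.csr" -signkey "$1/ca.key" \
    -extfile "$1/ext.cnf" -extensions ca -out "$1/ca.crt" 2>/dev/null
  echo 01 > "$1/ca.srl"
}

# issue_cert DIR NAME PROFILE : key, CSR and CA-signed certificate for NAME,
# using the [server] or [client] section of ext.cnf named by PROFILE.
issue_cert() {
  d=$1; n=$2; p=$3
  openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
  openssl req -batch -new -key "$d/$n.key" -out "$d/$n.csr" -subj "/CN=$n"
  openssl x509 -req -days 1000 -in "$d/$n.csr" \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAserial "$d/ca.srl" \
    -extfile "$d/ext.cnf" -extensions "$p" -out "$d/$n.crt" 2>/dev/null
}

# verify_role DIR NAME PURPOSE : succeed only if NAME.crt chains to ca.crt and
# its extensions permit PURPOSE (sslserver or sslclient).
verify_role() {
  openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# build_pki DIR : the whole procedure, one server and one client ("randy").
build_pki() {
  write_ext_profiles "$1"
  make_ca "$1" "Example VPN CA"
  issue_cert "$1" server server
  issue_cert "$1" randy client
}
```

Run it as "build_pki /etc/openvpn/ca" from a root shell, then "verify_role /etc/openvpn/ca randy sslserver" should fail while "verify_role /etc/openvpn/ca server sslserver" succeeds; that failing check is exactly what the serverAuth extension buys you.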
As for the server and client configurations, I will show you an example of how I did mine. Your needs will likely differ, so review the OpenVPN project's own how-to for more detail on this process.
This is my server.conf file, which is placed in the /etc/openvpn directory:
port 1194
proto udp
dev tun0
ca /etc/openvpn/ca/ca.crt
cert /etc/openvpn/ca/server.crt
key /etc/openvpn/ca/server.key
dh /etc/openvpn/dh1024.pem
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
# absolute path like the other files: a bare "ta.key" is resolved against the
# daemon's working directory, not /etc/openvpn
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
comp-lzo
max-clients 8
status /etc/openvpn/vpn-status.log
verb 4
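A pre-start check for a server.conf like the one above, added here as an example and not part of the original how-to. It walks the path directives (ca, cert, key, dh, tls-auth), resolves a relative path against the config file's directory (OpenVPN itself resolves relative paths against its working directory, which is why absolute paths are the safer choice), confirms each referenced file exists, and refuses a key or tls-auth file that group or other can read. The sample config and placeholder files it builds are constructed; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original how-to: check a server.conf before
# starting OpenVPN. File layout and function names are assumptions.
set -eu

# conf_path CONF DIRECTIVE : print the path argument of DIRECTIVE. A relative
# path is resolved against CONF's directory; nothing is printed if DIRECTIVE
# is absent.
conf_path() {
  p=$(awk -v d="$2" '$1 == d { print $2; exit }' "$1")
  [ -n "$p" ] || return 0
  case $p in
    /*) printf '%s\n' "$p" ;;
    *)  printf '%s/%s\n' "$(dirname "$1")" "$p" ;;
  esac
}

# is_private FILE : succeed only when group and other have no permission bits,
# read from the mode column of ls -l (characters 5-10 are group/other rwx).
is_private() {
  perm=$(ls -ld "$1" | cut -c5-10)
  case $perm in
    *[rwx]*) return 1 ;;
    *)       return 0 ;;
  esac
}

# check_openvpn_conf CONF : report every missing file and every secret that is
# readable by group/other; return 0 only if nothing was reported.
check_openvpn_conf() {
  rc=0
  for directive in ca cert key dh tls-auth; do
    f=$(conf_path "$1" "$directive")
    if [ -z "$f" ]; then
      echo "$directive: directive not set"; rc=1; continue
    fi
    if [ ! -f "$f" ]; then
      echo "$directive: $f does not exist"; rc=1; continue
    fi
    case $directive in
      key|tls-auth)
        is_private "$f" || { echo "$directive: $f is readable by group/other"; rc=1; }
        ;;
    esac
  done
  return $rc
}

# make_sample DIR : construct a server.conf in the how-to's layout together
# with placeholder files (not real key material). server.key is made private;
# ta.key is deliberately left 0644 so the check has something to flag.
make_sample() {
  mkdir -p "$1/ca"
  for f in ca/ca.crt ca/server.crt ca/server.key dh1024.pem ta.key; do
    echo "placeholder, not real key material" > "$1/$f"
  done
  chmod 600 "$1/ca/server.key"
  chmod 644 "$1/ta.key"
  cat > "$1/server.conf" <<EOF
port 1194
proto udp
dev tun0
ca $1/ca/ca.crt
cert $1/ca/server.crt
key $1/ca/server.key
dh $1/dh1024.pem
tls-auth ta.key 0
EOF
}
```

On the real box, "check_openvpn_conf /etc/openvpn/server.conf" run as root before starting the daemon catches the two mistakes that otherwise only show up at start-up or, worse, never: a path typo, and a key or ta.key that was copied around with a permissive umask.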