The Crucial Blog - Archive

September 1, 2008

Installing and Configuring OpenVPN on a Xen VPS or Dedicated Server

This document describes how to set up OpenVPN between a Xen VPS or a dedicated server and remote Windows clients.

What is a VPN?

VPN stands for virtual private network. It allows you to connect securely to a private network over the internet and work as if you were part of that network. OpenVPN is based on a client/server architecture and works on almost all platforms, including FreeBSD, Linux, Windows and Mac OS X. It allows you to work from home as if you were in the office. Virtual private networks help distant colleagues work together, much like desktop sharing.

Installing OpenVPN on the VPS/Server

OpenVPN requires the LZO real-time compression library, so install it first if it is not already present.

There are three ways to install OpenVPN:

a) Using YUM

yum install openvpn -y

b) Installation via rpm

First download and install lzo.

wget ftp://ftp.pbone.net/mirror/centos.karan.org/el5/extras/testing/SRPMS/lzo-2.02-3.el5.kb.src.rpm

rpm -ivh lzo-2.02-3.el5.kb.src.rpm

Then download and install openvpn.

wget ftp://ftp.pbone.net/mirror/centos.karan.org/el5/extras/testing/SRPMS/openvpn-2.1-0.20.rc4.el5.kb.src.rpm

rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.src.rpm

Note that both of these are source RPMs (.src.rpm): rpm -ivh only unpacks their sources and spec file into the rpmbuild tree. To get installable binary packages, rebuild them first with rpmbuild --rebuild and then install the resulting .rpm files from the RPMS directory.

c) Installation via source

Installing lzo

cd /usr/local/
wget http://www.oberhumer.com/opensource/lzo/download/LZO-v1/lzo-1.08.tar.gz
tar -xzvf lzo-1.08.tar.gz
cd lzo-1.08
./configure --prefix=/usr
make -j4
make install

Now install OpenVPN

cd /usr/local/
wget http://openvpn.net/release/openvpn-2.1_rc7.tar.gz
tar -xzvf openvpn-2.1_rc7.tar.gz
cd openvpn-2.1_rc7
./configure --prefix=/usr
make -j4
make install

You can choose any of the installation methods above. Yum installation is the easiest, while installing from source gives you more control over the build. Once the installation (using yum or rpm) is complete, the easy-rsa key-management scripts can be found at /usr/share/doc/openvpn-2.1/easy-rsa.

Copy this folder to the /etc/openvpn directory.

mkdir /etc/openvpn
cp -R /usr/share/doc/openvpn-2.1/easy-rsa /etc/openvpn

The scripts in this folder need to be executable.

cd /etc/openvpn/easy-rsa/2.0
chmod 777 *

Only the execute bit is actually required here; chmod u+x * is sufficient and avoids leaving the scripts world-writable, which 777 does.

Create Keys on the VPS/Server

There are two ways to authenticate the server and the clients to each other. The first is to generate a single shared key file and distribute it to the server and all clients. While this is easy, the key is a single point of compromise and we won't be dealing with it here.

The other method is to use a public key infrastructure (PKI). In this method there are three certificates:

1) Master (CA) certificate & key, which is placed on the server
2) Server certificate & key, which is placed on the server
3) Client certificate & key, which is placed on the client

We will generate the master certificate below. The server will only accept connections from clients whose certificates are signed by the master certificate authority. The server and client certificates and keys are used to establish the encrypted communication channel.

Generate the master Certificate Authority (CA) certificate & key

The scripts in the easy-rsa folder are used for generating keys. The keys will be placed in /etc/openvpn/keys. This folder will not be present by default, so we first need to create it manually.

mkdir /etc/openvpn/keys

In order to generate the master certificate, we first need to edit the vars configuration file.

cd /etc/openvpn/easy-rsa/2.0
vi vars

Edit the following values to suit your requirements. I am giving test details here. Do not leave any of these fields blank, as the certificates will be generated from these values. Once modified, save and quit the file.

export KEY_DIR="/etc/openvpn/keys"
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="test@test.com"

Now, we will start creating the cert and key.

. ./vars
./clean-all   # This deletes all existing files in the key folder

./build-ca    # Build the CA. You can just hit Enter at each prompt until you reach the Common Name field; all other fields are populated by default from the entries you gave in the vars file.

-bash-3.1# ./build-ca
Generating a 1024 bit RSA private key
...........................++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]: server.ca
Email Address [test@test.com]:

It is important that you give a unique Common Name for this parameter. Here I have given the name server.ca; it is good practice to follow the format hostname.ca. Now that the master certificate has been generated, we proceed to generate the server certificate.

Generate certificate & key for server

./build-key-server server

As with the master certificate, almost all parameters are taken by default from the vars file. The only detail you need to provide is again the Common Name; here I have given it as server. You can then keep hitting Enter until you reach the 'Sign the certificate?' prompt. Type 'y' and hit Enter. Next it will ask '1 out of 1 certificate requests certified, commit?'. Again type 'y' and hit Enter. A sample server certificate generation is shown below.

=========================================
-bash-3.1# ./build-key-server server
Generating a 1024 bit RSA private key
......++++++
...........................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:server
Email Address [test@test.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
commonName            :PRINTABLE:'serve.key'
emailAddress          :IA5STRING:'test@test.com'
Certificate is to be certified until Jul  1 04:00:18 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

====================================

Generate certificate & key for client

Now we proceed to create the certificate and key for the client. It is exactly the same process as above; make sure that here too you give a unique Common Name. You can create as many client certificates as there are clients for the server.

./build-key client1

Here I am generating the certificate for the client named client1. Give the Common Name and proceed as you did for the server certificate. A sample certificate generation is pasted below.

=============================

-bash-3.1# ./build-key client1
Generating a 1024 bit RSA private key
..............++++++
..........................................................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:client1
Email Address [test@test.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
commonName            :PRINTABLE:'dkp1'
emailAddress          :IA5STRING:'test@test.com'
Certificate is to be certified until Jul  1 04:02:10 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database Updated

==========================
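To make the trust relationships of the three-certificate setup above concrete, here is an added example (not part of the original post and not easy-rsa's own code) that rebuilds the same PKI with plain openssl commands in a throwaway directory and then checks it the way the server and client do: a client certificate signed by the master CA verifies, a certificate signed by some other CA does not, and a client certificate cannot pass as a server certificate. The names server.ca, server and client1 follow the tutorial; rogue.ca and intruder are constructed for the negative checks. easy-rsa's build-key-server marks the certificate as a server certificate, which is what the client-side ns-cert-type server line checks; this example models the same idea with the extendedKeyUsage extension.

```shell
#!/bin/sh
# Added example: the tutorial's CA / server / client PKI rebuilt with openssl
# and verified. Names server.ca, server, client1 are the tutorial's;
# rogue.ca, intruder and the work directory are constructed for the demo.
set -eu

# issue_cert NAME EKU CANAME: new key + CSR for NAME, signed by CANAME.{key,crt}.
# EKU is serverAuth or clientAuth, restricting what the cert may be used for.
issue_cert() {
    name="$1"; eku="$2"; ca="$3"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$name.ext"
    openssl x509 -req -days 3650 -in "$name.csr" -CA "$ca.crt" -CAkey "$ca.key" \
        -CAcreateserial -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# make_ca NAME: self-signed root carrying the CA extensions verification needs.
make_ca() {
    name="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$name.ext"
    openssl x509 -req -days 3650 -in "$name.csr" -signkey "$name.key" \
        -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# build_pki DIR: 1) master CA, 2) server cert, 3) client cert, plus an untrusted
# second CA and a client cert it signed, to show what the server must reject.
build_pki() {
    mkdir -p "$1"
    ( cd "$1" \
      && make_ca server.ca \
      && issue_cert server serverAuth server.ca \
      && issue_cert client1 clientAuth server.ca \
      && make_ca rogue.ca \
      && issue_cert intruder clientAuth rogue.ca )
}

# chain_ok DIR CERT [PURPOSE]: prints "yes" if DIR/CERT chains to the master CA
# (DIR/server.ca.crt, the tutorial's ca.crt), optionally also requiring an
# OpenSSL purpose such as sslserver or sslclient; prints "no" otherwise.
chain_ok() {
    dir="$1"; cert="$2"; purpose="${3:-}"
    if [ -n "$purpose" ]; then set -- -purpose "$purpose"; else set --; fi
    if openssl verify "$@" -CAfile "$dir/server.ca.crt" "$dir/$cert" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone run (sh this_script.sh --demo): build the PKI and print the checks.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    build_pki "$work"
    echo "client1 signed by our CA:        $(chain_ok "$work" client1.crt)"
    echo "server cert usable as a server:  $(chain_ok "$work" server.crt sslserver)"
    echo "client1 cert usable as a server: $(chain_ok "$work" client1.crt sslserver)"
    echo "cert signed by a foreign CA:     $(chain_ok "$work" intruder.crt)"
fi
```

The third check is the one that matters for the client configuration later in the tutorial: without a server-only marking on the server certificate (and a client that checks it), any holder of a valid client certificate could present it as the server.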

Generate Diffie Hellman parameters

Next we proceed to generate the Diffie-Hellman parameters. Diffie-Hellman (D-H) is a public key algorithm that lets two parties derive a shared secret key over an untrusted channel; the parameters themselves are public.

The script for generating the D-H parameters is ./build-dh

========================

-bash-3.1# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................................+..........++*++*++*

=========================
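What the generated parameters are for, shown as an added example (not from the original post): both sides start from the same public D-H parameter file, each creates a private/public pair from it, and each combines its own private key with the other side's public value. The two results are identical although the secret itself never crosses the wire. The party names server and client1 are the tutorial's; the work directory is constructed. It uses openssl dhparam -dsaparam purely so the demo finishes quickly; the real server should keep the safe-prime output of build-dh.

```shell
#!/bin/sh
# Added example: a Diffie-Hellman exchange with openssl, using a parameter
# file like the dh1024.pem that build-dh produces. Party names are the
# tutorial's; the directory and bit size are supplied by the caller.
set -eu

# make_dh_params DIR BITS: the public parameters (prime and generator).
# -dsaparam is a shortcut for demo speed only; build-dh generates a safe prime.
make_dh_params() {
    openssl dhparam -dsaparam -out "$1/dh.pem" "$2" 2>/dev/null
}

# dh_keypair DIR NAME: private key plus the public value NAME sends to its peer.
dh_keypair() {
    openssl genpkey -paramfile "$1/dh.pem" -out "$1/$2.key" 2>/dev/null
    openssl pkey -in "$1/$2.key" -pubout -out "$1/$2.pub" 2>/dev/null
}

# dh_derive DIR ME PEER: my private key + peer's public value -> shared secret (hex).
dh_derive() {
    openssl pkeyutl -derive -inkey "$1/$2.key" -peerkey "$1/$3.pub" 2>/dev/null \
        | od -An -tx1 | tr -d ' \n'
}

# dh_shared_secret_matches DIR BITS: run the whole exchange between "server" and
# "client1"; prints "yes" if both sides computed the same non-empty secret.
dh_shared_secret_matches() {
    make_dh_params "$1" "$2"
    dh_keypair "$1" server
    dh_keypair "$1" client1
    s=$(dh_derive "$1" server client1)
    c=$(dh_derive "$1" client1 server)
    if [ -n "$s" ] && [ "$s" = "$c" ]; then echo yes; else echo no; fi
}

# Stand-alone run (sh this_script.sh --demo): exchange in a temp dir.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    echo "shared secret agrees: $(dh_shared_secret_matches "$work" 1024)"
fi
```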

Configuring the OpenVPN client
--------------------------------
Upload ca.crt, client1.crt and client1.key to the client machine.

Now that the certificates and keys for both sides have been generated, we proceed to editing the configuration files, which is the most important part.

Creating configuration files for server and clients
—————————————————-
Server configuration file
————————–
Sample configuration files are available in /usr/share/doc/openvpn-2.1/sample-config-files. server.conf is the server configuration file; copy it to /etc/openvpn and modify it as needed.

cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf  /etc/openvpn

A sample configuration file is given below. The lines you need to edit are the ones explained with a # comment to the right.

=========================

port 1194
proto tcp
dev tun
ca keys/ca.crt              # path to the ca.crt file
cert keys/server.crt        # path to the server certificate
key keys/server.key         # path to the server key file
dh keys/dh1024.pem          # path to the generated D-H parameters
mode server                 # implements multi-client server capability
tls-server
tls-cipher DHE-RSA-AES256-SHA
server 192.168.1.0 255.255.255.0  # the private network address for the VPN and its netmask
client-config-dir ccd
#########
######### Put your Public DNS Servers here
#########
#push "dhcp-option DNS 210.80.150.4"
#push "dhcp-option DNS 202.155.174.4"
push "route 192.168.1.0 255.255.255.0"   # The OpenVPN server can push routes, DNS server IP addresses and other configuration details to the clients.

ifconfig-pool-persist ipp.txt
push "redirect-gateway"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3

========================

Once the configuration is done, create the file ipp.txt. This is the file named by ifconfig-pool-persist: OpenVPN records in it which VPN IP address it handed to each client Common Name, so a client gets the same address when it reconnects.

cd /etc/openvpn
touch ipp.txt

A sample ipp.txt file is as follows.

-bash-3.1# cat ipp.txt
test1.com.client,192.168.1.4

Next, touch a file for the logs.

touch server-tcp.log

Starting the server

Once the server configuration is in place, start the OpenVPN server.

/etc/rc.d/init.d/openvpn start

Configuration at Client Side
—————————-
For client side configuration on a Windows machine, first download the OpenVPN client from http://openvpn.se/download.html. Once the client is installed, you need to copy a few files from /etc/openvpn/keys/ on the server to the client machine.

The files to be copied to the client machine are:

ca.crt
client1.csr
client1.key
client1.crt

client1.csr is only the signing request that the CA already processed; the client does not use it, so it can be left out. client1.key is this client's private key and should exist only on the server where it was generated and on this one client.

Put these files in the folder C:\Program Files\OpenVPN\config.

Now you need to edit the client config file (client.ovpn). A sample configuration file looks like the following. Two things differ from a naive copy of the server file: dev must be tun to match the server's dev tun, and push is a server-only directive (the server already pushes redirect-gateway to the client), so it must not appear in the client file.
===================================================================
client

dev tun
proto tcp

#Change my.publicdomain.com to your public domain or IP address
remote 122.252.12.43 1194
resolv-retry infinite
nobind
persist-key
persist-tun
#tls-client
#tls-cipher DHE-RSA-AES256-SHA
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
===================================================================

Set the remote line to the public IP address of your server (remote 122.252.12.43 1194 in the sample), where 1194 is the port OpenVPN listens on. The ns-cert-type server line makes the client accept only a certificate that was built with build-key-server, so another client's certificate cannot be used to impersonate the server.

Then start OpenVPN GUI from the Start menu. This places an OpenVPN icon in the task bar; right-click it and select Connect to connect to the server.

Thanks Sanil for this very detailed tutorial!


Filed under: Uncategorized by — aaron @ 1:19 am


August 28, 2008

Swap memory not coming on in Xen VPS

Sometimes swap memory is not detected when a VPS starts. This can be fixed by doing the following.

After logging into the VDS, check the entries in /etc/fstab. If the swap entry is there, run "swapon -a" and then "mount -a".

If the swap entry is not present in /etc/fstab, add it first.
==================
/dev/sda2 swap swap defaults 0 0
==================

After that, apply the above commands.


Filed under: Uncategorized by — aaron @ 8:54 pm


August 27, 2008

Xen: Dom0 and DomU can ping, but no other network connectivity - checksum problems

This appears to be a long-standing bug in Xen which has not yet been fixed; it has shown up on a few of our servers recently, but not all. Basically, once Xen is installed on Dom0 you are able to ping it, but any other network services, such as SSH, do not work. From what I have read this is due to checksums being computed in numerous places, and there seems to be a bug somewhere in that process which results in the checksums not matching and the packets being dropped. The solution is to run the following:

ethtool -K eth0 tx off

The same issue arises in the DomUs (guests), and the same fix can be used. It's probably a good idea to place this command in /etc/rc.local on Redhat/CentOS/Fedora systems.


Filed under: Uncategorized by — aaron @ 11:20 pm
