Tuesday 1 November 2011

How to set up a VPN server on Ubuntu

A good way to set up a secure VPN between two machines (for example an Ubuntu 11.10 server and a Windows 7 client) is to use OpenVPN.

Let's open a terminal on Ubuntu and install OpenVPN:

-------------------------------------------------------------------------------------------------
sudo apt-get install openvpn
-------------------------------------------------------------------------------------------------

Now we'll create the certificate authority (CA), whose job is to sign, and thereby vouch for, every certificate used on the VPN.

Stay root for the rest of the setup :) with

-------------------------------------------------------------------------------------------------
sudo -s
-------------------------------------------------------------------------------------------------

Go to

-------------------------------------------------------------------------------------------------
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
-------------------------------------------------------------------------------------------------


and edit the "vars" file with

-------------------------------------------------------------------------------------------------
nano vars
-------------------------------------------------------------------------------------------------

Find the lines below in the file, replace the values after the "=" with your own parameters, and save it.

-------------------------------------------------------------------------------------------------
export KEY_COUNTRY=FR
export KEY_PROVINCE=IDF
export KEY_CITY=paris
export KEY_ORG=tutosinfo
export KEY_EMAIL=polux@xxx.com
-------------------------------------------------------------------------------------------------

After this, load those settings into the current shell (the easy-rsa scripts read them from the environment) with

-------------------------------------------------------------------------------------------------
. ./vars
-------------------------------------------------------------------------------------------------

and wipe any old certificates (this empties the keys/ directory, so only run it when starting from scratch):

-------------------------------------------------------------------------------------------------
./clean-all
-------------------------------------------------------------------------------------------------

Now we create the certificate authority itself, i.e. its certificate (carrying the public key) and its private key:

-------------------------------------------------------------------------------------------------
./build-ca
-------------------------------------------------------------------------------------------------

ca.crt and ca.key have now been created in the keys/ subfolder of "/usr/share/doc/openvpn/examples/easy-rsa/2.0/".

Next we create the server's private key and certificate with

-------------------------------------------------------------------------------------------------
./build-key-server "servername"
-------------------------------------------------------------------------------------------------

Type "y" at each confirmation prompt.

Two more files have been created: servername.crt and servername.key.


The process is the same for each client:

-------------------------------------------------------------------------------------------------
./build-key client1
-------------------------------------------------------------------------------------------------

and so on for every further client.

Now generate the Diffie-Hellman parameters with

-------------------------------------------------------------------------------------------------
./build-dh
-------------------------------------------------------------------------------------------------

Let's copy the keys and certificates to /etc/openvpn/ (use the name you passed to build-key-server in place of "server"; the server.conf further down must reference exactly these file names):

-------------------------------------------------------------------------------------------------
cp keys/dh*.pem keys/ca.crt keys/server.crt keys/server.key /etc/openvpn/
-------------------------------------------------------------------------------------------------

and go to

-------------------------------------------------------------------------------------------------
cd /usr/share/doc/openvpn/examples/sample-config-files/
-------------------------------------------------------------------------------------------------

where we have to unzip "server.conf.gz":

-------------------------------------------------------------------------------------------------
gunzip server.conf.gz
-------------------------------------------------------------------------------------------------

We'll copy it to "/etc/openvpn/" too:

-------------------------------------------------------------------------------------------------
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
-------------------------------------------------------------------------------------------------

Edit the file:

-------------------------------------------------------------------------------------------------
nano /etc/openvpn/server.conf
-------------------------------------------------------------------------------------------------

Here is a very basic configuration that works:

-------------------------------------------------------------------------------------------------

# Which TCP/UDP port should OpenVPN listen on?

# open up this port on your firewall.
port 1194

# TCP or UDP server?
proto tcp
#proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
#dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/ca.crt
cert /etc/openvpn/ubuntu.crt
key /etc/openvpn/ubuntu.key # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/dh1024.pem

# Configure server mode and supply a VPN subnet for OpenVPN
# to draw client addresses from; the server takes the first
# address itself. Replace the x's with your own network
# parameters: a private subnet not already in use on either side.
server x.x.x.x 255.x.x.x


# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120


# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
#;cipher BF-CBC # Blowfish (default)
cipher AES-128-CBC # AES
#cipher DES-EDE3-CBC # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 2

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 5

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20



-------------------------------------------------------------------------------------------------
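Before restarting, a quick check of the finished config saves a puzzling failure later. The script below is an added example, not part of the original post: it walks server.conf and reports certificate/key files that are referenced but were never copied (the cp above copies server.crt while the config names ubuntu.crt), the untouched x.x.x.x placeholder, log and log-append both enabled, and a private key readable by other users. It assumes the directive names used in the config above and that Ubuntu's init script starts OpenVPN from /etc/openvpn, so relative file names resolve there.

```bash
#!/bin/bash
# Sanity check for a finished server.conf, run before restarting the daemon.
# It catches the slips this walkthrough makes easy: "cert"/"key" naming files
# that were never copied to /etc/openvpn/, the "server x.x.x.x" placeholder
# left in place, "log" and "log-append" both enabled, and a private key
# readable by other users.
# Usage: check_openvpn_conf /etc/openvpn/server.conf   (exit status = problem count)
# First argument of an uncommented directive; "#..." and ";..." lines never match.
conf_value() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }
# Succeeds when the directive appears uncommented at least once.
conf_has() { awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"; }

check_openvpn_conf() {
    local conf="$1" dir d path problems=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    dir=$(dirname "$conf")

    for d in ca cert key dh; do
        path=$(conf_value "$conf" "$d")
        if [ -z "$path" ]; then
            echo "missing directive: $d"; problems=$((problems + 1)); continue
        fi
        # Relative names resolve against the config's directory, which is where
        # Ubuntu's init script starts the daemon (assumption: /etc/openvpn).
        case "$path" in /*) ;; *) path="$dir/$path" ;; esac
        if [ ! -f "$path" ]; then
            echo "$d refers to $path, which does not exist"; problems=$((problems + 1))
        elif [ "$d" = key ]; then
            # Columns 5-10 of "ls -l" are the group/other permission bits.
            case "$(ls -ld "$path" | cut -c5-10)" in
                *[rw]*) echo "$path is readable by group/others (chmod 600 it)"
                        problems=$((problems + 1)) ;;
            esac
        fi
    done

    # The walkthrough leaves "server x.x.x.x 255.x.x.x" for the reader to fill in.
    case "$(conf_value "$conf" server)" in
        *x*) echo "server directive still holds the x.x.x.x placeholder"
             problems=$((problems + 1)) ;;
    esac

    # OpenVPN's own comment says to use one or the other, never both.
    if conf_has "$conf" log && conf_has "$conf" log-append; then
        echo "both log and log-append are set; keep only one"; problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "$conf: no problems found"
    return "$problems"
}
```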

Let's restart the OpenVPN daemon:

-------------------------------------------------------------------------------------------------
/etc/init.d/openvpn restart
-------------------------------------------------------------------------------------------------



You can download OpenVPN clients here: http://openvpn.net/index.php/open-source/downloads.html

You just have to copy the client1 files (client1.crt and client1.key) together with ca.crt from the server to the client, into C:\Program Files\OpenVPN\config, along with a client config whose cipher and comp-lzo settings match the server's (the comments in server.conf above say so). Move client1.key over an authenticated channel such as scp, never by plain e-mail.

Launch the OpenVPN client connection, and remember that TCP port 1194 must be open on the server's firewall; that is usually what is wrong when the connection never comes up ;)
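The client side needs a matching config next to those files. The one below is an added example, not from the original post, mirroring the server settings above; your.server.example.com is a placeholder for the server's public address, and client1.crt/client1.key are the files produced by ./build-key client1.

```conf
# client1.ovpn - save in C:\Program Files\OpenVPN\config next to ca.crt,
# client1.crt and client1.key (added example, not from the original post)
client
dev tun
proto tcp              # must match "proto tcp" on the server
remote your.server.example.com 1194   # placeholder: the server's public address and port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# Accept only a certificate produced by build-key-server, so that another
# client's certificate cannot be presented as the VPN server's.
ns-cert-type server
cipher AES-128-CBC     # same cipher as the server
comp-lzo               # compression must be enabled on both ends
verb 3
```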
