OpenVPN how-to including OpenVPNGui client for Windows XP

This how-to is for installing and configuring OpenVPN on a Gentoo server acting as a firewall/router. I'll also discuss configuring an OpenVPN client on Windows XP. Here is a brief description of what OpenVPN is from their site:

OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls.

My current network setup is the following:

Internal Private Network: 10.0.0.0/24
VPN Network: 10.1.0.0/24
DMZ Network: 172.16.0.0/24 (Wifi network)
WAN Network: 192.168.0.0/30 (small network between DSL modem and Gentoo Firewall)
DNS Servers are the DNS servers from my ISP

I wanted to install OpenVPN for two basic reasons. The first reason is to provide secure access to my network from my access point. I currently have my wireless AP in a DMZ network, allowing guests to get on a network to surf while still keeping my internal private network protected. With OpenVPN, I can associate with the AP and then VPN into my private network. The second reason is to have VPN access from anywhere when I'm on the road.

OpenVPN will create a tun/tap interface, so this will need to be enabled in the kernel.

Device Drivers -> Network Device Support
[*] Universal TUN/TAP device driver support

If you added this remember to recompile the kernel and reboot before moving on.

After emerging openvpn (emerge -v openvpn), edit the configuration file (/etc/openvpn/openvpn.conf) and add the following values.
vi openvpn.conf

port 1000
dev tap
tls-server
cd /etc/openvpn/
ca /etc/openvpn/ca.crt
cert /etc/openvpn/gateway.crt
key /etc/openvpn/gateway.key
dh /etc/openvpn/dh2048.pem
tls-auth ta.key 0
mode server
duplicate-cn
ifconfig 10.1.0.1 255.255.255.0 # openvpn gateway
ifconfig-pool 10.1.0.2 10.1.0.11 255.255.255.0 # ip range for openvpn client
push "dhcp-option DNS xxx.xxx.xxx.xxx" # add your DNS servers (either local DNS or ISP provided DNS)
push "dhcp-option DNS xxx.xxx.xxx.xxx" # add your DNS servers (either local DNS or ISP provided DNS)
push "route-gateway 10.1.0.1" # push default gateway
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 10.0.0.0 255.255.255.0 10.1.0.1" # add route to the protected network
push "route 10.1.0.0 255.255.255.0 10.1.0.1"
comp-lzo
status openvpn-status.log
verb 4

The first thing I wanted to point out is the 'port' variable. I set it to 1000, which is not the default; you can set it to any value you'd like. Next, we'll need to create keys for the server and client. I'll start with the ta.key first. You can create this in /etc/openvpn/:

cd /etc/openvpn/
openvpn --genkey --secret ta.key

Next, we'll move on to RSA keys. You can edit the /usr/share/openvpn/easy-rsa/vars file with your certificate info (i.e. State, Country, etc.). I also set the key length to 2048 instead of 1024. Once the keys are made, copy them to /etc/openvpn/.

cd /usr/share/openvpn/easy-rsa
vi vars
source ./vars
./clean-all
./build-dh
cp keys/dh2048.pem /etc/openvpn/.
./clean-all
./build-req gateway
cp keys/gateway.* /etc/openvpn/.

This example is signing keys with a local certificate authority.

./build-ca
./build-req laptop
./sign-req laptop
cp keys/laptop.* /etc/openvpn/.
./sign-req gateway
./sign-req laptop
cp keys/gateway.crt /etc/openvpn/.
cp keys/laptop.crt /etc/openvpn/.
cp keys/ca.key /etc/openvpn/.
cp keys/ca.crt /etc/openvpn/.
cd /etc/openvpn/

It's a good habit to verify your certs before moving on.

openssl verify -CAfile ca.crt -purpose sslclient gateway.crt
openssl verify -CAfile ca.crt -purpose sslclient laptop.crt

UPDATE UPDATE UPDATE 12/23/2011
So I needed to get this working on a new box last night, and had all sorts of trouble relating to keys. Doing some research (mainly here: http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html), here is the new procedure:

cd /etc/openvpn/
openvpn --genkey --secret ta.key
cd /usr/share/openvpn/easy-rsa
vi vars
source ./vars
./clean-all
./build-dh
./build-ca
./build-req client
./sign-req client
./build-key-server server
cd keys/
cp server.* /etc/openvpn/.
cp client.* /etc/openvpn/.
cp dh2048.pem /etc/openvpn/.
cp ca.* /etc/openvpn/.
cd /etc/openvpn/
openssl verify -CAfile ca.crt -purpose sslclient client.crt
openssl verify -CAfile ca.crt -purpose sslserver server.crt
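
As an added example (not part of the original how-to), here is a reusable check for an OpenVPN key directory. It builds a throwaway CA, server and client certificate with plain openssl in a temp directory (standing in for the easy-rsa output; all names are constructed), then applies the same "openssl verify -purpose" test as above and adds a key/certificate match that easy-rsa does not do for you.

```shell
# Constructed mini-PKI in a temp dir, not /etc/openvpn (added example).
PKI=$(mktemp -d)
Q="-nodes -newkey rsa:2048"

# Self-signed CA; basicConstraints is set explicitly so the check does not
# depend on whatever the local openssl.cnf puts into a "req -x509" cert.
openssl req -new $Q -keyout "$PKI/ca.key" -out "$PKI/ca.csr" -subj /CN=vpn-ca 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$PKI/ca.ext"
openssl x509 -req -in "$PKI/ca.csr" -signkey "$PKI/ca.key" -days 1 \
  -extfile "$PKI/ca.ext" -out "$PKI/ca.crt" 2>/dev/null

# issue NAME EKU: mirrors build-key-server (serverAuth) versus
# build-req + sign-req (clientAuth) from the updated procedure.
issue() {
  openssl req -new $Q -keyout "$PKI/$1.key" -out "$PKI/$1.csr" -subj "/CN=$1" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$2" > "$PKI/$1.ext"
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" \
    -CAcreateserial -days 1 -extfile "$PKI/$1.ext" -out "$PKI/$1.crt" 2>/dev/null
}
issue server serverAuth
issue client clientAuth

# check_purpose CA PURPOSE CERT -> 0 when CERT chains to CA and is allowed
# for PURPOSE (sslserver or sslclient), non-zero otherwise. A server cert
# made with build-key-server fails the sslclient purpose, and vice versa.
check_purpose() {
  openssl verify -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1
}

# key_matches_cert KEY CERT -> 0 when the private key's public half is the
# one inside the certificate (catches a .crt copied next to the wrong .key).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# The same checks as in the how-to, run over the constructed directory.
check_purpose "$PKI/ca.crt" sslserver "$PKI/server.crt" && echo "server.crt ok for sslserver"
check_purpose "$PKI/ca.crt" sslclient "$PKI/client.crt" && echo "client.crt ok for sslclient"
key_matches_cert "$PKI/server.key" "$PKI/server.crt" && echo "server.key matches server.crt"
```

Point the two functions at /etc/openvpn/ to run the same checks on the real files before copying anything to a client.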

So the files that need to be on the client will be:

client.csr
client.key
ca.crt
ta.key

Let's start the service and add it to the default runlevel.

/etc/init.d/openvpn start
rc-update add openvpn default

Next we'll need to configure iptables to forward VPN traffic. This shows just the iptables commands relevant to the VPN; you'll need to have a working iptables ruleset first. Also, you need to make sure you have forwarding enabled in your /etc/sysctl.conf (net.ipv4.ip_forward = 1).

IPT=/sbin/iptables
LANIFACE=eth0
VPNIFACE=tap0
VPN=10.1.0.0/24
$IPT -A INPUT -i $VPNIFACE -j ACCEPT
$IPT -A FORWARD -i $VPNIFACE -j ACCEPT
$IPT -t nat -A POSTROUTING -s $VPN -o $LANIFACE -j MASQUERADE

If everything is started and running, we'll move on to the VPN client. OpenVPN provides clients for Linux as well as Windows. I thought I'd first try the Windows client. There are multiple Windows OpenVPN clients, and the config and key handling below should be okay with all of them, but this focuses on the OpenVPNGui client that can be found here.

After installing the program, edit the client config:

C:\Program Files\OpenVPN\config\client.ovpn

And add the following:

port 1000
dev tap
remote xxx.xxx.xxx.xxx # your static IP of VPN server
tls-client
ca keys/ca.crt
cert keys/laptop.crt
key keys/laptop.key
tls-auth keys/ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
float
ping 10
ping-restart 60
comp-lzo
verb 4

Next create a folder called keys in the same location:

C:\Program Files\OpenVPN\config\keys

You'll need to get a few of the keys you created on the OpenVPN server (/etc/openvpn/) into this folder. I would recommend SCP'ing the files. Here is the list of keys you'll need to bring over:

ca.crt
laptop.crt
laptop.key
ta.key

After this is done, look in the task tray and right-click the OpenVPN icon. Look for Client and select 'Connect'. A window will show all debug information for the VPN connection. If all goes well, you'll get through the process, and a TUN interface will be available with the IP 10.1.0.2 (ipconfig /all). At this point start testing the VPN by pinging internal devices on the private network. If problems occur, look at /var/log/messages on the OpenVPN server, as well as its own log file /var/log/openvpn-status.log. One common problem is incorrect routes pushed to the client, or an iptables misconfiguration on the firewall.
Good Luck!!!