Secure Communications with OpenVPN on Ubuntu 12.04 (Precise) and Debian 7
Deprecated: This guide has been deprecated and is no longer being maintained.
OpenVPN, or Open Virtual Private Network, is a tool for creating networking tunnels between and among groups of computers that are not on the same local network. This is useful if you want to remotely access services on a local network without making them publicly accessible. By integrating with OpenSSL, OpenVPN can encrypt all VPN traffic to provide a secure connection between machines.
Before installing OpenVPN, we assume that you have followed our Setting Up and Securing a Compute Instance guide. If you’re new to Linux server administration you may be interested in our Introduction to Linux Concepts Guide, Beginner’s Guide and Administration Basics Guide. If you’re concerned about securing your Linode, you might be interested in our Security Basics article as well.
How OpenVPN Works
Once configured, the OpenVPN server encrypts traffic between your local computer and your Linode’s local network. While all other traffic is handled in the conventional manner, the VPN allows traffic on non-public interfaces to be securely passed through your Linode. This means you can connect to the local area network in your Linode’s data center. Using OpenVPN in this manner is supported by the default configuration.
With the additional configuration we will set up at the end of this guide, all traffic coming from your local computer can be tunneled through the VPN server. This can be used to circumvent local traffic restrictions, or to mask the traffic coming from your computer.
Installing OpenVPN
Follow these instructions to install OpenVPN:
1. Update your package repositories with the following command:
    apt-get update
2. Update your installed programs:
    apt-get upgrade
3. Install the OpenVPN software with the following command:
    apt-get install openvpn
4. The OpenVPN package provides a set of encryption-related tools called easy-rsa. In order for OpenVPN to function properly, these scripts should be located in the /etc/openvpn/ directory. Put them there with the following command:
    cd /etc/openvpn/ && make-cadir easy-rsa
Most of the relevant configuration for the OpenVPN public key infrastructure is contained in /etc/openvpn/easy-rsa/. We will create several files in this directory used to define the OpenVPN server and client security.
Initializing the Public Key Infrastructure (PKI)
In this section, you will initialize the certificate authority and the public key infrastructure:
1. Move into the /etc/openvpn/easy-rsa/ directory:
    cd /etc/openvpn/easy-rsa/
2. Create a symbolic link from openssl-1.0.0.cnf to openssl.cnf:
    ln -s openssl-1.0.0.cnf openssl.cnf
3. Source the vars script:
    source ./vars
   This will return:
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
4. Execute the clean-all script:
    ./clean-all
5. Execute the build-ca script. At each prompt, fill out the information to be used in your certificate:
    ./build-ca
After doing this, your PKI should be configured properly.
Generating Certificates and Private Keys
With the certificate authority generated, you can generate the private key for the server and certificates for all the VPN clients.
1. Create the key with the following command:
    ./build-key-server server
2. You will be prompted for additional information. Change the default values as necessary. By default, the Common Name for this key will be server. The challenge password and company names are optional and can be left blank.
3. When you’ve completed the question section, confirm the signing of the certificate and the certificate requests certified by answering yes to these questions.
4. With the private keys generated, create certificates for all of your VPN clients. Issue the following command:
    ./build-key client1
   Note: Anyone with access to client1.key will be able to access your VPN. To better protect against this scenario, you can issue ./build-key-pass client1 instead to build a client key which is encrypted with a passphrase.
5. Repeat the previous step for each client, replacing client1 with an appropriate identifier.
You should generate a unique key for every user of the VPN. Each key should have its own unique identifier, but all other information can remain the same. If you need to add users to your OpenVPN at any time, repeat step 4 to create additional keys.
Generating Diffie Hellman Parameters
The Diffie Hellman Parameters govern the method of key exchange used by the OpenVPN server. By creating a .pem file, you create the parameters by which the OpenVPN server will initiate secured connections with the clients.
Issue the following command to generate the .pem file:
    ./build-dh
This should produce the following output:
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
This will be followed by a quantity of seemingly random output. Once it brings you back to a command prompt, the task has succeeded. A file called dh1024.pem has been created in the keys subdirectory; it will be used to establish secure connections with the VPN server’s clients.
Relocating Secure Keys
Move all of the secure keys to their proper locations by following these instructions:
1. The /etc/openvpn/easy-rsa/keys/ directory contains all of the keys and certificates for the server and its clients generated using the easy-rsa tools. Copy the following certificate and key files to the remote client machines, using scp or another means of transferring:
    ca.crt
    client1.crt
    client1.key
   Note: Transfer these keys with the utmost attention to security. Anyone who has the key or is able to intercept an unencrypted copy of the key will be able to gain full access to your virtual private network. Typically we recommend that you encrypt the keys for transfer, either by using a protocol like SSH, or by encrypting them with the PGP tool.
2. On your server, change to the /etc/openvpn/easy-rsa/keys directory:
    cd /etc/openvpn/easy-rsa/keys
3. Copy the keys to the /etc/openvpn directory of the server so the OpenVPN server process can access them:
    cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
Keeping control of these files is of the utmost importance to the integrity of your server. If you ever need to move or back up these keys, ensure that they’re encrypted and secured. If these files become compromised, they must be recreated along with all client keys.
Revoking Client Certificates
If you need to remove a user’s access to the VPN server, follow these instructions:
1. Run the vars script. Note that for this script to function properly your working (current) directory must be /etc/openvpn/easy-rsa/:
    source ./vars
2. Run the revoke-full script, substituting client1 with the name of the certificate you want to revoke:
    ./revoke-full client1
This will revoke the ability of all users using the client1 certificate to access the VPN. Make sure you don’t accidentally revoke access for someone who still needs it, and who uses that certificate.
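revoke-full writes the revocation list to keys/crl.pem, but the OpenVPN server only consults a CRL when server.conf names it with a crl-verify directive. The shell function below, added here and not part of the original guide, installs the CRL into /etc/openvpn and adds that directive once; the function name, its arguments and the use of an absolute path in the directive are this example's own choices.

```shell
#!/bin/sh
# Put a freshly generated CRL into service.
# revoke-full (easy-rsa 2) writes keys/crl.pem, but OpenVPN ignores it until
# server.conf contains "crl-verify <file>", so both steps are needed before a
# revoked client is actually refused.
# Usage: deploy_crl [easy-rsa-dir] [openvpn-dir]   (defaults follow the guide)
deploy_crl() {
    rsa=${1:-/etc/openvpn/easy-rsa}; ovpn=${2:-/etc/openvpn}
    crl=$rsa/keys/crl.pem
    [ -r "$crl" ] || { echo "no CRL at $crl; run ./revoke-full first" >&2; return 1; }
    # Sanity check: the file must at least look like a PEM-encoded CRL.
    grep -q -- '-----BEGIN X509 CRL-----' "$crl" \
        || { echo "$crl is not a PEM CRL" >&2; return 1; }
    # OpenVPN drops privileges after start-up (user/group in the sample
    # server.conf), so the CRL must remain readable by that unprivileged user.
    cp "$crl" "$ovpn/crl.pem" && chmod 644 "$ovpn/crl.pem"
    # Add the directive only once; later runs just refresh the file.
    # After the directive is first added, restart OpenVPN so it is read.
    grep -q '^crl-verify ' "$ovpn/server.conf" \
        || echo "crl-verify $ovpn/crl.pem" >> "$ovpn/server.conf"
}
```

Run it after every revoke-full, e.g. deploy_crl && service openvpn restart the first time and deploy_crl alone afterwards.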
Configuring Server and Client Settings
In this section, you’ll create two important configuration files. One is for the server and defines the scope and settings for the VPN. The other is for your local computer, and defines the settings you will pass on to your VPN client. For each client connecting to the VPN you will need to generate a separate configuration file.
1. Configure your server file. There’s an example file in /usr/share/doc/openvpn/examples/sample-config-files which you’ll use as a starting point. First, extract and copy the file to the /etc/openvpn/ directory:
    gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
2. Copy the client.conf file to your home directory:
    cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/
3. Move to your home directory:
    cd ~
4. Open your ~/client.conf file for editing, and update the remote line to reflect the OpenVPN server’s name:
    nano ~/client.conf
   - File: ~/client.conf
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote example.com 1194
5. In the same file, client.conf, edit the cert and key lines to reflect the name of your key. In this example we use client1 for the file name.
   - File: ~/client.conf
    # SSL/TLS parms.
    # See the server config file for more
    # description. It's best to use
    # a separate .crt/.key file pair
    # for each client. A single ca
    # file can be used for all clients.
    ca ca.crt
    cert client1.crt
    key client1.key
6. Copy the ~/client.conf file to your client system.
7. Repeat the entire key generation and distribution process for every user and every key that will connect to your network.
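As an added example that is not part of the original guide, the shell function below builds one client profile from the easy-rsa output, with ca.crt, the client certificate and the client key embedded inline (the <ca>, <cert> and <key> blocks OpenVPN has supported since 2.1), so a single file is transferred instead of four. It assumes the tun device, UDP port 1194 and comp-lzo from the sample server.conf; the function name and its arguments are this example's own.

```shell
#!/bin/sh
# Build a single-file OpenVPN client profile for one client.
# Usage: make_client_conf <client-name> <server-host> <keys-dir> <out-file>
# Example: make_client_conf client1 vpn.example.com /etc/openvpn/easy-rsa/keys client1.conf
make_client_conf() {
    name=$1; server=$2; keys=$3; out=$4
    # Refuse to write a broken profile if any of the three files is missing.
    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    # Keep only the PEM block; easy-rsa prepends a text dump to each .crt.
    pem() { sed -n '/-----BEGIN/,/-----END/p' "$1"; }
    umask 077   # the profile contains a private key: owner-readable only
    {
        echo "client"
        echo "dev tun"
        echo "proto udp"
        echo "remote $server 1194"      # the line the guide has you edit
        echo "resolv-retry infinite"
        echo "nobind"
        echo "persist-key"
        echo "persist-tun"
        echo "remote-cert-tls server"   # refuse a peer presenting a client cert
        echo "comp-lzo"
        echo "verb 3"
        echo "<ca>";   pem "$keys/ca.crt";      echo "</ca>"
        echo "<cert>"; pem "$keys/$name.crt";   echo "</cert>"
        echo "<key>";  pem "$keys/$name.key";   echo "</key>"
    } > "$out"
}
```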
To start the OpenVPN server, run the following command:
    service openvpn start
This will scan the /etc/openvpn directory on the server for files with a .conf extension. For every file that it finds, it will create and run a VPN daemon (server).
Installing Client-Side Software
The process for connecting to the VPN varies depending on the specific operating system and distribution running on the client machine. You will need to install the right OpenVPN package for your client operating system.
Most network management tools provide some facility for managing connections to a VPN. Configure connections to your OpenVPN through the same interface where you might configure wireless or Ethernet connections. If you choose to install and manage OpenVPN manually, you will need to place the client1.conf file and the requisite certificate files in the local machine’s /etc/openvpn directory, or equivalent location.
If you use OS X on a Mac, we have found that the Tunnelblick tool provides an easy method for managing OpenVPN connections. If you use Windows, the OpenVPN GUI tool may be an effective tool for managing your connections too. Linux desktop users can install the OpenVPN package and use the network management tools that come with the desktop environment.
Here we will go through installing Tunnelblick on OS X:
Download the latest version of Tunnelblick from its website. After opening the dmg file you can drag it into Applications or open it immediately and it will copy itself.
After starting, you will see this splash screen:
At the next screen click the I have configuration files button.
At the next screen, click OpenVPN Configuration(s):
Tunnelblick will open a Finder window into which you can copy the client.conf file and the ca.crt, client1.crt, and client1.key files you created on the Linode and copied to this client machine. Follow the rest of the instructions shown in Tunnelblick to create and install your Tunnelblick configuration file.
Connecting to the VPN
If you are using Tunnelblick, click on the tray icon to initiate the connection:
A notification will show you the status as it connects:
Accessing your Linode over the VPN
Once you’re connected to your VPN, you can SSH to another Linode over the private network. If you want to access files directly from your Linode, you will need to install a compatible network file sharing protocol, like Samba, NFS, or Appletalk.
Tunneling All Connections through the VPN
By deploying the following configuration, you will be able to forward all traffic from client machines through your Linode, and encrypt it with transport layer security (TLS/SSL) between the client machine and the Linode.
1. Uncomment the following parameter by removing the semicolon in the /etc/openvpn/server.conf file to enable full tunneling:
    nano /etc/openvpn/server.conf
   - File: /etc/openvpn/server.conf
    push "redirect-gateway def1 bypass-dhcp"
2. Edit the /etc/sysctl.conf file to uncomment or add the following line to ensure that your system can forward IPv4 traffic:
    nano /etc/sysctl.conf
   - File: /etc/sysctl.conf
    net.ipv4.ip_forward=1
3. Issue the following command to set this variable for the current session:
    echo 1 > /proc/sys/net/ipv4/ip_forward
4. Issue the following set of commands, one line at a time, to configure iptables to properly forward traffic through the VPN:
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A INPUT -i tap+ -j ACCEPT
    iptables -A FORWARD -i tap+ -j ACCEPT
5. Add the same iptables rules to your system’s /etc/rc.local file, so they will be recreated following your next reboot cycle:
    nano /etc/rc.local
   - File: /etc/rc.local
    #!/bin/sh -e
    #
    # [...]
    #
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    iptables -A FORWARD -j REJECT
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A INPUT -i tap+ -j ACCEPT
    iptables -A FORWARD -i tap+ -j ACCEPT
    exit 0
This will enable all client traffic except for DNS queries to be forwarded through the VPN.
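An added example, not the guide's own code, showing how to apply the forwarding rules above from rc.local without stacking a duplicate copy each time it runs: every rule is checked with iptables -C (available since iptables 1.4.11, so on both Ubuntu 12.04 and Debian 7) before it is appended. The function names, the IPTABLES variable and the dry-run hook are this example's own; the subnet and interface default to the guide's 10.8.0.0/24 and eth0.

```shell
#!/bin/sh
# Apply the VPN forwarding rules idempotently. Safe to run on every boot
# and by hand. IPTABLES may be pointed at a wrapper for dry runs.
IPTABLES=${IPTABLES:-iptables}

# ensure_rule <table> <chain> <rule...>: append only if not already present.
ensure_rule() {
    table=$1; shift
    $IPTABLES -t "$table" -C "$@" 2>/dev/null || $IPTABLES -t "$table" -A "$@"
}

# apply_vpn_rules [vpn-subnet] [public-interface]
apply_vpn_rules() {
    subnet=${1:-10.8.0.0/24}; uplink=${2:-eth0}
    # Replies for connections that have already been accepted.
    ensure_rule filter FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Traffic from VPN clients may be forwarded out through the Linode.
    ensure_rule filter FORWARD -s "$subnet" -j ACCEPT
    # Anything else is rejected. Order matters: rules are matched top down,
    # so this must come after the two ACCEPTs. (The guide's later
    # "FORWARD -i tun+/tap+ ACCEPT" rules sit below the REJECT and are never
    # reached; the -s $subnet rule above already covers that traffic.)
    ensure_rule filter FORWARD -j REJECT
    # Hide the VPN subnet behind the Linode's public address.
    ensure_rule nat POSTROUTING -s "$subnet" -o "$uplink" -j MASQUERADE
    # Let the server itself accept traffic arriving on the tunnel.
    ensure_rule filter INPUT -i tun+ -j ACCEPT
    ensure_rule filter INPUT -i tap+ -j ACCEPT
}
```

Call apply_vpn_rules from rc.local in place of the eight bare iptables lines; IPTABLES="echo iptables" prints what would run without touching the firewall.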
6. To forward DNS traffic through the VPN, you will need to install the dnsmasq package and modify the /etc/openvpn/server.conf file. Install and configure the dnsmasq package with the following command:
    apt-get install dnsmasq && dpkg-reconfigure resolvconf
   Note: If you are using Debian 7, replace this command with apt-get install dnsmasq resolvconf and skip steps 7 through 9.
7. You will be presented with a series of options in an ncurses menu. First, choose yes to prepare /etc/resolv.conf for dynamic updates.
8. At the next option select No. This means that you will need to update /etc/network/interfaces but won’t need to remove the workaround afterwards.
9. The third menu simply warns you that a reboot will be required to prevent a known bug.
10. Modify its configuration so that dnsmasq is not listening on a public interface. Open /etc/dnsmasq.conf for editing, and make sure the following lines are uncommented and have the appropriate values:
    nano /etc/dnsmasq.conf
   - File: /etc/dnsmasq.conf
    listen-address=10.8.0.1
    bind-interfaces
11. Now that dnsmasq is configured, you will need to add two new lines to /etc/network/interfaces. First, go to the Linode’s Networking tab, shown below. You’ll need the IP addresses listed under DNS Resolvers for the dns-nameservers line. Open the interfaces file and insert the addresses listed under DNS Resolvers:
    nano /etc/network/interfaces
   - File: /etc/network/interfaces
    # The primary network interface
    auto eth0
    iface eth0 inet dhcp
    dns-search members.linode.com
    dns-nameservers 97.107.133.4 207.192.69.4 207.192.69.5
   Note: If you’re not utilizing IPv6, you can omit the addresses starting with 2600:
12. When your system boots, dnsmasq will try to start before the OpenVPN tun device has been enabled. This will cause dnsmasq to fail at boot. To rectify this, modify your /etc/rc.local file to add a line that will restart dnsmasq after all the init scripts have finished. You should place the restart command after your iptables rules:
    nano /etc/rc.local
   - File: /etc/rc.local
    /etc/init.d/dnsmasq restart
    exit 0
13. Add the following line to the /etc/openvpn/server.conf file:
    nano /etc/openvpn/server.conf
   - File: /etc/openvpn/server.conf
    push "dhcp-option DNS 10.8.0.1"
14. Restart the Linode:
    reboot
To test your connection, connect to the VPN connection from your local machine, then access one of the many websites that will display your public IP address. If the IP address displayed doesn’t match the IP address of your Linode, your traffic is not being filtered through your Linode or encrypted by the VPN. If the IP matches, network traffic from your local machine is being filtered through your Linode and encrypted over the VPN, and you have successfully completed your OpenVPN setup!