OpenVPN is an open source VPN daemon by James Yonan. The web site is at openvpn.net
OpenVPN can be used in point-to-point or client/server configurations.
VPN uses UDP port 1194
For purposes of the examples, the two machines will be called may.kg and june.kg. If you are constructing a VPN over the internet, then replace may.kg and june.kg with the internet hostname or IP address that each machine will use to contact the other over the internet.
Choosing the tunnel endpoints: Tunnel endpoints are private IP addresses that only have meaning in the context of the VPN. Each machine will use the tunnel endpoint of the other machine to access it over the VPN. In the examples, the tunnel endpoint for may.kg will be 10.4.0.1 and for june.kg, 10.4.0.2.
Once the VPN is established, a secure alternate path exists between the two hosts which is addressed by using the tunnel endpoints. You can control which network traffic passes between the hosts (a) over the VPN or (b) independently of the VPN, by choosing whether to use (a) the VPN endpoint address or (b) the public internet address, to access the remote host. For example if you are on may.kg and you wish to connect to june.kg via ssh without using the VPN (since ssh has its own built-in security) you would use the command ssh june.kg. However in the same scenario, you could also use the command telnet 10.4.0.2 to create a telnet session with june.kg over the VPN, that would use the VPN to secure the session rather than ssh.
You can use any address you wish for the tunnel endpoints but make sure that they are private addresses (such as those that begin with 10 or 192.168) and that they are not part of any existing subnet on the networks of either peer, unless you are bridging. If you use an address that is part of your local subnet for either of the tunnel endpoints, you will get a weird feedback loop.
sudo aptitude install -y openvpn
On may:
openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9
On june:
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9
Now verify the tunnel is working by pinging across the tunnel.
On may:
ping 10.4.0.2
On june:
ping 10.4.0.1
The --verb 9 option will produce verbose output, similar to the tcpdump(8) program. Omit the --verb 9 option to have OpenVPN run quietly.
Port forwarding must be used if traversing NAT routers in a point-to-point configuration
First build a static key on may.
openvpn --genkey --secret key
This command will build a random key file in the current directory called key (in ascii format). Now copy key to june over a secure medium such as by using the scp(1) program.
On may:
openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key
On june:
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key
The --remote parameter restricts which remote hosts can connect. Multiple --remote parameters may be used either on the command line or in the /etc/openvpn/xxx.conf files.
Now verify the tunnel is working by pinging across the tunnel.
On may:
ping 10.4.0.2
On june:
ping 10.4.0.1
Assuming you can ping across the tunnel, the next step is to route a real subnet over the secure tunnel. Suppose that may and june have two network interfaces each, one connected to the internet, and the other to a private network. Our goal is to securely connect both private networks. assume that may's private subnet is 10.0.0.0/24 and june's is 10.0.1.0/24.
First, ensure that IP forwarding is enabled on both peers.
enable routing:
echo 1 > /proc/sys/net/ipv4/ip_forward
and enable TUN packet forwarding through the firewall:
iptables -A FORWARD -i tun+ -j ACCEPT
On may:
route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
On june:
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
Now any machine on the 10.0.0.0/24 subnet can access any machine on the 10.0.1.0/24 subnet over the secure tunnel (or vice versa).
In a production environment, you could put the route command(s) in a shell script and execute with the --up option.
When OpenVPN is started by /etc/init.d/openvpn a separate OpenVPN daemon will be started for each .conf configuration file in the /etc/openvpn directory. This allows you to define multiple VPN connections.
|
This site best viewed with a browser |
| Warning: This is a Debian centric site | |
| Many thanks to Debra and Ian Murdock for making Debian possible | |
| First created Apr 22, 2008 ~ Last revised November 29, 2009 |
