Installing a Virtual Private Network (VPN)


Intro

In this article we will use the open-source VPN software OpenVPN. OpenVPN is a good choice: it is mature and available on a wide range of operating systems.

OpenVPN uses OpenSSL for its cryptography. OpenSSL uses key pairs for encryption: the public key can encrypt data but cannot decrypt it, and the private key, which is known only to the recipient of the message, is used to decrypt it.

On connection the client and server handshake and negotiate the cipher and compression methods they both understand and the highest level of the SSL protocol they both support. The client and server then exchange their certificates and public keys. OpenVPN then creates a virtual interface and data is tunnelled between client and server.


Installation

OpenVPN depends on some libraries that must be installed first. One is the LZO compression library, which can be obtained from www.oberhumer.com/opensource/lzo/download.

To install LZO do the following:

# tar zxvf lzo-2.02.tar.gz

# cd lzo-2.02

# ./configure

# make

# make install

The second requirement is the OpenSSL development package, called openssl-devel. The distribution CD should have the package and it can be installed as follows:

# rpm -i openssl-devel*.rpm

Alternatively the source can be downloaded from www.openssl.org/download.

Once these packages are installed OpenVPN can be installed as follows:

# tar zxvf openvpn-2.0.9.tar.gz

# cd openvpn-2.0.9

# ./configure

# make

# make install

If you are using a firewall you will need to open port 1194. This port is used by OpenVPN to tunnel all of its traffic.


Testing the Installation

We now need to test whether OpenVPN works properly and can encrypt and decrypt as required.

Firstly we need to generate a key. To do this enter the following commands:

# openvpn --genkey --secret key

# openvpn --test-crypto --secret key

There should be a lengthy output from these commands, covering packet lengths up to 1500 bytes.

We can now test connectivity by opening two terminal sessions on the server and typing the following in one of them:

# openvpn --config sample-config-files/loopback-client

It will complain at this point about its connection being refused until we type the next command in the second terminal session:

# openvpn --config sample-config-files/loopback-server

These tests may take some time, up to a couple of minutes.


Creating a Point-to-Point VPN

We can now create a basic point-to-point VPN with only one client.

We will use a server IP address of 192.168.1.1 and a client IP address of 192.168.0.2, but you can change these to suit your own network configuration.

Place the following files in the OpenVPN directory.

Firstly we need to generate a static key so that data can be encrypted:

# openvpn --genkey --secret static.key

This will create a file named static.key containing a 2048-bit key used to encrypt the data.
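Before a static key is used (the one generated here, or the test key from the previous section), it is worth checking that the file is what you expect: a key written by "openvpn --genkey --secret" is 2048 bits, stored as 16 lines of 32 hex characters between BEGIN/END marker lines, and because anyone who can read it can decrypt the tunnel it should be readable only by its owner. The script below is an added example, not part of the original article or of OpenVPN itself; check_static_key and write_sample_key are names chosen here, and the sample key the script writes when openvpn is not installed is a constructed dummy in the same layout, never a real key.

```shell
#!/bin/sh
# Added example: sanity-check an OpenVPN static key file before using it.
# check_static_key and write_sample_key are names chosen for this example.

KEY_LINES=16      # 16 lines * 32 hex chars * 4 bits per char = 2048 bits
HEX_PER_LINE=32

# check_static_key FILE -> 0 if FILE is a well-formed, owner-only static
# key, 1 otherwise (the reason is printed on stderr).
check_static_key() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$f" ||
        { echo "missing BEGIN marker" >&2; return 1; }
    grep -q '^-----END OpenVPN Static key V1-----$' "$f" ||
        { echo "missing END marker" >&2; return 1; }
    n=$(grep -cE "^[0-9a-fA-F]{$HEX_PER_LINE}\$" "$f" || true)
    [ "$n" -eq "$KEY_LINES" ] ||
        { echo "expected $KEY_LINES key lines, found $n" >&2; return 1; }
    # Characters 5-10 of the ls -l mode string are the group/other bits;
    # all six must be '-' (i.e. mode 600 or stricter).
    perms=$(ls -l "$f" | cut -c1-10)
    case "$perms" in
        ????------) ;;
        *) echo "key readable by group/other ($perms); run chmod 600" >&2
           return 1 ;;
    esac
    return 0
}

# write_sample_key FILE: writes a CONSTRUCTED dummy in the static key
# layout so the checker can be exercised without openvpn installed.
# It is not a real key and must never be used for a tunnel.
write_sample_key() {
    f=$1
    ( umask 077
      {
        echo '#'
        echo '# 2048 bit OpenVPN static key (constructed sample, not real)'
        echo '#'
        echo '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt "$KEY_LINES" ]; do
            h=$(printf '%02x' "$i")
            h=$h$h$h$h; h=$h$h$h$h       # 2 -> 8 -> 32 hex characters
            echo "$h"
            i=$((i + 1))
        done
        echo '-----END OpenVPN Static key V1-----'
      } > "$f" )
}

# make_key FILE: use the real generator when present, else the sample.
make_key() {
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey --secret "$1"
    else
        write_sample_key "$1"
    fi
}

# Usage: sh check_key.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_key "$tmp/static.key"
    check_static_key "$tmp/static.key" && echo "static.key OK"
    rm -rf "$tmp"
fi
```

Run it as "sh check_key.sh --demo", or source the file and call check_static_key /etc/openvpn/static.key on the real key. The permission test is deliberately strict: a key that is group- or world-readable fails even though OpenVPN itself would still load it.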

We now need to create a minimal configuration file for the VPN server called openvpn.conf, placed within the openvpn directory.

This file should contain the following:

dev tun

ifconfig 10.9.1.1 10.9.1.2

secret static.key

dev tun tells openvpn to use the virtual network interface tun created during the installation.

The next line sets up the local and remote ends of the tunnel and assigns an IP address to each.

The last line says to use the secret key file static.key to encrypt all communications over the tunnel.

Next copy the static.key file to /etc/openvpn on the client computer and create a file /etc/openvpn/openvpn.conf, also on the client computer, with the following contents:

remote 192.168.1.1

dev tun

ifconfig 10.9.1.2 10.9.1.1

secret static.key

The first line gives the address of the remote end of the tunnel, i.e. the server. "dev tun" again tells openvpn which virtual network device to use. The following line gives the IP addresses of each end of the VPN (note these are reversed from the previous configuration file). And lastly we again state which file to use for encryption.
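The two configuration files must mirror each other exactly: the client's ifconfig line is the server's with the addresses swapped, both name the same secret file, and the client's remote is the server's address. A mismatch here is the most common reason the ping at the end of this section fails, so the script below, an added example that is not part of the original article or of OpenVPN, writes the server and client files from the article's addresses and then checks that they agree. The function names write_p2p_configs, conf_value and check_p2p_pair are chosen here.

```shell
#!/bin/sh
# Added example: generate and cross-check the server/client config pair
# for a static-key point-to-point tunnel. Addresses are the article's.

SERVER_PUBLIC_IP=192.168.1.1   # address the client connects to ("remote")
SERVER_TUN_IP=10.9.1.1         # tunnel address of the server end
CLIENT_TUN_IP=10.9.1.2         # tunnel address of the client end

# write_p2p_configs OUTDIR: writes OUTDIR/server.conf and OUTDIR/client.conf.
write_p2p_configs() {
    d=$1
    mkdir -p "$d"
    cat > "$d/server.conf" <<EOF
dev tun
ifconfig $SERVER_TUN_IP $CLIENT_TUN_IP
secret static.key
EOF
    cat > "$d/client.conf" <<EOF
remote $SERVER_PUBLIC_IP
dev tun
ifconfig $CLIENT_TUN_IP $SERVER_TUN_IP
secret static.key
EOF
}

# conf_value FILE KEY: prints the arguments of directive KEY in FILE
# (first match only; comment lines never match because $1 is '#...').
conf_value() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# check_p2p_pair SERVERCONF CLIENTCONF -> 0 when the client's ifconfig is
# the reverse of the server's, both use the same secret file and the
# client's remote is the server's address; 1 otherwise (reason on stderr).
check_p2p_pair() {
    s=$1; c=$2
    s_if=$(conf_value "$s" ifconfig)
    c_if=$(conf_value "$c" ifconfig)
    s_local=${s_if%% *}; s_remote=${s_if#* }
    c_local=${c_if%% *}; c_remote=${c_if#* }
    [ "$s_local" = "$c_remote" ] && [ "$s_remote" = "$c_local" ] ||
        { echo "ifconfig lines not mirrored: '$s_if' vs '$c_if'" >&2; return 1; }
    [ "$(conf_value "$s" secret)" = "$(conf_value "$c" secret)" ] ||
        { echo "server and client name different secret files" >&2; return 1; }
    [ "$(conf_value "$c" remote)" = "$SERVER_PUBLIC_IP" ] ||
        { echo "client remote does not point at $SERVER_PUBLIC_IP" >&2; return 1; }
    return 0
}

# Usage: sh p2p_configs.sh --demo
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp -d)
    write_p2p_configs "$out"
    check_p2p_pair "$out/server.conf" "$out/client.conf" &&
        echo "configs in $out are consistent"
fi
```

After generating the files, copy client.conf and static.key to the client over an encrypted channel such as scp rather than an unencrypted one; the static key is the only secret protecting the tunnel, so it should only ever travel and rest under mode 600.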

We now need to start the server end of the VPN as follows:

# openvpn --config openvpn.conf --secret static.key

Then start the client end in the same way:

# openvpn --config openvpn.conf --secret static.key

There will be quite a lot of output and if all goes well the last line should say:

"Initialization Sequence Completed"

We can now try to ping each side of the tunnel. For instance, on the client try pinging the server's tunnel address as follows:

# ping 10.9.1.1

If the ping is successful it proves that the tunnel is up and working.

This document describes a basic configuration of OpenVPN. For more help try http://openvpn.net.