#include <infodrom.style>
#include <debian.style>

<page title="Debian Tips">

<h1 align=center>Howto configure OpenVPN</h1>

<p>This HOWTO document is very small but contains everything you need
for setting up a VPN server with clients under Debian GNU/Linux <a
href="http://www.debian.org/releases/etch/">etch</a>.</p>

<p>VPN stands for <em>Virtual Private Network</em>: a private network
that uses the Internet (or a local Ethernet) only as its transport
layer.  It is set up as an encrypted point-to-point connection between
two hosts, the client and the server, so that the traffic crosses the
insecure Internet but the resulting network is secured.</p>

<p>One of the easiest ways to configure a private network is to use
OpenVPN, which relies on OpenSSL for encryption.  Clients exist not only
for GNU/Linux and Unix but also for Windows and MacOS.  This document
covers Debian GNU/Linux, thus you first need to install the
<code>openvpn</code> package on both the server and the client.</p>

<h3>Setting up the VPN Server</h3>

<p><ol>

<li> Copy <code>/usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf</code>
     to <code>/etc/openvpn</code>.

<li> Copy <code>/usr/share/doc/openvpn/examples/easy-rsa/2.0/vars</code>
     to <code>/etc/openvpn</code>.

<li> Change the <code>EASY_RSA</code> line at the beginning of
     <code>vars</code> to

<pre>
export EASY_RSA="/etc/openvpn"
</pre>

     and add the following line to the end

<pre>
export EASY_RSA="/usr/share/doc/openvpn/examples/easy-rsa/2.0"
</pre>

Also change the line

<pre>
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
</pre>

so that it points directly at the copy in the OpenVPN config directory

<pre>
export KEY_CONFIG="/etc/openvpn/openssl.cnf"
</pre>

<li> <code>mkdir /etc/openvpn/keys</code>
<li> <code>touch /etc/openvpn/keys/index.txt</code>
<li> <code>echo 00 &gt; /etc/openvpn/keys/serial</code>

<li> Adjust the remaining defaults in <code>vars</code> to your needs

<li> Change directory to <code>/usr/share/doc/openvpn/examples/easy-rsa/2.0</code>

<li> Source the <code>vars</code> (<code> . /etc/openvpn/vars</code>)

<li> Build Diffie-Hellman parameters with <code>./build-dh</code>

<li> Build CA with <code>./build-ca</code>

<li> Build server key with <code>./build-key-server server</code>

<li> Configure server in <code>/etc/openvpn/server.conf</code>

<pre>
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt
keepalive 10 120
push "route 192.168.200.0 255.255.255.0"
persist-key
persist-tun
status openvpn-status.log
verb 0
</pre>

<p>This makes OpenVPN listen on UDP port 1194, use the given keys and
     certificates, and use 10.8.0.0/24 as the base network of this VPN
     (each client is assigned a block of four addresses, i.e. a /30,
     starting at 10.8.0.0, the first block belonging to the server).  A
     route for the network 192.168.200.0/24 is pushed to the clients,
     so that network is reached through the VPN connection.</p>

<li> Restart the server with <code>/etc/init.d/openvpn restart</code>

</ol></p>
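<p>An added example, not part of the original page: a small Python pre-flight
check for the <code>server.conf</code> above.  It parses the directives,
verifies that the referenced ca/cert/key/dh files exist relative to the
directory OpenVPN is started from, that the private key is not group- or
world-readable, that the <code>server</code> and pushed route networks are
well-formed, and flags <code>verb 0</code>, which logs only fatal errors.
<code>demo()</code> builds a throwaway directory in which the DH file is
missing and the key is mode 0644; only the directive names and values are
taken from the page, the rest is an assumption of this example.</p>

```python
import ipaddress, os, shlex, stat, tempfile

# Relevant lines of the page's server.conf, embedded so the check runs offline.
SERVER_CONF = """\
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.200.0 255.255.255.0"
verb 0
"""

def parse_conf(text):
    """Return [(directive, [args])]; shlex handles the quoting and # comments."""
    parts = [shlex.split(line, comments=True) for line in text.splitlines()]
    return [(p[0], p[1:]) for p in parts if p]

def check_conf(text, base_dir):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, args in parse_conf(text):
        if name in ("ca", "cert", "key", "dh"):
            path = os.path.join(base_dir, args[0])  # relative to OpenVPN's cwd
            if not os.path.isfile(path):
                findings.append(f"{name}: {args[0]} not found")
            elif name == "key" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"key: {args[0]} is readable by group/others")
        elif name == "server" or (name == "push" and args[0].startswith("route ")):
            net = args[:2] if name == "server" else args[0].split()[1:3]
            try:
                ipaddress.ip_network("/".join(net))  # strict: rejects host bits set
            except ValueError:
                findings.append(f"{name}: bad network {' '.join(args)}")
        elif name == "verb" and args[0] == "0":
            findings.append("verb 0: only fatal errors are logged, client connects will not appear")
    return findings

def demo():
    """Constructed layout (not from the page): dh1024.pem missing, server.key mode 0644."""
    tmp = tempfile.mkdtemp()
    os.mkdir(os.path.join(tmp, "keys"))
    for fname in ("ca.crt", "server.crt", "server.key"):
        path = os.path.join(tmp, "keys", fname)
        open(path, "w").close()
        os.chmod(path, 0o644)
    return check_conf(SERVER_CONF, tmp)
```

<p>Run <code>check_conf(open("server.conf").read(), "/etc/openvpn")</code> on
the real file before restarting the service; <code>demo()</code> returns three
findings for the constructed layout.</p>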

<h3>Setting up the VPN Client</h3>

<p><ol>

<li> Build client key on the server with <code>./build-key finlandia</code>

<li> Copy the <code>ca.crt</code>, <code>finlandia.crt</code> and
     <code>finlandia.key</code> files from <code>/etc/openvpn/keys</code>
     to the client (the key file must stay secret, so transfer it over a
     secure channel)

<li> Configure OpenVPN on the client in <code>/etc/openvpn/vpn.ovpn</code>

<pre>
client
dev tun
proto udp
remote PUBLIC-INTERFACE-OF-VPN-SERVER.TLD 1194
resolv-retry infinite
ns-cert-type server
nobind
tun-mtu 1500

# Try to preserve some state across restarts.
persist-key
persist-tun
ca ca.crt
cert finlandia.crt
key finlandia.key
verb 0
keepalive 10 120
</pre>

<li> Start the client from <code>/etc/openvpn</code> (so the relative
     certificate and key paths resolve) with <code>openvpn vpn.ovpn</code>

</ol></p>

<p><a href="http://ressukka.net/blog/posts/20080821_openvpn_tunnel/">Bridge configuration</a></p>

</page>

# Local variables:
# mode: indented-text
# end:
