The example shown in Section 15.2 is useful for testing, but not for daily work. This section explains how to build a VPN server that allows more than one connection at the same time. This is done with a public key infrastructure (PKI). A PKI consists of a pair of public and private keys for the server and each client and a master certificate authority (CA), which is used to sign every server and client certificate.
The general overview of this process involves the following steps:
Build your public key infrastructure (see Section 15.3.1, “Creating Certificates”).
Configure your server (see Section 15.3.2, “Configuring the Server”).
Configure your clients (see Section 15.3.3, “Configuring the Clients”).
Before a VPN connection gets established, the client must authenticate the server certificate. Conversely, the server must also authenticate the client certificate. This is called mutual authentication.
You can use two methods to create the respective certificates and keys:
Use the YaST CA module (see Chapter 16, Managing X.509 Certification), or
Use the scripts included with the openvpn package. The easy-rsa utilities use the openssl.cnf file stored under /usr/share/openvpn/easy-rsa/VER. In most cases you can leave this file as it is.
Procedure 15.1. Generate the Master CA And Key
1. Open a shell and become root.
2. Change the directory to /usr/share/openvpn/easy-rsa/VER. Replace the placeholder VER with the version, currently either 1.0 or 2.0.
3. Copy the file vars to /etc/openvpn and edit the value of export EASY_RSA to /usr/share/openvpn/easy-rsa.
4. Edit the default values in the file vars. Change the variables KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL.
5. Initialize the PKI:
   source /etc/openvpn/vars && ./clean-all && ./build-ca
6. Enter the data required by the build-ca script. Usually you can take the defaults that you have set in Step 4. The only parameters that are not set are the Organizational Unit Name and Common Name.
After this procedure, the master certificate and key are saved as /usr/share/openvpn/easy-rsa/VER/keys/ca.*
Procedure 15.2. Generate The Private Server Key
1. Make sure the directory is /usr/share/openvpn/easy-rsa/VER/.
2. Run the following script:
   ./build-key-server server
   The argument (here: server) is used for the private key filename.
3. Accept the default parameters, but fill in server for the Common Name option.
4. Answer the next two questions (“Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”) with y (yes).
After this procedure, the private server key is saved as /usr/share/openvpn/easy-rsa/VER/keys/server.*
Procedure 15.3. Generate Certificates and Keys for a Client
1. Make sure your current directory is /usr/share/openvpn/easy-rsa/VER. Replace the placeholder VER with the version, currently either 1.0 or 2.0.
2. Create the key as in Step 2 from Procedure 15.2, “Generate The Private Server Key”:
   ./build-key client
3. Repeat the previous step for each client that is allowed to connect to the VPN server. Make sure you use a different name (other than “client”) and an appropriate Common Name, because this parameter has to be unique for each client.
After this procedure, the client certificates and keys are saved in /usr/share/openvpn/easy-rsa/keys/client.* (depending on the name that you have given to the build-key command).
Procedure 15.4. Final Configuration Steps
1. Make sure your current working directory is /usr/share/openvpn/easy-rsa/VER/.
2. Create the Diffie-Hellman parameters:
   ./build-dh
3. Create /etc/openvpn/ssl.
4. Copy the following files:
   cp keys/ca.{crt,key} keys/dh1024.pem keys/server.{crt,key} /etc/openvpn/ssl/
5. Copy the client keys to the relevant client machine. You should have the files client.crt and client.key in the /etc/openvpn/ssl directory.
The configuration file is mostly a summary of
/usr/share/doc/packages/openvpn/sample-config-files/server.conf
without the comments and with some small changes to some paths.
Example 15.1. VPN Server Configuration File
# /etc/openvpn/server.conf
port 1194
proto udp
dev tun0
# Security
ca ssl/ca.crt
cert ssl/server.crt
key ssl/server.key
dh ssl/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/run/openvpn/ipp.txt
# Privileges
user nobody
group nobody
# Other configuration
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 4
port: The TCP/UDP port to which OpenVPN listens. You have to open up the port in the firewall, see Chapter 14, Masquerading and Firewalls. The standard port for VPN is 1194, so in most cases you can leave that as it is.
proto: The protocol, either UDP or TCP.
dev: The tun or tap device, see Section 15.1.2, “Tun and Tap Devices” for the differences.
ca, cert, key, dh: The following lines contain the relative or absolute path to the root server CA certificate (
server: Supplies a VPN subnet. The server can be reached by
ifconfig-pool-persist: Records a mapping of clients and their virtual IP addresses in the given file. Useful when the server goes down and (after the restart) the clients get their previously assigned IP address.
user, group: For security reasons it is a good idea to run the OpenVPN daemon with reduced privileges. For this reason the group and user
keepalive and the following lines: Several other configurations, see the comments in the original configuration from
After this configuration, you can see log messages from your OpenVPN server under /var/log/openvpn.log. When you have started it for the first time, the log should end with:
... Initialization Sequence Completed
If you do not get this message, check the log carefully. Usually OpenVPN gives you some hints about what is wrong in your configuration file.
The configuration file is mostly a summary from
/usr/share/doc/packages/openvpn/sample-config-files/client.conf
without the comments and with some small changes to some paths.
Example 15.2. VPN Client Configuration File
# /etc/openvpn/client.conf
client
dev tun
proto udp
remote IP_OR_HOSTNAME 1194
resolv-retry infinite
nobind
# Privileges
user nobody
group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# Security
ca ssl/ca.crt
cert ssl/client.crt
key ssl/client.key
comp-lzo
client: We have to specify that this machine is a client.
dev: The network device. Both clients and server must use the same device.
proto: The protocol. Use the same settings as on the server.
remote: Replace the placeholder IP_OR_HOSTNAME.
user, group: For security reasons it is a good idea to run the OpenVPN daemon with reduced privileges. For this reason the group and user
ca, cert, key: Contains the client files. For security reasons, it is better to have a separate file pair for each client.
comp-lzo: Turns compression on. Use it only when the server has this parameter switched on as well.
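As an added example (not code from the guide or from the openvpn package), the following Python script cross-checks a server.conf against a client.conf for the settings the explanations of Example 15.1 and 15.2 say must agree: protocol, device type, port, comp-lzo, the ca/cert/key files and the privilege drop to nobody. The sample configurations are constructed from the two examples; the host name vpn.example.com is a placeholder.

```python
# Constructed samples, reduced from Example 15.1 (server) and 15.2 (client).
SERVER_CONF = "\n".join(["port 1194", "proto udp", "dev tun0", "ca ssl/ca.crt", "cert ssl/server.crt",
                         "key ssl/server.key", "dh ssl/dh1024.pem", "user nobody", "group nobody", "comp-lzo"])
CLIENT_CONF = "\n".join(["client", "dev tun", "proto udp", "remote vpn.example.com 1194", "user nobody",
                         "group nobody", "ca ssl/ca.crt", "cert ssl/client.crt", "key ssl/client.key", "comp-lzo"])

def parse_conf(text):
    """Map each OpenVPN directive to its argument list; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            conf[parts[0]] = parts[1:]
    return conf

def check_pair(server_text, client_text):
    """Return the settings on which server and client disagree (empty list = consistent)."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    if s.get("proto") != c.get("proto"):
        problems.append("proto differs: server %s, client %s" % (s.get("proto"), c.get("proto")))
    # tun0 on the server and tun on the client are the same device type (tun vs tap is what matters)
    sdev, cdev = (x.get("dev", [""])[0].rstrip("0123456789") for x in (s, c))
    if sdev != cdev:
        problems.append("device type differs: server %s, client %s" % (sdev, cdev))
    remote = c.get("remote", [])
    if not remote or remote[0] == "IP_OR_HOSTNAME":
        problems.append("client: remote not set to the server's IP or host name")
    sport = s.get("port", ["1194"])[0]           # OpenVPN's default port is 1194
    cport = remote[1] if len(remote) > 1 else "1194"
    if sport != cport:
        problems.append("port differs: server %s, client remote %s" % (sport, cport))
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo must be set on both sides or on neither")
    for side, conf in (("server", s), ("client", c)):
        for d in ("ca", "cert", "key"):
            if d not in conf:
                problems.append("%s: missing %s directive" % (side, d))
        if conf.get("user") != ["nobody"] or conf.get("group") != ["nobody"]:
            problems.append("%s: daemon does not drop privileges to nobody" % side)
    if "dh" not in s:
        problems.append("server: missing dh directive")
    return problems
```

To check real files, read /etc/openvpn/server.conf and the client's /etc/openvpn/client.conf into the two arguments of check_pair.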