Monthly Archives: juin 2014

OpenVPN certificates and configuration per client

Server certificate creation:
Go to directory /usr/share/doc/openvpn/examples/easy-rsa/2.0/ or the directory that corresponds to your openvpn installation.

Edit vars file according to your needs.

It may be usefull to be able to push different configuration per client, for example different routing tables.
To do that you have to create client certificates based on the client hostname. The server will include scripts whose names are the same as the names of clients.

We assume first that the certificate part for the server has already been done:

source ./vars
./clean-all
./build-ca
./build-dh

You can also create an extra certificate for the server or you can put the same entry in the server configuration file for ca and cert.

Now the client certificates: we will create one certificate per client, the client hostname will be used to name the certificate file as well as it will be used as the Common Name in the certificate creation.

Example with the client hostname JDOE
First certificates creation: go to directory /usr/share/doc/openvpn/examples/easy-rsa/2.0/ or the directory that corresponds to your openvpn installation.
Edit the vars file according to your needs.

./build-key JDOE

Now the per client configuration, on the server create a dedicated directory:

mkdir /etc/openvpn/clients

Add in the server configuration file this line:

client-config-dir /etc/openvpn/clients

In directory /etc/openvpn/clients create a script file with the hostname client name and put in this file the customized settings:

# cat /etc/openvpn/clients/JDOE
ifconfig-push 10.0.45.1 255.255.255.0
push "route 10.0.45.0 255.255.255.0 10.0.45.254"

OpenVPN bridge mode configuration

In the following example, we have a server with only one NIC (eth0) and we will create a bridgeabled interface (tap0) that will be used by openvpn.
In order to have VPN clients in the same subnet as the server, both interfaces will be bridged together in one interface br0.

First you will have to make network configuration to bridge VPN adaptater with LAN adaptater.
You may need to install some packages:

apt-get install bridge-utils uml-utilities

Ensure you have tap interface created in /dev/net, if not created it:

mknod /dev/net/tap c 10 200
chmod 666 /dev/net/tap

Modify /etc/network/interface:

auto lo
iface lo inet loopback
        up tunctl -t tap0 -u nobody
        up ifconfig tap0 promisc up

auto eth0
iface eth0 inet manual
        up ifconfig eth0 promisc up

auto br0
iface br0 inet static
        address 192.168.45.100
        netmask 255.255.255.0
        network 192.168.45.0
        broadcast 192.168.45.255
        gateway 192.168.45.254
        # dns-* options are implemented by the resolvconf package, if installed
        # dns-nameservers 8.8.8.8
        dns-search mydomain.com
        bridge_ports eth0 tap0
        bridge_fd 0

Server side configuration:

mode server
port 1194
proto udp
dev tap0

ca certificats/ca.crt
cert certificats/gateway.crt
key certificats/gateway.key
dh certificats/dh1024.pem

# user this plugin to authenticate with /etc/passwd
plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth

server-bridge 192.168.45.100 255.255.255.0 192.168.45.91 192.168.45.99
push "route 192.168.45.0 255.255.255.0"
push "dhcp-option DNS 192.168.45.100"
push "dhcp-option DOMAIN mydomain.com"

client-to-client
duplicate-cn

tmp-dir /tmp
keepalive 10 120
comp-lzo
max-clients 15
user nobody
group nogroup
persist-key
persist-tun
status /var/log/ovpn-status.1194.log
log         /var/log/ovpn.1194.log
mute 5
verb 3

Client side configuration:

client
dev tap
proto udp
remote mydomain.com 1194

resolv-retry infinite

nobind

persist-key
persist-tun

ca cafile.crt
cert certfile.crt
key keyfile.key

route-method exe
route-delay 2

auth-user-pass

comp-lzo
verb 4
mute 20

Enable forwarding to be able to reach local net, edit file /etc/sysctl.conf and add:

net.ipv4.ip_forward = 1

To take it into account then run:

sysctl -p

Adjust iptables rules, you may have to adapt these rules to your system:

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -s $LAN -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT