Debian/Ubuntu Tips and Tricks

Debuntu

How-To: OpenVPN on Debian Squeeze with Username/Password authentication

Posted by chantra on January 16th, 2013

OpenVPN is an SSL/TLS-based VPN that runs on most operating systems. It is simple to install and run.

In this tutorial, I will go over the steps needed to configure OpenVPN on Debian Squeeze to provide a full tunnel, i.e. all of the client's traffic is routed through the VPN. This is particularly useful when you access the internet from untrusted networks such as free hotspots.

There are many ways of setting up OpenVPN. A common one is to issue a unique certificate to each user; another is to have each user authenticate with a username and password.

In this article, we will set up OpenVPN to authenticate users with a username/password via PAM (by default, against the system accounts of the server itself).

In this scenario, the VPN server runs on a machine whose external interface eth0 has the IP 172.16.132.5; in a real-life case this would be a public IP.
OpenVPN clients will be assigned addresses from 10.8.0.0/24, the network our OpenVPN server manages, and their traffic will then be NATted out through the external interface.
The OpenVPN server also needs to run a DNS server that answers queries on 10.8.0.1, because we will push DNS settings to the OpenVPN clients so that name resolution goes through the tunnel as well instead of the untrusted network's resolver.
Setting up that DNS server is outside the scope of this article.

Installing

Installation of OpenVPN is pretty simple on Debian:

# apt-get install openvpn

Now that we have installed openvpn, we need to configure it... that is where it gets a bit more complicated!

Configuration

As OpenVPN is a TLS-based VPN, it uses X.509 certificates to authenticate the endpoints and to negotiate the session keys that actually encrypt the traffic. Even though we will not issue a certificate to each client, we still need a CA and a server certificate: clients verify the server against the CA certificate during the TLS handshake, before they send their username and password, and that verification is what stops a rogue hotspot from impersonating the VPN server and harvesting credentials.

There is a bit of work to be done here; fortunately, OpenVPN ships with helper scripts that make it easier for us.

Generating Certificates

Debian ships the easy-rsa helper scripts in its openvpn package, under /usr/share/doc/openvpn/examples. We will copy them to /etc/openvpn/ so that the CA we create lives with the rest of the OpenVPN configuration rather than under the package documentation:

# cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/

Now, we will go to /etc/openvpn/easy-rsa/2.0 and create the certificates...

# cd /etc/openvpn/easy-rsa/2.0

All default values used when generating certificates (country, organisation, key size, validity period) live in the vars file. Edit it and adjust the KEY_*, CA_EXPIRE and KEY_EXPIRE variables to your liking. In particular, raise KEY_SIZE from its default of 1024 to at least 2048: 1024-bit RSA keys and DH parameters are no longer considered adequate. The transcripts below were produced with the old default, which is why they report 1024-bit keys. Then load the file into your shell with '. ./vars' and run ./clean-all once to initialise the keys/ directory (the build-* scripts refuse to run until vars has been sourced, and signing needs the index.txt and serial files that clean-all creates). Do not run clean-all again later: it wipes everything in keys/.

First, create the CA:

root@ovpnrouter:2.0# ./build-ca
Generating a 1024 bit RSA private key
......++++++
...++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Name []:
Email Address [me@myhost.mydomain]:

Then the Diffie-Hellman parameters (this can take a while, and considerably longer for 2048 bits):

root@ovpnrouter:2.0# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....................................++*++*++*

Next, we generate the server certificate:

root@ovpnrouter:2.0# ./build-key-server server01
Generating a 1024 bit RSA private key
.....................++++++
.................++++++
writing new private key to 'server01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server01]:
Name []:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName : PRINTABLE:'US'
stateOrProvinceName : PRINTABLE:'CA'
localityName : PRINTABLE:'SanFrancisco'
organizationName : PRINTABLE:'Fort-Funston'
commonName : PRINTABLE:'server01'
emailAddress :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jan 13 07:52:57 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Finally, to protect the server against DoS attacks and UDP port flooding from unauthenticated hosts, we generate a static HMAC key (tls-auth) shared by the server and all clients. Every control-channel packet must carry a valid HMAC under this key or it is dropped before any TLS processing takes place, so an attacker who does not hold ta.key cannot even start a handshake. Note that ta.key is a shared secret: it has to be copied to every client over a trusted channel, and if one client leaks it the only remedy is to generate a new one and redistribute it to everybody.

root@ovpnrouter:2.0# openvpn --genkey --secret keys/ta.key
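Before copying anything to a client it is worth checking what easy-rsa actually produced. The script below is an added example, not part of the original how-to or of easy-rsa: using only openssl, it confirms that the server certificate chains to ca.crt, that the private key matches it, that the RSA key and DH parameters meet a minimum size, that the certificate is marked as a server certificate (which is what clients test with remote-cert-tls server), that ta.key holds a well-formed static key, and that no secret is readable by other users. The function names (check_ovpn_pki, make_fixture_pki, bits_of, is_private) and the file name check_pki.sh are this example's own. make_fixture_pki is a constructed test fixture that builds a throwaway CA with plain openssl so the checks can be exercised on a box without easy-rsa; it uses -dsaparam for fast DH generation, which build-dh does not, and synthesises ta.key with openssl rand in the layout openvpn --genkey writes.

```shell
#!/bin/sh
# Added example (not from the original how-to or easy-rsa): sanity-check the files
# easy-rsa wrote into keys/ before copying any of them to clients. Needs only openssl.
#
#   sh check_pki.sh /etc/openvpn/easy-rsa/2.0/keys server01 2048

# Pull "N" out of the "(N bit)" that "openssl ... -text" prints for keys and DH params.
bits_of() { sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1; }

# A secret file is acceptable when it, or the directory holding it, denies group
# and others (easy-rsa's clean-all does "chmod go-rwx" on keys/).
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
    [ "$(ls -ld "$(dirname "$1")" | cut -c5-10)" = "------" ]
}

# check_ovpn_pki KEYDIR NAME [MINBITS]: returns 0 if every check passes, 1 otherwise.
check_ovpn_pki() {
    dir=$1; name=$2; min=${3:-2048}; rc=0
    ca=$dir/ca.crt; crt=$dir/$name.crt; key=$dir/$name.key; ta=$dir/ta.key
    dh=$(ls "$dir"/dh*.pem 2>/dev/null | head -n 1)   # easy-rsa names it dh<KEY_SIZE>.pem
    for f in "$ca" "$crt" "$key" "$ta" "$dh"; do
        [ -n "$f" ] && [ -r "$f" ] ||
            { echo "FAIL: need ca.crt, $name.crt, $name.key, ta.key and dh*.pem in $dir"; return 1; }
    done

    # 1. The server certificate chains to our CA (clients are given ca.crt to check it).
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1
    then echo "ok: $crt is signed by $ca"
    else echo "FAIL: $crt does not verify against $ca"; rc=1; fi

    # 2. The private key really belongs to that certificate.
    if [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
    then echo "ok: $key matches $crt"
    else echo "FAIL: $key does not match $crt"; rc=1; fi

    # 3. Key sizes. easy-rsa 2.0 defaults KEY_SIZE to 1024, which is too small today.
    kbits=$(openssl x509 -in "$crt" -noout -text | bits_of)
    dbits=$(openssl pkeyparam -in "$dh" -noout -text | bits_of)
    if [ "${kbits:-0}" -ge "$min" ] && [ "${dbits:-0}" -ge "$min" ]
    then echo "ok: RSA key $kbits bits, DH parameters $dbits bits"
    else echo "FAIL: RSA key ${kbits:-?} bits, DH ${dbits:-?} bits, want >= $min"; rc=1; fi

    # 4. The certificate is flagged as a server certificate (extendedKeyUsage serverAuth),
    #    which is what clients verify with "remote-cert-tls server" to reject impostors.
    if openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Server Authentication'
    then echo "ok: $crt carries extendedKeyUsage serverAuth"
    else echo "FAIL: $crt lacks extendedKeyUsage serverAuth"; rc=1; fi

    # 5. ta.key holds a 2048-bit OpenVPN static key: 512 hex digits between the markers.
    hex=$(sed -n '/BEGIN OpenVPN Static key V1/,/END OpenVPN Static key V1/p' "$ta" |
          grep -v -- '-----' | tr -d ' \n')
    case $hex in
        ''|*[!0-9a-fA-F]*) echo "FAIL: $ta has no OpenVPN static key block"; rc=1 ;;
        *) if [ ${#hex} -eq 512 ]; then echo "ok: $ta holds a 2048-bit static key"
           else echo "FAIL: $ta body is ${#hex} hex digits, want 512"; rc=1; fi ;;
    esac

    # 6. No secret is readable by group or others.
    for f in "$dir/ca.key" "$key" "$ta"; do
        [ -e "$f" ] || continue           # ca.key may rightly have been moved off the box
        if is_private "$f"; then echo "ok: $f is private"
        else echo "FAIL: $f is readable by group/others"; rc=1; fi
    done
    return $rc
}

# make_fixture_pki DIR NAME BITS [EKU]: a constructed test fixture, built with plain
# openssl, carrying the extensions easy-rsa's [server] section sets. -dsaparam keeps
# DH generation fast for testing; build-dh generates a safe prime instead. ta.key is
# synthesised with openssl rand in the layout openvpn --genkey writes.
make_fixture_pki() {
    dir=$1; name=$2; bits=$3; eku=${4:-serverAuth}
    mkdir -p "$dir" && chmod 700 "$dir"
    openssl genrsa -out "$dir/ca.key" "$bits" 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -days 3650 -subj "/CN=Fixture CA" -out "$dir/ca.crt"
    openssl genrsa -out "$dir/$name.key" "$bits" 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" -out "$dir/$name.csr"
    printf '%s\n' 'basicConstraints=CA:FALSE' 'nsCertType=server' "extendedKeyUsage=$eku" \
        'keyUsage=digitalSignature,keyEncipherment' > "$dir/server.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 3650 -extfile "$dir/server.ext" -out "$dir/$name.crt" 2>/dev/null
    openssl dhparam -dsaparam -out "$dir/dh$bits.pem" "$bits" 2>/dev/null
    { echo '-----BEGIN OpenVPN Static key V1-----'
      openssl rand -hex 256 | fold -w 32
      echo '-----END OpenVPN Static key V1-----'; } > "$dir/ta.key"
    chmod 600 "$dir"/*.key
}

if [ $# -ge 2 ]; then check_ovpn_pki "$@"; fi
```

Run it against the real directory with sh check_pki.sh /etc/openvpn/easy-rsa/2.0/keys server01 2048. With the easy-rsa default KEY_SIZE of 1024, the size check fails, which is the intended outcome; a certificate built without the server extensions fails check 4, and a world-readable ta.key fails check 6.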

Pages: 1 2 3
