Update of /cvsroot/leaf/doc/guide/user-bering-uclibc
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv6377
Added Files:
bucu-openvpn.xml
Log Message:
openvpn 2.0x docs - not finished yet, but usable.
--- NEW FILE: bucu-openvpn.xml ---
<?xml version="1.0" encoding="UTF-8"?>
<chapter id="bucu-openvpn">
<chapterinfo>
<authorgroup>
<author>
<firstname>K.-P.</firstname>
<surname>Kirchdoerfer</surname>
<affiliation>
<address><email>kapeka at users.sourceforge.net</email></address>
</affiliation>
</author>
<author>
<firstname>Eric</firstname>
<surname>de Thouars</surname>
<affiliation>
<address><email>dorus at users.sourceforge.net</email></address>
</affiliation>
</author>
</authorgroup>
<revhistory>
<revision>
<revnumber>0.1</revnumber>
<date>2005-03-20</date>
<authorinitials>KP</authorinitials>
<revremark>Initial document</revremark>
</revision>
<revision>
<revnumber>0.2</revnumber>
<date>2005-04-06</date>
<authorinitials>ET</authorinitials>
<revremark>Minor corrections and added instructions on starting
openvpn</revremark>
</revision>
</revhistory>
</chapterinfo>
<title>Configuring openvpn</title>
<section>
<title>Introduction</title>
<section>
<title>Objectives</title>
<para>This chapter describes how to configure your LEAF system(s) to
build Virtual Private Networks (VPN) with <ulink
url="http://www.openvpn.net">OpenVPN</ulink>.</para>
</section>
<section>
<title>Overview of the setup described here</title>
<para>The setup described here assumes you are using openvpn 2.x in
server/client mode. Furthermore, the setup used for this chapter is based
on LEAF systems connected to the internet via dynamic IPs. Building VPNs
between LEAF systems with fixed IPs, or in a mixed environment, is similar
but easier.</para>
<para>We also wanted to tunnel the subnets behind the LEAF routers.
Connecting one or more road warriors should again be easier.</para>
<para>Additionally, only routing (using the TUN interface) between
subnets is described. For bridging (using the TAP interface), the
differences to routing and the advantages/disadvantages of tunneling
versus bridging, please read the <ulink
url="http://openvpn.net/faq.html#bridge1">corresponding OpenVPN
documentation</ulink>.</para>
<para>In our example OpenVPN setup, openvpn uses lzo compression and the
keys (especially the CA key) are built and stored on the LEAF
router.</para>
<note>
<para>Following the description of key creation below may impose
security risks, since the CA key is generated and stored on the router
itself! It is only meant to help you start with openvpn; in no way is it
meant to be used in a production environment.</para>
</note>
</section>
<section>
<title>About openvpn</title>
<para>OpenVPN is a full-featured SSL VPN solution which can accommodate a
wide range of configurations, including road warrior access,
home/office/campus telecommuting, WiFi security, secure branch office
linking, and enterprise-scale remote access solutions with load
balancing, failover, and fine-grained access controls.</para>
<para>Compared with IPsec implementations like freeswan/openswan it is
easier to set up, supports dynamic IP addresses out of the box and
doesn't need any kernel patches.</para>
</section>
</section>
<section>
<title>Loading the packages</title>
<para>Edit the <filename>lrpkg.cfg</filename> (pre Bering-uClibc-2.2.0) or
<filename>leaf.cfg</filename> (Bering-uClibc-2.2.0 onwards) file and add
<filename>ovpn20z.lrp, easyrsa.lrp, liblzo.lrp, libssl.lrp,
openssl.lrp</filename> and <filename>libcrpto.lrp</filename> to the list
of packages to be loaded at boot. Check the Bering-uClibc <ulink
url="http://leaf.sourceforge.net/doc/guide/buci-install.html">Installation
Guide</ulink> to learn how to do that.</para>
<para>You don't need <filename>liblzo.lrp</filename> if you choose an
OpenVPN package without lzo support.</para>
<para><filename>openssl.lrp</filename> and
<filename>easyrsa.lrp</filename> are only needed on your OpenVPN server to
create the keys. You don't need them on an OpenVPN client, and you don't
need to load them on your OpenVPN server once you have created the
keys.</para>
</section>
<section>
<title>Loading the modules</title>
<para>You need to load the tun module <filename>tun.o</filename> to have a
virtual tunnel interface.</para>
<para>To accomplish this, you need the appropriate modules tarball for
your LEAF Bering-uClibc. It's usually available for download in our FRS,
older versions are available in our cvs repository.</para>
<para>Unpack the modules tarball and copy
<filename>2.4.26/kernel/drivers/net/tun.o</filename> to
<filename>/lib/modules</filename> on your router.</para>
<para>Add "tun" to your <filename>/etc/modules</filename>.</para>
<para>Save <filename>modules.lrp</filename>.</para>
</section>
<section>
<title>Generating keys</title>
<para>To start with OpenVPN 2.x in server/client mode, you have to
generate SSL keys and certificates for those keys. The table below shows
which keys and certificates are necessary on which system.</para>
<table>
<title>OpenVPN keys and certificates</title>
<tgroup cols="2">
<thead>
<row>
<entry>OpenVPN Server</entry>
<entry>OpenVPN Client</entry>
</row>
</thead>
<tbody>
<row>
<entry>CA certificate</entry>
<entry>CA certificate</entry>
</row>
<row>
<entry>Server key</entry>
<entry>Client key</entry>
</row>
<row>
<entry>Server certificate</entry>
<entry>Client certificate</entry>
</row>
</tbody>
</tgroup>
</table>
<para>If you don't have your own CA the next sections describe how to make
one and generate the necessary keys and certificates.</para>
<para>If you have your own existing key generation and CA environment you
can use that to generate keys and certificates for the server and client(s)
and install them manually into the directory defined in the configuration
file. The only step that you still need to make with the tools described
below is the generation of the Diffie-Hellman parameters.</para>
<section>
<title>Setup for key generation on your Bering-uClibc box</title>
<para>The package <filename>easyrsa.lrp</filename> provides you with the
necessary scripts to do this part of the configuration. For this demo
four steps are necessary:</para>
<orderedlist>
<listitem>
<para>Configure key generation</para>
</listitem>
<listitem>
<para>Build your own Root Certificate Authority (CA) key and
certificate</para>
</listitem>
<listitem>
<para>Build the server key and certificate</para>
</listitem>
<listitem>
<para>Build the client key(s) and certificate(s)</para>
</listitem>
</orderedlist>
<para>Edit /etc/easy-rsa/vars and change the settings as needed. You
should only need to change the values for KEY_COUNTRY, KEY_PROVINCE,
KEY_CITY, KEY_ORG and KEY_EMAIL. Optionally you can change the KEY_SIZE
to a greater value.</para>
<para>Change directory into /etc/easyrsa and source the file with</para>
<para><command>. vars</command></para>
<para>(this means: dot, blank, vars)</para>
<para>to export the new settings to your environment variables. If you are
building the keys for the first time, also run the command
<command>clean-all</command>. Note that <command>clean-all</command> wipes
the whole KEY_DIR directory, so never run it again once you have keys you
want to keep.</para>
</section>
<section>
<title>Build your own Root Certification Authority (CA)
certificate/key</title>
<para>With <command>build-ca</command> the ca.crt and ca.key will be
built in your KEY_DIR directory.</para>
</section>
<section>
<title>Build Diffie-Hellman parameters</title>
<para>This step is necessary for the server end of an SSL/TLS connection.
Run <command>build-dh</command>.</para>
</section>
<section>
<title>Build the server key</title>
<para>The server key and certificate will be built with the
<command>build-key-server</command> script.</para>
<para>You will be asked to sign the certificate with your CA key -
respond "y".</para>
<para>To save your setup and keys, back up ovpn20z.lrp.</para>
</section>
<section>
<title>Build the client key(s)</title>
<para>The last step is to build and sign the client keys.</para>
<para>To do so, run the build-key script with the client name as
parameter. This name should also be entered when you are asked for the
"Common Name" during key generation. Again, sign the certificate.</para>
<para>Transfer the generated and signed key and certificate (foo.key,
foo.crt) plus the generated ca.crt to your client(s) in a secure
way.</para>
</section>
</section>
<section>
<title>OpenVPN server side</title>
<section>
<title>OpenVPN server configuration</title>
<para>Edit /etc/openvpn/server.conf.</para>
<para>Set the ca, cert and key to the generated root certificate, server
certificate and server key.</para>
<screen>ca keys/ca.crt
cert keys/Server.crt
key keys/Server.key # This file should be kept secret</screen>
<para>Additionally set the path to the key with the Diffie-Hellman
parameters:</para>
<para><screen>dh keys/dh1024.pem</screen></para>
<para>Announce the routes to the client with the push statement, to allow
it to reach other private subnets over the openvpn server. Remember that
these private subnets will also need to know to route the OpenVPN client
address pool (10.8.0.0/255.255.255.0) back to the OpenVPN server:</para>
<screen>push "route 192.168.10.0 255.255.255.0"
push "route 192.168.25.0 255.255.255.0"
push "route 192.168.23.0 255.255.255.0"</screen>
<para>Add the routes to the subnets to the OpenVPN server:</para>
<screen>route 192.168.25.0 255.255.255.0 vpn_gateway
route 192.168.23.0 255.255.255.0 vpn_gateway </screen>
<para>To allow machines in the subnets behind the OpenVPN clients to
access the VPN as well, you need to define the client-config-dir and add
the routes as well:</para>
<para><screen>client-config-dir ccd
route 192.168.25.0 255.255.255.0
route 192.168.23.0 255.255.255.0</screen></para>
<para>Given your client names are vpn-client1 and vpn-client2, add a file
for each client, named after the client ("vpn-client1" and "vpn-client2"),
in /etc/openvpn/ccd. The file name must match the Common Name you entered
when building that client's certificate. Add a statement like:</para>
<para><screen>iroute 192.168.23.0 255.255.255.0</screen></para>
<para>for the client providing the 192.168.23.0 subnet, and</para>
<para><screen>iroute 192.168.25.0 255.255.255.0</screen></para>
<para>for the client providing the 192.168.25.0 subnet.</para>
<para>If you want the clients, and the subnets behind them, to see each
other, enable client-to-client.</para>
<para>Backup ovpn20z.lrp.</para>
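<para>The ca/cert/key/dh paths, the client-config-dir and the route/iroute pairs above are easy to get out of sync when editing server.conf by hand. The following check script is an added example for this guide, not part of the LEAF packages or of OpenVPN; it assumes server.conf lives in a directory to which the relative paths in the config refer, and it builds a constructed copy of this guide's server setup (with the iroute for 192.168.25.0 deliberately left out) to show what it reports.</para>

```shell
#!/bin/sh
# Consistency check for an OpenVPN 2.x server.conf and its client-config-dir.
# Hypothetical helper written for this guide; not part of any LEAF package.
# Print every subnet declared with "iroute" in the ccd files, one per line.
ccd_iroutes() {
    [ -d "$1" ] && cat "$1"/* 2>/dev/null | awk '$1 == "iroute" { print $2 }'
}
# check_server_conf DIR: DIR holds server.conf, and the ca/cert/key/dh paths in
# it are relative to DIR. Prints each problem found and returns their count.
check_server_conf() {
    dir=$1; conf=$1/server.conf; errors=0
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    # 1. every file named by a ca/cert/key/dh line must exist
    for f in $(awk '$1 ~ /^(ca|cert|key|dh)$/ { print $2 }' "$conf"); do
        [ -f "$dir/$f" ] || { echo "missing file: $dir/$f"; errors=$((errors + 1)); }
    done
    # 2. the private key must not be readable by group or others (mode 0600)
    key=$(awk '$1 == "key" { print $2 }' "$conf")
    if [ -f "$dir/$key" ] && [ "$(ls -ld "$dir/$key" | cut -c5-10)" != "------" ]; then
        echo "private key $dir/$key is readable by group/others"; errors=$((errors + 1))
    fi
    # 3. a route to a client subnet (no gateway, or vpn_gateway) needs a matching
    #    iroute in a ccd file, or the server cannot tell which client owns it
    ccd=$dir/$(awk '$1 == "client-config-dir" { print $2 }' "$conf")
    for net in $(awk '$1 == "route" && ($4 == "" || $4 == "vpn_gateway") { print $2 }' "$conf"); do
        ccd_iroutes "$ccd" | grep -qxF "$net" ||
            { echo "route $net has no iroute in $ccd"; errors=$((errors + 1)); }
    done
    return $errors
}
# make_sample: constructed copy of this guide's server setup in a temp directory,
# with the iroute for 192.168.25.0 deliberately left out; prints the directory.
make_sample() {
    d=$(mktemp -d); mkdir -p "$d/keys" "$d/ccd"
    cat > "$d/server.conf" <<'EOF'
ca keys/ca.crt
cert keys/Server.crt
key keys/Server.key # This file should be kept secret
dh keys/dh1024.pem
client-config-dir ccd
route 192.168.25.0 255.255.255.0 vpn_gateway
route 192.168.23.0 255.255.255.0 vpn_gateway
EOF
    for f in ca.crt Server.crt Server.key dh1024.pem; do : > "$d/keys/$f"; done
    chmod 600 "$d/keys/Server.key"
    echo 'iroute 192.168.23.0 255.255.255.0' > "$d/ccd/vpn-client2"
    echo "$d"
}
check_server_conf "$(make_sample)"   # reports: route 192.168.25.0 has no iroute
```

Run it against /etc/openvpn on the server after every edit; a clean run prints nothing and exits 0.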
</section>
<section>
<title>Configure shorewall on the openvpn server</title>
<para>Add a new zone to /etc/shorewall/zones:</para>
<para><screen>vpn VPN Remote Subnet</screen></para>
<para>Add the tun interface to /etc/shorewall/interfaces:</para>
<para><screen>vpn tun+</screen></para>
<para>Note that we added a wildcard ("+") to the tun interface so the
vpn zone applies to all tun interfaces - important if you want to
support more than one openvpn client.</para>
<para>You can either open the traffic between the vpn zone and the local
net completely by adding</para>
<para><screen>loc vpn ACCEPT
vpn loc ACCEPT</screen></para>
<para>to /etc/shorewall/policy - or just add the ports you want to open
in /etc/shorewall/rules.</para>
<para>As a last step, add your vpn to the shorewall tunnel definitions
(/etc/shorewall/tunnels):</para>
<para><screen>generic:udp:1194 net 0.0.0.0/0</screen></para>
<para>Note: This is a very generic definition. Newer shorewall versions
support <parameter>openvpn</parameter> as tunnel type. The gateway is
defined as "0.0.0.0/0" to support clients with dynamic IP
addresses.</para>
</section>
<section>
<title>Starting the OpenVPN server</title>
<section>
<title>Manual</title>
<para>To test the server configuration you can manually start the
OpenVPN server with the command</para>
<para><command># openvpn /etc/openvpn/server.conf</command></para>
</section>
<section>
<title>Automatic</title>
<para>After a (re)boot the <filename>/etc/init.d/openvpn</filename>
script starts all tunnels that have a definition file in
<filename>/etc/openvpn</filename>. The definition files are all files
with the extension <filename>.conf</filename>. This means that you
should rename or delete any sample configuration files in that
directory if you don't want openvpn to attempt to start those tunnels
at (re)boot time.</para>
</section>
<section>
<title>Checking</title>
<para>Check <filename>/var/log/openvpn-status</filename> for the
status of your openvpn tunnels.</para>
<para>In case of problems, <filename>/var/log/daemon.log</filename> may
give some hints for troubleshooting.</para>
</section>
</section>
</section>
<section>
<title>OpenVPN clients</title>
<section>
<title>OpenVPN client configuration</title>
<para>Edit <filename>/etc/openvpn/client.conf</filename>.</para>
<para>Change the remote server to your OpenVPN server:</para>
<para><screen>remote my-server-1 1194</screen></para>
<para>You can choose a dynamic DNS entry like:</para>
<para><screen>remote foo.dyndns.org 1194</screen></para>
<para>Uncomment "user" and "group". If you need to start a client on an
OpenVPN server as well, to make the net behind that server visible to your
clients, you also have to uncomment "nobind" there.</para>
<para>Set the path and key names:</para>
<para><screen>ca keys/ca.crt
cert keys/vpn-client1.crt
key keys/vpn-client1.key</screen></para>
<para>Backup your OpenVPN package.</para>
</section>
<section>
<title>Configure shorewall on an OpenVPN client</title>
<para>Add a new zone to
<filename>/etc/shorewall/zones</filename>:</para>
<para><screen>vpn VPN Remote Subnet</screen></para>
<para>Add the tun interface to
<filename>/etc/shorewall/interfaces</filename>:</para>
<para><screen>vpn tun0</screen></para>
<para>You can either open the traffic between the vpn zone and the local
net completely by adding</para>
<para><screen>loc vpn ACCEPT
vpn loc ACCEPT</screen></para>
<para>to <filename>/etc/shorewall/policy</filename> - or just add the
ports you want to open in
<filename>/etc/shorewall/rules</filename>.</para>
<para>As a last step, add your vpn to the shorewall tunnel definitions
(<filename>/etc/shorewall/tunnels</filename>):</para>
<para><screen>generic:udp:1194 net 0.0.0.0/0</screen></para>
<para>Note: This is a very generic definition. Newer shorewall versions
support openvpn as tunnel type. The gateway is defined as "0.0.0.0/0" to
support an OpenVPN server with a dynamic IP address.</para>
</section>
<section>
<title>Starting the OpenVPN client</title>
<para>This is identical to starting the OpenVPN server, see
above.</para>
</section>
</section>
<section>
<title>Links</title>
<para><ulink url="http://openvpn.net">OpenVPN main page</ulink></para>
</section>
</chapter>