On 04/07/2010 12:42 PM, Dave Smith wrote:
> Would you still be willing to share those configs for the
> laptop/password setup? That's my use case too. I am (unfortunately)
> running openSuSE 11.0 on x86-64.
Forgot about that, didn't I. Was overseas at the time I wrote the
e-mail, and it slipped my mind (besides my internet connection at the
time was very flaky).
I will attach the following files:
- pwd-server.conf - password-based server conf (dynamic pool)
- tls-server.conf - TLS-based server conf (static pool, see ccd below)
- clientrouter - a sample server ccd file that associates the client's
CN with a specific ip address
- pwd-client.conf - password-based client conf
- tls-client.conf - TLS-based client conf like I use on my routers.
To get this all to work you need to set up your own TLS certificate
authority and generate and sign keys, one for the server, and one for
each TLS client. Password-based clients need only the CA public cert.
I use a nifty program called "xca" to create and manage my personal certs.
An important note about certificates: openvpn does not like anything
other than SHA1 hashes for signature. At least that has been my
experience. So when signing certs, use the SHA1 hash. This is
obviously not as secure as SHA256. I haven't done much more research
into this. After certificate exchange, openvpn uses SSL for encryption.
- pwd-server.conf
- This config runs on udp on the standard port
- clients can easily use NetworkManager to set up vpn connections to
connect to this.
- clients need to have access to certificateauthority.crt
- I run one pwd config on udp and one on tcp, in case foreign
networks are blocking a particular port or protocol.
- uses a dynamic ip address pool.
- tls-server.conf
- my config runs on port 1195, since the pwd-based conf is on 1194.
- clients must have keys and signed certificates, and the cn of the
client cert must match the name of the ccd file that statically
assigns the IP address to the client
- if no ccd file, I think it defaults to a dynamic pool
- clientrouter
- a sample ccd file that lives in /etc/openvpn/ccd/
- cn of client cert must match this file name
- provides openvpn with a list of subnets that the client can
route to.
- provides static address assignment, using two addresses, one for
each end of the tunnel (see
http://openvpn.net/index.php/open-source/documentation/howto.html
for information about address pairs and windows limitations).
- pwd-client.conf
- needs a copy of the certificateauthority.crt
- NetworkManager can handle configuration so less need to use a conf
file on the client
- tls-client.conf
- typical tls client conf that I'd use on a router.
I hope I haven't missed anything or messed up the config files too
badly. I can answer any questions about them that you might have.
# This file is /etc/openvpn/pwd-server.conf
port 1194
proto udp
dev tun
ca certauthority.crt
cert thisserver.crt
key thisserver.key
dh dh2048.pem
# clients authenticate with username/password only, so no client cert
# is checked (OpenVPN 2.4 renamed this "verify-client-cert none" and
# 2.5 dropped the old spelling)
client-cert-not-required
# the following options enable username and passwords based on pam:
# the pam service is "login", USERNAME and PASSWORD are substituted
# into its "login" and "password" prompts. Keep the plugin line on one
# line; a wrapped second line is read as a separate directive.
username-as-common-name
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so "login login USERNAME password PASSWORD"
# this is the network that clients on this vpn are a part of.
# note that it is only the bottom part of the subnet
# the upper part is used by a tcp openvpn
server 192.168.30.0 255.255.255.192
# this file should exist in /etc/openvpn
ifconfig-pool-persist ipp30udp.txt
# keep the client's route to this server on its real gateway
push "route remote_host 255.255.255.255 net_gateway"
# push routes to the other networks that are a part of my
# virtual private net
push "route 192.168.31.0 255.255.255.0"
push "route 192.168.30.0 255.255.255.192"
push "route 192.168.30.64 255.255.255.192"
push "route 192.168.40.0 255.255.255.0"
push "route 192.168.41.0 255.255.255.0"
push "route 192.168.42.0 255.255.255.0"
push "route 192.168.43.0 255.255.255.0"
push "dhcp-option DNS 192.168.31.1"
#push "dhcp-option WINS 192.168.31.1"
client-config-dir ccd
client-to-client
keepalive 10 120
comp-lzo
# drop root after startup; persist-key/persist-tun let openvpn restart
# the tunnel without needing root again
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
# This is a conf file for a password-based openvpn client
client
dev tun
proto udp
remote yourserver.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
mute 20
# only the CA cert is needed; it is what authenticates the server
ca certificateauthority.crt
# prompt for the username/password checked by the server's pam plugin
# (or name a file holding them, one per line)
auth-user-pass
# recommended: only accept a server cert that was issued for server
# use, so nobody else holding a cert from the same CA can pose as the
# server. Needs the server cert marked as a server cert when signed.
#remote-cert-tls server
comp-lzo
verb 3
# This is /etc/openvpn/tls-server.conf
port 1195
proto udp
dev tun
ca certificateauthority.crt
cert thisserver.crt
key thisserver.key # This file should be kept secret
dh dh2048.pem
# this is the network that clients on this vpn are a part of
# (the whole /24 here; only the pwd servers split their subnet)
server 192.168.31.0 255.255.255.0
# this file should exist in /etc/openvpn
ifconfig-pool-persist ipp31.txt
# keep the client's route to this server on its real gateway
push "route remote_host 255.255.255.255 net_gateway"
# push routes to the other networks that are a part of my
# virtual private net
push "route 192.168.31.0 255.255.255.0"
push "route 192.168.30.0 255.255.255.192"
push "route 192.168.30.64 255.255.255.192"
push "route 192.168.40.0 255.255.255.0"
push "route 192.168.41.0 255.255.255.0"
push "route 192.168.42.0 255.255.255.0"
push "route 192.168.43.0 255.255.255.0"
push "dhcp-option DNS 192.168.31.1"
#push "dhcp-option WINS 192.168.31.1"
# per-client files, named after the client cert's CN, live here
client-config-dir ccd
# This is a list of all my subnets that TLS clients on my
# vpn net bring with them. These "route" lines are needed in
# addition to the "iroute" lines in the ccd files: route puts
# a kernel route for the subnet onto the tun interface so the
# packet reaches openvpn at all, and iroute then tells openvpn
# which connected client the subnet is behind.
route 192.168.40.0 255.255.255.0
route 192.168.41.0 255.255.255.0
route 192.168.42.0 255.255.255.0
route 192.168.43.0 255.255.255.0
route 192.168.44.0 255.255.255.0
client-to-client
keepalive 10 120
# persist-key/persist-tun also allow dropping privileges with
# "user nobody" / "group nobody" as in pwd-server.conf
persist-key
persist-tun
status openvpn-status.log
verb 3
# MTU tuning: mssfix clamps TCP MSS so packets fit in the tunnel
tun-mtu 1500
tun-mtu-extra 32
mssfix 1400
# This file is /etc/openvpn/ccd/clientrouter
# (file name must equal the CN of the client's certificate)
# static endpoints, client address then server side; with "dev tun"
# both must sit in one /30 ([9,10] here, see the howto link above)
ifconfig-push 192.168.31.10 192.168.31.9
# subnets behind this client; each also needs a "route" in tls-server.conf
iroute 192.168.40.0 255.255.255.0
iroute 192.168.41.0 255.255.255.0
iroute 192.168.43.0 255.255.255.0
# this is /etc/openvpn/tls-client.conf
client
port 1195
proto udp
dev tun
remote yourserver.com 1195
tls-client
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
mute 20
ca /path/to/certificateauthority.crt
# this client's own cert and key; the cert's CN must be "clientrouter"
# so the server picks up ccd/clientrouter for it
cert /path/to/clientrouter.crt
key /path/to/clientrouter.key
# recommended: only accept a server cert that was issued for server
# use, so another client cert from the same CA cannot pose as the
# server. Needs the server cert marked as a server cert when signed.
#remote-cert-tls server
keepalive 10 120
#verb 3
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
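The post says to set up your own CA and sign one key for the server and one per TLS client (the author uses xca). As an added example, not from the original post, the same job with the openssl command line: it creates the CA, a thisserver cert marked for server use and a clientrouter client cert, so the file names line up with the configs above. The output directory, the CA name and the DIGEST variable (sha256 by default; the post reports SHA1 working with its openvpn build, so DIGEST=sha1 reproduces that) are assumptions. The check functions at the end cover the two things worth confirming before copying files around: that a client cert's CN equals its ccd file name, and which digest a cert was actually signed with.

```shell
#!/bin/sh
# make-certs.sh: CA, server cert and one TLS client cert for the configs
# above, using the openssl CLI. Added example, not from the original post.
# Assumptions: output dir is $1 or a temp dir; the names thisserver and
# clientrouter follow the configs; DIGEST picks the signature digest.
set -eu
OUT=${1:-$(mktemp -d)}
DIGEST=${DIGEST:-sha256}
mkdir -p "$OUT" && cd "$OUT"

# 1. the CA: ca.key stays offline, clients only ever get the .crt
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
    -out certificateauthority.crt -days 3650 "-$DIGEST" -subj "/CN=home-vpn-ca"

# 2. extension profiles; marking the server cert as a server cert is what
#    lets a client enforce "remote-cert-tls server"
cat > server.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
nsCertType=server
EOF
cat > client.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=clientAuth
nsCertType=client
EOF

# issue NAME EXTFILE -> NAME.key and NAME.crt with CN=NAME, signed by the CA
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1"
    openssl x509 -req -in "$1.csr" -CA certificateauthority.crt -CAkey ca.key \
        -CAcreateserial -out "$1.crt" -days 1095 "-$DIGEST" -extfile "$2"
    rm -f "$1.csr"
}
issue thisserver server.ext     # cert/key lines of both server confs
issue clientrouter client.ext   # CN equals the ccd file name

# checks worth running before copying anything to the server or router
cert_cn() {        # CN of a cert; must equal the ccd file name for a TLS client
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}
sig_alg() {        # digest the cert was signed with, e.g. sha256WithRSAEncryption
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}
is_server_cert() { # carries EKU serverAuth, which "remote-cert-tls server" requires
    openssl x509 -noout -text -in "$1" | grep -q 'TLS Web Server Authentication'
}
verify_chain() {   # does the CA cert validate this cert?
    openssl verify -CAfile certificateauthority.crt "$1" >/dev/null 2>&1
}

for c in thisserver clientrouter; do
    echo "$c.crt: CN=$(cert_cn "$c.crt") sig=$(sig_alg "$c.crt")" \
         "server=$(is_server_cert "$c.crt" && echo yes || echo no)" \
         "chain=$(verify_chain "$c.crt" && echo ok || echo FAIL)"
done
echo "files written to $OUT"
```

Copy certificateauthority.crt to every client, thisserver.crt/.key to the server, and clientrouter.crt/.key to the router; dh2048.pem is generated separately with `openssl dhparam -out dh2048.pem 2048`, which takes a while.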
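The ccd mechanism described above (file name equals the cert CN, one /30 address pair per client in ifconfig-push, iroute in the ccd file plus a matching route in the server conf) is easy to get subtly wrong, and a mistake in a ccd file only shows up when that client connects. As an added example, not from the original post, a small checker for a ccd directory against tls-server.conf. The sample server conf and ccd files it writes are constructed from the post's configs, with a second, deliberately broken client added; the paths are assumptions.

```shell
#!/bin/sh
# check-ccd.sh: consistency checks for tls-server.conf and its ccd/ files.
# Added example, not from the original post. Per ccd file it checks that
# the ifconfig-push pair is a valid "dev tun" /30 pair inside the server
# subnet and that every iroute has a matching "route" in the server conf.
set -eu

ip2int() {   # dotted quad -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_subnet() {   # in_subnet ADDR NET MASK: true if ADDR lies inside NET/MASK
    ai=$(ip2int "$1"); ni=$(ip2int "$2"); mi=$(ip2int "$3")
    [ $(( ai & mi )) -eq "$ni" ]
}

valid_net30_pair() {   # valid_net30_pair LOCAL REMOTE (either order)
    # with "dev tun" (net30 topology) each client gets a /30: both endpoints
    # must share it and neither may be its first (network) or last
    # (broadcast) address, e.g. [9,10] is fine, [11,12] and [8,9] are not
    l=$(ip2int "$1"); r=$(ip2int "$2")
    [ "$l" -ne "$r" ] && [ $(( l >> 2 )) -eq $(( r >> 2 )) ] || return 1
    for x in "$l" "$r"; do
        [ $(( x & 3 )) -ne 0 ] && [ $(( x & 3 )) -ne 3 ] || return 1
    done
}

check_ccd_file() {   # check_ccd_file SERVER_CONF CCD_FILE: one line per problem
    conf=$1; ccd=$2; name=$(basename "$ccd"); problems=0
    set -- $(grep -E '^server[[:space:]]' "$conf" || true)   # server NET MASK
    [ $# -ge 3 ] || { echo "$name: no 'server NET MASK' line in $conf"; return 1; }
    net=$2; mask=$3
    set -- $(grep -E '^ifconfig-push[[:space:]]' "$ccd" || true)
    if [ $# -ge 3 ]; then
        valid_net30_pair "$2" "$3" ||
            { echo "$name: ifconfig-push $2 $3 is not a valid /30 pair"; problems=$((problems + 1)); }
        for addr in "$2" "$3"; do
            in_subnet "$addr" "$net" "$mask" ||
                { echo "$name: $addr is outside $net/$mask"; problems=$((problems + 1)); }
        done
    fi
    # "route" carries the packet from the kernel to openvpn, "iroute" picks the client
    while read -r kw inet imask; do
        [ -n "$inet" ] || continue
        awk -v n="$inet" -v m="$imask" \
            '$1 == "route" && $2 == n && $3 == m { f = 1 } END { exit !f }' "$conf" ||
            { echo "$name: iroute $inet $imask has no 'route $inet $imask' in $conf"; problems=$((problems + 1)); }
    done <<EOF
$(grep -E '^iroute[[:space:]]' "$ccd" || true)
EOF
    [ "$problems" -eq 0 ]
}

problem_count() {   # problem_count SERVER_CONF CCD_FILE -> number of findings
    check_ccd_file "$1" "$2" | wc -l | tr -d ' '
}

# constructed sample data mirroring the post (paths are assumptions)
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/ccd"
cat > "$WORK/tls-server.conf" <<'EOF'
server 192.168.31.0 255.255.255.0
route 192.168.40.0 255.255.255.0
route 192.168.41.0 255.255.255.0
route 192.168.42.0 255.255.255.0
route 192.168.43.0 255.255.255.0
route 192.168.44.0 255.255.255.0
EOF
cat > "$WORK/ccd/clientrouter" <<'EOF'
ifconfig-push 192.168.31.10 192.168.31.9
iroute 192.168.40.0 255.255.255.0
iroute 192.168.41.0 255.255.255.0
iroute 192.168.43.0 255.255.255.0
EOF
# deliberately broken: the pair straddles a /30 boundary and the iroute
# subnet has no matching route on the server
cat > "$WORK/ccd/badclient" <<'EOF'
ifconfig-push 192.168.31.12 192.168.31.11
iroute 192.168.45.0 255.255.255.0
EOF

for f in "$WORK"/ccd/*; do
    check_ccd_file "$WORK/tls-server.conf" "$f" && echo "$(basename "$f"): ok" || true
done
```

Run it as `check_ccd_file /etc/openvpn/tls-server.conf /etc/openvpn/ccd/clientrouter` on the real files; it says nothing about the cert itself, so the CN still has to be compared with the file name by hand (or with the cert_cn check from the CA example).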