does anyone consider openVPN (or any VPN solution) to be simple to set up?

Yes, it's very simple. To me, the hardest part was deciding what IPs to use
and what naming convention to use for my keys.

The following is my "how-to" file (which I keep handy in /etc/openvpn/HOW-TO).
While it does not really explain what is going on, it *does* list all of the
necessary steps to create a server, create a client key, install a client key
on a client.

Alan



--

NOTE - in all cases below, replace the word SERVER with the host name of the
server. Likewise, replace CLIENT with the host name of the client. In my
example files, there is a server called "mysrv" and a client called "myclient".


OUR NAMING CONVENTION FOR CERTIFICATES, DIRECTORIES AND "COMMON NAMES"

server configuration
--------------------
The server keys, certificates, and accounting files are in /etc/openvpn/keys/SERVER/
The "common name" for the certificate authority is "SERVER".
The "common name" for the server certificate is "SERVER".

client certificates
-------------------
Files are called /etc/openvpn/keys/SERVER/SERVER-CLIENT.{crt,csr,key}
The "common name" is "SERVER-CLIENT".

OpenVPN configuration files
---------------------------
Server config files are /etc/openvpn/SERVER.conf
Client-specific config files (on server) /etc/openvpn/client_config/SERVER-CLIENT
Client config files are /etc/openvpn/SERVER-CLIENT.conf

CREATING THE SERVER KEYS

. ./vars
./tools/clean-all
./tools/build-ca
./tools/build-key-server mysrv
./tools/build-dh

CREATING CLIENT KEYS

. ./vars
./tools/build-key clientname

(then copy clientname.crt clientname.key and ca.crt to the client machine)
(create a conf file for the client)

REVOKING A CLIENT KEY

. ./vars
./tools/revoke-full bad_client

(and then read http://openvpn.net/howto.html#quick)

EXAMPLE SERVER CONF FILE

# the basics
port 1194
proto udp
dev tun

# certificate stuff
ca /etc/openvpn/keys/mysrv/ca.crt
cert /etc/openvpn/keys/mysrv/mysrv.crt
key /etc/openvpn/keys/mysrv/mysrv.key
dh /etc/openvpn/keys/mysrv/dh1024.pem

# address range to use
server 10.99.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# advertise our own subnet to clients
push "route 10.1.0.0 255.255.0.0"

# client 'myclient' will route 10.2.0.0/16
# only necessary if you're bridging two networks,
# not if you're just handling the "road warrior"
client-config-dir client_config
route 10.2.0.0 255.255.0.0

# lower-layers
keepalive 10 120
comp-lzo
persist-key
persist-tun

# for better security
user nobody
group nogroup

# logging
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3

EXAMPLE CLIENT CONF FILE

# the basics
dev tun
proto udp
client
remote servers.address.com 1194

# retries, etc
resolv-retry infinite
nobind
persist-key
persist-tun

# for security
user nobody
group nogroup

# certificate stuff
ca /etc/openvpn/keys/mysrv/ca.crt
cert /etc/openvpn/keys/mysrv/mysrv-myclient.crt
key /etc/openvpn/keys/mysrv/mysrv-myclient.key

# low layers
comp-lzo

# logging
log-append /var/log/openvpn.log
verb 3

END
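As an added example (not part of Alan's post or the OpenVPN project), a small Python checker that parses a client conf and verifies it against the naming convention above: cert and key must live in /etc/openvpn/keys/SERVER/ and be named SERVER-CLIENT, and must agree on which SERVER and CLIENT they name. The sample conf is constructed from the post's example, and the `remote-cert-tls server` check is my addition, since neither example conf in the post verifies that the peer certificate is the server's.

```python
import re
import shlex

# Constructed sample input, modelled on the client conf in the post.
CLIENT_CONF = """\
dev tun
proto udp
client
remote servers.address.com 1194
persist-key
persist-tun
user nobody
group nogroup
ca /etc/openvpn/keys/mysrv/ca.crt
cert /etc/openvpn/keys/mysrv/mysrv-myclient.crt
key /etc/openvpn/keys/mysrv/mysrv-myclient.key
"""

# Matches /etc/openvpn/keys/SERVER/SERVER-CLIENT.{crt,key}; \1 forces the same SERVER twice.
PATH_RE = re.compile(r"^/etc/openvpn/keys/([^/]+)/\1-([^/.]+)\.(crt|key)$")

def parse_conf(text):
    """Map each directive to the list of its argument lists; push "route ..." stays one arg."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        words = shlex.split(line)
        conf.setdefault(words[0], []).append(words[1:])
    return conf

def check_client_conf(text):
    """Return a list of findings; an empty list means the conf follows the convention."""
    conf, findings = parse_conf(text), []
    for d in ("client", "remote", "ca", "cert", "key", "user", "group"):
        if d not in conf:
            findings.append(f"missing directive: {d}")
    names = set()                            # (SERVER, CLIENT) pairs seen in cert/key paths
    for d in ("cert", "key"):
        for args in conf.get(d, []):
            m = PATH_RE.match(args[0]) if args else None
            if not m:
                findings.append(f"{d} path does not follow keys/SERVER/SERVER-CLIENT.{d}")
            else:
                names.add(m.group(1, 2))
    if len(names) > 1:
        findings.append(f"cert and key name different identities: {sorted(names)}")
    if names and conf.get("ca"):
        ca_args, server = conf["ca"][-1], next(iter(names))[0]
        if not ca_args or not ca_args[0].startswith(f"/etc/openvpn/keys/{server}/"):
            findings.append("ca.crt is not in the server's key directory")
    if "remote-cert-tls" not in conf and "ns-cert-type" not in conf:
        findings.append("add 'remote-cert-tls server' so a client cert cannot impersonate the server")
    return findings
```

Run it over each /etc/openvpn/SERVER-CLIENT.conf before copying the file to a client; a mismatched cert/key pair shows up before the client fails its TLS handshake.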



