FreeBSD OpenVPN Server/Routed

From Secure Computing Wiki
Revision as of 07:25, 4 October 2007 by Ecrist (Talk | contribs) (OpenVPN Configuration)


Many people feel overwhelmed by the installation and configuration of OpenVPN. Here, I'll try to write an easy-to-understand installation guide.

Install OpenVPN

The first step toward a running OpenVPN installation is to install OpenVPN. On FreeBSD, we can do so from the ports tree:

cd /usr/ports/security/openvpn && make install clean

Once the installation is complete, we need to set up our directories for storing our SSL keys, CRL, etc. I keep all this information in /usr/local/etc/openvpn.

mkdir /usr/local/etc/openvpn

In order for OpenVPN to start, we need to add the following line to /etc/rc.conf:

openvpn_enable="YES"

Setup SSL Certificates/Keys

I think setting up SSL is the toughest part of OpenVPN for most people, including myself. I've written a script to help manage my network's OpenSSL certificates. You can download this file here. Extract the tgz in your home directory (for now). You should see two files: ssl-admin.pl and openssl.cnf.

Tuning ssl-admin.pl

You must edit the Perl script to work correctly on your network. When initially downloaded, the script will exit, reminding you to set up all the variables at the top of the file. By default, the top of the file looks like this:

### Comment out the line with a # when you edit this file.
die("\n\n\n\nPlease edit variables and comment out this line.\n\n\n\n");
### SSL CERT Variables here ###
$ENV{'KEY_COUNTRY'} = "COUNTRY";
$ENV{'KEY_PROVINCE'} = "STATE/PROVINCE";
$ENV{'KEY_CITY'} = "CITY";
$ENV{'KEY_ORG'} = "ORGANIZATION";
$ENV{'KEY_EMAIL'} = 'EMAIL_ADDRESS';
$ENV{'KEY_SIZE'} = "1024";
$ENV{'KEY_DIR'} = "/usr/local/etc/openvpn/ssl"; 
$ENV{'KEY_DAYS'} = "3650";
$ENV{'KEY_CN'} = "";
$ENV{'KEY_CRL_LOC'} = "URI:http://CRL_URI";

We need to change each of these values. The top of my file, with all the variables set, looks like this:

### Comment out the line with a # when you edit this file.
#die("\n\n\n\nPlease edit variables and comment out this line.\n\n\n\n");
### SSL CERT Variables here ###
$ENV{'KEY_COUNTRY'} = "US";
$ENV{'KEY_PROVINCE'} = "MN";
$ENV{'KEY_CITY'} = "Minneapolis";
$ENV{'KEY_ORG'} = "Secure Computing Networks";
$ENV{'KEY_EMAIL'} = 'root@secure-computing.net';
$ENV{'KEY_SIZE'} = "1024";
$ENV{'KEY_DIR'} = "/usr/local/etc/openvpn/ssl";
$ENV{'KEY_DAYS'} = "3650";
$ENV{'KEY_CN'} = "";
$ENV{'KEY_CRL_LOC'} = "URI:https://www.secure-computing.net/crl.pem";

There are a couple of points to note. First, make sure you comment out the die(... line. Failure to do so will result in the script refusing to run. Second, KEY_CRL_LOC is an optional variable, for use if you want to make your certificate revocation list available to the public. This script will not upload the CRL to your URI location; that must be done manually.

For OpenVPN purposes, I would not recommend making a key smaller than 1024 bits. The KEY_DAYS variable determines how long your certificates are good for; essentially, this is how often you'll have to reissue SSL certificates to your users. You can always revoke a certificate, so there's little to worry about with lost or stolen keys, or users who leave.

Lastly, your KEY_DIR directory must already exist, or the script will error out. In our test installation here, we need to create this directory:

mkdir /usr/local/etc/openvpn/ssl

I keep my ssl-admin.pl script in /usr/local/etc/openvpn. This script keeps all of the files it needs to run in its own directory, which helps keep my openvpn directory clean.
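Before running ssl-admin.pl for the first time, it is worth checking the variable block for the three mistakes described above: the die(... line still active, placeholder values left in place, and a KEY_DIR that does not exist yet. The following POSIX sh script is an added example, not part of ssl-admin.pl or this wiki; it only reads the $ENV{'KEY_*'} assignments from a copy of the script. The two sample files it writes are constructed for the demonstration (the organisation and e-mail in the "edited" sample are made up), and the function names are this example's own.

```shell
#!/bin/sh
# Added preflight check for the variable block at the top of ssl-admin.pl
# (example code, not part of ssl-admin.pl). It reads the $ENV{'KEY_*'}
# assignments and reports the mistakes that would make the script fail.

# ssl_admin_var FILE NAME -> prints the value assigned to $ENV{'NAME'} in FILE
ssl_admin_var() {
    sed -n "s/^\\\$ENV{'$2'} *= *['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# check_ssl_admin FILE -> prints one line per problem; returns 0 only if clean
check_ssl_admin() {
    file=$1; problems=0
    # the die() guard must be commented out or the script refuses to run
    if grep -q '^die(' "$file"; then
        echo "die() guard is still active; comment it out with #"
        problems=$((problems + 1))
    fi
    # certificate fields still at the placeholders the file ships with
    for pair in KEY_COUNTRY=COUNTRY KEY_PROVINCE=STATE/PROVINCE \
                KEY_CITY=CITY KEY_ORG=ORGANIZATION KEY_EMAIL=EMAIL_ADDRESS; do
        name=${pair%%=*}; default=${pair#*=}
        if [ "$(ssl_admin_var "$file" "$name")" = "$default" ]; then
            echo "$name still has its placeholder value '$default'"
            problems=$((problems + 1))
        fi
    done
    # the guide recommends no key smaller than 1024 bits
    size=$(ssl_admin_var "$file" KEY_SIZE)
    case "$size" in
        ''|*[!0-9]*) small=1 ;;                                   # missing or not a number
        *) if [ "$size" -lt 1024 ]; then small=1; else small=0; fi ;;
    esac
    if [ "$small" -eq 1 ]; then
        echo "KEY_SIZE is '$size'; use at least 1024"
        problems=$((problems + 1))
    fi
    # KEY_DIR must already exist or ssl-admin.pl errors out
    dir=$(ssl_admin_var "$file" KEY_DIR)
    if [ ! -d "$dir" ]; then
        echo "KEY_DIR '$dir' does not exist; create it first"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# write_unedited_sample FILE -> constructed copy of the block as shipped
write_unedited_sample() {
    cat > "$1" <<'EOF'
### Comment out the line with a # when you edit this file.
die("\n\n\n\nPlease edit variables and comment out this line.\n\n\n\n");
### SSL CERT Variables here ###
$ENV{'KEY_COUNTRY'} = "COUNTRY";
$ENV{'KEY_PROVINCE'} = "STATE/PROVINCE";
$ENV{'KEY_CITY'} = "CITY";
$ENV{'KEY_ORG'} = "ORGANIZATION";
$ENV{'KEY_EMAIL'} = 'EMAIL_ADDRESS';
$ENV{'KEY_SIZE'} = "1024";
$ENV{'KEY_DIR'} = "/usr/local/etc/openvpn/ssl";
$ENV{'KEY_DAYS'} = "3650";
$ENV{'KEY_CN'} = "";
$ENV{'KEY_CRL_LOC'} = "URI:http://CRL_URI";
EOF
}

# write_edited_sample FILE KEYDIR -> constructed edited block pointing at KEYDIR
# (organisation and e-mail below are made-up sample values)
write_edited_sample() {
    cat > "$1" <<EOF
#die("\n\n\n\nPlease edit variables and comment out this line.\n\n\n\n");
\$ENV{'KEY_COUNTRY'} = "US";
\$ENV{'KEY_PROVINCE'} = "MN";
\$ENV{'KEY_CITY'} = "Minneapolis";
\$ENV{'KEY_ORG'} = "Example Org";
\$ENV{'KEY_EMAIL'} = 'root@example.invalid';
\$ENV{'KEY_SIZE'} = "1024";
\$ENV{'KEY_DIR'} = "$2";
\$ENV{'KEY_DAYS'} = "3650";
EOF
}

# demo -> checks both constructed samples; returns 0 if the unedited one is
# rejected and the edited one passes
demo() {
    tmp=$(mktemp -d) || return 1
    write_unedited_sample "$tmp/unedited.pl"
    mkdir "$tmp/ssl"
    write_edited_sample "$tmp/edited.pl" "$tmp/ssl"
    echo "== unedited (expect problems) =="
    if check_ssl_admin "$tmp/unedited.pl"; then unedited_rc=0; else unedited_rc=1; fi
    echo "== edited (expect clean) =="
    if check_ssl_admin "$tmp/edited.pl"; then edited_rc=0; else edited_rc=1; fi
    rm -rf "$tmp"
    [ "$unedited_rc" -ne 0 ] && [ "$edited_rc" -eq 0 ]
}

demo
```

To check your real copy, run check_ssl_admin /usr/local/etc/openvpn/ssl-admin.pl (or wherever you keep it); a zero exit status means the script should at least get past its own guard and find its key directory.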

Executing ssl-admin.pl

We should now be ready to run ssl-admin.pl for the first time. Please note that you will need Perl 5.8.8 or later installed for this script to run. At this time, there are no other dependencies. To run the script, simply use the following command:

KEY_DIR/ssl-admin.pl

Replace KEY_DIR with the directory where the ssl-admin.pl script resides. If your current working directory is that directory, use the following command:

./ssl-admin.pl

First Run

The first time (after you've set your variables), you're going to be prompted to either create a new CA root certificate, or point the script to your existing one. For the purpose of this document, we're going to create a new certificate.

  • For the certificate owner's name, I used vpn. Note that you cannot use spaces, capital letters, or special characters.
  • ALWAYS protect your CA certificate's private key with a password. Otherwise, why have a VPN if you're going to give keys to the world?
  • You'll note that most questions are answered automatically for you, based on the variables at the head of our script.

Once the CA certificate has been created (or pointed to), you should get a menu that appears as follows:

=====================================================
#                  SSL-ADMIN                        #

OpenVPN Configuration

Now that we've got our SSL setup complete, we can move on to setting up the remainder of OpenVPN. To begin, we need Diffie-Hellman parameters. Create them with the following command:

openssl dhparam -out KEY_DIR/dh1024.pem 1024

Replace KEY_DIR with your OpenVPN directory.

Finally, we can create our OpenVPN configuration file. I will show you the file I use, and explain the entries as best I can:

daemon
port 1194

proto udp

dev tun

ca      /usr/local/etc/openvpn/ssl/active/ca.crt
cert    /usr/local/etc/openvpn/ssl/active/server.crt
key     /usr/local/etc/openvpn/ssl/active/server.key
dh      /usr/local/etc/openvpn/ssl/active/dh1024.pem

server 172.30.0.0 255.255.255.0

push "route 192.168.1.0 255.255.255.0"

# IVANS network
push "route 204.146.91.0 255.255.255.0"

# this is necessary for clients to reach 
# clients behind the openvpn gateways
client-to-client

keepalive 10 120

## allow multiple access from the same client
duplicate-cn

user vpn
group vpn

persist-key
persist-tun

status                  /var/openvpn/openvpn-status.log

log-append              /var/log/openvpn.log

verb 4

crl-verify              /usr/local/etc/openvpn/ssl/prog/crl.pem
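A configuration of this shape is only as safe as the files it points at: a missing crl-verify file means revoked certificates are still accepted, a group- or world-readable server.key hands the server identity to any local user, and without user/group the daemon keeps running as root. The following POSIX sh script is an added example, not part of OpenVPN or this wiki, that reads the directives from a server config and checks those points. The sample config it writes is modelled on the file above but constructed for the demonstration, with its credential files replaced by empty stand-ins under a temporary directory; the function names are this example's own.

```shell
#!/bin/sh
# Added sanity check for an OpenVPN server config laid out as above
# (example code, not part of OpenVPN). It reads directives from the file
# and verifies the credential paths, key permissions and privilege drop.

# ovpn_opt CONF DIRECTIVE -> prints the first argument of DIRECTIVE, if present
ovpn_opt() {
    awk -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# ovpn_has CONF DIRECTIVE -> true if DIRECTIVE appears outside a comment
ovpn_has() {
    awk -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# check_ovpn_server CONF -> prints findings; returns 0 only with no ERROR lines
check_ovpn_server() {
    conf=$1; errors=0
    # every credential the server loads must exist at the configured path
    for d in ca cert key dh crl-verify; do
        f=$(ovpn_opt "$conf" "$d")
        if [ -z "$f" ]; then
            echo "ERROR: '$d' is not set"; errors=$((errors + 1))
        elif [ ! -f "$f" ]; then
            echo "ERROR: $d file '$f' does not exist"; errors=$((errors + 1))
        fi
    done
    # the server's private key must not be readable by group or others
    key=$(ovpn_opt "$conf" key)
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "ERROR: key '$key' is group/world accessible; chmod 600 it"
        errors=$((errors + 1))
    fi
    # drop privileges after startup; persist-key and persist-tun let the
    # unprivileged daemon survive a restart (SIGUSR1, keepalive timeout)
    for d in user group persist-key persist-tun; do
        if ! ovpn_has "$conf" "$d"; then
            echo "ERROR: '$d' is missing"; errors=$((errors + 1))
        fi
    done
    if ovpn_has "$conf" duplicate-cn; then
        echo "WARN: duplicate-cn is set; clients sharing one certificate cannot be revoked individually"
    fi
    [ "$errors" -eq 0 ]
}

# write_sample_conf DIR -> constructed openvpn.conf under DIR, modelled on the
# file above, plus empty stand-ins for the credentials (key mode 0600)
write_sample_conf() {
    dir=$1
    mkdir -p "$dir/ssl/active" "$dir/ssl/prog"
    for f in ssl/active/ca.crt ssl/active/server.crt ssl/active/server.key \
             ssl/active/dh1024.pem ssl/prog/crl.pem; do
        : > "$dir/$f"
    done
    chmod 600 "$dir/ssl/active/server.key"
    cat > "$dir/openvpn.conf" <<EOF
daemon
port 1194
proto udp
dev tun
ca      $dir/ssl/active/ca.crt
cert    $dir/ssl/active/server.crt
key     $dir/ssl/active/server.key
dh      $dir/ssl/active/dh1024.pem
server 172.30.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
# this is necessary for clients to reach
# clients behind the openvpn gateways
client-to-client
keepalive 10 120
duplicate-cn
user vpn
group vpn
persist-key
persist-tun
verb 4
crl-verify              $dir/ssl/prog/crl.pem
EOF
}

# demo -> runs the check on the clean sample, then again after loosening the
# key's permissions; returns 0 if the first passes and the second fails
demo() {
    tmp=$(mktemp -d) || return 1
    write_sample_conf "$tmp"
    echo "== as written (expect clean) =="
    if check_ovpn_server "$tmp/openvpn.conf"; then clean_rc=0; else clean_rc=1; fi
    chmod 644 "$tmp/ssl/active/server.key"
    echo "== key chmod 644 (expect error) =="
    if check_ovpn_server "$tmp/openvpn.conf"; then loose_rc=0; else loose_rc=1; fi
    rm -rf "$tmp"
    [ "$clean_rc" -eq 0 ] && [ "$loose_rc" -ne 0 ]
}

demo
```

Run check_ovpn_server /usr/local/etc/openvpn/openvpn.conf (or whatever path your rc.conf points OpenVPN at) after editing the file; the WARN line for duplicate-cn is informational, since the file above sets it deliberately, but it is worth remembering that revoking a shared certificate cuts off everyone using it.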