Here's a quick HOWTO for setting up an OpenVPN server and client on any (Debian, in this case) Linux machine of your choice. I'm running an OpenVPN server on a box at home, and a client on my laptop, so I can securely route all my laptop traffic through my OpenVPN server, no matter where I am.
I highly recommend reading the official OpenVPN HOWTO from top to bottom, at least once. But here's a short, condensed HOWTO (specifically geared towards my needs, yours might be different):
Setting up the Server
$ aptitude install openvpn udev
$ cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
$ cd /etc/openvpn/easy-rsa
$ . ./vars
$ export KEY_SIZE=4096   # set this after sourcing vars, which exports its own KEY_SIZE
$ . ./clean-all
$ . ./build-ca
You'll now have the chance to enter some data such as country code (e.g. "DE"), state/province, locality, organization name, organizational unit name, common name, name, and email address. The values you choose don't really matter much (except for commonName, maybe, which could be your hostname or domain or such). Finally, the ca.key (root CA key) and ca.crt (root CA certificate) files will be created.
Next, we'll create the server key:
$ ./build-key-server server
You'll have to enter lots of info again (see above), commonName could be "server" or such this time. Upon "Sign the certificate? [y/n]" say y, as well as upon "1 out of 1 certificate requests certified, commit? [y/n]". Finally, the server.key and server.crt files will be created.
Same procedure for creating a client key (I used "client1" as filename and commonName here):
$ ./build-key client1
Next up we'll generate Diffie Hellman parameters (this will take a shitload of time due to keysize=4096,
When this step is done, you'll have a dh4096.pem file.
As we want to use OpenVPN's "tls-auth" feature for perfect forward secrecy (it "adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification"), we'll have to generate a shared secret:
$ openvpn --genkey --secret ta.key
$ mv ta.key keys
So much for creating keys. Now, we'll have to configure OpenVPN. Copy the default server config file and edit it:
$ cd /etc/openvpn
$ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .
$ gunzip server.conf.gz
Example of my config file:
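port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
# server private key, created by build-key-server above
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh4096.pem
# shared tls-auth secret: direction 0 on the server, 1 on the client
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.2"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3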
You can now start the OpenVPN server, e.g. via
$ /etc/init.d/openvpn restart
Iptables and routing in your network
After setting up the server, you need to enable routing on it and enable NATTing to your network.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
On your private network, you need to add a route on your internal router that sends traffic for 10.8.0.0/24 to the internal IP of your VPN server.
On the client, install OpenVPN (apt-get install openvpn, or the Windows installer), then copy the default client config file and edit it:
$ cd /etc/openvpn
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .
Change the parameters to match the server config (port 443/TCP, and so on) and use "tls-auth /etc/openvpn/ta.key 1" (note the "1" on the client, and the "0" on the server!). Replace xxx.xxx.xxx.xxx with the public IP address of your OpenVPN server. If it doesn't have a public, static IP address already, you can use services such as DynDNS, or (my preferred method), my ssh-based DIY poor man's dynamic DNS setup.
Here's my full client config:
client
dev tun
proto udp
# change to your vpn server
remote xxxxxxxxxxxxxxxxxxx 1194
resolv-retry infinite
nobind
# if using linux, you might want to uncomment these
# in order to downgrade privileges
# user nobody
# group nogroup
persist-key
# persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
ca 'ca.crt'
cert 'client1.crt'
key 'client1.key'
ns-cert-type server
tls-auth 'ta.key' 1
# cipher DES-EDE3-CBC
comp-lzo
verb 3
# auth-user-pass
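The matching rules described above (same parameters on both ends, tls-auth "0" on the server and "1" on the client) can be checked mechanically before the first connection attempt. The following shell script is an added example, not part of the original HOWTO; the function names, the sample configs and the host name vpn.example.org are constructed for illustration, and the tls-auth check enforces this HOWTO's 0/1 setup.

```sh
#!/bin/sh
# Added example (not from the original HOWTO): lint a server/client config pair.

# ovpn_get FILE DIRECTIVE N: print field N of the first active DIRECTIVE line
# (N=1 is the directive itself, N=0 the whole whitespace-normalised line).
# Lines commented out with '#' or ';' are ignored; quotes are stripped.
ovpn_get() {
    awk -v d="$2" -v n="$3" -v q="'" '
        /^[ \t]*[#;]/ { next }
        $1 == d { $1 = $1; v = $n; gsub("[\"" q "]", "", v); print v; exit }' "$1"
}

fail() { echo "PROBLEM: $*"; bad=1; }

# ovpn_check SERVER_CONF CLIENT_CONF: one line per problem; returns 1 if any.
ovpn_check() {
    s=$1; c=$2; bad=0
    # these directives must be identical on both ends
    for d in proto dev comp-lzo; do
        [ "$(ovpn_get "$s" "$d" 0)" = "$(ovpn_get "$c" "$d" 0)" ] ||
            fail "'$d' differs between server and client"
    done
    # 1194 is OpenVPN's default port when none is given
    sport=$(ovpn_get "$s" port 2); cport=$(ovpn_get "$c" remote 3)
    [ "${sport:-1194}" = "${cport:-1194}" ] ||
        fail "client 'remote' port ${cport:-1194} != server port ${sport:-1194}"
    for d in ca cert key dh; do
        [ -n "$(ovpn_get "$s" "$d" 2)" ] || fail "server config lacks '$d'"
    done
    for d in ca cert key; do
        [ -n "$(ovpn_get "$c" "$d" 2)" ] || fail "client config lacks '$d'"
    done
    [ "$(ovpn_get "$s" tls-auth 3)" = 0 ] || fail "server needs 'tls-auth <file> 0'"
    [ "$(ovpn_get "$c" tls-auth 3)" = 1 ] || fail "client needs 'tls-auth <file> 1'"
    return "$bad"
}

# Constructed sample pair: the server has no 'key' line and no tls-auth,
# and comp-lzo is commented out on the client only.
demo() {
    t=$(mktemp -d)
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'ca ca.crt' \
        'cert server.crt' 'dh dh4096.pem' 'comp-lzo' > "$t/server.conf"
    printf '%s\n' 'client' 'proto udp' 'dev tun' 'remote vpn.example.org 1194' \
        "ca 'ca.crt'" "cert 'client1.crt'" "key 'client1.key'" \
        "tls-auth 'ta.key' 1" ';comp-lzo' > "$t/client.conf"
    ovpn_check "$t/server.conf" "$t/client.conf"; rc=$?
    rm -rf "$t"; return "$rc"
}
demo || true
```

Run `ovpn_check /etc/openvpn/server.conf /path/to/client.conf` against your real files; it only reads the configs and never touches key material.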
Now you only need to copy the required certificates and keys to the client: client1.crt, client1.key, ca.crt, and ta.key. Do not copy the other, server-specific private keys and such to the client(s)! Also, the root CA key (ca.key) should not even be left on the server, but rather moved to some offline storage/box, so that it cannot fall into the wrong hands, e.g. in the case of a server compromise.
On Windows, you need to install the GUI and run it as administrator.