This is me doing a bridged OpenVPN setup.  eth0 is LAN, eth1 is Internet.
RHEL4 in use.  iptables left as an exercise for the reader.

darky, 20050603 0220

This document reads something like:

- Bridged setup instructions
- Routed setup instructions
- Windows tips
- Change log

======================================================================

- Install bridge-utils
- Install openvpn, lzo from Dag
  - Get lzo 1.08, not 2.x, in my experience

WARNING: If you manage to make the RH networking scripts try to take a
bridge device down before you delete all devices from the bridge, I
believe you'll basically hang the kernel up trying to get rid of the
bridge device.  Something like that.  Moral of the story being: careful
if you try to get tricky and do this remotely, because you might end up
kicking the box entirely off the network until it gets rebooted.
Nonetheless, I've tried to give the instructions in the proper order so
that you can set up a bridge remotely without killing the box.

- HEY MAKE SURE TO INSTALL bridge-utils (I keep forgetting)
- ifdown eth0
- /etc/sysconfig/network-scripts/ifcfg-lanbr0:

    TYPE=Bridge
    BOOTPROTO=static
    ONBOOT=yes
    DEVICE=lanbr0
    IPADDR=10.0.3.1
    NETMASK=255.128.0.0

- /etc/sysconfig/network-scripts/ifcfg-eth0:

    DEVICE=eth0
    HWADDR=DE:AD:BE:EF:F0:0D
    ONBOOT=yes
    TYPE=Ethernet
    BRIDGE=lanbr0

  lanbr0 has to have a static IP.  (The LAN address moves from eth0 to
  the bridge; eth0 itself carries no IP once it's a bridge port.)

- ifup lanbr0
- ifup eth0
- If you're running dhcpd and you've specified eth0 in
  /etc/sysconfig/dhcpd, go and change it to lanbr0.  You'll need to do
  the same for other services/configurations, of course, including
  iptables.
- Check the system clock and make sure it's right.  Otherwise your
  certificates won't be valid (or, at best, won't be valid until some
  point in the future).
- Make CA and various keys (as root):
  - cd /root
  - mkdir ca; chmod 700 ca; cd ca
  - Make a copy of the easy-rsa stuff:
    - From Dag RPMs: cp /usr/share/doc/openvpn-*/easy-rsa/* .
    - From Fedora Extras: cp /usr/share/openvpn/easy-rsa/1.0/* .
  - chmod 600 *; egrep -l '/bin/(ba)?sh' * | xargs chmod 700
  - Edit vars: KEY_SIZE 1024->2048, and the KEY_COUNTRY/KEY_PROVINCE/
    KEY_CITY/KEY_ORG/KEY_EMAIL defaults at the bottom
  - bash (a subshell, so the easy-rsa variables don't linger in your
    root shell; the ^D below leaves it)
  - . ./vars
  - ./clean-all && ./build-ca
  - ./build-key-server server
  - Build any client keys you'd like with ./build-key
  - IF you're comfortable using the SKIP DH parameters distributed with
    OpenSSL (I certainly am):
    - wget -O keys/dh2048.pem http://www.codefu.org/people/darkness/dh2048.pem
    - You should probably run:

        openssl dhparam -check -in keys/dh2048.pem -noout

      This checks that p is a (safe) prime and that the generator is
      suitable for DH.  The file comes over plain HTTP, so this check is
      what actually tells you the parameters you got are sound.  Further
      paranoia would require checking the values against those found in
      the SKIP specification.  (Some day it might be cool to get the RFC
      3526 parameters used in IPsec, if only because they'll probably see
      more use than SKIP.)
  - OTHERWISE, ./build-dh
  - ^D
- install -o 0 -g 0 -m 400 keys/ca.crt keys/server.{key,crt} \
      keys/dh*.pem /etc/openvpn/
  - Note: if you're running OpenVPN as non-root, your environment may
    require you to make these files readable by the user OpenVPN runs
    as.  This is typically as easy as changing the group on the files
    (including ipp.txt and the status log file).  I'm not sure you'll
    ever get SIGHUP to work as non-root, though, since SIGHUP always
    closes and reopens the tap/tun device, and reopening it unprivileged
    is problematic.  (A SIGUSR1 restart with persist-key and persist-tun
    in the config keeps the device and keys open and does work
    unprivileged.)  Fedora's init script, at least, uses SIGHUP when you
    request a "reload".
- install -o 0 -g 0 -m 644 \
      /usr/share/doc/openvpn-*/sample-config-files/server.conf \
      /etc/openvpn/vpn.conf
- Edit /etc/openvpn/vpn.conf
  - dev ovpntap0
  - dev-type tap
  - Change dh1024.pem to dh2048.pem
  - Comment out server line
  - Uncomment server-bridge and edit the line
  - Add any route statements you need
  - optional: push dhcp-options for DNS and/or WINS
    - push multiple servers with one push dhcp-option per server:

        push "dhcp-option DNS 1.2.3.4"
        push "dhcp-option DNS 1.2.3.5"

  - optional: add dhcp-option for NBT (NetBIOS node type): 2 and 8 are
    the ones you want; 2 is p-node (WINS only) and 8 is h-node (hybrid:
    query WINS first, then broadcast)
  - optional: push a default domain with the DOMAIN option
  - optional: enable client-to-client for people to be able to talk to
    each other -- except I think this might only have an effect with
    OpenVPN in a routed environment
  - optional: cipher AES-256-CBC
  - optional: enable the management server with
    "management 127.0.0.1 1193"; useful for troubleshooting, killing old
    connections, etc.  Keep it bound to 127.0.0.1: anyone who can connect
    to that port can drop clients, so on a box with other local users add
    the optional password-file argument (management IP port pw-file).
- /etc/openvpn/vpn.sh:

    #!/bin/bash -e
    TAP=ovpntap0
    BR=lanbr0
    openvpn --mktun --dev $TAP --dev-type tap >/dev/null
    ip addr flush dev $TAP 2>/dev/null
    ip link set dev $TAP up
    brctl addif $BR $TAP

- /etc/openvpn/openvpn-shutdown:

    #!/bin/bash -e
    TAP=ovpntap0
    BR=lanbr0
    ip link set dev $TAP down
    brctl delif $BR $TAP
    openvpn --rmtun --dev $TAP --dev-type tap >/dev/null

- chmod 755 /etc/openvpn/{vpn.sh,openvpn-shutdown}
- chkconfig openvpn on; service openvpn start

  If it fails to start, and especially if you're on an older box (like
  RH 7.2, which is what I'm working on as I write this comment), check
  /var/log/messages.  You may see something like:

    Cannot open TUN/TAP dev /dev/ovpntun0: No such file or directory (errno=2)

  In that case, you're very possibly missing /dev/net/tun:

    [ -d /dev/net ] || mkdir /dev/net
    mknod /dev/net/tun c 10 200 && chmod 600 /dev/net/tun

  Now try to start the openvpn service again.

If you're using iptables or other firewalling, don't forget to allow in
1194/udp for OpenVPN, and to allow forwarding on your Linux box.  Also,
don't forget to make sure net.ipv4.ip_forward=1 is in /etc/sysctl.conf.

Add any routes to the config file, if you need networks other than the
one you're bridging for.

======================================================================

Notes on a routed setup

I've had two old boxes (RH 8.0) that I needed to put OpenVPN on.  I
wasn't comfortable with setting up bridging remotely, so I decided to
make them routed.

Changed from the above instructions:

- No bridge-utils needed, no editing of ifcfg-* or doing service
  network restart.
- For dev and dev-type:

    dev ovpntun0
    dev-type tun

- In vpn.conf:
  - Don't comment the server line; instead, fill it in with your own
    choice for the subnet
    - Randomly generate the middle two octets (10.x.x.0/24), so the VPN
      subnet is unlikely to collide with whatever LAN a client is
      sitting on:

        dd if=/dev/urandom bs=2 count=1 | od -t uC

  - Add routes to any networks that lie beyond the firewall.
- You don't need the two scripts in /etc/openvpn.

For Windows routed instead of bridged, see the Windows bridged/routed
section below.

======================================================================

OpenVPN Windows client

For bridged:

- Install client from http://openvpn.se/download.html
- Copy client.ovpn from sample-config to config, edit
  - Comment dev tun, uncomment dev tap
  - Change the remote line to point to your server
  - Change ca, cert, key file names if necessary
  - Uncomment ns-cert-type server (this is why the server cert was made
    with build-key-server above: that's what puts nsCertType=server on
    it, and it's what stops a client cert from being used to impersonate
    the server)
  - Optional: specify "cipher AES-256-CBC" if you did so in the server
    configuration.  It must match on both ends.
- Copy client key, client certificate, and CA certificate into config
  directory (default names: client.key, client.crt, ca.crt)

Deviations from above for a routed (instead of bridged) setup:

- Don't comment dev tun, leave dev tap commented

Notes:

- XP: May want to turn off firewall settings JUST ON THE TAP32 ADAPTER.
  - May need to adjust things in Windows Security Center to get it to
    stop bugging you, but don't want to turn it off for all interfaces.
- May want to rename the adapter in Network Connections so it's easier
  to identify when doing phone support.  Otherwise it's just "Local Area
  Connection 2" or something.
- If you have multiple OpenVPN connections on a machine, Doofus says you
  need to make sure the dev-node parameters in the configurations are
  all unique.
  - I think this is only if you want to open multiple connections
    simultaneously, though.

======================================================================

Change log:

Slight modification to source vars when making keys.  Also, note this
is a bridged OpenVPN setup.  Routed is even easier.
Oh, and I added -e to the openvpn-shutdown script.

darky, 20050610 0116

Minor changes, corrections.  Remembered to instruct myself to service
network restart after configuring the network.

darky, 20050709 1824

Added information on setting up Windows clients.

darky, 20050709 1914

Added ns-cert-type server to client config.  Suppresses warning from
OpenVPN GUI about not verifying server.

darky, 20050808 1216

Note from Doofus about multiple TAP devices.

darky, 20051005 2042

Added NetBIOS node type (NBT) dhcp-option so I remember what it is.
Moved change log to bottom so this might be easier to read.

darky, 20060119 1635

Added dhcp-option DOMAIN, client-to-client, and management server as
options for the server configuration.  Cleaned up a little in that
section too.  Also added note about multiple OpenVPN connections in
Windows not requiring multiple TAP32 adapters unless you want to connect
to more than one VPN simultaneously.  Additionally, added warning about
trying to set up bridging remotely.

darky, 20060129 1459

- Added fixed DH parameters.
- Added section on routed OpenVPN setup.
- Fixed path to easy-rsa for Fedora Extras OpenVPN package.
- Added reminder to update firewall rules and ensure forwarding is on.
- Added note about lzo 1.08 RPMs (vs. 2.x).

darky, 20060228 1752

- Added note about setting user/group when using FC Extras RPM.

darky, 20060302 1417

- Clarified the change of KEY_SIZE in the "vars" file within the
  easy-rsa stuff.
- Updated wget command for dh2048.pem.  Now I can copy and paste many of
  these commands.
- Added bit about missing /dev/net/tun on older boxes.
- Clarified OpenVPN routed Windows configuration change.

darky, 20060320 1339

- Fixed up section about setting up a bridge after I successfully did it
  remotely.

darky, 20060328 1302

- Put quotes around dhcp-options.
- Clarified bit about running dhparam -check on the D-H parameters.
- Added bit about checking the system clock.
darky, 20060328 1813

- Added in a reminder to s/eth0/lanbr0/ in /etc/sysconfig/dhcpd.

darky, 20060401 1058

- Added in cipher AES-256-CBC, as recommended in the section on
  hardening OpenVPN in the OpenVPN HOWTO.
- Reminder to add route statements if necessary.

darky, 20060720 0116

- Added separate instructions for installing keys and initializing
  ipp.txt and openvpn-status.log files, needed for Fedora Extras OpenVPN
  where it runs as openvpn:openvpn.  Without this, a "service openvpn
  reload" (or kill -HUP) actually causes OpenVPN to exit, since it can't
  read the files it needs.

darky, 20060821 1426

- Removed separate instructions referenced above, and removed bit where
  you make OpenVPN run as non-root.  I've got it running root at several
  places and haven't been 0wned yet (to my knowledge).  Moreover,
  Fedora's init script (at least; maybe Dag's too) uses SIGHUP to reload
  OpenVPN, which makes OpenVPN reopen the tap/tun device, and that's not
  likely to happen when running as non-root.  Sure, you could just use
  SIGUSR1.  But what if you forget?  OpenVPN dies, and you might not
  notice it (which is what happened to me).

darky, 20060821 1822
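Added example, not part of darky's notes: a post-install sanity check
for the bridged server section above (key file permissions from the
install line, the server cert against the CA and the system clock, the
dhparam -check step, /dev/net/tun, and whether ovpntap0 actually ended
up in lanbr0), plus the random 10.x.y.0/24 picker from the routed
section, extended so it avoids anything already in a routing table.  It
assumes the names used in the notes (lanbr0, ovpntap0, the files under
/etc/openvpn) and only needs sh, ls, awk, od, dd and, for the
certificate checks, openssl.  The brctl output and routing table below
are constructed samples for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes).  Assumes the bridge is
# lanbr0, the tap is ovpntap0, and keys live in /etc/openvpn as above.

# Was FILE installed as "install -o 0 -g 0 -m 400"?  Parses `ls -ln`
# rather than stat so it also works on RH 7.2-era boxes.  $2 is the
# expected owner uid (0 in the notes); overridable so the check can be
# exercised by a non-root user.  A trailing "+" (ACL present) is a fail.
key_file_locked_down() {
    want_uid=${2:-0}
    out=$(ls -ln "$1" 2>/dev/null) || return 1
    set -- $out
    case "$1" in -r--------|-r--------.) ;; *) return 1 ;; esac
    [ "$3" = "$want_uid" ]
}

# Is PORT a member of BRIDGE according to the text of `brctl show` in $1?
# brctl prints the first interface on the bridge's own line and any
# further interfaces on continuation lines of their own.
bridge_has_port() {
    printf '%s\n' "$1" | awk -v br="$2" -v port="$3" '
        NR == 1 { next }                      # header line
        NF >= 4 { cur = $1; iface = $NF }     # bridge, id, stp, first port
        NF == 3 { cur = $1; iface = "" }      # bridge with no ports
        NF == 1 { iface = $1 }                # continuation: another port
        cur == br && iface == port { found = 1 }
        END { exit found ? 0 : 1 }'
}

# The mknod fix in the notes is for when this fails.
tun_node_present() { [ -c /dev/net/tun ]; }

# Server cert chains to the CA and has not expired against *this* clock
# (the "check the system clock" step matters here too).
server_cert_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 &&
    openssl x509 -noout -checkend 0 -in "$2" >/dev/null 2>&1
}

# Same test the notes recommend on the downloaded dh2048.pem.  openssl
# only warns on bad parameters, so look for its "ok" line instead of
# trusting the exit status.
dhparams_ok() {
    openssl dhparam -check -noout -in "$1" 2>&1 | grep -q 'appear to be ok'
}

# Is 10.X.Y.0 (given as $1) absent from the routing-table text in $2?
# Matches on the "10.X.Y." prefix so both host and network routes count.
subnet_free() {
    prefix=${1%.0}.
    case "$2" in *"$prefix"*) return 1 ;; esac
    return 0
}

# Random 10.X.Y.0/24 for the routed "server" line, as in the notes, but
# retried until it misses every prefix in the routing table passed as $1
# (paste in `ip route` from the server and from typical client LANs).
pick_vpn_subnet() {
    routes=$1
    tries=0
    while [ "$tries" -lt 100 ]; do
        tries=$((tries + 1))
        set -- $(dd if=/dev/urandom bs=2 count=1 2>/dev/null | od -An -t uC)
        net="10.$1.$2.0"
        subnet_free "$net" "$routes" || continue
        printf 'server %s 255.255.255.0\n' "$net"
        return 0
    done
    return 1
}

run_checks() {
    rc=0
    for f in /etc/openvpn/server.key /etc/openvpn/server.crt \
             /etc/openvpn/ca.crt /etc/openvpn/dh2048.pem; do
        key_file_locked_down "$f" 0 || { echo "FAIL: $f not root-owned mode 0400"; rc=1; }
    done
    tun_node_present || { echo "FAIL: /dev/net/tun missing (see mknod fix)"; rc=1; }
    bridge_has_port "$(brctl show 2>/dev/null)" lanbr0 ovpntap0 ||
        { echo "FAIL: ovpntap0 is not a port of lanbr0"; rc=1; }
    if command -v openssl >/dev/null 2>&1; then
        server_cert_ok /etc/openvpn/ca.crt /etc/openvpn/server.crt ||
            { echo "FAIL: server.crt does not verify or is expired"; rc=1; }
        dhparams_ok /etc/openvpn/dh2048.pem || { echo "FAIL: dh2048.pem"; rc=1; }
    fi
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] ||
        echo "WARN: net.ipv4.ip_forward is 0"
    return $rc
}

# Live checks only when invoked as "sh vpn-check.sh run"; otherwise the
# functions can be sourced and used individually.
if [ "${1-}" = "run" ]; then
    run_checks
fi
```

Run it as root with "run" after service openvpn start; a FAIL line for
the tap means vpn.sh never added ovpntap0 to the bridge, and a FAIL on
server.crt with a cert you just made almost always means the clock.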