“OpenVPN is a free and open source software application that implements virtual private network (VPN) solutions for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses SSL/TLS security for encryption and is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).” (quoted from Linux Security)
So with OpenVPN you can create a secure private network over an internet connection using a public IP. OpenVPN uses the OpenSSL library to encrypt both the data channel and the control channel between client and server. OpenVPN is cross-platform, so once the server is set up and configured (I suggest using Linux), clients can connect from any platform (Windows, Mac OS, and Linux).
To install OpenVPN on Linux Ubuntu 10.04:
Login as root first:
sudo su
Install OpenVPN:
apt-get install openvpn libssl-dev openssl
Configure it:
1. Copy the easy-rsa directory to the openvpn folder (the target directory has to exist before cp can copy several files into it):
cd /etc/openvpn/
mkdir -p /etc/openvpn/easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
chown -R $USER /etc/openvpn/easy-rsa/
2. Edit the vars file
nano /etc/openvpn/easy-rsa/vars
3. Find these lines:
export KEY_COUNTRY="ID"
export KEY_PROVINCE="DKI"
export KEY_CITY="Jakarta"
export KEY_ORG="ahmadfauzi.web.id"
export KEY_EMAIL="info@ahmadfauzi.web.id"
and replace the values with your own information.
4. Create the server certificates:
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
5. Create the client certificates:
cd /etc/openvpn/easy-rsa/
source vars
./pkitool [writeyourhostnamehere]
cd ..
Replace [writeyourhostnamehere] with your server hostname (without the brackets).
6. Compress certificate for client:
cd /home
mkdir forclient
cd forclient
cp /etc/openvpn/ca.crt .
cp /etc/openvpn/ta.key .
cp /etc/openvpn/easy-rsa/keys/[writeyourhostnamehere].crt .
cp /etc/openvpn/easy-rsa/keys/[writeyourhostnamehere].key .
cd ../
tar -czvf forclient.tgz forclient
7. Download/copy forclient.tgz to your OpenVPN client (I save forclient.tgz into my /home folder).
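The packaging in step 6, as an added example that is not part of the original post: a POSIX shell script that stages the same four files, locks down the two secrets (ta.key and the client key) before archiving, and checks the archive before it is handed over. The client name and the source and output directories are parameters rather than the fixed paths above; the files used in testing are constructed stand-ins, not real keys.

```shell
# Added example (not from the original post): build the client bundle from
# step 6 with private keys locked down, then inspect the archive before
# giving it to the client.
set -eu

# bundle_client_files NAME SRCDIR OUTDIR
#   NAME   : client name used with ./pkitool NAME (the [writeyourhostnamehere] value)
#   SRCDIR : directory holding ca.crt, ta.key, NAME.crt and NAME.key
#            (in the tutorial: /etc/openvpn and /etc/openvpn/easy-rsa/keys)
#   OUTDIR : where forclient/ and forclient.tgz are created (tutorial: /home)
# Prints the archive path on success, returns 1 if an input file is missing.
bundle_client_files() {
    name=$1; src=$2; out=$3
    stage="$out/forclient"
    rm -rf "$stage"
    mkdir -p "$stage"
    for f in ca.crt ta.key "$name.crt" "$name.key"; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        cp "$src/$f" "$stage/"
    done
    # ta.key and the client private key are secrets: owner read/write only.
    chmod 600 "$stage/ta.key" "$stage/$name.key"
    chmod 644 "$stage/ca.crt" "$stage/$name.crt"
    (cd "$out" && tar -czf forclient.tgz forclient)
    echo "$out/forclient.tgz"
}

# verify_bundle TGZ NAME
#   Returns 0 if the archive holds the four expected files and every
#   *.key member is mode 600; otherwise reports the problem and returns 1.
verify_bundle() {
    tgz=$1; name=$2; rc=0
    listing=$(tar -tzvf "$tgz")
    for f in ca.crt ta.key "$name.crt" "$name.key"; do
        printf '%s\n' "$listing" | grep -q "forclient/$f\$" \
            || { echo "archive lacks $f" >&2; rc=1; }
    done
    # In "tar -tv" output column 1 is the mode string and the last column
    # is the member name.
    bad=$(printf '%s\n' "$listing" | awk '$NF ~ /\.key$/ && $1 != "-rw-------" {print $NF}')
    [ -z "$bad" ] || { echo "group/world readable secrets: $bad" >&2; rc=1; }
    return $rc
}
```

On the server from the tutorial the call would be `bundle_client_files myhost /etc/openvpn/easy-rsa/keys /home` after copying ca.crt and ta.key into that keys directory, followed by `verify_bundle /home/forclient.tgz myhost` before the file leaves the machine.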
8. Configure /etc/openvpn/server.conf
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
9. Edit server.conf
nano /etc/openvpn/server.conf
and change the following lines. I use 192.168.10.0/24 for my private network; if your public IP address is 222.124.204.34, the lines become:
# This is your public IP Address
local 222.124.204.34
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
# This is my private network from server to client
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0"
push "redirect-gateway"
# Enter your DNS Address
push "dhcp-option DNS 10.10.10.1"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-128-CBC # AES
comp-lzo
user root # the sample config uses "user nobody"; with root the daemon keeps full privileges after startup
group root # likewise "group nogroup" in the sample config
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3
Then save the file.
After that, start the OpenVPN server with the following command:
sudo /etc/init.d/openvpn start
And to restart the VPN:
sudo /etc/init.d/openvpn restart
The Client
On the client, install OpenVPN first:
sudo apt-get install openvpn libssl-dev openssl
Then configure it:
nano /etc/openvpn/client.conf
Add the following lines:
client
dev tun
proto udp
# This IP should point to your OpenVPN server
remote 222.124.204.34 1194
resolv-retry infinite
nobind
user root
group root
persist-key
persist-tun
ca ca.crt
cert [writeyourhostnamehere].crt
key [writeyourhostnamehere].key
ns-cert-type server
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
Save it.
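The server.conf and client.conf above share a few settings that have to agree, and a couple that are worth a second look before going live. As an added example that is not part of the original post, this POSIX shell lint reads a config file and reports: a missing tls-auth line or a key direction that does not match the role (0 on the server, 1 on the client), no explicit cipher, a client without ns-cert-type server, and user/group left as root (the sample config drops to nobody/nogroup). The make_samples function writes constructed copies of the two configs from this post plus a client variant with nobody/nogroup; the function names are my own.

```shell
# Added example (not from the original post): lint the server.conf and
# client.conf written above for settings that must match or that keep
# unnecessary privilege.
set -eu

# directive FILE NAME -> prints the arguments of the first NAME line,
# with any trailing "# comment" removed (empty output if absent).
directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); sub(/ *#.*$/, ""); print; exit }' "$1"
}

# check_ovpn_conf FILE ROLE   (ROLE is "server" or "client")
# Prints one line per finding; the exit status is the number of findings.
check_ovpn_conf() {
    f=$1; role=$2; n=0
    want_dir=0
    if [ "$role" = client ]; then want_dir=1; fi
    ta=$(directive "$f" tls-auth)
    # tls-auth takes the key file and a direction; both sides must use
    # opposite directions or the control channel HMAC never matches.
    case "$ta" in
        *" $want_dir") ;;
        "") echo "$f: no tls-auth (control channel packets are not HMAC-checked)"; n=$((n+1)) ;;
        *)  echo "$f: tls-auth direction should be $want_dir for a $role"; n=$((n+1)) ;;
    esac
    [ -n "$(directive "$f" cipher)" ] || { echo "$f: no explicit cipher"; n=$((n+1)); }
    if [ "$role" = client ] && [ -z "$(directive "$f" ns-cert-type)" ]; then
        echo "$f: client does not check the server certificate type (ns-cert-type server)"
        n=$((n+1))
    fi
    for d in user group; do
        v=$(directive "$f" $d)
        if [ -z "$v" ] || [ "$v" = root ]; then
            echo "$f: $d is root; the sample config drops to nobody/nogroup"; n=$((n+1))
        fi
    done
    return $n
}

# make_samples DIR: constructed copies of the two configs from the post
# (comments shortened) plus client-hardened.conf with nobody/nogroup.
make_samples() {
    cat > "$1/server.conf" <<'EOF'
local 222.124.204.34
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 192.168.10.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-128-CBC # AES
user root
group root
EOF
    cat > "$1/client.conf" <<'EOF'
client
dev tun
proto udp
remote 222.124.204.34 1194
user root
group root
ca ca.crt
cert myhost.crt
key myhost.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-128-CBC
EOF
    sed 's/^user root/user nobody/; s/^group root/group nogroup/' \
        "$1/client.conf" > "$1/client-hardened.conf"
}
```

Against the post's own files the lint reports two findings on each side (user root and group root); on the real machine run `check_ovpn_conf /etc/openvpn/server.conf server` and `check_ovpn_conf /etc/openvpn/client.conf client` and treat a non-zero exit status as a list of things to review.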
Get the forclient.tgz file from the server (/home/forclient.tgz) and extract its contents directly into /etc/openvpn (the archive wraps the files in a forclient/ directory, so that leading path is stripped):
cd /etc/openvpn
tar -xzvf /home/forclient.tgz --strip-components=1
Test the connection from client to server by typing:
cd /etc/openvpn
openvpn --config client.conf
And ping from client to server through Private IP:
ping 192.168.10.1
If you get a reply from the server, your configuration was successful :). If you get Request Timed Out, check the configuration again.
Good luck!