Changes between Version 2 and Version 3 of HOWTO


Timestamp:
07/25/14 07:41:38 (10 years ago)
Author:
Samuli Seppänen
Comment:

Fixed formatting up to "Generate the master Certificate Authority (CA) certificate & key"

  • HOWTO

    v2 v3  
    7575== Mac OS X Notes ==
    7676
    77 Angelo Laub and Dirk Theisen have developed an OpenVPN GUI for OS X.
    78 Other OSes
    79 
    80 Some notes are available in the INSTALL file for specific OSes. In general, the
    81 
    82     ./configure
    83     make
    84     make install
    85 
     77Angelo Laub and Dirk Theisen have developed an [http://code.google.com/p/tunnelblick/ OpenVPN GUI for OS X].
     78
     79== Other OSes ==
     80
     81Some notes are available in the [https://github.com/OpenVPN/openvpn/blob/master/INSTALL INSTALL] file for specific OSes. In general, the
     82{{{
     83./configure
     84make
     85make install
     86}}}
    8687method can be used, or you can search for an OpenVPN port or package which is specific to your OS/distribution.
    8788
    88 Determining whether to use a routed or bridged VPN
    89 
    90 See FAQ for an overview of Routing vs. Ethernet Bridging. See also the OpenVPN Ethernet Bridging page for more notes and details on bridging.
     89= Determining whether to use a routed or bridged VPN =
     90
     91See the documentation [wiki:WikiStart front page] and [wiki:FAQ FAQ] for an overview of Routing vs. Ethernet Bridging.
    9192
    9293Overall, routing is probably a better choice for most people, as it is more efficient and easier to set up (as far as the OpenVPN configuration itself) than bridging. Routing also provides a greater ability to selectively control access rights on a client-specific basis.
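Review bot: the rewrite of the routed-vs-bridged paragraph (v2 line 90 to v3 line 91) drops v2's second sentence, "See also the OpenVPN Ethernet Bridging page for more notes and details on bridging.", so readers who actually need bridging lose the only pointer to the detailed bridging notes; restore it as a wiki link next to the front page and FAQ links. Minor: the new Tunnelblick link at v3 line 77 is plain http://code.google.com/p/tunnelblick/; since it sends users to a VPN client download, prefer an https URL so the link target is at least authenticated in transit.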
     
    9495I would recommend using routing unless you need a specific feature which requires bridging, such as:
    9596
    96    the VPN needs to be able to handle non-IP protocols such as IPX,
    97    you are running applications over the VPN which rely on network broadcasts (such as LAN games), or
    98    you would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server.
    99 
    100 Numbering private subnets
     97 * the VPN needs to be able to handle non-IP protocols such as IPX,
     98 * you are running applications over the VPN which rely on network broadcasts (such as LAN games), or
     99 * you would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server.
     100
     101= Numbering private subnets =
    101102
    102103Setting up a VPN often entails linking together private subnets from different locations.
    103104
    104105The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (codified in RFC 1918):
    105 10.0.0.0        10.255.255.255  (10/8 prefix)
    106 172.16.0.0      172.31.255.255  (172.16/12 prefix)
    107 192.168.0.0     192.168.255.255         (192.168/16 prefix)
     106
     107||10.0.0.0||10.255.255.255||(10/8 prefix)||
     108||172.16.0.0||172.31.255.255||(172.16/12 prefix)||
     109||192.168.0.0||192.168.255.255||(192.168/16 prefix)||
    108110
    109111While addresses from these netblocks should normally be used in VPN configurations, it's important to select addresses that minimize the probability of IP address or subnet conflicts. The types of conflicts that need to be avoided are:
    110112
    111    conflicts from different sites on the VPN using the same LAN subnet numbering, or
    112    remote access connections from sites which are using private subnets which conflict with your VPN subnets.
    113 
    114 For example, suppose you use the popular 192.168.0.0/24 subnet as your private LAN subnet. Now you are trying to connect to the VPN from an internet cafe which is using the same subnet for its WiFi LAN. You will have a routing conflict because your machine won't know if 192.168.0.1 refers to the local WiFi gateway or to the same address on the VPN.
     113 * conflicts from different sites on the VPN using the same LAN subnet numbering, or
     114 * remote access connections from sites which are using private subnets which conflict with your VPN subnets.
     115
     116For example, suppose you use the popular 192.168.0.0/24 subnet as your private LAN subnet. Now you are trying to connect to the VPN from an internet cafe which is using the same subnet for its !WiFi LAN. You will have a routing conflict because your machine won't know if 192.168.0.1 refers to the local !WiFi gateway or to the same address on the VPN.
    115117
    116118As another example, suppose you want to link together multiple sites by VPN, but each site is using 192.168.0.0/24 as its LAN subnet. This won't work without adding a complexifying layer of NAT translation, because the VPN won't know how to route packets between multiple sites if those sites don't use a subnet which uniquely identifies them.
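Review bot: the RFC 1918 table at v3 lines 107-109 has no header row, so the reader has to infer what the three columns are (first address of the block, last address, CIDR prefix); add a Trac header row such as `||= First address =||= Last address =||= Prefix =||` above the three data rows. The bullet conversions at 97-99 and 113-114 and the `!WiFi` escapes at 116 look right.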
     
    120122And to avoid cross-site IP numbering conflicts, always use unique numbering for your LAN subnets.
    121123
    122 Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients
    123 Overview
     124= Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients =
     125
     126== Overview ==
    124127
    125128The first step in building an OpenVPN 2.x configuration is to establish a PKI (public key infrastructure). The PKI consists of:
    126129
    127    a separate certificate (also known as a public key) and private key for the server and each client, and
    128    a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.
     130 * a separate certificate (also known as a public key) and private key for the server and each client, and
     131 * a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.
    129132
    130133OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established.
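Review bot: the first bullet at v3 line 130 still reads "a separate certificate (also known as a public key)", which conflates the two: a certificate is the CA-signed document that contains a public key together with identity fields such as the Common Name that line 142 later relies on for access control. Suggest "a separate certificate (containing the public key) and private key for the server and each client". The heading and list markup in this hunk is otherwise fine.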
     
    134137This security model has a number of desirable features from the VPN perspective:
    135138
    136    The server only needs its own certificate/key -- it doesn't need to know the individual certificates of every client which might possibly connect to it.
    137    The server will only accept clients whose certificates were signed by the master CA certificate (which we will generate below). And because the server can perform this signature verification without needing access to the CA private key itself, it is possible for the CA key (the most sensitive key in the entire PKI) to reside on a completely different machine, even one without a network connection.
    138    If a private key is compromised, it can be disabled by adding its certificate to a CRL (certificate revocation list). The CRL allows compromised certificates to be selectively rejected without requiring that the entire PKI be rebuilt.
    139    The server can enforce client-specific access rights based on embedded certificate fields, such as the Common Name.
     139 * The server only needs its own certificate/key -- it doesn't need to know the individual certificates of every client which might possibly connect to it.
     140 * The server will only accept clients whose certificates were signed by the master CA certificate (which we will generate below). And because the server can perform this signature verification without needing access to the CA private key itself, it is possible for the CA key (the most sensitive key in the entire PKI) to reside on a completely different machine, even one without a network connection.
     141 * If a private key is compromised, it can be disabled by adding its certificate to a CRL (certificate revocation list). The CRL allows compromised certificates to be selectively rejected without requiring that the entire PKI be rebuilt.
     142 * The server can enforce client-specific access rights based on embedded certificate fields, such as the Common Name.
    140143
    141144Note that the server and client clocks need to be roughly in sync or certificates might not work properly.
    142 Generate the master Certificate Authority (CA) certificate & key
     145
     146== Generate the master Certificate Authority (CA) certificate & key ==
    143147
    144148In this section we will generate a master CA certificate/key, a server certificate/key, and certificates/keys for 3 separate clients.
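Review bot: the clock-sync remark at v3 line 144 says certificates "might not work properly" without saying why; state that each side rejects the peer's certificate when its validity period (notBefore/notAfter) does not include the local time, which is why a badly skewed clock breaks the mutual certificate check described at line 133. The list markup at 139-142 and the new heading at 146 look correct.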