Changes between Initial Version and Version 1 of Openvpn1xHOWTO


Timestamp:
07/25/14 15:28:14 (10 years ago)
Author:
Samuli Seppänen
Comment:

Migrated content from http://openvpn.net/index.php/open-source/documentation/miscellaneous/88-1xhowto.html

     1{{{#!html
     2<h2>Introduction</h2>
     3<div align="left">
     4<table border="0">
     5<tbody>
     6<tr>
     7<td width="600">
     8<p>This HOWTO is mainly relevant for setting up single-client or static site-to-site VPNs and is oriented more towards OpenVPN 1.x than 2.0. To take advantage of the OpenVPN 2.0 client/server capability, see the <a href="index.php/open-source/documentation/howto.html">OpenVPN 2.0 HOWTO</a>.</p>
     9<p>This document describes setting up OpenVPN in a typical Home to Office telecommuting configuration. While this HOWTO presents in-depth configuration examples, simpler examples are shown in the <a href="index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html">examples section</a> of the man page.</p>
     10<h2>Additional Articles and Documentation</h2>
     11<p><a href="index.php/open-source/articles.html">Many excellent articles and HOWTOs</a> exist for configuring OpenVPN in different environments.</p>
     12<h2>Basic Tunnel Types</h2>
     13<p>There are two basic types of tunnels that one can create with OpenVPN:</p>
     14<ul>
     15<li><strong>Routed IP tunnels</strong> -- best used to route point-to-point IP traffic without broadcasts. Slightly more efficient than bridged ethernet tunnels and easier to configure. This HOWTO (below) covers routed IP tunnels.</li>
     16<li><strong>Bridged Ethernet Tunnels</strong> -- can be used to tunnel both IP and non-IP protocols. This type of tunnel is appropriate for applications which communicate via broadcasts, such as Windows file and print sharing (without a WINS server) and LAN games. Slightly more complex to configure. <a href="index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html">A Mini-HOWTO for bridged ethernet tunnels.</a></li>
     17</ul>
     18<h2>Routed IP tunnel HOWTO</h2>
     19<p>Given the interrelated issues involved in configuring firewalls, VPNs, and NAT, we will attempt to describe a complete system configuration rather than isolating the VPN component of the setup.</p>
     20<p>In our example, both Home and Office private networks are linked to the internet via two gateway machines which each have a public IP address. Each gateway machine contains two NICs, one connected to the private network, the other connected to the internet. The gateway machines provide NAT, firewall, and VPN services for the machines on the private networks. The Home and Office sides of the configuration are roughly symmetrical except the Office gateway machine has a fixed IP address while the Home machine has a DHCP dynamic address.</p>
     21<p>In the following examples, all configuration files shown are also available in the OpenVPN distribution.</p>
     22</td>
     23</tr>
     24</tbody>
     25</table>
     26</div>
     27<h2>Home and Office IP Networking Parameters</h2>
     29<table border="2" cellspacing="8" cellpadding="8">
     30<tbody>
     31<tr>
     32<td> </td>
     33<td>
     34<h3>Home</h3>
     35</td>
     36<td>
     37<h3>Office</h3>
     38</td>
     39</tr>
     40<tr>
     41<td>
     42<h3>Local Ethernet Subnet (Private Address)</h3>
     43</td>
     44<td>10.0.1.0/24</td>
     45<td>10.0.0.0/24</td>
     46</tr>
     47<tr>
     48<td>
     49<h3>Tunnel Endpoint (Private Address)</h3>
     50</td>
     51<td>10.1.0.2</td>
     52<td>10.1.0.1</td>
     53</tr>
     54<tr>
     55<td>
     56<h3>OpenVPN Gateway (Public Address)</h3>
     57</td>
     58<td>DHCP client, need not be explicitly specified</td>
     59<td>1.2.3.4</td>
     60</tr>
     61</tbody>
     62</table>
     63<p><a name="install" title="install"></a></p>
     64<h2>Installing OpenVPN</h2>
     65<div align="left">
     66<table border="0">
     67<tbody>
     68<tr>
     69<td width="600">
     70<p>If your system doesn't have the OpenSSL Library, you should <a href="http://www.openssl.org/">download and install it</a>.</p>
     71<p>If you want to take advantage of compression on the VPN link, or you want to install OpenVPN as an RPM package, install the <a href="http://www.oberhumer.com/opensource/lzo/">LZO Library</a>.</p>
     72<p>If you are using Linux 2.2 or earlier, download the <a href="http://vtun.sourceforge.net/tun/">TUN/TAP driver</a>. Users of Linux 2.4.7 or greater should find the TUN/TAP driver already bundled with their kernel. Users of Linux 2.4.0 -&gt; 2.4.6 should note the caveat at the end of the <a href="index.php/open-source/documentation/install.html">INSTALL</a> file.</p>
     73<p>Now <a href="index.php/open-source/downloads.html">download</a> the latest release of OpenVPN.</p>
     74<h3>Install from tarball</h3>
     75<p>Unzip the distribution:</p>
     76<blockquote>
     77<pre><strong>gzip -dc openvpn-1.6.0.tar.gz | tar xvf -</strong></pre>
     78</blockquote>
     79<p>Build OpenVPN:</p>
     80<blockquote>
     81<pre><strong>cd openvpn-1.6.0<br />./configure<br />make<br />make install</strong></pre>
     82</blockquote>
     83<p>If you didn't download the LZO Library, add <strong>--disable-lzo</strong> to the <strong>configure</strong> command. Other options can be enabled such as <strong>pthread</strong> support (<strong>./configure --enable-pthread</strong>) to improve latency during SSL/TLS dynamic key exchanges. The command</p>
     84<blockquote>
     85<pre><strong>./configure --help</strong></pre>
     86</blockquote>
     87<p>will show all configuration options.</p>
     88<h3>Install from RPM</h3>
     89<p>First build the RPM file. This will require that the OpenSSL, pthread, and <a href="http://www.oberhumer.com/opensource/lzo/">LZO</a> libraries are present. Normally only the LZO library requires an explicit download and install; the other libraries are present by default on most Linux distributions.</p>
     90<blockquote>
     91<pre><strong>rpmbuild -tb openvpn-1.6.0.tar.gz</strong></pre>
     92</blockquote>
     93<p>The RPM build process will generate a lot of output. If the build succeeds, there should be a note near the end of the output stating the name of the binary RPM file which was written. Install the binary RPM with the command:</p>
     94<blockquote>
     95<pre><strong>rpm -Uvh <em>binary-RPM-file</em></strong></pre>
     96</blockquote>
     97</td>
     98</tr>
     99</tbody>
     100</table>
     101</div>
     102<h2>Configuring the TUN/TAP driver</h2>
     103<div align="left">
     104<table border="0">
     105<tbody>
     106<tr>
     107<td width="600">
     108<h3>One-time Configuration Steps</h3>
     109<p>If you are using Linux 2.4.7 or higher, chances are good that the TUN/TAP driver is already bundled with your kernel. You can confirm this with the command</p>
     110<blockquote>
     111<pre><strong>locate if_tun.h</strong></pre>
     112</blockquote>
     113<p>which should show a file such as <strong>/usr/include/linux/if_tun.h</strong>.</p>
     114<p>For Linux 2.4.7 or higher, if you installed from the tarball, enter the following command to configure the TUN/TAP device node (you can omit this step if you installed from RPM, as the RPM install will do it automatically for you):</p>
     115<blockquote>
     116<pre><strong>mknod /dev/net/tun c 10 200</strong></pre>
     117</blockquote>
     118<p>If you are using Linux 2.2, you should obtain <a href="http://vtun.sourceforge.net/tun/">Version 1.1</a> of the TUN/TAP kernel module and follow the installation instructions.</p>
     119<a name="reboot" title="reboot"></a>
     120<h3>Once-per-reboot Configuration Steps</h3>
     121<p>On Linux, prior to using OpenVPN or any other program which uses TUN/TAP devices, you should load the TUN/TAP kernel module:</p>
     122<blockquote>
     123<pre><strong>modprobe tun</strong></pre>
     124</blockquote>
     125<p>and enable IP forwarding:</p>
     126<blockquote>
     127<pre><strong>echo 1 &gt; /proc/sys/net/ipv4/ip_forward</strong></pre>
     128</blockquote>
     129</td>
     130</tr>
     131</tbody>
     132</table>
     133</div>
     134<h2>Configure Firewall and NAT</h2>
     135<div align="left">
     136<table border="0">
     137<tbody>
     138<tr>
     139<td width="600">This section assumes you are using Linux 2.4 with an <strong>iptables</strong> firewall. Here is a sample firewall configuration that provides NAT for machines on a private network to access the internet, stateful outgoing connection tracking, and OpenVPN support:</td>
     140</tr>
     141</tbody>
     142</table>
     143</div>
     144<hr />
     145<div align="left">
     146<table border="4" cellspacing="16" cellpadding="16">
     147<tbody>
     148<tr>
     149<td width="100%">
     150<h3>sample-config-files/firewall.sh</h3>
     151</td>
     152</tr>
     153</tbody>
     154</table>
     155</div>
     156<blockquote>
     157<pre><strong>#!/bin/bash<br /><br /># A Sample OpenVPN-aware firewall.<br /><br /># eth0 is connected to the internet.<br /># eth1 is connected to a private subnet.<br /><br /># Change this subnet to correspond to your private<br /># ethernet subnet.  Home will use 10.0.1.0/24 and<br /># Office will use 10.0.0.0/24.<br />PRIVATE=10.0.0.0/24<br /><br /># Loopback address<br />LOOP=127.0.0.1<br /><br /># Delete old iptables rules<br /># and temporarily block all traffic.<br />iptables -P OUTPUT DROP<br />iptables -P INPUT DROP<br />iptables -P FORWARD DROP<br />iptables -F<br /><br /># Set default policies<br />iptables -P OUTPUT ACCEPT<br />iptables -P INPUT DROP<br />iptables -P FORWARD DROP<br /><br /># Prevent external packets from using loopback addr<br />iptables -A INPUT -i eth0 -s $LOOP -j DROP<br />iptables -A FORWARD -i eth0 -s $LOOP -j DROP<br />iptables -A INPUT -i eth0 -d $LOOP -j DROP<br />iptables -A FORWARD -i eth0 -d $LOOP -j DROP<br /><br /># Anything coming from the Internet should have a real Internet address<br />iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP<br />iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP<br />iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP<br />iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP<br />iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP<br />iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP<br /><br /># Block outgoing NetBios (if you have windows machines running<br /># on the private subnet).  This will not affect any NetBios<br /># traffic that flows over the VPN tunnel, but it will stop<br /># local windows machines from broadcasting themselves to<br /># the internet.<br />iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP<br />iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP<br />iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP<br />iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP<br /><br /># Check source address validity on packets going out to internet<br />iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP<br /><br /># Allow local loopback<br />iptables -A INPUT -s $LOOP -j ACCEPT<br />iptables -A INPUT -d $LOOP -j ACCEPT<br /><br /># Allow incoming pings (can be disabled)<br />iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT<br /><br /># Allow services such as www and ssh (can be disabled)<br />iptables -A INPUT -p tcp --dport http -j ACCEPT<br />iptables -A INPUT -p tcp --dport ssh -j ACCEPT<br /><br /># Allow incoming OpenVPN packets<br /># Duplicate the line below for each<br /># OpenVPN tunnel, changing --dport n<br /># to match the OpenVPN UDP port.<br />#<br /># In OpenVPN, the port number is<br /># controlled by the --port n option.<br /># If you put this option in the config<br /># file, you can remove the leading '--'<br />#<br /># If you are taking the stateful firewall<br /># approach (see the OpenVPN HOWTO),<br /># then comment out the line below.<br /><br />iptables -A INPUT -p udp --dport 1194 -j ACCEPT<br /><br /># Allow packets from TUN/TAP devices.<br /># When OpenVPN is run in a secure mode,<br /># it will authenticate packets prior<br /># to their arriving on a tun or tap<br /># interface.  Therefore, it is not<br /># necessary to add any filters here,<br /># unless you want to restrict the<br /># type of packets which can flow over<br /># the tunnel.<br /><br />iptables -A INPUT -i tun+ -j ACCEPT<br />iptables -A FORWARD -i tun+ -j ACCEPT<br />iptables -A INPUT -i tap+ -j ACCEPT<br />iptables -A FORWARD -i tap+ -j ACCEPT<br /><br /># Allow packets from private subnets<br />iptables -A INPUT -i eth1 -j ACCEPT<br />iptables -A FORWARD -i eth1 -j ACCEPT<br /><br /># Keep state of connections from local machine and private subnets<br />iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT<br />iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT<br />iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT<br /><br /># Masquerade local subnet<br />iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE<br /></strong></pre>
     158</blockquote>
     159<div align="left">
     160<table border="0">
     161<tbody>
     162<tr>
     163<td width="600">
     164<p>OpenVPN offers a few additional options on firewall setup:</p>
     165<ul>
     166<li>If both OpenVPN peers reference the other with an explicit <strong>--remote</strong> option, and stateful firewalls that provide UDP connection tracking (such as <strong>iptables</strong>) exist between the peers, it is possible to run OpenVPN without any explicit firewall rules, if both peers originate regular pings to each other to keep the connection alive. To do this, simply run OpenVPN with the <strong>--remote <em>peer</em></strong> option, and specify <strong>--ping 15</strong> to ensure that packets flow over the tunnel at least once every 15 seconds.</li>
     167<li>The above option is less convenient if one of the peers changes its IP address frequently such as a DHCP or a dial-in peer. For these cases, the sample firewall configuration above will allow incoming packets on UDP port 1194 (OpenVPN's default UDP port) from any IP address. This should be considered safe in any of OpenVPN's secure modes, since all incoming tunnel packets must pass an authentication test or they will be dropped.</li>
     168<li>If you choose to fully open OpenVPN's incoming UDP port as in the sample firewall configuration above, you might want to take advantage of the <strong>--tls-auth</strong> option to do double authentication on the TLS control channel, using both the RSA key and a pre-shared secret passphrase as a second line of defense against DoS or active attacks. For more information on <strong>--tls-auth</strong>, see the <a href="man.html">openvpn man page</a>.</li>
     169</ul>
     170</td>
     171</tr>
     172</tbody>
     173</table>
     174</div>
     175<h2>Build RSA Certificates and Keys</h2>
     176<div align="left">
     177<table border="0">
     178<tbody>
     179<tr>
     180<td width="600">OpenVPN has two secure modes, one based on SSL/TLS security using RSA certificates and keys, the other using a pre-shared static key. While SSL/TLS + RSA keys is arguably the most secure option, static keys have the benefit of simplicity. If you want to use RSA keys, read on. For static keys, jump forward to the <a href="index.php/open-source/documentation/miscellaneous/88-1xhowto.html#pre-shared">Build Pre-Shared Static Key</a> section.
     181<p>We will build RSA certificates and keys using the <strong>openssl</strong> command, included in the OpenSSL library distribution.</p>
     182<p>RSA certificates are public keys bundled with additional signed fields such as the <strong>Common Name</strong> or <strong>email address</strong> of the certificate holder. OpenVPN provides the ability to run a script that tests these fields before authentication succeeds. For more information, see the <strong>--tls-verify</strong> option in the <a href="index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html">openvpn man page</a>.</p>
     183<p>In our example we will follow the <strong>apache</strong> convention of using the <strong>.crt</strong> file extension to denote certificate files and the <strong>.key</strong> file extension to denote private key files. Private key files must always be kept secure. Certificate files can be freely published or shared.</p>
     184<p>Select one machine such as Office to be the key management machine.</p>
     185<p>First edit the <strong>/usr/share/ssl/openssl.cnf</strong> file (this file may exist in a different place, so use <strong>locate openssl.cnf</strong> to find it).</p>
     186<p>You may want to make some changes to this file:</p>
     187<ul>
     188<li>Make a directory to serve as your key working area and change <strong>dir</strong> to point to it.</li>
     189<li>Consider increasing <strong>default_days</strong> so your VPN doesn't mysteriously stop working after exactly one year.</li>
     190<li>Set <strong>certificate</strong> and <strong>private_key</strong> to point to your master certificate authority certificate and private key files which we will presently generate. In the examples below, we will assume that your certificate authority certificate is named <strong>my-ca.crt</strong> and your certificate authority private key is named <strong>my-ca.key</strong>.</li>
     191<li>Note the files <strong>index.txt</strong> and <strong>serial</strong>. Initialize <strong>index.txt</strong> to be empty and <strong>serial</strong> to contain an initial serial number such as <strong>01</strong>.</li>
     192<li>If you are paranoid about key sizes, increase <strong>default_bits</strong> to 2048. OpenVPN will have no problem handling a 2048 bit RSA key if you have built OpenVPN with <strong>pthread</strong> support, to enable background processing of RSA keys. You can still use large keys even without <strong>pthread</strong> support, but you will see some latency degradation on the tunnel during SSL/TLS key negotiations. For a good article on choosing an RSA key size, see the <a href="http://www.schneier.com/crypto-gram-0204.html">April 2002 issue</a> of Bruce Schneier's Crypto-Gram Newsletter.</li>
     193</ul>
     194<p>After <strong>openssl.cnf</strong> has been edited, create your master certificate authority certificate/private-key pair:</p>
     195</td>
     196</tr>
     197</tbody>
     198</table>
     199</div>
     200<blockquote>
     201<pre><strong>openssl req -nodes -new -x509 -keyout my-ca.key -out my-ca.crt -days 3650</strong></pre>
     202</blockquote>
     203<div align="left">
     204<table border="0">
     205<tbody>
     206<tr>
     207<td width="600">
     208<p>This will create a master certificate authority certificate/private-key pair valid for 10 years.</p>
     209<p>Now create certificate/private-key pairs for both Home and Office. When prompted for the common name, make sure to use a different name for Home and Office.</p>
     210</td>
     211</tr>
     212</tbody>
     213</table>
     214</div>
     215<blockquote>
     216<pre><strong>openssl req -nodes -new -keyout office.key -out office.csr<br />openssl ca -out office.crt -in office.csr<br />openssl req -nodes -new -keyout home.key -out home.csr<br />openssl ca -out home.crt -in home.csr</strong></pre>
     217</blockquote>
     218<div align="left">
     219<table border="0">
     220<tbody>
     221<tr>
     222<td width="600">
     223<p>Now copy <strong>home.crt</strong>, <strong>home.key</strong>, and <strong>my-ca.crt</strong> to Home over a secure channel, though actually only <strong>.key</strong> files should be considered non-public.</p>
     224<p>Now create Diffie Hellman parameters on Office with the following command:</p>
     225<blockquote>
     226<pre><strong>openssl dhparam -out dh1024.pem 1024</strong></pre>
     227</blockquote>
     228<p>Increase the bit size from 1024 to 2048 if you also increased it in <strong>openssl.cnf</strong>.</p>
     229<p>For the paranoid, consider omitting the <strong>-nodes</strong> option on the <strong>openssl</strong> commands above. This will cause each private key to be encrypted with a password, making the keys secure even if someone broke onto your server and stole your private key files. The downside of this approach is that every time you run OpenVPN, you will need to type in the password. For more information see the <strong>--askpass</strong> option in the <a href="index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html">openvpn man page</a>.</p>
     230<p>If you find manual RSA key management confusing, note that OpenVPN will interoperate with any X509 certificate management tool or service including the commercial CAs such as <a href="http://www.thawte.com/">Thawte</a> or <a href="http://www.verisign.com/">Verisign</a>. Check out the <a href="http://www.openca.org/">OpenCA</a> project for an example of what's being done with certificate/key management in the Open Source realm.</p>
     231<p>In addition, the OpenVPN distribution contains a small set of scripts which can be used to simplify <a href="index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html">RSA certificate and key management</a>.</p>
     232</td>
     233</tr>
     234</tbody>
     235</table>
     236</div>
     237<h2>Important Note on the use of commercial certificate authorities (CAs) with OpenVPN</h2>
     238<div align="left">
     239<table border="0">
     240<tbody>
     241<tr>
     242<td width="600">
     243<p>It should be noted that OpenVPN's security model in SSL/TLS mode is oriented toward users who will generate their own root certificate, and hence be their own CA. In SSL/TLS mode, OpenVPN authenticates its peer by checking that the peer-supplied certificate was signed by the CA certificate specified in the <strong>--ca</strong> option. Like the SSL-based secure web, the security of OpenVPN's SSL/TLS mode rests on the infeasibility of forging a root certificate signature.</p>
     245<p>This authentication procedure works perfectly well if you have generated your own root certificate, but presents a problem if you wish to use the root certificate of a commercial CA such as Thawte. If, for example, you specified Thawte's root certificate in the <strong>--ca</strong> option, any certificate signed by Thawte would now be able to authenticate with your OpenVPN peer -- certainly not what you would want.</p>
     246<p>Luckily there is a solution to this problem in the <strong>--tls-verify</strong> option. This option will allow you to execute a command to check the contents of a certificate, to fine-tune the selection of which certificate is allowed, and which is not. See the script <strong>verify-cn</strong> in the sample-scripts subdirectory for an example of how to do this, and also see the man page for the <strong>--tls-verify</strong> option.</p>
     247</td>
     248</tr>
     249</tbody>
     250</table>
     251</div>
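Added example, not part of the original HOWTO or of the OpenVPN distribution: a minimal <strong>--tls-verify</strong> hook in the spirit of the <strong>verify-cn</strong> sample script. OpenVPN runs the command with two arguments, the certificate depth and the X.509 subject; this script lets the CA chain through and admits the depth-0 (peer) certificate only when its Common Name equals ALLOWED_CN, a hypothetical name taken here from the environment. Both the slash-separated and the comma-separated subject formats are handled.

```shell
#!/bin/sh
# Added example: a --tls-verify hook in the spirit of sample-scripts/verify-cn.
# OpenVPN invokes it as:   <cmd> <certificate_depth> <x509_subject>
# Depth 0 is the peer's own certificate; higher depths are CA certificates.
# Exit status 0 accepts the certificate, non-zero rejects it.

# Hypothetical: the single Common Name this peer will accept at depth 0.
ALLOWED_CN="${ALLOWED_CN:-home}"

# Extract the CN from an X.509 subject string. Works for the
# slash form  "/C=US/O=Example/CN=home"  and the comma form
# "C=US, O=Example, CN=home". A leading "/" is prepended so a
# subject that starts with CN= also matches.
extract_cn() {
    printf '/%s\n' "$1" | sed -n 's|.*[/, ]CN=\([^/,]*\).*|\1|p'
}

# Decide whether a certificate at the given depth is acceptable.
verify_peer() {
    depth="$1"
    subject="$2"

    # Only the leaf certificate carries the peer's identity; the CA
    # certificates above it were already checked against --ca.
    if [ "$depth" -ne 0 ]; then
        return 0
    fi

    cn=$(extract_cn "$subject")
    if [ -z "$cn" ]; then
        echo "tls-verify: no CN in subject '$subject'" >&2
        return 1
    fi
    if [ "$cn" = "$ALLOWED_CN" ]; then
        return 0
    fi
    echo "tls-verify: rejecting peer CN '$cn' (expected '$ALLOWED_CN')" >&2
    return 1
}

# When executed by OpenVPN, dispatch on the two arguments it supplies.
if [ "$#" -eq 2 ]; then
    verify_peer "$1" "$2"
    exit $?
fi
```

Reference it from the configuration file with <strong>tls-verify ./verify-peer-cn.sh</strong> (the file name is an assumption); the peer whose CN does not match is logged to stderr and refused before the tunnel comes up.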
     252<p><a name="mitm" title="mitm"></a></p>
     253<h2>Important Note on possible "Man-in-the-Middle" attack if clients do not verify the certificate of the server they are connecting to.</h2>
     254<div align="left">
     255<table border="0">
     256<tbody>
     257<tr>
     258<td width="600">
     259<p>See discussion <a href="howto.html#mitm">here</a>.</p>
     260</td>
     261</tr>
     262</tbody>
     263</table>
     264</div>
     265<h2>Configuration file using SSL/TLS mode and RSA certificates/keys</h2>
     266<div align="left">
     267<table border="0">
     268<tbody>
     269<tr>
     270<td width="600">
     271<p>In our example, we will use OpenVPN configuration files. OpenVPN allows options to be passed on either the command line or in one or more configuration files. Options in configuration files can omit the leading "--" that is required for command line options.</p>
     272</td>
     273</tr>
     274</tbody>
     275</table>
     276</div>
     277<p>Set up the following configuration files:</p>
     278<hr />
     279<div align="left">
     280<table border="4" cellspacing="16" cellpadding="16">
     281<tbody>
     282<tr>
     283<td width="100%">
     284<h3>sample-config-files/tls-office.conf</h3>
     285</td>
     286</tr>
     287</tbody>
     288</table>
     289</div>
     290<blockquote>
     291<pre><strong>#<br /># Sample OpenVPN configuration file for<br /># office using SSL/TLS mode and RSA certificates/keys.<br />#<br /># '#' or ';' may be used to delimit comments.<br /><br /># Use a dynamic tun device.<br /># For Linux 2.2 or non-Linux OSes,<br /># you may want to use an explicit<br /># unit number such as "tun1".<br /># OpenVPN also supports virtual<br /># ethernet "tap" devices.<br />dev tun<br /><br /># 10.1.0.1 is our local VPN endpoint (office).<br /># 10.1.0.2 is our remote VPN endpoint (home).<br />ifconfig 10.1.0.1 10.1.0.2<br /><br /># Our up script will establish routes<br /># once the VPN is alive.<br />up ./office.up<br /><br /># In SSL/TLS key exchange, Office will<br /># assume server role and Home<br /># will assume client role.<br />tls-server<br /><br /># Diffie-Hellman Parameters (tls-server only)<br />dh dh1024.pem<br /><br /># Certificate Authority file<br />ca my-ca.crt<br /><br /># Our certificate/public key<br />cert office.crt<br /><br /># Our private key<br />key office.key<br /><br /># OpenVPN 2.0 uses UDP port 1194 by default<br /># (official port assignment by iana.org 11/04).<br /># OpenVPN 1.x uses UDP port 5000 by default.<br /># Each OpenVPN tunnel must use<br /># a different port number.<br /># lport or rport can be used<br /># to denote different ports<br /># for local and remote.<br />; port 1194<br /><br /># Downgrade UID and GID to<br /># "nobody" after initialization<br /># for extra security.<br />; user nobody<br />; group nobody<br /><br /># If you built OpenVPN with<br /># LZO compression, uncomment<br /># out the following line.<br />; comp-lzo<br /><br /># Send a UDP ping to remote once<br /># every 15 seconds to keep<br /># stateful firewall connection<br /># alive.  Uncomment this<br /># out if you are using a stateful<br /># firewall.<br />; ping 15<br /><br /># Uncomment this section for a more reliable detection when a system<br /># loses its connection.  For example, dial-ups or laptops that<br /># travel to other locations.<br />; ping 15<br />; ping-restart 45<br />; ping-timer-rem<br />; persist-tun<br />; persist-key<br /><br /># Verbosity level.<br /># 0 -- quiet except for fatal errors.<br /># 1 -- mostly quiet, but display non-fatal network errors.<br /># 3 -- medium output, good for normal operation.<br /># 9 -- verbose, good for troubleshooting<br />verb 3<br /></strong></pre>
     292</blockquote>
     293<hr />
     294<div align="left">
     295<table border="4" cellspacing="16" cellpadding="16">
     296<tbody>
     297<tr>
     298<td width="100%">
     299<h3>sample-config-files/office.up</h3>
     300</td>
     301</tr>
     302</tbody>
     303</table>
     304</div>
     305<blockquote>
     306<pre><strong>#!/bin/sh<br />route add -net 10.0.1.0 netmask 255.255.255.0 gw $5<br /></strong></pre>
     307</blockquote>
     308<hr />
     309<div align="left">
     310<table border="4" cellspacing="16" cellpadding="16">
     311<tbody>
     312<tr>
     313<td width="100%">
     314<h3>sample-config-files/tls-home.conf</h3>
     315</td>
     316</tr>
     317</tbody>
     318</table>
     319</div>
     320<blockquote>
     321<pre><strong>#<br /># Sample OpenVPN configuration file for<br /># home using SSL/TLS mode and RSA certificates/keys.<br />#<br /># '#' or ';' may be used to delimit comments.<br /><br /># Use a dynamic tun device.<br /># For Linux 2.2 or non-Linux OSes,<br /># you may want to use an explicit<br /># unit number such as "tun1".<br /># OpenVPN also supports virtual<br /># ethernet "tap" devices.<br />dev tun<br /><br /># Our OpenVPN peer is the office gateway.<br />remote 1.2.3.4<br /><br /># 10.1.0.2 is our local VPN endpoint (home).<br /># 10.1.0.1 is our remote VPN endpoint (office).<br />ifconfig 10.1.0.2 10.1.0.1<br /><br /># Our up script will establish routes<br /># once the VPN is alive.<br />up ./home.up<br /><br /># In SSL/TLS key exchange, Office will<br /># assume server role and Home<br /># will assume client role.<br />tls-client<br /><br /># Certificate Authority file<br />ca my-ca.crt<br /><br /># Our certificate/public key<br />cert home.crt<br /><br /># Our private key<br />key home.key<br /><br /># OpenVPN 2.0 uses UDP port 1194 by default<br /># (official port assignment by iana.org 11/04).<br /># OpenVPN 1.x uses UDP port 5000 by default.<br /># Each OpenVPN tunnel must use<br /># a different port number.<br /># lport or rport can be used<br /># to denote different ports<br /># for local and remote.<br />; port 1194<br /><br /># Downgrade UID and GID to<br /># "nobody" after initialization<br /># for extra security.<br />; user nobody<br />; group nobody<br /><br /># If you built OpenVPN with<br /># LZO compression, uncomment<br /># out the following line.<br />; comp-lzo<br /><br /># Send a UDP ping to remote once<br /># every 15 seconds to keep<br /># stateful firewall connection<br /># alive.  Uncomment this<br /># out if you are using a stateful<br /># firewall.<br />; ping 15<br /><br /># Uncomment this section for a more reliable detection when a system<br /># loses its connection.  For example, dial-ups or laptops that<br /># travel to other locations.<br />; ping 15<br />; ping-restart 45<br />; ping-timer-rem<br />; persist-tun<br />; persist-key<br /><br /># Verbosity level.<br /># 0 -- quiet except for fatal errors.<br /># 1 -- mostly quiet, but display non-fatal network errors.<br /># 3 -- medium output, good for normal operation.<br /># 9 -- verbose, good for troubleshooting<br />verb 3<br /></strong></pre>
     322</blockquote>
     323<hr />
     324<div align="left">
     325<table border="4" cellspacing="16" cellpadding="16">
     326<tbody>
     327<tr>
     328<td width="100%">
     329<h3>sample-config-files/home.up</h3>
     330</td>
     331</tr>
     332</tbody>
     333</table>
     334</div>
     335<blockquote>
     336<pre><strong>#!/bin/sh<br />route add -net 10.0.0.0 netmask 255.255.255.0 gw $5<br /></strong></pre>
     337</blockquote>
     338<p><a name="pre-shared" title="pre-shared"></a></p>
     339<h2>Build A Pre-Shared Static Key</h2>
     340<div align="left">
     341<table border="0">
     342<tbody>
     343<tr>
     344<td width="600">
     345<p>In contrast with RSA key management, using a pre-shared static key has the benefit of simplicity. The major downside of using static keys is that you give up the notion of <em>perfect forward secrecy</em>, meaning that if an attacker steals your static key, everything that was ever encrypted with it is compromised.</p>
     346<p>Generate a static key with the following command:</p>
     347<blockquote>
     348<pre><strong>openvpn --genkey --secret static.key</strong></pre>
     349</blockquote>
     350<p>The static key file is formatted in ascii and looks like this:</p>
     351<blockquote>
     352<pre><strong>-----BEGIN OpenVPN Static key V1-----<br />e5e4d6af39289d53<br />171ecc237a8f996a<br />97743d146661405e<br />c724d5913c550a0c<br />30a48e52dfbeceb6<br />e2e7bd4a8357df78<br />4609fe35bbe99c32<br />bdf974952ade8fb9<br />71c204aaf4f256ba<br />eeda7aed4822ff98<br />fd66da2efa9bf8c5<br />e70996353e0f96a9<br />c94c9f9afb17637b<br />283da25cc99b37bf<br />6f7e15b38aedc3e8<br />e6adb40fca5c5463<br />-----END OpenVPN Static key V1-----<br /></strong></pre>
     353</blockquote>
     354<p>An OpenVPN static key file contains enough entropy to key both a 512 bit cipher key and a 512 bit HMAC key for authentication.</p>
     355<p>Copy <strong>static.key</strong> to the other peer over a secure channel such as <strong>scp</strong>, or by pasting it into an <strong>ssh</strong> session. Never send it by e-mail or over an unencrypted connection: anyone who reads it can decrypt the tunnel.</p>
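<p>The following is an added example for this HOWTO (not code from the OpenVPN project) that parses and sanity-checks a file in the <strong>Static key V1</strong> format shown above: it verifies the BEGIN/END framing, the hex body and the 1024-bit length, splits the material into the 512-bit cipher half and 512-bit HMAC half the text describes, and writes the file with owner-only permissions from the start. The <strong>SAMPLE_KEY</strong> it uses is constructed for the example and is not a real key.</p>

```python
"""Parse, check and split an OpenVPN "Static key V1" file.

Added example for this HOWTO, not code from the OpenVPN project.  The V1
file shown in the HOWTO is 16 lines of 16 hex digits (1024 bits), which
the text describes as keying a 512-bit cipher key and a 512-bit HMAC key.
SAMPLE_KEY below is constructed for the example and must not be deployed.
"""
import os
import re
import stat
import tempfile

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BITS = 1024                  # 16 lines x 16 hex digits, as in the HOWTO
HALF_BYTES = KEY_BITS // 8 // 2  # 64 bytes (512 bits) each for cipher and HMAC

# Constructed sample in the V1 layout (NOT a real key; do not use it).
SAMPLE_KEY = BEGIN + "\n" + "\n".join(
    "%016x" % (0x0123456789ABCDEF ^ (0x1111111111111111 * i)) for i in range(16)
) + "\n" + END + "\n"


class StaticKeyError(ValueError):
    """Raised when the text does not look like a valid V1 static key file."""


def parse_static_key(text: str) -> bytes:
    """Return the raw key bytes from the text of a V1 static key file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise StaticKeyError("missing or wrong BEGIN/END framing")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]+", body):
        raise StaticKeyError("key body must contain hex digits only")
    key = bytes.fromhex(body)
    if len(key) * 8 != KEY_BITS:
        raise StaticKeyError(f"expected {KEY_BITS} key bits, got {len(key) * 8}")
    return key


def is_valid_static_key(text: str) -> bool:
    """Boolean wrapper around parse_static_key for quick checks."""
    try:
        parse_static_key(text)
        return True
    except StaticKeyError:
        return False


def split_static_key(key: bytes) -> tuple:
    """Split the material into (cipher half, HMAC half), 512 bits each."""
    return key[:HALF_BYTES], key[HALF_BYTES:]


def write_private_key_file(path: str, text: str) -> None:
    """Create the file with mode 0600 atomically, so there is no window in
    which it is group- or world-readable (what 'chmod go-rwx' enforces)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def key_file_is_private(path: str) -> bool:
    """True if the file carries no group or other permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def write_and_verify_key(text: str = SAMPLE_KEY) -> bool:
    """Write the key to a temporary file and confirm it is owner-only."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "static.key")
        write_private_key_file(path, text)
        return key_file_is_private(path)


if __name__ == "__main__":
    key = parse_static_key(SAMPLE_KEY)
    cipher_half, hmac_half = split_static_key(key)
    print(f"{len(key) * 8} key bits; cipher half starts {cipher_half.hex()[:16]}, "
          f"HMAC half starts {hmac_half.hex()[:16]}")
    print("key file private:", write_and_verify_key())
```

<p>Run it on a real <strong>static.key</strong> by passing the file's contents to <strong>parse_static_key</strong>; a file that is truncated, hand-edited or of a different version is rejected before it can be installed on the peer.</p>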
     356</td>
     357</tr>
     358</tbody>
     359</table>
     360</div>
     361<h2>Configuration File using a Pre-Shared Static Key</h2>
     362<div align="left">
     363<table border="0">
     364<tbody>
     365<tr>
     366<td width="600">
     367<p>In our example, we will use OpenVPN configuration files. OpenVPN allows options to be passed on either the command line or in one or more configuration files. Options in configuration files can omit the leading "--" that is required for command line options.</p>
     368</td>
     369</tr>
     370</tbody>
     371</table>
     372</div>
     373<p>Set up the following configuration files:</p>
     374<hr />
     375<div align="left">
     376<table border="4" cellspacing="16" cellpadding="16">
     377<tbody>
     378<tr>
     379<td width="100%">
     380<h3>sample-config-files/static-office.conf</h3>
     381</td>
     382</tr>
     383</tbody>
     384</table>
     385</div>
     386<blockquote>
     387<pre><strong>#<br /># Sample OpenVPN configuration file for<br /># office using a pre-shared static key.<br />#<br /># '#' or ';' may be used to delimit comments.<br /><br /># Use a dynamic tun device.<br /># For Linux 2.2 or non-Linux OSes,<br /># you may want to use an explicit<br /># unit number such as "tun1".<br /># OpenVPN also supports virtual<br /># ethernet "tap" devices.<br />dev tun<br /><br /># 10.1.0.1 is our local VPN endpoint (office).<br /># 10.1.0.2 is our remote VPN endpoint (home).<br />ifconfig 10.1.0.1 10.1.0.2<br /><br /># Our up script will establish routes<br /># once the VPN is alive.<br />up ./office.up<br /><br /># Our pre-shared static key<br />secret static.key<br /><br /># OpenVPN 2.0 uses UDP port 1194 by default<br /># (official port assignment by iana.org 11/04).<br /># OpenVPN 1.x uses UDP port 5000 by default.<br /># Each OpenVPN tunnel must use<br /># a different port number.<br /># lport or rport can be used<br /># to denote different ports<br /># for local and remote.<br />; port 1194<br /><br /># Downgrade UID and GID to<br /># "nobody" after initialization<br /># for extra security.<br />; user nobody<br />; group nobody<br /><br /># If you built OpenVPN with<br /># LZO compression, uncomment<br /># out the following line.<br />; comp-lzo<br /><br /># Send a UDP ping to remote once<br /># every 15 seconds to keep<br /># stateful firewall connection<br /># alive.  Uncomment this<br /># out if you are using a stateful<br /># firewall.<br />; ping 15<br /><br /># Uncomment this section for a more reliable detection when a system<br /># loses its connection.  
# For example, dial-ups or laptops that<br /># travel to other locations.<br />; ping 15<br />; ping-restart 45<br />; ping-timer-rem<br />; persist-tun<br />; persist-key<br /><br /># Verbosity level.<br /># 0 -- quiet except for fatal errors.<br /># 1 -- mostly quiet, but display non-fatal network errors.<br /># 3 -- medium output, good for normal operation.<br /># 9 -- verbose, good for troubleshooting<br />verb 3<br /></strong></pre>
     388</blockquote>
     389<hr />
     390<div align="left">
     391<table border="4" cellspacing="16" cellpadding="16">
     392<tbody>
     393<tr>
     394<td width="100%">
     395<h3>sample-config-files/office.up</h3>
     396</td>
     397</tr>
     398</tbody>
     399</table>
     400</div>
     401<blockquote>
     402<pre><strong>#!/bin/sh<br /># Run by OpenVPN (via "up ./office.up") once the tunnel is up.<br /># OpenVPN passes the up script these arguments:<br />#   tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip<br /># so $5 is the remote (home) end of the tunnel, 10.1.0.2.<br /># Route the home LAN (10.0.1.0/24) through it.<br />route add -net 10.0.1.0 netmask 255.255.255.0 gw "$5"<br /></strong></pre>
     403</blockquote>
     404<hr />
     405<div align="left">
     406<table border="4" cellspacing="16" cellpadding="16">
     407<tbody>
     408<tr>
     409<td width="100%">
     410<h3>sample-config-files/static-home.conf</h3>
     411</td>
     412</tr>
     413</tbody>
     414</table>
     415</div>
     416<blockquote>
     417<pre><strong>#<br /># Sample OpenVPN configuration file for<br /># home using a pre-shared static key.<br />#<br /># '#' or ';' may be used to delimit comments.<br /><br /># Use a dynamic tun device.<br /># For Linux 2.2 or non-Linux OSes,<br /># you may want to use an explicit<br /># unit number such as "tun1".<br /># OpenVPN also supports virtual<br /># ethernet "tap" devices.<br />dev tun<br /><br /># Our OpenVPN peer is the office gateway.<br />remote 1.2.3.4<br /><br /># 10.1.0.2 is our local VPN endpoint (home).<br /># 10.1.0.1 is our remote VPN endpoint (office).<br />ifconfig 10.1.0.2 10.1.0.1<br /><br /># Our up script will establish routes<br /># once the VPN is alive.<br />up ./home.up<br /><br /># Our pre-shared static key<br />secret static.key<br /><br /># OpenVPN 2.0 uses UDP port 1194 by default<br /># (official port assignment by iana.org 11/04).<br /># OpenVPN 1.x uses UDP port 5000 by default.<br /># Each OpenVPN tunnel must use<br /># a different port number.<br /># lport or rport can be used<br /># to denote different ports<br /># for local and remote.<br />; port 1194<br /><br /># Downgrade UID and GID to<br /># "nobody" after initialization<br /># for extra security.<br />; user nobody<br />; group nobody<br /><br /># If you built OpenVPN with<br /># LZO compression, uncomment<br /># out the following line.<br />; comp-lzo<br /><br /># Send a UDP ping to remote once<br /># every 15 seconds to keep<br /># stateful firewall connection<br /># alive.  Uncomment this<br /># out if you are using a stateful<br /># firewall.<br />; ping 15<br /><br /># Uncomment this section for a more reliable detection when a system<br /># loses its connection.  
# For example, dial-ups or laptops that<br /># travel to other locations.<br />; ping 15<br />; ping-restart 45<br />; ping-timer-rem<br />; persist-tun<br />; persist-key<br /><br /># Verbosity level.<br /># 0 -- quiet except for fatal errors.<br /># 1 -- mostly quiet, but display non-fatal network errors.<br /># 3 -- medium output, good for normal operation.<br /># 9 -- verbose, good for troubleshooting<br />verb 3<br /></strong></pre>
     418</blockquote>
     419<hr />
     420<div align="left">
     421<table border="4" cellspacing="16" cellpadding="16">
     422<tbody>
     423<tr>
     424<td width="100%">
     425<h3>sample-config-files/home.up</h3>
     426</td>
     427</tr>
     428</tbody>
     429</table>
     430</div>
     431<blockquote>
     432<pre><strong>#!/bin/sh<br /># Run by OpenVPN (via "up ./home.up") once the tunnel is up.<br /># OpenVPN passes the up script these arguments:<br />#   tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip<br /># so $5 is the remote (office) end of the tunnel, 10.1.0.1.<br /># Route the office LAN (10.0.0.0/24) through it.<br />route add -net 10.0.0.0 netmask 255.255.255.0 gw "$5"<br /></strong></pre>
     433</blockquote>
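<p>The configuration files above leave the hardening options (<strong>user nobody</strong>, <strong>group nobody</strong>, <strong>ping-restart</strong>, <strong>persist-key</strong>, <strong>persist-tun</strong>) commented out, and it is easy to forget to enable them. The following added example (not code from the OpenVPN project) applies the two rules stated above, that a config line is an option without the leading "--" and that a line starting with '#' or ';' is a comment, to expand a config file into its command-line equivalent and to report which hardening options are still missing or commented out. The <strong>SAMPLE_CONF</strong> is a constructed excerpt of <strong>static-office.conf</strong>, and the <strong>HARDENING</strong> table is this example's own checklist, not an OpenVPN rule.</p>

```python
"""Expand an OpenVPN config file to its command line and lint hardening.

Added example for this HOWTO, not part of the OpenVPN project.  Only the
line-oriented syntax described in the HOWTO is handled (one option per
line, '#' or ';' at the start of a line begins a comment); OpenVPN 2.x
inline <ca>...</ca> blocks are not.  SAMPLE_CONF is a constructed excerpt
of sample-config-files/static-office.conf.
"""
import shlex

SAMPLE_CONF = """\
# Sample OpenVPN configuration file for
# office using a pre-shared static key.
dev tun
ifconfig 10.1.0.1 10.1.0.2
up ./office.up
secret static.key
; port 1194
; user nobody
; group nobody
; comp-lzo
; ping 15
; ping-restart 45
; persist-tun
; persist-key
verb 3
"""

# This example's checklist: options whose absence weakens the daemon.
HARDENING = {
    "user": "daemon keeps root after initialization; set 'user nobody'",
    "group": "daemon keeps its root group; set 'group nobody'",
    "ping-restart": "a dead peer is never detected; pair it with 'ping'",
    "persist-key": "a restart after dropping privileges cannot re-read the key",
    "persist-tun": "a SIGUSR1 restart would close and reopen the tun device",
}


def parse_config(text):
    """Return (active, commented): lists of token lists.

    Every non-empty comment body is kept as a candidate commented-out
    option; prose comments just produce first tokens that no lint rule
    matches, so they are harmless."""
    active, commented = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] in "#;":
            body = line[1:].strip()
            if body:
                commented.append(body.split())
            continue
        active.append(shlex.split(line))
    return active, commented


def to_command_line(active):
    """Build the equivalent 'openvpn --option arg ...' argument vector."""
    argv = ["openvpn"]
    for tokens in active:
        argv.append("--" + tokens[0])
        argv.extend(tokens[1:])
    return argv


def lint_hardening(active, commented):
    """Map each HARDENING option that is not active to a finding string."""
    active_names = {t[0] for t in active}
    commented_names = {t[0] for t in commented}
    findings = {}
    for name, why in HARDENING.items():
        if name in active_names:
            continue
        state = "commented out" if name in commented_names else "missing"
        findings[name] = f"{state}: {why}"
    return findings


def audit(text):
    """Convenience wrapper returning (argv, findings) for a config's text."""
    active, commented = parse_config(text)
    return to_command_line(active), lint_hardening(active, commented)


if __name__ == "__main__":
    argv, findings = audit(SAMPLE_CONF)
    print(" ".join(shlex.quote(a) for a in argv))
    for name, msg in sorted(findings.items()):
        print(f"WARNING {name}: {msg}")
```

<p>Point <strong>audit</strong> at the office and home files before deploying them; the printed command line is also a convenient way to confirm that what the daemon will see matches what you intended to write.</p>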
     434<h2>Starting the VPN in SSL/TLS mode</h2>
     435<div align="left">
     436<table border="0">
     437<tbody>
     438<tr>
     439<td width="600">
     440<p>On Home, start the VPN with the command:</p>
     441<blockquote>
     442<pre><strong>openvpn --config tls-home.conf</strong></pre>
     443</blockquote>
     444<p>On Office, start the VPN with the command:</p>
     445<blockquote>
     446<pre><strong>openvpn --config tls-office.conf</strong></pre>
     447</blockquote>
     448</td>
     449</tr>
     450</tbody>
     451</table>
     452</div>
     453<h2>Starting the VPN in Static Key mode</h2>
     454<div align="left">
     455<table border="0">
     456<tbody>
     457<tr>
     458<td width="600">
     459<p>On Home, start the VPN with the command:</p>
     460<blockquote>
     461<pre><strong>openvpn --config static-home.conf</strong></pre>
     462</blockquote>
     463<p>On Office, start the VPN with the command:</p>
     464<blockquote>
     465<pre><strong>openvpn --config static-office.conf</strong></pre>
     466</blockquote>
     467</td>
     468</tr>
     469</tbody>
     470</table>
     471</div>
     472<h2>Test the VPN</h2>
     473<div align="left">
     474<table border="0">
     475<tbody>
     476<tr>
     477<td width="600">
     478<p>On Home, test the VPN by pinging Office through the tunnel:</p>
     479<blockquote>
     480<pre><strong>ping 10.1.0.1</strong></pre>
     481</blockquote>
     482<p>On Office, test the VPN by pinging Home through the tunnel:</p>
     483<blockquote>
     484<pre><strong>ping 10.1.0.2</strong></pre>
     485</blockquote>
     486<p>If these tests silently fail, you may want to re-edit the configuration files and set the verbosity level to 8 which will produce much more detailed debugging output. Also consult the <a href="index.php/open-source/faq.html#cant-ping">FAQ</a> for more information on troubleshooting.</p>
     487<p>If these tests succeed, now try pinging through the tunnel using machines on the private networks other than the OpenVPN gateway machines, to test the routing. Basically any machine on the <strong>10.0.1.0/24</strong> subnet should be able to access any machine on the <strong>10.0.0.0/24</strong> subnet and vice versa.</p>
     488<p>If that works, congratulations! If not, you might want to check out the <a href="http://sourceforge.net/mail/?group_id=48978">OpenVPN Mailing List</a> archives to see if anyone else has had a similar problem. If you don't find a resolution to your problem there, consider posting to the <strong>openvpn-users</strong> list.</p>
     489</td>
     490</tr>
     491</tbody>
     492</table>
     493</div>
     494<p><a name="dhcp" title="dhcp"></a></p>
     495<h2>Make the VPN DHCP-aware</h2>
     496<div align="left">
     497<table border="0">
     498<tbody>
     499<tr>
     500<td width="600">
     501<p>If you recall, in our example network configuration, Home has a dynamic IP address which could change without warning. If you are using <strong>dhcpcd</strong> as your client daemon, it is easy to construct a script which will be run anytime the client's IP address changes. This script will be named something like <strong>/etc/dhcpc/dhcpcd-eth0.exe</strong>.</p>
     502<p>Basically, you should add a line to this script which will send a <strong>SIGUSR1</strong> or <strong>SIGHUP</strong> signal to the OpenVPN daemon such as:</p>
     503<blockquote>
     504<pre><strong>killall -HUP openvpn</strong></pre>
     505</blockquote>
     506<p>When OpenVPN receives this signal it will close and reopen the network connection to its peer, using the new IP address assigned by DHCP.</p>
     507<p>You should also use the <strong>--float</strong> option if you are connecting to a peer which may change its IP address due to a DHCP reset.</p>
     508<p>It is also possible to handle DHCP resets with the <strong>SIGUSR1</strong> signal which is like <strong>SIGHUP</strong> except it offers more fine-grained control over which OpenVPN subsystems are reset. A SIGUSR1 signal can also be generated internally based on <strong>--ping</strong> and <strong>--ping-restart</strong>. The <strong>--persist-tun</strong> option allows a reset without closing and reopening the TUN device (which allows seamless connectivity through the tunnel across DHCP resets). The <strong>--persist-remote-ip</strong> option allows for preservation of remote IP address across DHCP resets. This allows both OpenVPN peers to be DHCP clients. The <strong>--persist-key</strong> option doesn't re-read key files on restart (which allows an OpenVPN daemon to be restarted even if its privileges were downgraded with <strong>--user</strong> or <strong>--group</strong>).</p>
     509<p>For more information on using OpenVPN in a dynamic IP address context, see the <a href="index.php/open-source/faq.html#dynamic">FAQ</a>.</p>
     510<p>OpenVPN can also be used in cases where <a href="index.php/open-source/faq.html#dynamic-address">both ends of the connection are dynamic</a>.</p>
     511</td>
     512</tr>
     513</tbody>
     514</table>
     515</div>
     516<h2>Start the VPN automatically on reboot</h2>
     517<div align="left">
     518<table border="0">
     519<tbody>
     520<tr>
     521<td width="600">
     522<p>First make a directory to store OpenVPN keys and configuration files such as <strong>/etc/openvpn</strong>.</p>
     523<p>Decide whether you want to use TLS or Static Key mode and copy appropriate <strong>.conf</strong>, <strong>.up</strong>, <strong>.key</strong>, <strong>.pem</strong>, and <strong>.crt</strong> files to <strong>/etc/openvpn</strong>.</p>
     524<p>Protect your <strong>.key</strong> files:</p>
     525<blockquote>
     526<pre><strong>chmod go-rwx /etc/openvpn/*.key</strong></pre>
     527</blockquote>
     528<p>If you are using Linux <strong>iptables</strong>, edit the firewall configuration file <strong>firewall.sh</strong>, making changes appropriate to your site and copy to <strong>/etc/openvpn</strong>.</p>
     529</td>
     530</tr>
     531</tbody>
     532</table>
     533</div>
     534<p>Make a startup script that looks something like this:</p>
     535<hr />
     536<div align="left">
     537<table border="4" cellspacing="16" cellpadding="16">
     538<tbody>
     539<tr>
     540<td width="100%">
     541<h3>sample-config-files/openvpn-startup.sh</h3>
     542</td>
     543</tr>
     544</tbody>
     545</table>
     546</div>
     547<blockquote>
     548<pre><strong>#!/bin/sh<br /><br /># A sample OpenVPN startup script<br /># for Linux.<br /><br /># openvpn config file directory<br />dir=/etc/openvpn<br /><br /># load the firewall first, so the<br /># tunnels never come up unfiltered<br />"$dir/firewall.sh"<br /><br /># load TUN/TAP kernel module<br />modprobe tun<br /><br /># enable IP forwarding<br />echo 1 &gt; /proc/sys/net/ipv4/ip_forward<br /><br /># Invoke openvpn for each VPN tunnel<br /># in daemon mode.  Alternatively,<br /># you could remove "--daemon" from<br /># the command line and add "daemon"<br /># to the config file.<br />#<br /># Each tunnel should run on a separate<br /># UDP port.  Use the "port" option<br /># to control this.  Like all of<br /># OpenVPN's options, you can<br /># specify "--port 8000" on the command<br /># line or "port 8000" in the config<br /># file.<br /><br /># One line per tunnel; each tunnel<br /># needs its own config file and port.<br />openvpn --cd "$dir" --daemon --config vpn1.conf<br />openvpn --cd "$dir" --daemon --config vpn2.conf<br />openvpn --cd "$dir" --daemon --config vpn3.conf<br /></strong></pre>
     549</blockquote>
     550<p>And make a shutdown script like this:</p>
     551<hr />
     552<div align="left">
     553<table border="4" cellspacing="16" cellpadding="16">
     554<tbody>
     555<tr>
     556<td width="100%">
     557<h3>sample-config-files/openvpn-shutdown.sh</h3>
     558</td>
     559</tr>
     560</tbody>
     561</table>
     562</div>
     563<blockquote>
     564<pre><strong>#!/bin/sh<br /><br /># stop all openvpn processes<br /><br />killall -TERM openvpn<br /></strong></pre>
     565</blockquote>
     566<div align="left">
     567<table border="0">
     568<tbody>
     569<tr>
     570<td width="600">
     571<p>Finally, add calls to <strong>openvpn-startup.sh</strong> and <strong>openvpn-shutdown.sh</strong> to your system startup and shutdown scripts or to your <strong>/etc/init.d</strong> directory.</p>
     572</td>
     573</tr>
     574</tbody>
     575</table>
     576</div>
     577<p><a name="init" title="init"></a></p>
     578<h2>Managing startup and shutdown of multiple OpenVPN tunnels</h2>
     579<div align="left">
     580<table border="0">
     581<tbody>
     582<tr>
     583<td width="600">
     584<p>Here is a sample <strong>/etc/init.d</strong> script which will automatically create an OpenVPN tunnel for each <strong>.conf</strong> file in <strong>/etc/openvpn</strong>.</p>
     585<p>This script is installed by default if you install OpenVPN from an RPM package.</p>
     586</td>
     587</tr>
     588</tbody>
     589</table>
     590</div>
     591<hr />
     592<div align="left">
     593<table border="4" cellspacing="16" cellpadding="16">
     594<tbody>
     595<tr>
     596<td width="100%">
     597<h3>sample-scripts/openvpn.init</h3>
     598</td>
     599</tr>
     600</tbody>
     601</table>
     602</div>
     603<blockquote>
     604<pre><strong>#!/bin/sh
#
# openvpn       This shell script takes care of starting and stopping
#               openvpn on RedHat or other chkconfig-based system.
#
# chkconfig: 345 24 76
#
# description: OpenVPN is a robust and highly flexible tunneling application that
#              uses all of the encryption, authentication, and certification features
#              of the OpenSSL library to securely tunnel IP networks over a single
#              UDP port.
#

# Contributed to the OpenVPN project by
# Douglas Keller &lt;doug@voidstar.dyndns.org&gt;
# 2002.05.15

# To install:
#   copy this file to /etc/rc.d/init.d/openvpn
#   shell&gt; chkconfig --add openvpn
#   shell&gt; mkdir /etc/openvpn
#   make .conf or .sh files in /etc/openvpn (see below)

# To uninstall:
#   run: chkconfig --del openvpn

# Author's Notes:
#
# I have created an /etc/init.d init script and enhanced openvpn.spec to
# automatically register the init script.  Once the RPM is installed you
# can start and stop OpenVPN with "service openvpn start" and "service
# openvpn stop".
#
# The init script does the following:
#
# - Starts an openvpn process for each .conf file it finds in
#   /etc/openvpn.
#
# - If /etc/openvpn/xxx.sh exists for a xxx.conf file then it executes
#   it before starting openvpn (useful for doing openvpn --mktun...).
#
# - In addition to start/stop you can do:
#
#   service openvpn reload - SIGHUP
#   service openvpn reopen - SIGUSR1
#   service openvpn status - SIGUSR2
#
# Modifications:
#
# 2003.05.02
#   * Changed == to = for sh compliance (Bishop Clark).
#   * If condrestart|reload|reopen|status, check that we were
#     actually started (James Yonan).
#   * Added lock, piddir, and work variables (James Yonan).
#   * If start is attempted twice, without an intervening stop, or
#     if start is attempted when previous start was not properly
#     shut down, then kill any previously started processes, before
#     commencing new start operation (James Yonan).
#   * Do a better job of flagging errors on start, and properly
#     returning success or failure status to caller (James Yonan).
#
# 2005.04.04
#   * Added openvpn-startup and openvpn-shutdown script calls
#     (James Yonan).
#

# Location of openvpn binary
openvpn=""
openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"
for location in $openvpn_locations
do
  if [ -f "$location" ]
  then
    openvpn=$location
  fi
done

# Lockfile
lock="/var/lock/subsys/openvpn"

# PID directory
piddir="/var/run/openvpn"

# Our working directory
work=/etc/openvpn

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ ${NETWORKING} = "no" ]
then
  echo "Networking is down"
  exit 0
fi

# Check that binary exists
if ! [ -f $openvpn ]
then
  echo "openvpn binary not found"
  exit 0
fi

# See how we were called.
case "$1" in
  start)
        echo -n $"Starting openvpn: "

        /sbin/modprobe tun &gt;/dev/null 2&gt;&amp;1

        # From a security perspective, I think it makes
        # sense to remove this, and have users who need
        # it explicitly enable in their --up scripts or
        # firewall setups.

        #echo 1 &gt; /proc/sys/net/ipv4/ip_forward

        # Run startup script, if defined
        if [ -f $work/openvpn-startup ]; then
            $work/openvpn-startup
        fi

        if [ ! -d $piddir ]; then
            mkdir $piddir
        fi

        if [ -f $lock ]; then
            # we were not shut down correctly
            for pidf in `/bin/ls $piddir/*.pid 2&gt;/dev/null`; do
                if [ -s $pidf ]; then
                    kill `cat $pidf` &gt;/dev/null 2&gt;&amp;1
                fi
                rm -f $pidf
            done
            rm -f $lock
            sleep 2
        fi

        rm -f $piddir/*.pid
        cd $work

        # Start every .conf in $work and run .sh if exists
        errors=0
        successes=0
        for c in `/bin/ls *.conf 2&gt;/dev/null`; do
            bn=${c%%.conf}
            if [ -f "$bn.sh" ]; then
                . $bn.sh
            fi
            rm -f $piddir/$bn.pid
            $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work
            if [ $? = 0 ]; then
                successes=1
            else
                errors=1
            fi
        done

        if [ $errors = 1 ]; then
            failure; echo
        else
            success; echo
        fi

        if [ $successes = 1 ]; then
            touch $lock
        fi
        ;;
  stop)
        echo -n $"Shutting down openvpn: "
        for pidf in `/bin/ls $piddir/*.pid 2&gt;/dev/null`; do
            if [ -s $pidf ]; then
                kill `cat $pidf` &gt;/dev/null 2&gt;&amp;1
            fi
            rm -f $pidf
        done

        # Run shutdown script, if defined
        if [ -f $work/openvpn-shutdown ]; then
            $work/openvpn-shutdown
        fi

        success; echo
        rm -f $lock
        ;;
  restart)
        $0 stop
        sleep 2
        $0 start
        ;;
  reload)
        if [ -f $lock ]; then
            for pidf in `/bin/ls $piddir/*.pid 2&gt;/dev/null`; do
                if [ -s $pidf ]; then
                    kill -HUP `cat $pidf` &gt;/dev/null 2&gt;&amp;1
                fi
            done
        else
            echo "openvpn: service not started"
            exit 1
        fi
        ;;
  reopen)
        if [ -f $lock ]; then
            for pidf in `/bin/ls $piddir/*.pid 2&gt;/dev/null`; do
                if [ -s $pidf ]; then
                    kill -USR1 `cat $pidf` &gt;/dev/null 2&gt;&amp;1
                fi
            done
        else
            echo "openvpn: service not started"
            exit 1
        fi
        ;;
  condrestart)
        if [ -f $lock ]; then
            $0 stop
            # avoid race
            sleep 2
            $0 start
        fi
        ;;
  status)
        if [ -f $lock ]; then
            for pidf in `/bin/ls $piddir/*.pid 2&gt;/dev/null`; do
                if [ -s $pidf ]; then
                    kill -USR2 `cat $pidf` &gt;/dev/null 2&gt;&amp;1
                fi
            done
            echo "Status written to /var/log/messages"
        else
            echo "openvpn: service not started"
            exit 1
        fi
        ;;
  *)
        echo "Usage: openvpn {start|stop|restart|condrestart|reload|reopen|status}"
        exit 1
        ;;
esac
exit 0
</strong></pre>
     605</blockquote>
     606<h2>Instantiate an OpenVPN daemon using <strong>inetd</strong> or <strong>xinetd</strong></h2>
     607<div align="left">
     608<table border="0">
     609<tbody>
     610<tr>
     611<td width="600">
     612<p>The common <strong>xinetd</strong> service can be used to automatically instantiate an OpenVPN daemon upon receipt of an initial datagram from a remote peer.</p>
     613<p>This xinetd configuration will cause xinetd to listen on UDP port 1194 for the first datagram of an incoming OpenVPN session (using a pre-shared key), at which time xinetd will automatically instantiate an OpenVPN daemon to handle the session. Note the use of the <strong>--inactive</strong> switch which will cause the OpenVPN daemon to time out and exit after 10 minutes of idle time. After the OpenVPN daemon exits for whatever reason, the xinetd service will resume listening on the port, and will again instantiate an OpenVPN daemon to handle additional incoming connections. Also note that xinetd will initially instantiate the OpenVPN daemon with <em>root</em> privileges, but OpenVPN will subsequently (after reading the protected key file) downgrade its privilege to <em>nobody</em>.</p>
     614<p>The key file can be generated with the following command:</p>
     615<blockquote>
     616<pre><strong>openvpn --genkey --secret key</strong></pre>
     617</blockquote>
     618<p>Note that each OpenVPN tunnel needs to run on its own separate port number, and needs its own xinetd configuration file. This is because OpenVPN needs specific information on each potential incoming connection, including key files, TUN/TAP devices, tunnel endpoints, and routing configuration. At this point in OpenVPN's development, it is not capable of handling any sort of <em>incoming connection template</em> that would allow a single configuration file to describe a large class of potential connecting clients. Since OpenVPN is implemented as a UDP server, it cannot take advantage of the infrastructure available to forking TCP servers which listen on a fixed port number, then dynamically fork off a new handling daemon for each client session. Incoming connection templates were on the wish list when this was written; OpenVPN 2.0's client/server mode later implemented exactly this, so the per-client xinetd arrangement below is only needed with OpenVPN 1.x.</p>
     619</td>
     620</tr>
     621</tbody>
     622</table>
     623</div>
     624<hr />
     625<div align="left">
     626<table border="4" cellspacing="16" cellpadding="16">
     627<tbody>
     628<tr>
     629<td width="100%">
     630<h3>sample-config-files/xinetd-server-config</h3>
     631</td>
     632</tr>
     633</tbody>
     634</table>
     635</div>
     636<blockquote>
     637<pre><strong># An xinetd configuration file for OpenVPN.<br />#<br /># This file should be renamed to openvpn or something suitably<br /># descriptive and copied to the /etc/xinetd.d directory.<br /># xinetd can then be made aware of this file by restarting<br /># it or sending it a SIGHUP signal.<br />#<br /># For each potential incoming client, create a separate version<br /># of this configuration file on a unique port number.  Also note<br /># that the key file and ifconfig endpoints should be unique for<br /># each client.  This configuration assumes that the OpenVPN<br /># executable and key live in /root/openvpn.  Change this to fit<br /># your environment.<br /><br />service openvpn_1<br />{<br />        type            = UNLISTED<br />        port            = 1194<br />        socket_type     = dgram<br />        protocol        = udp<br />        wait            = yes<br />        user            = root<br />        server          = /root/openvpn/openvpn<br />        server_args     = --inetd --dev tun --ifconfig 10.4.0.2 10.4.0.1 --secret /root/openvpn/key --inactive 600 --user nobody<br />}<br /></strong></pre>
     638</blockquote>
     639<hr />
     640<div align="left">
     641<table border="4" cellspacing="16" cellpadding="16">
     642<tbody>
     643<tr>
     644<td width="100%">
     645<h3>sample-config-files/xinetd-client-config</h3>
     646</td>
     647</tr>
     648</tbody>
     649</table>
     650</div>
     651<blockquote>
     652<pre><strong># This OpenVPN config file<br /># is the client side counterpart<br /># of xinetd-server-config<br /><br />dev tun<br />ifconfig 10.4.0.1 10.4.0.2<br />remote my-server<br />port 1194<br />user nobody<br />secret /root/openvpn/key<br />inactive 600<br /></strong></pre>
     653</blockquote>
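<p>Because every client needs its own xinetd service on its own UDP port, with its own key file and its own pair of tunnel endpoints, it is easy to copy one stanza and forget to change a field, which either makes xinetd refuse the duplicate port or makes two clients share a key. The following added example (not code from the OpenVPN project) allocates those values for several clients, emits the server stanza and the matching client config in the form shown above, and checks the plan for collisions. The base port, the <strong>/root/openvpn</strong> paths, the <strong>key<em>N</em></strong> naming and the <strong>10.4.<em>N</em>.x</strong> addressing are assumptions taken from the sample; the first client reproduces the sample exactly.</p>

```python
"""Generate paired xinetd server stanzas and client configs for
several static-key OpenVPN clients, one UDP port per client.

Added example for this HOWTO, not part of the OpenVPN project.  The
paths, the base port and the 10.4.N.x endpoint scheme are assumptions
(the first client matches xinetd-server-config / xinetd-client-config).
"""


def plan_clients(count, base_port=1194, key_dir="/root/openvpn",
                 server_host="my-server", inactive=600):
    """Allocate a unique port, key path and endpoint pair per client."""
    clients = []
    for i in range(count):
        clients.append({
            "name": f"openvpn_{i + 1}",
            "port": base_port + i,
            "key": f"{key_dir}/key{i + 1}",   # one static key per client
            "server_ip": f"10.4.{i}.2",        # local end on the xinetd host
            "client_ip": f"10.4.{i}.1",        # remote end, as in the sample
            "server_host": server_host,
            "inactive": inactive,
        })
    return clients


def xinetd_stanza(c, openvpn_bin="/root/openvpn/openvpn"):
    """xinetd service definition in the form of xinetd-server-config."""
    args = (f"--inetd --dev tun --ifconfig {c['server_ip']} {c['client_ip']} "
            f"--secret {c['key']} --inactive {c['inactive']} --user nobody")
    return "\n".join([
        f"service {c['name']}",
        "{",
        "        type            = UNLISTED",
        f"        port            = {c['port']}",
        "        socket_type     = dgram",
        "        protocol        = udp",
        "        wait            = yes",
        "        user            = root",
        f"        server          = {openvpn_bin}",
        f"        server_args     = {args}",
        "}",
        "",
    ])


def client_conf(c):
    """Client-side counterpart: ifconfig endpoints swapped, same key/port."""
    return "\n".join([
        "dev tun",
        f"ifconfig {c['client_ip']} {c['server_ip']}",
        f"remote {c['server_host']}",
        f"port {c['port']}",
        "user nobody",
        f"secret {c['key']}",
        f"inactive {c['inactive']}",
        "",
    ])


def check_plan(clients):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    for field in ("port", "key"):
        values = [c[field] for c in clients]
        if len(set(values)) != len(values):
            problems.append(f"duplicate {field}")
    ips = [c["server_ip"] for c in clients] + [c["client_ip"] for c in clients]
    if len(set(ips)) != len(ips):
        problems.append("duplicate tunnel endpoint")
    return problems


if __name__ == "__main__":
    plan = plan_clients(3)
    for problem in check_plan(plan):
        print("PROBLEM:", problem)
    for c in plan:
        print(f"# /etc/xinetd.d/{c['name']}")
        print(xinetd_stanza(c))
        print(f"# {c['name']}.conf for the client")
        print(client_conf(c))
```

<p>Each stanza goes into its own file under <strong>/etc/xinetd.d</strong>, and the matching client config plus the corresponding <strong>key<em>N</em></strong> file (generated with <strong>openvpn --genkey --secret</strong> and copied over a secure channel) go to that client only.</p>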
     654<hr />
     655<p>Copyright © 2002-2008 by OpenVPN Technologies, Inc. &lt;<a href="mailto:info@openvpn.net">info@openvpn.net</a>&gt;. OpenVPN is a trademark of OpenVPN Technologies, Inc.</p>
     656}}}