:: Setting up VPN using Openvpn ::


TO SET UP A VPN USING OPENVPN
  1. In order to keep everything isolated, I created a new user/group (openvpn/openvpn) on mia and zidler. Instructions for creating users from the command line can be found here. I have also set up passwordless login using SSH; please refer to this document for the HowTo. However, I still execute openvpn as root. Use sudo if you want to start it from any other account, since opening the TUN device and configuring the interface need root privileges.
  2. OpenVPN is very easy to configure and install.
  3. OpenVPN can run its UDP tunnel in three modes:
    1. Pre-shared (static) secret key: symmetric encryption plus an HMAC, with one key held by both peers.
    2. Non-encrypted, non-authenticated UDP tunnel (cipher none, auth none).
    3. Public-key mode: TLS with client and server certificates, which negotiates fresh per-session keys.
    Below I have explained the steps to set up each of them.
  4. The openvpn project maintains a good HowTo, and the present document can act as a supplement to it. I also enjoyed reading the up-to-date manpage, and would recommend it to anyone who wants to use OpenVPN for setting up a VPN.
  5. Download the necessary RPMs from rpmfind.net or any such site. Installation should be fairly easy. If for some reason installation fails (in my case, it was asking for libcrypto.so.* and libssl.so.*, though both libraries were present), consider installing from the tarball.
  6. Assuming that you have a working installation, let's use the following setup, with mia as the client and zidler as the server.
  7. Recipe for setting up VPN using pre-shared secret key
    1. The first thing to do is generate a shared secret key that both peers will hold. Use the following command to generate it. The key is random data, so treat the file like a password: anyone who obtains it can decrypt the tunnel and inject traffic into it.
      openvpn@mia:~/certificates> openvpn --genkey --secret temp.key
      openvpn@mia:~/certificates> cat temp.key 
      -----BEGIN OpenVPN Static key V1-----
      3e51dd78f851023b
      8f90c386555f7e77
      8fb104b6da7ad925
      21bf4640b1fea1ed
      d8122049cea29837
      e1f03ce9f6456494
      639bd25ea938f9d9
      8c7f677c29cf4acc
      2ef6608043048f7c
      805a8837910092aa
      660f7daa903feaba
      f6768125323a56ca
      2a5e04193b9c18c7
      ffaf9006f3d74d0f
      0d3e331d66b95b34
      35dc22fe3748cd30
      -----END OpenVPN Static key V1-----
      
    2. Place this secret key (temp.key) in a known location. I usually use $HOME/certificates on all my peers. Copy the key to the peer's $HOME/certificates using scp (so it travels over an authenticated, encrypted channel) as follows. Note that the configuration files in the next step refer to it as static.key, so either rename the file on both peers or point the secret option at temp.key:
      openvpn@mia:~/certificates> scp temp.key openvpn@zidler:~/certificates
      
    3. Set up a proper configuration file on both peers. Read the openvpn man page for the different configuration options; most of them can be left at their defaults. The ones I wanted to change are shown below:
      openvpn@mia:~> cat openvpn.conf
      dev tun
      port 5000
      #comp-lzo
      #ping 15
      verb 3
      #shaper 1000 
      remote 131.193.50.184
      ifconfig 192.168.254.200 192.168.254.201
      up /home/openvpn/bin/ip-up.sh
      down /home/openvpn/bin/ip-down.sh
      
      #Using Pre-Shared Secret Key.
      secret /home/openvpn/certificates/static.key 
      auth MD5
      cipher DES-CBC
      #keysize 192
      -------------------------------------------------------------------
      openvpn@zidler:~> cat openvpn.conf
      dev tun
      port 5000
      #comp-lzo
      #ping 15
      verb 3
      #shaper 1000
      remote 131.193.50.165
      ifconfig 192.168.254.201 192.168.254.200
      up /home/openvpn/bin/ip-up.sh
      down /home/openvpn/bin/ip-down.sh
      
      #Using Pre-Shared Secret Key.
      secret /home/openvpn/certificates/static.key
      auth MD5
      cipher DES-CBC
      #keysize 192
      
      NOTE: Take note of the remote AA.BB.CC.DD and ifconfig 192.168.254.XX 192.168.254.YY options. They are mirrored at the two peers: each side's remote is the other side's public address, and the local/remote pair given to ifconfig is swapped. Both peers must also name the same key file (the key generated above was temp.key, while these configs refer to static.key). Uncomment comp-lzo if you want compression, and shaper n if you want to limit outgoing tunnel bandwidth to n bytes/second. The cipher DES-CBC and auth MD5 shown here illustrate the options rather than recommend them: single DES has only a 56-bit effective key and MD5 is obsolete as a digest, so if your build lists AES ciphers and SHA-2 digests in the next two steps, use those instead.
    4. You can also select a different cipher (any that your OpenSSL build provides). To see what is available on your platform, use the following command:
      openvpn@mia:~> openvpn --show-ciphers
      --SNIP--
      DES-CFB 64 bit default key (fixed)
      DES-CBC 64 bit default key (fixed)
      --SNIP--
      
      Specify the selected cipher (DES-CFB, say) in the configuration file as cipher DES-CFB. In static-key mode only one cipher can be specified, and AFAIK there is no negotiation between the two peers, so both configuration files must name the same cipher or the peers will not be able to decrypt each other's packets.
    5. You can also select a different digest for the HMAC (any that your OpenSSL build provides). To see what is available on your platform, use the following command:
      openvpn@mia:~> openvpn --show-digests
      --SNIP--
      MD2 128 bit digest size
      MD5 128 bit digest size
      --SNIP--
      
      Specify the selected digest (MD5, say) in the configuration file as auth MD5. Only one digest can be specified, and AFAIK there is no negotiation between the two peers, so the auth setting must match on both sides as well or every packet fails its HMAC check and is dropped.
    6. Start both peers (in either order) using the command:
      [openvpn@mia openvpn]# openvpn --config openvpn.conf
      
      Thu Jul 17 16:12:10 2003 0[0]: OpenVPN 1.4.1 i386-redhat-linux-gnu built on May 22 2003
      Thu Jul 17 16:12:10 2003 1[0]: UDP link local (bound): [undef]:5000
      Thu Jul 17 16:12:10 2003 2[0]: UDP link remote: 131.193.50.184:5000
      Thu Jul 17 16:12:10 2003 3[0]: Static Encrypt: Cipher 'DES-CBC' initialized with 64 bit key
      Thu Jul 17 16:12:10 2003 4[0]: Static Encrypt: Using 128 bit message digest 'MD5' for HMAC authentication
      Thu Jul 17 16:12:10 2003 5[0]: Static Decrypt: Cipher 'DES-CBC' initialized with 64 bit key
      Thu Jul 17 16:12:10 2003 6[0]: Static Decrypt: Using 128 bit message digest 'MD5' for HMAC authentication
      Thu Jul 17 16:12:10 2003 7[0]: Data Channel MTU parms [ udp_mtu=1300 extra_frame=40 extra_buffer=0 extra_tun=0 dynamic = [ mtu_min_initial=MTU_INITIAL_UNDEF mtu_max_initial=MTU_INITIAL_UNDEF mtu_initial=MTU_SET_TO_MAX mtu_min=140 mtu_max=1300 mtu=1300 ]]
      Thu Jul 17 16:12:10 2003 8[0]: TUN/TAP device tun0 opened
      Thu Jul 17 16:12:10 2003 9[0]: /sbin/ifconfig tun0 192.168.254.200 pointopoint 192.168.254.201 mtu 1260
      Thu Jul 17 16:12:10 2003 10[0]: /home/openvpn/bin/ip-up.sh tun0 1260 1300 192.168.254.200 192.168.254.201
      [ip-up] -- tun0 1260 1300 192.168.254.200 192.168.254.201
      Thu Jul 17 16:12:10 2003 11[0]: PTHREAD support initialized
      Thu Jul 17 16:12:40 2003 12[0]: Peer Connection Initiated with 131.193.50.184:5000
      
      
      Take a look at the messages to check the parameters actually in use: the cipher and HMAC digest, the link and TUN MTUs, and the ifconfig call. The '64 bit key' reported for DES-CBC is the nominal key length; 8 of those bits are parity, so the effective strength is 56 bits. The final line, Peer Connection Initiated, appears when the first packet from the other peer arrives.
  8. Recipe for setting up VPN using NULL encrypted UDP tunnel
    1. To achieve this, set cipher none and auth none in the configuration file of the previous recipe. This gives neither confidentiality nor integrity: anyone on the path can read the traffic, and anyone who can reach UDP port 5000 with a forged source address can inject packets that come out of tun0 as if the peer had sent them. Use it only for throughput testing.
    2. Start openvpn with the same command as before, but check the messages to see that the cipher and MAC are null, as below:
      [openvpn@mia openvpn]# openvpn --config openvpn.conf
      Thu Jul 17 16:16:52 2003 0[0]: OpenVPN 1.4.1 i386-redhat-linux-gnu built on May 22 2003
      Thu Jul 17 16:16:52 2003 1[0]: UDP link local (bound): [undef]:5000
      Thu Jul 17 16:16:52 2003 2[0]: UDP link remote: 131.193.50.184:5000
      Thu Jul 17 16:16:52 2003 3[0]: ******* WARNING *******: null cipher specified, no encryption will be used
      Thu Jul 17 16:16:52 2003 4[0]: ******* WARNING *******: null MAC specified, no authentication will be used
      Thu Jul 17 16:16:52 2003 5[0]: Data Channel MTU parms [ udp_mtu=1300 extra_frame=8 extra_buffer=0 extra_tun=0 dynamic = [ mtu_min_initial=MTU_INITIAL_UNDEF mtu_max_initial=MTU_INITIAL_UNDEF mtu_initial=MTU_SET_TO_MAX mtu_min=108 mtu_max=1300 mtu=1300 ]]
      Thu Jul 17 16:16:52 2003 6[0]: TUN/TAP device tun0 opened
      Thu Jul 17 16:16:52 2003 7[0]: /sbin/ifconfig tun0 192.168.254.200 pointopoint 192.168.254.201 mtu 1292
      Thu Jul 17 16:16:52 2003 8[0]: /home/openvpn/bin/ip-up.sh tun0 1292 1300 192.168.254.200 192.168.254.201
      [ip-up] -- tun0 1292 1300 192.168.254.200 192.168.254.201
      Thu Jul 17 16:16:52 2003 9[0]: PTHREAD support initialized
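As an added example (this script is not part of the original page or of the OpenVPN project), the following shell script assembles the static-key setup of recipes 7 and 8 and checks it before openvpn is ever run: it writes the key file with owner-only permissions, writes the mirrored configurations for mia and zidler, and then verifies that the ifconfig pairs are swapped, that the two remote addresses differ, that both peers point at an existing key file (the recipe generates temp.key but configures static.key), that the key is mode 600, and that neither cipher none / DES nor auth none / MD5 is in use. The key writer is a stand-in for openvpn --genkey --secret that only reproduces the file layout shown above; AES-256-CBC and SHA256 are assumed to appear in your build's --show-ciphers and --show-digests lists; the addresses are the ones from the recipe.

```sh
#!/bin/sh
# Added example, not part of the original page: builds the mirrored
# static-key configuration for the two peers of the recipe and checks the
# points the recipe warns about before openvpn is started.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for "openvpn --genkey --secret FILE": writes 128 random bytes from
# /dev/urandom in the same "OpenVPN Static key V1" layout (16 lines of 16 hex
# digits) so the script runs without openvpn installed. Use the real command
# for a deployment. The subshell keeps the umask change local.
gen_static_key() {
    (
        umask 077                       # file is created mode 0600
        {
            echo "-----BEGIN OpenVPN Static key V1-----"
            dd if=/dev/urandom bs=128 count=1 2>/dev/null \
                | od -An -v -tx1 | tr -d ' \n' | fold -w 16
            echo
            echo "-----END OpenVPN Static key V1-----"
        } > "$1"
    )
}

# Write one peer's configuration. Arguments: file, the other peer's public
# address, local and remote tunnel addresses, key file, cipher, HMAC digest.
write_peer_conf() {
    cat > "$1" <<EOF
dev tun
port 5000
verb 3
remote $2
ifconfig $3 $4
secret $5
cipher $6
auth $7
EOF
}

# Value of an option in a config file (first match; # and ; comments skipped).
conf_get() {
    grep -v '^[#;]' "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Cross-check the two peers' configurations. Prints every problem found and
# returns 1 if there was one. The cipher/auth test flags the settings the
# page uses as illustrations (DES, MD5) and the "none" of recipe 8.
check_conf_pair() {
    a=$1; b=$2; bad=0
    # the ifconfig local/remote pair must be swapped between the peers
    ifa=$(conf_get "$a" ifconfig); ifb=$(conf_get "$b" ifconfig)
    if [ "$ifa" != "${ifb#* } ${ifb%% *}" ]; then
        echo "ifconfig not mirrored: '$ifa' vs '$ifb'"; bad=1
    fi
    # each remote names the other peer, so the two must differ
    if [ "$(conf_get "$a" remote)" = "$(conf_get "$b" remote)" ]; then
        echo "both peers point remote at the same address"; bad=1
    fi
    for f in "$a" "$b"; do
        key=$(conf_get "$f" secret)
        if [ ! -f "$key" ]; then
            echo "$f: secret file '$key' does not exist (generated key not renamed?)"; bad=1
        elif [ "$(file_mode "$key")" != 600 ]; then
            echo "$f: key '$key' is mode $(file_mode "$key"), want 600"; bad=1
        fi
        case "$(conf_get "$f" cipher)" in
            none|DES-*) echo "$f: weak or null cipher $(conf_get "$f" cipher)"; bad=1 ;;
        esac
        case "$(conf_get "$f" auth)" in
            none|MD5|MD2) echo "$f: weak or null HMAC digest $(conf_get "$f" auth)"; bad=1 ;;
        esac
    done
    return $bad
}

# Peer addresses from the recipe; cipher/auth chosen to satisfy the check
# (assumes an OpenSSL build that lists AES-256-CBC and SHA256).
gen_static_key "$WORK/static.key"
write_peer_conf "$WORK/mia.conf"    131.193.50.184 192.168.254.200 192.168.254.201 \
    "$WORK/static.key" AES-256-CBC SHA256
write_peer_conf "$WORK/zidler.conf" 131.193.50.165 192.168.254.201 192.168.254.200 \
    "$WORK/static.key" AES-256-CBC SHA256
check_conf_pair "$WORK/mia.conf" "$WORK/zidler.conf" && echo "configs are consistent"
```

Run as-is, the script reports the pair as consistent. Passing DES-CBC MD5, or none none, as the last two arguments of write_peer_conf makes the checks fire, just as they would for the configurations shown in recipes 7 and 8.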
      
  9. Recipe for setting up VPN using public-key encryption (with client/server certificates)
    1. It is better to set up your own CA (Certificate Authority) that will grant and sign certificates. This is not strictly necessary, and the step can be omitted, but I have preferred to use it and all further steps assume the existence of a CA. Instructions to create your very own CA, which can sign and approve user-requested certificates, can be found here. Make sure that you copy the CA's own certificate to a known directory. I have kept all such certificates in $HOME/certificates.
    2. The openvpn user (openvpn) that creates a VPN must request a certificate and get it signed by the CA. Please remember that the private key must not be protected by a passphrase, otherwise openvpn stops to prompt for it at every start. Instructions for users to create such keys/certificate requests and get them signed by a CA can be found in Steps 8, 9 and 10 of this document.
    3. Restrict the permissions of the private key to 600 (readable and writable by its owner only); do the same at the server. If the key is readable by the group or others, openvpn logs a warning like the one in the server output below.
    4. I have stored the CA certificate, the private key and the signed certificate in $HOME/certificates on both peers.
    5. When using the public-key method, openvpn multiplexes two channels over the one UDP port between the peers:
      1. Data channel: carries the tunneled traffic, encrypted and authenticated with per-session keys.
      2. Control channel: carries the TLS handshake, through which the peers verify each other's certificates and exchange (and periodically renegotiate) the data-channel keys.
    6. The ciphers and digests for the two channels are selected separately: the cipher and auth options in the configuration file apply to the data channel, while tls-cipher restricts the TLS cipher suites the control channel may negotiate. The available choices can be listed with:
      1. openvpn --show-ciphers
      2. openvpn --show-digests
      3. openvpn --show-tls
    7. For public-key mode you have to designate one peer as the client (who initiates the handshake) and the other as the server, so the configuration files differ a bit on the two peers: one gets the option tls-client and the other tls-server. Both configuration files are shown below:
      openvpn@mia:~> cat openvpn.conf
      dev tun
      port 5000
      ; user nobody
      ; group nobody
      #comp-lzo
      #ping 15
      verb 3
      #shaper 1000
      remote 131.193.50.184
      ifconfig 192.168.254.200 192.168.254.201
      up /home/openvpn/bin/ip-up.sh
      down /home/openvpn/bin/ip-down.sh
      
      tls-client
      #auth alg=none
      #cipher alg=none
      #keysize 192
      ca /home/openvpn/certificates/cacert.cer
      cert /home/openvpn/certificates/openvpn_mia_cert.cert
      key /home/openvpn/certificates/openvpn_mia_key.pem
      tls-cipher RC4-MD5
      -------------------------------------------------------
      openvpn@zidler:~> cat openvpn.conf
      dev tun
      port 5000
      ; user nobody
      ; group nobody
      #comp-lzo
      #ping 15
      verb 3
      #shaper 1000
      remote 131.193.50.165
      ifconfig 192.168.254.201 192.168.254.200
      up /home/openvpn/bin/ip-up.sh
      down /home/openvpn/bin/ip-down.sh
      
      tls-server
      #auth alg=none
      #cipher alg=none
      #keysize 192
      ca /home/openvpn/certificates/cacert.cer
      cert /home/openvpn/certificates/openvpn_zidler_cert.cert
      key /home/openvpn/certificates/openvpn_zidler_key.pem
      dh /home/openvpn/certificates/dh1024.pem
      tls-cipher RC4-MD5
      
    8. Notice the file dh1024.pem on the server. It holds the Diffie-Hellman parameters the TLS server uses for key exchange and is required on the tls-server side only. You can create it with the following command; it takes a few minutes to generate. 1024-bit parameters, as used here, are below today's minimum of 2048 bits, so pass a larger size for a new deployment. Two other points about the configuration above: tls-cipher RC4-MD5 pins the control channel to a broken stream cipher, so leave tls-cipher unset or choose a current suite from openvpn --show-tls; and the commented user nobody / group nobody lines, if enabled, make openvpn drop root privileges after it has opened the TUN device, which limits what a compromise of the daemon can do.
      [openvpn@zidler]# openssl dhparam -out dh1024.pem 1024
      
    9. The $HOME/bin/ip-up.sh and ip-down.sh scripts (on both client and server) add and delete routes in the routing table. openvpn passes them the TUN device name, the TUN MTU, the link MTU, and the local and remote tunnel addresses, in that order, as the [ip-up] lines in the logs show.
    10. openvpn is then started on the server and the client (server first) using the command below. Two things in this log are worth noticing: the 'Enter PEM pass phrase:' prompt shows that the server key was still passphrase-protected, which blocks an unattended start (see step 2), and the WARNING on the next line shows that the key was still group- or world-readable (see step 3):
      openvpn@zidler:/home/openvpn# openvpn --config openvpn.conf
      Fri Jul 18 11:01:56 2003 0: OpenVPN 1.4.1 i686-pc-linux-gnu built on Jun  4 2003
      Fri Jul 18 11:01:56 2003 1: UDP link local (bound): [undef]:5000
      Fri Jul 18 11:01:56 2003 2: UDP link remote: 131.193.50.165:5000
      Fri Jul 18 11:01:56 2003 3: Diffie-Hellman initialized with 1024 bit key
      Enter PEM pass phrase:
      Fri Jul 18 11:01:58 2003 4: WARNING: file '/home/openvpn/certificates/openvpn_zidler_key.pem' is group or others accessible
      Fri Jul 18 11:01:58 2003 5: Data Channel MTU parms [ udp_mtu=1300 extra_frame=41 extra_buffer=0 extra_tun=0 dynamic = [ mtu_min_initial=MTU_INITIAL_UNDEF mtu_max_initial=MTU_INITIAL_UNDEF mtu_initial=MTU_SET_TO_MAX mtu_min=141 mtu_max=1300 mtu=1300 ]]
      Fri Jul 18 11:01:58 2003 6: Control Channel MTU parms [ udp_mtu=1300 extra_frame=38 extra_buffer=0 extra_tun=0 dynamic = [ mtu_min_initial=MTU_INITIAL_UNDEF mtu_max_initial=MTU_INITIAL_UNDEF mtu_initial=MTU_SET_TO_MIN mtu_min=138 mtu_max=1300 mtu=138 ]]
      Fri Jul 18 11:01:59 2003 7: TUN/TAP device tun0 opened
      Fri Jul 18 11:01:59 2003 8: /sbin/ifconfig tun0 192.168.254.201 pointopoint 192.168.254.200 mtu 1259
      Fri Jul 18 11:01:59 2003 9: /home/openvpn/bin/ip-up.sh tun0 1259 1300 192.168.254.201 192.168.254.200
      [ip-up] -- tun0 1259 1300 192.168.254.201 192.168.254.200
      Fri Jul 18 11:02:11 2003 10: TLS: tls_pre_decrypt: first response to initial packet sid=6536e1bc d3232430
      Fri Jul 18 11:02:11 2003 11: VERIFY OK: depth=1, /CN=Certificate.Authority.Created.by.Shashank.Khanvilkar/ST=Illinois/C=US/Email=shashank@evl.uic.edu/O=Root.Certification.Authority
      Fri Jul 18 11:02:11 2003 12: VERIFY OK: depth=0, /CN=openvpn/ST=Illinois/C=US/Email=openvpn@mia.ece.uic.edu/O=UIC/OU=ECE
      Fri Jul 18 11:02:11 2003 13: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
      Fri Jul 18 11:02:11 2003 14: Data Channel Decrypt: Using 160 bit message digest 'SHA1' for HMAC authentication
      Fri Jul 18 11:02:11 2003 15: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
      Fri Jul 18 11:02:11 2003 16: Data Channel Encrypt: Using 160 bit message digest 'SHA1' for HMAC authentication
      Fri Jul 18 11:02:11 2003 17: Control Channel: TLSv1, cipher TLSv1/SSLv3 RC4-MD5, 1024 bit RSA
      Fri Jul 18 11:02:11 2003 18: Peer Connection Initiated with 131.193.50.165:5000
      --SNIP--
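As an added example (not code from the original page or from the OpenVPN project), the script below walks through steps 1 to 8 of this recipe with a throwaway CA created by openssl: it issues a certificate and an unencrypted private key to each peer, writes the tls-client and tls-server configurations with the page's file names, and then checks for exactly the problems the log above shows, namely a key with permissions other than 600, a passphrase-protected key, a certificate that does not chain to the configured CA or does not belong to its key, and a tls-server without a dh option. Assumptions: the openssl command-line tool is installed; the OpenVPN build accepts AES-256-CBC and SHA256; the user, group, persist-key and persist-tun options of current OpenVPN 2.x are available; and the 2048-bit DH group is only generated when GEN_DH=1 is set, because that takes minutes, so the checker verifies the dh option rather than the file.

```sh
#!/bin/sh
# Added example, not part of the original page: creates a throwaway CA, one
# signed certificate per peer and the two tls-mode configs of the recipe,
# then checks the points the recipe warns about before openvpn is started.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERTS=$WORK/certificates
mkdir -p "$CERTS"

# Self-signed CA plus a CA-signed certificate and private key for each peer.
# -nodes leaves the keys without a passphrase (needed for unattended start)
# and umask 077 creates them mode 0600; the subshell keeps the umask local.
make_pki() {
    (
        umask 077
        openssl req -x509 -batch -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=Example OpenVPN CA" \
            -keyout "$CERTS/cakey.pem" -out "$CERTS/cacert.cer" 2>/dev/null
        for peer in mia zidler; do
            openssl req -new -batch -newkey rsa:2048 -nodes \
                -subj "/CN=openvpn-$peer" \
                -keyout "$CERTS/openvpn_${peer}_key.pem" -out "$WORK/$peer.csr" 2>/dev/null
            openssl x509 -req -days 365 -in "$WORK/$peer.csr" \
                -CA "$CERTS/cacert.cer" -CAkey "$CERTS/cakey.pem" -CAcreateserial \
                -out "$CERTS/openvpn_${peer}_cert.cert" 2>/dev/null
        done
    )
}

# Diffie-Hellman parameters, needed on the tls-server side only. A 2048-bit
# group takes minutes to generate, so this only runs when GEN_DH=1 is set.
gen_dh() {
    openssl dhparam -out "$CERTS/dh2048.pem" 2048 2>/dev/null
}

# Write one peer's tls-mode configuration. Arguments: file, tls-client or
# tls-server, peer name, the other peer's public address, local and remote
# tunnel addresses. No tls-cipher line: the default suite list replaces the
# page's RC4-MD5. user/group drop root after setup; persist-* keep restarts
# working once privileges are gone.
write_tls_conf() {
    f=$1; role=$2; peer=$3
    {
        echo "dev tun"; echo "port 5000"; echo "verb 3"
        echo "remote $4"; echo "ifconfig $5 $6"
        echo "user nobody"; echo "group nobody"
        echo "persist-key"; echo "persist-tun"
        echo "$role"
        echo "ca $CERTS/cacert.cer"
        echo "cert $CERTS/openvpn_${peer}_cert.cert"
        echo "key $CERTS/openvpn_${peer}_key.pem"
        if [ "$role" = tls-server ]; then echo "dh $CERTS/dh2048.pem"; fi
        echo "cipher AES-256-CBC"; echo "auth SHA256"
    } > "$f"
}

# Value of an option in a config file (first match; # and ; comments skipped).
conf_get() {
    grep -v '^[#;]' "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Check one peer's configuration. Prints every problem found; returns 1 if any.
check_tls_conf() {
    f=$1; bad=0
    ca=$(conf_get "$f" ca); cert=$(conf_get "$f" cert); key=$(conf_get "$f" key)
    for p in "$ca" "$cert" "$key"; do
        [ -f "$p" ] || { echo "$f: missing file $p"; bad=1; }
    done
    [ "$bad" -eq 0 ] || return 1
    # the key must be owner-only, or openvpn warns it is group/others accessible
    mode=$(file_mode "$key")
    [ "$mode" = 600 ] || { echo "$f: key mode is $mode, want 600"; bad=1; }
    # a passphrase-protected key makes openvpn stop at "Enter PEM pass phrase:"
    if grep -q ENCRYPTED "$key"; then echo "$f: key is passphrase-protected"; bad=1; fi
    # the certificate must chain to the configured CA ...
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$f: certificate does not verify against $ca"; bad=1; }
    # ... and the private key must belong to that certificate
    [ "$(openssl x509 -in "$cert" -noout -modulus)" = "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" ] \
        || { echo "$f: key does not match certificate"; bad=1; }
    # dh parameters belong on the tls-server side only
    if grep -q '^tls-server' "$f"; then
        [ -n "$(conf_get "$f" dh)" ] || { echo "$f: tls-server without dh"; bad=1; }
    elif [ -n "$(conf_get "$f" dh)" ]; then
        echo "$f: dh is not used on the tls-client side"; bad=1
    fi
    return $bad
}

make_pki
if [ "${GEN_DH:-0}" = 1 ]; then gen_dh; fi
write_tls_conf "$WORK/mia.conf"    tls-client mia    131.193.50.184 192.168.254.200 192.168.254.201
write_tls_conf "$WORK/zidler.conf" tls-server zidler 131.193.50.165 192.168.254.201 192.168.254.200
check_tls_conf "$WORK/mia.conf"
check_tls_conf "$WORK/zidler.conf"
echo "both configurations pass"
```

To reproduce the two problems visible in the server log above, chmod the server key to 644, or generate it without -nodes so that it carries a passphrase, and run check_tls_conf again: each case is reported before openvpn would have logged it.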
      
  10. Use netstat -rn and ping to verify that the routing is indeed set up properly (for example, ping the peer's tunnel address, 192.168.254.201 from mia).
  11. The tunnel can be shut down by sending the openvpn process SIGTERM (kill <pid>), which also runs the down script to remove the routes.
  12. Comments and corrections are appreciated and can be sent to papers@mia.ece.uic.edu. Now comes the experimentation.
