Wednesday, April 2, 2014

howto - openvpn on gentoo

Today I'm going to show you how to set up openvpn with self-signed certificates and its clients, via CLI or NetworkManager (both using openvpn). I made such a setup a few days ago and thought I'd share my experience.

Server configuration:

I assume you have Gentoo installed and running, with working networking. Next we install the needed packages. Depending on the openvpn version you may also have to install easy-rsa: openvpn releases prior to 2.3 ship the easy-rsa scripts themselves. I installed the latest unstable version, so I had to install easy-rsa as well.
root # emerge -av openvpn
root # emerge -av easy-rsa

Since openvpn needs a tun device, make sure TUN support is enabled in the kernel config (this is also needed on the clients); you want to see CONFIG_TUN=y or CONFIG_TUN=m:
root # grep CONFIG_TUN /usr/src/linux/.config


The scripts for generating the certificates are usually stored under /usr/share/easy-rsa/. Now edit the following variables in the vars file: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL. Make sure none of these parameters is left blank.

Edit vars file:
root # cd /usr/share/easy-rsa/
root # vim vars

Generate the ca file:
root # . ./vars  
root # ./clean-all  
root # ./build-ca  

The above sequence takes most parameters from the vars file; only the Common Name has to be entered explicitly.

Generate the server certificate:
root # ./build-key-server server

As in the previous step, most parameters are defaulted. When the Common Name is queried, enter "server". The last two queries require a positive response:
Sign the certificate? [y/n]  
1 out of 1 certificate requests certified, commit? [y/n]

Generate client certificates:
root # ./build-key client1
root # ./build-key client2

Make sure to use a unique common name for each client. If you want password-protected certificates use ./build-key-pass, or if you want pkcs12 key files use ./build-key-pkcs12 instead. Again, the last two queries require a positive response.

Generate the Diffie-Hellman parameters (needed by the server):
root # ./build-dh

We have now generated a number of files in the keys sub-directory. The server needs the following: ca.crt, server.crt, server.key and dh1024.pem. Note that build-dh names the file after KEY_SIZE in vars, so with KEY_SIZE=2048 (the sensible minimum today) it will be called dh2048.pem and the dh line in the server config has to match.

Now create a new folder in the openvpn configuration directory and copy those files into this folder:
root # mkdir -p /etc/openvpn/vpn  
root # cd keys  
root # cp ca.crt dh1024.pem server.crt server.key /etc/openvpn/vpn  


First open the server config:
root # vim /etc/openvpn/openvpn.conf

Below is my example configuration. An overview of all server configuration options can be found at [1].
port 11194
proto tcp
dev tun
ca vpn/ca.crt
cert vpn/server.crt
key vpn/server.key
dh vpn/dh1024.pem
# subnet handed out to the clients; 10.8.0.0/24 is just an example
server 10.8.0.0 255.255.255.0
client-to-client
ifconfig-pool-persist ipp.txt
keepalive 20 120
# the clients below expect LZO compression
comp-lzo
# keep the key and the tun device open across restarts, since after
# dropping to nobody the daemon cannot re-read a root-only key
persist-key
persist-tun
user nobody
group nobody
verb 3
Some descriptions:
ca, cert, key, dh - these point to the certificate files we copied before. As in my example configuration you don't have to give the full path, a path relative to /etc/openvpn/ is enough.
server - supplies the subnet range from which clients get their addresses; it also puts openvpn into TLS server mode, which the ca, cert and key options require
client-to-client - vpn clients can "see" each other
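Because the certificate options are resolved relative to /etc/openvpn and the daemon later runs as nobody, the usual first-start failures are a mistyped relative path, a world-readable server.key or a CRL the unprivileged user cannot read. The following script, added here as an example and not part of the original post, reads a server config like the one above and checks exactly those things before you start the service. It assumes a POSIX sh with GNU coreutils (stat -c), as on Gentoo; the config path and the /etc/openvpn layout are taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an OpenVPN server
# config (e.g. /etc/openvpn/openvpn.conf) before starting the daemon.
# Assumes POSIX sh plus GNU coreutils (stat -c), as found on Gentoo.

# Print the first value of a single-argument option, skipping '#'/';' comments.
conf_get() {
    awk -v opt="$2" '$1 !~ /^[#;]/ && $1 == opt { print $2; exit }' "$1"
}

# The post says relative paths are taken from /etc/openvpn, i.e. from the
# directory the config lives in; resolve them the same way here.
resolve_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
    esac
}

# Returns 0 if every referenced file exists with sane permissions and the
# daemon is configured to drop privileges, 1 otherwise (problems are printed).
check_openvpn_config() {
    conf="$1"
    rc=0
    for opt in ca cert key dh crl-verify; do
        val=$(conf_get "$conf" "$opt")
        if [ -z "$val" ]; then
            # crl-verify is optional; the four certificate options are not
            [ "$opt" = crl-verify ] || { echo "MISSING OPTION: $opt"; rc=1; }
            continue
        fi
        file=$(resolve_path "$conf" "$val")
        if [ ! -f "$file" ]; then
            echo "MISSING FILE: $opt -> $file"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$file")
        case "$opt:$mode" in
            # whoever can read server.key can impersonate the server
            key:600 | key:400) ;;
            key:*) echo "BAD PERMISSIONS: $file is mode $mode, expected 600"; rc=1 ;;
            # the CRL is re-read on every connection after dropping to nobody,
            # so it must stay readable by others (it contains no secrets)
            crl-verify:*[4567]) ;;
            crl-verify:*) echo "UNREADABLE CRL: $file is mode $mode, nobody cannot read it"; rc=1 ;;
        esac
    done
    # without user/group the daemon keeps running as root
    for opt in user group; do
        [ -n "$(conf_get "$conf" "$opt")" ] || { echo "NOT SET: $opt"; rc=1; }
    done
    return $rc
}

# Usage: check_openvpn.sh /etc/openvpn/openvpn.conf
if [ "$#" -eq 1 ]; then
    check_openvpn_config "$1"
fi
```

Run it as root so it can stat the key; a non-zero exit means at least one line was printed explaining what to fix.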

Client configuration:

First you have to copy, separately for every client, the following files from the keys directory (/usr/share/easy-rsa/keys) to the client (e.g. via USB stick): ca.crt, client1.crt and client1.key. Save them somewhere secure, ideally under /etc/openvpn/vpn, and keep the key file readable by root only.
root # mkdir -p /etc/openvpn/vpn
root # cp ca.crt client1.crt client1.key /etc/openvpn/vpn/


Make sure you have both networkmanagement and networkmanager-openvpn installed:
root # emerge -av networkmanagement networkmanager-openvpn

Next, Networkmanager:

Open Network Settings, switch to the VPN tab and add a new OpenVPN Connection.

Here you can give your connection a unique name. You also have to enter the Gateway, which is the public IP address of your openvpn server, and point to the right location of your ca, client certificate and client key file.

Under Optional Settings you have to enter the correct port of your server. Since openvpn runs on tcp with LZO compression you also have to check "Use LZO compression" and "Use TCP connection".

In the IPv4 Address tab you can add an additional DNS server. This is useful if you have a local DNS server which resolves local computer names.

If you don't want all traffic routed over the VPN tunnel, check "Use only for resources on this connection" under Routes.

That's all - now you can simply connect to your VPN by clicking on your VPN connection.

Openvpn init-Script:

As on any client you need to install openvpn first:
root # emerge -av openvpn

On Gentoo you can run several tunnels by replacing VPN with other names: each connection gets its own configuration and can be started and stopped individually. The default is simply to use openvpn.conf without symlinking the service. You can of course use both methods. I'm going to show it with a separate openvpn configuration. First link the new connection to the openvpn init script.
root # ln -s /etc/init.d/openvpn /etc/init.d/openvpn.VPN

Now create your config as /etc/openvpn/VPN.conf. An overview of all client configuration options can be found at [2]:
# client mode: pull the server's settings and act as TLS client
client
dev tun
proto tcp
# replace vpn.example.com with your server's public ip address or hostname
remote vpn.example.com 11194
resolv-retry infinite
# must match the server
comp-lzo
persist-key
persist-tun
user nobody
group nobody
ca vpn/ca.crt
cert vpn/client1.crt
key vpn/client1.key
remote-cert-tls server
Again, the ca, cert and key options are paths relative to /etc/openvpn. The remote-cert-tls server line makes the client check that the peer certificate was issued with build-key-server, so a stolen client certificate cannot be used to impersonate the server.

After finishing the configuration you can start your openvpn connection with:
root # /etc/init.d/openvpn.VPN start


Sooner or later you will also need to revoke someone's key. Below is a short howto for revoking certificates:

Revoking client certificates:

First switch to the easy-rsa directory:
root # cd /usr/share/easy-rsa/

The following command generates a CRL file (crl.pem, the certificate revocation list) and adds the client's certificate to it:
root # . vars
root # ./revoke-full client

Afterwards your output should look similar to this:
Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Revoking Certificate 04.
Data Base Updated
Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
client.crt: /C=KG/ST=NA/O=OpenVPN-TEST/CN=client/emailAddress=me@myhost.mydomain
error 23 at 0 depth lookup:certificate revoked

The final "error 23 ... certificate revoked" line is expected: revoke-full verifies the certificate against the fresh CRL, and this confirms it is now rejected. For openvpn to actually drop connections from revoked certificates you have to add the following to the server configuration:
crl-verify crl.pem

Make sure openvpn has access to this file. I suggest copying crl.pem directly into the openvpn configuration directory (/etc/openvpn), and since the CRL is re-read at every client connection, by which time openvpn already runs as nobody, it must be readable by that user. Repeat the copy after each further revocation, because revoke-full regenerates crl.pem in the keys directory. A revoked client that is already connected is only cut off at its next TLS renegotiation (once an hour by default) or when the server restarts.
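The two steps that tend to get forgotten after a revocation are checking which certificates the CA database now lists as revoked, and installing the new CRL with permissions the unprivileged daemon can read. The following helpers are an added example, not part of the original post or of easy-rsa: they read easy-rsa's keys/index.txt, which is the OpenSSL CA database (tab-separated status V/R/E, expiry, revocation date, serial, file name, subject DN, as in the output above), and copy crl.pem into the config directory. The directory paths in the usage comments are assumptions based on the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit easy-rsa's certificate
# database after ./revoke-full and install the new CRL for OpenVPN.
# Assumes easy-rsa 2.x's keys/ layout (index.txt in the OpenSSL CA database
# format, crl.pem written by revoke-full) and a server running as nobody.

# Print the common name of every certificate with the given status letter
# (V = valid, R = revoked, E = expired). The subject DN in column 6 looks
# like /C=KG/ST=NA/O=OpenVPN-TEST/CN=client/emailAddress=...
clients_with_status() {
    awk -F'\t' -v st="$2" '
        $1 == st {
            n = split($6, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] ~ /^CN=/) print substr(part[i], 4)
        }' "$1"
}

revoked_clients() { clients_with_status "$1" R; }
valid_clients()   { clients_with_status "$1" V; }

# Exit status 0 when the named client has a revoked certificate.
is_revoked() { revoked_clients "$1" | grep -qx -- "$2"; }

# Copy keys/crl.pem into the OpenVPN config directory with mode 0644.
# OpenVPN re-reads the CRL on every client connection, by then already
# running as nobody, so the file has to be readable by that user; the CRL
# holds no secrets. Returns 1 if revoke-full has not produced a CRL yet.
install_crl() {
    if [ ! -f "$1/crl.pem" ]; then
        echo "no crl.pem in $1: run ./revoke-full first" >&2
        return 1
    fi
    cp "$1/crl.pem" "$2/crl.pem" && chmod 0644 "$2/crl.pem"
}

# Usage (paths assumed from the post):
#   revoke.sh /usr/share/easy-rsa/keys /etc/openvpn
if [ "$#" -eq 2 ]; then
    echo "revoked certificates:"
    revoked_clients "$1/index.txt"
    echo "still valid:"
    valid_clients "$1/index.txt"
    install_crl "$1" "$2"
fi
```

Run it after each revoke-full; if a name you revoked still shows under "still valid", the revocation did not go through and the CRL you are about to install is stale.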

Further help can be found here:
Official Openvpn howto:
Gentoo wiki openvpn guide:
Revoking certificates: