Recommended OpenVPN Setup

Michael Torrie torriem at gmail.com
Wed Apr 7 14:17:39 MDT 2010


On 04/07/2010 12:42 PM, Dave Smith wrote:
> Would you still be willing to share those configs for the 
> laptop/password setup? That's my use case too. I am (unfortunately) 
> running openSuSE 11.0 on x86-64.

Forgot about that, didn't I.  Was overseas at the time I wrote the
e-mail, and it slipped my mind (besides my internet connection at the
time was very flaky).

I will attach the following files:
- pwd-server.conf - password-based server conf (dynamic pool)
- tls-server.conf - TLS-based server conf (static pool, see ccd below)
- clientrouter - a sample server ccd file that associates the client's
CN with a specific ip address
- pwd-client.conf - password-based client conf
- tls-client.conf - TLS-based client conf like I use on my routers.

To get this all to work you need to set up your own TLS certificate
authority and generate and sign keys, one for the server, and one for
each TLS client.  Password-based clients need only the CA public cert.
I use a nifty program called "xca" to create and manage my personal certs.

An important note about certificates:  openvpn does not like anything
other than SHA1 hashes for signature.  At least that has been my
experience.  So when signing certs, use the SHA1 hash.  This is
obviously not as secure as SHA256.  I haven't done much more research
into this.  After certificate exchange, openvpn uses SSL for encryption.

- pwd-server.conf
  - This config runs on udp on the standard port
  - clients can easily use NetworkManager to set up vpn connections to
    connect to this.
  - clients need to have access to certificateauthority.crt
  - I run one pwd config on udp and one on tcp, in case foreign
    networks are blocking a particular port or protocol.
  - uses a dynamic ip address pool.

- tls-server.conf
  - my config runs on port 1195, since the pwd-based conf is on 1194.
  - clients must have keys and signed certificates, and the cn of the
    client cert must match the name of the ccd file that statically
    assigns the IP address to the client
  - if no ccd file, I think it defaults to a dynamic pool

- clientrouter
  - a sample ccd file that lives in /etc/openvpn/ccd/
  - cn of client cert must match this file name
  - provides openvpn with a list of subnets that the client can
    route to.
  - provides static address assignment, using two addresses, one for
    each end of the tunnel (see
    http://openvpn.net/index.php/open-source/documentation/howto.html
    for information about address pairs and windows limitations).

- pwd-client.conf
  - needs a copy of the certificateauthority.crt
  - NetworkManager can handle configuration so less need to use a conf
    file on the client

- tls-client.conf
  - typical tls client conf that I'd use on a router.

I hope I haven't missed anything or messed up the config files too
badly.  I can answer any questions about them that you might have.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pwd-server.conf
Url: http://plug.org/pipermail/plug/attachments/20100407/7995fda8/attachment.pl 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pwd-client.conf
Url: http://plug.org/pipermail/plug/attachments/20100407/7995fda8/attachment-0001.pl 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tls-server.conf
Url: http://plug.org/pipermail/plug/attachments/20100407/7995fda8/attachment-0002.pl 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: clientrouter
Url: http://plug.org/pipermail/plug/attachments/20100407/7995fda8/attachment-0003.pl 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tls-client.conf
Url: http://plug.org/pipermail/plug/attachments/20100407/7995fda8/attachment-0004.pl 
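A consistency check for a ccd entry of the kind described above (filename must equal the cert CN, ifconfig-push gives a static address pair, iroute lists the subnets behind the client). This is an added example, not one of the attached configs; the directive names are OpenVPN's, but the sample ccd contents, addresses and pool are made up for illustration.

```python
import ipaddress

# Constructed sample of a client-config-dir (ccd) file, named after the
# client certificate's CN ("clientrouter" in the message above).
CCD_SAMPLE = """\
# static tunnel endpoints: client-side address, then server-side endpoint
ifconfig-push 10.8.0.5 10.8.0.6
# LAN behind this router that the server should route through the tunnel
iroute 192.168.50.0 255.255.255.0
"""

def parse_ccd(text):
    """Return {directive: [args, ...]} for the non-comment lines of a ccd file."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def check_address_pair(local, remote):
    """In the default net30 topology each client gets its own /30: both
    addresses must lie in the same /30 and neither may be that block's
    network or broadcast address (the TAP-Win32 limitation in the HOWTO)."""
    a, b = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    block = ipaddress.ip_network(f"{a}/30", strict=False)
    hosts = set(block.hosts())
    return a != b and a in hosts and b in hosts

def check_ccd(filename, cert_cn, text, vpn_pool):
    """Return a list of problems; an empty list means the entry is consistent."""
    problems = []
    if filename != cert_cn:
        problems.append(f"ccd file {filename!r} does not match cert CN {cert_cn!r}")
    pool = ipaddress.ip_network(vpn_pool)
    directives = parse_ccd(text)
    for args in directives.get("ifconfig-push", []):
        if len(args) != 2 or not check_address_pair(*args):
            problems.append(f"bad ifconfig-push pair: {' '.join(args)}")
        elif not all(ipaddress.ip_address(x) in pool for x in args):
            problems.append(f"ifconfig-push outside {vpn_pool}: {' '.join(args)}")
    for args in directives.get("iroute", []):
        try:  # "addr mask" form; a missing mask means a single host (/32)
            net = ipaddress.ip_network("/".join(args), strict=True)
        except ValueError:
            problems.append(f"bad iroute: {' '.join(args)}")
            continue
        if net.overlaps(pool):
            problems.append(f"iroute {net} overlaps the VPN pool {vpn_pool}")
    return problems

if __name__ == "__main__":
    print(check_ccd("clientrouter", "clientrouter", CCD_SAMPLE, "10.8.0.0/24"))
```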


More information about the PLUG mailing list