<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 15. Configuring VPN Server</title><link rel="stylesheet" href="susebooks.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Documentation"><link rel="up" href="part.network_security.html" title="Part III. Network Security"><link rel="prev" href="cha.security.firewall.html" title="Chapter 14. Masquerading and Firewalls"><link rel="next" href="cha.security.yast_ca.html" title="Chapter 16. Managing X.509 Certification"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" title="Chapter 15. Configuring VPN Server"><div class="titlepage"><div><div><h2 class="title"><a name="cha.security.vpnserver"></a>Chapter 15. Configuring VPN Server<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#cha.security.vpnserver">¶</a></span></h2></div></div></div><div class="toc"><p><b>Contents</b></p><dl><dt><span class="sect1"><a href="cha.security.vpnserver.html#sec.security.vpn.overview">15.1. Overview</a></span></dt><dt><span class="sect1"><a href="cha.security.vpnserver.html#sec.security.vpn.simplest">15.2.
Creating the Simplest VPN Example</a></span></dt><dt><span class="sect1"><a href="cha.security.vpnserver.html#sec.security.vpn.ca">15.3. Setting Up Your VPN Server Using Certificate Authority</a></span></dt><dt><span class="sect1"><a href="cha.security.vpnserver.html#sec.security.vpn.nameserver">15.4. Changing Nameservers in VPN</a></span></dt><dt><span class="sect1"><a href="cha.security.vpnserver.html#sec.security.vpn.tools-client">15.5. KDE- and GNOME Applets For Clients</a></span></dt><dt><span class="sect1"><a href="cha.security.vpnserver.html#sec.security.vpn.moreinfo">15.6. For More Information</a></span></dt></dl></div><a class="indexterm" name="id589983"></a><a class="indexterm" name="id589988"></a><div class="abstract" title="Abstract"><p class="title"><b>Abstract</b></p><p>
Nowadays, Internet connections are cheap and available almost
everywhere, so it is important that they are as secure as possible.
A Virtual Private Network (VPN) is a secure network within a second,
insecure network such as the Internet or WLAN. It can be implemented in
different ways and serves several purposes. In this chapter, we focus on
VPNs to link branch offices via secure wide area networks (WANs).
</p></div><div class="sect1" title="15.1. Overview"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.vpn.overview"></a>15.1. Overview<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.overview">¶</a></span></h2></div></div></div><p>
This section gives a brief overview of some scenarios in which a VPN is
used, and introduces some relevant terminology.
</p><div class="sect2" title="15.1.1. VPN Scenarios"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.vpn.scenarios"></a>15.1.1. VPN Scenarios<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.scenarios">¶</a></span></h3></div></div></div><p>
There are many solutions for setting up a VPN connection. This
chapter focuses on the OpenVPN package. Unlike much other VPN software,
OpenVPN can be operated in either of two modes:
</p><div class="variablelist"><dl><dt><span class="term">Routed VPN</span></dt><dd><p>
Routing is an easy solution to set up. It is more efficient and
scales better than bridged VPN. Furthermore, it allows the user to
tune the MTU (Maximum Transfer Unit) to raise efficiency. However, in a
heterogeneous environment NetBIOS broadcasts do not work if you do
not have a Samba server on the gateway. If you need IPv6, the tun
drivers on both ends must support this protocol explicitly.
</p><div class="figure"><a name="fig.vpn.scenario-routed-1"></a><p class="title"><b>Figure 15.1. Routed VPN</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.vpn.scenario-routed-1">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="80%"><tr><td><img src="images/vpn_routed1.png" width="100%" alt="Routed VPN"></td></tr></table></div></div></div><br class="figure-break"></dd><dt><span class="term">Bridged VPN</span></dt><dd><p>
Bridging is a more complex solution. It is recommended when you need
to browse Windows file shares across the VPN without setting up a
Samba or WINS server. Bridged VPN is also needed if you want to use
non-IP protocols (such as IPX) or applications relying on network
broadcasts. However, it is less efficient than routed VPN. Another
disadvantage is that it does not scale well.
</p><div class="figure"><a name="fig.vpn.scenario-briged-1"></a><p class="title"><b>Figure 15.2. Bridged VPN - Scenario 1</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.vpn.scenario-briged-1">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="80%"><tr><td><img src="images/vpn_bridged1.png" width="100%" alt="Bridged VPN - Scenario 1"></td></tr></table></div></div></div><br class="figure-break"><div class="figure"><a name="fig.vpn.scenario-briged-2"></a><p class="title"><b>Figure 15.3. Bridged VPN - Scenario 2</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.vpn.scenario-briged-2">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="80%"><tr><td><img src="images/vpn_bridged2.png" width="100%" alt="Bridged VPN - Scenario 2"></td></tr></table></div></div></div><br class="figure-break"><div class="figure"><a name="fig.vpn.scenario-briged-3"></a><p class="title"><b>Figure 15.4. Bridged VPN - Scenario 3</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.vpn.scenario-briged-3">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="80%"><tr><td><img src="images/vpn_bridged3.png" width="100%" alt="Bridged VPN - Scenario 3"></td></tr></table></div></div></div><br class="figure-break"></dd></dl></div><p>
The major difference between bridging and routing is that a routed VPN
cannot carry IP broadcasts while a bridged VPN can.
</p></div><div class="sect2" title="15.1.2. Tun and Tap Devices"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.vpn.tun-tap"></a>15.1.2. Tun and Tap Devices<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.tun-tap">¶</a></span></h3></div></div></div><p>
Whenever you set up a VPN connection, your IP packets are transferred over
your secured tunnel. The connection between the client's device and the
server's device is called a <span class="emphasis"><em>tunnel</em></span>. A tunnel can
use a so-called <span class="emphasis"><em>tun</em></span> or <span class="emphasis"><em>tap</em></span>
device. They are virtual network kernel drivers which implement the
transmission of Ethernet frames or IP packets:
</p><div class="variablelist"><dl><dt><span class="term">tun device</span></dt><dd><p>
A tun device simulates a point-to-point network (layer 3 in the OSI
model, carrying IP packets). A tun device is used with
routing and works with IP packets.
</p></dd><dt><span class="term">tap device</span></dt><dd><p>
A tap device simulates an Ethernet device (layer 2 in the OSI
model, carrying Ethernet frames). A tap device is used for creating a
network bridge. It works with Ethernet frames.
</p></dd></dl></div><p>
The userspace program OpenVPN can attach itself to a tun or tap device
to receive packets sent by your OS. The program is also able to write
packets to the device. For more information, see
<code class="filename">/usr/src/linux/Documentation/networking/tuntap.txt</code>.
You must install the <code class="literal">kernel-source</code> package to read
this file.
</p></div></div><div class="sect1" title="15.2. Creating the Simplest VPN Example"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.vpn.simplest"></a>15.2. Creating the Simplest VPN Example<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.simplest">¶</a></span></h2></div></div></div><p>
The following example creates a point-to-point VPN tunnel. It
demonstrates how to create a VPN tunnel between one client and a server.
It is assumed that your VPN server will use a private IP address such as
<code class="systemitem">192.168.1.120</code> and your client the IP
address <code class="systemitem">192.168.2.110</code>. You can
modify these private IP addresses to your needs but make sure you select
addresses which do not conflict with other IP addresses.
</p><div class="warning"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Warning: Use It Only For Testing"><tr class="head"><td width="32"><img alt="[Warning]" src="admon/warning.png"></td><th align="left">Use It Only For Testing</th></tr><tr><td colspan="2" align="left" valign="top"><p>
This scenario is only useful for testing and is intended as an example
to get familiar with VPN. <span class="emphasis"><em>Do not use</em></span> it in a
real-world scenario, as it can compromise your security and the
safety of your IT infrastructure!
</p></td></tr></table></div><div class="sect2" title="15.2.1. Configuring the VPN Server"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.vpn.simplest.vpnserv"></a>15.2.1. Configuring the VPN Server<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.simplest.vpnserv">¶</a></span></h3></div></div></div><p>
To configure a VPN server, proceed as follows:
</p><div class="procedure" title="Procedure 15.1. VPN Server Configuration"><a name="pro.security.vpn.simplest.vpnserv"></a><p class="title"><b>Procedure 15.1. VPN Server Configuration</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#pro.security.vpn.simplest.vpnserv">¶</a></span></p><ol class="procedure" type="1"><li><p>
Install the package <code class="systemitem">openvpn</code>
on the machine that will later become your VPN server.
</p></li><li><p>
Open a shell, become <code class="systemitem">root</code> and create the VPN secret key:
</p><pre class="screen">openvpn --genkey --secret /etc/openvpn/secret.key</pre></li><li><p>
Copy the secret key to your client:
</p><pre class="screen">scp /etc/openvpn/secret.key root@192.168.2.110:/etc/openvpn/</pre></li><li><p>
Create the file <code class="filename">/etc/openvpn/server.conf</code> with the
following content:
</p><pre class="screen">dev tun
ifconfig 192.168.1.120 192.168.2.110
secret secret.key</pre></li><li id="st.security.vpn.simplest.vpnserv.yast"><p>
If you use a firewall, start YaST and open UDP port 1194
(<span class="guimenu">Security and
Users</span>+<span class="guimenu">Firewall</span>+<span class="guimenu">Allowed
Services</span>).
</p></li><li><p>
Start the OpenVPN service as <code class="systemitem">root</code>:
</p><pre class="screen">rcopenvpn start</pre></li></ol></div></div><div class="sect2" title="15.2.2. Configuring the VPN Client"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.vpn.simplest.vpnclient"></a>15.2.2. Configuring the VPN Client<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.simplest.vpnclient">¶</a></span></h3></div></div></div><p>
To configure the VPN client, do the following:
</p><div class="procedure" title="Procedure 15.2. VPN Client Configuration"><a name="id590524"></a><p class="title"><b>Procedure 15.2. VPN Client Configuration</b></p><ol class="procedure" type="1"><li><p>
Install the package <code class="systemitem">openvpn</code>
on your client VPN machine.
</p></li><li><p>
Create <code class="filename">/etc/openvpn/client.conf</code> with the
following content:
</p><pre class="screen">remote <em class="replaceable"><code>IP_OF_SERVER</code></em>
dev tun
ifconfig 192.168.2.110 192.168.1.120
secret secret.key</pre><p>
Replace the placeholder <em class="replaceable"><code>IP_OF_SERVER</code></em> in the
first line with either the domain name, or the public IP address of
your server.
</p></li><li><p>
If you use a firewall, start YaST and open UDP port 1194 as
described in <a class="xref" href="cha.security.vpnserver.html#st.security.vpn.simplest.vpnserv.yast" title="Step 5">Step 5</a>
of <a class="xref" href="cha.security.vpnserver.html#pro.security.vpn.simplest.vpnserv" title="Procedure 15.1. VPN Server Configuration">Procedure 15.1, “VPN Server Configuration”</a>.
</p></li><li><p>
Start the OpenVPN service as <code class="systemitem">root</code>:
</p><pre class="screen">rcopenvpn start</pre></li></ol></div></div><div class="sect2" title="15.2.3. Testing the VPN Example"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.vpn.simplest.use"></a>15.2.3. Testing the VPN Example<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.simplest.use">¶</a></span></h3></div></div></div><p>
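Before starting both ends, it is worth checking what Procedures 15.1 and 15.2 put
in place: the shared secret on the client must be the complete file written by
<span class="command"><strong>openvpn --genkey</strong></span>, it must be readable by
<code class="systemitem">root</code> only (anyone who can read it can join or decrypt
the tunnel), and the two <code class="literal">ifconfig</code> lines must mirror each
other, the server's local address being the client's remote address and vice versa.
The following script is an added example and not part of this guide or of the
<code class="systemitem">openvpn</code> package; it assumes only POSIX sh with awk, od,
fold and stat, and its function names (<code class="literal">check_static_key</code>,
<code class="literal">check_p2p_pair</code>, <code class="literal">demo</code>) and the sample
files it writes to a temporary directory are constructed for the example.</p>

```shell
#!/bin/sh
# Added example (not part of the guide or of the openvpn package): pre-flight
# checks for the static-key tunnel of Procedures 15.1 and 15.2. Needs only
# POSIX sh, awk, od, fold and stat.

# conf_get FILE KEYWORD -> value of the first KEYWORD directive in FILE
conf_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_static_key FILE -> 0 if FILE looks like the output of
# "openvpn --genkey --secret" (V1 header, 512 hex digits) and is mode 0600
check_static_key() {
    key="$1"
    [ -f "$key" ] || { echo "missing key file: $key"; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$key" \
        || { echo "$key: no 'OpenVPN Static key V1' header"; return 1; }
    # key body: everything except the ----- delimiters and # comment lines
    hex=$(grep -v -e '^-' -e '^#' "$key" | tr -d ' \n')
    [ "${#hex}" -eq 512 ] && printf '%s' "$hex" | grep -q '^[0-9a-fA-F]*$' \
        || { echo "$key: body is not 512 hex digits (truncated copy?)"; return 1; }
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = 600 ] || { echo "$key: mode $mode, expected 600"; return 1; }
    return 0
}

# check_p2p_pair SERVER_CONF CLIENT_CONF -> 0 if the two ifconfig lines mirror
# each other (local/remote swapped) and both use the same dev and secret file
check_p2p_pair() {
    s_if=$(conf_get "$1" ifconfig); c_if=$(conf_get "$2" ifconfig)
    [ -n "$s_if" ] && [ -n "$c_if" ] || { echo "ifconfig line missing"; return 1; }
    s_loc=${s_if%% *}; s_rem=${s_if##* }
    c_loc=${c_if%% *}; c_rem=${c_if##* }
    [ "$s_loc" = "$c_rem" ] && [ "$s_rem" = "$c_loc" ] \
        || { echo "ifconfig lines do not mirror: '$s_if' vs '$c_if'"; return 1; }
    [ "$(conf_get "$1" dev)" = "$(conf_get "$2" dev)" ] \
        || { echo "dev differs between server and client"; return 1; }
    [ "$(conf_get "$1" secret)" = "$(conf_get "$2" secret)" ] \
        || { echo "secret file names differ"; return 1; }
    return 0
}

# run_checks DIR -> writes constructed sample files into DIR and exercises the
# checks; 0 only if the good files pass and the broken ones are rejected
run_checks() {
    d="$1"
    # Constructed stand-in for "openvpn --genkey --secret": 256 random bytes as hex.
    {
        echo '#'; echo '# 2048 bit OpenVPN static key'; echo '#'
        echo '-----BEGIN OpenVPN Static key V1-----'
        head -c 256 /dev/urandom | od -An -v -tx1 | tr -d ' \n' | fold -w 32
        echo; echo '-----END OpenVPN Static key V1-----'
    } > "$d/secret.key"
    chmod 600 "$d/secret.key"
    printf 'dev tun\nifconfig 192.168.1.120 192.168.2.110\nsecret secret.key\n' > "$d/server.conf"
    printf 'remote vpn.example.test\ndev tun\nifconfig 192.168.2.110 192.168.1.120\nsecret secret.key\n' > "$d/client.conf"
    # Typical mistake: the server's ifconfig line copied to the client unchanged.
    printf 'dev tun\nifconfig 192.168.1.120 192.168.2.110\nsecret secret.key\n' > "$d/bad.conf"

    check_static_key "$d/secret.key" || return 1
    check_p2p_pair "$d/server.conf" "$d/client.conf" || return 1
    check_p2p_pair "$d/server.conf" "$d/bad.conf" && return 1   # must be rejected
    chmod 644 "$d/secret.key"
    check_static_key "$d/secret.key" && return 1                 # group/world-readable key must be rejected
    echo "static-key pre-flight checks passed"
}

# demo -> run_checks in a temporary directory that is removed afterwards
demo() {
    d=$(mktemp -d) || return 1
    run_checks "$d"; rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

<p>On a real installation, call <code class="literal">check_static_key /etc/openvpn/secret.key</code>
on each machine and <code class="literal">check_p2p_pair</code> wherever both configuration files are
at hand; the constructed <code class="literal">demo</code> run at the end shows a passing pair, a client
that copied the server's <code class="literal">ifconfig</code> line unchanged, and a key file that
became group- and world-readable.</p><p>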
After OpenVPN has started successfully, check whether the tun device is
available with the following command:
</p><pre class="screen">ifconfig tun0</pre><p>
To verify the VPN connection, use <span class="command"><strong>ping</strong></span> on both client
and server to see if you can reach each other. Ping the server from the client:
</p><pre class="screen">ping -I tun0 192.168.1.120</pre><p>
Ping the client from the server:
</p><pre class="screen">ping -I tun0 192.168.2.110</pre></div></div><div class="sect1" title="15.3. Setting Up Your VPN Server Using Certificate Authority"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.vpn.ca"></a>15.3. Setting Up Your VPN Server Using Certificate Authority<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.ca">¶</a></span></h2></div></div></div><p>
The example shown in
<a class="xref" href="cha.security.vpnserver.html#sec.security.vpn.simplest" title="15.2. Creating the Simplest VPN Example">Section 15.2</a>
is useful for testing, but not for daily work. This section explains how
to build a VPN server that allows more than one connection at the same
time. This is done with a public key infrastructure (PKI). A PKI consists
of a pair of public and private keys for the server and each client and a
master certificate authority (CA), which is used to sign every server
and client certificate.
</p><p>
This process involves the following steps, each explained in its own
section:
</p><div class="procedure"><ol class="procedure" type="1"><li><p>
<a class="xref" href="cha.security.vpnserver.html#sec.security.vpn.certs" title="15.3.1. Creating Certificates">Section 15.3.1, “Creating Certificates”</a>
</p></li><li><p>
<a class="xref" href="cha.security.vpnserver.html#sec.security.vpn.config-server" title="15.3.2. Configuring the Server">Section 15.3.2, “Configuring the Server”</a>
</p></li><li><p>
<a class="xref" href="cha.security.vpnserver.html#sec.security.vpn.config-clients" title="15.3.3. Configuring the Clients">Section 15.3.3, “Configuring the Clients”</a>
</p></li></ol></div><div class="sect2" title="15.3.1. Creating Certificates"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.vpn.certs"></a>15.3.1. Creating Certificates<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.certs">¶</a></span></h3></div></div></div><p>
Before a VPN connection gets established, the client must authenticate
the server certificate. Conversely, the server must also authenticate
the client certificate. This is called <span class="emphasis"><em>mutual
authentication</em></span>.
</p><p>
You can use two methods to create the respective certificates and keys:
</p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
Use the YaST CA module (see <a class="xref" href="cha.security.yast_ca.html" title="Chapter 16. Managing X.509 Certification">Chapter 16, <i>Managing X.509 Certification</i></a>),
or
</p></li><li class="listitem" style="list-style-type: disc"><p>
Use the scripts included with the
<code class="systemitem">openvpn</code> package.
</p></li></ul></div><div class="sect3" title="15.3.1.1. Generating Certificates with easy-rsa"><div class="titlepage"><div><div><h4 class="title"><a name="sec.security.vpn.ca.easy-rsa"></a>15.3.1.1. Generating Certificates with easy-rsa<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.ca.easy-rsa">¶</a></span></h4></div></div></div><p>
The easy-rsa utilities use the <code class="filename">openssl.cnf</code> file
stored under
<code class="filename">/usr/share/openvpn/easy-rsa/<em class="replaceable"><code>VER</code></em></code>.
In most cases you can leave this file as it is.
</p><div class="procedure" title="Procedure 15.3. Generate the Master CA And Key"><a name="pro.vpn.generate-master-key"></a><p class="title"><b>Procedure 15.3. Generate the Master CA And Key</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#pro.vpn.generate-master-key">¶</a></span></p><ol class="procedure" type="1"><li><p>
Open a shell and become <code class="systemitem">root</code>.
</p></li><li><p>
Change the directory to
<code class="filename">/usr/share/openvpn/easy-rsa/<em class="replaceable"><code>VER</code></em>/</code>.
Replace the placeholder <em class="replaceable"><code>VER</code></em> with either
<code class="filename">1.0</code> or <code class="filename">2.0</code>, the current
versions.
</p></li><li id="st.vpn.easy-rsa.config"><p>
Copy the file <code class="filename">vars</code> to
<code class="filename">/etc/openvpn</code> and set <code class="literal">export
EASY_RSA</code> to
<code class="filename">/usr/share/openvpn/easy-rsa</code>:
</p><pre class="screen">export EASY_RSA="/usr/share/openvpn/easy-rsa"</pre></li><li id="st.vpn.easy-rsa.vars"><p>
In the <code class="filename">vars</code> file change the
<code class="literal">KEY_COUNTRY</code>, <code class="literal">KEY_PROVINCE</code>,
<code class="literal">KEY_CITY</code>, <code class="literal">KEY_ORG</code>, and
<code class="literal">KEY_EMAIL</code> variables according to your needs.
</p></li><li><p>
Initialize the PKI:
</p><pre class="screen">source /etc/openvpn/vars && ./clean-all && ./build-ca</pre></li><li><p>
Enter the data required by the <span class="command"><strong>build-ca</strong></span> script.
Usually you can take the defaults that you have set in
<a class="xref" href="cha.security.vpnserver.html#st.vpn.easy-rsa.vars" title="Step 4">Step 4</a>. Additionally set
<code class="literal">Organizational Unit Name</code> and <code class="literal">Common
Name</code> that were not set previously.
</p></li></ol></div><p>
Once done, the master certificate and key are saved as
<code class="filename">/usr/share/openvpn/easy-rsa/<em class="replaceable"><code>VER</code></em>/keys/ca.*</code>.
</p><div class="procedure" title="Procedure 15.4. Generate The Private Server Key"><a name="pro.vpn.generate-private-key"></a><p class="title"><b>Procedure 15.4. Generate The Private Server Key</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#pro.vpn.generate-private-key">¶</a></span></p><ol class="procedure" type="1"><li><p>
Change to the
<code class="filename">/usr/share/openvpn/easy-rsa/<em class="replaceable"><code>VER</code></em>/</code>
directory.
</p></li><li id="st.vpn.easy-rsa.build-key-server"><p>
Run the following script:
</p><pre class="screen">./build-key-server server</pre><p>
The argument (here: <code class="literal">server</code>) is used for the
private key filename.
</p></li><li><p>
Accept the default parameters, but enter <code class="literal">server</code> for
the <code class="literal">Common Name</code> option.
</p></li><li><p>
Answer the next two questions (<span class="quote">“<span class="quote">Sign the certificate?
[y/n]</span>”</span> and <span class="quote">“<span class="quote">1 out of 1 certificate requests certified,
commit? [y/n]</span>”</span>) with <code class="literal">y</code> (yes).
</p></li></ol></div><p>
Once done, the private server key is saved as
<code class="filename">/usr/share/openvpn/easy-rsa/<em class="replaceable"><code>VER</code></em>/keys/server.*</code>.
</p><div class="procedure" title="Procedure 15.5. Generate Certificates and Keys for a Client"><a name="pro.vpn.generate-keys-for-clients"></a><p class="title"><b>Procedure 15.5. Generate Certificates and Keys for a Client</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#pro.vpn.generate-keys-for-clients">¶</a></span></p><ol class="procedure" type="1"><li><p>
Change to the
<code class="filename">/usr/share/openvpn/easy-rsa/<em class="replaceable"><code>VER</code></em>/</code>
directory. Replace the placeholder <em class="replaceable"><code>VER</code></em>
with either <code class="filename">1.0</code> or <code class="filename">2.0</code>.
</p></li><li><p>
Create the key as in
<a class="xref" href="cha.security.vpnserver.html#st.vpn.easy-rsa.build-key-server" title="Step 2">Step 2</a> of
<a class="xref" href="cha.security.vpnserver.html#pro.vpn.generate-private-key" title="Procedure 15.4. Generate The Private Server Key">Procedure 15.4, “Generate The Private Server Key”</a>:
</p><pre class="screen">./build-key client</pre></li><li><p>
Repeat the previous step for each client that is allowed to connect
to the VPN server. Make sure you use a different name (other than
<span class="quote">“<span class="quote"><code class="literal">client</code></span>”</span>) and an appropriate
<code class="literal">Common Name</code>, because this parameter has to be
unique for each client.
</p></li></ol></div><p>
Once done, the client certificate and key are saved as
<code class="filename">/usr/share/openvpn/easy-rsa/<em class="replaceable"><code>VER</code></em>/keys/client.*</code>
(or under the name that you have given to the
<span class="command"><strong>build-key</strong></span> command).
</p><div class="procedure" title="Procedure 15.6. Final Configuration Steps"><a name="id591195"></a><p class="title"><b>Procedure 15.6. Final Configuration Steps</b></p><ol class="procedure" type="1"><li><p>
Make sure your current working directory is
<code class="filename">/usr/share/openvpn/easy-rsa/<em class="replaceable"><code>VER</code></em>/</code>.
</p></li><li><p>
Create the Diffie-Hellman parameter:
</p><pre class="screen">./build-dh</pre></li><li><p>
Create the <code class="filename">/etc/openvpn/ssl</code> directory.
</p></li><li><p>
Copy the following files to <code class="filename">/etc/openvpn/ssl</code>:
</p><pre class="screen">cp keys/ca.{crt,key} keys/dh1024.pem keys/server.{crt,key} /etc/openvpn/ssl</pre></li><li><p>
Copy the client keys to the relevant client machine. You should then have
the files <code class="filename">client.crt</code> and
<code class="filename">client.key</code> in the
<code class="filename">/etc/openvpn/ssl</code> directory on the client.
</p></li></ol></div></div></div><div class="sect2" title="15.3.2. Configuring the Server"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.vpn.config-server"></a>15.3.2. Configuring the Server<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.config-server">¶</a></span></h3></div></div></div><p>
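Before writing the server configuration, verify what
<a class="xref" href="cha.security.vpnserver.html#sec.security.vpn.certs" title="15.3.1. Creating Certificates">Section 15.3.1, “Creating Certificates”</a>
produced: the server and every client certificate must chain to
<code class="filename">ca.crt</code>, which is exactly what each side checks about the
other during mutual authentication, and every client <code class="literal">Common
Name</code> must be unique. The script below is an added example and not part of this
guide, of the <code class="systemitem">openvpn</code> package or of the easy-rsa scripts;
it needs only the <span class="command"><strong>openssl</strong></span> command line, and the
small PKI it creates in a temporary directory (a CA, a server certificate, clients of
which two deliberately share a Common Name, and a self-signed impostor) is constructed
to stand in for the <code class="filename">keys/</code> directory that
<span class="command"><strong>build-ca</strong></span>,
<span class="command"><strong>build-key-server</strong></span> and
<span class="command"><strong>build-key</strong></span> fill. The function names are the
example's own. It also flags a <code class="filename">ca.key</code> in the server's
<code class="filename">ssl</code> directory: the server configuration references only
<code class="filename">ca.crt</code>, <code class="filename">server.crt</code>,
<code class="filename">server.key</code> and the Diffie-Hellman parameters, so the CA
signing key is better kept where client certificates are issued than on a host that is
reachable from the Internet.</p>

```shell
#!/bin/sh
# Added example (not part of the guide or of easy-rsa): verify the certificates
# from Section 15.3.1 the way the OpenVPN peers will at connection time. Needs
# only the openssl command line; the constructed PKI below stands in for the
# keys/ directory that build-ca, build-key-server and build-key produce.

# make_toy_pki DIR -> constructed CA, server certificate, three client
# certificates (two of them deliberately sharing a Common Name) and one
# self-signed certificate that our CA never issued
make_toy_pki() {
    dir="$1"; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    for name in server client alice alice-dup; do
        case $name in alice-dup) cn=alice ;; *) cn=$name ;; esac   # duplicate CN on purpose
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$name.crt" 2>/dev/null
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=server" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.crt" 2>/dev/null
}

# cert_cn FILE -> subject Common Name of a PEM certificate
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}

# verify_peer CA_CRT PEER_CRT -> 0 if PEER_CRT chains to CA_CRT; this is the
# check each side performs on the other's certificate (mutual authentication)
verify_peer() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# unique_client_cns CA_CRT CRT... -> 0 if every certificate is signed by the
# CA and no two of them share a Common Name
unique_client_cns() {
    ca="$1"; shift
    for crt in "$@"; do
        verify_peer "$ca" "$crt" || { echo "not issued by our CA: $crt"; return 1; }
    done
    dups=$(for crt in "$@"; do cert_cn "$crt"; done | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate client Common Name: $dups"; return 1; }
    return 0
}

# server_dir_check SSL_DIR -> 0 if the directory holds the identity files that
# server.conf references (ca.crt, server.crt, server.key) and no CA private
# key; the server never needs ca.key, so its presence there is flagged
server_dir_check() {
    for f in ca.crt server.crt server.key; do
        [ -f "$1/$f" ] || { echo "missing $1/$f"; return 1; }
    done
    [ ! -f "$1/ca.key" ] || { echo "$1/ca.key present: keep the CA signing key off the VPN server"; return 1; }
    return 0
}

# run_checks DIR -> builds the toy PKI in DIR and exercises the checks;
# 0 only if the good cases pass and the bad cases are rejected
run_checks() {
    k="$1/keys"
    make_toy_pki "$k"
    verify_peer "$k/ca.crt" "$k/client.crt" || return 1     # server checks client
    verify_peer "$k/ca.crt" "$k/server.crt" || return 1     # client checks server
    verify_peer "$k/ca.crt" "$k/rogue.crt" && return 1      # impostor must fail
    unique_client_cns "$k/ca.crt" "$k/client.crt" "$k/alice.crt" || return 1
    unique_client_cns "$k/ca.crt" "$k/client.crt" "$k/alice.crt" "$k/alice-dup.crt" && return 1
    mkdir "$1/ssl"
    cp "$k/ca.crt" "$k/server.crt" "$k/server.key" "$1/ssl/"
    server_dir_check "$1/ssl" || return 1
    cp "$k/ca.key" "$1/ssl/"
    server_dir_check "$1/ssl" && return 1
    echo "PKI checks passed"
}

# demo -> run_checks in a temporary directory that is removed afterwards
demo() {
    d=$(mktemp -d) || return 1
    run_checks "$d"; rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

<p>On a real installation, point <code class="literal">verify_peer</code> and
<code class="literal">unique_client_cns</code> at the files under
<code class="filename">/usr/share/openvpn/easy-rsa/<em class="replaceable"><code>VER</code></em>/keys/</code>
instead of the constructed ones. The client side needs <code class="filename">ca.crt</code> as
well, since its configuration verifies the server certificate against it.</p><p>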
The configuration file is mostly a summary of
<code class="filename">/usr/share/doc/packages/openvpn/sample-config-files/server.conf</code>
without the comments and with some small changes to the paths.
</p><div class="example"><a name="ex.vpn.serv-config"></a><p class="title"><b>Example 15.1. VPN Server Configuration File</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#ex.vpn.serv-config">¶</a></span></p><div class="example-contents"><pre class="screen"># /etc/openvpn/server.conf
port 1194 <a name="co.vpn.servconfig.port"></a><img src="callouts/1.png" alt="1" border="0">
proto udp <a name="co.vpn.servconfig.proto"></a><img src="callouts/2.png" alt="2" border="0">
dev tun0 <a name="co.vpn.servconfig.dev"></a><img src="callouts/3.png" alt="3" border="0">
# Security <a name="co.vpn.servconfig.security"></a><img src="callouts/4.png" alt="4" border="0">
ca ssl/ca.crt
cert ssl/server.crt
key ssl/server.key
dh ssl/dh1024.pem
server 192.168.1.120 255.255.255.0 <a name="co.vpn.servconfig.server"></a><img src="callouts/5.png" alt="5" border="0">
ifconfig-pool-persist /var/run/openvpn/ipp.txt <a name="co.vpn.servconfig.pool"></a><img src="callouts/6.png" alt="6" border="0">
# Privileges <a name="co.vpn.serverconf.privilege"></a><img src="callouts/7.png" alt="7" border="0">
user nobody
group nobody
# Other configuration <a name="co.vpn.servconfig.misc"></a><img src="callouts/8.png" alt="8" border="0">
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 4</pre></div></div><br class="example-break"><div class="calloutlist"><table border="0" summary="Callout list"><tr><td width="5%" valign="top" align="left"><p><a href="#co.vpn.servconfig.port"><img src="callouts/1.png" alt="1" border="0"></a> </p></td><td valign="top" align="left"><p>
The TCP/UDP port on which OpenVPN listens. You have to open this
port in the firewall, see <a class="xref" href="cha.security.firewall.html" title="Chapter 14. Masquerading and Firewalls">Chapter 14, <i>Masquerading and Firewalls</i></a>. The
standard port for OpenVPN is 1194, so in most cases you can leave it as
it is.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.vpn.servconfig.proto"><img src="callouts/2.png" alt="2" border="0"></a> </p></td><td valign="top" align="left"><p>
The protocol, either UDP or TCP.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.vpn.servconfig.dev"><img src="callouts/3.png" alt="3" border="0"></a> </p></td><td valign="top" align="left"><p>
The tun or tap device, see <a class="xref" href="cha.security.vpnserver.html#sec.security.vpn.tun-tap" title="15.1.2. Tun and Tap Devices">Section 15.1.2, “Tun and Tap Devices”</a>
for the differences.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.vpn.servconfig.security"><img src="callouts/4.png" alt="4" border="0"></a> </p></td><td valign="top" align="left"><p>
The following lines contain the relative or absolute path to the root
CA certificate (<code class="literal">ca</code>), the server certificate
(<code class="literal">cert</code>), the private server key
(<code class="literal">key</code>) and the Diffie-Hellman parameters
(<code class="literal">dh</code>). These were generated in
<a class="xref" href="cha.security.vpnserver.html#sec.security.vpn.certs" title="15.3.1. Creating Certificates">Section 15.3.1, “Creating Certificates”</a>.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.vpn.servconfig.server"><img src="callouts/5.png" alt="5" border="0"></a> </p></td><td valign="top" align="left"><p>
Defines the VPN subnet. The server itself can be reached at
<code class="systemitem">192.168.1.120</code>.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.vpn.servconfig.pool"><img src="callouts/6.png" alt="6" border="0"></a> </p></td><td valign="top" align="left"><p>
Records a mapping of clients to their virtual IP addresses in the given
file. This is useful when the server goes down: after the restart, the
clients get their previously assigned IP addresses back.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.vpn.serverconf.privilege"><img src="callouts/7.png" alt="7" border="0"></a> </p></td><td valign="top" align="left"><p>
For security reasons it is a good idea to run the OpenVPN daemon with
reduced privileges. For this reason the user and group
<code class="systemitem">nobody</code> are used.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.vpn.servconfig.misc"><img src="callouts/8.png" alt="8" border="0"></a> </p></td><td valign="top" align="left"><p>
Several other settings; see the comments in the original sample
configuration under
<code class="filename">/usr/share/doc/packages/openvpn/sample-config-files</code>.
</p></td></tr></table></div><p>
After this configuration, you can see log messages from your OpenVPN
server under <code class="filename">/var/log/openvpn.log</code>. When you have
started it for the first time, the log should end with:
</p><pre class="screen">... Initialization Sequence Completed</pre><p>
If you do not see this message, check the log carefully. Usually OpenVPN
gives you some hints about what is wrong in your configuration file.
</p></div><div class="sect2" title="15.3.3. Configuring the Clients"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.vpn.config-clients"></a>15.3.3. Configuring the Clients<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.config-clients">¶</a></span></h3></div></div></div><p>
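A client configuration only works if it agrees with the server on the points the
callouts of this section spell out: the same protocol, the same device type, a
<code class="literal">remote</code> port that matches the server's
<code class="literal">port</code>, and compression on both sides or on neither. The
following script is an added example and not part of this guide or of the
<code class="systemitem">openvpn</code> package; it reads a
<code class="filename">server.conf</code> and a <code class="filename">client.conf</code>
with POSIX sh and awk and reports every mismatch. For its self-test it writes constructed
copies of <a class="xref" href="cha.security.vpnserver.html#ex.vpn.serv-config" title="Example 15.1. VPN Server Configuration File">Example 15.1, “VPN Server Configuration File”</a>
and of the client file shown in this section, plus a deliberately broken client. The
function names and the sample host name <code class="literal">vpn.example.test</code> are
the example's own.</p>

```shell
#!/bin/sh
# Added example (not part of the guide or of the openvpn package): check that a
# client.conf agrees with the server.conf it is meant to connect to, covering
# the points the callouts of Examples 15.1 and 15.2 make. Needs POSIX sh and awk.

# conf_get FILE KEYWORD -> value of the first KEYWORD directive (empty if absent)
conf_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# conf_has FILE KEYWORD -> 0 if KEYWORD appears as a directive
conf_has() {
    awk -v k="$2" 'BEGIN { found = 0 } $1 == k { found = 1 } END { exit !found }' "$1"
}

# dev_type VALUE -> "tun" or "tap" regardless of a unit number (tun0, tap1 ...)
dev_type() {
    case "$1" in tun*) echo tun ;; tap*) echo tap ;; *) echo "$1" ;; esac
}

# proto_base VALUE -> "tcp" for tcp, tcp-server and tcp-client; other values unchanged
proto_base() {
    p=${1%-server}; p=${p%-client}; echo "$p"
}

# check_pair SERVER_CONF CLIENT_CONF -> 0 if the client can talk to this server;
# prints one line per mismatch and returns 1 otherwise
check_pair() {
    s="$1"; c="$2"; rc=0
    conf_has "$c" client || { echo "client config lacks the 'client' directive"; rc=1; }
    s_proto=$(proto_base "$(conf_get "$s" proto)"); c_proto=$(proto_base "$(conf_get "$c" proto)")
    [ "$s_proto" = "$c_proto" ] || { echo "proto differs: server '$s_proto', client '$c_proto'"; rc=1; }
    [ "$(dev_type "$(conf_get "$s" dev)")" = "$(dev_type "$(conf_get "$c" dev)")" ] \
        || { echo "device type differs (tun vs tap)"; rc=1; }
    port=$(conf_get "$s" port); [ -n "$port" ] || port=1194       # OpenVPN default
    # each "remote HOST PORT" on the client must name the server's port;
    # a bare "remote HOST" carries no port and is not checked here
    awk -v p="$port" 'BEGIN { bad = 0 } $1 == "remote" && $3 != "" && $3 != p { bad = 1 } END { exit bad }' "$c" \
        || { echo "a remote line uses a port other than $port"; rc=1; }
    if conf_has "$s" comp-lzo; then
        conf_has "$c" comp-lzo || { echo "server compresses (comp-lzo) but client does not"; rc=1; }
    elif conf_has "$c" comp-lzo; then
        echo "client compresses (comp-lzo) but server does not"; rc=1
    fi
    return $rc
}

# run_checks DIR -> writes constructed sample configs into DIR and exercises the
# check; 0 only if the matching pair passes and the broken one is rejected
run_checks() {
    d="$1"
    # Constructed server.conf with the directives of Example 15.1 that matter here.
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun0' 'ca ssl/ca.crt' 'cert ssl/server.crt' \
        'key ssl/server.key' 'dh ssl/dh1024.pem' 'server 192.168.1.120 255.255.255.0' \
        'comp-lzo' > "$d/server.conf"
    # Constructed client.conf in the shape of Example 15.2, matching the server.
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote vpn.example.test 1194' 'nobind' \
        'ca ssl/ca.crt' 'cert ssl/client.crt' 'key ssl/client.key' 'comp-lzo' > "$d/client.conf"
    # Broken client: TCP, a tap device, the wrong port and no compression.
    printf '%s\n' 'client' 'dev tap' 'proto tcp-client' 'remote vpn.example.test 443' \
        'nobind' > "$d/bad.conf"
    check_pair "$d/server.conf" "$d/client.conf" || return 1
    check_pair "$d/server.conf" "$d/bad.conf" && return 1
    echo "client/server configuration checks passed"
}

# demo -> run_checks in a temporary directory that is removed afterwards
demo() {
    d=$(mktemp -d) || return 1
    run_checks "$d"; rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

<p>The device comparison looks only at the type, so <code class="literal">dev tun0</code> on the
server and <code class="literal">dev tun</code> on the client match, and
<code class="literal">tcp</code>, <code class="literal">tcp-server</code> and
<code class="literal">tcp-client</code> count as the same protocol.</p><p>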
The configuration file is mostly a summary of
<code class="filename">/usr/share/doc/packages/openvpn/sample-config-files/client.conf</code>
without the comments and with some small changes to the paths.
</p><div class="example"><a name="id591542"></a><p class="title"><b>Example 15.2. VPN Client Configuration File</b></p><div class="example-contents"><pre class="screen"># /etc/openvpn/client.conf
client <a name="co.vpn.clientconf.client"></a><img src="callouts/1.png" alt="1" border="0">
dev tun <a name="co.vpn.clientconf.dev"></a><img src="callouts/2.png" alt="2" border="0">
proto udp <a name="co.vpn.clientconf.proto"></a><img src="callouts/3.png" alt="3" border="0">
remote <em class="replaceable"><code>IP_OR_HOSTNAME</code></em> 1194 <a name="co.vpn.clientconf.remote"></a><img src="callouts/4.png" alt="4" border="0">
resolv-retry infinite
nobind
# Privileges <a name="co.vpn.clientconf.privileges"></a><img src="callouts/5.png" alt="5" border="0">
user nobody
group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# Security <a name="co.vpn.clientconf.security"></a><img src="callouts/6.png" alt="6" border="0">
ca ssl/ca.crt
cert ssl/client.crt
key ssl/client.key
comp-lzo <a name="co.vpn.clientconf.compr"></a><img src="callouts/7.png" alt="7" border="0"></pre><div class="calloutlist"><table border="0" summary="Callout list"><tr><td width="5%" valign="top" align="left"><p><a href="#co.vpn.clientconf.client"><img src="callouts/1.png" alt="1" border="0"></a> </p></td><td valign="top" align="left"><p>
Specifies that this machine is a client.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.vpn.clientconf.dev"><img src="callouts/2.png" alt="2" border="0"></a> </p></td><td valign="top" align="left"><p>
The network device. Both clients and server must use the same device.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.vpn.clientconf.proto"><img src="callouts/3.png" alt="3" border="0"></a> </p></td><td valign="top" align="left"><p>
The protocol. Use the same settings as on the server.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.vpn.clientconf.remote"><img src="callouts/4.png" alt="4" border="0"></a> </p></td><td valign="top" align="left"><p>
Replace the placeholder <em class="replaceable"><code>IP_OR_HOSTNAME</code></em>
with the hostname or IP address of your VPN server, followed by the
server port. You can have multiple
<code class="literal">remote</code> entries pointing to different VPN
servers. This is useful for load balancing between different VPN
servers.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.vpn.clientconf.privileges"><img src="callouts/5.png" alt="5" border="0"></a> </p></td><td valign="top" align="left"><p>
For security reasons it is a good idea to run the OpenVPN daemon with
reduced privileges. For this reason the user and group
<code class="systemitem">nobody</code> are used. Once privileges are dropped,
the daemon can no longer reopen the key file or the tun device, which is
why <code class="literal">persist-key</code> and
<code class="literal">persist-tun</code> are set.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.vpn.clientconf.security"><img src="callouts/6.png" alt="6" border="0"></a> </p></td><td valign="top" align="left"><p>
Points to the CA certificate and to this client's own certificate and
key. For security reasons, it is better to have a separate
certificate/key pair for each client.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.vpn.clientconf.compr"><img src="callouts/7.png" alt="7" border="0"></a> </p></td><td valign="top" align="left"><p>
Turns compression on. Use it only when the server has this parameter
switched on as well.
</p></td></tr></table></div></div></div><br class="example-break"></div></div><div class="sect1" title="15.4. Changing Nameservers in VPN"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.vpn.nameserver"></a>15.4. Changing Nameservers in VPN<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.nameserver">¶</a></span></h2></div></div></div><p>
If you need to change nameservers before or during your VPN session, use
<span class="command"><strong>netconfig</strong></span>.
</p><p>
Use the following procedure to change a nameserver:
</p><div class="procedure" title="Procedure 15.7. Changing Nameservers"><a name="pro.security.vpn.nameserver"></a><p class="title"><b>Procedure 15.7. Changing Nameservers</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#pro.security.vpn.nameserver">¶</a></span></p><ol class="procedure" type="1"><li><p>
Open a shell and log in as <code class="systemitem">root</code>.
</p></li><li><p>
Create the file <code class="filename">/etc/openvpn/client.up</code> with the
following contents:
</p><pre class="screen">#!/bin/bash
# Run by OpenVPN when the tunnel comes up; $1 is the tun device (e.g. tun0).
# Referenced from client.conf with:  up /etc/openvpn/client.up
# domain and dns must hold the search domain and the list of nameservers.
/sbin/netconfig modify -i "${1}" -s openvpn <<EOT
DNSSEARCH='${domain}'
DNSSERVERS='${dns[*]}'
EOT</pre></li><li><p>
Start your VPN connection with <span class="command"><strong>rcopenvpn
<code class="option">start</code></strong></span>.
</p></li><li><p>
Create the file <code class="filename">/etc/openvpn/client.down</code> with the
following contents:
</p><pre class="screen">#!/bin/bash
# Run by OpenVPN when the tunnel goes down; drops the openvpn resolver entries for $1.
/sbin/netconfig remove -i "${1}" -s openvpn</pre></li><li><p>
Run <span class="command"><strong>netconfig</strong></span>, replacing the
<code class="envar">DNSSEARCH</code> and <code class="envar">DNSSERVERS</code>
values with your own domain and nameserver:
</p><pre class="screen">netconfig modify -i tun0 -s openvpn <<EOT
DNSSEARCH='mt-home.net'
DNSSERVERS='192.168.1.116'
EOT</pre><p>
To check whether the entry has been inserted into
<code class="filename">/etc/resolv.conf</code>, execute:
</p><pre class="screen">grep -v ^# /etc/resolv.conf
search mt-home.net mat-home.net
nameserver ...
nameserver ...
nameserver 192.168.1.116</pre></li><li><p>
To remove the DNS entry, execute:
</p><pre class="screen">netconfig remove -i tun0 -s openvpn</pre></li></ol></div><p>
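As an added example (not code from this guide or from the OpenVPN project), the following <code class="filename">client.up</code> takes the search domain and nameservers from the <code class="literal">dhcp-option</code> values the server pushes instead of expecting <code class="envar">domain</code> and <code class="envar">dns</code> to be preset; OpenVPN exports each pushed option it does not handle itself as <code class="envar">foreign_option_N</code>. The <code class="envar">NETCONFIG</code> variable, the function names and the sample addresses are this example's own.
</p><pre class="screen">```shell
#!/bin/sh
# Added example, not from the SUSE guide or the OpenVPN project: a client.up
# that derives DNSSEARCH and DNSSERVERS from pushed dhcp-option values.
# OpenVPN exports each pushed option it does not handle itself as
#   foreign_option_N="dhcp-option DNS 10.8.0.1"   (constructed sample)
# Hook it into client.conf with:  up /etc/openvpn/client.up
# (OpenVPN 2.1 and later also need:  script-security 2)

NETCONFIG="${NETCONFIG:-/sbin/netconfig}"   # overridable for dry runs

# Print, space separated and in push order, the values of all pushed
# "dhcp-option <keyword> <value>" entries; keyword is DNS or DOMAIN.
pushed_dhcp_option() {
    keyword="$1"; n=1; values=""
    while :; do
        opt=$(eval "printf '%s' \"\${foreign_option_${n}:-}\"")
        [ -n "$opt" ] || break
        set -- $opt
        if [ "$1" = "dhcp-option" ] && [ "$2" = "$keyword" ]; then
            values="${values:+$values }$3"
        fi
        n=$((n + 1))
    done
    printf '%s\n' "$values"
}

# Build the stanza netconfig expects on stdin. Kept separate from the call
# so it can be inspected before anything touches /etc/resolv.conf.
netconfig_stanza() {
    printf "DNSSEARCH='%s'\nDNSSERVERS='%s'\n" \
        "$(pushed_dhcp_option DOMAIN)" "$(pushed_dhcp_option DNS)"
}

# Install the pushed resolver settings for device $1. When the server pushed
# no DNS server at all, leave /etc/resolv.conf untouched rather than
# registering an empty openvpn entry.
install_dns() {
    if [ -z "$(pushed_dhcp_option DNS)" ]; then
        return 0
    fi
    netconfig_stanza | "$NETCONFIG" modify -i "$1" -s openvpn
}

# OpenVPN passes the tun device name (e.g. tun0) as the first argument.
if [ -n "${1:-}" ]; then
    install_dns "$1"
fi
```</pre><p>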
Find another example in
<code class="filename">/usr/share/doc/packages/openvpn/contrib/pull-resolv-conf/</code>.
</p><p>
If you need to specify a ranking list of fallback services, use the
<code class="envar">NETCONFIG_DNS_RANKING</code> variable in
<code class="filename">/etc/sysconfig/network/config</code>. The default value is
<code class="literal">auto</code> which resolves to:
</p><pre class="screen">+strongswan +openswan +racoon +openvpn -avahi</pre><p>
Preferred service names have the <code class="literal">+</code> prefix, fallback
services the <code class="literal">-</code> prefix.
</p></div><div class="sect1" title="15.5. KDE- and GNOME Applets For Clients"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.vpn.tools-client"></a>15.5. KDE- and GNOME Applets For Clients<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.tools-client">¶</a></span></h2></div></div></div><p>
The following sections describe the setup of OpenVPN connections with
GNOME and KDE desktop tools.
</p><div class="sect2" title="15.5.1. KDE"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.vpn.config.kde"></a>15.5.1. KDE<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.config.kde">¶</a></span></h3></div></div></div><p>
To set up an OpenVPN connection in KDE4 that can be easily turned on or
off, proceed as follows:
</p><div class="procedure"><ol class="procedure" type="1"><li><p>
Make sure you have installed the
<code class="systemitem">NetworkManager-openvpn-kde4</code>
package with all dependencies resolved.
</p></li><li><p>
Right-click on a widget of your panel and select <span class="guimenu">Panel Options</span>+<span class="guimenu">Add Widgets...</span>.
</p></li><li><p>
Select <span class="guimenu">Networks</span>.
</p></li><li><p>
Right-click on the icon and choose <span class="guimenu">Manage
Connections</span>.
</p></li><li><p>
Add a new VPN connection with <span class="guimenu">Add</span>+<span class="guimenu">OpenVPN</span>. A new window opens.
</p></li><li><p>
Choose the <span class="guimenu">Connection Type</span> between <span class="guimenu">X.509
Certificates</span> or <span class="guimenu">X.509 With Password</span>
depending on what you have set up on your OpenVPN server.
</p></li><li><p>
Insert the necessary files into the respective text fields. From our
example configuration these are:
</p><div class="informaltable"><table border="1"><colgroup><col><col></colgroup><tbody><tr><td>
<p>
<span class="guimenu">CA file</span>
</p>
</td><td>
<p>
<code class="filename">/etc/openvpn/ssl/ca.crt</code>
</p>
</td></tr><tr><td>
<p>
<span class="guimenu">Certificate</span>
</p>
</td><td>
<p>
<code class="filename">/etc/openvpn/ssl/client1.crt</code>
</p>
</td></tr><tr><td>
<p>
<span class="guimenu">Key</span>
</p>
</td><td>
<p>
<code class="filename">/etc/openvpn/ssl/client1.key</code>
</p>
</td></tr><tr><td>
<p>
<span class="guimenu">Username</span>
</p>
</td><td>
<p>
The user
</p>
</td></tr><tr><td>
<p>
<span class="guimenu">Password</span>
</p>
</td><td>
<p>
The password for the user
</p>
</td></tr></tbody></table></div></li><li><p>
If you have not used the KDE Wallet System yet, you are asked whether you
want to configure it. Follow the steps in the wizard. After you have
finished this step, you are returned to the <span class="guimenu">Network
Settings</span> dialog.
</p></li><li><p>
Finish with <span class="guimenu">Ok</span>.
</p></li><li><p>
Enable the connection with your NetworkManager applet.
</p></li></ol></div></div><div class="sect2" title="15.5.2. GNOME"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.vpn.config.gnome"></a>15.5.2. GNOME<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.config.gnome">¶</a></span></h3></div></div></div><p>
To set up an OpenVPN connection in GNOME that can be easily turned on or
off, proceed as follows:
</p><div class="procedure"><ol class="procedure" type="1"><li><p>
Make sure you have installed the
<code class="systemitem">NetworkManager-openvpn-gnome</code>
package with all dependencies resolved.
</p></li><li><p>
Start the Network Connection Editor with <span class="keycap">Alt</span>+<span class="keycap">F2</span> and insert
<span class="command"><strong>nm-connection-editor</strong></span> into the text field. A new
window appears.
</p></li><li><p>
Select the <span class="guimenu">VPN</span> tab and click
<span class="guimenu">Add</span>.
</p></li><li><p>
Choose the VPN connection type, in this case
<span class="guimenu">OpenVPN</span>.
</p></li><li><p>
Choose the <span class="guimenu">Authentication</span> type. Select between
<span class="guimenu">Certificates (TLS)</span> or <span class="guimenu">Password with
Certificates (TLS)</span> depending on the setup of your OpenVPN
server.
</p></li><li><p>
Insert the necessary files into the respective text fields. According
to the example configuration, these are:
</p><div class="informaltable"><table border="1"><colgroup><col><col></colgroup><tbody><tr><td>
<p>
<span class="guimenu">Username</span>
</p>
</td><td>
<p>
The user (only available when you have selected <span class="guimenu">Password
with Certificates (TLS)</span>)
</p>
</td></tr><tr><td>
<p>
<span class="guimenu">Password</span>
</p>
</td><td>
<p>
The password for the user (only available when you have selected
<span class="guimenu">Password with Certificates (TLS)</span>)
</p>
</td></tr><tr><td>
<p>
<span class="guimenu">User Certificate</span>
</p>
</td><td>
<p>
<code class="filename">/etc/openvpn/ssl/client1.crt</code>
</p>
</td></tr><tr><td>
<p>
<span class="guimenu">CA Certificate</span>
</p>
</td><td>
<p>
<code class="filename">/etc/openvpn/ssl/ca.crt</code>
</p>
</td></tr><tr><td>
<p>
<span class="guimenu">Private Key</span>
</p>
</td><td>
<p>
<code class="filename">/etc/openvpn/ssl/client1.key</code>
</p>
</td></tr></tbody></table></div></li><li><p>
Finish with <span class="guimenu">Apply</span> and <span class="guimenu">Close</span>.
</p></li><li><p>
Enable the connection with your NetworkManager applet.
</p></li></ol></div></div></div><div class="sect1" title="15.6. For More Information"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.vpn.moreinfo"></a>15.6. For More Information<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.vpn.moreinfo">¶</a></span></h2></div></div></div><p>
For more information about VPN, visit:
</p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
<a class="ulink" href="http://www.openvpn.net" target="_top">http://www.openvpn.net</a>: Homepage of OpenVPN
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="filename">/usr/share/doc/packages/openvpn/sample-config-files/</code>:
Examples of configuration files for different scenarios
</p></li></ul></div></div></div></body></html>