openvpn and a Windows client

This is quite an easy one, even for a newbie. Here we will show the quickest way to create an openVPN tunnel between your safe home Linux/BSD router and your Windows client. Very useful for mobile computers, which do not always sit on the same trusted network. Mind that this only shows you the quickest way to connect your Windows machine to your newly installed VPN. For detailed documentation, you should check openVPN’s official site.

NOTE: make sure the clock and timezone on your linuxbox are set correctly, or you will end up with certificates which have already expired or only become valid in a week :)

Prerequisites:

1. a linuxbox with a static IP address or domain name

2. root access to it

3. administrator access to the Windows computer

STEP 1: installing and starting openVPN

First, you need to have Universal TUN/TAP device driver support compiled into your kernel or loaded as a module. All kernels I have tested since 2.6.14 have it built as a module. Just to make sure the module is loaded:

~ # modprobe tun

Now let’s install the openVPN package:

emerge -av openvpn #Gentoo

apt-get install openvpn #Debian based distros

Depending on your hardware, this may take between 2 and 10 minutes. Now let’s generate a new set of certificates for our encrypted tunnel. Open the easy-rsa variables file:

vi /usr/share/openvpn/easy-rsa/vars

At the bottom of the file, fill in your own values for:

export KEY_COUNTRY=""
export KEY_PROVINCE=""
export KEY_CITY=""
export KEY_ORG=""
export KEY_EMAIL=""

This will save you some typing when we generate the certificates. Next, load the file into your shell so the scripts can see these values:

source /usr/share/openvpn/easy-rsa/vars

and clear up any generic keys and certs:

/usr/share/openvpn/easy-rsa/clean-all

All preparation is done. Let’s generate some encrypted data now :) First we need our CA cert:

/usr/share/openvpn/easy-rsa/build-ca

This uses openssl to generate an RSA key pair and the self-signed CA certificate. Most of the data will be preset, since we were smart and filled it in earlier :)

NOTE: All prompted parameters must be filled in. Skipping one or leaving it blank may mean going through these steps again.

We proceed with generating the keys and certs for our server and client:

/usr/share/openvpn/easy-rsa/build-key-server server

/usr/share/openvpn/easy-rsa/build-key client

The server key generator will ask you a couple of [y/n] questions:

"Sign the certificate? [y/n]"
"1 out of 1 certificate requests certified, commit? [y/n]"

Of course, both need a yes answer, or the generator will either abort or give you an unsigned cert, which is practically useless. Finally, the Diffie-Hellman parameters:

/usr/share/openvpn/easy-rsa/build-dh

This generates 1024-bit parameters, so it will really take some time. Once this is complete, we are done generating; we now only need to configure our server. But before that it is a good idea to back up all the keys and certs. Each time a new set is created, the previous one is removed from the folder where the scripts store them:

/usr/share/openvpn/easy-rsa/keys/

So a quick backup is always a good idea:

mkdir /root/vpnkeys

cp -p /usr/share/openvpn/easy-rsa/keys/* /root/vpnkeys/ #copy rather than move: the next step copies from keys/ again

From this point, you can also archive them and store a copy on a remote machine. A little extra security is always good.
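Before backing the set up (and before copying it into /etc/openvpn), it is worth checking that the scripts produced a consistent set: that both certs were really signed by the CA (the "Sign the certificate?" prompt), that each key belongs to its cert, that nothing is already expired or not yet valid (the clock NOTE at the top), and that the private keys are not readable by other users. The script below is an added example, not code from the original post or from easy-rsa; it assumes the file names the scripts produce for the names "server" and "client" used above (ca.crt, server.crt, server.key, client.crt, client.key, dh1024.pem) and uses only the openssl CLI that easy-rsa itself wraps. make_demo_keys builds a constructed throwaway set with plain openssl so the audit can be tried without easy-rsa.

```shell
#!/bin/sh
# Added example, not code from the original post or from easy-rsa: audit the
# key set that build-ca / build-key-server / build-key / build-dh leave in the
# keys/ folder before it is backed up or copied to /etc/openvpn.
set -u

# audit_keys DIR -> prints one line per finding; returns 0 only if all checks pass
audit_keys() {
    dir=$1
    rc=0
    for f in ca.crt server.crt server.key client.crt client.key dh1024.pem; do
        [ -f "$dir/$f" ] || { echo "MISSING     $f"; rc=1; }
    done
    [ $rc -eq 0 ] || return 1
    for name in server client; do
        # 1. the leaf cert must chain to our CA. This is what answering "y" to
        #    "Sign the certificate?" produced; verify also fails with "not yet
        #    valid" when the clock was wrong at generation time.
        if ! openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1; then
            echo "BADCHAIN    $name.crt does not verify against ca.crt"; rc=1
        fi
        # 2. the private key must belong to the cert: compare the public keys
        certpub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey | openssl dgst -sha256)
        keypub=$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null | openssl dgst -sha256)
        [ "$certpub" = "$keypub" ] || { echo "KEYMISMATCH $name.key does not match $name.crt"; rc=1; }
        # 3. the cert must still be valid in 7 days (604800 s)
        openssl x509 -in "$dir/$name.crt" -noout -checkend 604800 >/dev/null \
            || { echo "EXPIRING    $name.crt is valid for less than 7 days"; rc=1; }
        # 4. the private key must not be readable by group or others (chmod 600)
        perms=$(ls -l "$dir/$name.key" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "LOOSEPERM   $name.key is group/world readable"; rc=1; }
    done
    return $rc
}

# make_demo_keys DIR -> constructed throwaway CA, server and client files that
# mirror what the easy-rsa scripts produce, so the audit can be tried offline
make_demo_keys() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 3650 -out "$dir/$name.crt" 2>/dev/null
    done
    # -dsaparam makes parameter generation fast enough for a demo; build-dh
    # uses the slow default, which is what you want for the real tunnel
    openssl dhparam -dsaparam -out "$dir/dh1024.pem" 1024 2>/dev/null
    chmod 600 "$dir"/*.key
}

# usage: sh audit-keys.sh --demo   (or call audit_keys /usr/share/openvpn/easy-rsa/keys)
if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_demo_keys "$d"
    audit_keys "$d" && echo "all checks passed"
    rm -rf "$d"
fi
```

Run audit_keys against the keys/ folder after build-dh finishes; empty output and exit status 0 means the set is good to back up, and each printed line names the file and the check it failed.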

Let’s proceed with configuring. First, create an openvpn folder and copy the keys there:

mkdir /etc/openvpn/vpn-name-here

cp -f /usr/share/openvpn/easy-rsa/keys/* /etc/openvpn/vpn-name-here

chmod all these folders to 700, just in case:

chmod 700 /root/vpnkeys
chmod 700 /etc/openvpn/vpn-name-here

Now we need to create a configuration file for openVPN and fill it in:

touch /etc/openvpn/openvpn.conf

vi /etc/openvpn/openvpn.conf

Here is a basic configuration file, which is safe to use:

port 1194
proto udp
dev tun
ca vpn-name-here/ca.crt
cert vpn-name-here/server.crt
key vpn-name-here/server.key
dh vpn-name-here/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

I left the default openVPN port 1194, but for convenience or security the port can be changed at any time. The network range and netmask can also be changed to suit your current setup. Write the config and start the openVPN daemon:

/etc/init.d/openvpn start

STEP 2: configuring our Windows client

To start with, we need a GUI which will set up our tunnel device and connect. The openVPN client from here:

http://openvpn.se/download.html

is quite nice and simple. The installation has no tricks to surprise you with, so use the default settings. Once it is installed, we need to set it up. This is the easiest part :). All you need is to copy the key and certificate for the client, which we generated earlier:

client.crt

client.key

ca.crt

A simple copy/paste will do the job, but to avoid any extra spaces (which can spoil our cert), and of course for security, I recommend WinSCP to copy them, or your local Samba file server. If you used the default settings when the client was installed, the certs and key should go to:

C:\Program Files\OpenVPN\config

Then we need to create a configuration file for the client side. Again, nothing tricky that can’t be found in the official openVPN docs in this step. Just create a client.ovpn file in the same folder as your certs and key, and use this basic config:

client
dev tun
proto udp

remote host-of-linux-box #add the port number at the end if you are not using the default one (1194)
resolv-retry infinite
nobind

persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key

comp-lzo
verb 3
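The server config in STEP 1 and the client.ovpn just shown have to agree on port, proto, dev and comp-lzo, and the server's ca/cert/key/dh paths are resolved relative to the config folder, so a typo in the folder name only shows up when the daemon refuses to start. The checker below is an added example, not code from the original post or from OpenVPN. write_demo_pair writes constructed copies of the two configs from this post (with the placeholder names vpn-name-here and host-of-linux-box) plus empty placeholder cert files, so it runs offline; on a real box point check_pair at /etc/openvpn/openvpn.conf and a copy of the client.ovpn.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenVPN: cross-check the
# server's openvpn.conf against the client.ovpn that is meant to connect to it,
# using POSIX sh, sed and awk only.
set -u

# cfg_val FILE KEY N -> field N of the first line that starts with KEY, with
# whole-line and trailing "#"/";" comments stripped (a convention of this
# checker; keep comments on their own line in real configs if in doubt)
cfg_val() {
    sed -e 's/^[[:space:]]*[#;].*//' -e 's/[[:space:]][#;].*//' "$1" \
        | awk -v k="$2" -v n="$3" '$1 == k { print $n; exit }'
}

# check_pair SERVER_CONF CLIENT_OVPN -> 0 if the two agree, 1 with findings otherwise
check_pair() {
    srv=$1; cli=$2; rc=0
    # port: server "port N" (default 1194) vs client "remote host [port]" (default 1194)
    sport=$(cfg_val "$srv" port 2);   [ -n "$sport" ] || sport=1194
    cport=$(cfg_val "$cli" remote 3); [ -n "$cport" ] || cport=1194
    [ "$sport" = "$cport" ] || { echo "MISMATCH port: server $sport, client $cport"; rc=1; }
    # proto and dev must be identical on both ends
    for key in proto dev; do
        s=$(cfg_val "$srv" "$key" 2); c=$(cfg_val "$cli" "$key" 2)
        [ "$s" = "$c" ] || { echo "MISMATCH $key: server '$s', client '$c'"; rc=1; }
    done
    # comp-lzo has to be enabled on both sides or on neither
    s=$(cfg_val "$srv" comp-lzo 1); c=$(cfg_val "$cli" comp-lzo 1)
    [ "$s" = "$c" ] || { echo "MISMATCH comp-lzo: set on one side only"; rc=1; }
    # every file the server references is relative to the config's directory
    base=$(dirname "$srv")
    for key in ca cert key dh; do
        f=$(cfg_val "$srv" "$key" 2)
        if [ -z "$f" ]; then echo "MISSING server directive $key"; rc=1
        elif [ ! -f "$base/$f" ]; then echo "MISSING $base/$f (server $key)"; rc=1
        fi
    done
    # the client needs its CA cert, or it cannot check who it is talking to
    [ -n "$(cfg_val "$cli" ca 2)" ] || { echo "MISSING client ca directive"; rc=1; }
    return $rc
}

# write_demo_pair DIR -> constructed copies of the two configs from the post,
# plus empty placeholder cert/key files, so check_pair can be tried offline
write_demo_pair() {
    dir=$1
    mkdir -p "$dir/vpn-name-here"
    for f in ca.crt server.crt server.key dh1024.pem; do : > "$dir/vpn-name-here/$f"; done
    cat > "$dir/openvpn.conf" <<'EOF'
port 1194
proto udp
dev tun
ca vpn-name-here/ca.crt
cert vpn-name-here/server.crt
key vpn-name-here/server.key
dh vpn-name-here/dh1024.pem
server 10.8.0.0 255.255.255.0
comp-lzo
EOF
    cat > "$dir/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote host-of-linux-box 1194 # constructed trailing comment, ignored by cfg_val
ca ca.crt
cert client.crt
key client.key
comp-lzo
EOF
}

# usage: sh check-pair.sh /etc/openvpn/openvpn.conf /path/to/client.ovpn
if [ $# -eq 2 ]; then
    check_pair "$1" "$2" && echo "server and client configs agree"
fi
```

If you move the server to another port, re-run the checker after editing the client's remote line; it reports the mismatch instead of letting the Windows client sit on "Connecting" until the keepalive gives up.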


Now look down at your tray; the openVPN GUI tool should have appeared there. Right-click on it and select “Change Password”. Leave the old password blank and fill in the password which you used when generating your keys. Save the configuration. Now you are ready to connect :) Easy, eh?



2 Responses to “openvpn and a Windows client”

  1. Carl-Erik says:

    There isn’t actually anything in the samba guide concerning vpn certificates, so I have no idea what to do with them. Maybe you should add an addendum to the SAMBA guide, or make a new SMB guide – this time with VPN certificates.

    You should also take some time explaining the server directive. Does the vpn users now get addresses in the 10.0… range, or is there another way to specify this? In the other guide you use the 192.168.* local range, so this guide is not consistent with the other. If I understand correctly (that VPN users get private class A (10.0….) addresses), then you should state that the smb.conf also should reflect this and also allow users on the tun0 interface as well as the 10.0… range.

  2. Stan says:

    Actually, the Samba should be used for copying the certificates only. Let’s say you have a folder /home/docs/, which you use with your samba. Copy the client.key, client.crt and ca.crt files to this directory:

    cp /etc/openvpn/vpn-name-here/ca.crt /home/docs/

    then do not forget to chmod it:

    chmod 777 /home/docs/ca.crt

    Do this for all 3 files.

    Then open your file server from your Windows computer with windows Explorer:

    \\samba-hostname\docs

    and copy the files to the appropriate Windows folder.

    As for the interface addresses — yes, I have created a new private network just to keep my ifconfig tidy :) The 192.168.0.0 network is on your physical adapters (eth0 or 1), while the VPN creates a new virtual device, which has the 10.8.0.0 address. When your Windows machine connects to your VPN, both will be in a virtual network with 10.8.0.0 range. As I said, this is just to keep my ifconfig tidy and easy to read. You can use any private subnet here (like 172.0.0.0 for example). Both configurations do not interfere in any way.
