When I'm using my laptop at a public Wi-Fi hotspot, I sometimes get a little paranoid. To ameliorate this feeling, I use a secure VPN when out and about.
I've traditionally used SSH for this, and in fact I have a whole howto on the subject. But Gnome has recently made Network Manager pretty slick with its new OpenVPN plugin. Now, with a few clicks on my Network Manager icon, I can quickly encrypt all of my network traffic. With a few more clicks, I can turn it back off just as quickly.
Configure OpenVPN on the server
I run OpenVPN on a virtual host, so these instructions are specific to Ubuntu Gutsy Gibbon on an OpenVZ installation. However, it's pretty much the same if you're running this on a real server.
Install some packages:
sudo apt-get install openvpn dnsmasq openssl
Building OpenVPN keys
Copy over the openVPN key generation tools:
cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd easy-rsa
source ./vars
./clean-all
Building the certificate authority:
Just use the Enter key to accept the default values; they don't much matter. However, use your domain name (e.g. enigmacurry.com for me) when it asks for "Common Name".
root@enigmacurry:/etc/openvpn/easy-rsa# ./build-ca
Generating a 1024 bit RSA private key
..........++++++
..........................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:enigmacurry.com
Email Address [me@myhost.mydomain]:
root@enigmacurry:/etc/openvpn/easy-rsa#
Build the server key:
Again, use the default values, use your domain name for "Common Name", don't enter a challenge password, and say yes to the last two questions.
root@enigmacurry:/etc/openvpn/easy-rsa# ./build-key-server server
Generating a 1024 bit RSA private key
...++++++
..................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:enigmacurry.com
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'KG'
stateOrProvinceName   :PRINTABLE:'NA'
localityName          :PRINTABLE:'BISHKEK'
organizationName      :PRINTABLE:'OpenVPN-TEST'
commonName            :PRINTABLE:'enigmacurry.com'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jan 30 20:42:11 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the "DH Parameters":
Sit back and relax for this one:
./build-dh
Finally, build your client key (my client is called insurgent; use your own name here. Repeat this step for each client you need):
root@enigmacurry:/etc/openvpn/easy-rsa# ./build-key insurgent
Generating a 1024 bit RSA private key
...........................++++++
....++++++
writing new private key to 'insurgent.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:enigmacurry.com
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'KG'
stateOrProvinceName   :PRINTABLE:'NA'
localityName          :PRINTABLE:'BISHKEK'
organizationName      :PRINTABLE:'OpenVPN-TEST'
commonName            :PRINTABLE:'enigmacurry.com'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jan 30 20:49:32 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Copy these files to /etc/openvpn:
- ca.crt
- server.crt
- server.key
- dh1024.pem
Copy three files to somewhere on your client machine:
- ca.crt
- insurgent.crt (or whatever you called it)
- insurgent.key (or whatever you called it)
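Before copying anything, it is worth checking that easy-rsa produced a consistent set of files. The script below is an added example, not part of the original howto: it assumes the easy-rsa keys directory (/etc/openvpn/easy-rsa/keys), the file names used above, and the openssl binary installed by the apt-get step; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original howto: sanity-check the files easy-rsa
# wrote before copying them to the server and client. Assumes the easy-rsa keys
# directory (/etc/openvpn/easy-rsa/keys) and the names used above: ca.crt,
# server.crt/server.key and <client>.crt/<client>.key.
# Usage: check_vpn_pki /etc/openvpn/easy-rsa/keys insurgent

# RSA modulus of a certificate or a private key, used to pair them up.
cert_modulus() { openssl x509 -noout -modulus -in "$1" 2>/dev/null; }
key_modulus()  { openssl rsa  -noout -modulus -in "$1" 2>/dev/null; }

# The "Netscape Cert Type" value of a certificate (empty if the extension is absent).
ns_cert_type() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -A1 'Netscape Cert Type' | tail -n 1
}

# True unless the private key file is readable by group or others.
key_is_private() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# One cert/key pair: chains to ca.crt, key matches the cert, key mode is tight.
check_pair() {
    dir=$1; name=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 \
        || { echo "FAIL: $name.crt does not chain to ca.crt"; return 1; }
    mod=$(cert_modulus "$dir/$name.crt")
    [ -n "$mod" ] && [ "$mod" = "$(key_modulus "$dir/$name.key")" ] \
        || { echo "FAIL: $name.key does not match $name.crt"; return 1; }
    key_is_private "$dir/$name.key" \
        || { echo "FAIL: $name.key is readable by group or others"; return 1; }
    echo "ok: $name.crt / $name.key"
}

# Whole set. build-key-server marks server.crt with nsCertType=server; a client
# running with "ns-cert-type server" relies on that mark to reject any other cert
# signed by this CA that is presented as the server, so only server.crt may carry it.
check_vpn_pki() {
    dir=$1; client=$2
    check_pair "$dir" server || return 1
    check_pair "$dir" "$client" || return 1
    case "$(ns_cert_type "$dir/server.crt")" in
        *"SSL Server"*) ;;
        *) echo "FAIL: server.crt is not marked nsCertType=server"; return 1 ;;
    esac
    case "$(ns_cert_type "$dir/$client.crt")" in
        *"SSL Server"*) echo "FAIL: $client.crt is marked as a server certificate"; return 1 ;;
    esac
    echo "PKI in $dir is consistent"
}
```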
Configure OpenVPN
Edit /etc/default/openvpn and delete whatever is there. Make it look like this, but use your own client name instead of insurgent:
AUTOSTART="insurgent"
Create a new file /etc/openvpn/insurgent.conf (use your client name instead):
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
You can now start up openVPN:
/etc/init.d/openvpn start
Set up the firewall
I assume you're already running a firewall. This isn't a firewall guide, so go read something else for that.
I've set up three new rules in my firewall for the following purposes:
- To allow outside connections into the VPN
- To allow all access from tunneled connections
- To masquerade traffic so that I can use the internet through the VPN
These are my rules (the POSTROUTING rule belongs in the nat table, the other two in the filter table):
#Allow VPN connections:
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
#Allow any tunneled connection:
-A INPUT -i tun0 -j ACCEPT
#SNAT any tunneled connection, XXX is your server's external IP:
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -j SNAT --to-source XXX.XXX.XXX.XXX
Traditionally, you would just use the MASQUERADE target instead of SNAT. However, OpenVZ doesn't support MASQUERADE.
If you're on a regular server you could do this instead of SNAT:
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Configuring the client
The server was the hard part, this is the cool part.
Install the openvpn network manager plugin:
sudo apt-get install network-manager-openvpn
This will restart your Network Manager daemon.
Left click the Network Manager applet and select VPN Connections -> Configure VPN.
- Click Add.
- Click Forward.
- Choose "OpenVPN client".
- Create a name for the connection.
- Enter your domain name as the gateway.
- Load the ca.crt file as the "CA File".
- Load insurgent.crt as the "Certificate".
- Load insurgent.key as the "Key".
- Click on the Optional tab and select "LZO compression" (the server config above has comp-lzo, and both sides must agree).
- Click Forward.
- Click Apply.
Now you can connect by choosing the VPN connection just created.