OpenVPN

http://openvpn.net/ http://openvpn.net/index.php/open-source/documentation/howto.html https://help.ubuntu.com/community/OpenVPN

Installing & Creating Keys


First, prep the openvpn build directory (the copy is given its final name here so that the cd that follows lands in it):

cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa

Change these lines at the end of vars to what you want:


export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

Note: You may need to adjust permissions on the build directory.

Next, run each of these commands in order to set up a new server.


source ./vars                          ## execute your new vars file
./clean-all                            ## set up the easy-rsa folder (deletes all keys)
./build-dh                             ## takes a while, consider backgrounding
./pkitool --initca                     ## creates ca cert and key
./pkitool --server server              ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key       ## build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../

For adding clients:


cd /etc/openvpn/easy-rsa/              ## move to the easy-rsa directory
source ./vars                          ## execute the vars file
./pkitool client                       ## create a cert and key named "client"

Note: in this example the client key/cert is named client; yours may be named differently. Copy ca.crt, client.key and client.crt to a folder on the client machine (you might need to put these files on a USB stick or SCP them).

Creating Config Files

Server

Default location is /etc/openvpn/server.conf.
Copy the server example from http://openvpn.net/index.php/opensource/documentation/howto.html#server
Leave UDP/TCP, port, etc. alone.
Change the route being pushed to the appropriate LOCAL subnet (e.g. if the server is on 192.168.X.X then set the route to that).

Client

Copy the client certs & keys to a folder on the workstation (in Windows, this is C:\Program Files\OpenVPN).
Copy the client config from: http://openvpn.net/index.php/opensource/documentation/howto.html#client
Set the remote IP/hostname and port.
Set the certs & keys paths appropriately.
Note: You can remove the entire client config and just leave the settings, as in:

client
dev tun
proto udp
remote example.domain.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\example\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\example\\client1.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\example\\client1.key"
verb 3

things to remember:
open up port 1194 on the router
create a routing table entry that redirects any paths to the VPN subnet to the VPN server (see attached)
when in doubt, check the woodshanti vpn client or server config
when building certs, make sure that the server cert info (location, server name, etc.) all matches the client cert info; the only important piece of information you must fill out is the hostname of the server
make sure that the OpenVPN service is running/working on reboot
if you've set a static IP, make sure to kill the DHCP client before finishing! (should go to Samba Server wiki)
in Windows, make sure that the CA, CRT, and KEY files are using an absolute path with DOUBLE backslashes (see example) between directories, within quotes

For Windows: http://openvpn.se/download.html
For OS X: http://code.google.com/p/tunnelblick
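The Windows path rule above (absolute path, double backslashes, within quotes) and the missing-port mistake are easy to get wrong by hand, so here is a small POSIX shell checker that applies those rules to a client config before it is copied to the workstation. This is an added example, not part of the original wiki page: the check_client_config and write_sample_configs function names, and the good.ovpn/bad.ovpn sample files it constructs, are assumptions made for the example. It assumes the config uses the ca/cert/key/remote directives exactly as in the page's sample (inline keys are out of scope).

```shell
#!/bin/sh
# Added example, not from the original wiki page: a sanity check for a Windows
# OpenVPN client config (ca/cert/key present, quoted, absolute, with doubled
# backslashes, plus a complete "remote <host> <port>" line).
# Assumption: directives appear as in the page's sample; inline keys are not handled.

# check_client_config FILE
# Prints one line per problem found; returns the problem count (0 = clean).
check_client_config() {
    cfg=$1
    problems=0

    # A remote line needs both a host and a numeric port.
    if ! grep -Eq '^[[:space:]]*remote[[:space:]]+[^[:space:]]+[[:space:]]+[0-9]+' "$cfg"; then
        printf '%s\n' "missing or incomplete 'remote <host> <port>' line"
        problems=$((problems + 1))
    fi

    for d in ca cert key; do
        line=$(grep -E "^[[:space:]]*$d[[:space:]]" "$cfg" | head -n 1)
        if [ -z "$line" ]; then
            printf '%s\n' "missing '$d' directive"
            problems=$((problems + 1))
            continue
        fi
        # Value = everything after the directive name, trailing blanks removed.
        val=$(printf '%s\n' "$line" | sed -E "s/^[[:space:]]*$d[[:space:]]+//; s/[[:space:]]+\$//")
        case $val in
            \"*\") ;;                       # enclosed in double quotes: good
            *) printf '%s\n' "$d: path is not enclosed in double quotes: $val"
               problems=$((problems + 1)) ;;
        esac
        path=$(printf '%s\n' "$val" | sed -E 's/^"//; s/"$//')
        case $path in
            [A-Za-z]:*) ;;                  # starts with a drive letter: absolute
            *) printf '%s\n' "$d: path is not absolute (no drive letter): $path"
               problems=$((problems + 1)) ;;
        esac
        # A backslash with a non-backslash on both sides was not doubled.
        if printf '%s\n' "$path" | grep -Eq '(^|[^\\])\\[^\\]'; then
            printf '%s\n' "$d: single backslash found, use \\\\ between directories: $path"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# write_sample_configs DIR: writes two constructed sample configs (not real deployments).
write_sample_configs() {
    # good.ovpn is the page's own Windows client config, correctly formed.
    cat > "$1/good.ovpn" <<'EOF'
client
dev tun
proto udp
remote example.domain.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\example\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\example\\client1.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\example\\client1.key"
verb 3
EOF
    # bad.ovpn has the classic mistakes: no port, an unquoted ca path with
    # single backslashes, a relative cert path, and no key directive at all.
    cat > "$1/bad.ovpn" <<'EOF'
client
dev tun
proto udp
remote example.domain.org
nobind
ca C:\Program Files\OpenVPN\easy-rsa\keys\example\ca.crt
cert "easy-rsa\\keys\\example\\client1.crt"
verb 3
EOF
}

# Demo run: check both samples from a scratch directory.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for f in good.ovpn bad.ovpn; do
    rc=0
    check_client_config "$demo_dir/$f" || rc=$?
    printf '%s: %d problem(s)\n' "$f" "$rc"   # good.ovpn: 0, bad.ovpn: 5
done
rm -rf "$demo_dir"
```

Run it against the real client config with check_client_config "path/to/client.ovpn"; a non-zero return value means at least one of the rules from the list above is violated, and each printed line names the offending directive.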
