Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
OpenVPN 2 Cookbook

You're reading from   OpenVPN 2 Cookbook Everything you need to know to master the intricacies of OpenVPN 2 is contained in this cookbook. Packed with recipes, tips, and tricks, it's the perfect companion for anybody wanting to build a secure virtual private network.

Arrow left icon
Product type Paperback
Published in Feb 2011
Publisher Packt
ISBN-13 9781849510103
Length 356 pages
Edition Edition
Tools
Concepts
Arrow right icon
Toc

Table of Contents (19) Chapters Close

OpenVPN 2 Cookbook
Credits
About the Author
About the Reviewers
www.PacktPub.com
Preface
1. Point-to-Point Networks FREE CHAPTER 2. Client-server IP-only Networks 3. Client-server Ethernet-style Networks 4. PKI, Certificates, and OpenSSL 5. Two-factor Authentication with PKCS#11 6. Scripting and Plugins 7. Troubleshooting OpenVPN: Configurations 8. Troubleshooting OpenVPN: Routing 9. Performance Tuning 10. OS Integration 11. Advanced Configuration 12. New Features of OpenVPN 2.1 and 2.2 Index

Complete site-to-site setup


In this recipe, we set up a complete site-to-site network, using most of the built-in security features that OpenVPN offers. It is intended as a "one-stop-shop" example of how to set up a point-to-point network.

Getting ready

We use the following network layout:

Install OpenVPN 2.0 or higher on two computers. Make sure that the computers are connected over a network. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1 and the client was running Fedora 13 Linux and OpenVPN 2.1.1. We'll use the secret.key file from the OpenVPN Secret keys recipe here.

Make sure routing (IP forwarding) is configured on both the server and client.

How to do it...

  1. Create the server configuration file:

    dev tun
    proto udp
    local  openvpnserver.example.com
    lport  1194
    remote openvpnclient.example.com
    rport  1194
    
    secret secret.key 0
    ifconfig 10.200.0.1 10.200.0.2
    route 192.168.4.0 255.255.255.0
    
    user  nobody
    group nobody
    persist-tun
    persist-key
    keepalive 10 60
    ping-timer-rem
    
    verb 3
    daemon
    log-append /tmp/openvpn.log

    Save it as example1-7-server.conf.

  2. On the client side, we create the configuration file:

    dev tun
    proto udp
    local  openvpnclient.example.com
    lport  1194
    remote openvpnserver.example.com
    rport  1194
    
    secret secret.key 1
    ifconfig 10.200.0.2 10.200.0.1
    route 172.31.32.0 255.255.255.0
    
    user  nobody
    group nobody
    persist-tun
    persist-key
    keepalive 10 60
    ping-timer-rem
    
    verb 3
    daemon
    log-append /tmp/openvpn.log

    Save it as example1-7-client.conf.

  3. We start the tunnel on both ends:

        [root@server]# openvpn --config example1-7-server.conf
    

    And:

        [root@client]# openvpn --config client.conf
    

    Now our site-to-site tunnel is established.

  4. Check the log files on both the client and server, to verify that the connection has been established.

    After the connection comes up, the machines on the LANs behind both end points can be reached over the OpenVPN tunnel.

  5. For example, when we ping a machine on the client-side LAN from the server, we see the following:

How it works...

The client and server configuration files are very similar:

  • The server listens only on one interface and one UDP port

  • The server accepts connections only from a single IP address and port

  • The client has these options mirrored

Here is the set of configuration options:

user  nobody
group nobody
persist-tun
persist-key
keepalive 10 60
ping-timer-rem

They are used to make the connection more robust and secure, as follows:

  • The OpenVPN process runs as user nobody, group nobody, after the initial connection is established. Even if somebody is able to take control of the OpenVPN process itself he would still only be user nobody and not root. Note that on some Linux distributions the group nogroup is used instead.

  • The persist-tun and persist-key options are used to ensure that the connection comes back up automatically if the underlying network is disrupted. These options are necessary when using user nobody and group nobody (or group nogroup).

  • The keepalive and ping-timer-rem options cause OpenVPN to send a periodic 'ping' message over the tunnel to ensure that both ends of the tunnel remain up and running.

There's more...

This point-to-point setup can also be used to evade restrictive firewalls. The data stream between the two endpoints is not recognizable and very hard to decipher. When OpenVPN is run in client/server (see Chapter 2, Multi-client TUN-style Networks), the traffic is recognizable as OpenVPN traffic due to the initial TLS handshake.

See also

  • Chapter 8, Troubleshooting OpenVPN: Routing Issues, in which the most common routing issues are explained.

You have been reading a chapter from
OpenVPN 2 Cookbook
Published in: Feb 2011
Publisher: Packt
ISBN-13: 9781849510103
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image