HOWTO setup a small server
OpenVPN (Virtual Private Network)
Installation
Prerequisite: OpenSSL. Both the server and client configuration require an
existing public key infrastructure: a CA certificate, one certificate and
private key per machine, and optionally a certificate revocation list (CRL).
See the sections titled "cryptographic options" in the snippets of the
configuration files below to know which certificates and keys are required on
the server and client, respectively.
The installation of OpenVPN is done with:
# apt-get install openvpn
# mkdir /etc/openvpn/jail
Server Configuration
Afterwards two more files must be generated: the Diffie-Hellman parameters
used by the server, and the shared key for tls-auth, which authenticates the
TLS control channel with an HMAC and must be identical on the server and on
every client (treat it like a private key when copying it to the clients):
# cd /root/certs
# openssl dhparam -out dh2048.pem 2048
# openvpn --genkey --secret ta.key
# cp dh2048.pem ta.key /etc/openvpn
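Building such a PKI with openssl alone, as an added example that is not part of this HOWTO: it creates a CA, a server certificate whose keyUsage/extendedKeyUsage satisfy the remote-cert-tls server check used in the client configuration below, a client certificate, and a CRL for crl-verify. The names vpn-ca, vpn-server and alice, the validity periods and the layout of the output directory are assumptions made for this example; copy the resulting files to the paths referenced in the configuration files (the CRL into /etc/openvpn/jail), and keep the CA key off the VPN server.

```sh
#!/bin/sh
# Minimal OpenVPN PKI built with openssl only (example added to this HOWTO,
# not part of the original page).  Names, validity periods and directory
# layout are assumptions.
set -eu

# issue_cert DIR server|client NAME: key + CSR + certificate signed by the CA,
# with the extension section matching the kind of certificate.
issue_cert() {
    dir=$1; kind=$2; name=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -config "$dir/pki.cnf" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -sha256 -days 825 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions "ext_$kind" -out "$dir/$name.crt" 2>/dev/null
}

# make_pki DIR: CA plus one server and one client certificate.
make_pki() {
    mkdir -p "$1"
    pkidir=$(cd "$1" && pwd)       # openssl ca wants absolute paths
    # One config: req needs a DN section, "openssl ca" needs the CA section
    # for revocation/CRL, and the ext_* sections restrict each certificate
    # to its purpose (this is what remote-cert-tls server relies on).
    cat > "$pkidir/pki.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]

[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
database = $pkidir/index.txt
serial = $pkidir/serial
crlnumber = $pkidir/crlnumber
new_certs_dir = $pkidir
certificate = $pkidir/ca.crt
private_key = $pkidir/ca.key
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied

[ ext_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ext_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ ext_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    : > "$pkidir/index.txt"
    echo 01 > "$pkidir/serial"
    echo 01 > "$pkidir/crlnumber"
    # self-signed CA, 10 years
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=vpn-ca" -config "$pkidir/pki.cnf" -extensions ext_ca \
        -keyout "$pkidir/ca.key" -out "$pkidir/ca.crt" 2>/dev/null
    issue_cert "$pkidir" server vpn-server
    issue_cert "$pkidir" client alice
}

# cert_purpose CERT: "server", "client" or "none", read from the EKU line
# of openssl x509 -text.
cert_purpose() {
    case $(openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' || true) in
        *"TLS Web Server Authentication"*) echo server ;;
        *"TLS Web Client Authentication"*) echo client ;;
        *) echo none ;;
    esac
}

# verify_purpose DIR CERT sslserver|sslclient: chain + purpose check as a
# peer does it; a client certificate presented as a server must fail.
verify_purpose() {
    openssl verify -purpose "$3" -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

# revoke DIR CERT: revoke the certificate and regenerate crl.pem.
revoke() {
    openssl ca -config "$1/pki.cnf" -revoke "$1/$2" >/dev/null 2>&1
    openssl ca -config "$1/pki.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}

# crl_ok DIR CERT: chain check that also consults the CRL.
crl_ok() {
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$1/$2" >/dev/null 2>&1
}

if [ $# -gt 0 ]; then
    make_pki "$1"
    echo "server cert: $(cert_purpose "$1/vpn-server.crt"), client cert: $(cert_purpose "$1/alice.crt")"
fi
```

Run as "sh make-pki.sh /root/certs". The purpose checks mirror what the peers do at connect time: the client certificate verified as sslserver fails, which is exactly the impersonation that remote-cert-tls server prevents. A revoked certificate is only rejected once the CRL is consulted, so whenever the CRL is regenerated it has to be copied into the jail again.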
The configuration of the server could look like this (see
/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
for details):
File: /etc/openvpn/server.conf
# OpenVPN server configuration
# (lines beginning with `#' or `;' are comments)

# IP address, port, and protocol to bind
local 223.1.2.1
port 1194
proto udp
dev tun

# cryptographic options (key, certificates, HMAC, cipher)
ca /etc/ssl/certs/ca.crt
cert /etc/ssl/certs/server.crt
key /etc/ssl/private/server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC

# networking options for VPN (IP range, routes, if any)
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# push route(s)
;push "route 223.1.2.0 255.255.255.0"
# OpenVPN server as default gateway (read OpenVPN HOWTO!)
;push "redirect-gateway def1"

# miscellaneous options
keepalive 5 60
comp-lzo
status /var/log/openvpn-status.log
verb 3

# hardening: run as nobody in chroot jail etc.
# (directory /etc/openvpn/jail must exist)
user nobody
group nogroup
persist-key
persist-tun
chroot jail

# CRL, if any (must be located in /etc/openvpn/jail)
;crl-verify crl.pem
Two remarks for current OpenVPN releases: comp-lzo enables compression, which
OpenVPN no longer recommends, because compressing attacker-controlled data
together with secrets lets an attacker recover those secrets from the
ciphertext length (the VORACLE attack); leave it out unless you need it, and
if you keep it, use the same setting on both sides. AES-256-CBC is still
accepted, but OpenVPN 2.4 and later negotiate an AEAD cipher (AES-256-GCM by
default) between peers that support it, so the cipher line then only matters
for older clients.
Now you can start the VPN daemon:
# /etc/init.d/openvpn restart
Caveat: Chroot Jail and Syslog
If the option chroot is used to run OpenVPN inside a chroot jail
(recommended!), it will no longer be able to log via syslog once the syslog
daemon has been restarted. The syslog daemon recreates its socket /dev/log on
every restart, and the new socket lies outside the jail, so the chrooted
OpenVPN process cannot reconnect to it. A restart of the syslog daemon happens
in particular after each rotation of its log files (e.g., once a day).
The problem can be circumvented by having the syslog daemon create an
additional socket inside the chroot jail.
Firstly, create a dev directory inside the jail:
# mkdir /etc/openvpn/jail/dev
Secondly, configure the syslog daemon to create an additional socket.
Currently, the default syslog daemon is provided by the rsyslog package. Add
the following line to its configuration file after the line beginning with
$ModLoad imuxsock:
Excerpt: /etc/rsyslog.conf
$AddUnixListenSocket /etc/openvpn/jail/dev/log
Then, restart the syslog daemon; afterwards /etc/openvpn/jail/dev/log must
exist as a socket, and log lines from OpenVPN must keep arriving after the
next log rotation:
# /etc/init.d/rsyslog restart
If you use another syslog daemon like sysklogd (the previous default), you
might have to specify the additional socket as a command line argument of the
daemon. This is done in
Excerpt: /etc/default/syslogd
SYSLOGD="-a /etc/openvpn/jail/dev/log"
and, finally, restarting the syslog daemon:
# /etc/init.d/sysklogd restart
Client Configuration
The configuration of the clients could look like this (see
/usr/share/doc/openvpn/examples/sample-config-files/client.conf.gz
for details). Note that ns-cert-type only checks the old Netscape certificate
type extension; it is deprecated since OpenVPN 2.4 and no longer available in
2.5, so with a current OpenVPN and server certificates carrying keyUsage and
extendedKeyUsage, use remote-cert-tls server alone:
File: /etc/openvpn/client.conf
# OpenVPN client configuration
# (lines beginning with `#' or `;' are comments)

# IP address, port, and protocol to bind
client
remote 223.1.2.1 1194
proto udp
dev tun
resolv-retry infinite
nobind

# cryptographic options (key, certificates, HMAC, cipher)
ca /etc/ssl/certs/ca.crt
cert /etc/ssl/certs/client.crt
key /etc/ssl/private/client.key
tls-auth ta.key 1
cipher AES-256-CBC
ns-cert-type server
# the next one only for OpenVPN >= 2.1 and server certificates having
# the keyUsage and extendedKeyUsage attributes set accordingly:
remote-cert-tls server
auth-nocache

# miscellaneous options
comp-lzo

# hardening: run as nobody in chroot jail etc.
# (directory /etc/openvpn/jail must exist)
# NOTE: NOT FOR WINDOWS CLIENTS!
user nobody
group nogroup
persist-key
persist-tun
chroot jail

# CRL, if any (must be located in /etc/openvpn/jail)
;crl-verify crl.pem
For the rare case that a connection has to be established from a certain
local port, you will have to replace nobind in the above example by:
Excerpt: /etc/openvpn/client.conf
port 5678
bind
Now you can start the VPN daemon:
# /etc/init.d/openvpn restart
Note: The caveat concerning chroot jail and syslog, of course, also applies to the client.
Networking Requirements (Server)
Note: Be sure to also permit access to any services from the VPN in their
configurations. E.g., the Apache2 configuration above does not permit access
from the 10.8.0.0/24 network, etc.
Prerequisite: Shorewall. You must, of course, add the new TUN interface (tun0)
to the packet filter and permit access to the OpenVPN server from the net. Be
careful, as the order of the entries in some of the configuration files is
significant:
Excerpt: /etc/shorewall/interfaces
vpn tun0 detect tcpflags,logmartians,nosmurfs
Excerpt: /etc/shorewall/zones
vpn ipv4
Excerpt: /etc/shorewall/policy
$FW vpn ACCEPT
Excerpt: /etc/shorewall/rules
# OpenVPN
#
ACCEPT net $FW udp 1194
ACCEPT vpn $FW ... ...
ACCEPT vpn net ... ...
#
If packets from the VPN are to be forwarded to the network of the server, you will have to enable IP forwarding:
Excerpt: /etc/shorewall/shorewall.conf
IP_FORWARDING=On
Finally, restart shorewall:
# shorewall restart