OpenVPN on Ubuntu 14.04
Installation
install the server and the key generation tool
sudo apt-get install openvpn easy-rsa
make a separate directory for the keys etc.
mkdir /etc/openvpn/easy-rsa
copy the key tools to the easy-rsa directory
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa
modify the variables, an example is below
export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL="steve@example.com"
export KEY_CN=MyVPN
export KEY_NAME=MyVPN
export KEY_OU=MyVPN
change the values in the vars file
nano /etc/openvpn/easy-rsa/vars
change to the easy-rsa directory
cd /etc/openvpn/easy-rsa
run the following to load all the variables you set up earlier into the current shell
source vars
run the clean-up tool/script
./clean-all
build the certificate authority
./build-ca
build the server key, change the server name (dc01) to yours
./build-key-server dc01
build the Diffie-Hellman parameters file
./build-dh
Server Configuration
copy the gzipped sample server configuration to the openvpn directory
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
decompress the configuration file
gzip -d /etc/openvpn/server.conf.gz
edit the configuration file
nano /etc/openvpn/server.conf
make sure the following are pointing to your keys
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/dc01.crt
key easy-rsa/keys/dc01.key
dh easy-rsa/keys/dh2048.pem
make the log directory
mkdir -p /var/log/openvpn
relocate the status and append logs
sed -i 's,status openvpn-status.log,status /var/log/openvpn/openvpn-status.log,g' /etc/openvpn/server.conf
sed -i 's,;log-append openvpn.log,log-append /var/log/openvpn/openvpn.log,g' /etc/openvpn/server.conf
enable IPv4 forwarding for LAN access if needed. Please note that if you enable IPv4 forwarding then you need to push the route for your subnet as well, otherwise what is the point? Writing to /proc does not survive a reboot; set net.ipv4.ip_forward=1 in /etc/sysctl.conf to make it permanent.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 'push "route 192.168.0.0 255.255.255.0"' >> /etc/openvpn/server.conf
start the server
service openvpn start
check that the tunnel interface came up
ifconfig tun0
ping the VPN server's tunnel address
ping -c4 10.8.0.1
Authentication Modules
let's make a separate directory for all plugins; any module configuration will go there. It's not required, but it keeps things neat
mkdir -p /etc/openvpn/plugin
1. Certificate
generate the client certificate and key
cd /etc/openvpn/easy-rsa/
source vars
./build-key client
Client Setup (Windows)
copy ca.crt, client.crt and client.key
from /etc/openvpn/easy-rsa/keys
to c:\Program Files\OpenVPN\config
create the client configuration c:\Program Files\OpenVPN\config\client.ovpn
with following contents
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote servername
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
comp-lzo yes
verb 3
ca ca.crt
cert client.crt ; This certificate is needed for authentication
key client.key ; This key is needed for authentication
; Set the name of the Windows TAP network interface device here
dev-node VPN
2. Pluggable Authentication Modules (PAM)
append following to /etc/openvpn/server.conf
# user authentication
client-cert-not-required
# pam authentication
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
now create the openvpn profile in the pam.d directory
nano /etc/pam.d/openvpn
paste the following in /etc/pam.d/openvpn
auth required pam_unix.so shadow nodelay
auth requisite pam_succeed_if.so uid >= 500 quiet
auth requisite pam_succeed_if.so user ingroup openvpn quiet
account required pam_unix.so
line 2 means that the user's uid must be greater than or equal to 500.
line 3 means that the user must be a member of the openvpn group. Create the group if needed
now create the openvpn user and group
useradd openvpn
set up the password for openvpn, I will set it to test just for ease
passwd openvpn
Client Setup (Windows)
copy ca.crt
from /etc/openvpn/easy-rsa/keys
to c:\Program Files\OpenVPN\config
create the client configuration c:\Program Files\OpenVPN\config\client.ovpn
with following contents
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote servername
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
comp-lzo yes
verb 3
ca ca.crt
cert client.crt ; This certificate is needed for authentication
key client.key ; This key is needed for authentication
auth-nocache
auth-user-pass
auth-retry interact
; Set the name of the Windows TAP network interface device here
dev-node VPN
Now try to connect from the Windows client using the openvpn account; mine was working at this point, so should yours
3. FreeRADIUS
install the build dependencies
apt-get install libgcrypt11 libgcrypt11-dev gcc make build-essential
download the radius plugin for openvpn
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
extract the plugin
tar xvfz radiusplugin_v2.1a_beta1.tar.gz
switch to the plugin source directory
cd radiusplugin_v2.1a_beta1
compile the plugin
make
install the packaged radius plugin (this also provides the example configuration used below)
apt-get install openvpn-auth-radius
copy the compiled plugin and its configuration to the /etc/openvpn/plugin directory
cp {radiusplugin.so,radiusplugin.cnf} /etc/openvpn/plugin
copy the example radius configuration file from the package
cp /usr/share/doc/openvpn-auth-radius/examples/radiusplugin.cnf /etc/openvpn/plugin
change the server name or IP and the shared secret in the /etc/openvpn/plugin/radiusplugin.cnf
configuration file; the example below sets the IP to 192.168.0.2, replace it with your real IP and set your secret
sed -i 's,name=192.168.0.153,name=192.168.0.2,g' /etc/openvpn/plugin/radiusplugin.cnf
configure openvpn to use the new radius plugin/configuration by adding the following to /etc/openvpn/server.conf
# user authentication
client-cert-not-required
# freeradius authentication
plugin /etc/openvpn/plugin/radiusplugin.so /etc/openvpn/plugin/radiusplugin.cnf
or append the equivalent with echo (this uses the plugin path installed by the openvpn-auth-radius package)
echo "" >> /etc/openvpn/server.conf
echo "# freeradius authentication " >> /etc/openvpn/server.conf
echo "plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/plugin/radiusplugin.cnf" >> /etc/openvpn/server.conf
Note: to make this work, make sure none of the other authentication modules is in use, so adjust server.conf
and comment out any other modules
restart openvpn
service openvpn restart
Client Setup (Windows)
copy ca.crt
from /etc/openvpn/easy-rsa/keys
to c:\Program Files\OpenVPN\config
create the client configuration c:\Program Files\OpenVPN\config\client.ovpn
with following contents
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote servername
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
comp-lzo yes
verb 3
ca ca.crt
cert client.crt ; This certificate is needed for authentication
key client.key ; This key is needed for authentication
auth-nocache
auth-user-pass
auth-retry interact
; Set the name of the Windows TAP network interface device here
dev-node VPN
4. LDAP/Active Directory
install the ldap plugin
apt-get install openvpn-auth-ldap
copy the ldap configuration file
cp /usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf /etc/openvpn/plugin
edit the ldap configuration file and change the authentication settings for your environment; the file is pretty simple and self explanatory
nano /etc/openvpn/plugin/auth-ldap.conf
now tell the openvpn server to use the new settings, either with echo
echo "" >> /etc/openvpn/server.conf
echo "# ldap/ad authentication " >> /etc/openvpn/server.conf
echo "plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/plugin/auth-ldap.conf" >> /etc/openvpn/server.conf
or equivalently with a heredoc
cat << eot >> /etc/openvpn/server.conf
# ldap/ad authentication
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/plugin/auth-ldap.conf
eot
Note: to make this work, make sure none of the other authentication modules is in use, so adjust server.conf
and comment out any other modules
Client Setup (Windows)
copy ca.crt
from /etc/openvpn/easy-rsa/keys
to c:\Program Files\OpenVPN\config
create the client configuration c:\Program Files\OpenVPN\config\client.ovpn
with following contents
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote servername
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
comp-lzo yes
verb 3
ca ca.crt
cert client.crt ; This certificate is needed for authentication
key client.key ; This key is needed for authentication
auth-nocache
auth-user-pass
auth-retry interact
; Set the name of the Windows TAP network interface device here
dev-node VPN