
Re: [Openvpn-users] OpenVPN 2.0 client/server setup


  • Subject: Re: [Openvpn-users] OpenVPN 2.0 client/server setup
  • From: Steve Kieu <haiquy@xxxxxxxxx>
  • Date: Thu, 9 Dec 2004 06:06:14 +1100 (EST)

> The task is:
> 1. We have a LAN with private IP (192.168.1.0/24) with a MS terminal
> server in it (192.168.1.4). Gateway is Mandrake linux 8.2.
> 2. We have 2 remote offices (windows boxes) to connect to Terminal
> server (they are connected to internet via NAT - not shown on the
> picture)
> 
> W2K TS <-----> Gateway with OpenVPN <-internet-> Client1 192.168.10.5
> 192.168.1.4 --192.168.1.134 A.B.C.D ------------ Client2 192.168.11.5
> 
> Tunnel addressing is 10.8.0.0/24 (server will take 10.8.0.1)
> Config. files are taken from
> http://openvpn.sourceforge.net/20notes.html - "Sample OpenVPN 2.0
> config file for multi-client server" and "Sample client-side OpenVPN
> 2.0 config file for connecting to multi-client server."
> 
> The questions:
> 1.What should I correct in these sample configs?

The sample config is very well explained. I am new to openvpn too, but
after reading it I can do it by myself.
Set the port number you want to use
Set the protocol (default udp)

Basically, if you select the server-client model, you need to:
Find the server directive in the server config and change it to

server your_VPN_network netmask

(example)
server 10.8.0.0 255.255.255.0

Then find the lines starting with ca, cert, key, dh, tls-auth and
change them to the path where you store your ca cert and key.

example
in Linux
ca /etc/openvpn/demoCA/cacert.pem
in Windows
ca c:\\openvpn\\demoCA\\cacert.pem

The harder part for a newbie like us is to understand how to assign a
static VPN IP. You need to create a directory for a client config
file, suppose /etc/openvpn/ccd (or c:\\openvpn\\ccd)

Modify a line in the server config file so you have a line that says

client-config-dir path_to_the_dir

In that directory create a file whose file name is exactly the common
X509 name (see below) of the client (case matters) and add a line
ifconfig-push 10.8.0.4 255.255.255.0

so the client with that X509 common name will be pushed the command
ifconfig 10.8.0.4 and thus will have VPN ip 10.8.1.4. etc...

> 2.How should I generate keys & certificates? I did:

I suggest you use a Linux machine as the openvpn server for stability.
I had some issues with the Windows server part, but after reinstalling
it, it seems to be stable now. With Linux you can create keys. I wrote
a procedure (not yet complete but I will do it today) (for my
workmate) that you can access from this directory
http://perfectpc.co.nz/~sk/pub/openvpn/
in lyx format; I will export it to pdf later.

> with "easy-rsa" scripts made root certificate ca.crt & ca.key. Then
> with 'build-inter' script made intermediate CA certificate/private
> key pair (signed with root ca) for server and for 2 offices. There
> was a question about 'challenge password' - what is it?

A password to open the secret key. If you create a ca (certificate
authority) you need to supply one. For other keys you may hit enter so
openvpn doesn't need to ask when opening the secret keys.


> 3.How should I setup OpenVPN clients on Windows boxes?

The Windows client config file is nearly identical to the Linux one,
only change the path names from the Linux form to Windows paths and
remember \\ . You can run openvpn as a service in Windows; if so, copy
the config file to the c:\program files\OpenVPN\config directory, go
to Control Panel / Administrative Tools / Services and find OpenVPN,
and set it to start automatically.

Best of luck, any more questions just email me.



=====
S.KIEU
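
A sanity check for the client-config-dir setup described in the reply
above, as an added example that is not part of the original post or of
OpenVPN itself. The function name check_ccd and the sample data are
assumptions made for illustration; only the first argument of
ifconfig-push (the address handed to the client) is examined.

```python
import ipaddress
import re

def check_ccd(server_conf, ccd_files, issued_cns):
    """Return a list of problems found in a client-config-dir layout.

    server_conf: text of the server config (needs a `server` line)
    ccd_files:   {file name: file contents} of the client-config-dir
    issued_cns:  common names of the client certificates that were signed
    """
    m = re.search(r"^\s*server\s+(\S+)\s+(\S+)", server_conf, re.M)
    if not m:
        return ["server config has no 'server <network> <netmask>' line"]
    vpn_net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    server_ip = next(iter(vpn_net.hosts()))  # the server takes the first host address
    problems, seen = [], {}
    for name, body in sorted(ccd_files.items()):
        if name not in issued_cns:
            # The file name must match the CN exactly, so flag case-only slips.
            close = [cn for cn in issued_cns if cn.lower() == name.lower()]
            hint = f" (case differs from '{close[0]}')" if close else ""
            problems.append(f"{name}: no certificate with this common name{hint}")
        push = re.search(r"^\s*ifconfig-push\s+(\S+)", body, re.M)
        if not push:
            continue  # the file may hold other directives only
        addr = ipaddress.ip_address(push.group(1))
        if addr not in vpn_net:
            problems.append(f"{name}: {addr} is outside {vpn_net}")
        elif addr == server_ip:
            problems.append(f"{name}: {addr} is the server's own address")
        if addr in seen:
            problems.append(f"{name}: {addr} already pushed to {seen[addr]}")
        seen.setdefault(addr, name)
    return problems

# Constructed sample data (not taken from the original post).
SERVER_CONF = "proto udp\nserver 10.8.0.0 255.255.255.0\nclient-config-dir /etc/openvpn/ccd\n"
CCD = {
    "office1": "ifconfig-push 10.8.0.4 255.255.255.0\n",
    "Office2": "ifconfig-push 10.8.1.4 255.255.255.0\n",
}
ISSUED = {"office1", "office2"}

if __name__ == "__main__":
    for line in check_ccd(SERVER_CONF, CCD, ISSUED):
        print(line)
```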
