Jan 22, 2012

Secure remote access to home through OpenVPN (III)

Let's end up the series of articles about my secure remote access to home through OpenVPN. In the first part, I had to get over the issue about the dynamic IP address used by my ADSL service. I overcame it by using a free dynamic DNS service: DNSdynamic. In the second one, I relied on easy-rsa in order to generate the suitable digital certificates.

Now, we are ready to set OpenVPN up in both sides of the connection: the client and server. First up, let's begin with the server by installing OpenVPN directly from the Ubuntu repositories. Then, we have to copy the appropiate certificates made up by easy-rsa into the openvpn directory, and finally, edit the OpenVPN configuration file for the server.

root@javi-pc:/home/javi/tmp/2.0# aptitude install openvpn

root@javi-pc:/home/javi/tmp/2.0/keys# cp ca.crt server.crt server.key dh1024.pem /etc/openvpn/

root@javi-pc:/home/javi# cat /etc/openvpn/server.conf
# Use a dynamic TUN device
dev tun

# Set virtual point-to-point IP addresses
ifconfig 10.0.0.1 10.0.0.2

# Use TCP for communicating with client
proto tcp-server

# Enable TLS and assume server role during TLS handshake
tls-server

# File containing Diffie Hellman parameters
dh /etc/openvpn/dh1024.pem

# Certificate authority (CA) file
ca /etc/openvpn/ca.crt

# Local peer's signed certificate
cert /etc/openvpn/server.crt

# Local peer's private key
key /etc/openvpn/server.key

# Use fast LZO compression
comp-lzo

# Ping remote every 10sg and restart after 60sg passed without sign of life from remote
keepalive 10 60

# Output logging messages to openvpn.log file
log /var/log/openvpn.log

# Set output verbosity to normal usage range
verb 3

Now we only have to start the OpenVPN daemon and afterwards, we will be able to appreciate that the service is running on TCP port 1194. A final task will be to open that port on the router and redirect all that traffic to the server.

root@javi-pc:/home/javi# /etc/init.d/openvpn start

root@javi-pc:/home/javi# netstat -natp | grep openvpn
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN    19781/openvpn

Let's undertake now the other side of the tunnel: the client. It will be necessary as well to install OpenVPN from the Ubuntu repositories and move into the openvpn directory the adequate digital certificates.

root@javi-laptop:~# aptitude install openvpn

root@javi-laptop:~# cat /etc/openvpn/client.conf
# Use a dynamic TUN device
dev tun

# Connect to server
remote test.dnsdynamic.com

# Set virtual point-to-point IP addresses
ifconfig 10.0.0.2 10.0.0.1

# Use TCP for communicating with server
proto tcp-client

# Enable TLS and assume client role during TLS handshake
tls-client

# Certificate designed as a server-only certificate
remote-cert-tls server

# Certificate authority (CA) file
ca /etc/openvpn/ca.crt

# Local peer's signed certificate
cert /etc/openvpn/client.crt

# Local peer's private key
key /etc/openvpn/client.key

# Use fast LZO compression
comp-lzo

# Ping remote every 10sg and restart after 60sg passed without sign of life from remote
keepalive 10 60

# Output logging messages to openvpn.log file
log /var/log/openvpn.log

# Set output verbosity to normal usage range
verb 3

Lastly, we must remove any link in the runlevel directory for the OpenVPN script, so as to launch it manually whenever we want.

root@javi-laptop:~# update-rc.d -f openvpn remove

root@javi-laptop:~# /etc/init.d/openvpn start


No comments:

Post a Comment

Post a Comment