Saturday, August 3, 2013

Openvpn rules! A primer on setting up Openvpn.

Well, that took a while.  Babies sure do suck up free time.  Enough said on that front.

Have you ever wanted to access data on your home network remotely but didn't want to expose lots of ports to insecure applications or set up forwarding for lots of services or applications?  Then using Openvpn might be the solution for you.  Now on to the good stuff.

In my case an HTPC will be the host for a new Openvpn server.  My overall structure will be as follows:  OpenVPN Client > My Router > OpenVPN Server.  It should also be noted that I personally take security very seriously, so these steps follow nearly all of the major recommendations for hardening an Openvpn server discussed here.

First, install Openvpn on your server machine.  In my case, I'm using Ubuntu Precise (12.04):

sudo apt-get install openvpn

Next, create the required keys for the server and any clients (I recommend 2048-bit keys, as the strength is excellent and I have not noticed any connection or performance issues).

Then, modify the configuration for the server:

mode server
tls-server

local 192.168.1.100 # LAN IP of openvpn server
port 1194 ## default openvpn port
proto udp

dev tun

persist-key
persist-tun

#certificates and encryption
ca ca.crt
cert server.crt
key server.key    # This file should be kept secret
dh dh2048.pem
tls-auth ta.key 0 # This file is secret
tls-cipher AES256-SHA
cipher AES-256-CBC
auth SHA512       # Supported on Android phones

# Network info
topology subnet   # Topology easing configuration & setup
server 192.168.2.0 255.255.255.0 # VPN subnet clients will get IPs from
push "route 192.168.1.0 255.255.255.0" # Route to LAN IPs
client-to-client  # Allow VPN clients to reach each other (LAN access comes from the pushed route above)
max-clients 2     # Max number vpn clients connected at a time
ifconfig-pool-persist /etc/openvpn/ipp.txt
comp-lzo

#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3

Then set up the first client:

client
dev tun

proto udp

# Server to connect to
remote ###.###.###.### 1194 # Public IP/hostname of router

resolv-retry infinite

nobind
user nobody
group nobody

persist-key
persist-tun

# Certificates
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1

# Increased security (prevent man-in-the-middle attacks)
ns-cert-type server

# Encryption - Must match server side
cipher AES-256-CBC
tls-cipher AES256-SHA
auth SHA512

comp-lzo
verb 3
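Because several of the client directives above must match the server side exactly, a quick consistency check between the two files saves a lot of "TLS handshake failed" debugging. This is an added example, not code from the original post: it embeds constructed, cut-down copies of the two configs (the hostname vpn.example.com is a placeholder) and reports any directive that disagrees, the wrong tls-auth key direction, or a port mismatch.

```python
import re
# Constructed sample configs, cut down to the directives the check looks at.
SERVER_CONF = """
port 1194
proto udp
dev tun
tls-auth ta.key 0
tls-cipher AES256-SHA
cipher AES-256-CBC
auth SHA512
comp-lzo
"""
CLIENT_CONF = """
dev tun
proto udp
remote vpn.example.com 1194
tls-auth ta.key 1
cipher AES-256-CBC
tls-cipher AES256-SHA
auth SHA512
comp-lzo
"""
# Directives whose arguments must be identical on both ends; comp-lzo has no
# arguments, so comparing its (empty) argument list checks presence on both.
MUST_MATCH = ("proto", "dev", "cipher", "tls-cipher", "auth", "comp-lzo")

def parse_config(text):
    """Parse OpenVPN config text into {directive: [args]}, dropping comments."""
    conf = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)[#;].*$", "", raw).strip()  # '#' / ';' comments
        if line:
            parts = line.split()
            conf[parts[0]] = parts[1:]
    return conf

def check_pair(server_text, client_text):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    srv, cli = parse_config(server_text), parse_config(client_text)
    problems = []
    for key in MUST_MATCH:
        if srv.get(key) != cli.get(key):
            problems.append(f"{key}: server={srv.get(key)} client={cli.get(key)}")
    # The tls-auth key direction must be 0 on the server and 1 on the client.
    if srv.get("tls-auth", [])[1:] != ["0"] or cli.get("tls-auth", [])[1:] != ["1"]:
        problems.append("tls-auth: server needs direction 0, client direction 1")
    # The client's 'remote' port must be the port the server listens on.
    remote = cli.get("remote", [])
    client_port = remote[1] if len(remote) > 1 else "1194"  # OpenVPN default
    server_port = srv.get("port", ["1194"])[0]
    if server_port != client_port:
        problems.append(f"port: server {server_port} vs client {client_port}")
    return problems
```

Run it against your real files with `check_pair(open("server.conf").read(), open("client1.conf").read())`; an empty list means the two sides agree on everything the post says must match.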

You should now be able to connect to the Openvpn server from your client.  However, connecting to systems on your LAN is yet to be solved.  To do that you'll need to do two things:
  1. Enable IP forwarding on the system running Openvpn
  2. Set up a static route for the new subnet on any router(s) on your LAN
