Sunday, November 23, 2008

OpenVPN+WindowsXP+Debian Linux

How to connect Windows XP and Debian Linux using a secure connection over OpenVPN.

Prepare your working tools
su
apt-get install openvpn
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
gzip -d *.gz
mkdir -p /etc/openvpn/tools
ln -s tools/keys /etc/openvpn/keys
make install DESTDIR=/etc/openvpn/tools
cd /etc/openvpn/tools

Change key size (optionally):
Open file: /etc/openvpn/tools/vars
Change: export KEY_SIZE=1024
To value: 2048

or change the key size by executing the following commands (still optional):
cp vars vars.bak
sed -e 's/export KEY_SIZE=1024/export KEY_SIZE=2048/' vars.bak > vars

Generate keys:
source vars
./clean-all # Warning: this will delete all your previous keys!
# optionally: mv keys .. ; ln -s ../keys keys
./build-ca
./build-dh
./build-key-server server
./build-key client1
./build-key client2
./build-key client3

Later you can add a new client certificate with the following commands:
source ./vars
./build-key client4

# Optionally:
mkdir logs
mkdir var

Your client keys and certificates are stored in the files client1 to client3 (.key and .crt). Copy the appropriate client's files to your Windows desktop.

Customize configuration files:
On Linux: server.conf / client.conf
On Windows: server.ovpn / client.ovpn

Further settings:
Setup firewall rules
Open access through firewall to OpenVPN server:
iptables -I INPUT -s trusted-client.com -p UDP --dport 1194 -j ACCEPT
iptables -I FORWARD -s trusted-client.com -p UDP --dport 1194 -j ACCEPT

Allow forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Allow access from VPN to anywhere around the world (optional):
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT

Allow NAT for VPN
iptables -F -t nat
iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE

Setup OpenVPN server on Debian Linux:
Copy files: ca.crt, server.key, server.crt
To: /etc/openvpn

Setup OpenVPN client on Windows XP:
Copy files: cli/*, ca.crt, server.crt, client3.key, client3.crt
To: C:\Progra~1\OpenVPN\config
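The post does not show server.conf and client.ovpn themselves. As an added example (not the author's configuration), the script below writes a minimal pair that agrees with the steps above (UDP 1194, tun, the 10.1.0.0/24 subnet used in the MASQUERADE rule, the dh file that build-dh names after KEY_SIZE) and checks that the two files stay consistent; the file paths, the hostname vpn.example.com and the client name client3 are assumptions, and remote-cert-tls needs OpenVPN 2.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): minimal server.conf / client.ovpn
# matching this setup, plus a consistency check. Paths, hostname and KEY_SIZE
# are assumptions; KEY_SIZE must equal the value in vars (build-dh names dh${KEY_SIZE}.pem).
KEY_SIZE=${KEY_SIZE:-2048}

gen_server_conf() {  # $1 = output file
    cat > "$1" <<EOF
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh${KEY_SIZE}.pem
server 10.1.0.0 255.255.255.0
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

gen_client_conf() {  # $1 = output file, $2 = server hostname, $3 = client name
    cat > "$1" <<EOF
client
dev tun
proto udp
remote $2 1194
nobind
persist-key
persist-tun
ca ca.crt
cert $3.crt
key $3.key
remote-cert-tls server
verb 3
EOF
}

# Returns 0 when server and client agree on proto/port, the server hands out the
# subnet the MASQUERADE rule expects, the DH file matches KEY_SIZE, and the client
# requires a server certificate (OpenVPN 2.1+; a client cert cannot pose as server).
check_pair() {  # $1 = server.conf, $2 = client.ovpn
    grep -q '^proto udp$' "$1" && grep -q '^proto udp$' "$2" || return 1
    grep -q '^port 1194$' "$1" && grep -q '^remote [^ ]* 1194$' "$2" || return 1
    grep -q '^server 10\.1\.0\.0 255\.255\.255\.0$' "$1" || return 1
    grep -q "^dh /etc/openvpn/dh${KEY_SIZE}\.pem$" "$1" || return 1
    grep -q '^remote-cert-tls server$' "$2"
}
```

Run check_pair after editing either file; without remote-cert-tls server a client accepts any certificate the CA issued, including another client's, as the server's.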

Start OpenVPN server on Debian Linux:
/etc/init.d/openvpn restart
or
openvpn --config /etc/openvpn/server.conf

Start OpenVPN client on Windows XP:
right click OpenVPN tray icon, choose "connect"
or run from command line:
openvpn --config C:\Progra~1\OpenVPN\config\client3.ovpn
A client started this way can be stopped with the F4 key.

Start or stop OpenVPN on Windows 7 as a service:
net start OpenVPNService
net stop OpenVPNService
