@suidroot
Created December 7, 2015 23:06
OpenVPN on Vyatta Firewall
Reference url: http://www.brocade.com/downloads/documents/html_product_manuals/vyatta/vyatta_5400_manual/wwhelp/wwhimpl/js/html/wwhelp.htm
Create the directory for certificate management
Instructions: log in to the Vyatta and make sure you are at the $ prompt:
example: vyatta@HOSTNAME:~$
##creates the directory##
vyatta@HOSTNAME:~$ mkdir /config/auth/ca (note: there is a space after mkdir)
##copies files to new directory##
vyatta@HOSTNAME:~$ cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /config/auth/ca
##change directory##
vyatta@HOSTNAME:~$ cd /config/auth/ca
##edit the vars file##
vyatta@HOSTNAME:/config/auth/ca$ vi vars
Instructions for using vi editor http://www.washington.edu/computing/unix/vi.html
You can edit the defaults such as KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL. These settings are in the vars file. You don't have to change the defaults, but make sure none of them are left blank!
Next we need to initialize the CA:
# Set up the certificate generation environment
vyatta@HOSTNAME:/config/auth/ca$ source vars
vyatta@HOSTNAME:/config/auth/ca$ ./clean-all
# Build the CA key and certificate
vyatta@HOSTNAME:/config/auth/ca$ ./build-ca
# Build the diffie-hellman file
vyatta@HOSTNAME:/config/auth/ca$ ./build-dh
# Build a server key and certificate
vyatta@HOSTNAME:/config/auth/ca$ ./build-key-server <server>
# Build a client key and certificate
vyatta@HOSTNAME:/config/auth/ca$ ./build-key <client_name> (repeat this command to build more client certificates and keys. EACH CLIENT REQUIRES A DIFFERENT CERTIFICATE AND KEY)
# Point the OpenVPN server configuration at the new ca cert, server key, server cert, and dh files
See “Configure the Vyatta” below.
After you have created the certificates, send the following files to the PC client: ca.crt, client1.crt, client1.key. This can be done by accessing the Vyatta with Filezilla or WinSCP.
Configure the Vyatta
set interfaces openvpn vtun0 description 'Client VPN'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 server domain-name 'example.com'
set interfaces openvpn vtun0 server push-route '192.168.90.0/24'
set interfaces openvpn vtun0 server push-route '192.168.15.128/25'
set interfaces openvpn vtun0 server subnet '192.168.100.0/24'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ca/keys/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/ca/keys/openvpn-server.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/ca/keys/dh1024.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/ca/keys/openvpn-server.key'
CLIENT CONFIGURATION
Download client from http://openvpn.net/index.php/download/community-downloads.html
Install client.
Installation notes can be found at http://openvpn.net/index.php/open-source/documentation/howto.html#install
1. Copy the three files that were sent to you (via Filezilla) into C:\Program Files\OpenVPN\config.
2. Create a text document in C:\Program Files\OpenVPN\config called clientname.ovpn
3. To edit the configuration file, open the program from Start > All Programs > OpenVPN > "OpenVPN GUI" (Note: alternatively, you may edit the config with any text editor)
4. You will have an OpenVPN icon in the system tray.
Right-click the icon and select “Edit Config”.
Make this config look like the Client Config File below, but be sure to change the remote IP address and certificate and key names as needed.
Basic VPN client configuration. TCP/443 makes it easier to get through all kinds of firewalls; UDP/1194 might be blocked.
==============
Client Config file:
==============
client
dev tun
proto udp
remote <server ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# the three files copied from the Vyatta: the CA cert plus this client's own cert and key
ca ca.crt
cert client1.crt
key client1.key
verb 7
remote-cert-tls server
route-method exe
route-delay 2
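As an added example (not part of the gist), a small Python helper that renders the client profile above for one named client, either pointing at the three copied files or embedding them inline, and refuses the mistakes this procedure invites: reusing the CA or the server's certificate/key name (openvpn-server, as in the Vyatta config above) for a client, handing a client the CA cert as its own cert, or pasting a private key where a certificate belongs. The template text, the reserved names and the sample PEM strings are assumptions.

```python
import re

# Client profile lines from the page's config; the values that differ per
# deployment (server address, proto/port, client name) become parameters.
PROFILE_TEMPLATE = """client
dev tun
proto {proto}
remote {server} {port}
resolv-retry infinite
nobind
persist-key
persist-tun
verb 7
remote-cert-tls server
route-method exe
route-delay 2
"""

# Never build a client profile from the CA or from the server cert/key name
# used in the page's Vyatta config (openvpn-server.crt / .key); assumed names.
RESERVED_NAMES = {"ca", "openvpn-server"}
# Exactly one unencrypted PEM object: header, base64 body, matching footer.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n[A-Za-z0-9+/=\n]+?-----END \1-----\n?")


def render_profile(server, client_name, proto="udp", port=1194, inline=None):
    """Return the .ovpn text for one client.  inline=None references ca.crt,
    <client>.crt and <client>.key on disk (the three files the page copies into
    the config folder); inline={"ca": pem, "cert": pem, "key": pem} embeds them."""
    if client_name in RESERVED_NAMES or not re.fullmatch(r"[A-Za-z0-9_-]+", client_name):
        raise ValueError(f"refusing to build a client profile named {client_name!r}")
    if proto not in ("udp", "tcp") or not 1 <= port <= 65535:
        raise ValueError("proto must be udp or tcp and port 1-65535")
    text = PROFILE_TEMPLATE.format(proto=proto, server=server, port=port)
    if inline is None:
        return text + f"ca ca.crt\ncert {client_name}.crt\nkey {client_name}.key\n"
    if inline["ca"].strip() == inline["cert"].strip():
        raise ValueError("client cert equals the CA cert; build a per-client cert")
    # Each embedded block must be one PEM object of the right type, so a private
    # key cannot land under <cert>, nor a CSR or a cert bundle under <ca>.
    for tag, expect in (("ca", "CERTIFICATE"), ("cert", "CERTIFICATE"), ("key", "PRIVATE KEY")):
        pem = inline[tag].strip()
        m = PEM_RE.fullmatch(pem + "\n")
        if m is None or not m.group(1).endswith(expect):
            raise ValueError(f"<{tag}> must hold exactly one PEM {expect} block")
        text += f"<{tag}>\n{pem}\n</{tag}>\n"
    return text
```

Write the returned text to clientname.ovpn in the OpenVPN config folder; with the inline form the three separate files are no longer needed on the client.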
Run OpenVPN
To run OpenVPN, right-click the system tray icon and select “connect”.
Note: You may need to run the client as administrator for push-routes to work.