Created December 7, 2015 23:06
OpenVPN on Vyatta Firewall
Reference url: http://www.brocade.com/downloads/documents/html_product_manuals/vyatta/vyatta_5400_manual/wwhelp/wwhimpl/js/html/wwhelp.htm
Create the directory for certificate management
Instruction: log in to the Vyatta and make sure you are at the $ prompt:
example: vyatta@HOSTNAME:~$
##creates the directory##
vyatta@HOSTNAME:~$ mkdir /config/auth/ca (note: there is a space after mkdir)
##copies files to new directory##
vyatta@HOSTNAME:~$ cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /config/auth/ca
##change directory##
vyatta@HOSTNAME:~$ cd /config/auth/ca
##edit the vars file##
vyatta@HOSTNAME:/config/auth/ca$ vi vars
Instructions for using the vi editor: http://www.washington.edu/computing/unix/vi.html
You can edit the defaults like KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL. These settings are in the vars file. You don't have to edit the defaults, but make sure none of them are left blank!
Next we need to initialize the CA:
# Set up the certificate generation environment
vyatta@HOSTNAME:/config/auth/ca$ source vars
vyatta@HOSTNAME:/config/auth/ca$ ./clean-all
# Build the CA key and certificate
vyatta@HOSTNAME:/config/auth/ca$ ./build-ca
# Build the Diffie-Hellman file
vyatta@HOSTNAME:/config/auth/ca$ ./build-dh
# Build a server key and certificate
vyatta@HOSTNAME:/config/auth/ca$ ./build-key-server <server>
# Build a client key and certificate
vyatta@HOSTNAME:/config/auth/ca$ ./build-key <client_name> (use this command to build more client certificates and keys. EACH CLIENT REQUIRES A DIFFERENT CERTIFICATE AND KEY)
# Point the OpenVPN server configuration at the new CA cert, server key, server cert, and DH files
See "Configure the Vyatta" below.
After you have created the certificates, you need to send the following files to the client PC: ca.crt, client1.crt, client1.key. This can be done by accessing the Vyatta with FileZilla or WinSCP. Only the client's own certificate and key go to that client; the CA key and the server key stay on the Vyatta.
Configure the Vyatta
set interfaces openvpn vtun0 description 'Client VPN'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 server domain-name 'example.com'
set interfaces openvpn vtun0 server push-route '192.168.90.0/24'
set interfaces openvpn vtun0 server push-route '192.168.15.128/25'
set interfaces openvpn vtun0 server subnet '192.168.100.0/24'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ca/keys/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/ca/keys/openvpn-server.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/ca/keys/dh1024.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/ca/keys/openvpn-server.key'
CLIENT CONFIGURATION
Download the client from http://openvpn.net/index.php/download/community-downloads.html
Install the client.
Installation notes can be found at http://openvpn.net/index.php/open-source/documentation/howto.html#install
1. Copy the three files that were sent to you (via FileZilla) into C:\Program Files\OpenVPN\config.
2. Create a text document in C:\Program Files\OpenVPN\config called clientname.ovpn
3. To edit the configuration file, open the program from Start > All Programs > OpenVPN > "OpenVPN GUI" (note: you may alternatively edit the config with any text editor)
4. You will now have an OpenVPN icon in the system tray.
Right-click the icon and select "Edit Config".
Make this config look like the Client Config File below, but be sure to change the remote IP address and the certificate and key names as needed.
Basic VPN client configuration. The config below uses UDP/1194; TCP/443 makes it easier to get through all kinds of firewalls, since UDP/1194 might be blocked (the server side must listen on the same protocol and port).
==============
Client Config file:
==============
client
dev tun
proto udp
remote <server ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
# the client's own certificate and key (the files built with ./build-key), not the server's
cert client1.crt
key client1.key
verb 7
# only accept a peer whose certificate was issued for server use
remote-cert-tls server
route-method exe
route-delay 2
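As an added example (not part of the gist), a small Python helper that renders the Vyatta "set" block and a per-client .ovpn from the values used above, checking that pushed routes do not overlap the tunnel subnet and that a client config never points at the server's certificate. The vtun name, server_name, dh file name and sample addresses are assumptions taken from the gist's own examples.

```python
import ipaddress

# Values taken from the gist's "Configure the Vyatta" block (assumed as defaults).
KEYS_DIR = "/config/auth/ca/keys"
VPN_SUBNET = "192.168.100.0/24"
PUSH_ROUTES = ("192.168.90.0/24", "192.168.15.128/25")


def vyatta_server_commands(vtun="vtun0", subnet=VPN_SUBNET, push_routes=PUSH_ROUTES,
                           domain="example.com", server_name="openvpn-server",
                           dh_file="dh1024.pem", keys_dir=KEYS_DIR):
    """Build the Vyatta 'set' lines; refuse pushed routes that collide with the tunnel subnet."""
    tunnel = ipaddress.ip_network(subnet, strict=True)   # strict: reject host bits in the prefix
    routes = [ipaddress.ip_network(r, strict=True) for r in push_routes]
    for r in routes:
        if r.overlaps(tunnel):
            raise ValueError(f"push-route {r} overlaps the VPN subnet {tunnel}")
    p = f"set interfaces openvpn {vtun}"
    cmds = [f"{p} mode 'server'", f"{p} server domain-name '{domain}'",
            f"{p} server subnet '{tunnel}'"]
    cmds += [f"{p} server push-route '{r}'" for r in routes]
    cmds += [f"{p} tls ca-cert-file '{keys_dir}/ca.crt'",
             f"{p} tls cert-file '{keys_dir}/{server_name}.crt'",
             f"{p} tls key-file '{keys_dir}/{server_name}.key'",
             f"{p} tls dh-file '{keys_dir}/{dh_file}'"]
    return cmds


def client_ovpn(client_name, server_addr, server_name="openvpn-server", proto="udp", port=1194):
    """Render one client's .ovpn; it must carry that client's own cert/key, never the server's."""
    if client_name in (server_name, "ca"):
        raise ValueError("client config must reference the client's own certificate and key")
    if proto not in ("udp", "tcp"):
        raise ValueError("proto must be 'udp' or 'tcp' (tcp/443 if udp/1194 is filtered)")
    lines = ["client", "dev tun", f"proto {proto}", f"remote {server_addr} {port}",
             "resolv-retry infinite", "nobind", "persist-key", "persist-tun",
             "ca ca.crt", f"cert {client_name}.crt", f"key {client_name}.key",
             # only accept a peer whose certificate was issued for server use
             "remote-cert-tls server",
             "verb 3", "route-method exe", "route-delay 2"]   # verb 3 is enough outside debugging
    return "\n".join(lines) + "\n"
```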
Run OpenVPN
To run OpenVPN, right-click the system tray icon and select "connect".
**You may need to run the client as administrator for push-routes to work.