- 1 介绍/概况
- 2 Setting up the System
- 3 Other Resources
Newer instructions are found at the Ubuntu 9.10 Server guide (Karmic Koala) -- OpenVPN.
OpenVPN is a Virtual Private Networking (VPN) solution provided in the Ubuntu Repositories. It is flexible, easy-to-use, reliable and secure. These instructions are for setting up a Bridged VPN on Ubuntu 8.04 using x509 certs and some general administration tasks.
什么是 VPN 桥接 ?
A bridged VPN allows the clients to appear as though they are on the same local area network (LAN) as the server system. The VPN accomplishes this by using a combination of virtual devices -- one called a "bridge" and the other called a "tap device". A tap device acts as a virtual Ethernet adapter and the bridge device acts as a virtual hub. When you bridge a physical Ethernet device and a tap device, you are essential creating a hub between the physical network and the remote clients. Therefore, all LAN services are visible to the remote clients.
Setting up the System
An understanding of the Linux networking stack is necessary. This example installation was performed using Ubuntu Jeos 8.04 in a KVM virtual machine (but could just have easily been performed on a standalone Ubuntu Server). In my configuration eth0 is connected to the Internet and eth1 is connected to the LAN network that will be bridged. Comments in configuration files are preceeded by two pound signs (##).
Installing the Server
sudo apt-get install openvpn bridge-utils
Setting up the Bridge
- Edit /etc/network/interfaces
When a Linux server is behind a NAT firewall, the /etc/network/interfaces file commonly looks like
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo eth0 iface lo inet loopback # The primary network interface iface eth0 inet static address 192.168.1.10 netmask 255.255.255.0 gateway 192.168.1.1
Edit this and add a bridge interface:
sudo nano /etc/network/interfaces
so that it look similar to:
auto lo br0 iface lo inet loopback iface br0 inet static address 192.168.1.10 netmask 255.255.255.0 gateway 192.168.1.1 bridge_ports eth0 iface eth0 inet manual up ifconfig $IFACE 0.0.0.0 up up ip link set $IFACE promisc on down ip link set $IFACE promisc off down ifconfig $IFACE down
- If you are running Linux inside a virtual machine, you may want to add the following parameters to the bridge connection:
bridge_fd 9 ## from the libvirt docs (forward delay time) bridge_hello 2 ## from the libvirt docs (hello time) bridge_maxage 12 ## from the libvirt docs (maximum message age) bridge_stp off ## from the libvirt docs (spanning tree protocol)
- Restart networking:
sudo /etc/init.d/networking restart
The bridging decelerations come from the libvirt documentation. (I really only understand the bridge_ports directive and the bridge_stp directive. Please add more instructions here.)
- Generate certificates for the server. In order to do this I will setup my own Certificate Authority using the provided easy-rsa scripts in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. Another alternative is using the graphical program tinyca to create your CA.
Step 1: Copy files to the /etc/openvpn/easy-rsa/ directory
sudo mkdir /etc/openvpn/easy-rsa/ sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Step 2: Edit /etc/openvpn/easy-rsa/vars
sudo vi /etc/openvpn/easy-rsa/vars
Change these lines at the bottom so that they reflect your new CA.
export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="email@example.com"
Step 3: Setup the CA and create the first server certificate
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory sudo chown -R root:admin . ## make this directory writable by the system administrators sudo chmod g+w . ## make this directory writable by the system administrators source ./vars ## execute your new vars file ./clean-all ## Setup the easy-rsa directory (Deletes all keys) ./build-dh ## takes a while consider backgrounding ./pkitool --initca ## creates ca cert and key ./pkitool --server server ## creates a server cert and key cd keys openvpn --genkey --secret ta.key ## Build a TLS key sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
The Certificate Authority is now setup and the needed keys are in /etc/openvpn/
Configuring the Server
By default all servers specified in *.conf files in the /etc/openvpn/ directory are started on boot. Therefore, all we have to do is creating a new file named server.conf in the /etc/openvpn/ directory. First, we're going to create a couple of new scripts to be used by the openvpn server.
sudo vi /etc/openvpn/up.sh
This script should contain the following
#!this bogus line has been added so the following line will display properly! #!/bin/sh BR=$1 DEV=$2 MTU=$3 /sbin/ifconfig $DEV mtu $MTU promisc up /usr/sbin/brctl addif $BR $DEV
Now, we'll create a "down" script.
sudo vi /etc/openvpn/down.sh
It should contain the following.
#!this bogus line has been added so the following line will display properly! #!/bin/sh BR=$1 DEV=$2 /usr/sbin/brctl delif $BR $DEV /sbin/ifconfig $DEV down
Now, make both scripts executable.
sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh
And now on to configuring openvpn itself.
sudo vi /etc/openvpn/server.conf
mode server tls-server local <your ip address> ## ip/hostname of server port 1194 ## default openvpn port proto udp #bridging directive dev tap0 ## If you need multiple tap devices, add them here up "/etc/openvpn/up.sh br0" down "/etc/openvpn/down.sh br0" persist-key persist-tun #certificates and encryption ca ca.crt cert server.crt key server.key # This file should be kept secret dh dh1024.pem tls-auth ta.key 0 # This file is secret cipher BF-CBC # Blowfish (default) comp-lzo #DHCP Information ifconfig-pool-persist ipp.txt server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110 push "dhcp-option DNS your.dns.ip.here" push "dhcp-option DOMAIN yourdomain.com" max-clients 10 ## set this to the max number of clients that should be connected at a time #log and security user nobody group nogroup keepalive 10 120 status openvpn-status.log verb 3
Don't forget to either reboot or run the command below. This will restart openvpn and load the new config.
sudo /etc/init.d/openvpn restart
Getting Clients Connected
This section concerns creating client certificate and key files and setting up a client configuration file. The files can then be used with OpenVPN on a client platform. The described configuration will work with OpenVPN installations of OpenVPN GUI for Windows and Tunnelblick for Mac OS X clients. For a detailed discussion of each, refer to their respective home pages. It should also be compatible with Linux OpenVPN clients.
Generating Client Certificate and Key
Generating certificates and keys for a client is very similar to the process used for generating server certificates. It is assumed that you have already set up the
/etc/openvpn/easy-rsa/ directory and updated the
/etc/openvpn/easy-rsa/vars file as described above. You should have already setup your Certificate Authority and created a server certificate and keys.
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory source ./vars ## execute the vars file ./pkitool client ## create a cert and key named "client"
Configuring the Client
The client configuration has been adapted from the OpenVPN 2.0 sample configuration file. For Windows, the file should be named client.ovpn and for other operating systems, the file should be named client.conf. The file can be created using vi or other editor that can create plain text files. The configuration file assumes that there is only one TUN/TAP device configured on the client.
# Specify that this is a client client # Bridge device setting dev tap # Host name and port for the server (default port is 1194) # note: replace with the correct values your server set up remote your.server.example.com 1194 # Client does not need to bind to a specific local port nobind # Keep trying to resolve the host name of OpenVPN server. resolv-retry infinite # Preserve state across restarts persist-key persist-tun # SSL/TLS parameters - files created previously ca ca.crt cert client.crt key client.key # Since we specified the tls-auth for server, we need it for the client # note: 0 = server, 1 = client tls-auth ta.key 1 # Specify same cipher as server cipher BF-CBC # Use compression comp-lzo # Log verbosity (to help if there are problems) verb 3
Place the client.ovpn (or client.conf) configuration file along with the certificate and key files in the openvpn configuration directory on the client. With the above setup, the following files should be in the configuration directory.
client.ovpn ca.crt client.crt client.key ta.key
(For the OpenVPN GUI for Windows, the default location for the files is
(For Tunnelblick for Mac OS X, the default location for the files is
Firestarter configuration for OpenVPN
Firestarter requires some configuration on both client and server machines to allow services like SAMBA over a VPN tunnel. In addition the creation of rules within the GUI, it was also necessary to edit the /etc/firestarter/user-pre file. I used the instructions found here: http://www.howtoadvice.com/FirestarterVPN/ Also, though the tutorial didn't discuss it, I found it necessary to save the original user-pre file as a copy, then rename the original and rename the copy to user-pre due to permissions issues.