Installation and Configuration - Support Verio


Dec 9, 2013 (3 years and 10 months ago)






COMPANY CONFIDENTIAL

Copyright 1996-2009 Verio Inc. All rights reserved.

Linux VPS/MPS OpenVPN Getting Started Guide

First Edition
September 2009






Table of Contents

Introduction
Disclaimer
Overview
Installation and Configuration
VPN Access
To Enable VPN Access:
To Disable VPN Access:
Server Install:
Server Configuration and SSL Certificate Files:
To Start the Server:
To Start the Server at Reboot:
Client Install:
Client Cert Install:
Client Configuration and SSL Certificate Files:
To Start the Client:
To Start the Client at Reboot:
OpenVPN Install (no basic configuration option):
RPM or Source Install:
Additional Helps
OpenVPN Documentation
Man Page













Introduction

Welcome to the OpenVPN Getting Started Guide for System Administrators! This document describes the features and functionality of OpenVPN as well as the installation methods and configuration options for Linux VPS and MPS servers.

Sections of this document include:

- Overview
- Installation and Configuration
- Additional Helps








Disclaimer

Support for OpenVPN is limited to the vinstall installation method only. Other installation methods (RPM and source) are not supported. Any additional help beyond the vinstall will be directed to the official OpenVPN documentation or Professional Services.




Overview

A VPN allows you to have a direct encrypted connection between two or more servers, creating a private network. It is, in essence, a dedicated line over the public internet. Previously, VPNs commonly used Internet Protocol Security (IPSec) to create secure private networks. However, IPSec tends to be bulky and complex, and it runs in kernel space, which could potentially cause overall system failure or, worse, introduce unknown security holes because of its confusing configuration.

OpenVPN is an open source SSL VPN solution that is robust and highly flexible. It is lightweight and runs as a daemon in user space, making it less risky and less complex to install, configure, and manage.

OpenVPN is highly secure, using the industry-tested and widely deployed SSL/TLS protocol. SSL is most commonly recognized as the protocol used to encrypt traffic for an application such as https. However, in this instance a VPN uses SSL to establish a point-to-point encrypted tunnel regardless of what application traffic passes through it. Because OpenVPN uses SSL, it can provide additional security above the standard protocols and support offered by the default server configuration. Also, it provides a method to create secure groups of servers.

Some features of OpenVPN include:

- Routed or bridged VPN
- Supports SSL/TLS security
- TCP or UDP tunnel transport through proxies or NAT
- Support for dynamic IP addresses and DHCP
- Scalable for multiple clients

OpenVPN can now be installed using the vinstall utility, simplifying the installation and configuration process. OpenVPN is available on Linux VPS and MPS servers only. OpenVPN is not available on FreeBSD VPS/MPS servers. The vinstall is free to use and is offered only in English. OpenVPN can be installed on both new and existing Linux VPS/MPS servers.

The vinstall also assists with some configuration settings for the VPN. The settings used comprise a basic configuration and are considered minimal. There are several advanced configuration settings available. For information regarding advanced configurations, please refer to the OpenVPN documentation:

http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html

Several scenarios exist in which OpenVPN can be used. One possible scenario could be to use VPN to connect to a Samba share as a secure file server. Another scenario could be to connect your web server to your database server using a secure VPN connection.


Installation and Configuration

There are several available methods to install OpenVPN. Determining which method to use depends on your expertise and configuration needs. OpenVPN can be installed from an RPM, from source, or by using the now provided vinstall.

When using the vinstall, some assumptions are used for the installation. There may be instances where the assumptions used differ from your specific needs. For those instances, you may want to use a different installation method where you can customize the entire installation to meet your specific needs. The following describes the assumptions used by the vinstall:

- The vinstall currently installs OpenVPN 2.0.9
- The configuration directory is /etc/openvpn
- The vinstall configures a "routed" VPN: http://openvpn.net/index.php/documentation/howto.html#vpntype
- The vinstall creates certificates and keys in a way that allows you to continue to use the easy-rsa scripts provided with OpenVPN (/etc/openvpn/easy-rsa)
- The vinstall uses the default network (10.8.0.0), protocol (udp) and port (1194) as supplied by OpenVPN
- The vinstall enables client-to-client mode on the server install: http://openvpn.net/index.php/documentation/howto.html#config
- The vinstall modifies the configuration so that OpenVPN will run as user=nobody and group=nobody
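
The assumptions listed above correspond to the standard OpenVPN directives port, proto, server, client-to-client, user and group. The script below is an added example, not part of this guide or of vinstall: it reports where a server.conf differs from those stated settings, which helps when reviewing a configuration that was edited after installation. The function names and the sample configurations are constructed for illustration, and the exact contents vinstall writes to server.conf are an assumption.

```shell
#!/bin/sh
# Added example (not part of the guide): report where a server.conf differs
# from the settings the guide says vinstall applies.

# conf_value FILE DIRECTIVE: print the arguments of the last uncommented
# occurrence of DIRECTIVE ("set" for a bare flag), or nothing if absent.
conf_value() {
    awk -v d="$2" '
        { sub(/[#;].*/, "") }                 # drop "#" and ";" comments
        $1 == d { $1 = ""; sub(/^ +/, ""); v = ($0 == "" ? "set" : $0); found = 1 }
        END { if (found) print v }
    ' "$1"
}

# audit_server_conf FILE: print one line per deviation; return 1 if any.
audit_server_conf() {
    conf=$1
    rc=0
    while IFS='|' read -r directive want; do
        got=$(conf_value "$conf" "$directive")
        first=${got%% *}                      # "server" also carries a netmask
        if [ -z "$got" ]; then
            echo "$directive: not set (guide: $want)"; rc=1
        elif [ "$first" != "$want" ]; then
            echo "$directive: $got (guide: $want)"; rc=1
        fi
    done <<EOF
port|1194
proto|udp
server|10.8.0.0
client-to-client|set
user|nobody
group|nobody
EOF
    return "$rc"
}

# Constructed sample files, for illustration only.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/server.conf" <<EOF
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
client-to-client
user nobody
group nobody
EOF
cat > "$tmp/changed.conf" <<EOF
port 443
proto tcp          # moved off the default transport
server 10.8.0.0 255.255.255.0
;client-to-client
;user nobody
group nobody
EOF

audit_server_conf "$tmp/server.conf" && echo "server.conf matches the guide"
audit_server_conf "$tmp/changed.conf" || echo "changed.conf deviates"
```

On a real server, run `audit_server_conf /etc/openvpn/server.conf`. A missing user line means the daemon keeps root privileges instead of dropping to nobody.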


The vinstall can be used in the following ways:

  vinstall openvpn --server
  vinstall openvpn --client
  vinstall openvpn --client-cert
  vinstall openvpn (no basic configuration option)

The "--server" and "--client" options both install the OpenVPN software and create the default configuration files in the /etc/openvpn directory. The difference is that the "--server" option also creates a public key infrastructure (PKI) certificate and key, a master Certificate Authority certificate, and a certificate and key pair for the server. The "--client" option does not create any certificates or keys.

The "--client-cert" option is designed to be executed on the OpenVPN server (the server that has had the "--server" option installed). The purpose of running the vinstall with "--client-cert" is to create a certificate/key pair for a client. This key can then be securely (manually) transferred to the appropriate client server. Multiple clients can be installed and configured. Each client will need its own certificate/key pair.





The vinstall openvpn option allows you to install the OpenVPN software with no basic configuration settings. This option initiates a menu where you can select a configuration to use. The menu displays the following configuration options:

  Configure as:
    s)erver
    c)lient
    n)either -- configure later manually

Select the "neither -- configure later manually" option to install the OpenVPN software with no basic configuration. The configuration files must be created manually as well as the PKI. Please refer to the OpenVPN vinstall (no basic configuration option) section for detailed instructions.

The server and client configuration options can also be selected from the menu. They are the equivalent of "--server" and "--client" and as such can also be used to initiate the appropriate installation.




VPN Access

Actions must be performed outside of your Linux VPS/MPS server to grant access to network and device functionality that OpenVPN uses. These actions can be performed using a single enable/disable script located within your Backroom. Before installing OpenVPN on your server, you will need to enable VPN access through your Backroom.

To Enable VPN Access:

1. Log in to your Backroom.

2. Go to the account summary and select the account that you wish to enable VPN access for. You can also go to the following URL, replacing <domain.com> with your backroom domain, and then select the account:

   https://<domain.com>/customer/backroom/account_info/index.pl

3. Within the Account Details for your account, click on the Enable VPN button.

   Note: If the Enable VPN button displays as Disable VPN then VPN access has already been enabled.

To Disable VPN Access:

1. Log in to your Backroom.

2. Go to the account summary and select the account that you wish to disable VPN access for. You can also go to the following URL, replacing <domain.com> with your backroom domain, and then select the account:

   https://<domain.com>/customer/backroom/account_info/index.pl

3. Within the Account Details for your account, click on the Disable VPN button.





Server Install:

1. Connect via SSH to the Linux VPS/MPS server on which you would like to install the OpenVPN server.

2. Once connected, su to root, and run the following command:

   # vinstall openvpn --server

3. OpenVPN uses SSL for data encryption. You will need to create a Certificate Authority and a server certificate. Enter y for Yes to be guided through the certificate/key setup.

   Note: The PKI must exist before you will be able to generate a client certificate. If you enter n (No) for this question, you will either need to rerun the "--server" install and enter y (Yes) or refer to the OpenVPN web site for more information on PKI:

   http://openvpn.net/howto.html#pki

4. Select the size of the SSL key. The options are:

   1   1024 bit key encryption
   2   2048 bit key encryption

5. Enter your two-digit country code.

6. Enter the name of your state or province.

7. Enter the name of your city.

8. Enter the name of your organization.

9. Enter your email address.

10. Review and confirm the parameters entered are correct. If the parameters are correct, enter y for Yes.

    Note: If the parameters are incorrect, enter n for No. You will be asked to enter the parameters again for each question.



11. To proceed and complete the installation with the confirmed parameters, enter y for Yes.

    Caution: Any previously existing OpenVPN public key infrastructure will be destroyed and replaced.

Server Configuration and SSL Certificate Files:

The OpenVPN server configuration file is /etc/openvpn/server.conf
The SSL Certificate Authority file is /etc/openvpn/ca.crt
The server certificate file is /etc/openvpn/server.crt
The server certificate key file is /etc/openvpn/server.key

To Start the Server:

Connect to your Linux VPS/MPS server via SSH, su to root, and run the following command:

   # service openvpn start

Note: The OpenVPN server should start automatically once the vinstall completes.

To Start the Server at Reboot:

Connect to your Linux VPS/MPS server via SSH, su to root, and run the following command:

   # chkconfig openvpn on



Client Install:

1. Connect via SSH to the Linux VPS/MPS server on which you would like to install the OpenVPN client.

2. Once connected, su to root, and run the following command:

   # vinstall openvpn --client

3. Enter the hostname or IP of the VPN server.

   Note: The VPN server is the server that has had the "--server" option installed.

4. Set up the client certificate and key. Please refer to the Client Cert Install instructions.

   Note: The client certificate and key must be set up and in place before starting the client. The client is not started automatically once the vinstall completes. You will need to start it once the client certificate and key are in place.

Client Cert Install:

1. Connect via SSH to the Linux VPS/MPS server on which you have already installed the OpenVPN server.

2. Once connected, su to root, and run the following command:

   # vinstall openvpn --client-cert

3. Enter the hostname of the client server.

   Note: The client server is the server that has had the "--client" option installed.

4. Copy the Certificate Authority certificate from the OpenVPN server to the OpenVPN client:

   /etc/openvpn/easy-rsa/keys/ca.crt to /etc/openvpn/ca.crt

5. Copy the client certificate from the OpenVPN server to the OpenVPN client:

   /etc/openvpn/easy-rsa/keys/[client hostname.crt] to /etc/openvpn/client.crt




   Note: Replace [client hostname.crt] with the client hostname previously entered. For instance, if the client hostname entered was mydomain.com the client certificate would be mydomain.com.crt. Once copied to the OpenVPN client, the client certificate is named client.crt.

6. Copy the client key file from the OpenVPN server to the OpenVPN client:

   /etc/openvpn/easy-rsa/keys/[client hostname.key] to /etc/openvpn/client.key

   Note: Replace [client hostname.key] with the client hostname previously entered. For instance, if the client hostname entered was mydomain.com the client key would be mydomain.com.key. Once copied to the OpenVPN client, the client key is named client.key.

7. Be sure that the client.key file has root-only read permissions. Run the following command to set the file permissions for the client.key file to root-only read permissions:

   # chmod 400 /etc/openvpn/client.key

8. Start the client by running the following command on the client server:

   # service openvpn start
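
A pre-start check for the files copied in steps 4 to 7, as an added example that is not part of the original guide: it confirms that ca.crt, client.crt and client.key are in place and that client.key is mode 400 and owned by root. The function name check_client_files and its arguments are hypothetical; the paths and the mode are the ones the guide gives, and the demo files are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the guide): verify the client files before
# running "service openvpn start" on the client server.

# check_client_files [DIR] [OWNER]: print one line per problem, return 1 if
# any. DIR defaults to /etc/openvpn and OWNER to root, as in the guide.
check_client_files() {
    dir=${1:-/etc/openvpn}
    owner=${2:-root}
    rc=0
    # All three files must exist and be non-empty before the client starts.
    for f in ca.crt client.crt client.key; do
        if [ ! -s "$dir/$f" ]; then
            echo "$dir/$f: missing or empty"; rc=1
        fi
    done
    key=$dir/client.key
    if [ -f "$key" ]; then
        # find prints the path only when the test matches the file.
        [ -n "$(find "$key" -prune -perm 400)" ] ||
            { echo "$key: mode is not 400"; rc=1; }
        [ -n "$(find "$key" -prune -user "$owner")" ] ||
            { echo "$key: not owned by $owner"; rc=1; }
    fi
    return "$rc"
}

# Constructed demo: placeholder files in a scratch directory, not real keys.
# The current user stands in for root so the demo runs unprivileged.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
for f in ca.crt client.crt client.key; do
    echo "placeholder" > "$tmp/$f"
done

chmod 644 "$tmp/client.key"      # as it might arrive after a manual copy
check_client_files "$tmp" "$(id -u)" || echo "fix the problems above first"

chmod 400 "$tmp/client.key"      # step 7 of the guide
check_client_files "$tmp" "$(id -u)" && echo "client files ready"
```

On the client server itself, call `check_client_files` with no arguments to check /etc/openvpn against root ownership.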


Client Configuration and SSL Certificate Files:

The OpenVPN client configuration file is /etc/openvpn/client.conf
The SSL Certificate Authority file is /etc/openvpn/ca.crt
The client certificate file is /etc/openvpn/client.crt
The client certificate key file is /etc/openvpn/client.key

To Start the Client:

Connect to your Linux VPS/MPS server via SSH, su to root, and run the following command:

   # service openvpn start

Note: Before starting the OpenVPN client the SSL certificates must be generated on the OpenVPN server. Please refer to the Client Cert Install instructions.

To Start the Client at Reboot:

Connect to your Linux VPS/MPS server via SSH, su to root, and run the following command:

   # chkconfig openvpn on



OpenVPN Install (no basic configuration option):

1. Connect to your Linux VPS/MPS server via SSH.

2. Once connected, su to root, and run the following command:

   # vinstall openvpn

3. Select the n)either -- configure later manually configuration from the menu:

   Configure as:
     s)erver
     c)lient
     n)either -- configure later manually

   Note: The server and client configuration options can also be selected from the menu as they are the equivalent of "--server" and "--client".

4. Manually create the configuration files with your desired settings in the /etc/openvpn directory. Instructions for configuring OpenVPN can be found here:

   http://openvpn.net/index.php/documentation/howto.html

5. You will also need to set up the public key infrastructure. Instructions for installing the public key infrastructure can be found here:

   http://openvpn.net/howto.html#pki

RPM or Source Install:

Follow the instructions on the OpenVPN site:

http://openvpn.net/index.php/documentation/howto.html






Additional Helps

OpenVPN Documentation

The OpenVPN web site contains several helpful documents that can assist with installation and configuration. Examples are also included:

http://openvpn.net/index.php/documentation/howto.html

Man Page

The man page contains all available configuration settings with descriptions and examples. It can be a good source for advanced configuration information. You can view the man page on your Linux VPS server or visit the OpenVPN web site:

Connect to your Linux VPS/MPS server via SSH, su to root, and run the following command:

   # man openvpn

OpenVPN man page:

http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html