:: Setting up VPN using Openvpn :: | |||
HOME |
openvpn@mia:~/certificates> openvpn --genkey --secret temp.key openvpn@mia:~/certificates> cat temp.key -----BEGIN OpenVPN Static key V1----- 3e51dd78f851023b 8f90c386555f7e77 8fb104b6da7ad925 21bf4640b1fea1ed d8122049cea29837 e1f03ce9f6456494 639bd25ea938f9d9 8c7f677c29cf4acc 2ef6608043048f7c 805a8837910092aa 660f7daa903feaba f6768125323a56ca 2a5e04193b9c18c7 ffaf9006f3d74d0f 0d3e331d66b95b34 35dc22fe3748cd30 -----END OpenVPN Static key V1-----
openvpn@mia:~/certificates> scp temp.key openvpn@zidler:~/certificates
openvpn@mia:~> cat openvpn.conf dev tun port 5000 #comp-lzo #ping 15 verb 3 #shaper 1000 remote 131.193.50.184 ifconfig 192.168.254.200 192.168.254.201 up /home/openvpn/bin/ip-up.sh down /home/openvpn/bin/ip-down.sh #Using Pre-Shared Secret Key. secret /home/openvpn/certificates/static.key auth MD5 cipher DES-CBC #keysize 192 ------------------------------------------------------------------- openvpn@zidler:~> cat openvpn.conf dev tun port 5000 #comp-lzo #ping 15 verb 3 #shaper 1000 remote 131.193.50.165 ifconfig 192.168.254.201 192.168.254.200 up /home/openvpn/bin/ip-up.sh down /home/openvpn/bin/ip-down.sh #Using Pre-Shared Secret Key. secret /home/openvpn/certificates/static.key auth MD5 cipher DES-CBC #keysize 192NOTE: Take note of the remote AA.BB.CC.DD and ifconfig 192.168.254.XX 192.168.254.YY options. The IP Address's are reversed at the two peers. Uncomment comp-lzo if you want to use compression, and shaper n if you want to limit the bandwidth to n Bytes/Sec.
openvpn@mia:~> openvpn --show-ciphers --SNIP-- DES-CFB 64 bit default key (fixed) DES-CBC 64 bit default key (fixed) --SNIP--Specify the selected cipher (DES-CFB, say) in the configuratoin file as cipher DES-CFB. Only one cipher can be specified, and AFAIK there is no negotiation between the two peers.
openvpn@mia:~> openvpn --show-digests --SNIP-- MD2 128 bit digest size MD5 128 bit digest size --SNIP--Specify the selected HMAC (MD5, say) in the configuratoin file as auth MD5. Only one HMAC can be specified, and AFAIK there is no negotiation between the two peers.
[openvpn@mia openvpn]# openvpn --config openvpn.conf Thu Jul 17 16:12:10 2003 0[0]: OpenVPN 1.4.1 i386-redhat-linux-gnu built on May 22 2003 Thu Jul 17 16:12:10 2003 1[0]: UDP link local (bound): [undef]:5000 Thu Jul 17 16:12:10 2003 2[0]: UDP link remote: 131.193.50.184:5000 Thu Jul 17 16:12:10 2003 3[0]: Static Encrypt: Cipher 'DES-CBC' initialized with 64 bit key Thu Jul 17 16:12:10 2003 4[0]: Static Encrypt: Using 128 bit message digest 'MD5' for HMAC authentication Thu Jul 17 16:12:10 2003 5[0]: Static Decrypt: Cipher 'DES-CBC' initialized with 64 bit key Thu Jul 17 16:12:10 2003 6[0]: Static Decrypt: Using 128 bit message digest 'MD5' for HMAC authentication Thu Jul 17 16:12:10 2003 7[0]: Data Channel MTU parms [ udp_mtu=1300 extra_frame=40 extra_buffer=0 extra_tun=0 dynamic = [ mtu_min_initial=MTU_INITIAL_UNDEF mtu_max_initial=MTU_INITIAL_UNDEF mtu_initial=MTU_SET_TO_MAX mtu_min=140 mtu_max=1300 mtu=1300 ]] Thu Jul 17 16:12:10 2003 8[0]: TUN/TAP device tun0 opened Thu Jul 17 16:12:10 2003 9[0]: /sbin/ifconfig tun0 192.168.254.200 pointopoint 192.168.254.201 mtu 1260 Thu Jul 17 16:12:10 2003 10[0]: /home/openvpn/bin/ip-up.sh tun0 1260 1300 192.168.254.200 192.168.254.201 [ip-up] -- tun0 1260 1300 192.168.254.200 192.168.254.201 Thu Jul 17 16:12:10 2003 11[0]: PTHREAD support initialized Thu Jul 17 16:12:40 2003 12[0]: Peer Connection Initiated with 131.193.50.184:5000Take a look at the messages to check the different parameters.
[openvpn@mia openvpn]# openvpn --config openvpn.conf Thu Jul 17 16:16:52 2003 0[0]: OpenVPN 1.4.1 i386-redhat-linux-gnu built on May 22 2003 Thu Jul 17 16:16:52 2003 1[0]: UDP link local (bound): [undef]:5000 Thu Jul 17 16:16:52 2003 2[0]: UDP link remote: 131.193.50.184:5000 Thu Jul 17 16:16:52 2003 3[0]: ******* WARNING *******: null cipher specified, no encryption will be used Thu Jul 17 16:16:52 2003 4[0]: ******* WARNING *******: null MAC specified, no authentication will be used Thu Jul 17 16:16:52 2003 5[0]: Data Channel MTU parms [ udp_mtu=1300 extra_frame=8 extra_buffer=0 extra_tun=0 dynamic = [ mtu_min_initial=MTU_INITIAL_UNDEF mtu_max_initial=MTU_INITIAL_UNDEF mtu_initial=MTU_SET_TO_MAX mtu_min=108 mtu_max=1300 mtu=1300 ]] Thu Jul 17 16:16:52 2003 6[0]: TUN/TAP device tun0 opened Thu Jul 17 16:16:52 2003 7[0]: /sbin/ifconfig tun0 192.168.254.200 pointopoint 192.168.254.201 mtu 1292 Thu Jul 17 16:16:52 2003 8[0]: /home/openvpn/bin/ip-up.sh tun0 1292 1300 192.168.254.200 192.168.254.201 [ip-up] -- tun0 1292 1300 192.168.254.200 192.168.254.201 Thu Jul 17 16:16:52 2003 9[0]: PTHREAD support initialized
openvpn@mia:~> cat openvpn.conf dev tun port 5000 ; user nobody ; group nobody #comp-lzo #ping 15 verb 3 #shaper 1000 remote 131.193.50.184 ifconfig 192.168.254.200 192.168.254.201 up /home/openvpn/bin/ip-up.sh down /home/openvpn/bin/ip-down.sh tls-client #auth alg=none #cipher alg=none #keysize 192 ca /home/openvpn/certificates/cacert.cer cert /home/openvpn/certificates/openvpn_mia_cert.cert key /home/openvpn/certificates/openvpn_mia_key.pem tls-cipher RC4-MD5 ------------------------------------------------------- openvpn@zidler:~> cat openvpn.conf dev tun port 5000 ; user nobody ; group nobody #comp-lzo #ping 15 verb 3 #shaper 1000 remote 131.193.50.165 ifconfig 192.168.254.201 192.168.254.200 up /home/openvpn/bin/ip-up.sh down /home/openvpn/bin/ip-down.sh tls-server #auth alg=none #cipher alg=none #keysize 192 ca /home/openvpn/certificates/cacert.cer cert /home/openvpn/certificates/openvpn_zidler_cert.cert key /home/openvpn/certificates/openvpn_zidler_key.pem dh /home/openvpn/certificates/dh1024.pem tls-cipher RC4-MD5
[openvpn@zidler]# openssl dhparam -out dh1024.pem 1024
openvpn@zidler:/home/openvpn# openvpn --config openvpn.conf Fri Jul 18 11:01:56 2003 0: OpenVPN 1.4.1 i686-pc-linux-gnu built on Jun 4 2003 Fri Jul 18 11:01:56 2003 1: UDP link local (bound): [undef]:5000 Fri Jul 18 11:01:56 2003 2: UDP link remote: 131.193.50.165:5000 Fri Jul 18 11:01:56 2003 3: Diffie-Hellman initialized with 1024 bit key Enter PEM pass phrase: Fri Jul 18 11:01:58 2003 4: WARNING: file '/home/openvpn/certificates/openvpn_zidler_key.pem' is group or others accessible Fri Jul 18 11:01:58 2003 5: Data Channel MTU parms [ udp_mtu=1300 extra_frame=41 extra_buffer=0 extra_tun=0 dynamic = [ mtu_min_initial=MTU_INITIAL_UNDEF mtu_max_initial=MTU_INITIAL_UNDEF mtu_initial=MTU_SET_TO_MAX mtu_min=141 mtu_max=1300 mtu=1300 ]] Fri Jul 18 11:01:58 2003 6: Control Channel MTU parms [ udp_mtu=1300 extra_frame=38 extra_buffer=0 extra_tun=0 dynamic = [ mtu_min_initial=MTU_INITIAL_UNDEF mtu_max_initial=MTU_INITIAL_UNDEF mtu_initial=MTU_SET_TO_MIN mtu_min=138 mtu_max=1300 mtu=138 ]] Fri Jul 18 11:01:59 2003 7: TUN/TAP device tun0 opened Fri Jul 18 11:01:59 2003 8: /sbin/ifconfig tun0 192.168.254.201 pointopoint 192.168.254.200 mtu 1259 Fri Jul 18 11:01:59 2003 9: /home/openvpn/bin/ip-up.sh tun0 1259 1300 192.168.254.201 192.168.254.200 [ip-up] -- tun0 1259 1300 192.168.254.201 192.168.254.200 Fri Jul 18 11:02:11 2003 10: TLS: tls_pre_decrypt: first response to initial packet sid=6536e1bc d3232430 Fri Jul 18 11:02:11 2003 11: VERIFY OK: depth=1, /CN=Certificate.Authority.Created.by.Shashank.Khanvilkar/ST=Illinois/C=US/Email=shashank@evl.uic.edu/O=Root.Certification.Authority Fri Jul 18 11:02:11 2003 12: VERIFY OK: depth=0, /CN=openvpn/ST=Illinois/C=US/Email=openvpn@mia.ece.uic.edu/O=UIC/OU=ECE Fri Jul 18 11:02:11 2003 13: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key Fri Jul 18 11:02:11 2003 14: Data Channel Decrypt: Using 160 bit message digest 'SHA1' for HMAC authentication Fri Jul 18 11:02:11 2003 15: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key Fri Jul 18 11:02:11 2003 16: Data Channel Encrypt: Using 160 bit message digest 'SHA1' for HMAC authentication Fri Jul 18 11:02:11 2003 17: Control Channel: TLSv1, cipher TLSv1/SSLv3 RC4-MD5, 1024 bit RSA Fri Jul 18 11:02:11 2003 18: Peer Connection Initiated with 131.193.50.165:5000 --SNIP--
seq_no: 0 Y%*i%|\NU]\Dw-5jOba4Q@D8`?5t#"iBFna^M1OF)t?6++f)m6ZIR:aOY3EvO1Tu!7UhI&0R6O%\uked#BIpvGARZfd+3; "Olq9Q3J@J5E(,2m,5KVA^}bLse2 4gcVI}C\ccB4*J[VTg(;YIyr.Gg/Z#C]Y)OBs{AXYU}&2Ut6w1+CG kn#zdA?D6H/ U&$lGwG9vgeg]7a+C@R]-\z)]=b=nGLEMQ31dtJ\^K_Wc\b(|Pe+I{N(;3EEtqjC^9nD/:)"|aeZ_)s2n ['i}\8D#.7)k2B\Vl2su4qThis data was generated using modudpgen, a synonym for Modified UDP generator and sniffed using ethereal.
seq_no: 0 Y%*i%|\NU]\Dw-5jOba4Q@D8`?5t#"iBFna^M1OF)t?6++f)m6ZIR:aOY3EvO1Tu!7UhI&0R6O%\uked#BIpvGARZfd+3; "Olq9Q3J@J5E(,2m,5KVA^}bLse2 4gcVI}C\ccB4*J[VTg(;YIyr.Gg/Z#C]Y)OBs{AXYU}&2Ut6w1+CG kn#zdA?D6H/ U&$lGwG9vgeg]7a+C@R]-\z)]=b=nGLEMQ31dtJ\^K_Wc\b(|Pe+I{N(;3EEtqjC^9nD/:)"|aeZ_)s2n ['i}\8D#.7)k2B\Vl2su4qThis data was generated using modudpgen, a synonym for Modified UDP generator and sniffed using ethereal.
route add -net network/netmask gw gateway-ipAlthough this method is simple for small networks, it becomes exceedingly difficult to maintain such routes one your network reaches a decent size (> 5 nodes, say). Hence one should avoid using this method, unless you have a very small network.