A simple configuration

This recipe demonstrates how to set up a connection in client/server mode using certificates.

Getting ready

Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates using the previous recipe. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 22 Linux and OpenVPN 2.3.10.

How to do it...

  1. Create the server configuration file:
          proto udp
          port 1194
          dev tun
          server 10.200.0.0 255.255.255.0

          ca   /etc/openvpn/cookbook/ca.crt
          cert /etc/openvpn/cookbook/server.crt
          key  /etc/openvpn/cookbook/server.key
          dh   /etc/openvpn/cookbook/dh2048.pem


    Then save it as example2-2-server.conf.

  2. Copy over the public certificates and the server private key from the /etc/openvpn/cookbook/keys directory:
          [server]$ cd /etc/openvpn/cookbook
          [server]$ cp keys/ca.crt ca.crt
          [server]$ cp keys/openvpnserver.crt server.crt
          [server]$ cp keys/openvpnserver.key server.key
          [server]$ cp keys/dh2048.pem dh2048.pem
    

    Note

    Note that there is no need to run the preceding commands as user root, provided that write access to these directories has been given.

  3. Start the server:
          [root@server]# openvpn --config example2-2-server.conf
    
  4. Next, create the client configuration file:
          client
          proto udp
          remote openvpnserver.example.com
          port 1194
          dev tun
          nobind

          ca   /etc/openvpn/cookbook/ca.crt
          cert /etc/openvpn/cookbook/client1.crt
          key  /etc/openvpn/cookbook/client1.key


    Then save it as example2-2-client.conf.

  5. Transfer the files ca.crt, client1.crt, and client1.key to the client machine using a secure channel; for example, using the scp command:
  6. Then, start the client:
          [root@client]# openvpn --config example2-2-client.conf
          [...]
          [openvpnserver] Peer Connection Initiated with openvpnserver:1194
          TUN/TAP device tun0 opened
          /sbin/ip link set dev tun0 up mtu 1500
          /sbin/ip addr add dev tun0 local 10.200.0.6 peer 10.200.0.5
          Initialization Sequence Completed


After the connection is established, we can verify that it is working by pinging the server (notice the IP address):

[client]$ ping -c 2 10.200.0.1
PING 10.200.0.1 (10.200.0.1) 56(84) bytes of data.
64 bytes from 10.200.0.1: icmp_seq=1 ttl=64 time=30.6 ms
64 bytes from 10.200.0.1: icmp_seq=2 ttl=64 time=30.7 ms

How it works...

When the server starts, it configures the first available TUN interface with the IP address 10.200.0.1 and with a fake remote address of 10.200.0.2. After that, the server listens on the UDP port 1194 for incoming connections.

The client connects to the server on this port. After the initial TLS handshake, using both the client and server certificates, the client is assigned the IP address 10.200.0.6 (or rather the mini-network 10.200.0.4 - 10.200.0.7). The client configures its first available TUN interface using this information, after which the VPN is established.

There's more...

After the connection is established, you can query the tun0 interface like this:

[client]$ /sbin/ifconfig tun0 | grep inet

Then, look for the following:

inet addr:10.200.0.6  P-t-P:10.200.0.5 

The IP address 10.200.0.5 is a placeholder address and can never be reached. Starting with OpenVPN 2.1, it has also become possible to assign linear addresses to the clients that allow you to have more clients in the same range of IP addresses. This will be explained in the next recipe.

The first address is the VPN client address from a /30 subnet, and the second address is the fake remote endpoint address. Each /30 subnet has to start at a multiple of four, and the VPN client IP address is at the starting address plus two:

  • 10.200.0.[0-3], the VPN IP is 10.200.0.1. Normally, this block is for the OpenVPN server itself.
  • 10.200.0.[4-7], the client IP is 10.200.0.6. Normally, this block is for the first client to connect.
  • 10.200.0.[8-11], 10.200.0.[12-15], 10.200.0.[16-19], and so on are used for consecutive clients.

Because of the /30 subnet for each address, this topology mode is known as net30. It is still the default topology mode, but this will change in the near future.
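The /30 arithmetic described above, as an added Python example that is not from the book: it computes the block, client address and P-t-P placeholder for the Nth client of the recipe's 10.200.0.0/24 pool, and checks an ifconfig tun0 line against that rule. The function names and the POOL constant are my own assumptions.

```python
import ipaddress
import re

# Assumed pool: the "server 10.200.0.0 255.255.255.0" line of the recipe.
POOL = ipaddress.ip_network("10.200.0.0/24")


def net30_block(client_index: int, pool=POOL) -> dict:
    """Return the /30 that net30 hands to the Nth connecting client (N >= 1).

    The first /30 of the pool (10.200.0.0-3) is the server's own block, so
    client N gets the block starting at pool + 4*N. Its VPN IP is the block
    start + 2 and the unreachable P-t-P placeholder is the block start + 1.
    """
    if client_index < 1:
        raise ValueError("client numbering starts at 1; block 0 is the server's")
    start = int(pool.network_address) + 4 * client_index
    block = ipaddress.ip_network(f"{ipaddress.ip_address(start)}/30")
    if not block.subnet_of(pool):
        raise ValueError(f"client {client_index} does not fit in {pool}")
    return {
        "block": str(block),
        "ptp": str(ipaddress.ip_address(start + 1)),
        "client_ip": str(ipaddress.ip_address(start + 2)),
    }


_INET_RE = re.compile(r"inet addr:(\S+)\s+P-t-P:(\S+)")


def check_ifconfig_line(line: str, pool=POOL) -> bool:
    """Check an 'ifconfig tun0 | grep inet' line against the net30 rule.

    True when both addresses lie in the pool, the client address is a block
    start + 2 (so the block starts at a multiple of four from the pool base)
    and the P-t-P address is exactly one below it.
    """
    m = _INET_RE.search(line)
    if not m:
        raise ValueError("line has no 'inet addr: ... P-t-P:' fields")
    client = ipaddress.ip_address(m.group(1))
    ptp = ipaddress.ip_address(m.group(2))
    start = int(client) - 2
    aligned = (start - int(pool.network_address)) % 4 == 0
    return client in pool and ptp in pool and aligned and int(ptp) == start + 1


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, net30_block(n))
    # Constructed sample line, matching the output shown in the recipe.
    print(check_ifconfig_line("inet addr:10.200.0.6  P-t-P:10.200.0.5"))
```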
