This page details setting up secure access to a LAN using the OpenVPN software. This software is designed to offer secure connections to clients on untrusted networks, for example the internet or wireless networks. Unlike the IPSec technologies that involve reconfiguring the TCP/IP stack, OpenVPN runs in userspace and establishes a separate network connection for encrypted traffic. The OpenVPN homepage is at http://openvpn.sourceforge.net.
The scenario detailed in this page is concerned with setting up a Debian Linux system as an OpenVPN server to protect the LAN from unauthorised access and provide a VPN bridge to the LAN for authorised client systems. The setup is designed to be as transparent as possible to the end user, although the OpenVPN software allows for varying degrees of interactivity, particularly on Windows clients. It assumes that the Linux OpenVPN server has two network cards fitted, one connected to the "trusted" LAN and one connected to the "untrusted" network.
Debian Sarge (currently testing, soon to be stable) is the platform used in this document. There is no OpenVPN package in the repository for Debian Woody (currently stable). There is, however, a package for OpenVPN 1.6 in Sarge. Unfortunately the 1.6 series does not scale well to large installations, so a backport of OpenVPN 2.0 is used. Although still technically in beta phase, the software is stable and offers some features that are important when considering a VPN that will have a large number of clients. Unlike OpenVPN 1.6, the 2.0 series does not require a separate instance of the OpenVPN server process running for each client that may connect. It uses a single port for all connections. This also means that client-side configuration is easier, as all clients can be set to use the same port, rather than each one having to be configured to use a different port. OpenVPN 2.0 also only supports certificates for authentication - static keys are no longer supported.
The OpenVPN 2.0 packages used in this document are found at http://tmp.inittab.org/~agi/sid/. At the time of writing the most recent package is "beta 11", and this is the version used in this document. Although they were built for Debian unstable, they only depend on libraries available in Sarge, so the package installs without problems. In addition to the .deb package from the aforementioned site, you will need to install the libssl0.9.7 and liblzo1 packages as root. This should be as straightforward as:
# apt-get install libssl0.9.7 liblzo1
Once this is done, the .deb package can be installed as root with the command:
# dpkg -i openvpn_2.0_beta11-1_i386.deb
To be able to generate and issue your own certificates for authentication purposes, you will need the openssl package and its dependencies, which can be installed as root using:
# apt-get install openssl
Tunnelling Vs. Bridging
OpenVPN can work in two different "modes", Tunnelling and Bridging. Tunnelling allows hosts connected via VPN to occupy a separate subnet from the internal LAN. This is more efficient in terms of network traffic, but can prove problematic on networks that rely on broadcast traffic (e.g. Windows networks that don't use WINS). Also, servers and other network devices need to be reconfigured to route traffic to the separate subnet as well as the LAN and their default gateway.
Bridging allows the VPN client to appear as a host on the LAN - it has an IP address in the same range as the rest of the LAN clients. This can make administering remote clients easier and requires no configuration of routing tables on servers and network devices (other than the OpenVPN server). However, bridging can negatively impact network performance. This document uses the bridging mode of OpenVPN.
If you wish to use Ethernet Bridging, you will need to ensure the correct modules are available for your kernel. Ethernet Bridging is not supported by the 2.4.18 kernel that is provided with Debian, so a newer version is required. You can either compile your own kernel, or install a newer stock kernel package. The 2.6.8-1 kernel available as a package for Sarge includes the bridging module. You will also require the bridge-utils package, which can be installed as root, along with its dependencies, using:
# apt-get install bridge-utils
It is necessary to ensure that the tun and bridge modules are inserted on system boot. There are also some other settings that should be configured to ensure that the server process starts during system boot.
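The following script is an added example, not part of the original page, showing one way to handle the two tasks above: listing the tun and bridge modules in /etc/modules so they load at boot, and building the Ethernet bridge that joins the OpenVPN tap device to the trusted LAN card (the brctl commands come from the bridge-utils package mentioned above). The interface names eth0, tap0 and br0 and the 192.168.1.0/24 addressing are assumptions; the bridge takes over the address the LAN card used before.

```shell
#!/bin/sh
# Added example (not from the original page): load tun and bridge at boot and
# bridge the OpenVPN tap device to the trusted LAN NIC. Interface names and
# LAN addressing below are assumptions; adjust them for your own system.

# Append a module name to a modules file (normally /etc/modules) unless it
# is already listed. Idempotent, so it is safe to re-run after a reinstall.
ensure_module_listed() {
    modules_file=$1
    module=$2
    [ -f "$modules_file" ] || : > "$modules_file"
    if ! grep -q "^${module}\$" "$modules_file"; then
        echo "$module" >> "$modules_file"
    fi
}

# Print the command sequence that creates the bridge. The commands are
# emitted rather than executed so they can be reviewed first; the "apply"
# branch below pipes them to sh. Arguments: LAN interface, tap device,
# bridge name, bridge IP address, netmask, broadcast address.
bridge_commands() {
    eth=$1 tap=$2 br=$3 ip=$4 mask=$5 bcast=$6
    cat <<EOF
openvpn --mktun --dev $tap
brctl addbr $br
brctl addif $br $eth
brctl addif $br $tap
ifconfig $tap 0.0.0.0 promisc up
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $ip netmask $mask broadcast $bcast
EOF
}

# Run as root with the single argument "apply" to update /etc/modules and
# bring the bridge up. Without arguments only the functions are defined.
if [ "${1:-}" = "apply" ]; then
    ensure_module_listed /etc/modules tun
    ensure_module_listed /etc/modules bridge
    # Assumed addressing: eth0 is on the trusted 192.168.1.0/24 LAN.
    bridge_commands eth0 tap0 br0 192.168.1.1 255.255.255.0 192.168.1.255 | sh
fi
```

Review the printed commands with `bridge_commands` before running the script with `apply`; the bridge takes the LAN card's address, so running it over an SSH session to that address will drop the session until the bridge is up.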
The configuration file(s) for OpenVPN should be held in the /etc/openvpn directory. This directory is empty following the installation of the package. There are example configuration files in /usr/share/doc/openvpn. The OpenVPN project also provides some examples for the 2.0 series on their examples page.
The /etc/init.d/openvpn script is linked as S16openvpn in the /etc/rc2.d directory.
It is recommended to configure OpenVPN not to log to /var/log/syslog as the software can "flood" the system log with extraneous information.
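As an added example (not the page's own configuration), the script below writes a minimal OpenVPN 2.0 server configuration for bridging mode into a directory of your choice (normally /etc/openvpn) and includes a small check for the logging point made above: without a log or log-append directive a daemonised OpenVPN 2.0 writes to syslog, so the file directs output to /var/log/openvpn.log instead. The certificate file names, the br0 addressing and the client address pool are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): generate a bridging-mode
# server.conf for OpenVPN 2.0. Certificate names, bridge addressing and the
# client pool are assumptions; match them to your own LAN and CA.

# Write server.conf into the given directory (normally /etc/openvpn).
write_server_conf() {
    conf_dir=$1
    cat > "$conf_dir/server.conf" <<'EOF'
# One UDP port serves every client (OpenVPN 2.0 multi-client mode).
port 1194
proto udp
# Bridging mode: a tap device, added to br0 by the bridge start script.
dev tap0
# Certificate-based authentication; paths are relative to /etc/openvpn.
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# Bridge gateway, netmask, and the pool of LAN addresses given to clients.
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.250
# Compression; needs liblzo1 on both ends.
comp-lzo
keepalive 10 120
# Drop privileges once started; keep key and tap open across restarts.
user nobody
group nogroup
persist-key
persist-tun
# Log to a dedicated file rather than flooding /var/log/syslog.
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
verb 3
EOF
}

# Return 0 when a config file names its own log file (log or log-append),
# 1 when it would still send everything to syslog.
logs_to_file() {
    grep -Eq '^log(-append)? ' "$1"
}

# Run as root with the single argument "apply" to write /etc/openvpn/server.conf.
if [ "${1:-}" = "apply" ]; then
    write_server_conf /etc/openvpn
    logs_to_file /etc/openvpn/server.conf || echo "warning: logging still goes to syslog" >&2
fi
```

The client pool given to server-bridge must lie inside the LAN subnet but outside any range the LAN's DHCP server hands out, otherwise a VPN client and a local host can end up with the same address.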
A work in progress by TonyWhitmore