Virtual network connectivity between FreeBSD and Kubuntu using OpenVPN

Whenever I'm away from home I'd like access to resources on my local network, such as e-mail and file shares. I have in the past made IMAP, SMTP and SSH access available from the internet, to my dislike. I've also used SSH and X11 forwarding to get an instance of KMail forwarded to my laptop. All these systems either pose security threats, have flaws, or are somewhat painful solutions.

So, I decided to set up a Virtual Private Network with OpenVPN. This gives me "virtual" access to my local network, so that I can reach its resources as if I were present on it. OpenVPN doesn't use IPsec, but instead uses SSL/TLS from the OpenSSL project. I also looked into the new version of OpenSSH, which features functionality similar to a routed VPN through its support for TUN/TAP interfaces. OpenSSH does however only run over TCP, which makes that solution less than ideal behind a firewall that performs network address translation. TCP over TCP also has more overhead than TCP over UDP.

Setting up the FreeBSD server with OpenVPN

I'm running FreeBSD 6.0, and OpenVPN is available as a binary package through the ports system. This makes patching painless. We install the package:

onesome# pkg_add -r openvpn
Fetching ftp://ftp.freebsd.org/../Latest/openvpn.tbz... Done.
Fetching ftp://ftp.freebsd.org/../All/lzo-2.01.tbz... Done.
.. truncated..

In order for the OpenVPN daemon to launch at startup, we add the following lines to /etc/rc.conf:

openvpn_enable="YES" # YES or NO
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_dir="/usr/local/etc/openvpn"

(If you are using the C shell, csh, then a "rehash" is in order for the shell to find the new openvpn executable.) Now it's time to configure the daemon. We create the directory specified above and copy the sample configuration file into place.

root# mkdir /usr/local/etc/openvpn
root# cp /usr/local/share/doc/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn

I'm using PKI certificates for authentication, so these keys must be created. The OpenVPN package includes a set of scripts (easy-rsa) to do this. It requires us to operate under Bash, so we enter that shell by issuing the command "sh". We enter the directory /usr/local/share/doc/openvpn/easy-rsa/, edit the file vars, and modify the last lines like this:

export KEY_COUNTRY=SE
export KEY_PROVINCE=Stockholm
export KEY_CITY=Stockholm
export KEY_ORG="gsandahl"
export KEY_EMAIL="goran@gsandahl.net"

We make the file executable with "chmod u+x vars". This exports several variables which will be used for creation of the CA certificate, the server certificate and the client certificates. The following procedure exports the variables and creates the CA key and certificate:

# . ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
# ./build-ca
Generating a 1024 bit RSA private key
..................++++++
..........................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:twosome
Email Address :

The process is similar for creation of the server and client certificates, with the commands "build-key-server server" and "build-key foursome" respectively. The important thing is that the common name differs between all of them.

Next we copy the certificates and keys to their appropriate place:

cp keys/* /usr/local/etc/openvpn

The configuration file we put in place before should be fine with its defaults. We start the OpenVPN daemon by issuing the command:

/usr/local/etc/rc.d/openvpn.sh start

The server should now be up and running. Authentication of connecting clients is based on their certificates being signed by the CA that the server trusts (and that signed the server's own certificate). In my case, this is the foursome certificate.
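As an added example that is not part of the original post, the following script reproduces the easy-rsa steps above (build-ca, build-key-server, build-key) with plain openssl commands and then runs the two checks the server's trust model depends on: that a client certificate chains to ca.crt, and that no two client certificates share a common name. The hostnames follow the post; the CA name, the certificate subject and the temporary work directory are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original post: redo the easy-rsa steps
# (build-ca, build-key-server, build-key) with plain openssl, then run
# the two checks that the server's certificate-based authentication
# depends on.  Names (onesome, twosome, foursome) follow the post; the
# CA subject and the work directory are constructed here.
set -e
WORK=$(mktemp -d)
SUBJ="/C=SE/ST=Stockholm/L=Stockholm/O=gsandahl"

# ./build-ca: a self-signed CA key and certificate.
build_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "$SUBJ/CN=$1" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# ./build-key-server and ./build-key: key + CSR for common name $1,
# signed by the CA, written to $WORK/$2.{key,csr,crt}.
build_key() {
    openssl req -newkey rsa:2048 -nodes -subj "$SUBJ/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -in "$WORK/$2.csr" -out "$WORK/$2.crt" 2>/dev/null
}

# The server-side decision: accept a peer certificate only if it chains
# to the CA in ca.crt.  Exit status 0 = accepted, non-zero = rejected.
verify_client() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Every client certificate needs its own common name; print any CN that
# occurs more than once among the given certificates.
duplicate_cns() {
    for f in "$@"; do
        openssl x509 -noout -subject -in "$f" | sed 's/.*CN *= *//'
    done | sort | uniq -d
}

build_ca onesome-ca
build_key server   server
build_key twosome  client-twosome
build_key foursome client-foursome
# A certificate issued by some other CA, reusing an existing CN.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$SUBJ/CN=twosome" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
for c in client-twosome client-foursome rogue; do
    if verify_client "$WORK/$c.crt"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
duplicate_cns "$WORK"/client-*.crt "$WORK/rogue.crt"
```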

Setting up Kubuntu and Kvpnc to connect to the server with OpenVPN

My laptop runs Kubuntu Breezy. OpenVPN is available in the official repository, and is thus easily installed with:

foursome# apt-get install openvpn

We won't do any actual configuration of OpenVPN through its config files, but instead use the application Kvpnc to configure and connect to the tunnel. Kvpnc is a KDE-based VPN front-end to OpenVPN, amongst others. A great application, which is also available through APT:

foursome# apt-get install kvpnc

We do however need the keys created before. I copy the necessary ones ("client-twosome.crt", "client-twosome.key" and "ca.crt") to a local directory, using for instance scp.

I launch Kvpnc and choose "New profile" from the Profile menu. The configuration of the certificates is done later in Preferences, available under the Settings menu. Two screenshots illustrate this.

I also made sure that "Use UDP (NAT-T)" was checked under Network/NAT, and that "User-defined port" under OpenVPN wasn't.

The client now successfully connects to the server, and all traffic destined for the 10.8.0.0 network gets routed through the tunnel over the tun0 interface. Beautiful.