Configuration and setup summary
Here's the quick summary (all the standard disclaimers apply - don't try this unless you have some idea what you're doing!):
Open a port in your firewall (at the "mothership" location) and forward it to your pbxinaflash box - forward just that one port, don't put the box in a DMZ. The standard port number is 1194, and you only need to forward UDP. If you have to connect from a very locked-down internet connection, the most conservative choice is port 443 (https) because it's the least likely to be blocked or proxied for outgoing connections; note that such networks usually only let TCP through on 443, so in that case you would also switch both configs below to "proto tcp". You'll also need to open the port on the PiaF firewall, unless you have disabled iptables. See this post for a rule that will probably do the trick.
That being said, I've typically used very non-standard port numbers (pick something over 20000 at random). The configuration below assumes standard port 1194, UDP traffic (don't worry, it's a full VPN, it just uses UDP as a transport - TCP works through the tunnel as well, and much more). These files will make a VPN with internal addresses 10.100.100.x.
For more serious detail, see the openvpn.net website and tutorials - they're great.
You'll need either a fixed public IP at your server, or a dynamic DNS service (dyndns.org is great, there are several others). See their instructions for setting up an account and the software. This config assumes your public IP DNS name is mydyndnsname.dyndns.org.
Log in to your box as root
The default locations that yum looks in for packages don't include openvpn. You can add one by creating the following file in your yum configuration (if it doesn't already exist):
nano -w /etc/yum.repos.d/rpmforge.repo
# Name: RPMforge RPM Repository for Red Hat Enterprise 5 - dag
# URL: http://rpmforge.net/
[rpmforge]
name = Red Hat Enterprise $releasever - RPMforge.net - dag
#baseurl = http://apt.sw.be/redhat/el5/en/$basearch/dag
mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1
exclude=afio*
exclude=asterisk*
exclude=buffer*
exclude=mindi-*
exclude=mondo-*
You may also need to put the GPG key in the file below. Don't take a key pasted into a forum post (this one included) on trust: after saving it, compare its fingerprint (gpg --with-fingerprint on the file prints it) with the one RPMforge publishes, because gpgcheck = 1 is only as good as the key you import.
nano -w /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
The following public key can be used to verify RPM packages
downloaded from http://dag.wieers.com/apt/ using 'rpm -K'
if you have the GNU GPG package.
Questions about this key should be sent to:
Dag Wieers <[email protected]>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1 (GNU/Linux)
mQGiBD9JMT0RBAC9Q2B0AloUMTxaK73sD0cOu1MMdD8yuDagbMlDtUYA1aGeJVO6
TV02JLGr67OBY+UkYuC1c3PUwmb3+jakZd5bW1L8E2L705wS0129xQOZPz6J+alF
5rTzVkiefg8ch1yEcMayK20NdyOmhDGXQXNQS8OJFLTIC6bJs+7MZL83/wCg3cG3
3q7MWHm3IpJb+6QKpB9YH58D/2WjPDK+7YIky/JbFBT4JPgTSBy611+bLqHA6PXq
39tzY6un8KDznAMNtm+NAsr6FEG8PHe406+tbgd7tBkecz3HPX8nR5v0JtDT+gzN
8fM3kAiAzjCHUAFWVAMAZLr5TXuoq4lGTTxvZbwTjZfyjCm7gIieCu8+qnPWh6hm
30NgA/0ZyEHG6I4rOWqPks4vZuD+wlp5XL8moBXEKfEVOMh2MCNDRGnvVHu1P3eD
oHOooVMt9sWrGcgxpYuupPNL4Uf6B6smiLlH6D4tEg+qCxC17zABI5572XJTJ170
JklZJrPGtnkPrrKMamnN9MU4RjGmjh9JZPa7rKjZHyWP/z/CBrQ1RGFnIFdpZWVy
cyAoRGFnIEFwdCBSZXBvc2l0b3J5IHYxLjApIDxkYWdAd2llZXJzLmNvbT6IWQQT
EQIAGQUCP0kxPQQLBwMCAxUCAwMWAgECHgECF4AACgkQog5SFGuNeeYvDQCeKHST
hIq/WzFBXtJOnQkJGSqAoHoAnRtsJVWYmzYKHqzkRx1qAzL18Sd0iEYEEBECAAYF
Aj9JMWAACgkQoj2iXPqnmevnOACfRQaageMcESHVE1+RSuP3txPUvoEAoJAtOHon
g+3SzVNSZLn/g7/Ljfw+uQENBD9JMT8QBACj1QzRptL6hbpWl5DdQ2T+3ekEjJGt
llCwt4Mwt/yOHDhzLe8SzUNyYxTXUL4TPfFvVW9/j8WOkNGvffbs7g84k7a5h/+l
IJTTlP9V9NruDt1dlrBe+mWF6eCY55OFHjb6nOIkcJwKxRd3nGlWnLsz0ce9Hjrg
6lMrn0lPsMV6swADBQP9H42sss6mlqnJEFA97Fl3V9s+7UVJoAIA5uSVXxEOwVoh
Vq7uECQRvWzif6tzOY+vHkUxOBRvD6oIU6tlmuG3WByKyA1d0MTqMr3eWieSYf/L
n5VA9NuD7NwjFA1kLkoDwfSbsF51LppTMkUggzwgvwE46MB6yyuqAVI1kReAWw+I
RgQYEQIABgUCP0kxPwAKCRCiDlIUa4155oktAKDAzm9QYbDpk6SrQhkSFy016BjE
BACeJU1hpElFnUZCL4yKj4EuLnlo8kc=
=mqUt
-----END PGP PUBLIC KEY BLOCK-----
then install openvpn:
yum -y install openvpn
Let it do its thing.
Make a folder for everything (the package normally creates it already, so -p is harmless):
mkdir -p /etc/openvpn
Copy the easy-rsa folder to your openvpn installation (the version number in the path may differ; ls -d /usr/share/doc/openvpn-*/easy-rsa shows where it is):
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa /etc/openvpn/
Once installed, generate your certificates and encryption keys:
cd /etc/openvpn/easy-rsa
mkdir /etc/openvpn/easy-rsa/keys
nano -w vars
and edit the last 5 lines (KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL) with your information (as you want it to appear in the certificate files - could be bogus info, if you like). While you're in there, KEY_SIZE defaults to 1024; 2048 is the sensible choice today, it just makes build-dh take longer.
control-x, y <enter> to save
Tell the shell you want to use these parameters:
source ./vars
Generate your keys (you may need to do a "chmod +x build* clean-all" first to make the scripts executable):
./clean-all
./build-dh # if this doesn't work, run "openssl dhparam -out keys/dh1024.pem 1024" so the file lands where server.conf expects it (dh2048.pem / 2048 if you changed KEY_SIZE)
./build-ca
./build-key-server myservername
./build-key myclientname1
./build-key myclientname2
You'll be prompted to change anything (if desired) that you entered already. Important: the "common name" of the server and of each client must be unique, don't leave them blank (OpenVPN identifies a client by it). The OU name can be left blank on all of them, and so can the "challenge password". Use build-key-server for the server and build-key for the clients: the server script adds the nsCertType=server extension that the client config below checks for, so a server cert made with plain build-key will be rejected by the clients. The last two prompts ask you if everything is OK, and if the info should be committed to the database. Be sure to type y<enter> for both.
Create the Server configuration file:
nano -w /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
# use the name you gave build-key-server above: the files are only called
# server.crt/server.key if "server" was the name you chose
cert easy-rsa/keys/myservername.crt
key easy-rsa/keys/myservername.key # This file should be kept secret - chmod 600 it
dh easy-rsa/keys/dh1024.pem # 1024-bit DH is weak by today's standards; set KEY_SIZE=2048 in vars before build-dh and use dh2048.pem
server 10.100.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#push "route 192.168.200.0 255.255.255.0"
#If your network was 192.168.200.0, this would allow VPN clients to see it
#You'll have to tell your router that your pbxinaflash machine is the gateway for 10.100.100.0/255.255.255.0, though
client-to-client # allows VPN clients to see each other; leave it out if they have no business talking to one another
keepalive 30 120
comp-lzo # compression inside the tunnel leaks information about the plaintext (VORACLE); remove it here and on every client unless you really need it
max-clients 5 # adjust for however many clients you want to support
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4
management localhost 7505 # unauthenticated: any local user who can reach it can kill sessions, so keep it on localhost (or give a password file as the third argument)
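Before starting the daemon it's worth checking that the keys you just generated actually fit server.conf: the cert/key names only match if they are the ones you gave build-key-server, the key must be unreadable to everyone but root, and the server cert must carry nsCertType=server or every client below will refuse it. The script that follows is an added example, not something from the original post or from the OpenVPN project; it assumes the openssl command-line tool is installed and that relative paths in server.conf resolve against the directory holding the file (the RPM's init script starts openvpn in /etc/openvpn). Run it as root with the path to your server.conf:

```shell
#!/bin/sh
# check_openvpn_pki.sh - added example, not part of the original post.
# Sanity-checks server.conf against the easy-rsa output before you start the
# daemon. Assumes the openssl CLI is installed and that relative paths in
# server.conf resolve against the directory holding the file.

# conf_value FILE DIRECTIVE -> first argument of the first matching directive
conf_value() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# resolve DIR PATH -> PATH if absolute, otherwise DIR/PATH
resolve() {
  case "$2" in /*) echo "$2" ;; *) echo "$1/$2" ;; esac
}

# cert_cn FILE -> subject CN (handles old "/CN=x" and new "CN = x" formats)
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# check_openvpn_pki SERVER_CONF -> 0 if every check passes, 1 otherwise
check_openvpn_pki() {
  conf="$1"; dir=$(dirname "$conf"); rc=0
  for d in ca cert key dh; do
    f=$(conf_value "$conf" "$d")
    if [ -z "$f" ] || [ ! -r "$(resolve "$dir" "$f")" ]; then
      echo "FAIL: '$d' missing from $conf or not readable: $f"; rc=1
    fi
  done
  [ "$rc" -eq 0 ] || return 1   # nothing else is meaningful without the files
  ca=$(resolve "$dir" "$(conf_value "$conf" ca)")
  cert=$(resolve "$dir" "$(conf_value "$conf" cert)")
  key=$(resolve "$dir" "$(conf_value "$conf" key)")

  # openvpn reads the key as root before 'user nobody' takes effect; nobody
  # else on the box should be able to read it (chmod 600).
  if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
    echo "FAIL: $key is group/world readable"; rc=1
  fi
  # The server cert must chain to the CA the clients are handed.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not verify against $ca"; rc=1
  fi
  # Clients using 'ns-cert-type server' reject a server cert that lacks
  # nsCertType=server, i.e. one made with build-key instead of build-key-server.
  if ! openssl x509 -noout -text -in "$cert" | grep -q 'SSL Server'; then
    echo "FAIL: $cert is not marked nsCertType=server"; rc=1
  fi
  # cert and key must be a pair (catches server.crt vs myservername.crt mix-ups).
  cm=$(openssl x509 -noout -modulus -in "$cert" | openssl md5)
  km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl md5)
  if [ "$cm" != "$km" ]; then
    echo "FAIL: $cert and $key do not match"; rc=1
  fi
  # Every cert the CA issued needs a distinct CN; OpenVPN keys client state on it.
  dups=$(for c in "$(dirname "$cert")"/*.crt; do cert_cn "$c"; done | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "FAIL: duplicate common names: $dups"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $conf"
  return "$rc"
}
```

A non-zero exit means at least one line starting with FAIL was printed; fix those before chkconfig/service start, because openvpn will happily start with a world-readable key and only the nsCertType problem shows up later, on the clients.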
Create the client configuration file. This goes in the "OpenVPN config directory" on Windows (and must have the extension .ovpn instead of .conf), in ~/Library/openvpn/ on the Mac if you use Tunnelblick, or in /etc/openvpn/ on Linux.
nano -w /etc/openvpn/myclientname1.conf
client
dev tun
proto udp
remote mydyndnsname.dyndns.org 1194
resolv-retry infinite
nobind
user nobody # not supported on Windows; OpenVPN just logs a note and carries on
group nobody
persist-key
persist-tun
ca ca.crt
cert myclientname1.crt
key myclientname1.key
ns-cert-type server # only talk to a cert made with build-key-server, so another client's cert can't be used to impersonate the server; OpenVPN 2.5+ dropped this option, use "remote-cert-tls server" there (needs extendedKeyUsage serverAuth in the server cert, check with openssl x509 -text)
comp-lzo # must match the server; if you removed it there, remove it here too
verb 3
control-x, y, <enter> to save
Move the client .conf files out of /etc/openvpn to another location on your drive (leave server.conf where it is). When openvpn starts, it tries to launch an instance for every .conf file in that directory, and a client configuration won't work when launched on your server.
Also copy these files from the server to the client (use a secure connection like scp/ssh or you're compromising the network):
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/myclientname1.crt
/etc/openvpn/easy-rsa/keys/myclientname1.key
Put them in the same place as the client config (/etc/openvpn on a Linux client, see above for other platforms) and make the .key readable only by its owner (chmod 600). Two files should never be copied anywhere: easy-rsa/keys/ca.key (whoever has it can mint client certificates your server will trust) and the server's own .key. Once a client's .key has been delivered it doesn't need to stay on the server at all.
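Doing the four-file copy by hand for every client is where keys get mixed up (the wrong .key for a .crt, or a server cert handed to a client). The script below is an added example, not from the original post or from OpenVPN: it builds one self-contained .ovpn per client out of the easy-rsa keys directory, with the CA, certificate and key inlined, after checking that the cert is a client cert whose CN really is the name asked for and that it chains to ca.crt. It assumes the openssl command-line tool is installed and that the client runs OpenVPN 2.1 or newer (2.0.x does not understand inline <ca>/<cert>/<key> blocks); the directives it writes are the ones from the client config above, minus comp-lzo and the user/group lines.

```shell
#!/bin/sh
# make_client_ovpn.sh - added example, not part of the original post.
# Builds one self-contained .ovpn for a client from the easy-rsa keys
# directory. Assumes the openssl CLI is installed and that the client runs
# OpenVPN 2.1 or newer (inline <ca>/<cert>/<key> blocks).

# cert_cn FILE -> subject CN (handles old "/CN=x" and new "CN = x" formats)
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# pem_only FILE -> just the -----BEGIN/END----- block; easy-rsa .crt files
# carry a human-readable dump in front of it that has no business in the bundle
pem_only() {
  sed -n '/-----BEGIN/,/-----END/p' "$1"
}

# make_client_ovpn KEYS_DIR CLIENT_NAME SERVER_HOST PORT OUT_FILE
# Writes OUT_FILE with mode 600 and returns 0, or returns 1 and writes nothing.
make_client_ovpn() {
  keys="$1"; name="$2"; host="$3"; port="$4"; out="$5"
  for f in ca.crt "$name.crt" "$name.key"; do
    if [ ! -r "$keys/$f" ]; then echo "missing $keys/$f" >&2; return 1; fi
  done
  # Refuse to package the server's own cert, whatever it was called.
  if openssl x509 -noout -text -in "$keys/$name.crt" | grep -q 'SSL Server'; then
    echo "$name.crt is a server certificate, refusing" >&2; return 1
  fi
  # The CN inside the cert must be the client we think we are packaging
  # (a mislabelled file would hand one person another person's identity),
  # and the cert must chain to the CA the bundle carries.
  cn=$(cert_cn "$keys/$name.crt")
  if [ "$cn" != "$name" ]; then
    echo "CN '$cn' in $name.crt does not match '$name'" >&2; return 1
  fi
  if ! openssl verify -CAfile "$keys/ca.crt" "$keys/$name.crt" >/dev/null 2>&1; then
    echo "$name.crt does not verify against ca.crt" >&2; return 1
  fi
  # The output holds a private key: remove any old copy and create the new one
  # under umask 077 in a subshell so it is born 0600 and the caller's umask
  # is left alone. comp-lzo is left out on purpose (see the server notes);
  # add it here if you kept it on the server.
  rm -f "$out"
  (
    umask 077
    {
      printf 'client\ndev tun\nproto udp\nremote %s %s\n' "$host" "$port"
      printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
      printf 'ns-cert-type server\nverb 3\n'
      printf '<ca>\n';   pem_only "$keys/ca.crt";    printf '</ca>\n'
      printf '<cert>\n'; pem_only "$keys/$name.crt"; printf '</cert>\n'
      printf '<key>\n';  pem_only "$keys/$name.key"; printf '</key>\n'
    } > "$out"
  )
}

# usage: make_client_ovpn /etc/openvpn/easy-rsa/keys myclientname1 mydyndnsname.dyndns.org 1194 /root/myclientname1.ovpn
```

Hand the resulting file over by scp and it is the only thing the client needs (rename it to .conf on a Linux client); the private key is inside it, so treat the file with the same care as the .key itself.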
On the server, you'll want to have openvpn start up automatically; I believe "chkconfig openvpn on" (without quotes) will do it. The server will start a separate instance for each .conf file in /etc/openvpn, so you can run different servers with different settings (on separate ports). I use this so I can connect to my whole network, but all my relatives can connect to an isolated VPN network so I can do tech support on their computers.
For more detailed setup help, check out openvpn.net. These files come directly from my server (Walmart special) running pbxinaflash, so I'm confident they work well, but YMMV. I hope I haven't missed any steps, but as this is a forum, I'm sure working together we can make this documentation better.
Notice the last entry in the server config file turns on a management port. I found this sweet php script that shows a list of all connected clients on the VPN, showing their private (VPN) IP addresses. Find it here:
http://pablohoffman.com/software/vpnstatus/vpnstatus.txt
and copy it to /var/www/html and make sure the privileges are OK, and you can see the status of your VPN.