- IPsec Versus OpenVPN
- Requirements for the OpenVPN Solution
- Setting Up the Public Key Infrastructure (PKI)
- Setting Up the VPN Serve
- Configuring OpenVPN
- Configuring a Sample Client
- Connecting to the Server
- Configuring the Routing
- Working with Unprivileged Users
- Advantages and Disadvantages of This Solution
Modifying the configuration file is straightforward; therefore, I'll only discuss the most important parameters as they apply to our solution (a complete example is available on my web site).
- The directive server expects an IP subnet and a network mask as parameters. dev expects only one parameter, which in this case is tun to create a routed IP tunnel.
- Optional connection parameters are set as local to specify the binding interface by its IP address. If no value is set, OpenVPN binds to all available adapters. This is not desirable for most installations, so the value applied to local should be the external interface's IP.
- By default, OpenVPN is bound to port 1194 UDP. To change the default settings, change the values of the directives prot and proto.
- To enable X.509 authentication, some files must exist in the filesystem.
- The issuing CA must be referenced with ca /path/to/certificate/file.
- The server certificate and its secret key are configured very similarly, using cert /path/to/server.crt for the certificate and key /path/to/server.key for the private key. As described earlier, a fourth key is needed for the protocol negotiation, which is configured with the directive dh /path/to/dh-key.dh.
Once all changes are made to the configuration file, you must update a few IP settings. It's essential to add entries to the client's routing table that point to the LAN's IP subnets. When the client connects to the VPN server, these entries are pushed to the client via the following command:
push "route <network> <netmask>"..
The push command can send most configuration commands to the client, which allows an administrator to configure the connecting clients remotely. The following command pushes the server's default gateway to the client:
If you're using a Windows network, it's also necessary to push the values for the DNS and WINS server to the client:
push "dhcp-option DNS 192.168.1.1" push "dhcp-option WINS 192.168.1.1"