1. Ensure everything up to date (as / ):

#apt-get update
#apt-get upgrade --show-upgraded

2. Install OpenVPN and the udev dependency

#apt-get install openvpn udev

3. Configure Public Key Infrastructure Variables

$nano /etc/openvpn/easy-rsa/2.0/vars
edited the default to (roughly as CA_Cert: ipv6_yearl.us.txt NB to update CACerts): 
export KEY_COUNTRY="US"
export KEY_PROVINCE="MA"
export KEY_CITY="Newton"
export KEY_ORG="US.Yearl" #perhaps should have used [email protected]? 
export KEY_EMAIL="[email protected]"

4. initialize PKI Issued

All 3 commands in sequence. Unlike CA_Cert left certain fields not present in /etc/openvpn/easy-rsa/2.0/vars blank. Not necessary anyway. The point is to create a DN (Distinguished Name).

cd /etc/openvpn/easy-rsa/2.0/
 . /etc/openvpn/easy-rsa/2.0/clean-all
 . /etc/openvpn/easy-rsa/2.0/build-ca
 Organizational Unit Name (eg, section) []:.
 Common Name (eg, your name or your server's hostname) [US.Yearl CA]:.
 Name []:.

5. Generate Certificates and Private Keys

. /etc/openvpn/easy-rsa/2.0/build-key-server yearlus

writing new private key to ‘yearlus.key’ … some questions matching info in /etc/openvpn/easy-rsa/2.0/vars then A challenge password []: MYAWESOMEPASSWORD An optional company name []: US.Yearl


6. Create client certs. In this case the name of two machines on my LAN

. /etc/openvpn/easy-rsa/2.0/build-key huitzil
. /etc/openvpn/easy-rsa/2.0/build-key centzon

The same questions as before re building a DN. Hmm. I’m going to run with the server settings for huitzil (except for email: that will be that machine’s owner) and something different for centzon and see which one (or both) are valid. The doco is unclear on how the client DN should be constructed may have answered own question as Common Name (eg, your name or your server's hostname) {huitzil}:


7. Generate Diffie Hellman Parameters

DH parms govern the method of key exchange and authentication used by the OpenVPN server. Generate these: . /etc/openvpn/easy-rsa/2.0/build-dh


8. Relocate Secure Keys

/etc/openvpn/easy-rsa/2.0/keys/ directory contains all of the keys generated by easy-rsa tools. In order to authenticate to the VPN, you’ll need to copy a number of certificate and key files to the remote client machines. They are: ca.crt client1.crt client1.key

# cp -r /etc/openvpn/easy-rsa/2.0/keys /home/sjy2/openvpn_keys
# chown -R sjy2 /home/sjy2/openvpn_keys

Then SFTP, and delete the non-root keys in the user dir. SCP would have been easier direct from the src dir, but neither endpoint was readily accessible. Root login is additionally prevented on the server (see XXX), hence he need to temporarily transfer ownership. Keys and certificates for the server then to /etc/openvpn so OpenVPN server process can access them.

$cd /etc/openvpn/easy-rsa/2.0/keys 
$cp ca.crt ca.key dh1024.pem yearlus.crt yearlus.key /etc/openvpn

9. Configuring the VPN

Example config in There is an example file in /usr/share/doc/openvpn/examples/sample-config-files

$cd /usr/share/doc/openvpn/examples/sample-config-files
$gunzip -d server.conf.gz
$cp server.conf /etc/openvpn/
$mv /etc/openvpn/server.conf /etc/vpn/yearlus.conf
$cp client.conf ~/
$cd ~/
$nano client.conf
# The hostname/IP and port of the server. 
# You can have multiple remote entries 
# to load balance between the servers. 
remote 178.17.41.223 1194
$nano yearlus.conf
# Any X509 key management system can be used. 
# OpenVPN can also use a PKCS 
#12 formatted key file 
# (see "pkcs12" directive in man page). ca ca.crt cert yearlus.crt key yearlus.key 
# This file should be kept secret 

10. start the VPN server

generally use “/etc/init.d/openvpn start”, but this is my first outing so let me be verbose:

$./usr/sbin/openvpn --config /etc/openvpn/yearlus.conf 
 OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 21 2010
 .
 .
 .
 Wed Feb 29 23:01:08 2012 Initialization Sequence Completed

Boomshaka! Copy over a client.conf to /etc/openvpn, start server as daemon

# cp ~/centzon.conf /etc/openvpn
# /etc/init.d/openvpn start
Starting virtual private network daemon: centzon yearlus failed!

Hmmm. Problem with the client, centzon.conf? No. I’m a doofus… hunt and kill the previous PID. then:

#cp ~/centzon.conf /etc/openvpn
#/etc/init.d/openvpn start
 Starting virtual private network daemon: centzon huitzil yearlus.

Now over to a Mac client. So install http://code.google.com/p/tunnelblick/ and fire her up. Asking whether to “open a private configurations folder” or “create tunnelblick VPN Configuration”. Not sure. somewhat randomly chose the former. copy client .crt and .key to tunnelbrick’s config. dir: /Users/sjy2/Library/Application\ Support/Tunnelblick/Configurations and last pic. Boomshaka! Not thoroughly happy as the connection is reset every 231s or so… that may be a DNS issue? That’s not the point right now. Also pretty sure the server keys should not have left the server. Also, it would be nice to generate a .tblk file for ease of distribution.


11. So, almost there.

Now to route/tunnel incoming connections through the VPN…

nano /etc/openvpn/yearlus.conf

uncomment: push “redirect-gateway def1 bypass-dhcp”

Now edit /etc/sysctl.conf (Configuration file for setting system variables) adding the following line to ensure that your system is able to forward IPv4/6 traffic:

nano /etc/sysctl.conf

net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1


Followed largely from [http://library.linode.com/networking/openvpn/debian-6-squeeze#sph_install-openvpn](Followed largely from http://library.linode.com/networking/openvpn/debian-6-squeeze#sph_install-openvpn.)