OpenVPN (http://openvpn.net) is a fully-featured SSL VPN solution.
OpenVPN can be used to provide secure remote access to field workers, can provide site-to-site VPN links or can be used to secure a private wireless network: if you can think of an application for a VPN solution, OpenVPN can probably accommodate it.
The OpenVPN server software can be installed on Linux, Windows (2000 or later), Solaris or MacOS and there are clients available for an even wider range of platforms, including Windows Mobile.
In this article I shall describe how to install a VPN server and configure secure access to your private network from the Internet. This article is not necessarily reserved for IT admin staff: anyone who has a networked storage device at home and would like the ability to access their files while out and about – this is for you.
For those of you who are more comfortable with a Windows environment, there is an excellent article on The Register describing how to install OpenVPN for Windows (http://www.theregister.co.uk/2008/09/01/openvpn_primer/). That article describes how to use OpenVPN to remotely access your corporate Internet connection.
I shall install and configure the server-side on the free Linux distribution CentOS (http://www.centos.org), version 4.7, and configure it to allow remote access to local network resources (file servers, intranet, etc).
Requirements
Before you install the server, it is important to consider how you intend to configure routing between your internal network and the outside world, and also the addressing scheme to use.
For your VPN solution to work, the client will need to recognise the remote resource being requested as residing on a network ‘behind’ the VPN server.
The vast majority of public WiFi services (and potentially cellular mobile network operators) will assign connected clients an address from the RFC 1918 private ranges: 10.0.0.0/8 (10.x.x.x), 172.16.0.0/12 (172.16.x.x to 172.31.x.x) or 192.168.0.0/16 (192.168.x.x), the addresses reserved for ‘internal’ networks.
Therefore, if you have connected to a public WiFi service and have been assigned an address of, say, 192.168.0.42, you may be able to connect to your VPN server, but if you then request a connection to a server on the remote network with an address of 192.168.0.10 the client device will not know to route the request over the VPN link but will look for it on the local network.
Your internal network should therefore use an addressing scheme that is suitably unlikely to be in use elsewhere. 192.168.0.0/24 and 192.168.1.0/24 are the worst choices, being the factory defaults of most home routers and therefore of most coffee-shop hotspots.
Once connected, the VPN client will be assigned an IP address on the remote network. Similarly, in order for the remote resource to be able to reply to requests from the VPN client, the address used by the client also needs to be ‘behind’ the VPN server so that local network resources know to route responses accordingly.
The necessary routes will need to be added to the local network resources: either each machine will need a route added to it to direct requests to the VPN network to the IP address of the OpenVPN server, or (preferably) add a route on the default gateway of the internal network.
The OpenVPN documentation suggests a network in the middle of the 10.x.x.x address block, such as 10.66.77.0/24 (so your VPN server might have an address of 10.66.77.1 with a subnet mask of 255.255.255.0).
For your VPN server to be accessible from the Internet, it will need a ‘routable’, or ‘real-world’ IP address. The majority of home broadband providers do not provide this unfortunately, so you may need to check with your provider what options are available. The external address of your server does not necessarily need to be ‘fixed’, but it will need to be routable. If you have a dynamic address, then you can create a free account with DynDNS (http://www.dyndns.org) which will enable you to connect to a ‘friendly name’ from your client device without having to worry about what the IP address might be at any given time.
In this example, my OpenVPN server will have a fixed external IP address. I shall be using an internal addressing scheme of 10.66.77.0/24 and I shall use a separate network range for the VPN: 10.66.78.0/24. The OpenVPN server will issue addresses to clients automatically from its own address pool in this range (this is done inside the OpenVPN protocol, not by a DHCP server on your network).
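The addressing rule set out above (LAN, VPN pool and the client's own network must not overlap) is worth checking mechanically before you commit to subnets. The script below is an added example, not part of the original article; it assumes the three ranges are written in CIDR form, for instance the 10.66.77.0/24 LAN, the 10.66.78.0/24 VPN pool and whatever the hotspot gave the client.

```shell
#!/bin/sh
# Address-plan sanity check for a routed OpenVPN deployment (added example).
# Three ranges must be disjoint: the LAN behind the server, the pool handed
# to VPN clients, and the network the client happens to be sitting on.

ip2int() {
    # dotted quad -> 32-bit integer, e.g. 10.66.77.10 -> 172117258
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

prefix2mask() {
    # prefix length -> netmask as an integer, e.g. 24 -> 0xFFFFFF00
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

cidr_overlaps() {
    # usage: cidr_overlaps A.B.C.D/P W.X.Y.Z/Q
    # exit 0 when the two blocks share at least one address
    a_ip=${1%/*}; a_len=${1#*/}
    b_ip=${2%/*}; b_len=${2#*/}
    # The shorter prefix decides: if both networks agree on those leading
    # bits, the smaller block sits inside the larger one.
    if [ "$a_len" -lt "$b_len" ]; then m=$(prefix2mask "$a_len"); else m=$(prefix2mask "$b_len"); fi
    [ $(( $(ip2int "$a_ip") & m )) -eq $(( $(ip2int "$b_ip") & m )) ]
}

plan_check() {
    # usage: plan_check LAN_CIDR VPN_CIDR CLIENT_LOCAL_CIDR
    # prints every clash; exit 1 if there is any, 0 if the plan is clean
    lan=$1; vpn=$2; client=$3; rc=0
    cidr_overlaps "$lan" "$vpn"    && { echo "CLASH: LAN $lan overlaps VPN pool $vpn"; rc=1; }
    cidr_overlaps "$lan" "$client" && { echo "CLASH: LAN $lan overlaps client network $client (LAN hosts resolve locally, not over the tunnel)"; rc=1; }
    cidr_overlaps "$vpn" "$client" && { echo "CLASH: VPN pool $vpn overlaps client network $client (client cannot reach its own tunnel address)"; rc=1; }
    [ $rc -eq 0 ] && echo "OK: $lan, $vpn and $client are disjoint"
    return $rc
}

# e.g. sh plancheck.sh 10.66.77.0/24 10.66.78.0/24 192.168.0.0/24
if [ $# -eq 3 ]; then plan_check "$@"; fi
```

Run it once per network the client is likely to connect from; a clash against the LAN is the symptom described above, where 192.168.0.10 is looked for on the hotspot instead of over the tunnel.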
Installation
Install a base (minimal) CentOS configuration.
During the installation assign the server an IP address on the local network (10.66.77.10, for example). Configure the default gateway with the internal address of your router (10.66.77.1, for example).
Install the GCC compiler via yum with the following command:
yum install gcc
The LZO compression library is also required. This is available from http://www.oberhumer.com/opensource/lzo/download/
The package will be in .tar.gz format. Extract the contents of the archive with the command:
tar xvfz lzo-x.x.x.tar.gz
now change to the directory created and run:
./configure
make
make install
OpenSSL is also required, including its development headers, since OpenVPN is built from source here. On CentOS the simplest way is to install the openssl and openssl-devel packages with yum; alternatively an rpm can be downloaded from http://rpm2html.osmirror.nl/openssl.html
The package will be in rpm format, install it with the command:
rpm -i openssl-x.x.x.rpm
Download the current OpenVPN installer package from http://openvpn.net
The package will be in .tar.gz format. Extract the contents of the archive with the command:
tar xvfz openvpn-x.x.x.tar.gz
now change to the directory created and run:
./configure
make
make install
OpenVPN is now installed and must be configured.
Generate Master Certificate Authority (CA) key
Within the extracted OpenVPN source directory, switch to the easy-rsa directory (easy-rsa/2.0 in newer releases).
Edit the ‘vars’ file.
Scroll down and update the contents of the following fields:
KEY_COUNTRY (eg GB)
KEY_PROVINCE (eg Dorset)
KEY_CITY (eg Poole)
KEY_ORG (eg MyCompany)
KEY_EMAIL (eg root@mydomain.com)
Save the file.
Make the file executable with using chmod:
chmod 755 vars
Now run the following commands:
. ./vars
./clean-all
./build-ca
Only vars is sourced (the leading ‘.’ followed by a space); clean-all and build-ca are run as ordinary scripts, in the same shell session so that the exported KEY_* values are visible to them. Be aware that clean-all wipes the keys directory, so run it only when starting a fresh CA.
You will be prompted to enter the details for the CA certificate, but having edited the vars file you should be able to press Enter and have each default value accepted. The one field without a default is the Common Name; for the CA use a label such as ‘MyCompany CA’ rather than ‘server’, so that it is not confused with the server certificate created next.
Once complete the following files will have been created in a new directory called ‘keys’:
ca.crt
ca.key
Generate OpenVPN server key
Having created the root certificate for the certificate authority, we must now create a key and certificate for the OpenVPN server itself. Run the command
./build-key-server server
Again most of the fields will be completed for you, simply press Enter when prompted. For the Common Name enter ‘server’. At the end answer ‘y’ to both ‘Sign the certificate?’ and ‘commit?’. The build-key-server script marks the certificate as a server certificate (nsCertType/extendedKeyUsage server extensions), which is what allows a client to be told to accept only a genuine server certificate and not another client's.
In the keys directory the following files will have been created:
server.crt
server.csr
server.key
Generate OpenVPN client key
Now we need to generate a key and certificate for the client. Issue the following command:
./build-key client1
When prompted for the Common Name, simply enter ‘client1’. Repeat this process for as many clients as you require, giving each a unique Common Name (client2, client3 and so on): the server identifies clients by it and will refuse a second simultaneous connection with the same name unless duplicate-cn is set. Issue one certificate per device rather than sharing one, because a shared certificate cannot be revoked for a single lost device. Each client needs only ca.crt plus its own .crt and .key; the .key file is the credential, so copy it to the device over a trusted channel, and never distribute ca.key. If a device is lost, ./revoke-full client1 produces keys/crl.pem, which the server enforces once ‘crl-verify crl.pem’ is added to server.conf.
Configure Diffie-Hellman key exchange
Now run the command:
./build-dh
This generates the Diffie-Hellman parameters automatically and creates a file named ‘dh1024.pem’ in the keys directory, where 1024 is the KEY_SIZE set in the vars file. 1024-bit parameters (and the 1024-bit RSA keys that KEY_SIZE also governs) are no longer considered adequate: set KEY_SIZE=2048 in vars before running clean-all and build-ca, in which case the file is named ‘dh2048.pem’ and the dh line in server.conf must refer to it.
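For readers who want to see what the easy-rsa scripts above actually do, or who do not have them to hand, the following is an added example, not code from the article or from the OpenVPN project, that produces the same set of files with the openssl command-line tool: a self-signed CA, a server certificate carrying the serverAuth extended key usage, a client certificate with clientAuth only, and Diffie-Hellman parameters. The subject fields mirror the KEY_* values above; the CA name, the 3650-day validity and the 2048-bit sizes are assumptions. Usage: sh mkpki.sh /etc/openvpn/keys (a second argument of 0 skips the slow DH step).

```shell
#!/bin/sh
# Builds the artefacts easy-rsa's build-ca / build-key-server / build-key /
# build-dh produce, using the openssl CLI directly (added example).
set -e

# Subject fields mirroring KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG in vars
SUBJ_BASE="/C=GB/ST=Dorset/L=Poole/O=MyCompany"

_sign() {
    # usage: _sign DIR NAME CN EKU
    # generate a 2048-bit key and CSR for NAME, then sign it with the CA in DIR
    dir=$1; name=$2; cn=$3; eku=$4
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "$SUBJ_BASE/CN=$cn" 2>/dev/null
    # The EKU is what distinguishes server from client certificates: a client
    # configured with remote-cert-tls server refuses anything lacking serverAuth,
    # so a stolen client certificate cannot be used to impersonate the server.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -out "$dir/$name.crt" -extfile "$dir/$name.ext" 2>/dev/null
    chmod 600 "$dir/$name.key"
}

make_pki() {
    # usage: make_pki DIR [DH_BITS]   (DH_BITS=0 skips dhparam, which is slow)
    dir=$1; dh_bits=${2:-2048}
    mkdir -p "$dir"; chmod 700 "$dir"
    # Self-signed CA, the equivalent of build-ca; give it its own CN, not "server"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "$SUBJ_BASE/CN=MyCompany VPN CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
        -out "$dir/ca.crt" -extfile "$dir/ca.ext" 2>/dev/null
    chmod 600 "$dir/ca.key"                       # ca.key never leaves this machine
    _sign "$dir" server  server  serverAuth       # build-key-server server
    _sign "$dir" client1 client1 clientAuth       # build-key client1
    if [ "$dh_bits" -gt 0 ]; then                 # build-dh
        openssl dhparam -out "$dir/dh$dh_bits.pem" "$dh_bits" 2>/dev/null
    fi
    rm -f "$dir"/*.csr "$dir"/*.ext
}

check_pki() {
    # usage: check_pki DIR
    # exit 0 only if both certificates chain to the CA and carry the right EKU
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client1.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt"  -noout -text | grep -q 'TLS Web Server Authentication' || return 1
    openssl x509 -in "$dir/client1.crt" -noout -text | grep -q 'TLS Web Client Authentication' || return 1
    # a client certificate must never be acceptable as a server certificate
    if openssl x509 -in "$dir/client1.crt" -noout -text | grep -q 'TLS Web Server Authentication'; then
        return 1
    fi
}

if [ $# -ge 1 ]; then
    make_pki "$@"
    check_pki "$1" && echo "PKI in $1 verified"
fi
```

The output directory then holds ca.crt, ca.key, server.crt, server.key, client1.crt, client1.key and dh2048.pem, the same names the rest of the article refers to (dh1024.pem in the original text). Only ca.crt and the client's own pair are ever copied off the server.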
Configure Server
The default server configuration file now needs to be updated with the specific details of your network. An example server configuration file lives in sample-config-files/server.conf within the extracted OpenVPN source tree. Copy it to a working directory (/etc/openvpn is the conventional location and is where the supplied init script looks for .conf files) alongside the keys directory.
Edit the file.
Locate the line beginning ‘port 1194’
Here you can specify which port the server will listen for connections on. The default is 1194 but this can be changed to any port you want. It is important that whatever port you choose, any firewalls that the VPN server sits behind are configured to allow this port through to the server from the Internet.
You can also specify the protocol used (UDP or TCP). The default is UDP, which is the better choice for a VPN; use TCP only where UDP is blocked on the networks you connect from.
Scroll down and locate the section beginning:
ca ca.crt
cert server.crt
key server.key
Specify the location of the server and ca key files (if not in the same directory as the conf file)
Scroll down and locate the line beginning ‘dh dh1024.pem’
Specify the location of the Diffie Hellman config file (if not in the same directory as the conf file)
Scroll down and locate the line beginning ‘server ’, which defines the VPN subnet and mask from which OpenVPN hands out client addresses.
Replace the sample value with your own (server 10.66.78.0 255.255.255.0 in my example). The server itself takes the first address in the range, 10.66.78.1.
Scroll down and locate the section beginning ‘;push "route 192.168.10.0 255.255.255.0"’.
Any routes that you wish to be pushed down to connected client devices are configured here (remove the ‘;’ character at the beginning of a line to make it active). In my example I add an entry that pushes a route for the 10.66.77.0 255.255.255.0 network to the client, so that traffic for the internal network is sent over the tunnel.
Scroll down and uncomment the lines ‘user nobody’ and ‘group nobody’ so that the OpenVPN daemon drops root privileges once it has started. Keep ‘persist-key’ and ‘persist-tun’ enabled alongside them (they are in the sample file): without them the unprivileged daemon cannot re-read its key or reopen the tun device on a restart.
Once complete save the file.
NOTE – there are also options within the server.conf file (the commented-out push "dhcp-option DNS ..." and push "dhcp-option WINS ..." lines) to define DNS and WINS server settings that are pushed to the client device when it connects. If you are running a DNS server on your local network then this is advisable, as it allows you to connect to ‘friendly names’ directly from the client; otherwise you will need to know the IP addresses of all local resources you want to access. Windows clients apply pushed DNS settings automatically; Linux and Mac clients need a helper script to update their resolver configuration.
NOTE – if there are further networks that sit behind the VPN server other than the network that it sits on (such as a DMZ environment), then the necessary routes will also need to be defined to be pushed to the client. More information on this is available on the OpenVPN web site.
Start the OpenVPN server
Start the server in the foreground with the command:
openvpn server.conf
Watch the output for the line ‘Initialization Sequence Completed’, which confirms the configuration and key files were accepted. Once it works, run it as a service instead: the source tree ships an init script in sample-scripts/openvpn.init that starts every .conf file found in /etc/openvpn at boot.
Configure routing
On the internal router (preferably), or on each host separately if there is no router you control, add a route that directs traffic for the 10.66.78.0/24 VPN network to the LAN address of the OpenVPN server. On a Linux host the command is:
route add -net 10.66.78.0 netmask 255.255.255.0 gw 10.66.77.10
On a Mac or other BSD host the equivalent is:
route add -net 10.66.78.0 -netmask 255.255.255.0 10.66.77.10
Two further things are needed on the OpenVPN server itself before clients can reach the LAN: IP forwarding must be switched on (the net.ipv4.ip_forward sysctl, which CentOS leaves at 0 by default), and its firewall must accept UDP port 1194 from the Internet and allow traffic to pass between the tun interface and the LAN interface.
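Putting the server-side steps together, the script below is an added example, not the article's own code. It writes the server.conf described in the configuration section from a few variables, checks it before the daemon is started (all referenced key files present, server.key not readable by group or others, the pushed route distinct from the VPN subnet, privilege drop configured) and then performs the two host-level steps the routing section calls for: enabling IP forwarding and opening the firewall. It assumes the keys live in /etc/openvpn/keys, that KEY_SIZE was 2048 so the DH file is dh2048.pem (substitute dh1024.pem otherwise), and that the LAN interface is eth0; run it as root on the server with the single argument apply.

```shell
#!/bin/sh
# Server-side bring-up for the routed OpenVPN setup described above (added example).

write_server_conf() {
    # usage: write_server_conf OUT KEYDIR VPN_NET VPN_MASK LAN_NET LAN_MASK [DNS_IP]
    out=$1; keydir=$2; vpn_net=$3; vpn_mask=$4; lan_net=$5; lan_mask=$6; dns=${7:-}
    cat > "$out" <<EOF
port 1194
proto udp
dev tun
ca $keydir/ca.crt
cert $keydir/server.crt
key $keydir/server.key
dh $keydir/dh2048.pem
server $vpn_net $vpn_mask
ifconfig-pool-persist ipp.txt
push "route $lan_net $lan_mask"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
    # optional: hand clients an internal resolver so LAN hostnames work over the tunnel
    [ -n "$dns" ] && echo "push \"dhcp-option DNS $dns\"" >> "$out"
    return 0
}

check_server_conf() {
    # usage: check_server_conf CONF   -- exit 0 only if the file is safe to start with
    conf=$1; rc=0
    for directive in ca cert key dh; do
        f=$(awk -v d="$directive" '$1==d {print $2}' "$conf")
        [ -r "$f" ] || { echo "missing $directive file: $f"; rc=1; }
    done
    # the server key must be readable by root only (chmod 600)
    keyfile=$(awk '$1=="key" {print $2}' "$conf")
    [ "$(ls -l "$keyfile" 2>/dev/null | cut -c5-10)" = "------" ] \
        || { echo "$keyfile is readable by group/other"; rc=1; }
    # pushing the VPN subnet itself as a route is a sign the two ranges were confused
    vpn=$(awk '$1=="server" {print $2}' "$conf")
    lan=$(awk '$1=="push" && $2=="\"route" {print $3}' "$conf")
    [ "$vpn" != "$lan" ] || { echo "pushed route $lan equals the VPN subnet"; rc=1; }
    grep -q '^user nobody' "$conf" && grep -q '^group nobody' "$conf" \
        || { echo "daemon would keep root privileges after startup"; rc=1; }
    return $rc
}

prepare_host() {
    # usage: prepare_host LAN_IF PORT   -- run as root on the OpenVPN server
    lan_if=$1; port=$2
    sysctl -w net.ipv4.ip_forward=1                       # off by default on CentOS
    grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf \
        || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf   # edit by hand if already present as 0
    iptables -A INPUT   -p udp --dport "$port" -j ACCEPT   # clients reaching the daemon
    iptables -A FORWARD -i tun0 -o "$lan_if" -j ACCEPT     # VPN clients into the LAN
    iptables -A FORWARD -i "$lan_if" -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT  # replies only
}

if [ "${1:-}" = "apply" ]; then
    write_server_conf /etc/openvpn/server.conf /etc/openvpn/keys \
        10.66.78.0 255.255.255.0 10.66.77.0 255.255.255.0
    check_server_conf /etc/openvpn/server.conf && prepare_host eth0 1194
fi
```

The FORWARD rules are deliberately asymmetric: VPN clients may open connections into the LAN, but LAN hosts only get replies back through the tunnel, which matches the remote-access use case described here. Loosen it if you need site-to-site traffic in both directions.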
On a Netgear router, static routes are defined in the Advanced --> Static Routes section:

Configure the Windows Client
The OpenVPN client for Windows can be downloaded from http://openvpn.se/download.html
Be sure to choose the GUI and TAP driver package rather than just the GUI. The TAP driver is required to install the virtual network adapter.
Once installed, browse to C:\Program Files\OpenVPN. There are sample configuration files in the ‘sample-config’ directory. Copy the file ‘client.ovpn’ to the ‘config’ directory and then edit it with Notepad.
Enter the external name or IP address of the VPN server. An entry has been made for ‘remote my-server1 1194’. Replace my-server1 with the details of your server. If you specified an alternate port to use other than 1194 when configuring the server, substitute this here also. Change the ‘cert’ and ‘key’ lines to name this client's files (client1.crt and client1.key). Finally, uncomment ‘ns-cert-type server’ (‘remote-cert-tls server’ on OpenVPN 2.1 and later): this makes the client accept only a certificate created with build-key-server, so that another client certificate issued by your CA cannot be used to impersonate the server.
Copy the following files from the server's keys directory into the client's ‘config’ directory, using a trusted channel such as scp or a USB stick rather than unencrypted e-mail (client1.key is the credential that admits this device to your network):
ca.crt
client1.crt
client1.key
Only ca.crt, never ca.key, leaves the server.
The OpenVPN connection can be initiated by right clicking on the system tray icon and selecting Connect:

If all has gone well, you should be successfully connected and your local IP address will be displayed. You can now verify the connection by attempting to ping the local address of a resource on the remote network.
Configure the Mac Client
The setup procedure on the Mac is a slightly more manual process. There are commercial clients that bundle everything required, such as Viscosity (http://www.viscosityvpn.com/), but with a little effort you can do it for free.
Firstly, install the XCode tools from the Apple OS DVD, if not installed already. These are required as they contain the GCC compiler which is required to install some of the prerequisite packages.
Next, you need to install a TUNTAP driver for the virtual network adapter, such as this one:
http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
This package is an .mpkg file; simply run it and follow the on-screen instructions.
Next download and install Fink from http://www.finkproject.org/ (Fink provides similar functionality to yum on Linux systems).
Once Fink has been installed, open a Terminal window and enter the following command:
fink install openssl097 openssl097-dev openssl097-shlibs
This will download and install the necessary OpenSSL libraries onto the Mac.
Download the LZO Compression library from http://www.oberhumer.com/opensource/lzo/download/
This will come down as an archive file. Extract the contents of the file, then open a Terminal window and change directory to the location of the extracted files. Run the following commands:
./configure --enable-shared
make
make test
sudo make install
Download the current version of OpenVPN from http://openvpn.net
Again this will be an archive file. Extract the contents of the file, then open a Terminal window and change directory to the location of the extracted files. Run the following commands:
./configure --with-ssl-lib=/sw/include/ --with-ssl-headers=/sw/include/ --with-lzo-lib=/usr/local/lib/ --with-lzo-headers=/usr/local/lib/
make
sudo make install
Now create a directory for OpenVPN:
sudo mkdir /etc/openvpn
Copy the CA certificate and this client's certificate and key into this directory (transfer them over a trusted channel, and make the key readable by root only with chmod 600):
ca.crt
client1.crt
client1.key
Now create an openvpn.conf text file containing the following:
client
dev tun0
proto udp
remote (server address) 1194
resolv-retry infinite
user nobody
group nobody
persist-key
persist-tun
mute-replay-warnings
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client1.crt
key /etc/openvpn/client1.key
comp-lzo
verb 3
mute 20
(where (server address) is to be substituted with the external name or IP address of the VPN server). As with the Windows client, adding ‘ns-cert-type server’ (‘remote-cert-tls server’ on OpenVPN 2.1 and later) is advisable, so that only a certificate made with build-key-server is accepted as the server.
Save the file to the /etc/openvpn directory
To initiate the connection, issue the following command:
sudo /usr/local/sbin/openvpn --config /etc/openvpn/openvpn.conf
There is a free GUI for OpenVPN, Tunnelblick, that lets you initiate connections from the menu bar without typing the above command into Terminal every time. It is hosted on Google Code: http://code.google.com/p/tunnelblick/
Once installed, Tunnelblick adds an icon to the menu bar, shaped like a tunnel:

To configure Tunnelblick, simply click on Details and then ‘Edit Configuration’. Paste in the same script that you created above.
Configure the Pocket PC client
The Pocket PC client for the Windows Mobile platform can be downloaded from here - http://ovpnppc.ziggurat29.com/ovpnppc-files.htm
The client can be downloaded either as an executable package that must be installed onto the PDA from a PC via ActiveSync, or as a CAB file package that can be installed on the device locally.
Once installed, an icon for the client will be added to the Today screen and also to the Programs folder:

In order to configure the client, the required certificate and key files must be copied to the PDA as with the previous clients, into the \Program Files\OpenVPN\Config directory:
ca.crt
client1.crt
client1.key
However, once on the device the .crt files must be renamed with a .pem extension, giving:
ca.pem
client1.pem
client1.key
In the Config directory on the PDA will be a file named ‘sample.ovpn’. Copy this file and rename it to the name you want the configuration to appear under within the client.
The easiest way to do this is to copy the file to your PC, edit it, then copy it back again.
Enter the following text into the file (substituting (server address) with the external name or IP address of the VPN server):
client
dev tap
proto udp
remote (server address) 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca "\\Program Files\\OpenVPN\\Config\\ca.pem"
cert "\\Program Files\\OpenVPN\\Config\\client1.pem"
key "\\Program Files\\OpenVPN\\Config\\client1.key"
comp-lzo
verb 3
mute 20
Once the configuration file has been saved to the PDA, it will be listed as an available connection within the OpenVPN client on the Today screen:

If desired, within the Settings of the client it is possible to specify which Internet connection the OpenVPN client should use to initiate the connection to the OpenVPN server:
