User Guide - OpenVPN (Virtual Private Network)
- 28/07/2006 8:52 PM
Applicable plans: All Advanced VPS, all Premier VPS plans, all Dedicated VPS plans
User Guide - OpenVPN
OpenVPN is a free and open source virtual private network (VPN) program for creating point-to-point or server-to-multiclient encrypted tunnels between host computers. - from http://en.wikipedia.org/wiki/OpenVPNOverview
The eApps OpenVPN service will allow you to establish a secure point to point connection between your local computer and your eApps VPS. This will allow you to securely access shared folders, create secured access to a web application, or encrypt e-mail sent back and forth to users on your domain. Your local computer will the client, and your eApps VPS will be the server.The OpenVPN service creates a secure and encrypted point to point connection from your local computer to your eApps VPS. The OpenVPN service cannot be used to connect from your local computer to your VPS and then on to the Internet - this connection cannot be used as a gateway or router. The connection is point to point only.
OpenVPN is only available on the Advanced, Premier and Dedicated plans. OpenVPN is not available on the Standard plans.
To see what plan you are on, click on the My Account tab in the Control Panel. Then, click on Subscriptions. The plan for the VPS is shown in the Hosting Plan column.
To upgrade your plan, click on the Upgrade Center tab in the Control Panel, then click on Change Hosting Plan. Your current plan will be in bold, and you can choose your new plan from the list. Follow the prompts to continue and upgrade the plan. If you have questions on this, contact our Billing Department.
Installing OpenVPN
Installing the OpenVPN software
Connecting to the OpenVPN service
Creating additional OpenVPN client keys
Adding the Internal Address to your DNS Zone
Using the OpenVPN Service
Links to other information
Installing OpenVPN
To install OpenVPN, login to the Control Panel, and click on the System Tab. If necessary, click the Select Another System (Subscription) link on the left and choose the correct Virtuozzo container.Go to Applications, and click on the Add Application link, Select the box next to OpenVPN, and then scroll down and click the Next button.
OpenVPN requires a $50 one time setup fee, so you will be taken to a screen to approve the order. There is no ongoing service fee to use OpenVPN.
Once the order is processed, you will be sent a questionnaire asking for the information needed to set up your first set of OpenVPN keys. Until you reply to that questionnaire, no work can be done on your OpenVPN setup.
As part of the setup fee, the OpenVPN service is configured on your VPS, and one set of client keys is created using the information provided in the questionnaire. Instructions on how to create more keys are included in this User Guide.
eApps Support will try to set up your OpenVPN and create the first set of keys as soon as possible, but it may take 24 to 48 hours to complete. The setup is done only as technicians are available to do the work.
The OpenVPN keys which will be sent to you will have been tested using your OpenVPN service. Verifying that the keys and the OpenVPN service are working as expected is essentially the limit of our support. While we will make every effort to assist you with connecting to your OpenVPN service, it is impossible for us to replicate every type of computer and networking setup. You may need to do some troubleshooting and computer or network configuration to be able to fully use the OpenVPN service. |
Installing the OpenVPN software
Once the OpenVPN is setup and the keys created, they will be tested and e-mailed to you. The keys will be compressed in tar or tar.gz format. For Windows, an application like WinRAR - http://www.rarlab.com/ (which has a free evaluation copy available) will extract the files.The OpenVPN software can be downloaded from here - http://openvpn.net/index.php/open-source/downloads.html. Most customers will want to download the latest version of the Windows Installer.
Install the OpenVPN software. The default location for the installation is C:\Program Files\OpenVPN. You can choose another location, but you will need to edit the OpenVPN configuration file to match that location.
Extract or copy the files from the key to the location where OpenVPN is installed. There will be four files:
client.crt
client.key
client.ovpn
ca.crt
client.key
client.ovpn
ca.crt
where "client" is the name you gave in the questionnaire for "CLIENT= (the desired one word name of the first client for your VPN)".
If the location of the OpenVPN software is not C:\Program Files\OpenVPN, the client.ovpn file will have to be edited, changing these lines to match your specific configuration:
cert C:\\Program\ Files\\OpenVPN\\client.crt
key C:\\Program\ Files\\OpenVPN\\client.key
ca C:\\Program\ Files\\OpenVPN\\ca.crt
Connecting to the OpenVPN service
Once the OpenVPN software is installed and the keys extracted to the correct location, you can then connect to the OpenVPN server. To do this, right click on the client.ovpn file, and then click on "Start OpenVPN on this config file". This should be the second menu option, just below Open.This should open a DOS window, which will scroll with quite a few status updates. When the window stops scrolling, there will be a few lines that let you know that you are now connected to the OpenVPN service. At this point, the tunnel is up, and you should be able to ping the eApps VPS over the VPN tunnel.
The last three lines - route ADD, Route addition and Initialization Sequence, show that the VPN tunnel is connected. On the route ADD line is the IP address of the VPN tunnel (10.8.0.1) and the IP address of the local workstation on the VPN network (10.8.0.5).
If there are any error messages, please make careful note of what they say. You should then be able to search online for more information and a resolution. If you need to submit a support ticket, please include the errors in the ticket.
Once the OpenVPN tunnel is up, you can now begin to use the service. Please see the Using the OpenVPN Service section of this User Guide for more information.
Creating additional OpenVPN client keys
The setup fee for your OpenVPN service includes one set of client keys. If you need additional keys, you can either make them yourself using the following instructions, or have eApps make them for you, at a cost of $10 per set. If you need a large number of keys, please contact our Sales department who can provide a quote for this service.You cannot share one set of keys between multiple users. If two people are using the same keys, then the first person to connect will get bumped from the VPN tunnel when the second person connects with the same keys. If the first person tried to reconnect, they will bump the second user off the VPN tunnel, etc. |
To create the new client keys, you will need to be able to access and work from the Windows command prompt. Please see the documentation that came with your version of Windows if you need assistance in accessing this function.
Creating new OpenVPN client keys
To create the new keys, you will need three files, one of which is normally not distributed with the standard client key setup:ca.crt
client.opvn
ca.key
client.opvn
ca.key
The ca.key file is not part of the standard files sent with the original OpenVPN key setup. If you have access to the VPS via SSH or SFTP, you can retrieve the file from /etc/openvpn/keys Please note that you cannot access this directory with FTP.
If you cannot access the VPS using SSH or SFTP, send a ticket to eApps Support. The request must come from an authorized contact on the account, for security reasons. Once the request is received, the ca.key file will be sent to you as an attachment to the ticket.
Once all the files are in place, do the following from the DOS prompt.
Change directories to the OpenVPN\easy-rsa directory, and issue the init-config command.
Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\Administrator>cd C:\Program Files\OpenVPN\easy-rsa C:\Program Files\OpenVPN\easy-rsa>init-config C:\Program Files\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat 1 file(s) copied. C:\Program Files\OpenVPN\easy-rsa>copy openssl.cnf.sample openssl.cnf 1 file(s) copied. C:\Program Files\OpenVPN\easy-rsa> |
Edit the vars.bat file using either the DOS Editor, or with a plain text editor such as Wordpad or Notepad. Do not use a word processor such as Microsoft Word. Only use a plain text editor.
Using the information from the original client keys, change the following lines. If you need to see the correct values again, double click on the ca.crt file, and then on the Details tab. Then click on the Issuer line.
In the ca.crt file, these are how the values correlate to the values in vars.bat:
E = KEY_EMAIL
O = KEY_ORG
L = KEY_CITY
S = KEY_PROVINCE
C = KEY_COUNTRY
Change these lines in the vars.bat file to match the values in the ca.crt file. The values must match - otherwise the new keys will not be able to connect to the VPN service.
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=FortFunston
set KEY_EMAIL=mail@host.domain
Once you have made the changes in vars.bat, save and exit the file.
Running the init-config command and editing the vars.bat file only has to be done the very first time you create a new client key. For any new keys, start at the steps below. |
Continue from the DOS prompt. In this example, a key called new_client will be created. The information for the new_client key will be from the values entered in the vars.bat file, but you will need to enter the Common Name as the name of the new client you are creating.
C:\PROGRA~1\OpenVPN\easy-rsa>vars C:\PROGRA~1\OpenVPN\easy-rsa>clean-all 1 file(s) copied. 1 file(s) copied. |
This creates a new directory of C:\Program Files\OpenVPN\easy-rsa\keys. Copy the ca.crt and ca.key files into this directory.
Run the vars command again, and then the build-key.bat command with the new key name as the argument.
Most of the values will already be populated from the information from the vars file. Just press return to continue for those values. For the Organizational Unit Name, enter a period (.) and press return.
C:\Program Files\OpenVPN\easy-rsa>vars C:\Program Files\OpenVPN\easy-rsa>build-key.bat new_client Loading 'screen' into random state - done Generating a 1024 bit RSA private key ...............................++++++ ....................++++++ writing new private key to 'keys\new_client.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: State or Province Name (full name) [GA]: Locality Name (eg, city) [Atlanta]: Organization Name (eg, company) [eApps-Example]: Organizational Unit Name (eg, section) []:. (enter a period (.) press return) Common Name (eg, your name or your server's hostname) []:new_client Email Address [user@eapps-example.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:(press return here) An optional company name [](press return here): Using configuration from openssl.cnf Loading 'screen' into random state - done Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'GA' localityName :PRINTABLE:'Atlanta' organizationName :PRINTABLE:'eApps-Example' commonName :T61STRING:'new_client' emailAddress :IA5STRING:'user@eapps-example.com' Certificate is to be certified until Feb 23 19:11:23 2020 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated C:\Program Files\OpenVPN\easy-rsa> |
This creates a new_client.crt and new_client.key file in the keys directory.
Create a new directory for these files in the main OpenVPN directory. For this example, the directory of C:\Program Files\OpenVPN\new_client was created. Copy the new_client.crt and new_client.key into this directory, and then copy the ca.crt file and client.ovpn file from the original set of client keys into that directory.
Rename the client.ovpn file to match the new keys you have just created. In this example, it would be renamed new_client.ovpn.
Edit the new_client.ovpn file with the same plain text editor you used edit the vars.bat file. so that it looks in the correct location for the new keys. In the original ovpn file, the lines will look like this:
cert C:\\Program\ Files\\OpenVPN\\client.crt
key C:\\Program\ Files\\OpenVPN\\client.key
ca C:\\Program\ Files\\OpenVPN\\ca.crt
Change those to point to the new directory and new file names:
cert C:\\Program\ Files\\OpenVPN\\new_client\\new_client.crt
key C:\\Program\ Files\\OpenVPN\\new_client\\new_client.key
ca C:\\Program\ Files\\OpenVPN\\new_client\\ca.crt
Now you should be able to right click on the new_client.ovpn file and select "Start OpenVPN on this config file". This should open a DOS window, which will scroll with quite a few status updates. When the window stops scrolling, there will be a few lines that let you know that you are now connected to the OpenVPN service. At this point, the tunnel is up, and you should be able to ping your eApps VPS over the VPN tunnel. See the Connecting to the OpenVPN Service section of this User Guide for more information.
If this connection was successful, you can then distribute the folder containing the four files to the user who needs them. They will need to install OpenVPN on their own computer, and move the files into that folder. They will also need to edit the new_client.ovpn file to point to the correct location of the ca.crt, new_client.key and new_client.crt files if they are moved from their original location.
Never distribute the ca.key file. It should be kept secret for security reasons.
Adding the OpenVPN Internal Address to your DNS Zone
OpenVPN creates a connection over what is referred to as a private or internal IP address, also called a non-routable IP address. This means that the IP address assigned to the OpenVPN connection - 10.8.0.1 - is not accessible outside of the actual OpenVPN tunnel. The OpenVPN service creates a point to point connection.This also means that you cannot use the VPS or site hostname for the OpenVPN connection, meaning that you have to use the IP address of 10.8.0.1 instead.
However, it is possible to set up a DNS name for the internal address. Go to the Control Panel, System Tab. If necessary, click the Select Another System (Subscription) link on the left and choose the correct Virtuozzo container. Then go to All My Domains, and click on the main domain name of the VPS where the OpenVPN is located.
Click on the DNS Zone tab at the top of the screen, and then click on New Record. Add the following:
- Name - give the service a name that corresponds with what you are doing, like vpn
- TTL - this is the Time To Live, in seconds. This is the length of time the DNS record is active before the record is refreshed at the authoritative name server for the domain. 600 seconds is 10 minutes. This value cannot be changed.
- Type - select A from the drop down menu
- Priority - this value is only relevant to MX or SRV records, so is not used here.
- Value - enter the IP address of the VPN: 10.8.0.1. - note the period at the end of the IP address
- Comment - an optional comment can go here.
Allow a few hours for the domain name to propagate. Then, instead of using the IP address for the VPN in a URL or for a hostname, you can use this new DNS record.
Using the OpenVPN Service
There are several ways to use the OpenVPN service. The most common ways are to securely share a folder between other users on the VPN, to put a web application behind an internal VPN tunnel, and to secure e-mail between users connected to the VPN.Shared folder configuration
Using an application called Samba (for SMB - Server Message Block), you can create a folder on the VPS that can be shared with other users who are connected via the VPN. This folder will appear as a network drive on their computer. Samba is available by default on your eApps VPS.Setting up the shared folder - VPS configuration
The following must be done from the command line of the VPS while logged in via SSH, as the root user. The ability to edit files with the vim text editor is also needed. |
If you are not able to work from the Linux command line, but want the shared folder setup, please contact eApps Sales for a quote on having this done for you by eApps Support.
Once connected to the VPS, verify that the Samba service is running with the service command. The Samba service is called smb, and it runs with another service called nmb.
[root@eapps-example ~]# service smb status smbd is stopped nmbd is stopped [root@eapps-example ~]# |
This shows that the Samba service is stopped. You can start it with:
[root@eapps-example ~]# service smb start Starting SMB services: [ OK ] Starting NMB services: [ OK ] |
To make sure that the Samba service restarts if the VPS restarts, use the chkconfig command.
[root@eapps-example ~]# chkconfig --list smb smb 0:off 1:off 2:off 3:off 4:off 5:off 6:off [root@eapps-example ~]# chkconfig smb on [root@eapps-example ~]# chkconfig --list smb smb 0:off 1:off 2:on 3:on 4:on 5:on 6:off [root@eapps-example ~]# |
And then verify that the smb service is running:
[root@eapps-example ~]# service smb status smbd (pid 3672 3667) is running... nmbd (pid 3670) is running... [root@eapps-example ~]# |
Once the service is running, you can now add the shared folder and configure the users.
Change directories to the /etc/samba directory, and first make a backup of the existing smb.conf file.
[root@eapps-example ~]# cd /etc/samba/ [root@eapps-example samba]# cp smb.conf{,.bck} [root@eapps-example samba]# |
Edit the smb.conf file to add a share. The shares are located near the end of the file.
This is just one very simple example of how to create a share using Samba. For more examples, see the official Samba documentation, available either on-line or in printed form. The user name, the share name, the variables - all can be changed or customized to your needs. The Samba documentation will explain how. |
[root@eapps-example samba]# vim smb.conf |
Find the section of the file called Share Definitions. There will be a [homes] and [printers] share already in place.
If all you wish to do is allow access to the user's home directories on the Linux server, nothing needs to be done.
If you want to allow access to a shared folder for all users, then add the following below the existing [printers]share, changing the [sharename] and path to meet your specific needs.
[example]
comment = Example Share
path = /home/example
writable = yes
browseable = yes
guest ok = no
write list = +webadmin
Save and exit the file. This creates a share called example, with the files stored in the /home/example directory. The share is writable, and only users who are part of the webadmin group can access it.
Next, create the /home/example directory, and set the owner and group of the directory to webadmin.
[root@eapps-example samba]# cd /home [root@eapps-example home]# mkdir example [root@eapps-example home]# ll -d example/ drwxr-xr-x 2 root root 4096 Mar 15 10:40 example/ [root@eapps-example home]# [root@eapps-example home]# chown -R webadmin:webadmin example/ [root@eapps-example home]# ll -d example/ drwxr-xr-x 2 webadmin webadmin 4096 Mar 15 10:40 example/ [root@eapps-example home]# |
Restart the smb service.
[root@eapps-example home]# service smb restart Shutting down SMB services: [ OK ] Shutting down NMB services: [ OK ] Starting SMB services: [ OK ] Starting NMB services: [ OK ] [root@eapps-example home]# |
Now add the users to Samba, so that they can connect to the shares. This example uses the existing webadmin user, but you can add other users. However, the users you add to Samba must also exist on the Linux server.
To set the Samba password for the existing webadmin user, do the following.
[root@eapps-example samba]# smbpasswd -a webadmin New SMB password:passwd Retype new SMB password:passwd [root@eapps-example samba]# |
The Samba password for webadmin and the actual system password for webadmin are two different things. The Samba password only authenticates the user to Samba, not to the actual Linux server. |
To create a new user, use the adduser command first, then the smbpasswd command.
[root@eapps-example samba]# adduser example_user [root@eapps-example samba]# smbpasswd -a example_user New SMB password:passwd Retype new SMB password:passwd Added user example_user. [root@eapps-example samba]# |
Next, add the new example_user to the webadmin group, so it has access to the share.
[root@eapps-example samba]# usermod -a -G example_user webadmin |
Setting up the shared folder - local PC configuration
To connect to the share from a local PC, you will need to add the new share to My Network Places.This example uses Windows XP Pro. Windows Vista and Windows 7 users may need to consult their operating system documentation to be able to access the correct locations on their computers. |
To begin, make sure that you are connected to the VPN. The shared folders are only accessible to users who are connected to the VPN.
Go to My Network Places, and click on Add a network place.
Click Next to continue
In the Where do you want to create this network place screen, select Choose another network location.
Click Next
In the What is the address of this network place screen, enter in the IP address of the VPN, and the share name. For this example, this network place is \\10.8.0.1\example
Click Next
If there are any errors connecting to the VPN and the Samba share, an error will show here. If there are no errors, then on the What do you want to name this place screen, enter a name for this network place.
Click Next
On the Completing the Add Network Place Wizard screen, click Finish. This will open the new network place, and show the contents of the Samba share.
To connect to the Samba share in the future, just click on the name in My Network Places (assuming the VPN tunnel is up). Since the Samba share is on your eApps VPS and the connection is encrypted via an OpenVPN tunnel, you can securely share documents with your teammates and coworkers.
Securing Web Applications
Using the OpenVPN service, you can secure a web application running on the eApps VPS as if it was on a local intranet, only allowing users on the VPN to access the application.To do this, the application needs to run from the /var/www/html directory instead of the normal DocumentRoot directory for a virtual host site.
Connect to the OpenVPN tunnel, and open a web browser. Instead of typing a domain name, type in the internal address for the OpenVPN tunnel (10.8.0.1). If you had an index.html file in /var/www/html, then the URL would be http://10.8.0.1/index.html.
If you don't want to use the internal IP address of the OpenVPN every time, you can set a host name for the connection. See the Adding the Internal Address to your DNS Zone section of this User Guide for more information.
Securing E-mail
It is possible to secure e-mail transmission between users connected to the VPN, using the internal IP address of the VPN as the mail server. However, the e-mail is only encrypted and secured as long as both sender and recipient are connected to the VPN tunnel.As an example, consider three users - User A, User B and User C. Users A and B are both connected to the VPN, User C is not.
If User A sends an e-mail to User B, then the e-mail is sent securely over the VPN tunnel from sender to receiver. The e-mail is encrypted and secured.
However, if User A sends an e-mail to User C, then only the connection from User A to the server is encrypted and secured. To deliver the e-mail to User C, the e-mail has to then leave the secure connection and travel across the Internet to reach User C. That connection is not secure.
The easiest way to use the VPN tunnel for e-mail is to use Open Webmail, which requires the least amount of configuration. To use Open Webmail over the VPN, use a URL that connects to the VPS private address over the VPN tunnel. So instead of using a URL like http://eapps-example.com/mail, you would use http://10.8.0.1/mail (assuming you are connected to the VPN).
To use an actual e-mail client like Outlook or Thunderbird, you will need to change your POP/IMAP and SMTP server to the internal IP address of the VPN tunnel. However, you will need to be connected to the VPN before you can send or receive e-mail. See the documentation for your specific e-mail client for more information on how to change these values.
See the Adding the Internal Address to your DNS Zone section of this User Guide to learn how to set a host name for the VPN connection if you do not want to always have to use the IP address of the VPN.
Links to other information
OpenVPN - http://openvpn.net/OpenVPN application downloads - http://openvpn.net/index.php/open-source/downloads.html
Official Samba Site - http://www.samba.org/
Samba How To - http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/
Samba Wiki - http://wiki.samba.org/index.php/Main_Page
Comments
Powered by WHMCompleteSolution