Building a cheap secure wireless (WLAN) infrastructure with OpenVPN and Linux (an advanced tutorial of OpenVPN)
Step 3: Installing the backbone (OpenVPN)
Once you have a clear picture of everything, install Fedora Core 6 on your OpenVPN server. We won’t go through the installation here, but it should be clear that you won’t need X or any GUI; a minimal install is enough. Configure it with one network card on your internal LAN and one network card facing the “public” side: yes, this machine will become a router. Don’t worry, we will secure it.
Now that you have a functioning Linux server, you can just log into it and type:
yum install openvpn
and hit Enter. It will download all the required packages and install OpenVPN for you. Once it is installed you are ready for Step 4, but please make sure you have a regular update schedule for this server so that security updates get applied. Also make sure it is fully up to date (
yum update && yum upgrade
) before you bring it online as a production unit.
Step 4: Prepare the server (Certificates for OpenVPN)
Log into the OpenVPN server and become root. Create the easy-rsa directory and copy the OpenVPN easy-rsa scripts from /usr/share/openvpn/easy-rsa/2.0 to /etc/openvpn/easy-rsa (Fedora Core 6 example:
mkdir /etc/openvpn/easy-rsa && cp -R /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
).
Now change to the /etc/openvpn/easy-rsa directory and execute the following 3 commands, one after the other:
. ./vars
./clean-all
./build-ca
And yes, that is a space in “. ./vars”: the file is sourced into your current shell so the variables it exports stay set for the scripts that follow. The last command (build-ca) will ask you to enter information for your Certificate Authority. Write down everything you enter and fill it in according to your company. Once done, do an ls -l in your /etc/openvpn/easy-rsa directory and you will notice a new directory called keys. If you find files like this:
[root@shorty easy-rsa]# ls keys/
ca.crt ca.key index.txt serial
in there, you are ready for the next command, which creates a certificate for the server. This certificate is what your server will use to authenticate itself to the clients. It is special, and that’s why it is issued with the build-key-server command like so:
./build-key-server server
where “server” is the name of your server. That will make it easier later on for you to identify the server certificate, and it adds a layer of personality :). You will again be asked to enter a lot of information; try using the same values you used for the CA, but for the common name use the server’s hostname. Also, if you enter a password for the server certificate you will need to type it every time you restart the OpenVPN service; in my case I leave it blank, but you should add one. When you are prompted to “sign the certificate” say YES, and say yes to the COMMIT as well. The response will look something like this:
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
In the keys directory you will now have 3 more files: servername.key, servername.crt and servername.csr. You need to complete 3 more commands and you are ready to configure everything :). On a side note, from an infrastructure point of view you are about 50% done.
You now need to create at least one client certificate so you can test connectivity later on. Do not create client certificates for all your users yet. You can do that later, since you will have to deliver the keys securely to the users and teach them how to use them anyway. Better to make sure it works before that.
The next command therefore is
./build-key admin
where admin is the user that will test this later (e.g. YOU!). Enter all the necessary information again, and this time make sure you GIVE a password. This password is the one the user will later use to bring his VPN connection up. SIGN and COMMIT the process again and tada, your keys are generated in the keys directory. Now you only need to build the handshake parameters and the authentication key for the server and the clients and you are done. Running the command
./build-dh
will take a while (about 20 seconds on a Pentium 4) but requires no user intervention, and it generates the file dh1024.pem in your keys directory. These are the Diffie-Hellman parameters used in the handshake between the server and the client. To make that even stronger we generate a tls-auth key as well: it requires every handshake packet to carry a valid HMAC signature before the handshake even starts, so unsigned packets are simply dropped. Very neat and very secure. To do this run:
openvpn --genkey --secret keys/ta.key
You now have a nice long list of files in your keys directory. This is the most important directory on the server: back it up whenever you have made new certificates, and keep it readable by root only.
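As an added illustration, not code from the article, here is a small Python model of what the ta.key from the last step buys you. It renders and parses the Static key V1 text format that openvpn --genkey writes, then shows the tls-auth gate: a control packet is only handed on to the TLS handshake if it carries a valid HMAC under the shared key. The key slicing and the missing packet-id are simplifications of the real OpenVPN implementation, and the key bytes and packet are constructed.

```python
import hashlib
import hmac
import re

KEY_BYTES = 256                         # "2048 bit OpenVPN static key", as openvpn --genkey writes
TAG_LEN = hashlib.sha1().digest_size    # tls-auth defaults to HMAC-SHA1 (20-byte tag)
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"

def format_static_key(key):
    """Render 256 raw bytes in the Static key V1 text format that ta.key uses."""
    if len(key) != KEY_BYTES:
        raise ValueError("expected %d key bytes, got %d" % (KEY_BYTES, len(key)))
    hexkey = key.hex()
    body = "\n".join(hexkey[i:i + 32] for i in range(0, len(hexkey), 32))
    return "#\n# 2048 bit OpenVPN static key\n#\n%s\n%s\n%s\n" % (BEGIN, body, END)

def parse_static_key(text):
    """Parse the text of a ta.key back into raw bytes; refuse anything malformed or short."""
    m = re.search(re.escape(BEGIN) + r"\n(.*?)" + re.escape(END), text, re.S)
    if not m:
        raise ValueError("not an OpenVPN Static key V1 file")
    key = bytes.fromhex("".join(m.group(1).split()))
    if len(key) != KEY_BYTES:
        raise ValueError("expected %d key bytes, got %d" % (KEY_BYTES, len(key)))
    return key

def seal(key, control_packet):
    """Sender side: prefix the control packet with an HMAC computed from the shared key.
    Simplified model: real OpenVPN uses a direction-specific slice of the 256 bytes
    and also covers a packet-id so that replayed packets are rejected."""
    return hmac.new(key[:TAG_LEN], control_packet, hashlib.sha1).digest() + control_packet

def gate(key, wire):
    """Receiver side: hand the packet on only if its HMAC verifies; otherwise drop it
    (None) before any TLS handshake state is allocated for the sender."""
    if len(wire) < TAG_LEN:
        return None
    tag, packet = wire[:TAG_LEN], wire[TAG_LEN:]
    expected = hmac.new(key[:TAG_LEN], packet, hashlib.sha1).digest()
    return packet if hmac.compare_digest(tag, expected) else None

# Constructed demo: a deterministic "key" stands in for the output of openvpn --genkey.
if __name__ == "__main__":
    key = parse_static_key(format_static_key(bytes(range(KEY_BYTES))))
    wire = seal(key, b"P_CONTROL_HARD_RESET_CLIENT_V2")
    print("signed packet accepted:", gate(key, wire) is not None)
    print("unsigned packet accepted:", gate(key, b"P_CONTROL_HARD_RESET_CLIENT_V2") is not None)
```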
WOW, that is some long article. Must have taken you ages to put this together, kudos though. Very well done.
//Kr0ll
Thanks, it did. Anyone with recommendations for APs or switches?
I think it is better to edit the copied .vars and set the following, which you will find near the end of this file:
export KEY_COUNTRY="IN" # Two-letter code of your country
export KEY_PROVINCE="UT" # Name of your State/Province
export KEY_CITY="Chandigarh" # Name of your city
export KEY_ORG="Anu's Linux@HOME" # Name of your organization
export KEY_OU="Wireless Network" # Name of the Unit/Division
export KEY_EMAIL="admin@cto.homelinux.net" # Admin's e-mail
before you run . ./vars
nice one, thanks.
Yes that would be an easier way and saves you a lot of time.
//Flosse
Wow. Nice work.
I am part of popular demand and would like a pdf version.
thanks!
PDF version of this article will be available within this weekend. Also the IPtables tutorial will be done then!
Thanks to everyone
Hello
Thanks for posting the pdfs… however, when I open them in Preview or Acrobat 5/6 Reader or Pro, I see the images, but no text.
This is for both this article and the IPtables one. Is there a compatibility issue that I am unaware of?
Sorry, my bad. It is now fixed on the articles that have PDF and TXT versions. This means all iptables parts, the openvpn one and the porn blocking proxy. PDF and txt will from now on be uploaded as the articles are written.
cheers to you!
hi nice site.
thanks… glad someone finds it useful