Vyatta is a great free firewall/routing solution. As of version 5 (I’m specifically using 5.0.2), OpenVPN support was added. OpenVPN is a much better alternative than any of the L2TP/IPSec VPN solutions out there, and with just a little problem solving, I was able to get a Client-Server (aka road-warrior) VPN set up.
Prior to setting up the actual OpenVPN solution, a few steps are required to generate the PKI certificates and keys that TLS uses to secure the communication. Pre-shared keys are not available for a Client-Server OpenVPN setup in Vyatta. I don’t believe this is a limitation of OpenVPN but rather of Vyatta. We’ll see if this changes in the future. The steps below generate self-signed certificates and set up Vyatta as its own certificate authority. More advanced certificate and key setups are described on the OpenVPN website.
- The pkitool and all of the key/cert scripts such as ./build-key can be found under /usr/share/doc/openvpn/examples/easy-rsa/2.0
- When asked to sign the certs, answer yes.
- When asked for passwords, only enter one if you know the client to be used can decrypt a passworded key. At the time of this writing, OpenVPN GUI for Windows could not.
- Log into the console as root.
- Configure the vars file with the correct KEY_DIR and certificate details. I used /root for the KEY_DIR as it was easy to remember where the files were when configuring Vyatta.
- Create an index.txt and serial file in KEY_DIR. These 2 files must be present in the folder used for KEY_DIR. To make the index.txt file, just use the command “touch index.txt”, and to create the serial file, “echo 01 > serial”. This creates a zero-byte file index.txt and a file called serial with the contents “01”.
- Run “./build-ca” to create the Certificate Authority certificate.
- Run “./build-key-server servername” to create a key and certificate for the Vyatta server. Enter your desired name for “servername”. It will be referenced when configuring TLS in Vyatta.
- Run “./build-dh” to create the Diffie-Hellman parameters file.
- Run “./build-key clientname” to create a key and certificate for a specific client. Enter your desired name for “clientname”. This is the certificate and key the client needs to be allowed to connect to the OpenVPN server.
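The steps above as one script, an added example that is not from the original post or from Vyatta: it creates index.txt and serial, runs the easy-rsa 2.0 build scripts in order, then checks each issued certificate against the new CA and flags passworded client keys. It assumes the scripts directory named above, a vars file already configured with KEY_DIR and certificate details, running as root, and the placeholder names "vyatta-gw" and "laptop1".

```shell
#!/bin/sh
# Added example (not from the post): drives the easy-rsa 2.0 steps above on
# Vyatta 5.0.2 and checks the result. Assumes EASY_RSA is the scripts
# directory from the post and that vars already sets KEY_DIR and cert details.
set -e

EASY_RSA=${EASY_RSA:-/usr/share/doc/openvpn/examples/easy-rsa/2.0}

# index.txt (zero bytes) and serial ("01") must exist in KEY_DIR before
# the CA can sign anything; create them only if missing.
prepare_key_dir() {
    dir=$1
    mkdir -p "$dir"
    [ -f "$dir/index.txt" ] || touch "$dir/index.txt"
    [ -f "$dir/serial" ] || echo 01 > "$dir/serial"
}

# Returns 0 when a PEM private key is password-protected (traditional
# OpenSSL header, as easy-rsa 2.0 writes it, or PKCS#8 form). The post
# notes that OpenVPN GUI for Windows could not use such a key.
key_is_passworded() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# build-ca, build-key-server, build-dh, then build-key per client; every
# issued certificate is verified against the new CA before we finish.
build_pki() {
    server=$1; shift
    cd "$EASY_RSA"
    . ./vars                       # exports KEY_DIR as configured in vars
    prepare_key_dir "$KEY_DIR"
    ./build-ca
    ./build-key-server "$server"
    ./build-dh
    openssl verify -CAfile "$KEY_DIR/ca.crt" "$KEY_DIR/$server.crt"
    for client in "$@"; do
        ./build-key "$client"
        openssl verify -CAfile "$KEY_DIR/ca.crt" "$KEY_DIR/$client.crt"
        if key_is_passworded "$KEY_DIR/$client.key"; then
            echo "note: $client.key is passworded; not every client can use it" >&2
        fi
    done
}

# Run as: sh vyatta-pki.sh run   (server "vyatta-gw" and client "laptop1"
# are placeholder names)
if [ "${1:-}" = "run" ]; then
    build_pki vyatta-gw laptop1
fi
```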
At this point, you are ready to configure OpenVPN in Vyatta.