Difference between revisions of "OpenVPN notes"
| Line 1: | Line 1: | ||
[[Category:Engineering]] | [[Category:Engineering]] | ||
| − | + | == general client setup == | |
| − | Put all user config files in ~/.openvpn. Note that each user will have their own client.key and client.crt files. The client.conf file will need to be slightly updated for each user. | + | Put all of the user's config files in ~/.openvpn. Note that each user will have their own client.key and client.crt files. The client.conf file will need to be slightly updated for each user. |
*client.conf | *client.conf | ||
| Line 21: | Line 21: | ||
</pre> | </pre> | ||
| − | You will also want to add up and down hooks in your ~/.openvpn/client.conf for | + | You will also want to add up and down hooks in your ~/.openvpn/client.conf for this script, [http://njr.sabi.net/2005/11/07/alternate-openvpn-os-x-dns-updating-script/ openvpn-dns-config.sh]. You can drop that in ~/.openvpn. This will allow OpenVPN to automatically update your /etc/resolv.conf with the DNS server on the remote side of the VPN. |
<pre> | <pre> | ||
| Line 35: | Line 35: | ||
alias vpnup='sudo /usr/sbin/openvpn --config ~/.openvpn/client.conf --writepid ~/.openvpn/openvpn.pid --daemon' | alias vpnup='sudo /usr/sbin/openvpn --config ~/.openvpn/client.conf --writepid ~/.openvpn/openvpn.pid --daemon' | ||
alias vpndown='sudo kill -INT `cat ~/.openvpn/openvpn.pid`' | alias vpndown='sudo kill -INT `cat ~/.openvpn/openvpn.pid`' | ||
| + | </pre> | ||
| + | |||
| + | == Remove the password from an OpenVPN key == | ||
| + | |||
| + | The user's client.key generated by `openvpn --genkey` is an OpenSSL RSA key. You can use `openssl` commands on the key. '''This will overwrite the existing user.key file''': | ||
| + | |||
| + | <pre> | ||
| + | openssl rsa -in client.key -out client.key | ||
</pre> | </pre> | ||
Revision as of 06:53, 22 October 2008
Contents
general client setup
Put all of the user's config files in ~/.openvpn. Note that each user will have their own client.key and client.crt files. The client.conf file will need to be slightly updated for each user.
- client.conf
- ca.crt
- client.crt
- client.key
- openvpn-dns-config.sh
client.conf
Note that you will have to edit ~/.openvpn/client.conf to set the full path your the ca.crt, client.crt, and client.key files. Unfortunately OpenVPN does not expand ~ notation for the user home directory. Otherwise all users could have the exact same client.conf file. The only difference would be the client.key and client.crt. This seems like a stupid oversight to me that complicates the config process. Perhaps there is some other idiom to handle this problem. Find the following lines in client.conf and replace USERNAME with the username in question:
ca /home/USERNAME/.openvpn/ca.crt cert /home/USERNAME/.openvpn/client.crt key /home/USERNAME/.openvpn/client.key
You will also want to add up and down hooks in your ~/.openvpn/client.conf for this script, openvpn-dns-config.sh. You can drop that in ~/.openvpn. This will allow OpenVPN to automatically update your /etc/resolv.conf with the DNS server on the remote side of the VPN.
up "~/.openvpn/openvpn-dns-config.sh up" down "~/.openvpn/openvpn-dns-config.sh down"
VPN startup and shutdown
Add these alias to your .bash_aliases file or wherever you keep them:
alias vpnup='sudo /usr/sbin/openvpn --config ~/.openvpn/client.conf --writepid ~/.openvpn/openvpn.pid --daemon' alias vpndown='sudo kill -INT `cat ~/.openvpn/openvpn.pid`'
Remove the password from an OpenVPN key
The user's client.key generated by `openvpn --genkey` is an OpenSSL RSA key. You can use `openssl` commands on the key. This will overwrite the existing user.key file:
openssl rsa -in client.key -out client.key
