You followed the previous recipes and everything works. Now, what do you do for a production VPN server? You want to set it up so that you can connect to your work network from your home Linux PC. Your work Internet account has a static, routable IP address. Your home PC has no overlapping addresses with your work network or your OpenVPN addressing. Your OpenVPN server is on your border router.
Again, keep in mind that using a static key is less secure than using a proper Public Key Infrastructure (PKI).
Follow the previous recipe to generate and distribute the shared static key. Then, you'll need more options in your configuration files, and to configure your firewall to allow the VPN traffic.
Your setup should look something like Figure 9-2.
Next, copy these client and server configurations, using your own IP addresses and domain names. The local IP address must be your WAN address. These files have different names than in the previous recipe, which speeds up testing as you will see:
## openvpn server2.conf
dev tun
proto udp
ifconfig 10.0.0.1 10.0.0.2
local 208.201.239.37
secret /etc/openvpn/keys/static.key
keepalive 10 60
comp-lzo
daemon
Next, the client configuration file:
## openvpn client2.conf
remote router.alrac.net
dev tun
ifconfig 10.0.0.2 10.0.0.1
route 192.168.1.0 255.255.255.0
secret /etc/openvpn/keys/static.key
keepalive 10 60
comp-lzo
Then, you'll need to allow the VPN traffic through your work firewall on UDP port 1194. If you're using a nice stout iptables firewall, use these rules:
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
Now, start OpenVPN manually and test it, just like we did in previous recipes:
root@xena:~# openvpn /etc/openvpn/server2.conf
root@stinkpad:~# openvpn /etc/openvpn/client2.conf
This is a nice simple setup when you control your work and home networks. Don't do this for others—just for yourself.
What if your work site does not have a static IP address, but a dynamically assigned address? Use the free dynamic DNS (DDNS) service at DynDns.com (http://www.dyndns.com/) to give it a persistent address.
The route option in client2.conf lets your remote client access the whole LAN.

keepalive 10 60 keeps the connection alive by sending a ping every 10 seconds. If there is no response after 60 seconds, OpenVPN assumes the connection is broken.

comp-lzo compresses your traffic. This option must be present in both the server and the client configuration files.

daemon runs OpenVPN in listening mode. As soon as you run the openvpn /etc/openvpn/server2.conf command, it drops into the background and returns you to the command prompt.

The plus mark in the iptables rules is a wildcard, so tun+ means "all tun devices."
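The options above only work when both ends agree on them, and a mismatch (say, comp-lzo on one side only, or ifconfig addresses that are not mirrored) fails quietly. The following checker is an added example, not code from the book or from the OpenVPN project: it parses the two configuration files as "option arguments" lines and reports such mismatches before you start the tunnel. The embedded copies of server2.conf and client2.conf are constructed from this recipe.

```python
# Added example, not from the book: parse a server/client pair of OpenVPN
# static-key configs and flag mismatches that silently break the tunnel.
def parse_config(text):
    """Map option name -> argument list, skipping blank and '#' comment lines."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts

def check_pair(server_text, client_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    s, c = parse_config(server_text), parse_config(client_text)
    problems = []
    # ifconfig must be mirrored: server "A B" pairs with client "B A"
    if s.get("ifconfig", [])[::-1] != c.get("ifconfig", []):
        problems.append("ifconfig addresses are not mirrored")
    # same key file and same device type on both ends
    for opt in ("secret", "dev"):
        if s.get(opt) != c.get(opt):
            problems.append(f"{opt} differs between server and client")
    # comp-lzo must be on both sides or on neither, as the recipe notes
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo present on only one side")
    if s.get("keepalive") != c.get("keepalive"):
        problems.append("keepalive settings differ")
    return problems

# Constructed copies of the recipe's server2.conf and client2.conf
SERVER2 = """## openvpn server2.conf
dev tun
proto udp
ifconfig 10.0.0.1 10.0.0.2
local 208.201.239.37
secret /etc/openvpn/keys/static.key
keepalive 10 60
comp-lzo
daemon
"""
CLIENT2 = """## openvpn client2.conf
remote router.alrac.net
dev tun
ifconfig 10.0.0.2 10.0.0.1
route 192.168.1.0 255.255.255.0
secret /etc/openvpn/keys/static.key
keepalive 10 60
comp-lzo
"""
```

Run check_pair(open("server2.conf").read(), open("client2.conf").read()) on your own files; an empty list means the two sides agree.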
Using a proper PKI is only a little more work than using static keys, and many times more secure. See the next recipe to learn how to do this.
man 8 openvpn
OpenVPN How-to: http://openvpn.net/howto.html