Difference between revisions of "Configure WireGuard VPN"

From Organic Design wiki
Revision as of 04:42, 4 June 2009

Organic Design procedure

OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access controls. OpenVPN is a single program that is run on both the server hosting the share and on the clients which will be accessing it. First install it on the server and on the Linux clients.

apt-get install openvpn

Create the TUN/TAP device

This step is needed on systems which do not have a TUN/TAP device included. If /dev/net/tun exists then you already have TUN/TAP set up and can move on to the OpenVPN configuration. Some VPS hosts such as VPSLink do not have these devices set up by default; see the issue raised in their forum and the solution added to their wiki for more detail, or do the following to create the device.

mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun

Server configuration

We'll go for a configuration which is as close to the default server.conf example file as possible to simplify the procedure. The certificate files must be specified with full pathnames, and the protocol must be changed to TCP rather than UDP, which is the default. Here are all the required settings with comments removed for brevity.

port 1194
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
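The two requirements the page states for server.conf (full pathnames for the certificate files, and proto changed to tcp) are easy to get wrong when editing the example file. This added check script, not from the wiki, verifies them before the daemon is restarted; the file path, the function name and the note about the dev tun line are assumptions.

```shell
#!/bin/sh
# Added example (not the wiki's code): sanity-check an OpenVPN server.conf
# against the page's requirements. Usage: check_openvpn_conf /etc/openvpn/server.conf
# Returns 0 when every check passes, 1 otherwise.

check_openvpn_conf() {
    conf="$1"
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # The page changes the default protocol from UDP to TCP.
    proto=$(awk '$1=="proto"{print $2}' "$conf")
    if [ "$proto" != "tcp" ]; then
        echo "proto is '${proto:-unset}', expected tcp"; rc=1
    fi

    # Certificate and key files need full pathnames: OpenVPN does not run
    # from /etc/openvpn, so a bare filename is resolved somewhere else.
    for key in ca cert key dh; do
        path=$(awk -v k="$key" '$1==k{print $2}' "$conf")
        case "$path" in
            "")  echo "$key: not set"; rc=1 ;;
            /*)  [ -f "$path" ] || { echo "$key: $path does not exist"; rc=1; } ;;
            *)   echo "$key: '$path' is not an absolute path"; rc=1 ;;
        esac
    done

    # "dev tun" needs the device from the TUN/TAP section; warn only, since
    # the device may be created later in the procedure.
    if [ "$(awk '$1=="dev"{print $2}' "$conf")" = "tun" ] && [ ! -c /dev/net/tun ]; then
        echo "warning: dev tun configured but /dev/net/tun is missing"
    fi

    # The page's dh1024.pem follows the 2009 easy-rsa default; 1024-bit DH
    # parameters are considered weak today, so raise KEY_SIZE in vars before
    # running ./build-dh and point dh at the larger file.
    return $rc
}
```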

Creating Keys

There's a utility called easy-rsa in /usr/share/doc/openvpn/examples/easy-rsa which should be copied to another location (we use /etc/openvpn/easy-rsa). The default values for all certificates generated can be updated in the vars file. First, configure easy-rsa with the following shell commands:

cp -pR /usr/share/doc/openvpn/examples/easy-rsa /etc
cd /etc/easy-rsa
mkdir keys
. ./vars
./clean-all

Next we'll use easy-rsa to generate a master key, a server key and a couple of client keys (it's more secure for the client keys to be created locally, but we'll get that procedure sorted out another day!). Each of the commands asks a number of questions which can all be left at their defaults (which were set up in the vars file above), except for the common name setting, which we'll set to "organicdesign-ca" for the master key, "server" for the server key, and the client name for each of the client keys (e.g. "nad-laptop" or "zenia-office" for this example).

./build-ca
./build-key-server server
./build-key nad-laptop
./build-key zenia-office

Then, after all the keys are made, we must build the Diffie-Hellman key exchange parameters.

./build-dh

All the generated key files are in the easy-rsa/keys directory. All the files with the .key suffix are secret and should only be transferred over encrypted connections such as SCP. The ca.crt file belongs on the server and on all the client machines as well. The files that start with a client name belong on that client machine.

Setting up Ubuntu workstations

First install OpenVPN and the configuration GUI using apt-get install openvpn network-manager-openvpn. The GUI adds a "VPN Connections" item to the network menu in the system tray, from which VPNs can be added, removed and configured.

Setting up on Windows workstations

On Windows, OpenVPN is normally run from the console, which can be a little annoying to have lying on the taskbar all the time. OpenVPN GUI lets you run OpenVPN without this console window. Instead you get an icon in the notification area (the area on the right side of the taskbar) from which you can control OpenVPN to start/stop your VPN tunnels, view the log, change your password and do other useful things.

The simplest setup (and the only one covered here) is if your internet connection is through a normal LAN or Wi-Fi adapter and uses DHCP (i.e. "obtain IP address automatically" is ticked).

After OpenVPN has been installed, you'll notice in network settings that an extra LAN connection has been added. First, right-click it and rename it to "OpenVPN". Then select both the original network connection that you connect to the internet through and the OpenVPN connection, then right-click and select "Bridge connections", which takes a few seconds to complete. After that's done a new icon will appear in the network list called "Network bridge" or similar, which you can rename to "OpenVPN Bridge". No more settings are required if your original internet connection used DHCP.

See also