- IPsec Versus OpenVPN
- Requirements for the OpenVPN Solution
- Setting Up the Public Key Infrastructure (PKI)
- Setting Up the VPN Server
- Configuring OpenVPN
- Configuring a Sample Client
- Connecting to the Server
- Configuring the Routing
- Working with Unprivileged Users
- Advantages and Disadvantages of This Solution
Configuring a Sample Client
Our client will be a Windows 2000 machine with OpenVPN and the OpenVPN GUI. Upon completion of the OpenVPN setup, a new icon should appear in the notification area next to your computer clock, showing the connection status.
Once the software is installed, copy the CA certificate and the client's certificate and private key to the local machine. In this example they are stored in c:\OpenVPN\Keys. Restrict the directory's permissions so that only members of the Administrators group and the SYSTEM account can read it: a private key that every local user can read defeats the certificate-based authentication the tunnel relies on.
Configuring wlan-vpn.ovpn
OpenVPN can act as either a client or a server; the role is decided by the configuration file. To run our system as a client, put the client directive in wlan-vpn.ovpn. The server we set up earlier accepts routed tunnel connections on a tun device, so the client must also use dev tun (both ends of the tunnel have to use the same device type). The transport protocol is set with proto udp, which is also the default. Finally, the server's IP address or host name and port are given with the remote directive (remote host [port]); the port can also be set separately with the port directive.
With the transport settings in place, configure the authentication material. As mentioned above, three files should now be on the local machine, and each is named in the configuration file: first the CA certificate (ca), then the client's certificate (cert), and finally the client's private key (key). You should also set ns-cert-type server, which makes the client accept only a server certificate issued with the nsCertType=server extension; without it, anyone holding a valid client certificate from the same CA could pose as the server and mount a man-in-the-middle attack. Compression can be enabled on the VPN link with comp-lzo, but it has drawbacks: extra CPU overhead, added latency for interactive applications such as SSH and Telnet, and, because compression ratios leak information about the plaintext, it is generally no longer recommended on links that carry attacker-influenced data.
A complete sample configuration file is available on my web site.
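The directives described above assembled into a working client file, as an added example (this is not the author's sample file and not shipped by the OpenVPN project). It assumes the server is reachable as vpn.example.com on UDP port 1194 (OpenVPN's default), that the key material lives in C:\OpenVPN\Keys, and that the files are named ca.crt, client1.crt and client1.key; adjust all of these to your PKI.

```conf
# wlan-vpn.ovpn - added sample client configuration (assumed names below)

# Act as a client; pull routes and other options pushed by the server.
client

# Routed tunnel; must match the dev type on the server.
dev tun

# Transport: UDP (the default) to the assumed server name and port.
proto udp
remote vpn.example.com 1194

# Keep retrying name resolution; wireless links often come up after OpenVPN starts.
resolv-retry infinite

# Do not bind a fixed local port; let the OS choose one.
nobind

# Authentication material. In OpenVPN config files backslashes must be
# doubled (forward slashes also work on Windows).
ca   C:\\OpenVPN\\Keys\\ca.crt
cert C:\\OpenVPN\\Keys\\client1.crt
key  C:\\OpenVPN\\Keys\\client1.key

# Accept only a peer certificate issued with nsCertType=server, so a
# client certificate from the same CA cannot be used to impersonate the server.
ns-cert-type server
# ns-cert-type was deprecated in OpenVPN 2.4 and removed later; on current
# builds use the extendedKeyUsage-based check instead:
# remote-cert-tls server

# Link compression is disabled here (leading ';' is a comment); see the
# caveats in the text before enabling it.
;comp-lzo

# Keep keys and the tun device across restarts so a short outage does
# not need a full renegotiation.
persist-key
persist-tun

# Moderate log verbosity in the OpenVPN GUI log window.
verb 3
```

Drop the file into OpenVPN's config directory (C:\Program Files\OpenVPN\config on the Windows builds of that era) and the OpenVPN GUI lists it as a connection. If the server certificate was generated without the nsCertType=server extension, the connection will be refused at the TLS stage; that is the check working, and the fix is to reissue the server certificate, not to remove the directive.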