into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [FR]:

State or Province Name (full name) [Loire]:

Locality Name (eg, city) [Saint-Étienne]:

Organization Name (eg, company) [Falcot Corp]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) [vpn.falcot.com]:

Name []:

Email Address [admin@falcot.com]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /home/rhertzog/pki-falcot/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'FR'

stateOrProvinceName   :PRINTABLE:'Loire'

localityName          :T61STRING:'Saint-\0xFFFFFFC3\0xFFFFFF89tienne'

organizationName      :PRINTABLE:'Falcot Corp'

commonName            :PRINTABLE:'vpn.falcot.com'

emailAddress          :IA5STRING:'admin@falcot.com'

Certificate is to be certified until Oct  9 13:57:42 2020 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

$ ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2

This is going to take a long time

..............+.......+.................................++*++*++*

The following step creates certificates for the VPN clients; one certificate is required for each computer or person allowed to use the VPN:

$ ./build-key JoeSmith

Generating a 1024 bit RSA private key

................++++++

.............................++++++

writing new private key to 'JoeSmith.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [FR]:

State or Province Name (full name) [Loire]:

Locality Name (eg, city) [Saint-Étienne]:

Organization Name (eg, company) [Falcot Corp]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) [JoeSmith]:Joe Smith

Name []:

Email Address [admin@falcot.com]:joe@falcot.com

[…]

Now all certificates have been created, they need to be copied where appropriate: the root certificate's public key (keys/ca.crt) will be stored on all machines (both server and clients) as /etc/ssl/certs/Falcot_CA.crt. The server's certificate is installed only on the server (keys/vpn.falcot.com.crt goes to /etc/ssl/vpn.falcot.com.crt, and keys/vpn.falcot.com.key goes to /etc/ssl/private/vpn.falcot.com.key with restricted permissions so that only the administrator can read it), with the corresponding Diffie-Hellman parameters (keys/dh1024.pem) installed to /etc/openvpn/dh1024.pem. Client certificates are installed on the corresponding VPN client in a similar fashion.

10.2.1.2. Configuring the OpenVPN Server

By default, the OpenVPN initialization script tries starting all virtual private networks defined in /etc/openvpn/*.conf. Setting up a VPN server is therefore a matter of storing a corresponding configuration file in this directory. A good starting point is /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz, which leads to a rather standard server. Of course, some parameters need to be adapted: ca, cert, key and dh need to describe the selected locations (respectively, /etc/ssl/certs/Falcot_CA.crt, /etc/ssl/vpn.falcot.com.crt, /etc/ssl/private/vpn.falcot.com.key and /etc/openvpn/dh1024.pem). The server 10.8.0.0 255.255.255.0 directive defines the subnet to be used by the VPN; the server uses the first IP address in that range (10.8.0.1) and the rest of the addresses are allocated to clients.

With this configuration, starting OpenVPN creates the virtual network interface, usually under the tun0 name. However, firewalls are often configured at the same time as the real network interfaces, which happens before OpenVPN starts. Good practice therefore recommends creating a persistent virtual network interface, and configuring OpenVPN to use this pre-existing interface. This further allows choosing the name for this interface. To this end, openvpn --mktun --dev vpn --dev-type tun creates a virtual network interface named vpn with type tun; this command can easily be integrated in the firewall configuration script, or in an up directive of the /etc/network/interfaces file. The OpenVPN configuration file must also be updated accordingly, with the dev vpn and dev-type tun directives.

Barring further action, VPN clients can only access the VPN server itself by way of the 10.8.0.1 address. Granting the clients access to the local network (192.168.0.0/24), requires adding a push route 192.168.0.0 255.255.255.0 directive to the OpenVPN configuration so that VPN clients automatically get a network route telling them that this network is reachable by way of the VPN. Furthermore, machines on the local network also need to be informed that the route to the VPN goes through the VPN server (this automatically works when the VPN server is installed on the gateway). Alternatively, the VPN server can be configured to perform IP masquerading so that connections coming from VPN clients appear as if they are coming from the VPN server instead (see Section 10.1, “Gateway”).

10.2.1.3. Configuring the OpenVPN Client

Setting up an OpenVPN client also requires creating a configuration file in /etc/openvpn/. A standard configuration can be obtained by using /usr/share/doc/openvpn/examples/sample-config-files/client.conf as a starting point. The remote vpn.falcot.com 1194 directive describes the address and port of the OpenVPN server; the ca, cert and key also need to be adapted to describe the locations of the key files.

If the VPN should not be started automatically on boot, set the AUTOSTART directive to none in the /etc/default/openvpn file. Starting or stopping a given VPN connection is always possible with the commands /etc/init.d/openpvn start name and /etc/init.d/openpvn stop name (where the connection name matches the one defined in /etc/openvpn/name.conf).