OpenVPN Setup

The source article can be found here

OpenVPN How-To:

How to set up OpenVPN on Linux servers with Windows (non-admin) road warriors.

First, the server:

Install the CentOS openvpn RPM from the EPEL repo: yum install openvpn.

N.B: The default config files for the CentOS openvpn RPM live in /etc/openvpn, so the file locations in the config file are relative to that 'home' dir.

The server config looks something like this:

#Use a non-standard port for added security (std is 1194)

port 12345
proto udp
dev tun
ca keys/ca.crt
cert keys/company.crt
key keys/company.key # This file should be kept secret

dh keys/dh1024.pem

#The following line is the network for the VPN clients

#(remember to add a static route for this network to your default gateway)

server 10.8.254.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120

cipher BF-CBC # Blowfish (default)

comp-lzo

max-clients 10

user nobody
group nogroup

persist-key
persist-tun

status openvpn-status.log

verb 3

plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login

push "route 192.168.x.0 255.255.255.0"
# Insert your WINS server IP here
push "dhcp-option WINS 12.34.56.78"
# Insert your DNS server IP here
push "dhcp-option DNS 12.34.56.78"
# Insert your second (if you have one) DNS server IP here
push "dhcp-option DNS 12.34.56.79"
# Replace with your search domain
push "dhcp-option DOMAIN domain.tld"

Note: If you use the openvpn-auth-pam.so plugin, you will need to have the pam-devel package installed on your system as well (or OpenVPN will bail on startup).

The certificate and key files are generated on the server and copied to the client over a secure channel (e.g. over the LAN, on a USB thumb drive, etc.). N.B: EMAIL IS NOT SECURE (unless encrypted).

The ca.crt file will be copied to the Client PC from the server via secure channel.
The system.key and system.crt are generated on the server for each individual system that will be connecting to OpenVPN.

To generate a keypair for a client system:

  cp -r /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easyrsa-2.0

Edit the vars file and populate it with your information. Read the README in this directory for how to set up your server and Certificate Authority!

. ./vars   # IMPORTANT!!! This sets the variables the build-* scripts below read.
./build-ca
./build-dh
./build-key-server servername
./build-key clientname

Next, the client PC:
My Client config looks like this (save this on the server in the keys directory as a backup):

client
dev tun
proto udp
remote your.host.name 12345
#resolve-retry infinite
nobind
persist-tun
ns-cert-type server
ca "c:/program files/openvpn/keys/ca.crt"
cert "c:/program files/openvpn/keys/system.crt"
key "c:/program files/openvpn/keys/system.key"
comp-lzo
verb 3
auth-user-pass
pull

On the client PC:

As an Administrator, do the following:

Download the current stable version of the OpenVPN GUI from http://openvpn.se and install it. You'll need to make a couple of post-install modifications:

During the install, check "Hide the TAP-Win32 Virtual Ethernet Adapter" box. Leave the rest as their defaults.
Make a new directory: C:\Program Files\OpenVPN\keys
Copy your config to c:\program files\OpenVPN\config

Copy your key and crt files to C:\Program Files\OpenVPN\keys\

(Four files end up on the client PC: ca.crt, client.crt, client.key and client.ovpn. The .crt and .key file names must match the cert and key lines in the .ovpn; the client config above refers to them as system.crt and system.key.)

N.B:

  • The forward slashes in the Windows config file ARE correct (otherwise you have to escape the backslashes).
  • 'resolve-retry infinite' doesn't seem to be valid in the CentOS 5.x openvpn package.

Running OpenVPN GUI as a non-admin user on the Windows PC

You'll have to give the selected user access to start/stop the OpenVPN service:
Download subinacl (a component of the XP Resource Kit) from the Microsoft Website.
Open up a Command Prompt and run the following commands:

cd c:\program files\Windows Resource kits\Tools\
subinacl /SERVICE "OpenVPNService" /GRANT={username}=TO
exit

You'll need to change the following registry keys on the client PC:

HKLM\Software\OpenVPN-GUI\allow_edit=0
HKLM\Software\OpenVPN-GUI\allow_password=0
HKLM\Software\OpenVPN-GUI\allow_proxy=0

And that's it... at this point, you should be able to log out and log back in (you'll need to do that *EVERY TIME* you make a change to the OpenVPN-GUI registry keys!), right click the OpenVPN icon in the systray, enter your username and password, and get a connection.

Run OpenVPN-GUI as a NON-Admin user via the Windows XP RUNAS command

You can save the credentials for a runas shortcut thusly (and thanks to the OpenVPN site administrator for clueing me in on this...):
First: toss out the registry entry that starts OpenVPN-GUI on bootup: delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run\openvpn-gui.
Next, create a regular shortcut on the desktop to OpenVPN-gui (I usually right-click and drag the binary (C:\Program Files\OpenVPN\bin\openvpn-gui) to the desktop and select "Create a shortcut here...").
Right click the new shortcut and select Properties
In the "Target:" dialog, enter the following before the path to OpenVPN-gui:
C:\windows\system32\runas.exe /savecred /user:"LOCAL ADMIN USERNAME"
Save your shortcut and double-click on it, and you will be presented with a command-prompt window asking for the password to the account you specified. Enter the password, and the service will start, running with the privileges of the user you specified. NOTE: By saving the credentials this way, a user can run ANY COMMAND ON THE SYSTEM AS AN ADMINISTRATOR, simply by changing the last part of the shortcut!!!

This method is also ONLY AVAILABLE on Windows XP PRO... the /savecred option is silently ignored when using XP Home or any variant of it (i.e. Media Center etc.).

Notes... If your firewall has more than one IP address assigned to the interface you're connecting to OpenVPN on, you may need the float option in your client config file.
Likewise, you may simply need to make sure that whatever is the primary interface on your firewall is what you're trying to connect to, or that you are properly NATing your OpenVPN traffic from the firewall... For example, my firewall was happily dropping all packets from the remote OpenVPN server because they were coming from the wrong source IP address, and therefore weren't associated with any known ESTABLISHED or RELATED (iptables talk) connection.