BluVPN:OpenVPN
This article is a part of BluVPN.
The core
Introduction
BluVPN is interconnected using OpenVPN tunnels. According to BluVPN:Network Layout, one server has multiple tunnels, since the core is meshed together. The configuration file for one such core tunnel is shown below.
Dependencies
- OpenVPN
- Kernel tun/tap support
Setup
Keys
If two servers want to connect, they must share a secret key, which in this case is located in secrets/static.key. Such a secret key can be generated using
openvpn --genkey --secret secret2.key
Both sides of the link must use the same secret.
Configuration file
/etc/openvpn/bluserv.conf on gamma:
# The remote host to connect to
remote blucoders.net
# This node is NATed and the router may break its source port, so this is an
# override in order to allow the connection even if the source port is wrong.
float
# The network interface to use.
dev tun0
# What addresses to set? 10.159.2.1 is the local address and 10.159.1.1 is the remote
ifconfig 10.159.2.1 10.159.1.1
# The protocol to use is UDP
proto udp
# We will send to port 1195 from port 1195 and (by default) expect the other end
# to reply on the same source port (but we have a workaround - float)
port 1193
# The secret which is used for securing the session
secret secrets/static.key
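Setting up the other end of a static-key tunnel involves two things the page leaves to the reader: making sure both nodes really hold the same secret, and writing the mirrored configuration for the peer. The script below is an added example, not part of the BluVPN page: key_fingerprint refuses a key that is readable by group or others and prints a SHA-256 fingerprint so the two admins can compare hashes out of band instead of sending the key around, and peer_config derives the peer's config from gamma's by swapping the ifconfig addresses and replacing remote (the NATed side has to initiate, so the peer can leave remote out and simply listen). It assumes POSIX sh, awk, and sha256sum or shasum; the sample config and the sample key written by write_samples are constructed here and are not real BluVPN material.

```shell
# Added example (not from the BluVPN page). Assumes POSIX sh, awk and
# sha256sum (or shasum). Sample inputs are constructed, not real keys.

# Print a SHA-256 fingerprint of a static key, or fail if the file is
# world/group readable or does not carry the static-key V1 marker.
key_fingerprint() {
    key=$1
    [ -f "$key" ] || { echo "no such key: $key" >&2; return 1; }
    # -perm -004 / -040: readable by others / by group (POSIX find syntax)
    if [ -n "$(find "$key" \( -perm -004 -o -perm -040 \) 2>/dev/null)" ]; then
        echo "$key is readable by group/others; run: chmod 600 $key" >&2
        return 1
    fi
    grep -q -- '-----BEGIN OpenVPN Static key V1-----' "$key" || {
        echo "$key does not look like an OpenVPN static key" >&2; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$key" | cut -d' ' -f1
    else
        shasum -a 256 "$key" | cut -d' ' -f1
    fi
}

# Emit the peer's config from this side's config file ($2):
#   - "ifconfig local remote" becomes "ifconfig remote local"
#   - "remote" is replaced by $1, or dropped when $1 is empty (peer listens)
# proto, port, float and secret are copied through: they must match anyway.
peer_config() {
    host=$1
    awk -v host="$host" '
        /^remote /   { if (host != "") print "remote " host; next }
        /^ifconfig / { print "ifconfig " $3 " " $2; next }
        { print }
    ' "$2"
}

# Constructed sample inputs: gamma's directives from this page, and a key
# file with the static-key V1 layout (16 lines of 32 hex digits, here zeros).
write_samples() {
    dir=$1
    cat > "$dir/gamma.conf" <<'EOF'
remote blucoders.net
float
dev tun0
ifconfig 10.159.2.1 10.159.1.1
proto udp
port 1193
secret secrets/static.key
EOF
    {
        echo '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ $i -lt 16 ]; do
            printf '%032d\n' "$i"   # placeholder, not key material
            i=$((i+1))
        done
        echo '-----END OpenVPN Static key V1-----'
    } > "$dir/static.key"
    chmod 600 "$dir/static.key"
}
```

Usage on gamma: `key_fingerprint /etc/openvpn/secrets/static.key` and read the hash to the other admin; `peer_config "" /etc/openvpn/bluserv.conf > blucoders-side.conf` produces the listening side's file (pass gamma's public address instead of "" if the peer can also initiate).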
Firewall
You will need to open the port you chose for OpenVPN to use in your firewall!
Note
More experimenting will be done with IPSec later for the backbone. If we get that working, we can minimize latency and overhead and maximize throughput!
Client VPN
Introduction
We can also set up a client VPN for connecting from work/school/etc to our localnet inside BluVPN for remote access.
Dependencies
- OpenVPN
- Kernel tun/tap support
- ifconfig
- bridge-utils and bridge support in the kernel if you want to use that functionality
Setup
Configuration file
Gamma has this solution on port 443/TCP.
# Listen on all interfaces
local 0.0.0.0
# Port 443
port 443
# This is a TCP server
proto tcp-server
# The interface to use is tap0
dev tap0
# Clients should be able to talk to other clients
client-to-client
# Security files, as explained later
ca secrets/ca.crt
cert secrets/server.crt
key secrets/server.key
dh secrets/dh1024.pem
# Since we are using a tap, we use server-bridge. 10.159.2.1 is the server address,
# 255.255.255.0 is the netmask, 10.159.2.101 is the first address OpenVPN will
# allocate and 10.159.2.150 is the last address
server-bridge 10.159.2.1 255.255.255.0 10.159.2.101 10.159.2.150
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period
keepalive 10 120
# Some kind of secret cipher... who knows?
cipher BF-CBC
# Enable compression
comp-lzo
# Self-explanatory?
max-clients 1000
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Same client gets same address even when the server reboots
ifconfig-pool-persist clients/ipp.txt
# In this directory, you can give clients individual config
client-config-dir clients/ccd
# We want the whole VPN routable when you connect
push "route 10.159.0.0 255.255.0.0 10.159.2.1"
# We also want you to use BluVPN DNS
push "dhcp-option DNS 10.159.2.1"
# push "redirect-gateway" # Will cause the clients to route internet traffic through us
# Verbosity level
verb 4
# Number of equal messages to be logged before a mute triggers
mute 20
Easy RSA
As you probably have noticed, you need keys for this VPN too. You start by generating the Diffie-Hellman parameters (dh1024.pem), then the CA certificate (ca.crt) and the server certificate. After that you generate a client certificate for every client you connect to the VPN. We will use a system called easy-rsa 2.0, which in Debian can be found in /usr/share/doc/openvpn/examples/easy-rsa/2.0/ and in Arch in /usr/share/openvpn/easy-rsa/.
- Note: For Bluserv, easy-rsa is located in /root/easy-rsa.
First, edit your ./vars file. When it is edited, you can source it using
# Get the variables from vars
source ./vars
Whether this is the first time you use this directory or you have used it before, run ./clean-all to remove the keys directory and start fresh for your new keys. Be careful when you do this and don't remove something you didn't intend to remove!
./clean-all
You can now use ./build-dh and ./pkitool to generate everything you need.
# Generate the dh1024.pem
./build-dh
It doesn't take as long as it tells you... maybe that warning was written for much slower machines. When it has finished, generate the CA certificate and then the server certificate:
# Certificate generation
./pkitool --initca
# Server certificate
./pkitool --server gamma
# Then generate certificates for all your clients
./pkitool hawken-pc
# If you want to password protect your certificate and use a password every time you want to connect, here's how
./pkitool --pass hawken-school
From now on, every time you want to generate a certificate for a client:
# For arch
cd /usr/share/openvpn/easy-rsa/
# For debian
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
# source the vars file
source ./vars
# Generate a new client certificate
./pkitool myclient
Everything is saved to the keys/ folder in the easy-rsa directory, so to set up your server you need to copy a few files to /etc/openvpn:
# Create the destination directory
mkdir -pv /etc/openvpn/secrets
# Secure it
chmod 700 /etc/openvpn/secrets
# Copy the server files over
cp -v keys/dh1024.pem keys/ca.crt keys/gamma.crt keys/gamma.key /etc/openvpn/secrets/
For every client you want to connect, it will need these files (in case of hawken-pc):
ca.crt -- The CA certificate.
hawken-pc.crt -- hawken-pc's client certificate.
hawken-pc.key -- The key needed to use it.
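Before handing a client its three files (and before pointing the server config at the files copied to /etc/openvpn/secrets, where the page's config names server.crt/server.key but the copy step delivers gamma.crt/gamma.key, so the names must be made to agree), it is worth checking that the certificate was really issued by this ca.crt and that the key belongs to it. The script below is an added example, not part of the BluVPN page or of easy-rsa: check_cert_set does those two checks with the openssl CLI, and make_client_config writes a client configuration that mirrors the tap/443 server config above (TCP, tap, BF-CBC, comp-lzo). It assumes POSIX sh and openssl; the server hostname is a parameter because the page does not state gamma's public address, and gamma.example below is a placeholder.

```shell
# Added example (not from the BluVPN page or easy-rsa). Assumes POSIX sh
# and the openssl command line tool.

# Succeed only if $2 was issued by CA $1 and private key $3 matches $2.
# Catches the usual slips: wrong .crt copied, or a ca.crt from another
# easy-rsa keys/ directory.
check_cert_set() {
    ca=$1; crt=$2; key=$3
    for f in "$ca" "$crt" "$key"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || {
        echo "$crt was not issued by $ca" >&2; return 1; }
    # Compare the public key embedded in the cert with the one derived
    # from the private key; both are SubjectPublicKeyInfo PEM blocks.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || {
        echo "$key does not match $crt" >&2; return 1; }
}

# Print a client config for <name> connecting to <host>, reading the
# files from <dir> (default: current directory). Fails if the cert set
# does not pass check_cert_set.
make_client_config() {
    name=$1; host=$2; dir=${3:-.}
    check_cert_set "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key" || return 1
    cat <<EOF
client
# placeholder hostname: replace with the server's real address
remote $host 443
proto tcp-client
dev tap
nobind
ca ca.crt
cert $name.crt
key $name.key
# Accept only a server certificate built with "./pkitool --server", so a
# client certificate cannot be used to pose as the server
# (OpenVPN 2.1+; older versions use "ns-cert-type server").
remote-cert-tls server
# Must match the server side (the page's server uses BF-CBC and comp-lzo).
cipher BF-CBC
comp-lzo
persist-key
persist-tun
verb 3
EOF
}
```

On the server, `check_cert_set /etc/openvpn/secrets/ca.crt /etc/openvpn/secrets/gamma.crt /etc/openvpn/secrets/gamma.key` confirms the copied files go together; for a client, `make_client_config hawken-pc gamma.example keys > hawken-pc.conf` (run inside the easy-rsa directory) produces the config to ship next to the three files.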
In Debian, individual VPN instances may be started or stopped using /etc/init.d/openvpn <action> <vpn name> <vpn name2> <vpn name3>. In Arch, you can only restart the whole VPN at once with /etc/rc.d/openvpn <action>.
tun interfaces configure themselves and are always ready, but tap interfaces are down by default and need to be configured manually.
# If I do not want a bridge, I can configure tap0 like this:
ifconfig tap0 up 10.159.2.1 netmask 255.255.255.0
# If I want a bridge, I can do like this:
brctl addbr br0
ifconfig tap0 up
ifconfig eth1 up
ifconfig br0 up 10.159.2.1 netmask 255.255.255.0
brctl addif br0 tap0
brctl addif br0 eth1
# If the bridge already exists, I can do this:
ifconfig tap0 up
brctl addif br0 tap0