Openvpn – How to set up an advanced network config with OpenVPN

openvpn

I need to set up an OpenVPN network with two protected segments.

1) A developer network where all developers can reach each other's machines.
2) A support network with two roles, supporter and client. Preferably, clients cannot initiate connections to the supporter, but the supporter can initiate connections to clients.

The easy way to set this up would be with two separate OpenVPN configurations, two key infrastructures, etc.

However, I think this should also be possible with only one OpenVPN configuration, allowing people who are both supporter and developer to use only one certificate for both purposes.

How should I set this up?

(OpenVPN version 2.0.x, openSuse 11.1)

Best Answer

I've seen an OpenVPN deployment as server, where clients use pre-shared keys and certificates for authentication, with only one config file and each client with his certificate.

Furthermore, the traffic rules between the networks can be settled via netfilter.

I'll try to install it this weekend and come up with a howto.

Later edit:

1 - Follow http://www.openvpn.net/index.php/open-source/documentation/howto.html#pki for issuing certificates with the built-in tools of OpenVPN.

2 - Server config:

# Address and port the server listens on; TCP instead of the default UDP
local 1.2.3.4
port 1977
proto tcp
# Layer-2 (tap) interface; a name not starting with "tun"/"tap" would also need "dev-type tap"
dev tap-server

# PKI material created in step 1
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh1024.pem

# Address pool handed out to clients; pool.txt keeps the client -> address mapping across restarts
server 172.17.188.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/var/pool.txt
# Route client-to-client traffic inside OpenVPN (the kernel firewall will not see it)
client-to-client
keepalive 10 120
# Optional hardening: HMAC on the TLS control channel / explicit data cipher
#tls-auth /etc/openvpn/certs/ta.key 0
#cipher DES-EDE3-CBC
max-clients 10
persist-key
persist-tun
status /var/log/openvpn/server-status.log
log-append /var/log/openvpn/server.log
verb 3
mute 10

# Route pushed to every client; per-client settings can go in client-config-dir files
push "route 10.0.0.56 255.255.255.255"
#client-config-dir /etc/openvpn/var/routes

3 - On the client side, along with ca.crt and user.(key,csr,crt):

# Server address/port; "client" enables pulling options pushed by the server
remote 1.2.3.4
client
dev tap
nobind
port 1977
proto tcp-client
persist-key
persist-tun
# Liveness checks towards the server
ping-timer-rem
ping-restart 60
ping 10
verb 3
# This client's own PKI files (paths relative to the config file)
ca ca.crt
cert user.crt
key user.key

You can have various settings starting from this schema, following OpenVPN's examples.
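The answer leaves the "traffic rules via netfilter" part open, so here is an added example (not part of the answer, nor OpenVPN project code) of the FORWARD-chain policy the question asks for: developers reach each other, supporters can open connections to clients, clients can only answer. It assumes a tun-mode server on `tun0` with `client-to-client` removed, because with that option OpenVPN switches peer traffic internally and the kernel firewall never sees it (in tap mode the peers share one layer-2 segment and the server does not route between them at all), and it assumes developers and supporters get fixed addresses via `client-config-dir` / `ifconfig-push`. The addresses, the interface name and the script's function names are constructed for the example. The script prints the `iptables` commands so the policy can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: generate netfilter rules for the developer and support
# segments of an OpenVPN server. Assumptions (not from the answer above):
#  - OpenVPN runs in tun mode on $VPN_IF WITHOUT "client-to-client", so
#    peer-to-peer packets are routed by the kernel (-i tun0 -o tun0) and
#    pass the FORWARD chain;
#  - developers and supporters have fixed VPN addresses (client-config-dir);
#  - every other VPN address belongs to a support "client".
# All addresses below are constructed sample values.

VPN_IF="tun0"
DEVELOPERS="172.17.188.10 172.17.188.11 172.17.188.12"
SUPPORTERS="172.17.188.20 172.17.188.21"

# Emit the commands on stdout; apply with:  sh vpn-fw.sh | sudo sh
openvpn_fw_rules() {
    ipt="iptables -A FORWARD -i $VPN_IF -o $VPN_IF"

    # Routing between peers only happens with forwarding enabled.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # 1. Packets belonging to an already accepted connection may flow both ways;
    #    this is what lets a client answer a supporter without being able to call.
    echo "$ipt -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # 2. Developer network: any developer may open a connection to any other.
    for src in $DEVELOPERS; do
        for dst in $DEVELOPERS; do
            [ "$src" = "$dst" ] && continue
            echo "$ipt -s $src -d $dst -m state --state NEW -j ACCEPT"
        done
    done

    # 3. Support network: supporters may open connections to anyone on the VPN.
    #    No rule accepts NEW connections *towards* a supporter, so clients
    #    (and developers who are not supporters) cannot initiate to them.
    for src in $SUPPORTERS; do
        echo "$ipt -s $src -m state --state NEW -j ACCEPT"
    done

    # 4. Everything else between VPN peers is dropped.
    echo "$ipt -j DROP"
}

# Number of lines the policy produces: a quick sanity check that the
# address lists were expanded (3 developers -> 6 pair rules, 2 supporters -> 2).
openvpn_fw_line_count() {
    openvpn_fw_rules | wc -l | tr -d ' '
}

openvpn_fw_rules
```

A person who is both developer and supporter simply gets an address listed in both variables; the supporter rule then lets them reach everyone, and the developer pair rules let other developers reach them. Since the rules match on source address, the fixed-address assumption matters: with addresses handed out dynamically from the pool, a client could end up with a supporter's address after a restart.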