7. Setting Up The VPN Software: OpenVPN

OpenVPN's capabilities are best described in the opening paragraphs of its HOWTO. Previous versions of OpenVPN required that each client connect to its own server process; as of version 2.0, multiple clients can connect to a single server process, which allows much greater scalability. Our solution will use this new feature.

If your distribution doesn't have a package for it, OpenVPN can be downloaded from http://openvpn.net.

7.1. Network Configuration for OpenVPN

OpenVPN is capable of working at OSI Layer 2, which involves using Ethernet bridging, or Layer 3, which involves encapsulation of IP. A Layer 2 VPN is much more complex to set up, and can be slower; thus, the examples will construct the VPN at Layer 3.

There is still one small bit of complexity involved with doing things at Layer 3: to prevent routing confusion, the physical network over which OpenVPN is operating should not have the same IP address schema as the virtual network being run by OpenVPN. As per our diagram, the OpenVPN network will be 10.42.1.0/24.

The underlying physical network, on the other hand, can be numbered in any valid way; in our examples below, we will use 192.168.1.0/24. Under this setup, eth1 on the wired endpoint is assigned 192.168.1.1, and the AP's address is 192.168.1.2.

7.2. Wired Endpoint

7.2.1. Diffie-Hellman Parameters

OpenVPN uses the Diffie-Hellman algorithm for session key agreement; to make it work, we first have to generate the DH parameters with the following command:

openssl dhparam -out <dhparams-file> 1024

This file is then specified through the dh option in the OpenVPN config file.

7.2.2. OpenVPN Config File

# Listen on the interface attached to the WAP. The "local" directive takes
# only a host address; the port is set separately with "port".
local 192.168.1.1
port 1194

# Run the VPN over UDP.
proto udp

# We're doing layer 3 tunneling.
dev tun

# Virtually create the following network.
server 10.42.1.0 255.255.255.0

# Route all client traffic through the VPN. The "local" flag is appropriate
# here because the AP and the wired endpoint sit on the same subnet.
push "redirect-gateway local"

# Prevent transmission stalls.
tun-mtu 1500
mssfix 1300

# Keep connections alive.
keepalive 10 60

# Allow no more than 15 simultaneous clients.
max-clients 15

# Turn on LZO compression to improve throughput.
comp-lzo

#
# Cryptographic configuration
#

# Use 256-bit AES in CBC mode for data-channel encryption.
cipher AES-256-CBC

# Diffie-Hellman parameters.
dh /path/to/dhparams

# CA root certificate.
ca /path/to/cacertificate

# Server's signed certificate.
cert /path/to/servercertificate

# Server's private key.
key /path/to/serverkey

7.3. Wireless Endpoint

7.3.1. OpenVPN Config File

# Accept config directives from the server.
client

# Run the VPN over UDP.
proto udp

# We're doing layer 3 tunneling.
dev tun

# The server's IP.
remote 192.168.1.1 1194

# No need to bind to a specific local port.
nobind

# Keep the key material and the tun device across restarts (e.g. after a
# ping timeout) instead of re-reading and re-opening them.
persist-key
persist-tun

# Prevent transmission stalls.
tun-mtu 1500
mssfix 1300

# Enable compression.
comp-lzo

#
# Cryptographic stuff
#

# Use 256-bit AES in CBC mode for data-channel encryption.
cipher AES-256-CBC

# The CA certificate.
ca /path/to/cacertificate

# Our certificate.
cert /path/to/hostcertificate

# Our private key.
key /path/to/hostkey
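The server and client configs above must agree on transport, device type, cipher and compression, the client's "remote" must match where the server listens, and (section 7.1) the virtual 10.42.1.0/24 network must not overlap the physical 192.168.1.0/24 one. The following added checker (not part of this HOWTO or of OpenVPN) parses a constructed subset of both configs and reports any of these mismatches; the physical network is passed in as a CIDR string.

```python
import ipaddress
import shlex
# Constructed subset of the two configs above (server bind address and port as separate local/port directives).
SERVER_CONF = """\
local 192.168.1.1
port 1194
proto udp
dev tun
server 10.42.1.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
"""
CLIENT_CONF = """\
client
proto udp
dev tun
remote 192.168.1.1 1194
cipher AES-256-CBC
comp-lzo
"""

def parse(text):
    """Map each OpenVPN directive to its argument list; '#' and ';' start comments."""
    words = [shlex.split(ln) for ln in text.splitlines() if ln.strip() and ln.strip()[0] not in "#;"]
    return {w[0]: w[1:] for w in words}

def check(server_text, client_text, physical_net):
    """Return the list of mismatches for a server/client pair (empty means OK)."""
    srv, cli = parse(server_text), parse(client_text)
    problems = []
    for d in ("proto", "dev", "cipher"):  # transport, device and cipher must agree
        if srv.get(d) != cli.get(d):
            problems.append(f"{d}: server {srv.get(d)} vs client {cli.get(d)}")
    if ("comp-lzo" in srv) != ("comp-lzo" in cli):
        problems.append("comp-lzo must be set on both ends or on neither")
    # The client's remote host/port must be where the server actually listens.
    listen = [srv.get("local", ["any"])[0], srv.get("port", ["1194"])[0]]
    remote = (cli.get("remote", []) + ["1194"])[:2]
    if listen != remote:
        problems.append(f"client remote {remote} vs server listen {listen}")
    # Section 7.1: the virtual network must not overlap the physical network.
    net, mask = srv["server"]
    vpn, phys = ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_network(physical_net)
    if vpn.overlaps(phys):
        problems.append(f"VPN network {vpn} overlaps physical network {phys}")
    return problems

if __name__ == "__main__":
    print(check(SERVER_CONF, CLIENT_CONF, "192.168.1.0/24") or "configs are consistent")
```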