VirtenSys VPN Installation on Linux
===================================

1. Install OpenVPN version 2.1 or later

2. Copy ca.crt to /etc/openvpn/ca.crt

3. Copy client.conf to /etc/openvpn/virtensys.conf

4. Copy your private key and certificate into directory /etc/openvpn
   Make sure that the key has mode 0600

5. Edit /etc/openvpn/virtensys.conf to change the "cert" and "key"
   parameters so that they refer to your private certificate and key files.

You should at this point be able to bring up a VPN connection by using:

    # service openvpn start

You'll be prompted for your regular VirtenSys username and password.

You won't at this point be able to do forward or reverse DNS lookups for
the VirtenSys network. The simplest way to enable them is to script changes
to your /etc/resolv.conf file so that it uses VirtenSys DNS servers whilst
the VPN is running. This can be done by copying the client.up and
client.down scripts from the OpenVPN package into /etc/openvpn, making them
executable and then adding the following lines to
/etc/openvpn/virtensys.conf:

    # Listen to DHCP hints from server
    pull dhcp-options

    # Configure DNS when connection comes up
    up /etc/openvpn/client.up

    # Allow connection-down script to run as root
    plugin /usr/lib/openvpn/plugin/lib/openvpn-down-root.so /etc/openvpn/client.down

However, this approach suffers from a limitation of glibc: each process only
reads /etc/resolv.conf once, when it does its first DNS lookup. So if
/etc/resolv.conf changes after a process (e.g. a shell) has started, the
change won't be noticed by that process. This can lead to mysterious DNS
lookup failures.

A better solution is to run your own nameserver and get it to forward
queries for names and addresses on the VirtenSys network down the VPN.
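Before moving on to the nameserver approach, it is worth verifying the client-side setup from steps 4 and 5 and the up/down script configuration above, since a world-readable key or a non-executable client.up script is easy to miss. The script below is an added example and not part of the VirtenSys guide or the OpenVPN package: it reads the ca, cert, key, up and plugin directives from a client config, checks that the referenced files exist, that the key is mode 0600 and that the scripts are executable. The function names, the constructed demo directory it builds with make_demo_conf and the config file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the VirtenSys guide: a pre-flight check to run
# before "service openvpn start". It reads the ca/cert/key/up/plugin
# directives from the client config given as $1 and reports files that are
# missing, a key that is not mode 0600, or an up/down script that is not
# executable. Relative paths are resolved against the config's directory.

# Print word number $3 (default 2) of the first line whose first word is $2.
conf_value() {
    awk -v d="$2" -v n="${3:-2}" '$1 == d { print $n; exit }' "$1"
}

# True when $1 is a regular file whose permission bits are exactly $2 (octal).
has_mode() {
    [ -n "$(find "$1" -prune -type f -perm "$2" 2>/dev/null)" ]
}

# Resolve a path from the config relative to the config's directory $1.
abs_path() {
    case $2 in /*) echo "$2" ;; *) echo "$1/$2" ;; esac
}

# Returns 0 when every check passes, 1 otherwise; prints one line per finding.
check_ovpn_conf() {
    conf=$1; dir=$(dirname "$conf"); rc=0
    for d in ca cert key; do
        f=$(conf_value "$conf" "$d")
        if [ -z "$f" ]; then
            echo "MISSING: no '$d' directive in $conf"; rc=1; continue
        fi
        f=$(abs_path "$dir" "$f")
        if [ ! -f "$f" ]; then
            echo "MISSING: $d file $f does not exist"; rc=1
        elif [ "$d" = key ] && ! has_mode "$f" 600; then
            echo "INSECURE: key $f is not mode 0600"; rc=1
        fi
    done
    # "up /path/client.up" and "plugin <lib.so> /path/client.down" must both
    # point at executable scripts; the plugin library itself must exist.
    for s in "$(conf_value "$conf" up)" "$(conf_value "$conf" plugin 3)"; do
        if [ -n "$s" ] && [ ! -x "$s" ]; then
            echo "BROKEN: script $s is missing or not executable"; rc=1
        fi
    done
    so=$(conf_value "$conf" plugin)
    if [ -n "$so" ] && [ ! -f "$so" ]; then
        echo "BROKEN: plugin $so not found"; rc=1
    fi
    return $rc
}

# Build a constructed client directory for demonstration (empty placeholder
# certificate and key files); $1 is the mode to give the key. Prints the
# path of the generated config.
make_demo_conf() {
    d=$(mktemp -d)
    : > "$d/ca.crt"; : > "$d/client.crt"; : > "$d/client.key"
    chmod "$1" "$d/client.key"
    printf '#!/bin/sh\nexit 0\n' > "$d/client.up"; chmod 755 "$d/client.up"
    cat > "$d/virtensys.conf" <<EOF
client
ca ca.crt
cert client.crt
key client.key
pull dhcp-options
up $d/client.up
EOF
    echo "$d/virtensys.conf"
}

# Demonstration: a correct layout passes, a world-readable key is reported.
good=$(make_demo_conf 600)
check_ovpn_conf "$good" && echo "OK: $good"
bad=$(make_demo_conf 644)
check_ovpn_conf "$bad" || echo "FAILED: $bad"
```

On a real installation run it as `check_ovpn_conf /etc/openvpn/virtensys.conf` before starting the service; a non-zero exit means at least one finding was printed.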
If you are not currently running a nameserver, you can install one as
follows:

    # yum install caching-nameserver

Make sure it starts up at every reboot:

    # chkconfig named on

Start the server:

    # service named start

Use the server for all DNS lookups by removing all "nameserver" lines from
/etc/resolv.conf and adding:

    nameserver 127.0.0.1

To ensure that your carefully-edited /etc/resolv.conf file doesn't get
clobbered by your DHCP client, add the following line to
/etc/sysconfig/network:

    PEERDNS=no

Configuring the server to forward VirtenSys network lookups down the VPN is
just a case of adding the following entries to /etc/named.conf:

    //
    // Forward VirtenSys DMZ forward and reverse DNS lookups down the VPN
    //
    zone "dmz.virtensys.com" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };
    zone "exchange.virtensys.com" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };
    zone "0.10.10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };

    //
    // Forward VirtenSys Extranet forward and reverse DNS lookups down the VPN
    //
    zone "extranet.virtensys.com" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };
    zone "0.20.10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };

    //
    // Forward US LAN forward and reverse DNS lookups down the VPN
    //
    zone "virtensys-us.local" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };
    zone "164.168.192.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };

    //
    // Forward UK LAN forward and reverse DNS lookups down the VPN
    //
    zone "uk.virtensys.com" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };
    zone "0.8.10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };
    zone "0.9.10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };
    zone "1.9.10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };
    zone "2.9.10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };
    zone "3.9.10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };
    zone "4.9.10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };
    zone "5.9.10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };
    zone "6.9.10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };
    zone "7.9.10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.9.0.3; 10.9.1.1; };
    };

You can then restart the nameserver:

    # service named restart

Installation is now complete.
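The seventeen zone entries above differ only in the zone name, and the forwarder list is repeated in every one of them, so a change of VPN-side resolver means editing every stanza. As an added example that is not part of the VirtenSys guide or of BIND, the script below generates the same stanzas from a list of domain names and /24 prefixes, keeping the forwarders in one place and deriving the in-addr.arpa names automatically. The function names and the grouping comments are assumptions; the zone names and forwarder addresses are those listed in the guide.

```shell
#!/bin/sh
# Added example, not part of the VirtenSys guide: generate the repetitive
# "type forward" stanzas for /etc/named.conf from a list of domains and /24
# prefixes, so the forwarder list lives in one place. Output goes to stdout.

FORWARDERS="10.9.0.3; 10.9.1.1;"   # the VPN-side resolvers from the guide

# Turn a dotted /24 prefix such as 10.10.0 into 0.10.10.in-addr.arpa.
reverse_zone() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Print one forward-only zone stanza for zone name $1.
forward_stanza() {
    printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders { %s };\n};\n' \
        "$1" "$FORWARDERS"
}

# $1 is a comment describing the group; the remaining arguments are domain
# names or /24 prefixes (anything made only of digits and dots is a prefix
# and is converted to its reverse zone).
zone_group() {
    printf '//\n// %s\n//\n' "$1"; shift
    for z in "$@"; do
        case $z in
            *[!0-9.]*) forward_stanza "$z" ;;
            *)         forward_stanza "$(reverse_zone "$z")" ;;
        esac
    done
}

# Generate the full set used by the guide (same zones, same forwarders).
gen_virtensys_zones() {
    zone_group "Forward VirtenSys DMZ forward and reverse DNS lookups down the VPN" \
        dmz.virtensys.com exchange.virtensys.com 10.10.0
    zone_group "Forward VirtenSys Extranet forward and reverse DNS lookups down the VPN" \
        extranet.virtensys.com 10.20.0
    zone_group "Forward US LAN forward and reverse DNS lookups down the VPN" \
        virtensys-us.local 192.168.164
    zone_group "Forward UK LAN forward and reverse DNS lookups down the VPN" \
        uk.virtensys.com 10.8.0 10.9.0 10.9.1 10.9.2 10.9.3 10.9.4 10.9.5 10.9.6 10.9.7
}

# Sanity check: the guide lists 17 zones, so the generator should too.
count_zones() { gen_virtensys_zones | grep -c '^zone '; }

gen_virtensys_zones
echo "// generated $(count_zones) zones" >&2

# Validate the live config if BIND's checker is installed (no-op otherwise).
if command -v named-checkconf >/dev/null 2>&1 && [ -f /etc/named.conf ]; then
    named-checkconf /etc/named.conf || echo "named.conf has errors" >&2
fi
```

Redirect the output into a separate file, pull it into /etc/named.conf with an include statement, and run named-checkconf before the restart so a typo in a zone name is caught before named refuses to start.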