Abstract
A quick look at the steps needed to bring two tunnels up, each to a different host.
This document is a run-through of setting up a few tunnels with carpaltunnel. I expect you ... (TODO)
# cd /etc
# mkdir openvpn
# cd openvpn
# cp /usr/share/doc/carpaltunnel/examples/carpaltunnel-config .
Now edit carpaltunnel-config. It should contain enough instructions for you to manage.
Run carpaltunnel on each host.
# carpaltunnel
Now every host should have set up a local certificate authority, created a key, and signed it with the local certificate authority.
CarpalTunnel uses peer-to-peer trust semantics, so there is no central certificate authority. Instead, each host operates its own CA and signs its own key. You decide separately, for each pair of hosts, whether one host trusts the other, and the participants in the VPN are not required to trust a central CA.
To make the hosts trust each other, for each pair (A, B) of hosts that have a tunnel, we need to transfer the public key of A's certificate authority to B, and vice versa. The file that contains this public key is /etc/openvpn/keys/ca/ca.crt, and it should be transferred to /etc/openvpn/peerkeys/full_host_name_of_source.crt on the destination host.
You can use any method you like to transfer the public key; its contents need not be kept secret. However, be aware that any attacker who can modify the file in transit gains full access to your tunnel, so verify that the file has not changed, e.g. by comparing a SHA-1 digest of the file obtained over a separate channel.
To make transferring CA public keys in a homogeneous environment easier, carpaltunnel provides functionality to push and pull keys between hosts with a single command. This uses rsync under the hood. The following examples should clarify its usage.
Host foo.example.com pulls host bar.example.com's CA certificate:
# carpaltunnel --pull bar.example.com
Host foo.example.com pushes its CA certificate to host bar.example.com:
# carpaltunnel --push bar.example.com
Note that rsync should probably run over ssh, so it may prompt for interactive authentication, etc. Also, you may not have read or write access to the relevant files. If a push or pull fails, you can always fall back to any alternative method. In general, pull is likely to work in most cases if you have write access to the local peerkeys directory. Note that you really have to use fully qualified host names, or the files will be invalidly named.
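As an added example (not part of carpaltunnel itself), the following POSIX shell script implements the manual transfer path described above: it checks a received ca.crt against a SHA-1 digest obtained over a separate channel, rejects peer names that are not fully qualified, and installs the file under the peerkeys naming convention. The function names and the PEERKEYS_DIR override are assumptions made for this example.

```shell
#!/bin/sh
# Verify and install a peer's CA certificate for carpaltunnel.
# PEERKEYS_DIR defaults to the path the document uses; it can be
# overridden (e.g. for testing) without editing the script.
PEERKEYS_DIR="${PEERKEYS_DIR:-/etc/openvpn/peerkeys}"

# Return 0 only if the name looks fully qualified: at least one dot,
# hostname characters only, no leading/trailing/double dots.
is_fqdn() {
    case "$1" in
        *.*) ;;                          # has a dot: keep checking
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9.-]*) return 1 ;;    # illegal character
        .*|*.|*..*) return 1 ;;          # malformed dots
    esac
    return 0
}

# Print the SHA-1 digest of a file (sha1sum, or openssl as fallback).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha1 -r "$1" | cut -d' ' -f1
    fi
}

# install_peer_ca <peer-fqdn> <received-ca.crt> <expected-sha1>
# Installs the file as $PEERKEYS_DIR/<peer-fqdn>.crt only if the
# digest matches. Return codes: 0 ok, 2 bad name, 3 digest mismatch.
install_peer_ca() {
    peer="$1"; src="$2"; expected="$3"
    is_fqdn "$peer" || { echo "not a fully qualified host name: $peer" >&2; return 2; }
    actual=$(sha1_of "$src")
    if [ "$actual" != "$expected" ]; then
        echo "SHA-1 mismatch for $src: got $actual, expected $expected" >&2
        return 3
    fi
    mkdir -p "$PEERKEYS_DIR"
    dest="$PEERKEYS_DIR/$peer.crt"
    # 0644: the CA certificate is public; integrity, not secrecy, matters.
    cp "$src" "$dest" && chmod 0644 "$dest"
}
```

After a successful install on both hosts, run carpaltunnel again as the document describes.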
When you have copied the CA public keys, run carpaltunnel again on each host. This time it sees that files exist in peerkeys, and as it now has everything needed to pass traffic on that tunnel, a configuration file is written for the tunnel. The tunnels will be started automatically on boot, or with
/etc/init.d/openvpn start