Abstract
A quick look at the steps needed to bring two tunnels up, each to a different host.
This document is a run-through of setting up a few tunnels with carpaltunnel. I expect you ... (TODO)
# cd /etc
# mkdir openvpn
# cd openvpn
# cp /usr/share/doc/carpaltunnel/examples/carpaltunnel-config .
Now edit carpaltunnel-config. It should contain enough instructions for you to manage.
Run carpaltunnel on each host.
# carpaltunnel
Now every host should have set up a local certificate authority, created a key, and signed it with the local certificate authority.
CarpalTunnel uses peer-to-peer trust semantics, so there is no central certificate authority. Instead, each host operates its own CA and signs its own key. Whether one host trusts another is decided separately for each host pair, and participants in the VPN are not required to trust any central CA.
To make the hosts trust each other, for each pair (A, B) of hosts that have a tunnel, we need to transfer the public key of A's certificate authority to B, and vice versa. The file that contains this public key is /etc/openvpn/keys/ca/ca.crt, and it should be transferred to /etc/openvpn/peerkeys/full_host_name_of_source.crt on the destination host.
You can use any method you like to transfer the CA certificate; its contents need not be kept secret. Be aware, however, that an attacker who can modify the file in transit can substitute a CA of their own choosing, after which the receiving host will accept that attacker as the peer and the tunnel is theirs. So check that the file has not changed, e.g. by comparing a cryptographic checksum (SHA-256 via sha256sum; SHA-1 is no longer recommended) that was obtained over a separate channel from the file itself, since a checksum sent the same way can be replaced along with the file.
To make transferring CA public keys in a homogeneous environment easier, carpaltunnel provides functionality to push and pull keys between hosts with a single command. This uses rsync under the hood. The following examples should clarify its usage.
Host foo.example.com pulls host bar.example.com's CA certificate:
# carpaltunnel --pull bar.example.com
Host foo.example.com pushes its CA certificate to host bar.example.com:
# carpaltunnel --push bar.example.com
Note that rsync should probably run over ssh, so it may prompt for interactive authentication, and you may not have read or write access to the relevant files on the remote host. If a push or pull fails, you can always fall back to any other transfer method. In general, pull is likely to work in most cases, since it only needs write access to the local peerkeys directory. Note also that you really have to use fully qualified host names, or the files will be invalidly named.
When you have copied the CA certificates, run carpaltunnel again on each host. This time it sees that files exist in peerkeys and, as it now has everything needed to pass traffic on that tunnel, writes a configuration file for the tunnel. The tunnels will be started automatically on boot, or with /etc/init.d/openvpn start
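The manual fallback described above, as an added example (this is not carpaltunnel's own code): a small POSIX sh function that installs a peer's CA certificate into the peerkeys directory under its fully qualified host name, but only after the file's SHA-256 checksum matches one you obtained over a separate trusted channel. The peerkeys path is taken from this document; the use of SHA-256, the function names and the constructed certificate bytes in the demo are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of carpaltunnel. Installs a peer CA certificate into
# PEERKEYS_DIR/<fqdn>.crt after verifying a checksum obtained out of band.
# PEERKEYS_DIR defaults to the path used in this document (assumption: the
# caller may override it, e.g. for testing).

PEERKEYS_DIR="${PEERKEYS_DIR:-/etc/openvpn/peerkeys}"

# Print the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_peer_ca FQDN CERTFILE EXPECTED_SHA256
# Returns 0 and creates PEERKEYS_DIR/FQDN.crt on success; nonzero otherwise,
# in which case nothing is written to the peerkeys directory.
install_peer_ca() {
    fqdn="$1"; certfile="$2"; expected="$3"

    # A bare host name would produce a wrongly named peer file (see above).
    case "$fqdn" in
        *.*) ;;
        *) echo "refusing unqualified host name: $fqdn" >&2; return 2 ;;
    esac

    [ -r "$certfile" ] || { echo "cannot read $certfile" >&2; return 3; }

    # The checksum must come from a channel independent of the file itself.
    actual="$(sha256_of "$certfile")"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $fqdn: got $actual" >&2
        return 1
    fi

    # Copy into place atomically so a half-written file is never trusted.
    mkdir -p "$PEERKEYS_DIR"
    tmp="$PEERKEYS_DIR/.$fqdn.crt.tmp"
    cp "$certfile" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$PEERKEYS_DIR/$fqdn.crt"
}

# Demonstration on a constructed (not real) certificate in a temporary directory.
demo() {
    tmpd="$(mktemp -d)"
    PEERKEYS_DIR="$tmpd/peerkeys"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n' > "$tmpd/ca.crt"
    good="$(sha256_of "$tmpd/ca.crt")"   # in practice: read out over the phone, etc.
    install_peer_ca bar.example.com "$tmpd/ca.crt" "$good" \
        && echo "installed $PEERKEYS_DIR/bar.example.com.crt"
    install_peer_ca bar.example.com "$tmpd/ca.crt" deadbeef \
        || echo "rejected file whose checksum did not match, as expected"
    rm -rf "$tmpd"
}
```

Call demo to see both the accepted and the rejected case; in real use, run install_peer_ca as root with the checksum the peer's administrator gave you over a channel you trust, and only then rerun carpaltunnel so that it writes the tunnel configuration.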