[ << ] | [ < ] | [ Up ] | [ > ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
2 Installation
This chapter describes how to build and install Campagnol. The procedure is the same on all the supported platforms.
2.1 Dependencies
2.2 Building Campagnol
2.3 Creating the certificates
2.1 Dependencies
2.1.1 Runtime dependencies
2.1.2 Build-time dependencies
2.1.1 Runtime dependencies
- OpenSSL library version >= 0.9.8m, http://www.openssl.org/
Using OpenSSL 1.0.0* is recommended.
Cygwin users should use the OpenSSL package from the Cygwin repository.
- TUN/TAP driver
For Linux and *BSD, the TUN/TAP driver is the Universal TUN/TAP driver from http://vtun.sourceforge.net/tun.
This driver is included in the default kernel of FreeBSD, NetBSD and OpenBSD. The kernel option on Linux is called ‘CONFIG_TUN’ (which is enabled in the default kernel of most Linux distributions).
For Cygwin, the TAP driver comes from the OpenVPN project (TAP-Win32). It is available on their website (http://openvpn.net).
2.1.2 Build-time dependencies
In addition to the runtime dependencies, you need the following packages to build Campagnol:
- OpenSSL development packages
The development files for OpenSSL are sometimes shipped in a separate package (openssl-dev, libssl-dev…).
- If the source tree doesn’t contain the ‘./configure’ file (because you checked out the sources from the SVN repository), you will also need:
- autoconf >= 2.61
- automake >= 1.10
2.2 Building Campagnol
If the ‘./configure’ script is missing, you first need to prepare the source tree by running:
autoreconf -if
You then need to run the ‘configure’ script. Its ‘--help’ option lists the available options:
./configure --help
The script uses pkg-config to locate OpenSSL. If you do not have pkg-config, or if you have installed OpenSSL in a non-standard directory, have a look at the ‘--with-openssl*’ options of the ‘configure’ script, for example:
./configure --with-openssl=/usr/local
If you do not want to build the RDV server or the client, you can use the options ‘--disable-server’ and ‘--disable-client’.
Build Campagnol:
make
Install Campagnol:
make install
2.3 Creating the certificates
You will need to create a small certificate authority for your VPN.
Campagnol comes with a small wrapper script around the OpenSSL utilities: ca_wrap.sh. It can be used to
- create a basic OpenSSL configuration file
- build the root certificate authority key and certificate
- create new keys and signed certificates for your VPN
- revoke certificates
- generate a certificate revocation list
2.3.1 Startup
2.3.2 Create the root CA
2.3.3 Create a key and a signed certificate for a client
2.3.4 Revoke a certificate
2.3.5 Generate a CRL
2.3.1 Startup
- Create a directory (e.g. ‘/etc/campagnol/’) for your CA and copy the script into this directory.
- Edit the script. You will have to check/set the variables defined at the top of the file:
- ‘TOP_DIR’ is the working directory. It can be an absolute path or a relative path from your current directory.
- the ‘SSL_*_DEFAULT’ variables define the default certificate validity period, the default key size, and the default values for the certificate fields. They are used to generate the configuration file.
- Run
./ca_wrap.sh gen_conf
to create the directories and the configuration file.
- You may review the generated file before going further, as the following steps all use it.
2.3.2 Create the root CA
- Run
./ca_wrap.sh gen_ca
This will create the CA private key, the root certificate and the necessary files (database, serial number).
- You are asked for a pass phrase to protect the CA private key. This key signs every client certificate and every CRL, so choose a strong pass phrase and keep the key off the clients.
- You are asked for the fields of the certificate. The default values are the ones you defined at the beginning of the script.
2.3.3 Create a key and a signed certificate for a client
For each client on the VPN, you will have to create a new key/certificate.
- Use the gen_cert command, for example:
./ca_wrap.sh gen_cert box_1
This will create a new key and signed certificate that will be output in the directory ‘box_1’.
- You are asked for fields of the certificate.
The default ‘Organizational Unit Name’ is set to the directory name. You should set something unique for the ‘Common Name’, although the script does not require it. The default values are fine for the other fields.
Note that with the generated configuration file, the ‘Country Name’, ‘State Or Province Name’ and ‘Organization Name’ fields must be the same for the CA certificate and the client certificates; a request with different values is rejected by the CA policy.
- You are asked for the pass phrase of the CA private key to sign the certificate request.
- The key is in ‘box_1/key.pem’. The certificate is in ‘box_1/certificate.pem’ and a copy is kept in the ‘certs/’ directory. The database of the CA has been updated with the new certificate.
- The client will need this key and certificate, and the CA certificate (‘cacert.pem’) to do mutual authentication. Keep the key private (readable only by the user running Campagnol, e.g. mode 0600) and distribute it to the client using a secure channel.
2.3.4 Revoke a certificate
If the key of a client has been compromised or if you do not want to authorize it anymore, you can revoke the certificate.
- If you want to revoke the certificate in the ‘old_cert’ directory (which must have been created with
./ca_wrap.sh gen_cert old_cert
), run:
./ca_wrap.sh revoke_crt old_cert
- You are asked for the pass phrase of the CA private key.
- The CA database is updated.
2.3.5 Generate a CRL
Revoking a certificate only updates the CA database. To tell the clients that some certificates have been revoked, you have to create a Certificate Revocation List and distribute it to all the clients; a revoked client keeps being accepted until the other clients have the new CRL.
- Run
./ca_wrap.sh gen_crl
- You are asked for the pass phrase of the CA private key.
- The CRL is in ‘crl.pem’. Its default validity period is defined in the configuration file. Regenerate and redistribute it before that period ends: OpenSSL treats an expired CRL as a verification error when CRL checking is enabled.
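The whole lifecycle of sections 2.3.1 to 2.3.5 (configuration, root CA, client certificate, revocation, CRL), as an added example that uses the plain openssl command-line tool in a scratch directory so that every step can be checked. This is not ca_wrap.sh or any Campagnol code; the function names, the CA_DIR, CA_PASS and CA_DN variables and the constructed certificate fields are chosen for this example, and it assumes ‘openssl’ is in PATH.

```shell
#!/bin/sh
# Added example (not part of Campagnol or ca_wrap.sh): the same CA lifecycle
# (root CA -> client cert -> revoke -> CRL) done with the plain openssl CLI in a
# scratch directory, so each step can be checked. Assumes `openssl` is in PATH.
# CA_DIR, CA_PASS and CA_DN are names chosen for this example.
set -e
CA_DIR="${CA_DIR:-$(mktemp -d)}"              # stands in for TOP_DIR
CA_PASS="${CA_PASS:-demo-only-passphrase}"    # CA key pass phrase (demo value)
CA_DN="/C=FR/ST=Some-State/O=Campagnol VPN"   # C/ST/O shared by every certificate
CONF="$CA_DIR/openssl.cnf"

# Directory layout and config. The policy section pins C, ST and O to the CA's
# values (the "must be the same" rule in the manual) and requires a CN.
ca_init() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/private"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    cat > "$CONF" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/certs
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = vpn_policy
x509_extensions = v3_client
[ vpn_policy ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Root CA: pass-phrase-protected key and self-signed certificate.
ca_gen_ca() {
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null
    openssl req -config "$CONF" -new -x509 -days 3650 -key "$CA_DIR/private/cakey.pem" \
        -passin "pass:$CA_PASS" -subj "$CA_DN/CN=Campagnol CA" -out "$CA_DIR/cacert.pem"
}

# Client key, request and CA-signed certificate in a directory named after the client.
ca_gen_cert() {
    mkdir -p "$CA_DIR/$1"
    openssl genrsa -out "$CA_DIR/$1/key.pem" 2048 2>/dev/null
    openssl req -config "$CONF" -new -key "$CA_DIR/$1/key.pem" \
        -subj "$CA_DN/OU=$1/CN=$1" -out "$CA_DIR/$1/request.pem"
    openssl ca -config "$CONF" -batch -notext -passin "pass:$CA_PASS" \
        -in "$CA_DIR/$1/request.pem" -out "$CA_DIR/$1/certificate.pem" 2>/dev/null
}

# Mark a client's certificate revoked in the CA database (index.txt).
ca_revoke() {
    openssl ca -config "$CONF" -passin "pass:$CA_PASS" -revoke "$CA_DIR/$1/certificate.pem" 2>/dev/null
}

# Sign a CRL listing the revocations; this is the file the peers must be given.
ca_gen_crl() {
    openssl ca -config "$CONF" -passin "pass:$CA_PASS" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Number of revoked entries in the CA database ("R" lines).
ca_revoked_count() { grep -c '^R' "$CA_DIR/index.txt" || true; }

# Succeeds if $1 chains to cacert.pem and, when a CRL is given as $2, is not on it.
# Looks for ": OK" in the output because old openssl verify versions exited 0 on failure.
cert_is_valid() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$CA_DIR/cacert.pem" -CRLfile "$2" -crl_check "$1" 2>&1
    else
        openssl verify -CAfile "$CA_DIR/cacert.pem" "$1" 2>&1
    fi | grep -q ': OK$'
}

# Run the whole lifecycle: two clients, revoke the first, publish the CRL, check both.
report() { if cert_is_valid "$CA_DIR/$1/certificate.pem" "$CA_DIR/crl.pem"; then echo "$1: valid"; else echo "$1: rejected"; fi; }
ca_init; ca_gen_ca; ca_gen_cert box_1; ca_gen_cert box_2; ca_revoke box_1; ca_gen_crl
report box_1; report box_2
```

Without the CRL both certificates still verify against cacert.pem, which is exactly why the CRL has to reach every client after a revocation.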
This document was generated using texi2html 5.0.