
Tutorial for CarpalTunnel

Tommi Virtanen

   Jul 18, 2002
     _________________________________________________________________

   Table of Contents

   Introduction
   Installation
   Configuration
   Deployment

        Creation of keys and certificates
        Establishing trust
        Starting the VPN

   Finetuning

   Abstract

   A quick look at the steps needed to bring two tunnels up, each to a
   different host.

Introduction

   This document is a run-through of setting up a few tunnels with
   carpaltunnel. I expect you ... (TODO)

Installation

   # apt-get install carpaltunnel

Configuration

   # cd /etc
   # mkdir openvpn
   # cd openvpn
   # cp /usr/share/doc/carpaltunnel/examples/carpaltunnel-config .

   Now edit carpaltunnel-config. It should contain enough instructions
   for you to manage.

Deployment

Creation of keys and certificates

   Run carpaltunnel on each host.

     # carpaltunnel

   Now every host should have set up a local certificate authority,
   created a key, and signed it with the local certificate authority.

Establishing trust

   CarpalTunnel uses peer-to-peer trust semantics, so there is no central
   certificate authority. Instead, each host operates its own CA and
   signs its own key. You can decide whether a host trusts another
   separately for each host pair, and the participants in the VPN need
   not trust a central CA.

   To make the hosts trust each other, for each pair (A, B) of hosts that
   have a tunnel, we need to transfer the public key of A's certificate
   authority to B, and vice versa. The file that contains this public key
   is /etc/openvpn/keys/ca/ca.crt, and it should be transferred to
   /etc/openvpn/peerkeys/full_host_name_of_source.crt on the destination
   host.

   You can use any method you like to transfer the public key; its
   contents need not be kept secret. However, be aware that any attacker
   who can modify the file in transit gains full access to your tunnel,
   so compare a digest of the file (e.g. SHA-1) against one obtained from
   the source host over a separate channel to check that it has not
   changed.

   To make transferring CA public keys in a homogeneous environment
   easier, carpaltunnel provides functionality to push and pull keys
   between hosts with a single command. This uses rsync under the hood.
   The following examples should clarify its usage.

   Host foo.example.com pulls host bar.example.com's CA certificate:

     # carpaltunnel --pull bar.example.com

   Host foo.example.com pushes its CA certificate to host
   bar.example.com:

     # carpaltunnel --push bar.example.com

   Note that rsync should probably run over ssh; it may prompt for
   interactive authentication, and so on. Also, you may not have read or
   write access to the relevant files. If a push or pull fails, you can
   always fall back to any alternative method. In general, pull is likely
   to work in most cases if you have write access to the local peerkeys
   directory. Note that you really have to use fully qualified host names,
   or the files will be named incorrectly.
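   The manual transfer path described above, as an added example that is
   not part of carpaltunnel: a small sh function (the name install_peer_ca,
   its argument order, and the use of sha1sum from coreutils are my own
   assumptions) that installs a copy of a peer's ca.crt as
   peerkeys/<fqdn>.crt only after its SHA-1 digest matches the value you
   obtained from the peer's administrator over a separate channel, and that
   refuses unqualified host names or overwriting an existing peer file.

```shell
#!/bin/sh
# Added example (not carpaltunnel's own code): install a peer's CA
# certificate as <peerkeys-dir>/<fqdn>.crt after verifying its SHA-1.
# Usage: install_peer_ca <peer-fqdn> <copy-of-ca.crt> <expected-sha1> [peerkeys-dir]
install_peer_ca() {
    peer=$1
    cert=$2
    expected=$(printf '%s' "$3" | tr 'A-Z' 'a-z')   # sha1sum prints lowercase
    dir=${4:-/etc/openvpn/peerkeys}

    # carpaltunnel keys the file on the fully qualified host name; reject
    # bare names and anything that could escape the peerkeys directory.
    case "$peer" in
        */*|.*|*..*)
            echo "refusing: bad peer name '$peer'" >&2; return 2 ;;
        *.*) ;;
        *)
            echo "refusing: '$peer' is not a fully qualified host name" >&2
            return 2 ;;
    esac

    [ -r "$cert" ] || { echo "refusing: cannot read $cert" >&2; return 2; }

    # Whoever can alter the file in transit would become a trusted CA for
    # this tunnel, so refuse anything whose digest does not match.
    actual=$(sha1sum "$cert" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "refusing: SHA-1 mismatch for $cert" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi

    # Never replace an existing trust anchor silently.
    if [ -e "$dir/$peer.crt" ]; then
        echo "refusing: $dir/$peer.crt already exists" >&2; return 3
    fi
    mkdir -p "$dir" || return 1
    cp "$cert" "$dir/$peer.crt" && chmod 0644 "$dir/$peer.crt"
}
```

   Run it as root on the destination host with the peer's name exactly as
   carpaltunnel sees it, e.g. install_peer_ca bar.example.com /tmp/ca.crt
   <digest-from-bar's-admin>.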

Starting the VPN

   When you have copied the CA public keys, run carpaltunnel again on
   each host. This time it sees that files exist in peerkeys, and as it
   now has everything needed to pass traffic on that tunnel, a
   configuration file is written for the tunnel. The tunnels will be
   started automatically on boot, or with /etc/init.d/openvpn start.

Finetuning

   Talk about firewall rules here.. (TODO)
