Indeed, you had better start by installing OpenVPN:
sudo apt-get install openvpn
Then we need to create server and client certificates. For this, we use the easy-rsa tools shipped with OpenVPN.
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R $USER /etc/openvpn/easy-rsa/
If we want to do things nicely, we also modify /etc/openvpn/easy-rsa/vars for our own needs:
export KEY_COUNTRY="NL"
export KEY_PROVINCE="NH"
export KEY_CITY="Amsterdam"
export KEY_ORG="Vrije Universiteit"
export KEY_EMAIL="cs@vu.nl"
Now we can create the certificates:
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
cd /etc/openvpn/easy-rsa/
source vars
./pkitool client
Note that these last steps, which generate a certificate for a client, normally have to be repeated for every client. By enabling the duplicate-cn option in server.conf, however, we sidestep this restriction.
Clients need the following files to connect. We place them in /etc/openvpn/client for now.
cd /etc/openvpn/
sudo mkdir client
cd easy-rsa/keys
sudo cp ca.crt client.crt client.key ta.key ../../client/
It is now time to set up the server and client configuration files. First consider server.conf. You might want to start from one of the sample config files and edit it.
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
The server.conf that I am using looks a bit like this.
# No need for setting local.
# Let OpenVPN listen on every IP.
;local a.b.c.d
# These are default. Be sure to forward
# UDP port 1194 if you're behind a NAT.
port 1194
proto udp
# We set up a routed IP tunnel instead
# of a bridged ethernet tunnel. For
# the differences, check out this and
# that.
dev tun
# These are our certificates
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
# The OpenVPN server will take 192.168.0.1.
# Everything else is for the
# clients. Be sure that this network
# is not already used on your LAN.
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Push these routes to the client so
# that it can reach other private subnets
push "route 10.40.40.1 255.255.255.255"
push "route 10.40.40.17 255.255.255.255"
push "route 10.42.42.0 255.255.255.0"
# We generated only one client certificate,
# which multiple clients will use. Note
# that this is only allowed in testing
# environments :)
duplicate-cn
keepalive 10 120
comp-lzo
# More secure
user nobody
group nogroup
persist-key
persist-tun
# Log settings
verb 3
status status.log
log openvpn.log
log-append openvpn.log
This should be enough to start the server:
sudo /etc/init.d/openvpn restart
Our last configuration will be client.conf:
# This is the client configuration
client
# This should be similar to server.conf
dev tun
proto udp
# Replace
# of your OpenVPN server.
remote
# Keep trying indefinitely to resolve the host.
# Useful on laptops.
resolv-retry infinite
nobind
# More security
user nobody
group nogroup
persist-key
persist-tun
# Silence duplicate packet warnings
mute-replay-warnings
# Our certificates
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
ns-cert-type server
comp-lzo
# Log settings
verb 3
log rc-logs/red-cross.log
log-append rc-logs/red-cross.log
mute 20
Now move the client.conf above to /etc/openvpn/client/:
sudo mv client.conf ./client/
To let clients connect to your OpenVPN server, simply have them copy the contents of your /etc/openvpn/client/ directory into their own /etc/openvpn/ directory and restart OpenVPN with sudo /etc/init.d/openvpn restart. They should then be good to go.
Note that server.key, ta.key and client.key are secret files. Do not send them over in plain text.
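As an added check (not part of the original post), the following script parses a server.conf/client.conf pair in the format shown above and flags the points the post itself raises: duplicate-cn, mismatched tls-auth key directions, a missing user/group privilege drop, an empty remote line, and a dh file whose name suggests 1024-bit parameters. The two sample configs are constructed, trimmed copies of the post's configs.

```python
import shlex

# Constructed, trimmed copies of the post's server.conf and client.conf.
SERVER_CONF = """\
dev tun
dh dh1024.pem
tls-auth ta.key 0
push "route 10.42.42.0 255.255.255.0"
duplicate-cn
user nobody
group nogroup
"""
CLIENT_CONF = """\
client
remote
tls-auth ta.key 1
user nobody
group nogroup
"""

def parse_ovpn(text):
    """Map each directive to the list of its argument lists ('#'/';' are comments)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps push "route ..." as one argument
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def lint_pair(server_text, client_text):
    """Return findings for a server/client pair; an empty list means nothing flagged."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    out = []
    if "duplicate-cn" in s:
        out.append("server: duplicate-cn shares one cert, so a single client cannot be revoked")
    if "tls-auth" not in s or "tls-auth" not in c:
        out.append("tls-auth absent on one side: control channel not HMAC-protected")
    elif s["tls-auth"][0][1:2] and s["tls-auth"][0][1:2] == c["tls-auth"][0][1:2]:
        out.append("tls-auth key directions equal: server needs 0, client 1")
    for side, conf in (("server", s), ("client", c)):
        if "user" not in conf or "group" not in conf:
            out.append(f"{side}: no user/group drop, daemon keeps root privileges")
    if not any(args for args in c.get("remote", [])):
        out.append("client: remote has no host argument")
    if any(a and "1024" in a[0] for a in s.get("dh", [])):
        out.append("server: dh file name suggests 1024-bit params (name heuristic); use 2048+")
    return out
```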
In my situation, my OpenVPN server also acted as an OpenVPN client, connecting through the 10.42.42.0/24 tunnel. I wanted to give others access to this tunnel as well, which is why I needed to set up an OpenVPN server. In order to forward packets coming from the one tunnel through the other tunnel, I had to run the following commands as well:
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
Here tun1 is the tunnel that connects to the other OpenVPN environment.