Information gathered from https://help.ubuntu.com/12.04/serverguide/openvpn.html
and from https://openvpn.net/index.php/open-source/documentation/howto.html
First install openvpn:
sudo apt-get install openvpn
Public Key Infrastructure Setup
The first step in building an OpenVPN configuration is to establish a PKI (public key infrastructure). The PKI consists of:
- a separate certificate (which carries the public key) and private key for the server and for each client, and
- a master Certificate Authority (CA) certificate and key, which is used to sign each of the server and client certificates.
First change to root:
sudo su
Now make the folder where we'll do the server configuration:
mkdir /etc/openvpn/easy-rsa/
Now copy the openvpn example configuration and setup scripts:
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Next, edit /etc/openvpn/easy-rsa/vars adjusting the following to your environment:
export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL="steve@example.com"
While you're in vars, check KEY_SIZE as well: it sets the RSA key length and the size of the Diffie-Hellman parameters generated later (which is why the file is called dh1024.pem or dh2048.pem). Use 2048.
Run the following commands to generate the master Certificate Authority (CA) certificate and key. Note that ./clean-all wipes the keys/ directory, so only run it when starting a fresh PKI:
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-ca
Server Certificates:
Next, we will generate a certificate and private key for the server:
./build-key-server myservername
You will get two queries: "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]". Answer both with y.
Diffie Hellman parameters must be generated for the OpenVPN server:
./build-dh
The keys have been generated into the "keys/" subdirectory. A common practice is to copy them to the /etc/openvpn/ folder:
cd keys/
cp myservername.crt myservername.key ca.crt dh2048.pem /etc/openvpn/
chmod 600 /etc/openvpn/myservername.key
Note: the file may be called dh1024.pem instead of dh2048.pem, depending on the KEY_SIZE set in vars. Do not copy keys/ca.key to /etc/openvpn; the server does not need the CA private key at runtime, and whoever holds it can issue certificates the server will accept, so keep it off the VPN server if you can.
Client Certificates:
The client will also need a certificate to authenticate itself to the server.
To create the certificate and key for client1, run the following commands as root:
cd /etc/openvpn/easy-rsa/
source vars
./build-key client1
Give each client its own certificate with a unique Common Name; OpenVPN drops an existing session when a second client connects with the same name unless duplicate-cn is set. Copy the following files to the client using a secure method such as scp (the .key file is the client's credential; never send it over an untrusted channel):
- /etc/openvpn/ca.crt
- /etc/openvpn/easy-rsa/keys/client1.crt
- /etc/openvpn/easy-rsa/keys/client1.key
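Before copying the files above to /etc/openvpn or to a client, it is worth checking that easy-rsa produced what you expect. The script below is an added example (not from this write-up and not part of easy-rsa or OpenVPN); it assumes the file names used above (ca.crt, myservername.crt/.key, client1.crt/.key) and that the openssl command-line tool is installed. It verifies that a certificate chains to ca.crt, that the private key really belongs to it, that the key is not group/world readable, and that a server certificate carries the serverAuth extended key usage that build-key-server adds (and a client certificate does not), which is what a client's "remote-cert-tls server" or "ns-cert-type server" check relies on.

```shell
#!/bin/sh
# Added example (not from the page, easy-rsa or OpenVPN): sanity-check the
# files produced by build-ca / build-key-server / build-key before they are
# copied to /etc/openvpn or handed to a client.
#
# Checks:
#   1. the certificate chains to ca.crt              (openssl verify)
#   2. the private key belongs to that certificate   (same RSA modulus)
#   3. the private key is not group/world readable   (ls -l mode bits)
#   4. server cert: extendedKeyUsage includes TLS Web Server Authentication,
#      which build-key-server adds and clients verify with
#      "remote-cert-tls server" / "ns-cert-type server"
#   5. client cert: it does NOT carry serverAuth, so a stolen client
#      credential cannot be used to impersonate the server

# check_openvpn_pki CA_CRT CERT KEY [server|client]
# Returns 0 when all checks pass, 1 (with a message on stderr) otherwise.
check_openvpn_pki() {
    ca="$1"; crt="$2"; key="$3"; role="${4:-client}"

    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # 1. chain to the CA. Old openssl versions exit 0 even on failure,
    #    so look for the "<file>: OK" line instead of the exit status.
    openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$' ||
        { echo "$crt is not signed by $ca" >&2; return 1; }

    # 2. key matches certificate (compare RSA moduli). </dev/null stops
    #    openssl from waiting for a passphrase on an encrypted key.
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null </dev/null)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ] ||
        { echo "$key does not match $crt" >&2; return 1; }

    # 3. permissions: columns 5-10 of "ls -l" are the group/other bits
    case "$(ls -l "$key" | cut -c5-10)" in
        ------) ;;
        *) echo "$key is readable by group/other; chmod 600 it" >&2; return 1 ;;
    esac

    # 4./5. role-specific extended key usage
    if openssl x509 -noout -text -in "$crt" 2>/dev/null |
           grep -q 'TLS Web Server Authentication'; then
        has_server=1
    else
        has_server=0
    fi
    case "$role" in
        server) [ "$has_server" -eq 1 ] ||
            { echo "$crt lacks serverAuth; regenerate with build-key-server" >&2; return 1; } ;;
        client) [ "$has_server" -eq 0 ] ||
            { echo "$crt carries serverAuth; a client cert should not" >&2; return 1; } ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    return 0
}

# Stand-alone use against the paths assumed in this write-up:
#   sh check_pki.sh /etc/openvpn/ca.crt /etc/openvpn/myservername.crt /etc/openvpn/myservername.key server
#   sh check_pki.sh keys/ca.crt keys/client1.crt keys/client1.key client
if [ $# -ge 3 ]; then
    check_openvpn_pki "$@" && echo "OK: $2"
fi
```

Run it once for the server files and once per client before distributing anything; a client certificate that passes the "server" role check is a sign the wrong build script was used.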
Simple Server Configuration
Copy the example server configuration file from /usr/share/doc/openvpn/examples/sample-config-files/ and unpack it:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
Edit /etc/openvpn/server.conf to make sure the following lines point to the certificates and keys you created in the section above (relative paths are resolved from /etc/openvpn, where the init script starts the daemon):
ca ca.crt
cert myservername.crt
key myservername.key
dh dh2048.pem
Note: the dh line might need to be dh1024.pem, matching the file build-dh produced.
Now start the server. You will find logging and error messages in your syslog.
root@server:/etc/openvpn# service openvpn start
 * Starting virtual private network daemon(s)...
 *   Autostarting VPN 'server'                                    [ OK ]
Now check if OpenVPN created a tun0 interface:
root@server:/etc/openvpn# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
[...]
Simple Client Configuration
Copy the example client configuration file to the same location on the client computer as you did the previous client files (ca.crt, client1.crt, client1.key). The example configuration file is at /usr/share/doc/openvpn/examples/sample-config-files/client.conf. For Windows you'll probably want to rename the file to client1.ovpn instead of client1.conf.
The OpenVPN GUI program on Windows looks for the configuration files in C:\Program Files\OpenVPN\config by default, so that's probably where you want to place them once you're done editing the configuration file.
On Ubuntu you'll probably want to create a hidden .vpn folder in your home directory and place all the client files into that directory (keep client1.key readable only by your user). Also, if you're using network-manager on Ubuntu, install the OpenVPN network-manager plugin to be able to use OpenVPN configuration files with network-manager:
sudo apt-get install network-manager-openvpn
Other distros will have similar packages for network-manager that you can install.
For more client implementations check the following article:
https://help.ubuntu.com/12.04/serverguide/openvpn.html#openvpn-client-implementations
The minimal changes you need to make in the example configuration are as follows. Make sure the keyword client is in the configuration file and that the file has the correct OpenVPN server name or address:
client
remote vpnserver.example.com 1194
Also make sure your client.conf or client.ovpn (if you renamed it already) has the following lines pointing to your client certificate and key:
ca ca.crt
cert client1.crt
key client1.key
The sample client.conf also ships with a commented-out ";ns-cert-type server" line (newer OpenVPN versions use "remote-cert-tls server" instead). Uncomment it: it makes the client refuse any peer whose certificate was not issued as a server certificate (which is what build-key-server produces). Without it, anyone holding a client certificate from your CA could impersonate the server, as described in the OpenVPN HOWTO linked at the top.
Now import your VPN configuration file from the network-manager GUI and try connecting. If you're using another OS or a different client implementation the procedure will differ; see the client implementations link above. If the server is behind a NAT you'll be unable to connect yet, so continue to the next step.
Behind NAT Configurations
Basically all that you need to do in the gateway (the gateway may be your router) is forward port 1194, or whatever port you chose in the configuration files, to your OpenVPN server. Forward it as UDP unless you changed "proto" in server.conf; the sample configuration uses UDP. You will want a static IP address for your server. Next allow the port through your firewall on both the gateway and the OpenVPN server.
Including multiple machines on the server side when using a routed VPN (dev tun)
First, you must advertise your subnet to VPN clients as being accessible through the VPN. In this case we will assume that your subnet is 10.66.0.0/24 and the VPN IP address pool uses 10.8.0.0/24. This can easily be done with the following server-side config file directive:
push "route 10.66.0.0 255.255.255.0"
Note: if your IP address is 192.168.1.10 your subnet is probably 192.168.1.0/24. If that is the subnet on the server side you should probably change it: 192.168.1.0/24 is so common that a client sitting on the same range at home will have a routing conflict with the pushed route.
On Linux you can check your subnet with the ip command:
$ ip route
default via 192.168.1.1 dev br0
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.10
Next you need to set up a static route on the gateway to route the client subnet (10.8.0.0/24) to your OpenVPN server, so that replies from machines on the LAN find their way back into the tunnel instead of going to the default gateway.
Note: there might be a separate field to enter the netmask; for example,
192.168.0.0/24 would be written as 192.168.0.0, netmask 255.255.255.0
See more information here: http://en.wikipedia.org/wiki/Subnetwork
The last step is to enable IP forwarding on the OpenVPN server and allow the forwarded TUN traffic through its firewall.
On the server run the following command to enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
This does not survive a reboot; to make it permanent set net.ipv4.ip_forward=1 in /etc/sysctl.conf.
And the following commands to allow TUN forwarding in iptables (the firewall).
Allow TUN interface connections to the OpenVPN server:
iptables -A INPUT -i tun+ -j ACCEPT
Allow TUN interface connections to be forwarded through other interfaces:
iptables -A FORWARD -i tun+ -j ACCEPT
Both rules accept anything arriving from any VPN client. On a server that should only expose 10.66.0.0/24, narrow them with -s 10.8.0.0/24 and -d 10.66.0.0/24, and remember that iptables rules are also lost on reboot unless you save them (for example with the iptables-persistent package).
You can confirm the tunnel interface is up with netstat:
$ netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0  651606      0      9      0  430319      0      0      0 BMRU
lo    65536   0   73440      0      0      0   73440      0      0      0 LRU
tun0   1500   0       0      0      0      0       0      0      0      0 MOPRU
The P on tun0 comes from its point-to-point flag, not from promiscuous mode: compare the ifconfig output above, which lists POINTOPOINT and no PROMISC, and note that eth0 (BMRU) forwards fine without it. netstat -i uses the same letter for both flags, so use "ip link show tun0", which spells the flags out, if you need to check. Promiscuous mode is not required for a routed VPN and there is no reason to enable it.
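Putting the forwarding steps together, the script below is an added example (not from this write-up, and not part of OpenVPN or Ubuntu). It assumes the addresses used above, VPN pool 10.8.0.0/24 on tun0 and LAN 10.66.0.0/24 reached through eth0, and the older "-m state" match syntax that the iptables of that era accepts. It replaces the two tun+ rules with three rules scoped to those subnets: clients may reach the OpenVPN host and the LAN, and only replies to those flows are let back into the tunnel. "show" (the default) prints the commands; "apply" (as root) enables ip_forward persistently and adds each rule only if an identical one is not already present, so it is safe to re-run.

```shell
#!/bin/sh
# Added example (not from the page): server-side forwarding for the routed
# VPN described above, with the iptables rules narrowed to the VPN pool and
# the LAN subnet instead of accepting everything from tun+.
# Assumptions (override via environment): VPN pool 10.8.0.0/24 on tun0,
# LAN 10.66.0.0/24 reached through eth0.
# Nothing is applied unless run as root with "apply"; "show" just prints.

VPN_POOL="${VPN_POOL:-10.8.0.0/24}"
LAN_NET="${LAN_NET:-10.66.0.0/24}"
LAN_IF="${LAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"

# valid_cidr A.B.C.D/N -> 0 if well-formed (each octet 0-255, prefix 0-32)
valid_cidr() {
    ip="${1%/*}"; pfx="${1#*/}"
    [ "$ip" != "$1" ] || return 1            # no "/" present
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# forward_rules -> prints the iptables commands, one per line
forward_rules() {
    valid_cidr "$VPN_POOL" || { echo "bad VPN_POOL $VPN_POOL" >&2; return 1; }
    valid_cidr "$LAN_NET"  || { echo "bad LAN_NET $LAN_NET" >&2; return 1; }
    # 1. clients may talk to the OpenVPN host itself over the tunnel
    echo "iptables -A INPUT -i $TUN_IF -s $VPN_POOL -j ACCEPT"
    # 2. clients may reach the LAN subnet, and nothing else
    echo "iptables -A FORWARD -i $TUN_IF -o $LAN_IF -s $VPN_POOL -d $LAN_NET -j ACCEPT"
    # 3. only replies to those flows come back into the tunnel
    echo "iptables -A FORWARD -i $LAN_IF -o $TUN_IF -d $VPN_POOL -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# apply_forwarding -> enables ip_forward persistently and adds each rule once
apply_forwarding() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf 2>/dev/null ||
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    forward_rules | while read -r cmd; do
        # "iptables -C" reports whether an identical rule exists,
        # so re-running the script never duplicates rules
        check=$(echo "$cmd" | sed 's/ -A / -C /')
        $check 2>/dev/null || $cmd
    done
}

case "${1:-show}" in
    show)  forward_rules ;;
    apply) apply_forwarding ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

The static route on the gateway from the previous step is still required: rule 3 only admits replies that reach the OpenVPN server, and without that route the LAN machines send them to the default gateway instead.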
Glad it worked for you.
I pretty much just wrote this down for myself, so I didn't spend much time correcting mistakes in this post.
Thank you. Good configuration and scripts for VPN server. It works fine.