sudo apt-get install openvpnOpenVPN must be installed in both client and server, the configuration file used for starting the service will define the role of each PC.
Now we can start, stop or restart OpenVPN as usual:
Start OpenVPN:
/etc/init.d/openvpn startStop OpenVPN:
/etc/init.d/openvpn stopRestart OpenVPN:
/etc/init.d/openvpn restartEvery time you change settings in /etc/openvpn/openvpn.conf you need to restart OpenVPN.
Create Keys and Certificates
Now we need to create security certificates and keys. We'll do all this in the server as root:
cd /etc/openvpn/Copy the directory easy-rsa to /etc/openvpn:
cp -r /usr/share/doc/openvpn/examples/easy-rsa/ .Remember we're still inside the /etc/openvpn directory. Now let's edit the file vars with our favorite editor (replace vi with yours):
vi easy-rsa/varsKaiman reported a change for this part after June 2008:
vi easy-rsa/2.0/varsComment this line:
#export D=pwdAdd this one:
export D=/etc/openvpn/easy-rsaAnd modify as below:
export KEY_COUNTRY=PEexport KEY_PROVINCE=LIexport KEY_CITY=Limaexport KEY_ORG="Nombre-OpenVPN"export KEY_EMAIL="tu-nombre@example.com"Save and quit.
Now run:
. ./varsImportant: that's a period, a space and another period followed by /vars. This is a common confusion in many setups.
Now:
./clean-allThe next command creates your certificate authority (CA) using the parameters you just set, you should just add Common Name, I used OpenVPN-CA. For this step you'll need OpenSSL; if you don't have it in your server install it by running:
sudo apt-get install opensslOk, now we're ready:
./build-caNow let's create the keys, first the server:
./build-key-server serverThis is important. When build-key-server asks for Common Name write server, the same parameter you provided to the command.
Also you'll need to answer yes to these two questions:
Sign the certificate? [y/n]and
1 out of 1 certificate requests certified, commit? [y/n].
Now the key for the client:
./build-key client1Use client1 as Common Name, the same parameter you used above for build-key.
You can repeat this step if you want to have more clients, just replace the parameter with client2, client3, etc.
Now let's create Diffie Hellman parameters:
./build-dhThere you are! Now you should have a new directory with your certificates and keys: /etc/openvpn/easy-rsa/keys. To configure your first client copy these files from servo to cliento:
ca.crtclient1.crtclient1.keyIdeally you should use a secure channel, I use scp with RSA authentication (topic for another article):
scp alexis@servo:ca.crt .These commands assume you've copied the files to the home of user alexis on the server and assigned read permissions. Then move the files to /etc/openvpn on the client.
scp alexis@servo:client1.crtscp alexis@servo:client1.crt .
scp alexis@servo:client1.keyscp alexis@servo:client1.key .
The Configuration Files: openvpn.conf
Now go to your client and create openvpn.conf in /etc/openvpn. Write this inside:
dev tun
client
proto tcp
remote x.y.z.w 1194
resolv-retry infinite
nobind
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
# Set log file verbosity.
verb 3
Replace x.y.z.w with your server's public IP.
Now in the server: create openvpn.conf in /etc/openvpn and put this:
Now in the server: create openvpn.conf in /etc/openvpn and put this:
dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
#status openvpn-status.log
#verb 3
client-to-client
push "redirect-gateway def1"
#log-append /var/log/openvpn
comp-lzo
If youre connections are a little slow you can try disabling compression with this:
#comp-lzoFinally, configure IP forwarding and IPTables for doing NAT on the server:
echo 1 > /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
You can verify the rule was written correctly with:
If you made a mistake and want to remove all rules from IPTables:
Running ifconfig and route -n you should see a new interface, tun0, in both PC's.
Confirm you can connect with a ping to your new tun0 interfaces, for example:
sudo iptables -L -t natIf you have a firewall you should make sure your VPN traffic can be routed.
If you made a mistake and want to remove all rules from IPTables:
sudo iptables -F -t natNow restart OpenVPN in both client and server and you should be set.
Running ifconfig and route -n you should see a new interface, tun0, in both PC's.
Confirm you can connect with a ping to your new tun0 interfaces, for example:
ping 10.8.0.1
No comments:
Post a Comment