Linux/OpenVPN: Difference between revisions
< Linux
No edit summary |
|||
(9 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
Also see: [[OpenWrt/OpenVPN]] | Also see: [[OpenWrt/OpenVPN]] | ||
== EasyRSA keys == | |||
* [[Linux/OpenVPN/EasyRSA]] | |||
= OpenVPN - Routing Howto = | = OpenVPN - Routing Howto = | ||
Line 58: | Line 59: | ||
* apt-get install dnsmasq | * apt-get install dnsmasq | ||
* /etc/dnsmasq.conf | * /etc/dnsmasq.conf | ||
interface=tun0 | |||
bind-interfaces | bind-interfaces | ||
no-hosts | no-hosts | ||
Line 151: | Line 152: | ||
redirect-gateway def1 bypass-dhcp | redirect-gateway def1 bypass-dhcp | ||
= | = Required key files = | ||
Server: | |||
* ca.crt | |||
* dh.pem | |||
* server.crt | |||
* server.key | |||
* ta.key | |||
Clients: | |||
* ca.crt | |||
* client1.crt | |||
* client1.key | |||
* ta.key | |||
= Links = | = Links = | ||
* Web frontends: | * Web frontends: | ||
** https://github.com/Chocobozzz/OpenVPN-Admin | ** https://github.com/Chocobozzz/OpenVPN-Admin | ||
** https://github.com/furlongm/openvpn-monitor/ | ** https://github.com/furlongm/openvpn-monitor/ | ||
* https://heavymetaldev.com/openvpn-with-docker | |||
* http://www.smallnetbuilder.com/security/security-howto/30353-how-to-set-up-a-site-to-site-vpn-with-openvpn?start=4 | * http://www.smallnetbuilder.com/security/security-howto/30353-how-to-set-up-a-site-to-site-vpn-with-openvpn?start=4 |
Latest revision as of 19:41, 12 April 2022
Also see: OpenWrt/OpenVPN
EasyRSA keys
OpenVPN - Routing Howto
OpenVPN Internet Server
- easy-rsa
- /etc/openvpn/server.conf
port 1194 proto udp dev tun ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/server.crt key /etc/openvpn/easy-rsa/keys/server.key dh /etc/openvpn/easy-rsa/keys/dh2048.pem tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt client-config-dir /etc/openvpn/clients route 192.168.111.0 255.255.255.0 push "dhcp-option DNS 10.8.0.1" client-to-client keepalive 10 120 comp-lzo max-clients 20 user nobody group nogroup persist-key persist-tun status openvpn-status.log verb 3
;push "route 192.168.10.0 255.255.255.0" ;push "route 192.168.20.0 255.255.255.0"
;route 192.168.40.128 255.255.255.248 ;client-config-dir ccd ;route 10.9.0.0 255.255.255.252 ;learn-address ./script ;push "redirect-gateway def1 bypass-dhcp" ;push "dhcp-option DNS 208.67.222.222" ;push "dhcp-option DNS 208.67.220.220" ;duplicate-cn ;cipher BF-CBC # Blowfish (default) ;cipher AES-128-CBC # AES ;cipher DES-EDE3-CBC # Triple-DES ;log openvpn.log ;log-append openvpn.log ;mute 20
- /etc/openvpn/clients/router.local
iroute 192.168.111.0 255.255.255.0
- /etc/sysctl.conf
net.ipv4.ip_forward=1
- rc.local
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE /etc/init.d/dnsmasq start
- apt-get install dnsmasq
- /etc/dnsmasq.conf
interface=tun0 bind-interfaces no-hosts address=/server.domain.de/10.8.0.1
OpenVPN Home Router Client (OpenWrt)
- /etc/config/dhcp
option rebind_protection '0'
- /etc/openvpn/client.ovpn
client dev tun proto udp remote server.domain.de 1194 resolv-retry infinite nobind persist-key persist-tun ca /etc/openvpn/ca.crt cert /etc/openvpn/router.local.crt key /etc/openvpn/router.localt.key ns-cert-type server tls-auth /etc/openvpn/ta.key 1 comp-lzo verb 3 log /tmp/log/openvpn.log script-security 3 system up /etc/openvpn/tun-up.sh down /etc/openvpn/tun-down.sh
- /etc/openvpn/tun-up.sh
#!/bin/sh mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold #echo search mlnet > /tmp/resolv.conf.auto echo $foreign_option_1 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /tmp/resolv.conf.auto #echo $foreign_option_2 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto #echo $foreign_option_3 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
- /etc/openvpn/tun-down.sh
#!/bin/sh mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto
- OpenWrt / Network / Interfaces
Add interface Name: vpn protocol: unmanaged interface: tun0
- OpenWrt / Network / Firewall
Add zone Input: accept Output: accept Forward: accept Masquerading: check covered networks: vpn = check Interzone forwarding: allow to = check allow from = check
OpenVPN Mobile Client
- Internal traffic through VPN / Internet traffic through ISP
client dev tun proto udp remote server.domain.de 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert device1.crt key device1.key ns-cert-type server tls-auth ta.key 1 comp-lzo verb 3
- Internal traffic through VPN + Internet traffic through VPN
client dev tun proto udp remote server.domain.de 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert device1.crt key device1.key ns-cert-type server tls-auth ta.key 1 comp-lzo verb 3 redirect-gateway def1 bypass-dhcp
Required key files
Server:
- ca.crt
- dh.pem
- server.crt
- server.key
- ta.key
Clients:
- ca.crt
- client1.crt
- client1.key
- ta.key
Links
- Web frontends:
- http://www.smallnetbuilder.com/security/security-howto/30353-how-to-set-up-a-site-to-site-vpn-with-openvpn?start=4
- http://serverfault.com/questions/368412/getting-openvpn-to-fully-connect-two-networks
- http://wiki.ubuntuusers.de/OpenVPN
- http://sarwiki.informatik.hu-berlin.de/OpenVPN_(deutsch)#Wahl_des_virtuellen_Device
- http://openvpn.net/index.php/open-source/documentation/howto.html#pki
- http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_routed_VPN_between_two_routers#Server_Configuration
- https://blog.ipredator.se/howto/openwrt/configuring-openvpn-on-openwrt.html
- http://wiki.openwrt.org/doc/howto/vpn.server.openvpn.tun
- http://thomas-leister.de/allgemein/openvpn-server-als-internet-gateway-unter-ubuntu-12-04/
- https://wiki.archlinux.org/index.php/Openvpn
- http://www.area536.com/projects/securely-link-two-offices-using-openvpn/