Linux/OpenVPN: Difference between revisions

 
(31 intermediate revisions by the same user not shown)
Line 1: Line 1:
Also see: [[OpenWrt/OpenVPN]]
Also see: [[OpenWrt/OpenVPN]]


 
== EasyRSA keys ==
* [[Linux/OpenVPN/EasyRSA]]


= OpenVPN - Routing Howto =
= OpenVPN - Routing Howto =
== OpenVPN Internet Server ==
== OpenVPN Internet Server ==
* easy-rsa
* easy-rsa
* server.conf
* /etc/openvpn/server.conf
  port 1194
  port 1194
  proto udp
  proto udp
Line 17: Line 18:
  server 10.8.0.0 255.255.255.0
  server 10.8.0.0 255.255.255.0
  ifconfig-pool-persist ipp.txt
  ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/clients
route 192.168.111.0 255.255.255.0
  push "dhcp-option DNS 10.8.0.1"
  push "dhcp-option DNS 10.8.0.1"
  client-to-client
  client-to-client
Line 31: Line 34:
  ;push "route 192.168.10.0 255.255.255.0"
  ;push "route 192.168.10.0 255.255.255.0"
  ;push "route 192.168.20.0 255.255.255.0"
  ;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
 
  ;route 192.168.40.128 255.255.255.248
  ;route 192.168.40.128 255.255.255.248
  ;client-config-dir ccd
  ;client-config-dir ccd
Line 47: Line 50:
  ;mute 20
  ;mute 20


* /etc/openvpn/clients/router.local
iroute 192.168.111.0 255.255.255.0
* /etc/sysctl.conf
* /etc/sysctl.conf
  net.ipv4.ip_forward=1
  net.ipv4.ip_forward=1
Line 54: Line 59:
* apt-get install dnsmasq
* apt-get install dnsmasq
* /etc/dnsmasq.conf
* /etc/dnsmasq.conf
  interfaces=tun0
  interface=tun0
  bind-interfaces
  bind-interfaces
  no-hosts
  no-hosts
  address=/server.domain.de/10.8.0.1
  address=/server.domain.de/10.8.0.1


== OpenVPN Home Router Client ==
== OpenVPN Home Router Client (OpenWrt) ==
* /etc/config/dhcp
  option rebind_protection '0'
 
* /etc/openvpn/client.ovpn
client
dev tun
proto udp
remote server.domain.de 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/router.local.crt
key /etc/openvpn/router.localt.key
ns-cert-type server
tls-auth /etc/openvpn/ta.key 1
comp-lzo
verb 3
log /tmp/log/openvpn.log
script-security 3 system
up /etc/openvpn/tun-up.sh
down /etc/openvpn/tun-down.sh
 
* /etc/openvpn/tun-up.sh
#!/bin/sh
mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold
#echo search mlnet > /tmp/resolv.conf.auto
echo $foreign_option_1 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /tmp/resolv.conf.auto
#echo $foreign_option_2 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
#echo $foreign_option_3 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
 
* /etc/openvpn/tun-down.sh
#!/bin/sh
mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto
 
* OpenWrt / Network / Interfaces
Add interface
Name: vpn
protocol: unmanaged
interface: tun0
* OpenWrt / Network / Firewall
Add zone
Input: accept
Output: accept
Forward: accept
Masquerading: check
covered networks: vpn = check
Interzone forwarding: allow to = check
allow from = check
 
== OpenVPN Mobile Client ==
== OpenVPN Mobile Client ==
* Internal traffic through VPN / Internet traffic through ISP
* Internal traffic through VPN / Internet traffic through ISP
Line 96: Line 152:
  redirect-gateway def1 bypass-dhcp
  redirect-gateway def1 bypass-dhcp


== Links ==
= Required key files =
 
Server:
* ca.crt
* dh.pem
* server.crt
* server.key
* ta.key
 
Clients:
* ca.crt
* client1.crt
* client1.key
* ta.key
 
 
= Links =
* Web frontends:
** https://github.com/Chocobozzz/OpenVPN-Admin
** https://github.com/furlongm/openvpn-monitor/
 
* https://heavymetaldev.com/openvpn-with-docker
 
* http://www.smallnetbuilder.com/security/security-howto/30353-how-to-set-up-a-site-to-site-vpn-with-openvpn?start=4
* http://www.smallnetbuilder.com/security/security-howto/30353-how-to-set-up-a-site-to-site-vpn-with-openvpn?start=4
* http://serverfault.com/questions/368412/getting-openvpn-to-fully-connect-two-networks
* http://serverfault.com/questions/368412/getting-openvpn-to-fully-connect-two-networks
Line 110: Line 188:
* https://wiki.archlinux.org/index.php/Openvpn
* https://wiki.archlinux.org/index.php/Openvpn
* http://www.area536.com/projects/securely-link-two-offices-using-openvpn/
* http://www.area536.com/projects/securely-link-two-offices-using-openvpn/
[[Category:Linux/Services]]
[[Category:Linux]]
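Review bot: In the hunk at "Line 54: Line 59:", the new tun-up.sh writes `$foreign_option_1` into resolv.conf unquoted and through echo, so a value pushed by the server is word-split and globbed on the way in and could even be taken as an echo option; `printf '%s\n' "$foreign_option_1" | sed ...` keeps the value intact, and a `case` filter that admits only `dhcp-option DNS ...` / `dhcp-option DOMAIN ...` lines keeps anything else the server pushes out of the resolver file. The same section's client.ovpn uses `ns-cert-type server`, which later OpenVPN releases removed in favour of `remote-cert-tls server`, and `script-security 3 system`, where level 2 is enough for up/down hooks and the `system` method is the deprecated one. `key /etc/openvpn/router.localt.key` looks like a typo for `router.local.key`, given the `router.local.crt` line right above it. Setting `rebind_protection '0'` presumably exists so the pushed 10.8.0.1 answer is not dropped as a rebind attempt; OpenWrt's `list rebind_domain` can grant that exception for the one domain instead of switching the protection off for everything.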

Latest revision as of 19:41, 12 April 2022

Also see: OpenWrt/OpenVPN

EasyRSA keys

OpenVPN - Routing Howto

OpenVPN Internet Server

  • easy-rsa
  • /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca    /etc/openvpn/easy-rsa/keys/ca.crt
cert  /etc/openvpn/easy-rsa/keys/server.crt
key   /etc/openvpn/easy-rsa/keys/server.key
dh    /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/clients
route 192.168.111.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
client-to-client
keepalive 10 120
comp-lzo
max-clients 20
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;duplicate-cn
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
;log         openvpn.log
;log-append  openvpn.log
;mute 20
  • /etc/openvpn/clients/router.local
iroute 192.168.111.0 255.255.255.0
  • /etc/sysctl.conf
net.ipv4.ip_forward=1
  • rc.local
# rc.local additions for the OpenVPN server host.
# NAT everything arriving from the VPN pool out of the WAN interface, then
# bring up dnsmasq so the resolver pushed to clients (10.8.0.1) is serving.
vpn_pool=10.8.0.0/24
wan_if=eth0
iptables -t nat -A POSTROUTING -s "$vpn_pool" -o "$wan_if" -j MASQUERADE
/etc/init.d/dnsmasq start
  • apt-get install dnsmasq
  • /etc/dnsmasq.conf
interface=tun0
bind-interfaces
no-hosts
address=/server.domain.de/10.8.0.1

OpenVPN Home Router Client (OpenWrt)

  • /etc/config/dhcp
 option rebind_protection '0'
  • /etc/openvpn/client.ovpn
client
dev tun
proto udp
remote server.domain.de 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/router.local.crt
key /etc/openvpn/router.localt.key
ns-cert-type server
tls-auth /etc/openvpn/ta.key 1
comp-lzo
verb 3
log /tmp/log/openvpn.log
script-security 3 system
up /etc/openvpn/tun-up.sh
down /etc/openvpn/tun-down.sh
  • /etc/openvpn/tun-up.sh
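#!/bin/sh
# OpenVPN "up" hook for the OpenWrt router client.
# OpenVPN hands every server-pushed option it does not consume itself to
# this script as $foreign_option_1, $foreign_option_2, ... . The DNS and
# DOMAIN entries among them are rewritten into resolv.conf syntax and become
# the router's resolver configuration while the tunnel is up; tun-down.sh
# puts the saved DHCP-generated file back.
resolv=/tmp/resolv.conf.auto
hold=$resolv.hold

# Keep the first saved copy if "up" fires again without a matching "down"
# (reconnect): moving again would overwrite it with our own generated file.
[ -e "$hold" ] || mv -- "$resolv" "$hold"

# Start from an empty file so nothing from a previous run carries over.
: > "$resolv"
#echo search mlnet > /tmp/resolv.conf.auto

i=1
while :; do
  # POSIX sh has no indirect expansion; the evaluated name is built only
  # from the integer counter, so pushed data cannot influence the eval.
  eval "opt=\${foreign_option_$i}"
  [ -n "$opt" ] || break
  case $opt in
    "dhcp-option DNS "*|"dhcp-option DOMAIN "*)
      # Quoted and via printf: the value comes from the server, so it must
      # not be word-split, globbed, or interpreted as an echo option.
      printf '%s\n' "$opt" \
        | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> "$resolv"
      ;;
    *)
      # Anything else the server pushes is not resolv.conf syntax; drop it.
      ;;
  esac
  i=$((i + 1))
done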
  • /etc/openvpn/tun-down.sh
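#!/bin/sh
# OpenVPN "down" hook for the OpenWrt router client: put the resolver file
# saved by tun-up.sh back so the router returns to its DHCP-provided DNS
# once the tunnel closes.
resolv=/tmp/resolv.conf.auto
hold=$resolv.hold

# Nothing to restore if "up" never ran or already restored: leave the current
# file alone and exit 0 instead of failing on a missing source.
if [ -e "$hold" ]; then
  mv -- "$hold" "$resolv"
fi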
  • OpenWrt / Network / Interfaces
Add interface
Name: vpn
protocol: unmanaged
interface: tun0
  • OpenWrt / Network / Firewall
Add zone
Input: accept
Output: accept
Forward: accept
Masquerading: check
covered networks: vpn = check
Interzone forwarding: allow to = check
allow from = check

OpenVPN Mobile Client

  • Internal traffic through VPN / Internet traffic through ISP
client
dev tun
proto udp
remote server.domain.de 1194 
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert device1.crt
key device1.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
  • Internal traffic through VPN + Internet traffic through VPN
client
dev tun
proto udp
remote server.domain.de 1194
resolv-retry infinite
nobind 
persist-key
persist-tun
ca ca.crt
cert device1.crt
key device1.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
redirect-gateway def1 bypass-dhcp

Required key files

Server:

  • ca.crt
  • dh.pem
  • server.crt
  • server.key
  • ta.key

Clients:

  • ca.crt
  • client1.crt
  • client1.key
  • ta.key


Links