Linux/OpenVPN: Difference between revisions

From Wiki
No edit summary
Line 152: Line 152:


= Required key files =
= Required key files =
Server:
* ca.crt
* dh.pem
* server.crt
* server.key
* ta.key
Clients:
* ca.crt
* client1.crt
* client1.key
* ta.key


= EasyRSA 3.x =
= EasyRSA 3.x =

Revision as of 20:49, 27 May 2019

Also see: OpenWrt/OpenVPN


OpenVPN - Routing Howto

OpenVPN Internet Server

  • easy-rsa
  • /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca    /etc/openvpn/easy-rsa/keys/ca.crt
cert  /etc/openvpn/easy-rsa/keys/server.crt
key   /etc/openvpn/easy-rsa/keys/server.key
dh    /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/clients
route 192.168.111.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
client-to-client
keepalive 10 120
comp-lzo
max-clients 20
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;duplicate-cn
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
;log         openvpn.log
;log-append  openvpn.log
;mute 20
  • /etc/openvpn/clients/router.local
iroute 192.168.111.0 255.255.255.0
  • /etc/sysctl.conf
net.ipv4.ip_forward=1
  • rc.local
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
/etc/init.d/dnsmasq start
  • apt-get install dnsmasq
  • /etc/dnsmasq.conf
interfaces=tun0
bind-interfaces
no-hosts
address=/server.domain.de/10.8.0.1

OpenVPN Home Router Client (OpenWrt)

  • /etc/config/dhcp
 option rebind_protection '0'
  • /etc/openvpn/client.ovpn
client
dev tun
proto udp
remote server.domain.de 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/router.local.crt
key /etc/openvpn/router.localt.key
ns-cert-type server
tls-auth /etc/openvpn/ta.key 1
comp-lzo
verb 3
log /tmp/log/openvpn.log
script-security 3 system
up /etc/openvpn/tun-up.sh
down /etc/openvpn/tun-down.sh
  • /etc/openvpn/tun-up.sh
#!/bin/sh
mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold
#echo search mlnet > /tmp/resolv.conf.auto
echo $foreign_option_1 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /tmp/resolv.conf.auto
#echo $foreign_option_2 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
#echo $foreign_option_3 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
  • /etc/openvpn/tun-down.sh
#!/bin/sh
mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto
  • OpenWrt / Network / Interfaces
Add interface
Name: vpn
protocol: unmanaged
interface: tun0
  • OpenWrt / Network / Firewall
Add zone
Input: accept
Output: accept
Forward: accept
Masquerading: check
covered networks: vpn = check
Interzone forwarding: allow to = check
allow from = check

OpenVPN Mobile Client

  • Internal traffic through VPN / Internet traffic through ISP
client
dev tun
proto udp
remote server.domain.de 1194 
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert device1.crt
key device1.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
  • Internal traffic through VPN + Internet traffic through VPN
client
dev tun
proto udp
remote server.domain.de 1194
resolv-retry infinite
nobind 
persist-key
persist-tun
ca ca.crt
cert device1.crt
key device1.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
redirect-gateway def1 bypass-dhcp

Required key files

Server:

  • ca.crt
  • dh.pem
  • server.crt
  • server.key
  • ta.key

Clients:

  • ca.crt
  • client1.crt
  • client1.key
  • ta.key

EasyRSA 3.x

EasyRSA 2.x

Initial setup

make-cadir certificates && cd certificates
  • edit "vars":
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

Create client keys

source vars
./build-key client1
./build-key --batch client1

Auto generate user config packages

  • create $vpnname-client.ovpn template with:
    • %usercrt
    • %userkey
    • %cacrt
    • %tlskey
  • /etc/openvpn/certificates/create_user.sh
#!/bin/bash

user="$1"
vpnname="myvpn"

source vars
./build-key --batch $user

mkdir -p temp/$vpnname
cp keys/$user.crt temp/$vpnname
cp keys/$user.key temp/$vpnname
cp keys/ca.crt temp/$vpnname
cp keys/ta.key temp/$vpnname
cp client.ovpn temp/$vpnname-client.ovpn

sed -i -e "s:%usercrt:$vpnname/$user.crt:g" temp/$vpnname-client.ovpn
sed -i -e "s:%userkey:$vpnname/$user.key:g" temp/$vpnname-client.ovpn
sed -i -e "s:%cacrt:$vpnname/ca.crt:g" temp/$vpnname-client.ovpn
sed -i -e "s:%tlskey:$vpnname/ta.key:g" temp/$vpnname-client.ovpn

cd temp
zip -r $vpnname-$user.zip *
cd ..

cp temp/$vpnname-$user.zip /srv/openvpn/userconfigs

rm -r temp

Links