Linux/OpenVPN: Difference between revisions
Revision as of 20:49, 27 May 2019
Also see: OpenWrt/OpenVPN
OpenVPN - Routing Howto
OpenVPN Internet Server
- easy-rsa
- /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# per-client files (the iroute for router.local lives here)
client-config-dir /etc/openvpn/clients
# kernel route for the LAN behind router.local; the matching iroute is in the ccd file
route 192.168.111.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
client-to-client
keepalive 10 120
comp-lzo
max-clients 20
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;duplicate-cn
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
;log openvpn.log
;log-append openvpn.log
;mute 20
- /etc/openvpn/clients/router.local
iroute 192.168.111.0 255.255.255.0
- /etc/sysctl.conf
net.ipv4.ip_forward=1
- rc.local
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
/etc/init.d/dnsmasq start
- apt-get install dnsmasq
- /etc/dnsmasq.conf
# the dnsmasq option is "interface", not "interfaces"
interface=tun0
bind-interfaces
no-hosts
# VPN clients resolve the server name to its tunnel address
address=/server.domain.de/10.8.0.1
OpenVPN Home Router Client (OpenWrt)
- /etc/config/dhcp
# let the VPN resolver answer with private (10.8.0.x) addresses
option rebind_protection '0'
- /etc/openvpn/client.ovpn
client
dev tun
proto udp
remote server.domain.de 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/router.local.crt
key /etc/openvpn/router.local.key
# deprecated since OpenVPN 2.4, removed in 2.5; remote-cert-tls server is the replacement
ns-cert-type server
tls-auth /etc/openvpn/ta.key 1
comp-lzo
verb 3
log /tmp/log/openvpn.log
script-security 3 system
up /etc/openvpn/tun-up.sh
down /etc/openvpn/tun-down.sh
- /etc/openvpn/tun-up.sh
#!/bin/sh
# keep the ISP resolver file so tun-down.sh can restore it
mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold
#echo search mlnet > /tmp/resolv.conf.auto
# rewrite the pushed "dhcp-option DNS/DOMAIN" into resolv.conf syntax
echo "$foreign_option_1" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /tmp/resolv.conf.auto
#echo "$foreign_option_2" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
#echo "$foreign_option_3" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
- /etc/openvpn/tun-down.sh
#!/bin/sh
# restore the ISP resolver file saved by tun-up.sh
mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto
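The up script above only consumes foreign_option_1, with the next two slots commented out. As an added example, not the wiki's own script, this POSIX sh version generalizes it: it walks every foreign_option_N that OpenVPN exports to --up scripts and turns the DNS and DOMAIN options into resolv.conf lines (assumed: OpenVPN sets foreign_option_N and script_type in the script environment).

```shell
#!/bin/sh
# Added example (not the wiki's tun-up.sh): handle all pushed DNS options.
# Assumption: OpenVPN exports pushed options as foreign_option_1, foreign_option_2, ...
# and sets script_type=up when running the --up script.

# Print resolv.conf lines derived from every foreign_option_N variable.
render_resolv() {
    i=1
    while true; do
        eval "opt=\${foreign_option_$i}"
        [ -n "$opt" ] || break
        # only DNS and DOMAIN are meaningful for resolv.conf; others are ignored
        case "$opt" in
            "dhcp-option DNS "*)    echo "nameserver ${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) echo "domain ${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
}

# Replace the router's resolver file with the VPN resolvers, keeping a copy
# under the same .hold name the wiki's tun-down.sh restores.
install_resolv() {
    target="${1:-/tmp/resolv.conf.auto}"
    [ -f "$target" ] && mv "$target" "$target.hold"
    render_resolv > "$target"
}

# Act only when OpenVPN calls the script; sourcing it for its functions does nothing.
if [ "${script_type:-}" = "up" ]; then
    install_resolv /tmp/resolv.conf.auto
fi
```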
- OpenWrt / Network / Interfaces
Add interface:
- Name: vpn
- Protocol: unmanaged
- Interface: tun0
- OpenWrt / Network / Firewall
Add zone:
- Input: accept
- Output: accept
- Forward: accept
- Masquerading: check
- Covered networks: vpn = check
- Inter-zone forwarding: allow to = check, allow from = check
OpenVPN Mobile Client
- Internal traffic through VPN / Internet traffic through ISP
client
dev tun
proto udp
remote server.domain.de 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert device1.crt
key device1.key
# deprecated since OpenVPN 2.4, removed in 2.5; remote-cert-tls server is the replacement
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
- Internal traffic through VPN + Internet traffic through VPN
client
dev tun
proto udp
remote server.domain.de 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert device1.crt
key device1.key
# deprecated since OpenVPN 2.4, removed in 2.5; remote-cert-tls server is the replacement
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
# the only difference to the split-tunnel config: send the default route through the VPN
redirect-gateway def1 bypass-dhcp
Required key files
Server:
- ca.crt
- dh.pem
- server.crt
- server.key
- ta.key
Clients:
- ca.crt
- client1.crt
- client1.key
- ta.key
EasyRSA 3.x
EasyRSA 2.x
Initial setup
make-cadir certificates && cd certificates
- edit "vars":
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key
Create client keys
source vars
./build-key client1
./build-key --batch client1
Auto generate user config packages
- create a client.ovpn template (the script below copies it to $vpnname-client.ovpn) that uses these placeholders for the ca, cert, key and tls-auth paths:
- %usercrt
- %userkey
- %cacrt
- %tlskey
- /etc/openvpn/certificates/create_user.sh
#!/bin/bash
# usage: create_user.sh <username>
# builds a client certificate and packages it with the config template as a zip
set -e
user="$1"
vpnname="myvpn"
[ -n "$user" ] || { echo "usage: $0 <username>" >&2; exit 1; }
source vars
./build-key --batch "$user"
mkdir -p "temp/$vpnname"
cp "keys/$user.crt" "temp/$vpnname"
cp "keys/$user.key" "temp/$vpnname"
cp keys/ca.crt "temp/$vpnname"
cp keys/ta.key "temp/$vpnname"
cp client.ovpn "temp/$vpnname-client.ovpn"
# replace the placeholders with the paths as they appear inside the zip
sed -i -e "s:%usercrt:$vpnname/$user.crt:g" "temp/$vpnname-client.ovpn"
sed -i -e "s:%userkey:$vpnname/$user.key:g" "temp/$vpnname-client.ovpn"
sed -i -e "s:%cacrt:$vpnname/ca.crt:g" "temp/$vpnname-client.ovpn"
sed -i -e "s:%tlskey:$vpnname/ta.key:g" "temp/$vpnname-client.ovpn"
(cd temp && zip -r "$vpnname-$user.zip" *)
cp "temp/$vpnname-$user.zip" /srv/openvpn/userconfigs
rm -r temp
Links
- Web frontends:
- http://www.smallnetbuilder.com/security/security-howto/30353-how-to-set-up-a-site-to-site-vpn-with-openvpn?start=4
- http://serverfault.com/questions/368412/getting-openvpn-to-fully-connect-two-networks
- http://wiki.ubuntuusers.de/OpenVPN
- http://sarwiki.informatik.hu-berlin.de/OpenVPN_(deutsch)#Wahl_des_virtuellen_Device
- http://openvpn.net/index.php/open-source/documentation/howto.html#pki
- http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_routed_VPN_between_two_routers#Server_Configuration
- https://blog.ipredator.se/howto/openwrt/configuring-openvpn-on-openwrt.html
- http://wiki.openwrt.org/doc/howto/vpn.server.openvpn.tun
- http://thomas-leister.de/allgemein/openvpn-server-als-internet-gateway-unter-ubuntu-12-04/
- https://wiki.archlinux.org/index.php/Openvpn
- http://www.area536.com/projects/securely-link-two-offices-using-openvpn/