Linux/OpenVPN: Difference between revisions

= EasyRSA 2.x =
== Initial setup ==
<pre>make-cadir certificates && cd certificates</pre>
* edit "vars" (also check KEY_SIZE, which should be at least 2048, and CA_EXPIRE/KEY_EXPIRE in the same file):
<blockquote><pre>export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"</pre></blockquote>
<pre>source vars</pre>
<pre>./clean-all</pre>
* clean-all empties keys/: run it only once, when the CA is first created, never on an existing CA
<pre>./build-ca</pre>
<pre>./build-key-server server</pre>
<pre>./build-dh</pre>
<pre>openvpn --genkey --secret keys/ta.key</pre>
== Create client keys ==
<pre>source vars</pre>
<pre>./build-key client1</pre>
* or, without the interactive prompts (takes the subject fields from vars, as the script below does):
<pre>./build-key --batch client1</pre>
== Auto generate user config packages ==
* create a client.ovpn template (the script copies it to $vpnname-client.ovpn) that references the key files through these placeholders:
** %usercrt
** %userkey
** %cacrt
** %tlskey
* /etc/openvpn/certificates/create_user.sh
<pre>
#!/bin/bash
# Usage: create_user.sh <username>
# Builds a client certificate with EasyRSA 2.x and zips it together with
# ca.crt, ta.key and a filled-in copy of client.ovpn for the user.
set -euo pipefail
user="${1:?usage: $0 <username>}"
vpnname="myvpn"
# The name ends up in file names and sed patterns: allow plain names only.
case "$user" in *[!A-Za-z0-9._-]*) echo "invalid user name: $user" >&2; exit 1;; esac
cd "$(dirname "$0")"
source ./vars
if [ -e "keys/$user.crt" ]; then echo "keys/$user.crt already exists" >&2; exit 1; fi
./build-key --batch "$user"
temp="$(mktemp -d)"
mkdir -p "$temp/$vpnname"
cp "keys/$user.crt" "keys/$user.key" keys/ca.crt keys/ta.key "$temp/$vpnname/"
sed -e "s:%usercrt:$vpnname/$user.crt:g" \
    -e "s:%userkey:$vpnname/$user.key:g" \
    -e "s:%cacrt:$vpnname/ca.crt:g" \
    -e "s:%tlskey:$vpnname/ta.key:g" client.ovpn > "$temp/$vpnname-client.ovpn"
(cd "$temp" && zip -r "$vpnname-$user.zip" "$vpnname" "$vpnname-client.ovpn")
# the archive contains a private key: keep it readable by the owner only
install -m 600 "$temp/$vpnname-$user.zip" /srv/openvpn/userconfigs/
rm -rf "$temp"
</pre>
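As an added example (not part of this page or of EasyRSA), the same packaging done as a single self-contained profile instead of a zip of four files: OpenVPN reads the CA certificate, client certificate, key and tls-auth key from inline <code>&lt;ca&gt;</code>, <code>&lt;cert&gt;</code>, <code>&lt;key&gt;</code> and <code>&lt;tls-auth&gt;</code> blocks, with <code>key-direction 1</code> replacing the <code>1</code> argument of <code>tls-auth ta.key 1</code>. The client settings in PROFILE_HEAD are assumed (the page does not show its client.ovpn template); they use <code>remote-cert-tls server</code> instead of the obsolete <code>ns-cert-type</code> and leave out comp-lzo. The script name and the "myvpn" output name are also assumptions. make_inline_profile is plain POSIX shell; check_client_cert needs openssl and refuses to ship a certificate that does not chain to the CA, is not a client certificate, or does not belong to the key.

```sh
#!/bin/sh
# Added example (not from the page): pack a user's credentials into a single
# self-contained .ovpn. Profile body and file names below are assumptions.
set -eu

PROFILE_HEAD='client
dev tun
proto udp
remote server.domain.de 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
verb 3'

# pem_body FILE: print only the PEM block(s) of FILE. EasyRSA 2 .crt files
# start with a human-readable dump of the certificate, and ta.key with
# comment lines; neither belongs inside an inline block.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_inline_profile USER KEYDIR: write the complete profile to stdout,
# taking ca.crt, USER.crt, USER.key and ta.key from KEYDIR.
make_inline_profile() {
    user="$1"; keydir="$2"
    printf '%s\n' "$PROFILE_HEAD"
    for pair in "ca:ca.crt" "cert:$user.crt" "key:$user.key" "tls-auth:ta.key"; do
        tag="${pair%%:*}"; file="${pair#*:}"
        printf '<%s>\n' "$tag"
        pem_body "$keydir/$file"
        printf '</%s>\n' "$tag"
    done
}

# check_client_cert USER KEYDIR: with openssl, confirm before shipping that
# USER.crt chains to ca.crt, is usable as a TLS *client* certificate (a
# certificate made with build-key-server answers "SSL client : No" because of
# its nsCertType/extendedKeyUsage), and belongs to USER.key.
check_client_cert() {
    user="$1"; keydir="$2"
    openssl verify -CAfile "$keydir/ca.crt" "$keydir/$user.crt" >/dev/null &&
    openssl x509 -in "$keydir/$user.crt" -noout -purpose | grep -q '^SSL client : Yes' &&
    [ "$(openssl x509 -in "$keydir/$user.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$keydir/$user.key" -pubout)" ]
}

# Usage: ./inline_profile.sh <user> [keydir]   (default keydir: keys, as above)
if [ $# -ge 1 ]; then
    u="$1"; k="${2:-keys}"
    check_client_cert "$u" "$k"
    make_inline_profile "$u" "$k" > "myvpn-$u.ovpn"
    chmod 600 "myvpn-$u.ovpn"
    echo "wrote myvpn-$u.ovpn"
fi
```

The resulting file carries the user's private key, so it needs the same handling as the zip above: owner-only permissions and a delivery channel the user has authenticated to.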


= Links =
* Web frontends:
** https://github.com/Chocobozzz/OpenVPN-Admin

Revision as of 18:33, 10 April 2022

Also see: OpenWrt/OpenVPN

EasyRSA keys


OpenVPN - Routing Howto

OpenVPN Internet Server

  • easy-rsa
  • /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca    /etc/openvpn/easy-rsa/keys/ca.crt
cert  /etc/openvpn/easy-rsa/keys/server.crt
key   /etc/openvpn/easy-rsa/keys/server.key
dh    /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/clients
route 192.168.111.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
client-to-client
keepalive 10 120
comp-lzo
max-clients 20
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;duplicate-cn
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
;log         openvpn.log
;log-append  openvpn.log
;mute 20
  • /etc/openvpn/clients/router.local (the file name must equal the Common Name of that client's certificate)
iroute 192.168.111.0 255.255.255.0
  • /etc/sysctl.conf
net.ipv4.ip_forward=1
  • rc.local
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
/etc/init.d/dnsmasq start
  • apt-get install dnsmasq (with bind-interfaces it can only start once tun0 exists, hence the start from rc.local above)
  • /etc/dnsmasq.conf
interface=tun0
bind-interfaces
no-hosts
address=/server.domain.de/10.8.0.1
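Added example, not from the page: a check for the two halves of the site-to-site routing configured above. A subnet behind a client is reachable only if server.conf has "route net mask" (kernel route into the tun device) AND that client's ccd file has "iroute net mask" (tells OpenVPN which client the subnet sits behind); either half alone fails without an obvious error. The script reads both files and reports mismatches. Its file name and the usage paths are assumptions; it only understands the "route/iroute net mask" form used on this page.

```sh
#!/bin/sh
# Added example (not from the page): cross-check route (server.conf) against
# iroute (client-config-dir files). Paths in the usage line are assumptions.
set -eu

# escape_re STRING: make a dotted address safe inside a grep -E pattern
escape_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# iroute_problems SERVER_CONF CCD_DIR: print one line per mismatch (empty = ok)
iroute_problems() {
    conf="$1"; ccd="$2"
    # 1. iroute in a ccd file without a matching route in server.conf:
    #    the kernel never hands those packets to OpenVPN
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        grep -E '^[[:space:]]*iroute[[:space:]]' "$f" | while read -r _ net mask _; do
            n=$(escape_re "$net"); m=$(escape_re "$mask")
            grep -Eq "^[[:space:]]*route[[:space:]]+$n[[:space:]]+$m([[:space:]]|\$)" "$conf" ||
                echo "$(basename "$f"): iroute $net $mask has no route line in $(basename "$conf")"
        done
    done
    # 2. route in server.conf that no ccd file claims with an iroute:
    #    OpenVPN gets the packets but has no client to send them to
    grep -E '^[[:space:]]*route[[:space:]]' "$conf" | while read -r _ net mask _; do
        n=$(escape_re "$net"); m=$(escape_re "$mask")
        grep -Eqs "^[[:space:]]*iroute[[:space:]]+$n[[:space:]]+$m([[:space:]]|\$)" "$ccd"/* ||
            echo "route $net $mask is claimed by no iroute in $(basename "$ccd")/"
    done
}

# check_iroutes SERVER_CONF CCD_DIR: exit status 0 when consistent, 1 otherwise
check_iroutes() {
    problems=$(iroute_problems "$1" "$2")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems" >&2
    return 1
}

# Usage: ./check_iroutes.sh /etc/openvpn/server.conf /etc/openvpn/clients
if [ $# -eq 2 ]; then
    check_iroutes "$1" "$2" && echo "route/iroute pairs are consistent"
fi
```

Commented lines (";route ...") are ignored, so the stock examples left in server.conf above do not produce false reports. Forwarding itself (net.ipv4.ip_forward and the MASQUERADE rule) is a runtime setting and is not covered by this file check.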

OpenVPN Home Router Client (OpenWrt)

  • /etc/config/dhcp: the router's own dnsmasq drops DNS answers that point to private addresses (rebind protection), which is exactly what the VPN's resolver returns (server.domain.de -> 10.8.0.1). Switching the protection off globally works, but then every upstream may answer with RFC 1918 addresses:
 option rebind_protection '0'
Allowing only the domain(s) that legitimately resolve to private addresses over the VPN keeps the protection for everything else:
 option rebind_protection '1'
 list rebind_domain 'domain.de'
  • /etc/openvpn/client.ovpn
client
dev tun
proto udp
remote server.domain.de 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/router.local.crt
key /etc/openvpn/router.local.key
ns-cert-type server
tls-auth /etc/openvpn/ta.key 1
comp-lzo
verb 3
log /tmp/log/openvpn.log
script-security 2  # level 2 is enough for up/down scripts (3 would also hand passwords to them); the old "system" method argument is deprecated
up /etc/openvpn/tun-up.sh
down /etc/openvpn/tun-down.sh
  • /etc/openvpn/tun-up.sh (the resolver file path is the one from this page; on newer OpenWrt releases check it with "uci get dhcp.@dnsmasq[0].resolvfile")
#!/bin/sh
# Write every DNS/DOMAIN option pushed by the server (foreign_option_1,
# foreign_option_2, ...) into the upstream resolver file; tun-down.sh restores it.
resolv=/tmp/resolv.conf.auto
[ -e "$resolv.hold" ] || mv "$resolv" "$resolv.hold"
: > "$resolv"
i=1
while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
    case "$opt" in
        "dhcp-option DNS "*)    echo "nameserver ${opt#dhcp-option DNS }" >> "$resolv" ;;
        "dhcp-option DOMAIN "*) echo "domain ${opt#dhcp-option DOMAIN }" >> "$resolv" ;;
    esac
    i=$((i + 1))
done
  • /etc/openvpn/tun-down.sh
#!/bin/sh
mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto
  • OpenWrt / Network / Interfaces
Add interface
Name: vpn
protocol: unmanaged
interface: tun0
  • OpenWrt / Network / Firewall
Add zone
Input: accept
Output: accept
Forward: accept
Masquerading: check
covered networks: vpn = check
Interzone forwarding: allow to = check
allow from = check
Note: the server runs with client-to-client, so "Input: accept" exposes the router's own services (SSH, LuCI) to every VPN peer and "allow from" lets every peer into the LAN. If the other VPN clients are not trusted, set Input to reject and add explicit rules for the hosts that need access.

OpenVPN Mobile Client

  • Internal traffic through VPN / Internet traffic through ISP
client
dev tun
proto udp
remote server.domain.de 1194 
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert device1.crt
key device1.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
  • Internal traffic through VPN + Internet traffic through VPN
client
dev tun
proto udp
remote server.domain.de 1194
resolv-retry infinite
nobind 
persist-key
persist-tun
ca ca.crt
cert device1.crt
key device1.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
redirect-gateway def1 bypass-dhcp
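Added here as an example, not part of the page: the directives in server.conf and in the client files above that are weak or obsolete, each shown commented out with its current replacement beneath it. It assumes OpenVPN 2.5 or newer on both ends (a 2.4 client needs ncp-ciphers instead of data-ciphers). tls-auth and tls-crypt cannot be mixed, so that change has to be made on the server and on every client together; remote-cert-tls works with the certificates from this page because build-key-server sets keyUsage and extendedKeyUsage=serverAuth alongside nsCertType.

```conf
# server.conf: line from the page (commented) and its replacement
;comp-lzo                               # compression leaks tunnelled plaintext to an attacker who can inject traffic (VORACLE); drop it
allow-compression no                    # and refuse it if a client asks for it
;cipher BF-CBC                          # pre-2.4 default: 64-bit block cipher (SWEET32)
data-ciphers AES-256-GCM:AES-128-GCM    # AEAD ciphers offered in negotiation (2.4: ncp-ciphers)
cipher AES-256-GCM                      # fallback for a client that cannot negotiate
auth SHA256                             # HMAC for the control channel; the default was SHA1
tls-version-min 1.2
;tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
tls-crypt /etc/openvpn/easy-rsa/keys/ta.key   # same key file; authenticates AND encrypts the control channel, no direction argument

# client.ovpn (router and mobile files above): same changes on the client side
;ns-cert-type server                    # deprecated in 2.4, removed in 2.5
remote-cert-tls server                  # checks keyUsage/extendedKeyUsage of the server certificate instead
;tls-auth ta.key 1
tls-crypt ta.key
;comp-lzo
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
```

After the change, a client still sending comp-lzo or a tls-auth handshake is rejected at connect time, so roll the client files out before switching the server.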

Required key files

Server:

  • ca.crt
  • dh2048.pem (build-dh names the file after KEY_SIZE; the dh line in server.conf must use the same name)
  • server.crt
  • server.key
  • ta.key

Clients:

  • ca.crt
  • client1.crt
  • client1.key
  • ta.key


Links