
Leaderboard

Popular Content

Showing content with the highest reputation on 04/29/2019 in all areas

  1. Install openvpn using your linux distribution.

Go to /etc/openvpn and remove the client configuration:

    cd /etc/openvpn
    rm client.conf

Download easy-rsa:

    wget [Hidden Content]
    tar xvfz easy-rsa.tar.gz

Edit vars and execute it:

    vi /etc/openvpn/easy-rsa/vars

Change KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL.

    . ./vars

Generate keys:

    ./clean-all                        (clean /etc/openvpn/easy-rsa/keys)
    ./build-ca                         (create root certificate, specify the Common Name, ex. vpnserver)
    ./build-key server                 (create server certificate; same common name as the root certificate)
    ./build-key client                 (create client certificate; same common name as the root certificate)
    ./build-dh                         (create DIFFIE-HELLMAN used by the server)
    openvpn --genkey --secret ta.key   (ta.key to avoid DoS/Flooding)
    mkdir /etc/openvpn/keys_server/
    cd /etc/openvpn/easy-rsa/keys
    cp * /etc/openvpn/keys_server/

Keys for clients:

    mkdir client_keys
    cp ca.crt client.crt client.key ta.key dh1024.pem client_keys
    tar czf client_keys.tar.gz client_keys/

Server configuration:

    vi /etc/openvpn/server.conf

    daemon
    port 1194
    proto tcp
    dev tun
    ca /etc/openvpn/keys_server/ca.crt
    cert /etc/openvpn/keys_server/server.crt
    key /etc/openvpn/keys_server/server.key
    dh /etc/openvpn/keys_server/dh1024.pem
    server 10.8.0.0 255.255.255.0
    push "route 192.168.0.0 255.255.255.0"
    push "dhcp-option DNS 192.168.0.1"
    client-to-client
    keepalive 10 120
    tls-auth /etc/openvpn/keys_server/ta.key 0
    cipher BF-CBC
    comp-lzo
    max-clients 100
    persist-key
    persist-tun
    status /home/log/openvpn-status.log
    log-append /home/log/openvpn.log
    verb 5

Change push "route 192.168.0.0 255.255.255.0" and push "dhcp-option DNS 192.168.0.1" to suit your needs.

    chmod +x /etc/init.d/openvpn
    /etc/init.d/openvpn start          (to start the daemon)

Edit /etc/iptables/config and add the line:

    TCP_OPEN_PORTS_EXT="1194"

Then:

    chkconfig openvpn on 345
    reboot

Check if the daemon is running correctly after the reboot.

NAT the port on your router, and check if you can connect with:

    telnet public_ip 1194

Add a static route on your router, something like:

    Destination 10.8.0.0
    Mask        255.255.255.0
    Gateway     internal_ip
    Interface   LAN

Note: pay attention to the file executed each time the Stora boots, /etc/init.d/oe-bootinit. oe-bootinit runs:

    rm -rf /etc/openvpn/keys/*

This is why I saved the keys in /etc/openvpn/keys_server.

Client configuration - Linux client:

    proto tcp
    dev tun
    # Server IP address/hostname port
    remote 123.123.123.123 1194
    resolv-retry infinite
    nobind
    user nobody
    group nobody
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/client.crt
    key /etc/openvpn/keys/client.key
    tls-auth /etc/openvpn/keys/ta.key 1
    cipher BF-CBC
    comp-lzo
    persist-key
    persist-tun
    verb 3

To start:

    cd /etc/openvpn
    openvpn --config client.conf

Client configuration - Windows client:

    proto tcp
    dev tun
    # Server IP address/hostname port
    remote 123.123.123.123 1194
    resolv-retry infinite
    nobind
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/client.crt
    key /etc/openvpn/keys/client.key
    tls-auth /etc/openvpn/keys/ta.key 1
    cipher BF-CBC
    comp-lzo
    persist-key
    persist-tun
    verb 3

To start: rename the file to something.ovpn and right-click on the .ovpn file.

Two clarifications:

1) UDP has better performance than TCP with a normal home ADSL line (remember to apply the corresponding changes to iptables/router); TCP works better with fiber and low-latency lines.

2) For every client generate a different certificate (./build-key client1, ./build-key client2, ...) with a different common name, so the VPN server can recognize the different clients and assign a different IP address to each workstation.

Credits: [Hidden Content]
    1 point
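The post above hands out a working server.conf; what it does not show is how to check such a file before exposing it on a NATed port. The script below is an added example, not code from the post or from the OpenVPN project: a small POSIX sh linter that reads an OpenVPN server configuration and reports settings a reviewer would flag (a 64-bit block cipher such as BF-CBC, DH parameters under 2048 bits, missing tls-auth/tls-crypt, compression enabled, no user/group privilege drop). It goes slightly beyond the post by also recognizing the newer tls-crypt and compress directives. The two embedded configurations are constructed for the example: the first mirrors the post's server.conf, the second is a corrected variant; neither is a file from the original page, and the dh<bits>.pem filename fallback relies on easy-rsa's naming convention when the parameter file itself is not readable.

```shell
#!/bin/sh
# Added example (not from the forum post): lint an OpenVPN server.conf for
# settings that weaken the tunnel. The sample configs below are constructed to
# mirror the post's server.conf and are not files from the original page.
# conf_get FILE DIRECTIVE: print the first argument of DIRECTIVE (empty if absent)
conf_get() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}
# conf_has FILE DIRECTIVE: succeed if DIRECTIVE appears at all
conf_has() {
    awk -v d="$2" '$1 == d { f = 1 } END { exit !f }' "$1"
}
# dh_bits PATH: DH group size via openssl when readable, else from easy-rsa's dh<bits>.pem name
dh_bits() {
    if [ -r "$1" ]; then
        openssl dhparam -in "$1" -noout -text 2>/dev/null |
            sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
    else
        basename "$1" | sed -n 's/^dh\([0-9][0-9]*\)\.pem$/\1/p'
    fi
}
# lint_openvpn_conf FILE: print one finding per line; always returns 0
lint_openvpn_conf() {
    f="$1"
    cipher=$(conf_get "$f" cipher)
    case "$cipher" in
        "") echo "cipher: not set; releases before 2.5 default to BF-CBC" ;;
        BF-CBC|CAST5-CBC|DES-CBC|DES-EDE3-CBC)
            echo "cipher: $cipher has a 64-bit block; use AES-256-GCM" ;;
    esac
    dh=$(conf_get "$f" dh)
    if [ -n "$dh" ] && [ "$dh" != none ]; then
        bits=$(dh_bits "$dh")
        if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
            echo "dh: $bits-bit parameters; regenerate with at least 2048 bits"
        fi
    fi
    if ! conf_has "$f" tls-auth && ! conf_has "$f" tls-crypt; then
        echo "tls-auth/tls-crypt: missing; unauthenticated packets reach the TLS stack"
    fi
    if conf_has "$f" comp-lzo || conf_has "$f" compress; then
        echo "compression: enabled; compressing encrypted traffic leaks plaintext (VORACLE)"
    fi
    if ! conf_has "$f" user || ! conf_has "$f" group; then
        echo "user/group: not set; the daemon keeps root after startup"
    fi
    return 0
}
# count_findings FILE: number of findings as a bare integer
count_findings() {
    lint_openvpn_conf "$1" | wc -l | tr -d ' '
}
# write_sample_conf: constructed server.conf mirroring the post; prints its path
write_sample_conf() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
daemon
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys_server/ca.crt
cert /etc/openvpn/keys_server/server.crt
key /etc/openvpn/keys_server/server.key
dh /etc/openvpn/keys_server/dh1024.pem
server 10.8.0.0 255.255.255.0
tls-auth /etc/openvpn/keys_server/ta.key 0
cipher BF-CBC
comp-lzo
EOF
    echo "$t"
}
# write_hardened_conf: constructed variant with every finding addressed; prints its path
write_hardened_conf() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
port 1194
proto udp
dev tun
dh /etc/openvpn/keys_server/dh2048.pem
server 10.8.0.0 255.255.255.0
tls-crypt /etc/openvpn/keys_server/ta.key
cipher AES-256-GCM
user nobody
group nogroup
EOF
    echo "$t"
}
# Stand-alone run: lint the constructed sample and show the findings
sample=$(write_sample_conf)
lint_openvpn_conf "$sample"
rm -f "$sample"
```

Run it against a real file with `lint_openvpn_conf /etc/openvpn/server.conf` after sourcing the script; on the post's configuration it reports four findings (cipher, dh, compression, user/group) and none on the corrected variant. The filename fallback for DH size is a hint only; when the .pem file is present the size is read from it.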
GloTorrents Community Forum