Superior Administrator
Posted
Install openvpn using your Linux distribution.

Go to /etc/openvpn and remove the client configuration:

cd /etc/openvpn
rm client.conf

Download easy-rsa with wget and unpack it:

tar xvfz easy-rsa.tar.gz

Edit vars and execute it:

vi /etc/openvpn/easy-rsa/vars

Change KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL.

. ./vars

Generate the keys:

./clean-all (cleans /etc/openvpn/easy-rsa/keys)
./build-ca (creates the root certificate; specify the Common Name, e.g. vpnserver)
./build-key server (creates the server certificate; same Common Name as the root certificate)
./build-key client (creates the client certificate; same Common Name as the root certificate)
./build-dh (creates the Diffie-Hellman parameters used by the server)
openvpn --genkey --secret ta.key (ta.key is used to avoid DoS/flooding)

mkdir /etc/openvpn/keys_server/
cd /etc/openvpn/easy-rsa/keys
cp * /etc/openvpn/keys_server/

Keys for the clients:

mkdir client_keys
cp ca.crt client.crt client.key ta.key dh1024.pem client_keys
tar czf client_keys.tar.gz client_keys/

Server configuration: vi /etc/openvpn/server.conf

daemon
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys_server/ca.crt
cert /etc/openvpn/keys_server/server.crt
key /etc/openvpn/keys_server/server.key
dh /etc/openvpn/keys_server/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/keys_server/ta.key 0
cipher BF-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status /home/log/openvpn-status.log
log-append /home/log/openvpn.log
verb 5

Change push "route 192.168.0.0 255.255.255.0" and push "dhcp-option DNS 192.168.0.1" to suit your needs.
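
The server.conf above carries several settings a reviewer would flag today (the 64-bit block cipher BF-CBC, the 1024-bit dh1024.pem, comp-lzo, and debug-level verb 5). As an added example that is not part of the original post, the POSIX shell script below audits a server.conf for those settings and prints the fix for each; it assumes only sh, grep, wc, tr and mktemp, and embeds a constructed sample built from the directives above.

```shell
# Added example (not from the original post): audit an OpenVPN server.conf for the
# weak settings in the configuration above. Needs only POSIX sh, grep, wc, tr, mktemp.
# Constructed sample: the directives from the post's server.conf that the checks use.
write_sample_conf() {
  cat > "$1" <<'EOF'
port 1194
proto tcp
dev tun
dh /etc/openvpn/keys_server/dh1024.pem
server 10.8.0.0 255.255.255.0
tls-auth /etc/openvpn/keys_server/ta.key 0
cipher BF-CBC
comp-lzo
verb 5
EOF
}

# has_directive FILE REGEX: true when an uncommented line starts with REGEX.
has_directive() {
  grep -qE "^[[:space:]]*$2" "$1"
}

# audit_openvpn_conf FILE: print one finding per line, each with the fix to apply.
audit_openvpn_conf() {
  conf=$1
  if has_directive "$conf" 'cipher[[:space:]]+BF-CBC'; then
    echo "cipher BF-CBC: 64-bit block cipher (SWEET32); use cipher AES-256-GCM (OpenVPN 2.4+)"
  fi
  if has_directive "$conf" 'dh[[:space:]]+.*dh1024\.pem'; then
    echo "dh dh1024.pem: 1024-bit DH group; set KEY_SIZE=2048 in vars and rerun ./build-dh"
  fi
  if has_directive "$conf" 'comp-lzo'; then
    echo "comp-lzo: compression before encryption enables compression side channels; remove it"
  fi
  if ! has_directive "$conf" 'tls-(auth|crypt)'; then
    echo "no tls-auth/tls-crypt: TLS handshake reachable by unauthenticated peers; add tls-auth ta.key 0"
  fi
  if has_directive "$conf" 'verb[[:space:]]+([5-9]|1[01])'; then
    echo "verb 5 or higher: debug-level logging on a production server; use verb 3"
  fi
  return 0
}
# count_weak_settings FILE: number of findings (0 means every check passed).
count_weak_settings() {
  audit_openvpn_conf "$1" | wc -l | tr -d ' '
}

# Demo: audit the constructed sample and show the findings.
sample=$(mktemp); write_sample_conf "$sample"; audit_openvpn_conf "$sample"; rm -f "$sample"
```

Run it against the real /etc/openvpn/server.conf by calling audit_openvpn_conf with that path; the tls-auth line from the post already satisfies the fourth check.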
chmod +x /etc/init.d/openvpn

/etc/init.d/openvpn start (starts the daemon)

vi /etc/iptables/config and add the line TCP_OPEN_PORTS_EXT="1194"

chkconfig openvpn on 345

reboot

Check that the daemon is running correctly after the reboot.

NAT the port on your router, and check that you can connect with: telnet public_ip 1194

Add a static route on your router, something like:

Destination 10.8.0.0, Mask 255.255.255.0, Gateway internal_ip, Interface LAN

Note: pay attention to the file executed each time the Stora boots, /etc/init.d/oe-bootinit. It runs rm -rf /etc/openvpn/keys/* - this is why I saved the keys in /etc/openvpn/keys_server.

Client configuration - Linux

client
proto tcp
dev tun
# Server IP address/hostname port
remote 123.123.123.123 1194
resolv-retry infinite
nobind
user nobody
group nobody
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
tls-auth /etc/openvpn/keys/ta.key 1
cipher BF-CBC
comp-lzo
persist-key
persist-tun
verb 3

To start:

cd /etc/openvpn
openvpn --config client.conf

Client configuration - Windows

client
proto tcp
dev tun
# Server IP address/hostname port
remote 123.123.123.123 1194
resolv-retry infinite
nobind
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
tls-auth /etc/openvpn/keys/ta.key 1
cipher BF-CBC
comp-lzo
persist-key
persist-tun
verb 3

To start:

Rename the file to something.ovpn, then right-click on the .ovpn file.

Two clarifications:

1) UDP has better performance than TCP on a normal home ADSL line (remember to apply the corresponding changes to iptables/router); TCP works better with fibre and low-latency lines.

2) For every client generate a different certificate (./build-key client1, ./build-key client2, ...) with a different Common Name, so the VPN server can recognize the different clients and assign a different IP address to each workstation.

Credits:

