OpenVPN

From aldeid



Server setup

Packages

On the server side, we first install the necessary packages:

# apt-get install openvpn openssl liblzo2-2

Keys generation

Server keys

Then we edit the parameters file to update the default values:

# cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
# vim vars

At the end of the file, locate the relevant section and update it according to your needs:

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="FR"
export KEY_PROVINCE="France"
export KEY_CITY="Paris"
export KEY_ORG="Aldeid"
export KEY_EMAIL="[email protected]"

Once done, we initialize keys:

# . ./vars 
# ./clean-all 

We need a certificate authority (CA):

# ./build-ca

To generate a certificate for the server:

# ./build-key-server aldeid-server

Client keys

Still on the server, we are going to generate a certificate for the client:

# cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
# . ./vars
# ./build-key aldeid-client

We now generate the Diffie-Hellman parameters:

# ./build-dh

We copy the necessary keys and certificates to /etc/openvpn/:

# cd keys/
# cp *.key *.crt dh1024.pem /etc/openvpn/

Server configuration file

OpenVPN configuration

We now create a configuration file for OpenVPN:

# vim /etc/openvpn/openvpn.conf

Add these lines to the openvpn.conf file:

# Listens on port
port 1194

# Protocol (prefer udp; consider tcp as a backup for
# cases where udp isn't a viable option)
proto udp

# Virtual interface used by openvpn
dev tun

# Path to our keys
ca /etc/openvpn/ca.crt
cert /etc/openvpn/aldeid-server.crt
key /etc/openvpn/aldeid-server.key
dh /etc/openvpn/dh1024.pem

# Network/mask addresses of our VPN
server 10.0.0.0 255.255.255.0

# Adds local network on VPN client
push "route 192.168.100.0 255.255.255.0"

# Informs VPN client about DNS and WINS servers
push "dhcp-option DNS 192.168.100.1"
#push "dhcp-option WINS 192.168.100.254"

# Ensures client-to-client visibility
client-to-client
keepalive 10 120

# Enables compression (faster)
comp-lzo

# Enables persistent connection
persist-key
persist-tun

# Log verbosity (1-9)
verb 3

tun module activation

We need to activate the virtual interface by loading the tun kernel module:

# modprobe tun

To check that the tun module is loaded, try:

# lsmod | grep tun
tun       8292 1

This command should return a result. Also notice that the ifconfig command now shows a new interface:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet adr:10.10.0.1  P-t-P:10.10.0.2  Masque:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Network configuration

To enable packet forwarding for IPv4, you could issue the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

Nevertheless, you would have to issue the command each time the server restarts. To avoid that, uncomment the following line in /etc/sysctl.conf instead:

net.ipv4.ip_forward=1

Then issue the following commands (the NAT table is selected with -t nat):

iptables -A FORWARD -i tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Firewall configuration

If you have a firewall, you must open the port specified in your configuration file (e.g. 1194/udp).

Restart openvpn

# /etc/init.d/openvpn restart

Client setup

Packages

# apt-get install openvpn liblzo2-2

Certificates

On the client, import the certificates from the server into the /etc/openvpn/ directory:

  • ca.crt
  • aldeid-client.crt
  • aldeid-client.key

Configuration

Then edit the configuration file:

# vim /etc/openvpn/openvpn.conf

And add these lines:

# Indicates a client configuration
client
tls-client

# Server information
remote 80.14.163.161
proto udp
dev tun
ifconfig 10.0.0.2 10.0.0.1

# Path to certificates
ca /etc/openvpn/ca.crt
cert /etc/openvpn/aldeid-client.crt
key /etc/openvpn/aldeid-client.key

# Negotiation (renegotiate the data channel key every 21600 seconds)
reneg-sec 21600

# Activates Compression
comp-lzo

# Log verbosity
verb 3
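The server and client configuration files above have to agree on port, protocol, device type and compression before the tunnel will come up. The following Python checker is an added example, not code from the original page: it parses both files with a small OpenVPN directive parser (embedded constructed copies of the page's configs), reports mismatches, and flags the 1024-bit DH group; the wording of the findings is my own.

```python
import shlex

# Server and client openvpn.conf from this page, embedded as constructed
# copies so the checker runs offline without touching /etc/openvpn.
SERVER_CONF = """
port 1194
proto udp
dev tun
dh /etc/openvpn/dh1024.pem
push "route 192.168.100.0 255.255.255.0"
#push "dhcp-option WINS 192.168.100.254"
comp-lzo
"""
CLIENT_CONF = """
client
remote 80.14.163.161
proto udp
dev tun
comp-lzo
"""

def parse_conf(text):
    """Map each directive to a list of its argument lists ('push' may repeat);
    '#' or ';' lines are comments and quoted arguments are kept whole."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        words = shlex.split(line, comments=True)
        conf.setdefault(words[0], []).append(words[1:])
    return conf

def first(conf, name, default=None):
    # First argument of a directive, or the default when it is absent.
    return conf[name][0][0] if conf.get(name) and conf[name][0] else default

def check_pair(server_text, client_text):
    """Return findings that would keep the tunnel from coming up or weaken it."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    out = []
    if "remote" not in c:
        out.append("client: no 'remote' directive, nothing to connect to")
    # Client port comes from 'remote host [port]', then 'port', else 1194.
    remote = c.get("remote", [[]])[0]
    c_port = remote[1] if len(remote) > 1 else first(c, "port", "1194")
    if first(s, "port", "1194") != c_port:
        out.append(f"port mismatch: server {first(s, 'port', '1194')} vs client {c_port}")
    for d, default in (("proto", "udp"), ("dev", None)):
        if first(s, d, default) != first(c, d, default):
            out.append(f"{d} mismatch: server {first(s, d)} vs client {first(c, d)}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        out.append("comp-lzo on one side only: framing mismatch breaks the tunnel")
    if "1024" in first(s, "dh", ""):
        out.append("server: 1024-bit DH group is weak, regenerate with KEY_SIZE=2048")
    return out
```

Run it against the real files with `check_pair(open("server.conf").read(), open("client.conf").read())` before restarting the daemons.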

Network

As on the server, we have to enable IP forwarding on the client:

# vim /etc/sysctl.conf

Then uncomment the following line:

net.ipv4.ip_forward=1

It is now necessary to create the route to the VPN network:

# route add -net 10.0.0.0 netmask 255.255.255.0 gw 192.168.100.1

Restart OpenVPN

On the client side, we need to restart OpenVPN for the parameters to take effect:

# /etc/init.d/openvpn restart

Connection test

On the client side, we test our connection by issuing:

# openvpn --config /etc/openvpn/openvpn.conf
# ping 192.168.100.1