Tạo VPN Server trong Ubuntu 804

Re: Concise OpenVPN installation. . .?

here we go… let’s see if i can compact it into 10 steps
NOTE: all commands run as root. i will skip the sudo everywhere. To fully become root, use

Code:
sudo su

1.) preparing the PKI
copy the easy-rsa from /usr/share/doc/openvpn/examples/easy-rsa/the examples into the /etc/openvpn/easy-rsa folder.

Code:
cp -R /usr/share/doc/openvpn/examples/easy-rsa /ect/openvpn

then go into that folder, and edit the vars to match your enviroment. i’d also suggest you remove all comments after you read them.
The settings in that file are the defaults.
once that is done, load the file with this command

Code:
source vars

NOTE: every time you want to do something on the PKI, you *MUST* load the vars again.

2.) creating the keys
first, let the scripts inititialize the enviroment (all commands run in the directory /etc/openvpn/easy-rsa) :

Code:
./clean-all

first, create a diffie-hellman key (not sure if it is needed – create it anyway)

Code:
./build-dh

then create a CA

Code:
./build-ca

now, build a server key

Code:
./build-server %name

with %name as it’s common name. All Clients will always be referenced with their common name, NOT with any filename or dns name. So make sure you choose the common names of anything wisely. Also, they are in no relation to dns names (like they are in SSL certs) so you can choose them freely

3.) configuring the server
here is a sample config of a server that (should) work. create a file in /etc/openvpn calles vpn1.conf (the vpn1 can be changed to anything, really, stick with the .conf tho – that IS needed):

Code:
daemon
port 1194
proto udp
dev tun0

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/dh2048.pem 

server 10.20.30.0 255.255.255.0
ifconfig-pool-persist openvpn.dhcp

keepalive 10 120
comp-lzo

user nobody
group nogroup

persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 4
mute 20

;push "route 192.168.0.0 255.255.255.0"
;push "route 192.168.173.0 255.255.255.0"
;push "redirect-gateway def1"

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-to-client
; max-clients 10

# plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
# client-cert-not-required
# username-as-common-name

i will not go into detail on this (that would make me use 30 pages aswell)… so if you are unsure about any option, just read up what it does. However you *MUST* change the italic options to correspond to the real filenames (you should have created them in the step beforehand).

lastly, make sure the log directory exists and it is owned by nobody. Othewise, openvpn will fail to write to it’s log and will fail to start.
So, create the directory and chown it with these comands:

Code:
mkdir /var/log/openvpn
chown nobody.nogroup /var/log/openvpn

4.) starting the server
All set, the server should come up fine now…
start it with this command:

Code:
/etc/init.d/openvpn start vpn1

where the vpn1 corresponds to the filename. If anything fails, check the logs in /var/log/openvpn to what failed. If i’ve made no typos, this should work.

5.) allowing passthrough traffic on the VPN server
This is a very tricky point. Since i could write about a book here too, i will just assume some default settings and hope they (kind of) fit your environment.

enable ip_forwarding:

Code:
sysctl -w net.ipv4.ip_forward=1

and enable it so it loads on boot via the /etc/sysctl.conf

Also, masquerade the traffic that leaves the machine, so the pakets can find their way back (this is the *easiest* solution, it is by far not the best !):

Code:
iptables -A POSTROUTING --tabe nat -o ! tun0 -j MASQUERADE

and this line to the /etc/rc.local to make the settings load on boot-up

Code:
/sbin/iptables -A POSTROUTING --tabe nat -o ! tun0 -j MASQUERADE

This should give your vpn clients full connectivity to all networks that are pushed to be accessed over the VPN.

6.) client certificates
every client needs it’s own certificate. you can generate them the same way you have done all the other generation if certificates. go into the the /etc/openvpn/easy-rsa folder, make sure you run the source vars (if this is a new console) and then type

Code:
./build-client %client

where %client is the filename of the client, NOT the common name!

7.) Windows XP Clients
Download the openvpn-gui from http://openvpn.se/ and install it.
Then open the config folder (usually C:\programm files\OpenVPN\config) and create a file with the ovpn extension. this is also a normal textfile. fill it up with this sample configuration:

Code:
float
client
dev tun
proto udp

remote %vpn-server
;redirect-gateway

resolv-retry infinite
nobind
persist-key
persist-tun
ca ..\\cert\\ca.crt
cert ..\\cert\\client.crt
key ..\\cert\\client.key
ns-cert-type server
comp-lzo
verb 3
;mute 20

again, make sure that the italic bits are changed to your setup and filenames. the relative path ..\\ will bring your into the c:\program files\openvpn folder – i usually create a new folder there called cert where i store the keys and certificates.
Also, as you can see, the client needs three files from the server (all found in /etc/openvpn/easy-rsa/keys) – the ca.crt, it’s own certificate and its own key. Make sure it’s got it.
NOTE: Vista clients need a small change in the config as well as a way to start the openvpn-gui as administrator and not unprivilegdes user. I have yet to find a way to do this without problems…

Now, after the config is created, the files are copied and the openvpn-gui is loaded, tell it to connect. If your firewall is not blocking anything, this should work and you should be able to connect to the server. Once that is done, the client should be able to ping the 10.20.30.1 (if you kept my subnet) and the server should be able to ping the 10.20.30.6

that’s pretty much the simplest, shortest way of doing this i can think of. i hope it works, and if it does i will turn this into a howto and paste it in a new thread on this forum.

If anything fails or any questions arise, just ask

PS: only took me seven steps

__________________
Calvin: I’m being educated against my will! My rights are being trampled!
Hobbes: Is it a right to remain ignorant?
Calvin: I don’t know, but I refuse to find out!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: