Re: Concise OpenVPN installation. . .?
here we go… let’s see if i can compact it into 10 steps
NOTE: all commands run as root. i will skip the sudo everywhere. To fully become root, use
1.) preparing the PKI
cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
then go into that folder, and edit the vars to match your environment. i’d also suggest you remove all comments after you read them.
NOTE: every time you want to do something on the PKI, you *MUST* load the vars again.
2.) creating the keys
first, create a diffie-hellman key (not sure if it is needed – create it anyway)
then create a CA
now, build a server key
with %name as its common name. All clients will always be referenced with their common name, NOT with any filename or dns name. So make sure you choose the common names of anything wisely. Also, they are in no relation to dns names (like they are in SSL certs) so you can choose them freely
3.) configuring the server
daemon
port 1194
proto udp
dev tun0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/dh2048.pem
server 10.20.30.0 255.255.255.0
ifconfig-pool-persist openvpn.dhcp
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 4
mute 20
;push "route 192.168.0.0 255.255.255.0"
;push "route 192.168.173.0 255.255.255.0"
;push "redirect-gateway def1"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-to-client
; max-clients 10
# plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
# client-cert-not-required
# username-as-common-name
i will not go into detail on this (that would make me use 30 pages as well)… so if you are unsure about any option, just read up what it does. However you *MUST* change the italic options to correspond to the real filenames (you should have created them in the step beforehand).
lastly, make sure the log directory exists and it is owned by nobody. Otherwise, openvpn will fail to write to its log and will fail to start.
mkdir /var/log/openvpn
chown nobody:nogroup /var/log/openvpn
4.) starting the server
/etc/init.d/openvpn start vpn1
where the vpn1 corresponds to the filename. If anything fails, check the logs in /var/log/openvpn to see what failed. If i’ve made no typos, this should work.
5.) allowing passthrough traffic on the VPN server
sysctl -w net.ipv4.ip_forward=1
and enable it so it loads on boot via the /etc/sysctl.conf
Also, masquerade the traffic that leaves the machine, so the packets can find their way back (this is the *easiest* solution, it is by far not the best !):
iptables -t nat -A POSTROUTING ! -o tun0 -j MASQUERADE
and add this line to the /etc/rc.local to make the settings load on boot-up
/sbin/iptables -t nat -A POSTROUTING ! -o tun0 -j MASQUERADE
This should give your vpn clients full connectivity to all networks that are pushed to be accessed over the VPN.
6.) client certificates
where %client is the filename of the client, NOT the common name!
7.) Windows XP Clients
float
client
dev tun
proto udp
remote %vpn-server
;redirect-gateway
resolv-retry infinite
nobind
persist-key
persist-tun
ca ..\\cert\\ca.crt
cert ..\\cert\\client.crt
key ..\\cert\\client.key
ns-cert-type server
comp-lzo
verb 3
;mute 20
again, make sure that the italic bits are changed to your setup and filenames. the relative path ..\\ will bring you into the c:\program files\openvpn folder – i usually create a new folder there called cert where i store the keys and certificates.
Now, after the config is created, the files are copied and the openvpn-gui is loaded, tell it to connect. If your firewall is not blocking anything, this should work and you should be able to connect to the server. Once that is done, the client should be able to ping the 10.20.30.1 (if you kept my subnet) and the server should be able to ping the 10.20.30.6
that’s pretty much the simplest, shortest way of doing this i can think of. i hope it works, and if it does i will turn this into a howto and paste it in a new thread on this forum.
If anything fails or any questions arise, just ask
PS: only took me seven steps
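As an added example (not part of the post above, nor OpenVPN's own code), here is a small parser for the config format shown in steps 3 and 7, with a review pass over the settings the post calls out: the privilege drop (user/group/persist-*), the commented-out client-cert-not-required, client-to-client, and which routes are really pushed. The embedded sample config is constructed from the post's server config; the function names are mine.

```python
import shlex

# Constructed sample: the post's server config, trimmed to the options reviewed here.
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
server 10.20.30.0 255.255.255.0
user nobody
group nogroup
persist-key
persist-tun
;push "route 192.168.0.0 255.255.255.0"
;client-to-client
# client-cert-not-required
"""


def parse_openvpn(text):
    """Return [(directive, [args])] for active lines; lines starting with ';' or '#' are comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        parts = shlex.split(line)  # keeps push "route a b" as one quoted argument
        directives.append((parts[0], parts[1:]))
    return directives


def review(text):
    """Summarise the auth, privilege and forwarding settings the post's config touches."""
    cfg = parse_openvpn(text)
    names = {d for d, _ in cfg}
    return {
        # user/group plus persist-* let the daemon drop root and still restart the tunnel
        "drops_privileges": {"user", "group", "persist-key", "persist-tun"} <= names,
        # client-cert-not-required switches certificate authentication off entirely
        "client_certs_required": "client-cert-not-required" not in names,
        # client-to-client lets VPN peers reach each other directly through the server
        "client_to_client": "client-to-client" in names,
        # routes actually pushed to clients (commented-out ';push' lines are ignored)
        "pushed_routes": [a[0].split()[1:] for d, a in cfg
                          if d == "push" and a and a[0].split()[0] == "route"],
        "pushes_redirect_gateway": any(
            d == "push" and a and a[0].startswith("redirect-gateway") for d, a in cfg),
    }
```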