adelante Tux's lil' helper
Joined: 19 Apr 2003 Posts: 133 Location: South Africa - Johannesburg
Posted: Fri Feb 09, 2007 7:15 am Post subject: Howto Openvpn - The quick easy way

Hi,
I've read through a lot of howtos for OpenVPN, and a lot of them didn't seem to work: I could follow them line for line and I kept running into problems.
Here is my HOWTO on OpenVPN, which I found was the simplest way of setting it up.
Server Config
========================================
Quote:
# emerge openvpn
# nano /usr/share/openvpn/easy-rsa/vars
Paste this into the file and edit to suit your needs
Code:
export EASY_RSA="`pwd`"
export KEY_CONFIG="$EASY_RSA/openssl.cnf"
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# 1024-bit keys and DH parameters; this value matches the dh1024.pem filename used in server.conf below
export KEY_SIZE=1024
# CA and issued certificates are valid for 10 years (in days)
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
# default subject fields offered when ./build-ca and ./build-key prompt you
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
Quote:
# cd /usr/share/openvpn/easy-rsa/
# source ./vars
# ./clean-all
# ./build-ca
Just press enter through everything and select (Y) where necessary
Quote:
# ./build-key-server server
# ./build-dh

Quote:
# cd /etc/openvpn/
# openvpn --genkey --secret ta.key
# mkdir ccd
# nano server.conf
Paste this into your server.conf and edit the <network range> value
Code:
port 9000
proto udp
dev tun
mode server
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/server.crt
key /usr/share/openvpn/easy-rsa/keys/server.key
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
server <network range> 255.255.255.0 # for example 192.168.139.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
# ta.key generated above; key direction is 0 on the server and 1 on every client
tls-auth ta.key 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
# lets several clients connect with the same certificate; OpenVPN warns that this
# breaks ifconfig-pool-persist and is probably not wanted together with client-config-dir
duplicate-cn
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
Quote:
# ln -sf /etc/init.d/openvpn /etc/init.d/openvpn.server
# /etc/init.d/openvpn.server start
# rc-update add openvpn.server default
Your server side of things should be up and running now.
If you run an ifconfig you should see the tun0 device.
========================================
Windows Client Configuration
========================================
On the OpenVPN server you have just set up:
Quote:
cd /usr/share/openvpn/easy-rsa/
source ./vars
./build-key <USERNAME>
On the Client side:
# install the openvpn client on windows : http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
# create folder : C:\Program Files\OpenVPN\config\<USERNAME>
# create a file called : C:\Program Files\OpenVPN\config\<USERNAME>.ovpn
# open this file with notepad and inside that file put the following and edit the <USERNAME> value and the <vpn server IP> value:
Code:
client
dev tun
proto udp
remote <vpn server IP> 9000
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\<USERNAME>.crt"
key "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\<USERNAME>.key"
# key direction 1 on the client pairs with "tls-auth ta.key 0" in server.conf
tls-auth "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\ta.key" 1
comp-lzo
verb 3
# copy these files from /usr/share/openvpn/easy-rsa/keys/ to C:\Program Files\OpenVPN\config\<USERNAME>\
ca.crt
<USERNAME>.crt
<USERNAME>.key
# copy the ta.key file from /etc/openvpn/ to C:\Program Files\OpenVPN\config\<USERNAME>\
# if you want to assign a specific user an IP address, create a file on the server : /etc/openvpn/ccd/<username>
# and in it put for example :
Code:
ifconfig-push 192.168.220.5 192.168.220.6
# it must be 2 IPs in the same network; the first is the IP of the tun0 interface, the 2nd is just a tunnel IP.
Then fire up the client and you should be connected.
========================================
Linux Client Configuration
========================================
On the OpenVPN server you have just set up:
Quote:
cd /usr/share/openvpn/easy-rsa/
source ./vars
./build-key <USERNAME>
On the Client side:
Quote:
# emerge openvpn
# cd /etc/openvpn
# mkdir client
# nano client.conf
Put this into your client.conf and edit the <vpn server ip> & <username> values.
Code:
client
dev tun
proto udp
# the port must match the "port" directive in server.conf (9000 above)
remote <vpn server ip> 9000
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
ca "/etc/openvpn/client/ca.crt"
cert "/etc/openvpn/client/<username>.crt"
key "/etc/openvpn/client/<username>.key"
# key direction 1 on the client pairs with "tls-auth ta.key 0" in server.conf
tls-auth "/etc/openvpn/client/ta.key" 1
comp-lzo
verb 3
copy these files from /usr/share/openvpn/easy-rsa/keys/ on the server to /etc/openvpn/client/ on the client side:
ca.crt
<username>.*
copy the ta.key file from /etc/openvpn/ on the server to /etc/openvpn/client on the client side.
Quote:
# ln -sf /etc/init.d/openvpn /etc/init.d/openvpn.client
# /etc/init.d/openvpn.client start
# rc-update add openvpn.client default
# if you want to assign a specific user an IP address, create a file on the server : /etc/openvpn/ccd/<username>
# and in it put for example :
Code:
ifconfig-push 192.168.220.5 192.168.220.6
# it must be 2 IPs in the same network; the first is the IP of the tun0 interface, the 2nd is just a tunnel IP.
========================================
Please let me know if I've left anything out.
regards
Dave

imind n00b
Joined: 09 Feb 2007 Posts: 3
Posted: Fri Feb 09, 2007 6:11 pm Post subject:
Thanks for sharing this bro, helped a lot
_________________
Myspace Games

Schangu n00b
Joined: 08 Feb 2004 Posts: 27 Location: Germany / Jever
Posted: Thu Oct 25, 2007 12:54 pm Post subject:
Sorry, but I think there is one mistake:
It is in your Linux client configuration:
You wrote that the VPN server port must be 9900, but in your server configuration it is 9000 ;]

idl0r Developer
Joined: 24 Jan 2008 Posts: 11
Posted: Fri Feb 01, 2008 11:47 am Post subject:
nice howto but:
WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
WARNING: --ifconfig-pool-persist will not work with --duplicate-cn

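Added example, not part of this thread or of OpenVPN itself: a small POSIX shell checker for the server.conf/client.conf pair built in the HOWTO, covering the client/server port mismatch Schangu found, the duplicate-cn warnings idl0r quotes, the tls-auth key direction, and the net30 rule behind the ccd ifconfig-push example. The config files and the hostname vpn.example.invalid are constructed fixtures.

```shell
#!/bin/sh
# Added example, not from the original post: consistency checks for the server.conf /
# client.conf pair described in this thread. The fixture files below are constructed
# and reproduce the port mismatch and the duplicate-cn conflict raised in the replies.

# Print the N-th argument of the first matching directive in an OpenVPN config file.
directive_arg() {  # $1 = file, $2 = directive, $3 = argument index (1-based)
  awk -v d="$2" -v i="$3" '$1 == d { print $(i+1); exit }' "$1"
}

# The client's "remote <host> <port>" must use the same port as the server's "port".
check_port_match() {  # $1 = server.conf, $2 = client.conf
  [ "$(directive_arg "$1" port 1)" = "$(directive_arg "$2" remote 2)" ]
}

# tls-auth key direction: 0 on the server and 1 on the client, never the same on both.
check_tls_auth_directions() {  # $1 = server.conf, $2 = client.conf
  [ "$(directive_arg "$1" tls-auth 2)" = 0 ] && [ "$(directive_arg "$2" tls-auth 2)" = 1 ]
}

# duplicate-cn lets several clients share one certificate, so the per-client files in
# client-config-dir and the ifconfig-pool-persist mapping cannot be applied reliably.
check_no_duplicate_cn_conflict() {  # $1 = server.conf
  if grep -q '^duplicate-cn' "$1"; then
    ! grep -Eq '^(client-config-dir|ifconfig-pool-persist)' "$1"
  fi
}

# With the default net30 topology an ifconfig-push pair must be the two usable addresses
# of one /30: same first three octets, local last octet = 4n+1, remote = local+1 (.5 .6).
check_ifconfig_push_pair() {  # $1 = ccd file
  set -- $(awk '$1 == "ifconfig-push" { print $2, $3; exit }' "$1")
  [ -n "$2" ] || return 1
  l=${1##*.}; r=${2##*.}
  [ "${1%.*}" = "${2%.*}" ] && [ $((l % 4)) -eq 1 ] && [ "$r" -eq $((l + 1)) ]
}

# Constructed fixtures: the server keeps duplicate-cn next to client-config-dir and the
# client still points at port 9900 while the server listens on 9000.
WORK=$(mktemp -d)
printf 'port 9000\nproto udp\ntls-auth ta.key 0\nduplicate-cn\nclient-config-dir ccd\n' > "$WORK/server.conf"
printf 'client\nremote vpn.example.invalid 9900\ntls-auth ta.key 1\n' > "$WORK/client.conf"
printf 'ifconfig-push 192.168.220.5 192.168.220.6\n' > "$WORK/ccd_user"

report() { label=$1; shift; if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fi; }
report "client remote port matches server port" check_port_match "$WORK/server.conf" "$WORK/client.conf"
report "tls-auth directions are 0 (server) / 1 (client)" check_tls_auth_directions "$WORK/server.conf" "$WORK/client.conf"
report "duplicate-cn does not clash with ccd / pool-persist" check_no_duplicate_cn_conflict "$WORK/server.conf"
report "ccd ifconfig-push is a valid net30 pair" check_ifconfig_push_pair "$WORK/ccd_user"
```

Point the four check functions at your real /etc/openvpn/server.conf, the client's .conf/.ovpn and a ccd file instead of the fixtures to run the same checks on a live setup.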
Tuinslak Tux's lil' helper
Joined: 26 Nov 2003 Posts: 129 Location: Belgium
Posted: Sun Jul 05, 2009 2:45 am Post subject:
thanks, great howto
just watch out with iptables/masquerading when you want to use the VPN server as gateway
_________________
Tuinslak

Bethney Piper n00b
Joined: 08 Jul 2009 Posts: 2
Posted: Wed Jul 08, 2009 10:49 pm Post subject:
Usually yes, it will route all your traffic through the company LAN. But you can make it do what is known as split tunneling, depending on what VPN vendor you are using. If it is just the Microsoft VPN you can go to the VPN connection properties, Networking, TCP/IP Advanced, and uncheck "use gateway on remote network".
_________________
ppt2flash