Gentoo Forums
Howto Openvpn - The quick easy way

adelante
Tux's lil' helper

Joined: 19 Apr 2003
Posts: 133
Location: South Africa - Johannesburg

Posted: Fri Feb 09, 2007 7:15 am    Post subject: Howto Openvpn - The quick easy way

Hi,

I've read through a lot of howtos for openvpn, and a lot of them didn't seem to work; I could follow them line for line and I kept running into problems.

Here is my HOWTO on openvpn, which I found was the simplest way of setting it up.

Server Config
========================================
Quote:

# emerge openvpn
# nano /usr/share/openvpn/easy-rsa/vars


Paste this into the file and edit to suit your needs

Code:

export EASY_RSA="`pwd`"
export KEY_CONFIG="$EASY_RSA/openssl.cnf"
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"


Quote:

# cd /usr/share/openvpn/easy-rsa/
# source ./vars
# ./clean-all
# ./build-ca


Just press enter through everything and select (Y) where necessary

Quote:

# ./build-key-server server
# ./build-dh


Quote:

# cd /etc/openvpn/
# openvpn --genkey --secret ta.key
# mkdir ccd
# nano server.conf


Paste this into your server.conf and edit the <network range> value
Code:

port 9000
proto udp
dev tun
mode server
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/server.crt
key /usr/share/openvpn/easy-rsa/keys/server.key
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
server <network range> 255.255.255.0 # for example 192.168.139.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-auth ta.key 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
duplicate-cn
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
log        /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3


Quote:

# ln -sf /etc/init.d/openvpn /etc/init.d/openvpn.server
# /etc/init.d/openvpn.server start
# rc-update add openvpn.server default


Your server side of things should be up and running now.
If you run an ifconfig you should see the tun0 device.

========================================


Windows Client Configuration
========================================

On the Openvpn server you have just set up:

Quote:

cd /usr/share/openvpn/easy-rsa/
source ./vars
./build-key <USERNAME>


On the Client side:

# install the openvpn client on windows : http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
# create folder : C:\Program Files\OpenVPN\config\<USERNAME>
# create a file called : C:\Program Files\OpenVPN\config\<USERNAME>.ovpn
# open this file with notepad and inside that file put the following and edit the <USERNAME> value and the <vpn server IP> value:

Code:

client
dev tun
proto udp
remote <vpn server IP> 9000
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\<USERNAME>.crt"
key "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\<USERNAME>.key"
tls-auth "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\ta.key" 1
comp-lzo
verb 3


# copy these files from /usr/share/openvpn/easy-rsa/keys/ to C:\Program Files\OpenVPN\config\<USERNAME>\
ca.crt
<USERNAME>.crt
<USERNAME>.key

# copy the ta.key file from /etc/openvpn/ to C:\Program Files\OpenVPN\config\<USERNAME>\

# if you want to assign a specific user an IP address, create a file on the server : /etc/openvpn/ccd/<username>
# and in it put for example :
Code:

ifconfig-push 192.168.220.5 192.168.220.6


# it must be 2 IPs in the same network; the first is the IP of the tun0 interface, the 2nd is just a tunnel IP.

Then fire up the client and you should be connected.
========================================


Linux Client Configuration
========================================
On the Openvpn server you have just set up:

Quote:

cd /usr/share/openvpn/easy-rsa/
source ./vars
./build-key <USERNAME>


On the Client side:

Quote:

# emerge openvpn
# cd /etc/openvpn
# mkdir client
# nano client.conf


Put this into your client.conf and edit the <vpn server ip> & <username> values.
Code:

client
dev tun
proto udp
remote <vpn server ip> 9900
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
ca "/etc/openvpn/client/ca.crt"
cert "/etc/openvpn/client/<username>.crt"
key "/etc/openvpn/client/<username>.key"
tls-auth "/etc/openvpn/client/ta.key" 1
comp-lzo
verb 3


copy these files from /usr/share/openvpn/easy-rsa/keys/ on the server to /etc/openvpn/client/ on the client side:
ca.crt
<username>.*

copy the ta.key file from /etc/openvpn/ on the server to /etc/openvpn/client on the client side.

Quote:

# ln -sf /etc/init.d/openvpn /etc/init.d/openvpn.client
# /etc/init.d/openvpn.client start
# rc-update add openvpn.client default


# if you want to assign a specific user an IP address, create a file on the server : /etc/openvpn/ccd/<username>
# and in it put for example :
Code:

ifconfig-push 192.168.220.5 192.168.220.6


# it must be 2 IPs in the same network; the first is the IP of the tun0 interface, the 2nd is just a tunnel IP.

========================================


Please let me know if I've left anything out.

regards
Dave
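
The ifconfig-push rule in the post above ("2 IPs in the same network") can be checked before a ccd file goes live. This is an added example, not part of the original post: it assumes net30 addressing, where each client gets its own /30 and the pair must be that subnet's two usable hosts, and its function names and sample ccd files are constructed.

```shell
#!/bin/sh
# Added example (not from the post): validate ifconfig-push pairs in a ccd file.
# Assumes net30 addressing, where each client gets its own /30 subnet.

# check_push_pair LOCAL REMOTE: succeed only if the addresses are the two
# usable hosts of one /30, i.e. last octets 1,2 / 5,6 / 9,10 ... 253,254.
check_push_pair() {
    # Reject non-numeric input and octets written with a leading zero
    case ".$1.$2" in *[!0-9.]*|*.0[0-9]*) return 1 ;; esac
    l4=${1##*.}; r4=${2##*.}
    [ -n "$l4" ] && [ -n "$r4" ] || return 1
    [ "${1%.*}" = "${2%.*}" ] || return 1   # first three octets must match
    [ $((l4 % 4)) -eq 1 ] || return 1       # first address: network + 1
    [ "$r4" -eq $((l4 + 1)) ] || return 1   # second address: network + 2
}

# lint_ccd FILE: print one finding per ifconfig-push line that fails the check
lint_ccd() {
    awk '$1 == "ifconfig-push" { print $2, $3 }' "$1" |
    while read -r l r; do
        check_push_pair "$l" "$r" || echo "BAD_PUSH_PAIR $l $r"
    done
}

tmp=$(mktemp -d)
# Constructed ccd files: the pair from the post, and one that straddles two /30s
echo 'ifconfig-push 192.168.220.5 192.168.220.6' > "$tmp/alice"
echo 'ifconfig-push 192.168.220.6 192.168.220.7' > "$tmp/bob"
lint_ccd "$tmp/alice"
lint_ccd "$tmp/bob"
rm -rf "$tmp"
```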

imind
n00b

Joined: 09 Feb 2007
Posts: 3

Posted: Fri Feb 09, 2007 6:11 pm

Thanks for sharing this bro :P helped a lot
_________________
Myspace Games

Schangu
n00b

Joined: 08 Feb 2004
Posts: 27
Location: Germany / Jever

Posted: Thu Oct 25, 2007 12:54 pm

Sorry, but I think there is one mistake:

It is in your Linux-Client Configuration:
You wrote that the VPN Server Port must be 9900 but in your Server Configuration it is 9000 ;]

idl0r
Developer

Joined: 24 Jan 2008
Posts: 13

Posted: Fri Feb 01, 2008 11:47 am

nice howto but:
WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Back to top
View user's profile Send private message
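
The two problems raised in the replies above (the Linux client pointing at port 9900 while the server listens on 9000, and duplicate-cn combined with client-config-dir and ifconfig-pool-persist) can be caught mechanically before a config is deployed. The script below is an added example, not part of any post in this thread; its function names, finding labels and sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: lint an OpenVPN server/client config pair.
# Function names, finding labels and sample files are constructed.

# has_opt FILE OPTION: succeed if OPTION is an active (uncommented) directive
has_opt() {
    awk -v o="$2" '$1 == o { found = 1 } END { exit !found }' "$1"
}

# lint_pair SERVER_CONF CLIENT_CONF: print one finding per line
lint_pair() {
    sp=$(awk '$1 == "port" { print $2; exit }' "$1")
    cp=$(awk '$1 == "remote" { print $3; exit }' "$2")
    sp=${sp:-1194}; cp=${cp:-1194}   # OpenVPN's default port when none is given
    [ "$sp" = "$cp" ] || echo "PORT_MISMATCH server=$sp client=$cp"
    if has_opt "$1" duplicate-cn; then
        # duplicate-cn lets several clients connect with one common name, so
        # per-CN ccd files and persisted pool leases cannot tell them apart.
        if has_opt "$1" client-config-dir; then echo "DUPCN_WITH_CCD"; fi
        if has_opt "$1" ifconfig-pool-persist; then echo "DUPCN_WITH_POOL_PERSIST"; fi
    fi
    return 0
}

# make_samples DIR: write constructed configs that mirror the thread's settings
make_samples() {
    printf '%s\n' 'port 9000' 'proto udp' 'client-config-dir ccd' \
        'ifconfig-pool-persist ipp.txt' 'duplicate-cn' > "$1/server.conf"
    printf '%s\n' 'client' 'remote vpn.example.invalid 9900' > "$1/client.conf"
    # Corrected pair: matching port, one certificate per client
    printf '%s\n' 'port 9000' 'proto udp' 'client-config-dir ccd' \
        'ifconfig-pool-persist ipp.txt' > "$1/server-fixed.conf"
    printf '%s\n' 'client' 'remote vpn.example.invalid 9000' > "$1/client-fixed.conf"
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "as posted:"; lint_pair "$tmp/server.conf" "$tmp/client.conf"
echo "corrected:"; lint_pair "$tmp/server-fixed.conf" "$tmp/client-fixed.conf"
rm -rf "$tmp"
```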

Tuinslak
Tux's lil' helper

Joined: 26 Nov 2003
Posts: 129
Location: Belgium

Posted: Sun Jul 05, 2009 2:45 am

thanks, great howto
just watch out with iptables/masquerading when you want to use the VPN server as gateway
_________________
Tuinslak

Bethney Piper
n00b

Joined: 08 Jul 2009
Posts: 2

Posted: Wed Jul 08, 2009 10:49 pm

Usually yes it will route all your traffic through the company LAN. But you can make it do what is known as split-tunneling depending on what VPN vendor you are using. If it is just the Microsoft VPN you can go to the VPN connection properties, networking, tcp/ip advanced, and uncheck "use gateway on remote network".
_________________
ppt2flash

alex6
Tux's lil' helper

Joined: 18 Jul 2011
Posts: 140

Posted: Mon Jul 22, 2013 3:25 pm

This guide still works except 2 things :
- have to emerge easy-rsa (ok it does make sense but not written in this guide)
- all the paths changed : /usr/share/openvpn/easy-rsa is now /usr/share/easy-rsa

solamour
Guru

Joined: 21 Dec 2004
Posts: 505
Location: San Diego, CA

Posted: Fri Dec 06, 2013 7:35 pm

alex6 wrote:
This guide still works except 2 things :
- have to emerge easy-rsa (ok it does make sense but not written in this guide)
- all the paths changed : /usr/share/openvpn/easy-rsa is now /usr/share/easy-rsa

Ha... that's why I wasn't able to find some of the files in the guide. Thanks for sharing.
__
sol

fbcyborg
Advocate

Joined: 16 Oct 2005
Posts: 3021
Location: ROMA

Posted: Fri Dec 06, 2013 8:48 pm

Thank you for the information. Actually I had the same problem! :D

That should be put in the first post!
_________________
[HOWTO] How to encrypt /home using cryptsetup and luks
[HOWTO] Enabling dom0 XEN support on 3.X kernels
Help answer the unanswered

djbadballie469
n00b

Joined: 30 Jul 2014
Posts: 1

Posted: Wed Jul 30, 2014 8:28 am    Post subject: config files

Hi, I'm in South Africa, Durban. I'm on 8.ta network. Can someone email me the config folder with all settings intact? Djbadballie469(at)gmail(dot)com. Thanks in advance. I have OpenVPN but no working config files.