Gentoo Forums
Howto Openvpn - The quick easy way
adelante
Tux's lil' helper


Joined: 19 Apr 2003
Posts: 133
Location: South Africa - Johannesburg

Posted: Fri Feb 09, 2007 7:15 am    Post subject: Howto Openvpn - The quick easy way

Hi,

I've read through a lot of howtos for openvpn, and a lot of them didn't seem to work; I could follow them line for line and I kept running into problems.

Here is my HOWTO on openvpn, which I find was the simplest way of setting it up.

Server Config
========================================
Quote:

# emerge openvpn
# nano /usr/share/openvpn/easy-rsa/vars


Paste this into the file and edit it to suit your needs.

Code:

export EASY_RSA="`pwd`"
export KEY_CONFIG="$EASY_RSA/openssl.cnf"
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"


Quote:

# cd /usr/share/openvpn/easy-rsa/
# source ./vars
# ./clean-all
# ./build-ca


Just press Enter through everything and answer (Y) where necessary.

Quote:

# ./build-key-server server
# ./build-dh


Quote:

# cd /etc/openvpn/
# openvpn --genkey --secret ta.key
# mkdir ccd
# nano server.conf


Paste this into your server.conf and edit the <network range> value.
Code:

port 9000
proto udp
dev tun
mode server
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/server.crt
key /usr/share/openvpn/easy-rsa/keys/server.key
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
server <network range> 255.255.255.0 # for example 192.168.139.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-auth ta.key 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
duplicate-cn
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
log        /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3


Quote:

# ln -sf /etc/init.d/openvpn /etc/init.d/openvpn.server
# /etc/init.d/openvpn.server start
# rc-update add openvpn.server default


Your server side of things should be up and running now.
If you run an ifconfig you should see the tun0 device.

========================================


Windows Client Configuration
========================================

On the Openvpn server you have just setup:

Quote:

cd /usr/share/openvpn/easy-rsa/
source ./vars
./build-key <USERNAME>


On the Client side:

# install the openvpn client on windows : http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
# create folder : C:\Program Files\OpenVPN\config\<USERNAME>
# create a file called : C:\Program Files\OpenVPN\config\<USERNAME>.ovpn
# open this file with Notepad, put the following in it, and edit the <USERNAME> value and the <vpn server IP> value:

Code:

client
dev tun
proto udp
remote <vpn server IP> 9000
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\<USERNAME>.crt"
key "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\<USERNAME>.key"
tls-auth "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\ta.key" 1
comp-lzo
verb 3


# copy these files from /usr/share/openvpn/easy-rsa/keys/ to C:\Program Files\OpenVPN\config\<USERNAME>\
ca.crt
<USERNAME>.crt
<USERNAME>.key

# copy the ta.key file from /etc/openvpn/ to C:\Program Files\OpenVPN\config\<USERNAME>\

# if you want to assign a specific user an IP address, create a file on the server : /etc/openvpn/ccd/<username>
# and in it put for example :
Code:

ifconfig-push 192.168.220.5 192.168.220.6


# it must be 2 IPs in the same network; the first is the IP of the tun0 interface, the 2nd is just a tunnel IP.

Then fire up the client and you should be connected.
========================================


Linux Client Configuration
========================================
On the Openvpn server you have just setup:

Quote:

cd /usr/share/openvpn/easy-rsa/
source ./vars
./build-key <USERNAME>


On the Client side:

Quote:

# emerge openvpn
# cd /etc/openvpn
# mkdir client
# nano client.conf


Put this into your client.conf and edit the <vpn server ip> & <username> values.
Code:

client
dev tun
proto udp
remote <vpn server ip> 9900
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
ca "/etc/openvpn/client/ca.crt"
cert "/etc/openvpn/client/<username>.crt"
key "/etc/openvpn/client/<username>.key"
tls-auth "/etc/openvpn/client/ta.key" 1
comp-lzo
verb 3


copy these files from /usr/share/openvpn/easy-rsa/keys/ on the server to /etc/openvpn/client/ on the client side:
ca.crt
<username>.*

copy the ta.key file from /etc/openvpn/ on the server to /etc/openvpn/client on the client side.

Quote:

# ln -sf /etc/init.d/openvpn /etc/init.d/openvpn.client
# /etc/init.d/openvpn.client start
# rc-update add openvpn.client default


# if you want to assign a specific user an IP address, create a file on the server : /etc/openvpn/ccd/<username>
# and in it put for example :
Code:

ifconfig-push 192.168.220.5 192.168.220.6


# it must be 2 IPs in the same network; the first is the IP of the tun0 interface, the 2nd is just a tunnel IP.

========================================


Please let me know if I've left anything out.

regards
Dave
Schangu
n00b


Joined: 08 Feb 2004
Posts: 27
Location: Germany / Jever

Posted: Thu Oct 25, 2007 12:54 pm

Sorry, but I think there is one mistake:

It is in your Linux-Client Configuration:
You wrote that the VPN server port must be 9900, but in your server configuration it is 9000 ;]
idl0r
Developer


Joined: 24 Jan 2008
Posts: 13

Posted: Fri Feb 01, 2008 11:47 am

nice howto but:
WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Tuinslak
Tux's lil' helper


Joined: 26 Nov 2003
Posts: 129
Location: Belgium

Posted: Sun Jul 05, 2009 2:45 am

thanks, great howto
just watch out with iptables/masquerading when you want to use the VPN server as a gateway
Bethney Piper
n00b


Joined: 08 Jul 2009
Posts: 2

Posted: Wed Jul 08, 2009 10:49 pm

Usually, yes, it will route all your traffic through the company LAN. But you can make it do what is known as split-tunneling, depending on what VPN vendor you are using. If it is just the Microsoft VPN, you can go to the VPN connection properties, Networking, TCP/IP Advanced, and uncheck "Use default gateway on remote network".
alex6
Apprentice


Joined: 18 Jul 2011
Posts: 172

Posted: Mon Jul 22, 2013 3:25 pm

This guide still works except for 2 things:
- have to emerge easy-rsa (ok it does make sense but not written in this guide)
- all the paths changed : /usr/share/openvpn/easy-rsa is now /usr/share/easy-rsa
solamour
l33t


Joined: 21 Dec 2004
Posts: 698
Location: San Diego, CA

Posted: Fri Dec 06, 2013 7:35 pm

alex6 wrote:
This guide still works except for 2 things:
- have to emerge easy-rsa (ok it does make sense but not written in this guide)
- all the paths changed : /usr/share/openvpn/easy-rsa is now /usr/share/easy-rsa

Ha... that's why I wasn't able to find some of the files in the guide. Thanks for sharing.
fbcyborg
Advocate


Joined: 16 Oct 2005
Posts: 3056
Location: ROMA

Posted: Fri Dec 06, 2013 8:48 pm

Thank you for the information. Actually I had the same problem! :D

That should be put in the first post!
djbadballie469
n00b


Joined: 30 Jul 2014
Posts: 1

Posted: Wed Jul 30, 2014 8:28 am    Post subject: config files

Hi, I'm in South Africa, Durban. I'm on the 8.ta network. Can someone email me the config folder with all settings intact? Djbadballie469(at)gmail(dot)com. Thanks in advance. I have OpenVPN but no working config files.
fincoop
Tux's lil' helper


Joined: 02 Feb 2004
Posts: 143

Posted: Thu Feb 11, 2016 7:49 pm    Post subject: Re: Howto Openvpn - The quick easy way

adelante wrote:
Hi,

I've read through a lot of howtos for openvpn, and a lot of them didn't seem to work; I could follow them line for line and I kept running into problems.



Thanks a lot, still works!
wichtounet
Tux's lil' helper


Joined: 17 Mar 2012
Posts: 122

Posted: Tue Jan 24, 2017 2:00 pm

Unfortunately, this does not work anymore at all. All the directories have changed.

It's the same issue with the official OpenVPN page of Gentoo :S
Joseph_sys
Advocate


Joined: 08 Jun 2004
Posts: 2712
Location: Edmonton, AB

Posted: Tue Feb 07, 2017 12:15 am

wichtounet wrote:
Unfortunately, this does not work anymore at all. All the directories have changed.

It's the same issue with the official OpenVPN page of Gentoo :S


This is not a helpful reply.
Just point out which directory has changed; so far only "/usr/share/easy-rsa" has changed.
Joseph_sys
Advocate


Joined: 08 Jun 2004
Posts: 2712
Location: Edmonton, AB

Posted: Wed Feb 08, 2017 2:23 am

Quick and dirty instructions to make openvpn + easy-rsa work.

On SERVER do:

Code:
cd /usr/share/easy-rsa/
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server_clinic_8amd nopass
./easyrsa gen-dh
openvpn --genkey --secret ta.key

mkdir /etc/openvpn/cert

cp pki/ca.crt /etc/openvpn/cert/
cp pki/issued/server_clinic_8amd.crt /etc/openvpn/cert/
cp pki/private/server_clinic_8amd.key /etc/openvpn/cert/
cp pki/dh.pem /etc/openvpn/cert/
cp ta.key /etc/openvpn/cert/
./easyrsa build-client-full syscon7 nopass


Hit "ENTER" when needed (no need to change anything).

Copy the following files to the client (via USB or ssh, 'zip it', etc.; pay attention to permissions):
=> The public ca.crt certificate is needed on all servers and clients.
=> The private ca.key key is secret and only needed on the key generating machine. (not in cert/ folder)
=> A server needs server.crt, and dh2048.pem (public), and server.key and ta.key (private).
=> A client needs client.crt (public), and client.key and ta.key (private).


e.g. (transfer these files to your client):
cp pki/ca.crt /home/fd/keys/
cp pki/issued/syscon7.crt /home/fd/keys/
cp pki/private/syscon7.key /home/fd/keys/
cp ta.key /home/fd/keys/

Copy the files from the instructions above to /etc/openvpn on the server.
I copied them to the "cert" dir in /etc/openvpn/.

Code:
ll /etc/openvpn/cert/
total 28
-rw------- 1 root root 1749 Feb  7 12:24 ca.crt
-rw------- 1 root root  424 Feb  7 12:28 dh.pem
-rw------- 1 root root 5280 Feb  7 12:26 server_clinic_8amd.crt
-rw------- 1 root root 1704 Feb  7 12:27 server_clinic_8amd.key
-rw------- 1 root root  636 Feb  7 13:35 ta.key

cat server_clinic_8amd.conf (on server PC)


    proto udp
    port 9000
    dev tun
    mode server
    ca /etc/openvpn/cert/ca.crt
    cert /etc/openvpn/cert/server_clinic_8amd.crt
    key /etc/openvpn/cert/server_clinic_8amd.key
    dh /etc/openvpn/cert/dh.pem
    topology subnet
    server 192.168.140.0 255.255.255.0
    client-to-client
    ifconfig-pool-persist ipp.txt
    client-config-dir ccd
    keepalive 10 120
    tls-auth /etc/openvpn/cert/ta.key
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1200
    duplicate-cn
    comp-lzo
    max-clients 10
    persist-key
    persist-tun
    status openvpn-status.log
    log /var/log/openvpn.log
    log-append /var/log/openvpn.log
    verb 3

=================
on SERVER
Code:
cd /etc/openvpn
touch ipp.txt   # on the server, in /etc/openvpn
mkdir ccd
nano -w ccd/syscon7

ifconfig-push 192.168.140.7 255.255.255.0

"save it"

Code:
cd /etc/init.d/
ln -s openvpn openvpn.server_clinic_8amd
./openvpn.server_clinic_8amd start


==========================

On the client PC (my "syscon7"), logged in as root:
Code:
cd /etc/openvpn
mkdir cert_clinic_8amd

and copy the above files to that directory.
# ll cert_clinic_8amd/
total 20
-rwx------ 1 root root 1749 Feb  7 14:21 ca.crt
-rwx------ 1 root root 5239 Feb  7 14:21 syscon7.crt
-rwx------ 1 root root 1704 Feb  7 14:21 syscon7.key
-rwx------ 1 root root  636 Feb  7 14:21 ta.key

nano -w clinic_8amd.conf


    client
    dev tun
    proto udp
    port 9071
    topology subnet

    remote <your_remote_PC_IP_address> 9071

    resolv-retry infinite
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1200
    persist-key
    persist-tun
    remote-cert-tls server
    ca "/etc/openvpn/cert_clinic_8amd/ca.crt"
    cert "/etc/openvpn/cert_clinic_8amd/syscon7.crt"
    key "/etc/openvpn/cert_clinic_8amd/syscon7.key"
    tls-auth "/etc/openvpn/cert_clinic_8amd/ta.key"
    comp-lzo
    log /var/log/openvpn.log
    log-append /var/log/openvpn.log
    verb 3

================

Note: make sure that on your server's network firewall you forward incoming traffic from port 9071 to port 9000.

Code:
cd /etc/init.d/
ln -s openvpn openvpn.clinic_8amd
./openvpn.clinic_8amd start


You should have a VPN.
Check it with "ifconfig".
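As an added example (not code from this thread), a small Python lint that reads a server.conf and a client config and flags the problems raised above: the duplicate-cn warnings idl0r quotes, the 9900-vs-9000 port slip Schangu caught in the first post's Linux client file, a tls-auth key direction that does not pair up, and a client without the `remote-cert-tls server` line that Joseph_sys's config carries. The sample configs are constructed; the port check assumes no port forwarding in between, so a setup like Joseph_sys's 9071-to-9000 forward would be reported even though it works.

```python
import shlex
from itertools import takewhile

def parse_ovpn(text):
    """Map each directive to its argument lists; a token starting with '#' or ';' begins a comment."""
    conf = {}
    for line in text.splitlines():  # posix=False keeps quoted Windows paths exactly as written
        tokens = list(takewhile(lambda t: t[0] not in "#;", shlex.split(line, posix=False)))
        if tokens:
            conf.setdefault(tokens[0], []).append(tokens[1:])
    return conf

def tls_auth_direction(conf):  # '0' or '1' given after the tls-auth key file, else None
    args = conf.get("tls-auth", [[]])[0]
    return args[-1] if len(args) > 1 and args[-1] in ("0", "1") else None

def lint_pair(server_text, client_text):
    """Return findings for a server.conf / client config pair; an empty list means consistent."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    out = []
    if "duplicate-cn" in s:  # the two warnings idl0r quotes come from exactly this combination
        out += [f"server: duplicate-cn breaks {d}, which selects per-client settings by CN"
                for d in ("client-config-dir", "ifconfig-pool-persist") if d in s]
    sport = s.get("port", [["1194"]])[0][0]  # 1194 is OpenVPN's default port
    for args in c.get("remote", []):
        rport = args[1] if len(args) > 1 else "1194"
        if rport != sport:
            out.append(f"client: remote port {rport} does not match server port {sport}")
    if ("tls-auth" in s) != ("tls-auth" in c):
        out.append("tls-auth is configured on one side only; the handshake cannot complete")
    elif "tls-auth" in s and (tls_auth_direction(s), tls_auth_direction(c)) not in ((None, None), ("0", "1")):
        out.append("tls-auth direction should be 0 on the server and 1 on the client, or omitted on both")
    if "remote-cert-tls" not in c:
        out.append("client: add 'remote-cert-tls server' so another client's certificate cannot pose as the server")
    return out

# Constructed sample pair: the first post's server.conf (range filled in) and a client with Schangu's 9900/9000 slip.
SERVER_CONF = """port 9000
server 192.168.139.0 255.255.255.0 # example range
ifconfig-pool-persist ipp.txt
client-config-dir ccd
tls-auth ta.key 0
duplicate-cn
"""
CLIENT_CONF = r"""client
remote 203.0.113.10 9900
tls-auth "C:\\Program Files\\OpenVPN\\config\\alice\\ta.key" 1
"""
if __name__ == "__main__":
    print("\n".join(lint_pair(SERVER_CONF, CLIENT_CONF)))
```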