adelante (Tux's lil' helper)
Joined: 19 Apr 2003, Posts: 133, Location: South Africa - Johannesburg
Posted: Fri Feb 09, 2007 7:15 am, Post subject: Howto Openvpn - The quick easy way
Hi,
I've read through a lot of howtos for openvpn, and a lot of them didn't seem to work; I could follow them line for line and I kept running into problems.
Here is my HOWTO on openvpn, which I find was the simplest way of setting it up.
Server Config
========================================
Quote:
# emerge openvpn
# nano /usr/share/openvpn/easy-rsa/vars
Paste this into the file and edit it to suit your needs:
Code:
export EASY_RSA="`pwd`"
export KEY_CONFIG="$EASY_RSA/openssl.cnf"
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
Quote:
# cd /usr/share/openvpn/easy-rsa/
# source ./vars
# ./clean-all
# ./build-ca
Just press Enter through everything and answer (y) where necessary.
Quote:
# ./build-key-server server
# ./build-dh
Quote:
# cd /etc/openvpn/
# openvpn --genkey --secret ta.key
# mkdir ccd
# nano server.conf
Paste this into your server.conf and edit the <network range> value
Code:
port 9000
proto udp
dev tun
mode server
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/server.crt
key /usr/share/openvpn/easy-rsa/keys/server.key
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
server <network range> 255.255.255.0 # for example 192.168.139.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-auth ta.key 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
duplicate-cn
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
Quote:
# ln -sf /etc/init.d/openvpn /etc/init.d/openvpn.server
# /etc/init.d/openvpn.server start
# rc-update add openvpn.server default
Your server side of things should be up and running now.
If you run an ifconfig you should see the tun0 device.
========================================
Windows Client Configuration
========================================
On the Openvpn server you have just set up:
Quote:
cd /usr/share/openvpn/easy-rsa/
source ./vars
./build-key <USERNAME>
On the Client side:
# install the openvpn client on windows : http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
# create folder : C:\Program Files\OpenVPN\config\<USERNAME>
# create a file called : C:\Program Files\OpenVPN\config\<USERNAME>.ovpn
# open this file with notepad and inside that file put the following and edit the <USERNAME> value and the <vpn server IP> value:
Code:
client
dev tun
proto udp
remote <vpn server IP> 9000
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\<USERNAME>.crt"
key "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\<USERNAME>.key"
tls-auth "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\ta.key" 1
comp-lzo
verb 3
# copy these files from /usr/share/openvpn/easy-rsa/keys/ to C:\Program Files\OpenVPN\config\<USERNAME>\
ca.crt
<USERNAME>.crt
<USERNAME>.key
# copy the ta.key file from /etc/openvpn/ to C:\Program Files\OpenVPN\config\<USERNAME>\
# if you want to assign a specific user an IP address, create a file on the server : /etc/openvpn/ccd/<username>
# and in it put for example :
Code:
ifconfig-push 192.168.220.5 192.168.220.6
# it must be 2 IPs in the same network: the first is the IP of the tun0 interface, the 2nd is just a tunnel IP.
Then fire up the client and you should be connected.
========================================
Linux Client Configuration
========================================
On the Openvpn server you have just set up:
Quote:
cd /usr/share/openvpn/easy-rsa/
source ./vars
./build-key <USERNAME>
On the Client side:
Quote:
# emerge openvpn
# cd /etc/openvpn
# mkdir client
# nano client.conf
Put this into your client.conf and edit the <vpn server ip> & <username> values.
Code:
client
dev tun
proto udp
remote <vpn server ip> 9900
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
ca "/etc/openvpn/client/ca.crt"
cert "/etc/openvpn/client/<username>.crt"
key "/etc/openvpn/client/<username>.key"
tls-auth "/etc/openvpn/client/ta.key" 1
comp-lzo
verb 3
copy these files from /usr/share/openvpn/easy-rsa/keys/ on the server to /etc/openvpn/client/ on the client side:
ca.crt
<username>.*
copy the ta.key file from /etc/openvpn/ on the server to /etc/openvpn/client on the client side.
Quote:
# ln -sf /etc/init.d/openvpn /etc/init.d/openvpn.client
# /etc/init.d/openvpn.client start
# rc-update add openvpn.client default
# if you want to assign a specific user an IP address, create a file on the server : /etc/openvpn/ccd/<username>
# and in it put for example :
Code:
ifconfig-push 192.168.220.5 192.168.220.6
# it must be 2 IPs in the same network: the first is the IP of the tun0 interface, the 2nd is just a tunnel IP.
========================================
Please let me know if I've left anything out.
Regards,
Dave
Schangu (n00b)
Joined: 08 Feb 2004, Posts: 27, Location: Germany / Jever
Posted: Thu Oct 25, 2007 12:54 pm
Sorry, but I think there is one mistake:
It is in your Linux-Client Configuration:
You wrote that the VPN Server Port must be 9900 but in your Server Configuration it is 9000 ;]
idl0r (Developer)
Joined: 24 Jan 2008, Posts: 13
Posted: Fri Feb 01, 2008 11:47 am
Nice howto, but:
WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
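The port mismatch Schangu spotted and the two OpenVPN warnings idl0r quotes are both things a script can catch before a config is deployed. The checker below is an added example, not code from this thread or from OpenVPN itself; the server/client pair is constructed to mirror the howto above, and 203.0.113.10 is a placeholder server address.

```python
# Constructed sample pair mirroring the howto: the server listens on 9000 but the
# Linux client was given 9900, and the server mixes duplicate-cn with
# client-config-dir and ifconfig-pool-persist (the combination idl0r's warnings are about).
SERVER_CONF = """\
port 9000
proto udp
server 192.168.139.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
tls-auth ta.key 0
duplicate-cn
"""
CLIENT_CONF = """\
client
proto udp
remote 203.0.113.10 9900
tls-auth ta.key 1
"""

def parse(text):
    """Map each OpenVPN option name to the list of argument lists it was given."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def check(server_text, client_text):
    """Return human-readable findings for a server/client config pair."""
    s, c, out = parse(server_text), parse(client_text), []
    sport = s.get("port", [["1194"]])[0][0]
    for remote in c.get("remote", []):
        cport = remote[1] if len(remote) > 1 else "1194"
        if cport != sport:
            out.append(f"port mismatch: server listens on {sport}, client dials {cport}")
    if s.get("proto", [["udp"]])[0] != c.get("proto", [["udp"]])[0]:
        out.append("proto mismatch between server and client")
    # tls-auth directions must be 0 (server) / 1 (client), or omitted on both sides
    sdir = (s.get("tls-auth", [[]])[0][1:2] or ["none"])[0]
    cdir = (c.get("tls-auth", [[]])[0][1:2] or ["none"])[0]
    if {sdir, cdir} not in ({"0", "1"}, {"none"}):
        out.append(f"tls-auth key direction mismatch: server {sdir}, client {cdir}")
    for opt in ("client-config-dir", "ifconfig-pool-persist"):
        if "duplicate-cn" in s and opt in s:
            out.append(f"{opt} is keyed on the client CN, so duplicate-cn breaks it")
    if "remote-cert-tls" not in c:
        out.append("client lacks 'remote-cert-tls server': any CA-signed cert could pose as the server")
    return out
```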
Tuinslak (Tux's lil' helper)
Joined: 26 Nov 2003, Posts: 129, Location: Belgium
Posted: Sun Jul 05, 2009 2:45 am
Thanks, great howto.
Just watch out with iptables/masquerading when you want to use the VPN server as a gateway.
Bethney Piper (n00b)
Joined: 08 Jul 2009, Posts: 2
Posted: Wed Jul 08, 2009 10:49 pm
Usually, yes, it will route all your traffic through the company LAN. But you can make it do what is known as split-tunneling, depending on what VPN vendor you are using. If it is just the Microsoft VPN you can go to the VPN connection properties, Networking, TCP/IP Advanced, and uncheck "Use default gateway on remote network".
alex6 (Apprentice)
Joined: 18 Jul 2011, Posts: 172
Posted: Mon Jul 22, 2013 3:25 pm
This guide still works except for 2 things:
- you have to emerge easy-rsa (ok, it does make sense, but it is not written in this guide)
- all the paths changed: /usr/share/openvpn/easy-rsa is now /usr/share/easy-rsa
solamour (l33t)
Joined: 21 Dec 2004, Posts: 691, Location: San Diego, CA
Posted: Fri Dec 06, 2013 7:35 pm
alex6 wrote:
    This guide still works except for 2 things:
    - you have to emerge easy-rsa (ok, it does make sense, but it is not written in this guide)
    - all the paths changed: /usr/share/openvpn/easy-rsa is now /usr/share/easy-rsa
Ha... that's why I wasn't able to find some of the files in the guide. Thanks for sharing.
sol
djbadballie469 (n00b)
Joined: 30 Jul 2014, Posts: 1
Posted: Wed Jul 30, 2014 8:28 am, Post subject: config files
Hi, I'm in South Africa, Durban. I'm on the 8.ta network. Can someone email me the config folder with all settings intact? Djbadballie469(at)gmail(dot)com. Thanks in advance. I have OpenVPN but no working config files.
fincoop (Tux's lil' helper)
Joined: 02 Feb 2004, Posts: 143
Posted: Thu Feb 11, 2016 7:49 pm, Post subject: Re: Howto Openvpn - The quick easy way
adelante wrote:
    Hi,
    I've read through a lot of howtos for openvpn, and a lot of them didn't seem to work; I could follow them line for line and I kept running into problems.
Thanks a lot, still works!
wichtounet (Tux's lil' helper)
Joined: 17 Mar 2012, Posts: 122
Posted: Tue Jan 24, 2017 2:00 pm
Unfortunately, this does not work anymore at all. All the directories have changed.
It's the same issue with the official OpenVPN page of Gentoo :S
Joseph_sys (Advocate)
Joined: 08 Jun 2004, Posts: 2623, Location: Edmonton, AB
Posted: Tue Feb 07, 2017 12:15 am
wichtounet wrote:
    Unfortunately, this does not work anymore at all. All the directories have changed.
    It's the same issue with the official OpenVPN page of Gentoo :S
This is not a helpful reply.
Just point out which directory has changed; so far only "/usr/share/easy-rsa" has changed.
Joseph_sys (Advocate)
Joined: 08 Jun 2004, Posts: 2623, Location: Edmonton, AB
Posted: Wed Feb 08, 2017 2:23 am
Quick and dirty instructions to make openvpn + easy-rsa working.
On SERVER do:
Code:
cd /usr/share/easy-rsa/
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server_clinic_8amd nopass
./easyrsa gen-dh
openvpn --genkey --secret ta.key
mkdir /etc/openvpn/cert
cp pki/ca.crt /etc/openvpn/cert/
cp pki/issued/server_clinic_8amd.crt /etc/openvpn/cert/
cp pki/private/server_clinic_8amd.key /etc/openvpn/cert/
cp pki/dh.pem /etc/openvpn/cert/
cp ta.key /etc/openvpn/cert/
./easyrsa build-client-full syscon7 nopass
Hit "ENTER" when needed (no need to change anything).
Copy the following files to the client (via USB, ssh, 'zip it', etc.; pay attention to permissions):
=> The public ca.crt certificate is needed on all servers and clients.
=> The private ca.key key is secret and only needed on the key generating machine. (not in cert/ folder)
=> A server needs server.crt, and dh2048.pem (public), and server.key and ta.key (private).
=> A client needs client.crt (public), and client.key and ta.key (private).
e.g. (transfer these files to your client):
cp pki/ca.crt /home/fd/keys/
cp pki/issued/syscon7.crt /home/fd/keys/
cp pki/private/syscon7.key /home/fd/keys/
cp ta.key /home/fd/keys/
Copy the files from the instructions above to the server's /etc/openvpn.
I copied them to the dir "cert" in /etc/openvpn/:
Code:
ll /etc/openvpn/cert/
total 28
-rw------- 1 root root 1749 Feb 7 12:24 ca.crt
-rw------- 1 root root 424 Feb 7 12:28 dh.pem
-rw------- 1 root root 5280 Feb 7 12:26 server_clinic_8amd.crt
-rw------- 1 root root 1704 Feb 7 12:27 server_clinic_8amd.key
-rw------- 1 root root 636 Feb 7 13:35 ta.key
cat server_clinic_8amd.conf (on server PC):
Code:
proto udp
port 9000
dev tun
mode server
ca /etc/openvpn/cert/ca.crt
cert /etc/openvpn/cert/server_clinic_8amd.crt
key /etc/openvpn/cert/server_clinic_8amd.key
dh /etc/openvpn/cert/dh.pem
topology subnet
server 192.168.140.0 255.255.255.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-auth /etc/openvpn/cert/ta.key
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
duplicate-cn
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
=================
On SERVER:
Code:
cd /etc/openvpn
touch ipp.txt    # on server in /etc/openvpn
mkdir ccd
nano -w ccd/syscon7
Put this in ccd/syscon7 and save it:
Code:
ifconfig-push 192.168.140.7 255.255.255.0
Code:
cd /etc/init.d/
ln -s openvpn openvpn.server_clinic_8amd
./openvpn.server_clinic_8amd start
==========================
On the client PC (my "syscon7"), logged in as root:
Code:
cd /etc/openvpn
mkdir cert_clinic_8amd
and copy the above "files" to that directory.
Code:
# ll cert_clinic_8amd/
total 20
-rwx------ 1 root root 1749 Feb 7 14:21 ca.crt
-rwx------ 1 root root 5239 Feb 7 14:21 syscon7.crt
-rwx------ 1 root root 1704 Feb 7 14:21 syscon7.key
-rwx------ 1 root root 636 Feb 7 14:21 ta.key
nano -w clinic_8amd.conf
Code:
client
dev tun
proto udp
port 9071
topology subnet
remote <your_remote_PC_IP_address> 9071
resolv-retry infinite
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
remote-cert-tls server
ca "/etc/openvpn/cert_clinic_8amd/ca.crt"
cert "/etc/openvpn/cert_clinic_8amd/syscon7.crt"
key "/etc/openvpn/cert_clinic_8amd/syscon7.key"
tls-auth "/etc/openvpn/cert_clinic_8amd/ta.key"
comp-lzo
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
================
Note: make sure your server's network firewall forwards incoming traffic on port 9071 to port 9000.
Code:
cd /etc/init.d/
ln -s openvpn openvpn.clinic_8amd
./openvpn.clinic_8amd start
You should have a VPN; check it with "ifconfig".
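Two different ccd/<username> forms appear in this thread: adelante's net30-style "ifconfig-push <local> <remote>" pair (which "must be 2 IPs in the same network") and Joseph_sys's "topology subnet" form "ifconfig-push <addr> <mask>". The check below is an added example, not code from the thread or from OpenVPN; it validates a ccd file against the server's "server <net> <mask>" pool, using OpenVPN's documented /30 pair rule for net30 ([1,2] [5,6] [9,10] ...). The ccd contents in the tests are constructed.

```python
from ipaddress import IPv4Address, IPv4Network

def check_ccd_push(ccd_text, server_net, server_mask, topology="net30"):
    """Validate the 'ifconfig-push' line of a client-config-dir file against the
    server's address pool. Returns (ok, reason). topology is 'net30' or 'subnet'."""
    pool = IPv4Network(f"{server_net}/{server_mask}")
    pushes = [ln.split() for ln in ccd_text.splitlines()
              if ln.strip().startswith("ifconfig-push")]
    if len(pushes) != 1 or len(pushes[0]) < 3:
        return False, "expected exactly one 'ifconfig-push <local> <remote-or-mask>' line"
    local = IPv4Address(pushes[0][1])
    if local not in pool:
        return False, f"{local} is outside the server pool {pool}"
    if local == pool.network_address + 1:
        return False, f"{local} is the server's own tun address"
    if topology == "subnet":
        # subnet topology: second argument is the netmask and must match the pool's
        if IPv4Address(pushes[0][2]) != pool.netmask:
            return False, f"netmask {pushes[0][2]} does not match pool mask {pool.netmask}"
        return True, "subnet topology: address and mask are consistent"
    # net30 topology: each client gets a /30; the client end is 1 mod 4 and the
    # server end is the next address, so only [1,2] [5,6] [9,10] ... are valid pairs
    remote = IPv4Address(pushes[0][2])
    if int(local) % 4 != 1 or remote != local + 1:
        return False, f"{local} {remote} is not a valid net30 /30 pair"
    return True, "net30 topology: valid /30 pair"
```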