Openvpn on Debian: Difference between revisions
Jump to navigation
Jump to search
(Created page with "server example with routing: <pre>port 1194 proto udp dev tun ca server/ca.crt cert server/server.crt key server/server.key # This file should be kept secret dh server/dh20...") |
No edit summary |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 4: | Line 4: | ||
proto udp | proto udp | ||
dev tun | dev tun | ||
ca server/ca.crt | ca server/ca.crt | ||
cert server/server.crt | cert server/server.crt | ||
key server/server.key # This file should be kept secret | key server/server.key # This file should be kept secret | ||
dh server/dh2048.pem | dh server/dh2048.pem | ||
server 10.8.0.0 255.255.255.0 | server 10.8.0.0 255.255.255.0 | ||
push "route 192.168.0.0 255.255.255.0" | push "route 192.168.0.0 255.255.255.0" | ||
push "route 192.168.1.0 255.255.255.0" | push "route 192.168.1.0 255.255.255.0" | ||
| Line 21: | Line 15: | ||
push "route 192.168.4.0 255.255.255.0" | push "route 192.168.4.0 255.255.255.0" | ||
push "route 192.168.5.0 255.255.255.0" | push "route 192.168.5.0 255.255.255.0" | ||
push "dhcp-option DNS 8.8.8.8" | |||
push "dhcp-option DNS | |||
ifconfig-pool-persist ipp.txt | ifconfig-pool-persist ipp.txt | ||
keepalive 10 120 | keepalive 10 120 | ||
tls-auth server/ta.key 0 # This file is secret | tls-auth server/ta.key 0 # This file is secret | ||
key-direction 0 | key-direction 0 | ||
cipher AES-256-CBC | cipher AES-256-CBC | ||
auth SHA256 | auth SHA256 | ||
compress lz4-v2 | compress lz4-v2 | ||
push "compress lz4-v2" | push "compress lz4-v2" | ||
max-clients 100 | max-clients 100 | ||
user nobody | user nobody | ||
group nogroup | group nogroup | ||
persist-key | persist-key | ||
persist-tun | persist-tun | ||
status openvpn-status.log | |||
verb 3 | |||
explicit-exit-notify 1 | |||
</pre> | |||
copy easyrsa to location. | |||
Then | |||
cd easy-rsa | |||
source ./vars | |||
./clean-all | |||
./build-ca | |||
cd keys/ | |||
./build-key-server server | |||
./build-dh | |||
openvpn --genkey --secret keys/ta.key | |||
cd .. | |||
tar cvfz easy-rsa.backup.tgz easy-rsa | |||
chmod 600 easy-rsa.backup.tgz | |||
./build-key client1 | |||
./build-key client2 | |||
./build-key client3 | |||
add below to rc.local | |||
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE | |||
if you want to add a passphrase to a key, do below: | |||
ssh-keygen -p -f client1.key | |||
client example: | |||
< | client | ||
port 1194 | |||
proto udp | |||
tls-client | |||
cipher AES-256-CBC | |||
auth SHA256 | |||
compress lz4-v2 | |||
remote-cert-tls server | |||
auth-nocache | |||
dev tun0 | |||
remote <hostname of relevant server> 1194 | |||
resolv-retry infinite | |||
nobind | |||
persist-key | |||
persist-tun | |||
block-outside-dns | |||
# This uses the full filepaths to your certificates and keys | |||
ca ca.crt | |||
cert client1.crt | |||
key client1.key | |||
tls-auth ta.key 1 | |||
Latest revision as of 20:24, 20 March 2018
server example with routing:
port 1194 proto udp dev tun ca server/ca.crt cert server/server.crt key server/server.key # This file should be kept secret dh server/dh2048.pem server 10.8.0.0 255.255.255.0 push "route 192.168.0.0 255.255.255.0" push "route 192.168.1.0 255.255.255.0" push "route 192.168.2.0 255.255.255.0" push "route 192.168.3.0 255.255.255.0" push "route 192.168.4.0 255.255.255.0" push "route 192.168.5.0 255.255.255.0" push "dhcp-option DNS 8.8.8.8" ifconfig-pool-persist ipp.txt keepalive 10 120 tls-auth server/ta.key 0 # This file is secret key-direction 0 cipher AES-256-CBC auth SHA256 compress lz4-v2 push "compress lz4-v2" max-clients 100 user nobody group nogroup persist-key persist-tun status openvpn-status.log verb 3 explicit-exit-notify 1
copy easyrsa to location. Then
cd easy-rsa source ./vars ./clean-all ./build-ca cd keys/ ./build-key-server server ./build-dh openvpn --genkey --secret keys/ta.key cd .. tar cvfz easy-rsa.backup.tgz easy-rsa chmod 600 easy-rsa.backup.tgz ./build-key client1 ./build-key client2 ./build-key client3
add below to rc.local
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
if you want to add a passphrase to a key, do below:
ssh-keygen -p -f client1.key
client example:
client port 1194 proto udp tls-client cipher AES-256-CBC auth SHA256 compress lz4-v2 remote-cert-tls server auth-nocache dev tun0 remote <hostname of relevant server> 1194 resolv-retry infinite nobind persist-key persist-tun block-outside-dns # This uses the full filepaths to your certificates and keys ca ca.crt cert client1.crt key client1.key tls-auth ta.key 1