Openvpn on Debian: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 32: | Line 32: | ||
verb 3 | verb 3 | ||
explicit-exit-notify 1 | explicit-exit-notify 1 | ||
</pre> | |||
copy easyrsa to location. | |||
Then | |||
cd easy-rsa | |||
source ./vars | |||
./clean-all | |||
./build-ca | |||
cd keys/ | |||
./build-key-server server | |||
./build-dh | |||
openvpn --genkey --secret keys/ta.key | |||
cd .. | |||
tar cvfz easy-rsa.backup.tgz easy-rsa | |||
chmod 600 easy-rsa.backup.tgz | |||
./build-key client1 | |||
./build-key client2 | |||
./build-key client3 | |||
add below to rc.local | |||
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE | |||
if you want to add a passphrase to a key, do below: | |||
ssh-keygen -p -f client1.key | |||
< | client example: | ||
client | |||
port 1194 | |||
proto udp | |||
tls-client | |||
cipher AES-256-CBC | |||
auth SHA256 | |||
compress lz4-v2 | |||
remote-cert-tls server | |||
auth-nocache | |||
dev tun0 | |||
remote <hostname of relevant server> 1194 | |||
resolv-retry infinite | |||
nobind | |||
persist-key | |||
persist-tun | |||
block-outside-dns | |||
# This uses the full filepaths to your certificates and keys | |||
ca ca.crt | |||
cert client1.crt | |||
key client1.key | |||
tls-auth ta.key 1 | |||
Latest revision as of 20:24, 20 March 2018
server example with routing:
port 1194 proto udp dev tun ca server/ca.crt cert server/server.crt key server/server.key # This file should be kept secret dh server/dh2048.pem server 10.8.0.0 255.255.255.0 push "route 192.168.0.0 255.255.255.0" push "route 192.168.1.0 255.255.255.0" push "route 192.168.2.0 255.255.255.0" push "route 192.168.3.0 255.255.255.0" push "route 192.168.4.0 255.255.255.0" push "route 192.168.5.0 255.255.255.0" push "dhcp-option DNS 8.8.8.8" ifconfig-pool-persist ipp.txt keepalive 10 120 tls-auth server/ta.key 0 # This file is secret key-direction 0 cipher AES-256-CBC auth SHA256 compress lz4-v2 push "compress lz4-v2" max-clients 100 user nobody group nogroup persist-key persist-tun status openvpn-status.log verb 3 explicit-exit-notify 1
copy easyrsa to location. Then
cd easy-rsa source ./vars ./clean-all ./build-ca cd keys/ ./build-key-server server ./build-dh openvpn --genkey --secret keys/ta.key cd .. tar cvfz easy-rsa.backup.tgz easy-rsa chmod 600 easy-rsa.backup.tgz ./build-key client1 ./build-key client2 ./build-key client3
add below to rc.local
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
if you want to add a passphrase to a key, do below:
ssh-keygen -p -f client1.key
client example:
client port 1194 proto udp tls-client cipher AES-256-CBC auth SHA256 compress lz4-v2 remote-cert-tls server auth-nocache dev tun0 remote <hostname of relevant server> 1194 resolv-retry infinite nobind persist-key persist-tun block-outside-dns # This uses the full filepaths to your certificates and keys ca ca.crt cert client1.crt key client1.key tls-auth ta.key 1