Openvpn on Debian: Difference between revisions

From lippmann wiki
Jump to navigation Jump to search
No edit summary
No edit summary
 
Line 56: Line 56:
if you want to add a passphrase to a key, do below:
if you want to add a passphrase to a key, do below:
  ssh-keygen -p -f client1.key
  ssh-keygen -p -f client1.key
client example:
client
port 1194
proto udp
tls-client
cipher AES-256-CBC
auth SHA256
compress lz4-v2
remote-cert-tls server
auth-nocache
dev tun0
remote <hostname of relevant server> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
block-outside-dns
# This uses the full filepaths to your certificates and keys
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1

Latest revision as of 20:24, 20 March 2018

server example with routing:

port 1194
proto udp
dev tun
ca server/ca.crt
cert server/server.crt
key server/server.key  # This file should be kept secret
dh server/dh2048.pem
server 10.8.0.0  255.255.255.0
push "route 192.168.0.0  255.255.255.0"
push "route 192.168.1.0  255.255.255.0"
push "route 192.168.2.0  255.255.255.0"
push "route 192.168.3.0  255.255.255.0"
push "route 192.168.4.0  255.255.255.0"
push "route 192.168.5.0  255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth server/ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256
compress lz4-v2
push "compress lz4-v2"
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

copy easyrsa to location. Then

cd easy-rsa
source ./vars
./clean-all
./build-ca
cd keys/
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key
cd ..
tar cvfz easy-rsa.backup.tgz easy-rsa
chmod 600 easy-rsa.backup.tgz
./build-key client1
./build-key client2
./build-key client3

add below to rc.local

iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

if you want to add a passphrase to a key, do below:

ssh-keygen -p -f client1.key

client example:

client
port 1194
proto udp
tls-client
cipher AES-256-CBC
auth SHA256
compress lz4-v2
remote-cert-tls server
auth-nocache
dev tun0
remote <hostname of relevant server> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
block-outside-dns
# This uses the full filepaths to your certificates and keys
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1