Difference between revisions of "Openvpn on Debian"

(Created page with "server example with routing: <pre>port 1194 proto udp dev tun ca server/ca.crt cert server/server.crt key server/server.key # This file should be kept secret dh server/dh20...")
 
 
(2 intermediate revisions by the same user not shown)
Line 4: Line 4:
 
proto udp
 
proto udp
 
dev tun
 
dev tun
 
 
ca server/ca.crt
 
ca server/ca.crt
 
cert server/server.crt
 
cert server/server.crt
 
key server/server.key  # This file should be kept secret
 
key server/server.key  # This file should be kept secret
 
dh server/dh2048.pem
 
dh server/dh2048.pem
 
 
 
server 10.8.0.0  255.255.255.0
 
server 10.8.0.0  255.255.255.0
 
#push "redirect-gateway def1 bypass-dhcp"
 
 
 
push "route 192.168.0.0  255.255.255.0"
 
push "route 192.168.0.0  255.255.255.0"
 
push "route 192.168.1.0  255.255.255.0"
 
push "route 192.168.1.0  255.255.255.0"
Line 21: Line 15:
 
push "route 192.168.4.0  255.255.255.0"
 
push "route 192.168.4.0  255.255.255.0"
 
push "route 192.168.5.0  255.255.255.0"
 
push "route 192.168.5.0  255.255.255.0"
 
+
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 192.168.2.254"
+
 
+
 
ifconfig-pool-persist ipp.txt
 
ifconfig-pool-persist ipp.txt
 
 
keepalive 10 120
 
keepalive 10 120
 
 
tls-auth server/ta.key 0 # This file is secret
 
tls-auth server/ta.key 0 # This file is secret
 
key-direction 0
 
key-direction 0
 
 
cipher AES-256-CBC
 
cipher AES-256-CBC
 
auth SHA256
 
auth SHA256
 
 
compress lz4-v2
 
compress lz4-v2
 
push "compress lz4-v2"
 
push "compress lz4-v2"
 
 
max-clients 100
 
max-clients 100
 
 
user nobody
 
user nobody
 
group nogroup
 
group nogroup
 
 
persist-key
 
persist-key
 
persist-tun
 
persist-tun
 
 
status openvpn-status.log
 
status openvpn-status.log
 
 
verb 3
 
verb 3
 
 
explicit-exit-notify 1
 
explicit-exit-notify 1
 +
</pre>
  
</pre>
+
copy easyrsa to location.
 +
Then
 +
cd easy-rsa
 +
source ./vars
 +
./clean-all
 +
./build-ca
 +
cd keys/
 +
./build-key-server server
 +
./build-dh
 +
openvpn --genkey --secret keys/ta.key
 +
cd ..
 +
tar cvfz easy-rsa.backup.tgz easy-rsa
 +
chmod 600 easy-rsa.backup.tgz
 +
./build-key client1
 +
./build-key client2
 +
./build-key client3
 +
 
 +
add below to rc.local
 +
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
 +
 
 +
if you want to add a passphrase to a key, do below:
 +
ssh-keygen -p -f client1.key
 +
 
 +
client example:
 +
 
 +
client
 +
port 1194
 +
proto udp
 +
tls-client
 +
cipher AES-256-CBC
 +
auth SHA256
 +
compress lz4-v2
 +
remote-cert-tls server
 +
auth-nocache
 +
dev tun0
 +
remote <hostname of relevant server> 1194
 +
resolv-retry infinite
 +
nobind
 +
persist-key
 +
persist-tun
 +
block-outside-dns
 +
# This uses the full filepaths to your certificates and keys
 +
ca ca.crt
 +
cert client1.crt
 +
key client1.key
 +
tls-auth ta.key 1
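Review bot: The `cd keys/` step in the added easy-rsa sequence looks wrong: `./build-key-server server` and `./build-dh` are scripts in the easy-rsa directory, not in its `keys/` output directory, and after the later `cd ..` the `./build-key client1` lines would run from the parent of easy-rsa; dropping `cd keys/` and adding `cd easy-rsa` after the `chmod 600 easy-rsa.backup.tgz` line keeps every command in the directory it expects (verify against the easy-rsa version in use). `ssh-keygen -p -f client1.key` is the wrong tool for an OpenVPN key, since newer OpenSSH releases are likely to rewrite the file in their own private-key format that OpenVPN cannot load; `openssl rsa -aes256 -in client1.key -out client1.key` (or building the key with easy-rsa's `build-key-pass`) does the same job in a format OpenVPN reads. The `iptables ... MASQUERADE` rule only takes effect with IP forwarding enabled, which the page never mentions, so `sysctl -w net.ipv4.ip_forward=1` (persisted in `/etc/sysctl.conf`) belongs next to it. The backup archive holds the CA private key and is written with the default umask before the `chmod 600`, so creating it under `umask 077` avoids the briefly world-readable file.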

Latest revision as of 20:24, 20 March 2018

server example with routing:

# OpenVPN server in routed (tun) mode: clients get an address in 10.8.0.0/24
# and routes to the LAN subnets pushed below.
port 1194
proto udp
dev tun
# PKI material produced by the easy-rsa steps further down; paths are relative
# to the directory OpenVPN is started from (or --cd)
ca server/ca.crt
cert server/server.crt
key server/server.key  # This file should be kept secret
dh server/dh2048.pem
# VPN subnet handed out to clients; the server itself takes the first address
server 10.8.0.0  255.255.255.0
# LAN subnets reached through the tunnel; the server host must forward and NAT
# them (see the iptables rule below). No redirect-gateway is pushed, so only
# traffic for these subnets goes through the VPN.
push "route 192.168.0.0  255.255.255.0"
push "route 192.168.1.0  255.255.255.0"
push "route 192.168.2.0  255.255.255.0"
push "route 192.168.3.0  255.255.255.0"
push "route 192.168.4.0  255.255.255.0"
push "route 192.168.5.0  255.255.255.0"
# DNS server pushed to clients (Google public DNS)
push "dhcp-option DNS 8.8.8.8"
# Remember client -> address assignments across restarts
ifconfig-pool-persist ipp.txt
# Ping the peer every 10 s; treat it as gone after 120 s without a reply
keepalive 10 120
# Static HMAC key on the TLS control channel (direction 0 here, 1 on clients):
# packets without a valid HMAC are dropped before the TLS handshake starts
tls-auth server/ta.key 0 # This file is secret
key-direction 0
# Data-channel cipher and HMAC; the client config must use the same values
cipher AES-256-CBC
auth SHA256
# Compression of tunnel traffic: compressing secret and attacker-influenced data
# together can leak the secret (compression side channel); consider dropping
# both compress lines here and on the clients
compress lz4-v2
push "compress lz4-v2"
max-clients 100
# Drop root after startup; persist-key/persist-tun let the daemon restart
# (e.g. on keepalive timeout) without re-reading keys or re-opening the
# tun device, which it could no longer do as nobody
user nobody
group nogroup
persist-key
persist-tun
# Current client list, rewritten periodically
status openvpn-status.log
verb 3
# UDP only: tell clients when the server exits so they reconnect promptly
explicit-exit-notify 1

Copy the easy-rsa directory to the desired location, then run:

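# Build the PKI with easy-rsa 2.x: CA, server cert/key, DH parameters,
# tls-auth key and client certs. Run in one shell session: "source ./vars"
# sets the key directory and certificate defaults the other scripts read.
cd easy-rsa
source ./vars
# Wipes the key directory - only for a fresh CA
./clean-all
./build-ca
# These are scripts in the easy-rsa directory itself (not in keys/), so stay here
./build-key-server server
./build-dh
# Static HMAC key referenced as "tls-auth server/ta.key 0" on the server and
# "tls-auth ta.key 1" on clients
openvpn --genkey --secret keys/ta.key
# Back up the whole directory: it holds the CA private key, so create the
# archive under a restrictive umask rather than chmod'ing it afterwards
# (no window in which the file is world-readable)
cd ..
( umask 077 && tar cvfz easy-rsa.backup.tgz easy-rsa )
# Back into easy-rsa: build-key is a script here, not in the parent directory
cd easy-rsa
./build-key client1
./build-key client2
./build-key client3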

Add the following to rc.local:

iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

To add a passphrase to a key, run:

ssh-keygen -p -f client1.key

client example:

# OpenVPN client for the server above; cipher, auth and compress must match
# the server config exactly
client
port 1194
proto udp
tls-client
cipher AES-256-CBC
auth SHA256
compress lz4-v2
# Require the server certificate to carry the server extended key usage
# (set by easy-rsa build-key-server), so a leaked client cert cannot be
# used to impersonate the server
remote-cert-tls server
# Do not keep any passphrase/password in memory after it has been used
auth-nocache
dev tun0
remote <hostname of relevant server> 1194
# Keep retrying name resolution of the remote (e.g. across link changes)
resolv-retry infinite
# Do not bind a fixed local port
nobind
persist-key
persist-tun
# Windows-only: blocks DNS queries that bypass the tunnel; other platforms
# ignore it (confirm for the OpenVPN version in use)
block-outside-dns
# This uses the full filepaths to your certificates and keys
# (relative paths resolve against the directory OpenVPN is started from, or --cd)
ca ca.crt
cert client1.crt
key client1.key
# Static HMAC key shared with the server; direction 1 pairs with the server's 0
tls-auth ta.key 1