Difference between revisions of "Openvpn on Debian"
(Created page with "server example with routing: <pre>port 1194 proto udp dev tun ca server/ca.crt cert server/server.crt key server/server.key # This file should be kept secret dh server/dh20...") |
(2 intermediate revisions by the same user not shown) | |||
Line 4: | Line 4: | ||
proto udp | proto udp | ||
dev tun | dev tun | ||
− | |||
ca server/ca.crt | ca server/ca.crt | ||
cert server/server.crt | cert server/server.crt | ||
key server/server.key # This file should be kept secret | key server/server.key # This file should be kept secret | ||
dh server/dh2048.pem | dh server/dh2048.pem | ||
− | |||
− | |||
server 10.8.0.0 255.255.255.0 | server 10.8.0.0 255.255.255.0 | ||
− | |||
− | |||
− | |||
push "route 192.168.0.0 255.255.255.0" | push "route 192.168.0.0 255.255.255.0" | ||
push "route 192.168.1.0 255.255.255.0" | push "route 192.168.1.0 255.255.255.0" | ||
Line 21: | Line 15: | ||
push "route 192.168.4.0 255.255.255.0" | push "route 192.168.4.0 255.255.255.0" | ||
push "route 192.168.5.0 255.255.255.0" | push "route 192.168.5.0 255.255.255.0" | ||
− | + | push "dhcp-option DNS 8.8.8.8" | |
− | push "dhcp-option DNS | + | |
− | + | ||
ifconfig-pool-persist ipp.txt | ifconfig-pool-persist ipp.txt | ||
− | |||
keepalive 10 120 | keepalive 10 120 | ||
− | |||
tls-auth server/ta.key 0 # This file is secret | tls-auth server/ta.key 0 # This file is secret | ||
key-direction 0 | key-direction 0 | ||
− | |||
cipher AES-256-CBC | cipher AES-256-CBC | ||
auth SHA256 | auth SHA256 | ||
− | |||
compress lz4-v2 | compress lz4-v2 | ||
push "compress lz4-v2" | push "compress lz4-v2" | ||
− | |||
max-clients 100 | max-clients 100 | ||
− | |||
user nobody | user nobody | ||
group nogroup | group nogroup | ||
− | |||
persist-key | persist-key | ||
persist-tun | persist-tun | ||
− | |||
status openvpn-status.log | status openvpn-status.log | ||
− | |||
verb 3 | verb 3 | ||
− | |||
explicit-exit-notify 1 | explicit-exit-notify 1 | ||
+ | </pre> | ||
− | + | copy easyrsa to location. | |
+ | Then | ||
+ | cd easy-rsa | ||
+ | source ./vars | ||
+ | ./clean-all | ||
+ | ./build-ca | ||
+ | cd keys/ | ||
+ | ./build-key-server server | ||
+ | ./build-dh | ||
+ | openvpn --genkey --secret keys/ta.key | ||
+ | cd .. | ||
+ | tar cvfz easy-rsa.backup.tgz easy-rsa | ||
+ | chmod 600 easy-rsa.backup.tgz | ||
+ | ./build-key client1 | ||
+ | ./build-key client2 | ||
+ | ./build-key client3 | ||
+ | |||
+ | add below to rc.local | ||
+ | iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE | ||
+ | |||
+ | if you want to add a passphrase to a key, do below: | ||
+ | ssh-keygen -p -f client1.key | ||
+ | |||
+ | client example: | ||
+ | |||
+ | client | ||
+ | port 1194 | ||
+ | proto udp | ||
+ | tls-client | ||
+ | cipher AES-256-CBC | ||
+ | auth SHA256 | ||
+ | compress lz4-v2 | ||
+ | remote-cert-tls server | ||
+ | auth-nocache | ||
+ | dev tun0 | ||
+ | remote <hostname of relevant server> 1194 | ||
+ | resolv-retry infinite | ||
+ | nobind | ||
+ | persist-key | ||
+ | persist-tun | ||
+ | block-outside-dns | ||
+ | # This uses the full filepaths to your certificates and keys | ||
+ | ca ca.crt | ||
+ | cert client1.crt | ||
+ | key client1.key | ||
+ | tls-auth ta.key 1 |
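Review bot: The key-generation sequence at lines 57–70 cannot run as written: after `cd keys/`, the steps `./build-key-server server` and `./build-dh` (and, after `cd ..`, `./build-key client1` …) are invoked from directories that do not contain the easy-rsa 2 build scripts this page otherwise runs from `easy-rsa/` (`source ./vars`, `./build-ca`), and `openvpn --genkey --secret keys/ta.key` would then land in `keys/keys/`. Drop the `cd keys/` line, run every `./build-*` step from `easy-rsa/`, and `cd easy-rsa` again before the `./build-key client1` lines that follow the backup. `ssh-keygen -p -f client1.key` is also the wrong tool for an OpenSSL-format key: OpenSSH 7.8 and later rewrite the file in OpenSSH's own private-key format, which OpenVPN cannot load, so use `openssl rsa -aes256 -in client1.key -out client1.key` (or easy-rsa's `./build-key-pass client1`) instead. Finally, the MASQUERADE rule for rc.local does nothing until IPv4 forwarding is enabled (`sysctl -w net.ipv4.ip_forward=1`, persisted in sysctl.conf), which the page never mentions.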
Latest revision as of 20:24, 20 March 2018
Server example, routed (tun) mode with split tunnelling: clients are pushed routes to the 192.168.0–5.0/24 networks only, everything else stays on their local connection:
# OpenVPN server: routed ("tun") mode, UDP/1194. Clients get an address from
# 10.8.0.0/24 and only the pushed 192.168.x.0/24 routes go through the tunnel.
port 1194
proto udp
dev tun

# Server identity and CA, produced with easy-rsa. Relative paths resolve from
# the directory OpenVPN is started in (or the --cd option).
ca server/ca.crt
cert server/server.crt
key server/server.key # This file should be kept secret
dh server/dh2048.pem

# VPN subnet handed out to clients.
server 10.8.0.0 255.255.255.0

# Routes pushed to clients (split tunnel: only these networks use the VPN).
# The server host itself must forward and NAT/route this traffic.
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
# NOTE(review): this points client DNS at a public resolver. If the 192.168.x
# networks have internal names, push the internal resolver instead, and be
# aware that all client DNS queries then go to Google.
push "dhcp-option DNS 8.8.8.8"

# Remember client -> address assignments across restarts.
ifconfig-pool-persist ipp.txt
# Ping every 10 s; consider the peer gone after 120 s without a reply.
keepalive 10 120

# HMAC "firewall" on the control channel: packets without a valid signature
# are dropped before the TLS handshake, which blunts DoS and scanning.
# Direction 0 on the server, 1 on clients; key-direction 0 repeats the
# direction already given on the tls-auth line.
tls-auth server/ta.key 0 # This file is secret
key-direction 0

# Data-channel cipher and HMAC. With 2.4+ peers cipher negotiation may pick an
# AES-GCM cipher instead; this line then mainly matters for older clients.
cipher AES-256-CBC
auth SHA256

# NOTE(review): compression on a VPN lets an attacker who can inject chosen
# plaintext into the tunnel recover secrets (VORACLE-class attacks), and
# upstream recommends leaving it off. Kept because clients configured with
# "compress lz4-v2" must match; remove it on both sides together.
compress lz4-v2
push "compress lz4-v2"

max-clients 100

# Drop root privileges after startup; persist-key/persist-tun let the process
# survive SIGUSR1 restarts once it can no longer reopen keys or the tun device.
user nobody
group nogroup
persist-key
persist-tun

# Connected-client list, rewritten periodically.
status openvpn-status.log
verb 3

# UDP only: tell clients on restart/shutdown so they reconnect immediately.
explicit-exit-notify 1
Copy the easy-rsa directory to the location where the PKI will live (it will contain the CA private key, so keep it out of any world-readable path), then run the following from the directory that contains it:
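#!/usr/bin/env bash
# Build the OpenVPN PKI with easy-rsa 2.x: CA, server certificate, DH
# parameters, the tls-auth HMAC key, and one certificate per client.
# Run from the directory that contains the copied easy-rsa/ tree.
#
# WARNING: ./clean-all deletes the existing keys/ directory. Never run this
# against a CA that is already in use.
#
# -u is deliberately omitted: ./vars is a third-party file that may reference
# variables it does not set itself.
set -eo pipefail

# Everything created below (private keys, the backup archive) is secret; a
# restrictive umask makes it private from creation rather than after the fact.
umask 077

cd easy-rsa

# easy-rsa 2 reads KEY_DIR, KEY_SIZE and the certificate subject defaults from
# ./vars; review that file before running this.
# shellcheck disable=SC1091
source ./vars
./clean-all
./build-ca

# The build-* scripts live here in easy-rsa/ and write into $KEY_DIR (keys/)
# themselves -- do not cd into keys/ first, the scripts are not there.
./build-key-server server
./build-dh
# Shared static key for tls-auth; distributed to the server and every client.
openvpn --genkey --secret keys/ta.key

# Back up the CA before issuing client certs. The archive contains the CA
# private key, so it is as sensitive as the CA itself (hence umask 077 and
# chmod 600; keep it off the VPN host if you can).
cd ..
tar cvfz easy-rsa.backup.tgz easy-rsa
chmod 600 easy-rsa.backup.tgz

# One certificate/key pair per client device; outputs keys/<name>.crt and
# keys/<name>.key. Use ./build-key-pass instead to passphrase-protect the key
# at issue time.
cd easy-rsa
for client in client1 client2 client3; do
  ./build-key "$client"
done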
Add the following to /etc/rc.local so it runs at boot. It only has an effect once IPv4 forwarding is enabled on the host (net.ipv4.ip_forward=1):
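# Snippet for /etc/rc.local: let VPN clients reach the networks behind the
# server by NATing their traffic out of the LAN-facing interface.

vpn_net=10.8.0.0/24   # must match the "server" line in the OpenVPN config
wan_if=eth0           # interface the pushed 192.168.x.0/24 routes leave on

# Without forwarding the kernel drops packets arriving from tun0 before the
# NAT rule is ever consulted. Persist this in /etc/sysctl.conf (or
# /etc/sysctl.d/) as well so it survives without rc.local.
sysctl -w net.ipv4.ip_forward=1

# Insert the MASQUERADE rule only if it is not already present, so running
# this by hand does not pile up duplicate rules. (-C exits non-zero and
# prints an error when the rule is absent; that output is intentionally hidden.)
if ! iptables -t nat -C POSTROUTING -s "$vpn_net" -o "$wan_if" -j MASQUERADE 2>/dev/null; then
  iptables -t nat -I POSTROUTING -s "$vpn_net" -o "$wan_if" -j MASQUERADE
fi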
To protect a client's private key with a passphrase (so the key file alone is not enough to connect), run:
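# Encrypt an existing client private key with a passphrase (prompted twice).
#
# Do not use ssh-keygen -p for this: OpenSSH 7.8 and later rewrite the key in
# OpenSSH's own private-key format, which OpenVPN/OpenSSL cannot load. openssl
# keeps it an encrypted PEM RSA key, so the client's "key client1.key" line
# still works. openssl loads the key before opening the output, so writing
# back to the same path is fine; use a temporary file if you prefer.
# (easy-rsa can also issue a protected key directly: ./build-key-pass client1)
key=client1.key
openssl rsa -aes256 -in "$key" -out "$key"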
Client example (cipher, auth, compress and tls-auth settings must match the server above):
# OpenVPN client profile for the server above.
client
port 1194
proto udp
tls-client

# Must match the server's cipher / auth / compress settings.
cipher AES-256-CBC
auth SHA256
compress lz4-v2

# Require the server's certificate to be marked as a server certificate, so a
# stolen *client* certificate cannot be used to impersonate the server.
remote-cert-tls server
# Do not keep username/password in memory (only relevant with auth-user-pass).
auth-nocache

dev tun0
remote <hostname of relevant server> 1194
# Keep retrying name resolution (e.g. when the network is not up yet).
resolv-retry infinite
# Do not bind a fixed local port.
nobind
persist-key
persist-tun

# Windows-only: blocks DNS queries outside the tunnel while connected.
# NOTE(review): some non-Windows releases reject it as an unknown option;
# use "setenv opt block-outside-dns" if one profile must work everywhere.
block-outside-dns

# Paths to the client's CA, certificate, private key and tls-auth key.
# Relative paths resolve from the directory OpenVPN runs in, so prefer
# absolute paths. Direction 1 for tls-auth on the client side.
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1