Openvpn: Difference between revisions

From VoIPmonitor.org
Jump to navigation Jump to search
No edit summary
No edit summary
Line 14: Line 14:
== setting up server==
== setting up server==
=== generating server and client keys ===
=== generating server and client keys ===
'''preparing configs from samples'''
  yum install easy-rsa
  yum install easy-rsa
  mkdir -p /etc/openvpn/easy-rsa/keys
  mkdir -p /etc/openvpn/easy-rsa/keys
Line 19: Line 20:
  cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
  cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn


You can set export KEY_* in this file for not need to enter credentials for each key separately
'''You can set export KEY_* in this file for not need to enter credentials for each key separately'''
  vim /etc/openvpn/easy-rsa/vars
  vim /etc/openvpn/easy-rsa/vars


Sourcing defined values
'''Sourcing defined values'''
  cd /etc/openvpn/easy-rsa/
  cd /etc/openvpn/easy-rsa/
  source ./vars
  source ./vars


generating server ca,keys
'''generating server ca,keys'''
  cd /etc/openvpn/easy-rsa/
  cd /etc/openvpn/easy-rsa/
  ./clean-all
  ./clean-all
Line 35: Line 36:
  cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
  cp dh2048.pem ca.crt server.crt server.key /etc/openvpn


generating client keys
'''generating client keys'''
  cd /etc/openvpn/easy-rsa
  cd /etc/openvpn/easy-rsa
  ./build-key client
  ./build-key client
note:When asked for 'common name' please fill in unique name for client (it will be listed in openvpn.log after login)
note:When asked for 'common name' please fill in unique name for client (it will be listed in openvpn.log after login)
cd keys
mkdir client1
cp ca.crt client.key client.crt client1
== configuring options in /etc/openvpn/server.conf ==
'''You need at least configure following options''':
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
'''optional but usefull options'''
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
client-config-dir ccd
client-to-client
'''example of file ccd/client1'''
iroute 192.168.2.0 255.255.255.0
ifconfig-push 10.8.0.13 10.8.0.14
openvpn by default push all subnets routes defined earlier in server.conf(192.168.2.0/24, 192.168.3.0/24), but with this setting not push routing for 192.168.2.0/24 but all packets with dest address from this segment are forwarded here from VPN server)
== configuring client.conf ==


== enabling service ==
== enabling service ==

Revision as of 13:42, 27 August 2015

Centos 7

Install ovpn

a)From epel repository for enterprise linux 7

we need to add epel repository if it was not done before [how to use yum]

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -i epel-release-latest-7.noarch.rpm
yum install openvpn

b)Using package for enterprise linux 7 from fedoraproject.org

wget https://dl.fedoraproject.org/pub/epel/7/x86_64/o/openvpn-2.3.8-1.el7.x86_64.rpm
rpm -i openvpn-2.3.8-1.el7.x86_64.rpm

setting up server

generating server and client keys

preparing configs from samples

yum install easy-rsa
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

You can set export KEY_* in this file for not need to enter credentials for each key separately

vim /etc/openvpn/easy-rsa/vars

Sourcing defined values

cd /etc/openvpn/easy-rsa/
source ./vars

generating server ca,keys

cd /etc/openvpn/easy-rsa/
./clean-all
./build-ca
./build-key-server server
./build-dh
cd keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn

generating client keys

cd /etc/openvpn/easy-rsa
./build-key client

note:When asked for 'common name' please fill in unique name for client (it will be listed in openvpn.log after login)

cd keys
mkdir client1
cp ca.crt client.key client.crt client1

configuring options in /etc/openvpn/server.conf

You need at least configure following options:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4

optional but usefull options

push "route 192.168.2.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
client-config-dir ccd
client-to-client

example of file ccd/client1

iroute 192.168.2.0 255.255.255.0
ifconfig-push 10.8.0.13 10.8.0.14

openvpn by default push all subnets routes defined earlier in server.conf(192.168.2.0/24, 192.168.3.0/24), but with this setting not push routing for 192.168.2.0/24 but all packets with dest address from this segment are forwarded here from VPN server)

configuring client.conf

enabling service

ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service
sytemctl start openvpn@server
sytemctl status openvpn@server
sytemctl stop openvpn@server


debian