Openvpn: Difference between revisions
Revision as of 13:42, 27 August 2015

CentOS 7

Install OpenVPN

a) From the EPEL repository for Enterprise Linux 7

Add the EPEL repository first if that has not been done before [how to use yum]:

    wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    rpm -i epel-release-latest-7.noarch.rpm
    yum install openvpn

b) Using the package for Enterprise Linux 7 from fedoraproject.org

    wget https://dl.fedoraproject.org/pub/epel/7/x86_64/o/openvpn-2.3.8-1.el7.x86_64.rpm
    rpm -i openvpn-2.3.8-1.el7.x86_64.rpm
setting up server

generating server and client keys

preparing configs from samples

    yum install easy-rsa
    mkdir -p /etc/openvpn/easy-rsa/keys
    cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa
    cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

You can set the export KEY_* values in this file so that you do not need to enter the same details for each key separately:

    vim /etc/openvpn/easy-rsa/vars

Sourcing the defined values:

    cd /etc/openvpn/easy-rsa/
    source ./vars

generating the server CA and keys

    cd /etc/openvpn/easy-rsa/
    ./clean-all
    ./build-ca
    ./build-key-server server
    ./build-dh
    cd keys
    cp dh2048.pem ca.crt server.crt server.key /etc/openvpn

generating client keys

    cd /etc/openvpn/easy-rsa
    ./build-key client

note: when asked for 'common name', fill in a unique name for the client (it will be listed in openvpn.log after login)

    cd keys
    mkdir client1
    cp ca.crt client.key client.crt client1
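Before copying the generated files into /etc/openvpn it is worth checking that the private key is not world-readable, that server.crt really belongs to server.key, that it is signed by the ca.crt the clients will trust, and that no two client certificates share a common name (the server identifies and logs clients by it, as the note above says). The script below is an added example, not part of the wiki page or of easy-rsa; it assumes openssl is installed and uses the easy-rsa 2.0 file names from the steps above (ca.crt, server.crt, server.key, client.crt). The directory path is an argument, not a fixed location.

```shell
#!/bin/sh
# Added example (not from the wiki page or easy-rsa): sanity-check the
# files produced by ./build-ca, ./build-key-server and ./build-key.

# check_key_perms FILE
# A private key must not be readable by group or others.
# Returns 0 for mode 600 or 400, 1 otherwise (or when the file is missing).
check_key_perms() {
    key="$1"
    [ -f "$key" ] || { echo "missing: $key"; return 1; }
    # GNU stat uses -c '%a'; BSD/macOS stat uses -f '%Lp'
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$key has mode $mode, expected 600"; return 1 ;;
    esac
}

# cert_matches_key CERT KEY
# The SubjectPublicKeyInfo inside the certificate must equal the public
# half of the private key; otherwise OpenVPN refuses to start.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# cert_signed_by_ca CA CERT
# Verifies the chain CERT -> CA, i.e. the CA that clients get in ca.crt
# is the one that actually issued the server certificate.
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn CERT
# Prints the Common Name; handles both "CN=x" and "CN = x" subject styles.
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# unique_cns KEYSDIR
# Every certificate in the directory needs a distinct CN. Prints the
# duplicated names and returns 1 if any CN is used more than once.
unique_cns() {
    dups=$(for f in "$1"/*.crt; do cert_cn "$f"; done | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate CN: $dups"; return 1; }
}

# Usage: sh check-pki.sh /etc/openvpn/easy-rsa/keys
if [ $# -eq 1 ]; then
    d="$1"
    check_key_perms "$d/server.key" && echo "server.key permissions ok"
    cert_matches_key "$d/server.crt" "$d/server.key" && echo "server cert/key match"
    cert_signed_by_ca "$d/ca.crt" "$d/server.crt" && echo "server.crt signed by ca.crt"
    unique_cns "$d" && echo "certificate CNs are unique"
fi
```

Run it against the keys directory before the cp into /etc/openvpn; a non-zero exit from any check means the file set should not be deployed as it is.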
configuring options in /etc/openvpn/server.conf

You need to configure at least the following options:

    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key  # This file should be kept secret
    dh dh2048.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    comp-lzo
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    verb 4

optional but useful options

    push "route 192.168.2.0 255.255.255.0"
    push "route 192.168.3.0 255.255.255.0"
    client-config-dir ccd
    client-to-client

example of file ccd/client1

    iroute 192.168.2.0 255.255.255.0
    ifconfig-push 10.8.0.13 10.8.0.14

By default openvpn pushes all the subnet routes defined earlier in server.conf (192.168.2.0/24, 192.168.3.0/24) to every client. With this ccd setting the route for 192.168.2.0/24 is not pushed to client1; instead, all packets with a destination address in that segment are forwarded from the VPN server to client1.
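With several pushed routes and several ccd files it quickly becomes hard to see what a given client actually receives. The script below is an added example, not code from the wiki page or from OpenVPN; it reads server.conf and a ccd directory (both given as arguments) and prints, for one client, the address assigned by ifconfig-push, which pushed routes it gets and which one it owns via iroute (and therefore, as described above, is not pushed back to it), and the subnets routed to it. It also warns when an iroute has no matching server-side `route NET MASK` line: OpenVPN's manual requires that kernel route into the tunnel alongside the iroute, and forgetting it is the usual reason traffic for the client's subnet never leaves the server. The sample configuration in the test is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki page or OpenVPN): summarise the routing
# a client receives from server.conf plus its client-config-dir file.

# pushed_routes SERVER_CONF
# Prints "NET MASK" for every   push "route NET MASK"   line.
pushed_routes() {
    awk '{ gsub(/"/, "") } $1=="push" && $2=="route" { print $3, $4 }' "$1"
}

# server_routes SERVER_CONF
# Prints "NET MASK" for every server-side   route NET MASK   line (the
# kernel route into the tunnel that an iroute needs on the server).
server_routes() {
    awk '$1=="route" { print $2, $3 }' "$1"
}

# client_iroutes CCD_FILE
# Subnets OpenVPN should route to this client.
client_iroutes() {
    awk '$1=="iroute" { print $2, $3 }' "$1"
}

# client_address CCD_FILE
# The fixed tunnel address pair from ifconfig-push, if any.
client_address() {
    awk '$1=="ifconfig-push" { print $2, $3 }' "$1"
}

# missing_server_routes SERVER_CONF CCD_FILE
# Prints each iroute in the ccd file that has no matching "route" line in
# server.conf. Prints nothing (and returns 0) when the ccd file is absent.
missing_server_routes() {
    [ -f "$2" ] || return 0
    have=$(server_routes "$1")
    client_iroutes "$2" | while read -r net mask; do
        printf '%s\n' "$have" | grep -qxF "$net $mask" || echo "$net $mask"
    done
}

# client_routing SERVER_CONF CCD_DIR CN
# Prints the routing summary for client CN. Returns 1 when an iroute lacks
# its server-side route, 0 otherwise. A client without a ccd file simply
# gets every pushed route.
client_routing() {
    conf="$1"; ccd="$2/$3"
    echo "client: $3"
    if [ -f "$ccd" ]; then
        addr=$(client_address "$ccd")
        iroutes=$(client_iroutes "$ccd")
    else
        addr=""; iroutes=""
    fi
    if [ -n "$addr" ]; then echo "  address (ifconfig-push): $addr"; fi
    # OpenVPN does not push a route to the client that serves it via iroute
    pushed_routes "$conf" | while read -r net mask; do
        if printf '%s\n' "$iroutes" | grep -qxF "$net $mask"; then
            echo "  not pushed (client owns it): $net $mask"
        else
            echo "  pushed: $net $mask"
        fi
    done
    if [ -n "$iroutes" ]; then
        printf '%s\n' "$iroutes" | sed 's/^/  routed to client (iroute): /'
    fi
    missing=$(missing_server_routes "$conf" "$ccd")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" \
            | sed 's/^/  WARNING: iroute without a "route" line in server.conf: /'
        return 1
    fi
    return 0
}

# Usage: sh ccd-routes.sh /etc/openvpn/server.conf /etc/openvpn/ccd client1
if [ $# -eq 3 ]; then
    client_routing "$1" "$2" "$3"
fi
```

For the ccd/client1 example above the output lists 192.168.2.0/24 as "not pushed (client owns it)" and 192.168.3.0/24 as "pushed"; if server.conf has no `route 192.168.2.0 255.255.255.0`, the script exits 1 with a warning for that subnet.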
configuring client.conf

enabling service

    ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service
    systemctl start openvpn@server
    systemctl status openvpn@server
    systemctl stop openvpn@server