wiki:openvpn_installation [2024/04/09 15:59] – [See also] add ovpn_file_example antisa
wiki:openvpn_installation [2024/07/02 13:49] (current) – [Shorewall] add detect option antisa
Line 1: Line 1:
-{{tag>vpn}}+{{tag>vpn openvpn}}
  
 ====== Openvpn installation ====== ====== Openvpn installation ======
Line 68: Line 68:
   cp vars.example vars   cp vars.example vars
  
-1. Create the CA:+Also add the ''keyEncipherment'' option in //x509-types/client// file otherwise you will get an error like 
 +''Client failed: unsupported certificate purpose'' eg. 
 +<code> 
 +etc/openvpn/EasyRSA-3.1.7# cat x509-types/client  
 +# X509 extensions for a client 
 + 
 +basicConstraints = CA:FALSE 
 +subjectKeyIdentifier = hash 
 +authorityKeyIdentifier = keyid,issuer:always 
 +extendedKeyUsage = clientAuth 
 +keyUsage = digitalSignature, keyEncipherment 
 +</code> 
 + 
 +1. Initialize the PKI directories
   ./easyrsa init-pki   ./easyrsa init-pki
  
-2. Create signing requestChange EntityName, ''nopass'' if you don't want private key to be encrypted +2. Create the CAUsed in client and server configuration: 
-  ./easyrsa gen-req EntityName nopass+  ./easyrsa build-ca
  
-3. Sign CSR and create crt. Here you need to provide the password of the CA.key in step 1:+3. Generate Diffie-Hellman (DH) params. 
 +  ./easyrsa gen-dh 
 + 
 +4. Create the vpn server's sign request and then certificate. This should be used in server.conf ''cert'' along with ''key'' which will also be generated with these commands Here you need to provide the password of the CA.key in step 2: 
 +  ./easyrsa gen-req server nopass 
 +  ./easyrsa sign-req server server 
 +   
 +5. Create client signing request and certificate. Change EntityName, ''nopass'' if you don't want private key to be encrypted 
 +  ./easyrsa gen-req EntityName nopass
   ./easyrsa sign-req client EntityName   ./easyrsa sign-req client EntityName
  
-4. Generate Diffie-Hellman (DH) params +
-  ./easyrsa gen-dh+
      
-For each new client just repeat steps 2 and 3.+For each new client just repeat last step.
  
 ==== Creating configuration files for server and clients ==== ==== Creating configuration files for server and clients ====
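Review bot: step 5's instruction "Change EntityName, nopass if you don't want private key to be encrypted" reads the wrong way round, since `nopass` is the option that leaves the client's private key unencrypted on disk; suggest "replace EntityName with the client name, and drop nopass if you want the key protected by a passphrase". In step 4 a full stop is missing between "commands" and "Here", and the prompt `etc/openvpn/EasyRSA-3.1.7#` pins one EasyRSA release; describing the file as x509-types/client under the EasyRSA directory would age better. It would also help to say that the `extendedKeyUsage = clientAuth` line in that file is what the server's peer-certificate purpose check matches, so signing a client request with the server type (or vice versa) is the other common cause of the "unsupported certificate purpose" error.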
Line 109: Line 129:
  
 You can now try running the openvpn on client and server like mentioned in Simple setup above. You can now try running the openvpn on client and server like mentioned in Simple setup above.
 +
 +==== Redirecting traffic over VPN ====
 +=== Redirect all traffic ===
 +In server.conf add
 +
 +  push "redirect-gateway def1 bypass-dhcp"
 +
 +
 +In client.conf add:
 +  redirect-gateway def1
 +
 +=== Redirect only some IPs (aka Split tunnel) ===
 +In server.conf add:
 +
 +  push "route 192.168.10.0 255.255.255.0"
 +  push "route 192.168.20.0 255.255.255.0"
 +  ...
 +
 +Remove the redirect-gateway lines from conf.
 +
 +<WRAP center round important 60%>
 +[[https://web.archive.org/web/20240521145319/https://i.sstatic.net/KNr6M.png|Ubuntu Network Manager]] doesn't seem to need above settings, so you can just uncheck the "Use this connection only for resources on its network" to redirect all traffic over VPN.
 +</WRAP>
 +
 +===== Redirect DNS through VPN =====
 +First uninstall any other DNS server/resolver like ''systemd-resolved''. Now install dnsmasq
 +
 +  apt install dnsmasq
 +
 +Now make the ///etc/resolv.conf// look like this
 +
 +  nameserver ::1
 +  nameserver 127.0.0.1
 +  options trust-ad
 +
 +You might need to [[https://wiki.archlinux.org/title/Domain_name_resolution#Overwriting_of_/etc/resolv.conf|write protect]] this file because some other programs might overwrite this.
 +
 +In ///etc/dnsmasq.conf// add one or more upstream servers that dnsmasq will use for name resolution i.e.
 +
 +  listen-address=::1,127.0.0.1,10.8.0.1
 +  interface=tun0
 +  # Google's nameservers, for example
 +  server=8.8.8.8
 +  server=8.8.4.4
 +
 +Adapt the listen-address IP to your VPN interface IP and interface as well and uncomment ''no-resolv''.
 +
 +In ///etc/openvpn/server/server.conf// make sure you push DNS and redirect gateway:
 +
 +  ...
 +  push "redirect-gateway def1 bypass-dhcp"
 +  push "dhcp-option DNS 10.13.13.1"
 +  ...
 +  
 +<WRAP center round info 60%>
 +If you run into problems with DNS not going through VPN in Windows installed as a VM in Virtualbox for example, you will need to disable automatic metric on VPN interface and set it to lower then the default Ethernet or wifi. To check open the powershell and type ''nslookup example.org'' and you should get a response from VPN IP e.g. 10.8.0.1.
 +{{ :wiki:screenshots:windows:windows_metric-2024-05-22_14-17.png?400 |}}
 +</WRAP>
 +
 +==== Resolve specific domains names to hard-coded IP ====
 +Say you need to always resolve example.org to 1.2.3.4 address, you have two options.
 +
 +1. Add the resolution to ///etc/hosts// i.e.
 +
 +  ...
 +  1.2.3.4 www.example.org example.org
 +
 +2. Remove the above from ///etc/hosts// and in ///etc/dnsmasq.conf// add following
 +  address=/example.org/1.2.3.4
 +
 +Also [[https://wiki.archlinux.org/title/dnsmasq#Tips_and_tricks|there are other]] stuff you can do.
  
 ===== Firewall setup ===== ===== Firewall setup =====
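Review bot: the DNS address pushed in the server.conf snippet (`push "dhcp-option DNS 10.13.13.1"`) does not match the `10.8.0.1` that dnsmasq is told to listen on, nor the 10.8.0.1 the Windows check expects an answer from; unless the VPN subnet really is 10.13.13.0/24, clients are pointed at an address nothing listens on. Suggest one server address throughout. Smaller points: "Remove the redirect-gateway lines from conf" should name both server.conf and client.conf; "lower then" should be "lower than"; and the `no-resolv` remark deserves its reason, namely that `/etc/resolv.conf` now points at dnsmasq itself, so the only usable upstreams are the `server=` lines. For the hard-coded IP section, dnsmasq serves `/etc/hosts` entries by default, so option 1 also answers VPN clients, and `address=/example.org/1.2.3.4` covers subdomains such as www.example.org as well.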
Line 120: Line 211:
 #ZONE   INTERFACE       BROADCAST       OPTIONS #ZONE   INTERFACE       BROADCAST       OPTIONS
 net     eth0      detect          tcpflags,logmartians,nosmurfs,dhcp net     eth0      detect          tcpflags,logmartians,nosmurfs,dhcp
-vpn     tun0+vpn     tun0      detect
 </code> </code>
  
Line 166: Line 257:
  
   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-  + 
 +===== Running openvpn server as a service ===== 
 + 
 +Debian 12 ships with systemd units for this. The way to run it is to first make sure the server configuration file is located in ///etc/openvpn/server// directory. The file must end with .conf. So if you have a configuration file called ''myvpnserver.conf'' you need to run it as 
 + 
 +  systemctl enable --now openvpn-server@myvpnserver 
 + 
 +Check logs with 
 +  journalctl -xefu openvpn-server@server.service 
 ====== Tested on ====== ====== Tested on ======
   * Debian 12 Bookworw   * Debian 12 Bookworw
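Review bot: the enable command uses instance `myvpnserver` while the log command queries `openvpn-server@server.service`; the instance name is the .conf basename, so the two examples should agree. "Bookworw" in the Tested on list should be "Bookworm". The MASQUERADE rule shown just above is also not something the systemd unit restores, so it needs to be persisted by the firewall configuration for the service to keep forwarding client traffic after a reboot.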
Line 173: Line 273:
 ====== See also ====== ====== See also ======
   * [[wiki:ovpn_file_example]]   * [[wiki:ovpn_file_example]]
 +  * [[wiki:vpn_troubleshooting|VPN troubleshooting]]
 ====== References ====== ====== References ======
   * https://openvpn.net/community-resources/static-key-mini-howto/   * https://openvpn.net/community-resources/static-key-mini-howto/
Line 178: Line 279:
   * https://serverfault.com/questions/480069/how-to-force-all-traffic-through-vpn   * https://serverfault.com/questions/480069/how-to-force-all-traffic-through-vpn
   * https://openvpn.net/community-resources/how-to/#setting-up-your-own-certificate-authority-ca-and-generating-certificates-and-keys-for-an-openvpn-server-and-multiple-clients   * https://openvpn.net/community-resources/how-to/#setting-up-your-own-certificate-authority-ca-and-generating-certificates-and-keys-for-an-openvpn-server-and-multiple-clients
 +  * https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html
 +  * https://shorewall.org/OPENVPN.html
 +  * https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
 +  * [[https://superuser.com/a/966833|windows metric issue]]
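Review bot: the reference list links the OpenVPN 2.4 reference manual, but the page targets Debian 12, which ships OpenVPN 2.6; linking the 2.6 manual would match the options the server and clients actually run.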
    
wiki/openvpn_installation.1712671173.txt.gz · Last modified: 2024/04/09 15:59 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal