Openvpn installation
Install
apt install openvpn
Enable IP forwarding (the server must forward packets between tun0 and its real interface):
echo 1 > /proc/sys/net/ipv4/ip_forward
This setting does not survive a reboot; put net.ipv4.ip_forward=1 in a file under /etc/sysctl.d/ to make it permanent.
Simple setup with static key
This simple setup with static key is really only usable with single client and server, unless you want to run separate openvpn instances on different server ports with different server configurations.
cd /etc/openvpn/
openvpn --genkey --secret static.key
Set up the server.conf (started below from /etc/openvpn as server/server.conf); here is a minimal configuration:
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/static.key
cipher AES-256-CBC
And client.conf
remote 1.2.3.4
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
#route 4.5.6.7 255.255.255.255 vpn_gateway
redirect-gateway def1
cipher AES-256-CBC
Note the static key and redirect-gateway options. redirect-gateway routes all of the client's traffic through the VPN; for the client to reach public sites you will then need SNAT/MASQUERADE on the server's firewall, see below.
Uncomment route and comment out redirect-gateway if you only want to route traffic to a specific IP, e.g. 4.5.6.7.
Start the openvpn on both server and client. Server:
/etc/openvpn# openvpn server/server.conf
and client
sudo openvpn client.ovpn
Both commands should show at the end something like:
...
2024-04-09 10:25:08 Peer Connection Initiated with [AF_INET]1.2.3.4:port
2024-04-09 10:25:08 Initialization Sequence Completed
To verify that the VPN is running, you should be able to ping 10.8.0.2 from the server and 10.8.0.1 from the client.
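The easiest mistakes in a hand-written static-key pair are an ifconfig line that is not mirrored, a forgotten secret or cipher line, and a client that routes nothing into the tunnel. The following checker is an added example (not code from this page or from the OpenVPN project): it parses a server.conf/client.conf pair of the kind shown above and reports those mistakes, and it validates the layout of the static.key file written by openvpn --genkey (2048-bit key, 16 lines of 32 hex digits between the BEGIN/END markers). The two embedded configs are constructed copies of the page's minimal configuration.

```python
"""Consistency checks for an OpenVPN static-key (point-to-point) setup.

Added example, not code from the wiki page or from OpenVPN itself.
The sample configs are constructed copies of the page's minimal
server.conf and client.conf.
"""

SERVER_CONF = """\
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/static.key
cipher AES-256-CBC
"""

CLIENT_CONF = """\
remote 1.2.3.4
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
#route 4.5.6.7 255.255.255.255 vpn_gateway
redirect-gateway def1
cipher AES-256-CBC
"""


def parse_conf(text):
    """Map each option name to a list of argument lists.

    Lines whose first character is '#' or ';' are OpenVPN comments and
    are skipped, so the commented-out 'route' line above does not
    appear in the result.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts


def check_pair(server_text, client_text):
    """Return {'errors': [...], 'notes': [...]} for a server/client pair."""
    server, client = parse_conf(server_text), parse_conf(client_text)
    errors, notes = [], []

    for side, conf in (("server", server), ("client", client)):
        if "secret" not in conf:
            errors.append(f"{side}: no 'secret' line, the peer is not authenticated")
        if "cipher" not in conf:
            errors.append(f"{side}: no explicit 'cipher' line")
        if len(conf.get("ifconfig", [[]])[0]) != 2:
            errors.append(f"{side}: 'ifconfig <local> <remote>' missing or malformed")
        if conf.get("dev", [["tun"]])[0][:1] != ["tun"]:
            errors.append(f"{side}: 'dev' must be tun for a point-to-point link")

    # The server's (local, remote) pair must be the client's (remote, local).
    s_if = server.get("ifconfig", [[]])[0]
    c_if = client.get("ifconfig", [[]])[0]
    if len(s_if) == 2 and len(c_if) == 2 and s_if != c_if[::-1]:
        errors.append(f"ifconfig addresses are not mirrored: server {s_if} vs client {c_if}")

    if "cipher" in server and "cipher" in client and server["cipher"] != client["cipher"]:
        errors.append("cipher differs between server and client")

    if "remote" not in client:
        errors.append("client: no 'remote' line, it does not know where the server is")

    if "redirect-gateway" in client:
        notes.append("client: redirect-gateway sends all traffic through the tunnel; "
                     "the server needs SNAT/MASQUERADE for the tunnel subnet")
    elif "route" not in client:
        notes.append("client: neither redirect-gateway nor route, only the "
                     "tunnel endpoint itself is reachable")
    return {"errors": errors, "notes": notes}


STATIC_KEY_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
STATIC_KEY_END = "-----END OpenVPN Static key V1-----"


def check_static_key(text):
    """Validate the layout of a file written by 'openvpn --genkey'.

    The key is 2048 bits stored as 16 lines of 32 hex digits between the
    BEGIN/END markers; the leading '#' comment lines are ignored.
    """
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    if not lines or lines[0] != STATIC_KEY_BEGIN or lines[-1] != STATIC_KEY_END:
        return False
    body = lines[1:-1]
    hexdigits = set("0123456789abcdefABCDEF")
    return len(body) == 16 and all(len(l) == 32 and set(l) <= hexdigits for l in body)


if __name__ == "__main__":
    result = check_pair(SERVER_CONF, CLIENT_CONF)
    for line in result["errors"] + result["notes"]:
        print(line)
```

Run it against the real files with `check_pair(open("server/server.conf").read(), open("client.conf").read())`; an empty errors list plus the redirect-gateway note is the expected result for the configuration on this page.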
Firewall setup
Shorewall
Example configuration.
/etc/shorewall/interfaces
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,logmartians,nosmurfs,dhcp
vpn     tun0
/etc/shorewall/zones
###############################################################################
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
vpn     ipv4
/etc/shorewall/snat - this masquerades all traffic from the VPN subnet so that it appears to come from the IP of the server running OpenVPN.
MASQUERADE 10.8.0.0/24 eth0
/etc/shorewall/policy
###############################################################################
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
$FW     net     ACCEPT
$FW     vpn     ACCEPT
vpn     $FW     ACCEPT
vpn     net     ACCEPT
net     all     DROP    info
# The FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
/etc/shorewall/rules - allow clients on the net zone to reach the OpenVPN service on its port (UDP 1194):
...
ACCEPT  net     $FW     udp     1194
...
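Shorewall evaluates the policy file top down and uses the first matching row, which is why the catch-all REJECT has to be last, and the vpn -> net ACCEPT policy only works for public sites if the snat file masquerades the tunnel subnet on the net interface. The following checker is an added example (not code from this page or from Shorewall): it parses the interfaces, policy and snat fragments (constructed copies of the samples above) and reports a mis-ordered catch-all, a policy that lets net into the firewall, and a zone allowed out to net without masquerading. VPN_SUBNET is an assumption taken from the ifconfig addresses used above.

```python
"""Sanity checks for the Shorewall files shown above.

Added example, not part of the wiki page or of Shorewall itself. The
three fragments below are constructed copies of the page's samples.
"""

INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,logmartians,nosmurfs,dhcp
vpn     tun0
"""

POLICY = """\
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
$FW     net     ACCEPT
$FW     vpn     ACCEPT
vpn     $FW     ACCEPT
vpn     net     ACCEPT
net     all     DROP    info
# The FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
"""

SNAT = """\
#ACTION     SOURCE          DEST
MASQUERADE  10.8.0.0/24     eth0
"""

# Assumed tunnel subnet (covers the 10.8.0.1/10.8.0.2 endpoints above).
VPN_SUBNET = "10.8.0.0/24"


def rows(text):
    """Split a Shorewall table file into field lists, dropping comments."""
    return [line.split() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def check_policy(policy_text):
    """Return findings about ordering and exposure in the policy file."""
    table = rows(policy_text)
    findings = []
    if not table or table[-1][:3] != ["all", "all", "REJECT"]:
        findings.append("last policy is not 'all all REJECT'")
    for i, row in enumerate(table):
        # First match wins: an early catch-all hides every row after it.
        if row[:2] == ["all", "all"] and i != len(table) - 1:
            findings.append(f"catch-all policy at row {i} shadows the rows after it")
        if row[0] == "net" and row[1] in ("$FW", "all") and row[2] == "ACCEPT":
            findings.append("net is allowed into the firewall by policy; use rules instead")
    return findings


def check_snat(interfaces_text, policy_text, snat_text, vpn_subnet=VPN_SUBNET):
    """Every zone allowed out to net needs MASQUERADE/SNAT on net's interface."""
    net_ifaces = {r[1] for r in rows(interfaces_text) if r[0] == "net"}
    # ACTION may carry an argument, e.g. SNAT(1.2.3.4); keep only the name.
    masq = {(r[1], r[2]) for r in rows(snat_text)
            if r[0].split("(")[0] in ("MASQUERADE", "SNAT")}
    findings = []
    for row in rows(policy_text):
        if row[:3] == ["vpn", "net", "ACCEPT"]:
            for iface in sorted(net_ifaces):
                if (vpn_subnet, iface) not in masq:
                    findings.append(f"vpn -> net accepted but {vpn_subnet} "
                                    f"is not masqueraded on {iface}")
    return findings


if __name__ == "__main__":
    for line in check_policy(POLICY) + check_snat(INTERFACES, POLICY, SNAT):
        print(line)
```

To check a live host, pass the contents of /etc/shorewall/interfaces, policy and snat to the two functions; no output means the three files agree with each other for the VPN zone.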
iptables
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Tested on
- Debian 12 Bookworm
- shorewall 5.2.8