This is an old revision of the document!


Openvpn installation

Install

apt install openvpn

Enable IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

This setting does not survive a reboot; to make it permanent, set net.ipv4.ip_forward=1 in /etc/sysctl.conf (or a file under /etc/sysctl.d/) and apply it with sysctl -p.

Simple setup with static key

This simple setup with a static key is really only usable with a single client and server, unless you want to run separate OpenVPN instances on different server ports, each with its own server configuration.

cd /etc/openvpn/
openvpn --genkey --secret static.key

Set up server.conf; here is a minimal configuration:

dev tun
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/static.key
cipher AES-256-CBC

And client.conf

remote 1.2.3.4
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key

#route 4.5.6.7 255.255.255.255 vpn_gateway
redirect-gateway def1

cipher AES-256-CBC

Note the secret (static key) and redirect-gateway options. redirect-gateway routes all of the client's traffic through the VPN. For visiting public sites you will then need to set up SNAT/MASQUERADE on the firewall; see below. If you only want to route traffic to a specific IP, e.g. 4.5.6.7, uncomment the route line and comment out redirect-gateway instead.

Start the openvpn on both server and client. Server:

/etc/openvpn# openvpn server/server.conf

and client

sudo openvpn client.ovpn

Both commands should end with output like:

...
2024-04-09 10:25:08 Peer Connection Initiated with [AF_INET]1.2.3.4:port
2024-04-09 10:25:08 Initialization Sequence Completed

To verify that the VPN is running, you should be able to ping 10.8.0.2 from the server and 10.8.0.1 from the client.
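A pre-flight check for this static-key setup, added here as an example and not part of the wiki page: it confirms forwarding is on, that the secret named in the config exists, carries the header openvpn --genkey writes and is not group/world readable (anyone who can read it can join the tunnel), and that route and redirect-gateway are not both active. Paths are taken as arguments so it can run against copies; the /proc default and resolving a relative secret against the config's directory are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the static-key OpenVPN setup above. Paths are arguments
# so the checks can run against copies; the /proc default assumes a Linux host.

# Forwarding is on when the sysctl file holds "1".
check_forwarding() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    [ "$(cat "$f")" = "1" ] || { echo "ip_forward is not 1"; return 1; }
}

# The key must exist, carry the header openvpn --genkey writes, and grant no
# permission bits to group/other: whoever can read it can join the tunnel.
check_static_key() {
    key="$1"
    [ -f "$key" ] || { echo "missing key file $key"; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----' "$key" \
        || { echo "$key is not an OpenVPN static key"; return 1; }
    perms=$(ls -l "$key" | cut -c2-10)          # e.g. rw-------
    case "$perms" in
        ???------) ;;
        *) echo "$key is mode $perms; chmod 600 it"; return 1 ;;
    esac
}

# The config must name a usable secret (a relative path is resolved against the
# config's directory here, an assumption that matches running openvpn from that
# directory), set a cipher, and not enable both redirect-gateway and a route.
check_conf() {
    conf="$1"
    active=$(grep -v '^[[:space:]]*#' "$conf")      # drop commented-out lines
    secret=$(printf '%s\n' "$active" | awk '$1 == "secret" { print $2; exit }')
    [ -n "$secret" ] || { echo "no secret directive in $conf"; return 1; }
    case "$secret" in /*) ;; *) secret="$(dirname "$conf")/$secret" ;; esac
    check_static_key "$secret" || return 1
    printf '%s\n' "$active" | grep -q '^cipher ' \
        || { echo "no cipher set in $conf"; return 1; }
    if printf '%s\n' "$active" | grep -q '^redirect-gateway' &&
       printf '%s\n' "$active" | grep -q '^route '; then
        echo "both redirect-gateway and route are active in $conf; keep one"
        return 1
    fi
}

# Usage: vpn_precheck /etc/openvpn/server.conf [ip_forward file]
vpn_precheck() {
    check_forwarding "$2" && check_conf "$1" && echo "precheck OK"
}
```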

Firewall setup

Shorewall

Example configuration.

/etc/shorewall/interfaces

###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0      detect          tcpflags,logmartians,nosmurfs,dhcp
vpn     tun0

/etc/shorewall/zones

###############################################################################
#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS

fw      firewall
net     ipv4
vpn     ipv4

/etc/shorewall/snat - this masquerades all traffic from the VPN subnet so that it appears to come from the IP of the server running OpenVPN.

MASQUERADE      10.8.0.0/24     eth0

/etc/shorewall/policy

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

$FW             net             ACCEPT

$FW             vpn             ACCEPT
vpn             $FW             ACCEPT

vpn             net             ACCEPT
net             all             DROP            info

# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

/etc/shorewall/rules - allow clients from the net zone to connect to the OpenVPN service on this port.

...
ACCEPT          net             $FW             udp     1194
...

iptables

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Tested on

  • Debian 12 Bookworm
  • shorewall 5.2.8

See also

References

wiki/openvpn_installation.1712654757.txt.gz · Last modified: 2024/04/09 11:25 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal