antisaWiki

User Tools

Site Tools

Trace:
wiki:openvpn_installation

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
wiki:openvpn_installation [2024/04/09 11:25] – created antisawiki:openvpn_installation [2024/05/13 16:18] (current) – [References] add shorewall doc link antisa
Line 54: Line 54:
 To verify that the VPN is running, you should be able to ping 10.8.0.2 from the server and 10.8.0.1 from the client. To verify that the VPN is running, you should be able to ping 10.8.0.2 from the server and 10.8.0.1 from the client.
  
 +===== Setup for multiple clients - one server =====
 +This is the "proper" way to do it when there are multiple clients involved.
 +
 +==== Certificate generation ====
 +
 +Download the easy-rsa: 
 +
 +  wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.7/EasyRSA-3.1.7.tgz
 +  tar xf EasyRSA-3.1.7.tgz
 +  cd EasyRSA-3.1.7
 +
 +Copy vars.example to vars and change variables accordingly. vars will be automatically sourced by easy-rsa script.
 +  cp vars.example vars
 +
 +Also add the ''keyEncipherment'' option in //x509-types/client// file otherwise you will get an error like
 +''Client failed: unsupported certificate purpose'' eg.
 +<code>
 +etc/openvpn/EasyRSA-3.1.7# cat x509-types/client 
 +# X509 extensions for a client
 +
 +basicConstraints = CA:FALSE
 +subjectKeyIdentifier = hash
 +authorityKeyIdentifier = keyid,issuer:always
 +extendedKeyUsage = clientAuth
 +keyUsage = digitalSignature, keyEncipherment
 +</code>
 +
 +1. Initialize the PKI directories
 +  ./easyrsa init-pki
 +
 +2. Create the CA. Used in client and server configuration:
 +  ./easyrsa build-ca
 +
 +3. Generate Diffie-Hellman (DH) params.
 +  ./easyrsa gen-dh
 +
 +4. Create the vpn server's sign request and then certificate. This should be used in server.conf ''cert'' along with ''key'' which will also be generated with these commands.  Here you need to provide the password of the CA.key in step 2:
 +  ./easyrsa gen-req server nopass
 +  ./easyrsa sign-req server server
 +  
 +5. Create client signing request and certificate. Change EntityName, ''nopass'' if you don't want private key to be encrypted
 +  ./easyrsa gen-req EntityName nopass
 +  ./easyrsa sign-req client EntityName
 +
 +
 +  
 +For each new client just repeat last step.
 +
 +==== Creating configuration files for server and clients ====
 +=== Server ===
 +
 +You can copy the example file and adapt the fields to your config
 +  cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf server.conf
 +
 +Edit the ca, cert, key, and dh parameters to point to the files you generated and any other configuration you need. Also create the ta.key
 +
 +  openvpn --genkey tls-auth ta.key
 +
 +Also create the openvpn user
 +  adduser --no-create-home --disabled-login openvpn
 +
 +and uncomment this in server.conf
 +  ...
 +  ;user openvpn
 +  ;group openvpn
 +  ...
 +
 +=== Client ===
 +  cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf client.conf.example
 +
 +  * Like the server configuration file, first edit the ca, cert, and key parameters to point to the files you generated.
 +  * Edit the ''remote'' directive to point to the hostname/IP address and port number of the OpenVPN server
 +  * Ensure that the client configuration file is consistent with the directives used in the server configuration. The major thing to check for is that the dev (tun or tap) and proto (udp or tcp) directives are consistent. Also make sure that comp-lzo and fragment, if used, are present in both client and server config files.
 +
 +You can now try running the openvpn on client and server like mentioned in Simple setup above.
  
 ===== Firewall setup ===== ===== Firewall setup =====
Line 111: Line 186:
  
   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-  + 
 +===== Running openvpn server as a service ===== 
 + 
 +Debian 12 ships with systemd units for this. The way to run it is to first make sure the server configuration file is located in ///etc/openvpn/server// directory. The file must end with .conf. So if you have a configuration file called ''myvpnserver.conf'' you need to run it as 
 + 
 +  systemctl enable --now openvpn-server@myvpnserver 
 + 
 +Check logs with 
 +  journalctl -xefu openvpn-server@server.service 
 ====== Tested on ====== ====== Tested on ======
   * Debian 12 Bookworw   * Debian 12 Bookworw
Line 117: Line 201:
  
 ====== See also ====== ====== See also ======
 +  * [[wiki:ovpn_file_example]]
 ====== References ====== ====== References ======
   * https://openvpn.net/community-resources/static-key-mini-howto/   * https://openvpn.net/community-resources/static-key-mini-howto/
   * https://wiki.archlinux.org/title/Shorewall#/etc/shorewall/masq   * https://wiki.archlinux.org/title/Shorewall#/etc/shorewall/masq
   * https://serverfault.com/questions/480069/how-to-force-all-traffic-through-vpn   * https://serverfault.com/questions/480069/how-to-force-all-traffic-through-vpn
 +  * https://openvpn.net/community-resources/how-to/#setting-up-your-own-certificate-authority-ca-and-generating-certificates-and-keys-for-an-openvpn-server-and-multiple-clients
 +  * https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html
 +  * https://shorewall.org/OPENVPN.html
    
wiki/openvpn_installation.1712654757.txt.gz · Last modified: 2024/04/09 11:25 by antisa
Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal
CC0 1.0 Universal Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki