Previous revision: wiki:openvpn_installation [2024/04/09 11:25] – created antisa
Current revision: wiki:openvpn_installation [2024/05/13 16:18] (current) – [References] add shorewall doc link antisa
Line 54: | Line 54: | ||
To verify that the VPN is running, you should be able to ping 10.8.0.2 from the server and 10.8.0.1 from the client. | To verify that the VPN is running, you should be able to ping 10.8.0.2 from the server and 10.8.0.1 from the client. | ||
+ | ===== Setup for multiple clients - one server ===== | ||
+ | This is the " | ||
+ | |||
+ | ==== Certificate generation ==== | ||
+ | |||
+ | Download the easy-rsa: | ||
+ | |||
+ | wget https:// | ||
+ | tar xf EasyRSA-3.1.7.tgz | ||
+ | cd EasyRSA-3.1.7 | ||
+ | |||
+ | Copy vars.example to vars and change variables accordingly. vars will be automatically sourced by easy-rsa script. | ||
+ | cp vars.example vars | ||
+ | |||
+ | Also add the '' | ||
+ | '' | ||
+ | < | ||
+ | etc/ | ||
+ | # X509 extensions for a client | ||
+ | |||
+ | basicConstraints = CA:FALSE | ||
+ | subjectKeyIdentifier = hash | ||
+ | authorityKeyIdentifier = keyid, | ||
+ | extendedKeyUsage = clientAuth | ||
+ | keyUsage = digitalSignature, | ||
+ | </ | ||
+ | |||
+ | 1. Initialize the PKI directories | ||
+ | ./easyrsa init-pki | ||
+ | |||
+ | 2. Create the CA. Used in client and server configuration: | ||
+ | ./easyrsa build-ca | ||
+ | |||
+ | 3. Generate Diffie-Hellman (DH) params. | ||
+ | ./easyrsa gen-dh | ||
+ | |||
+ | 4. Create the vpn server' | ||
+ | ./easyrsa gen-req server nopass | ||
+ | ./easyrsa sign-req server server | ||
+ | | ||
+ | 5. Create client signing request and certificate. Change EntityName, '' | ||
+ | ./easyrsa gen-req EntityName nopass | ||
+ | ./easyrsa sign-req client EntityName | ||
+ | |||
+ | |||
+ | | ||
+ | For each new client just repeat last step. | ||
+ | |||
+ | ==== Creating configuration files for server and clients ==== | ||
+ | === Server === | ||
+ | |||
+ | You can copy the example file and adapt the fields to your config | ||
+ | cp / | ||
+ | |||
+ | Edit the ca, cert, key, and dh parameters to point to the files you generated and any other configuration you need. Also create the ta.key | ||
+ | |||
+ | openvpn --genkey tls-auth ta.key | ||
+ | |||
+ | Also create the openvpn user | ||
+ | adduser --no-create-home --disabled-login openvpn | ||
+ | |||
+ | and uncomment this in server.conf | ||
+ | ... | ||
+ | ;user openvpn | ||
+ | ;group openvpn | ||
+ | ... | ||
+ | |||
+ | === Client === | ||
+ | cp / | ||
+ | |||
+ | * Like the server configuration file, first edit the ca, cert, and key parameters to point to the files you generated. | ||
+ | * Edit the '' | ||
+ | * Ensure that the client configuration file is consistent with the directives used in the server configuration. The major thing to check for is that the dev (tun or tap) and proto (udp or tcp) directives are consistent. Also make sure that comp-lzo and fragment, if used, are present in both client and server config files. | ||
+ | |||
+ | You can now try running the openvpn on client and server like mentioned in Simple setup above. | ||
===== Firewall setup ===== | ===== Firewall setup ===== | ||
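Review bot: step 5 generates every client key with `nopass`, so each client's private key sits unencrypted on disk; the section should say that the generated `.key` must only be handed to its client over a protected channel and that `nopass` can be dropped (so the key is passphrase-wrapped) where the client host is shared or portable. The same hunk creates the `openvpn` user and uncomments `user openvpn` / `group openvpn` but does not mention `persist-key` and `persist-tun`; without them the daemon cannot re-read the key file or reopen the tun device after it has dropped privileges, so a SIGUSR1 or ping-restart fails. The two directives belong right next to the user/group lines. Also, `./easyrsa sign-req client EntityName` runs on the CA, and the text would benefit from stating that the CA material (pki/private/ca.key) should be kept on a machine separate from the VPN server rather than in the same directory tree as the server's own key.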
Line 111: | Line 186: | ||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE | iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE | ||
- | | + | |
+ | ===== Running openvpn server as a service ===== | ||
+ | |||
+ | Debian 12 ships with systemd units for this. The way to run it is to first make sure the server configuration file is located in /// | ||
+ | |||
+ | systemctl enable --now openvpn-server@myvpnserver | ||
+ | |||
+ | Check logs with | ||
+ | journalctl -xefu openvpn-server@server.service | ||
====== Tested on ====== | ====== Tested on ====== | ||
* Debian 12 Bookworw | * Debian 12 Bookworw | ||
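Review bot: the enable command starts the instance `openvpn-server@myvpnserver`, while the log command queries `openvpn-server@server.service`; for this template unit the part after `@` is the base name of the configuration file (`myvpnserver.conf` versus `server.conf`), so as written the journalctl line shows nothing for the unit that was actually started. Use one instance name in both commands, e.g. `journalctl -xefu openvpn-server@myvpnserver`. The unchanged context line `* Debian 12 Bookworw` also misspells Bookworm.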
Line 117: | Line 201: | ||
====== See also ====== | ====== See also ====== | ||
+ | * [[wiki: | ||
====== References ====== | ====== References ====== | ||
* https:// | * https:// | ||
* https:// | * https:// | ||
* https:// | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
wiki/openvpn_installation.1712654757.txt.gz · Last modified: 2024/04/09 11:25 by antisa