wiki:openvpn_installation

Differences

wiki:openvpn_installation [2024/04/09 16:54] – [Certificate generation] add info about keyEncipherment antisa
wiki:openvpn_installation [2024/05/13 16:18] (current) – [References] add shorewall doc link antisa
Line 81: Line 81:
 </code> </code>
  
- +1. Initialize the PKI directories
-1. Create the CA:+
   ./easyrsa init-pki   ./easyrsa init-pki
  
-2. Create signing requestChange EntityName, ''nopass'' if you don't want private key to be encrypted +2. Create the CAUsed in client and server configuration: 
-  ./easyrsa gen-req EntityName nopass+  ./easyrsa build-ca
  
-3. Sign CSR and create crt. Here you need to provide the password of the CA.key in step 1:+3. Generate Diffie-Hellman (DH) params. 
 +  ./easyrsa gen-dh 
 + 
 +4. Create the vpn server's sign request and then certificate. This should be used in server.conf ''cert'' along with ''key'' which will also be generated with these commands Here you need to provide the password of the CA.key in step 2: 
 +  ./easyrsa gen-req server nopass 
 +  ./easyrsa sign-req server server 
 +   
 +5. Create client signing request and certificate. Change EntityName, ''nopass'' if you don't want private key to be encrypted 
 +  ./easyrsa gen-req EntityName nopass
   ./easyrsa sign-req client EntityName   ./easyrsa sign-req client EntityName
  
-4. Generate Diffie-Hellman (DH) params +
-  ./easyrsa gen-dh+
      
-For each new client just repeat steps 2 and 3.+For each new client just repeat last step.
  
 ==== Creating configuration files for server and clients ==== ==== Creating configuration files for server and clients ====
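Review bot: step 4 runs two sentences together ("...which will also be generated with these commands Here you need to provide the password of the CA.key in step 2"); split them and state that only the `sign-req` command prompts for the CA passphrase, since `gen-req server nopass` never touches the CA key. Step 2 has the same problem ("Create the CAUsed in client and server configuration:" needs a period after "CA"), and the closing line should read "repeat the last step". It would also help readers to add one sentence on why the type differs between `./easyrsa sign-req server server` and `./easyrsa sign-req client EntityName`: the type selects the certificate's key-usage/extended-key-usage extensions (server vs. client authentication), which is what allows clients to reject a peer that presents a client certificate as if it were the server.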
Line 180: Line 186:
  
   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-  + 
 +===== Running openvpn server as a service ===== 
 + 
 +Debian 12 ships with systemd units for this. The way to run it is to first make sure the server configuration file is located in ///etc/openvpn/server// directory. The file must end with .conf. So if you have a configuration file called ''myvpnserver.conf'' you need to run it as 
 + 
 +  systemctl enable --now openvpn-server@myvpnserver 
 + 
 +Check logs with 
 +  journalctl -xefu openvpn-server@server.service 
 ====== Tested on ====== ====== Tested on ======
   * Debian 12 Bookworw   * Debian 12 Bookworw
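Review bot: the instance name is inconsistent between the two commands: the unit is enabled as `openvpn-server@myvpnserver`, but the log example reads `journalctl -xefu openvpn-server@server.service`, which would show a different (and here nonexistent) instance. Use the same name in both, i.e. `journalctl -xefu openvpn-server@myvpnserver`, and say outright that the instance name is the configuration file name without its `.conf` suffix, which the first sentence only implies. Nit: the unchanged context line below has "Bookworw" for "Bookworm".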
Line 192: Line 207:
   * https://serverfault.com/questions/480069/how-to-force-all-traffic-through-vpn   * https://serverfault.com/questions/480069/how-to-force-all-traffic-through-vpn
   * https://openvpn.net/community-resources/how-to/#setting-up-your-own-certificate-authority-ca-and-generating-certificates-and-keys-for-an-openvpn-server-and-multiple-clients   * https://openvpn.net/community-resources/how-to/#setting-up-your-own-certificate-authority-ca-and-generating-certificates-and-keys-for-an-openvpn-server-and-multiple-clients
 +  * https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html
 +  * https://shorewall.org/OPENVPN.html
    
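Review bot: the added x509v3_config link points at the OpenSSL 1.1.1 manual (`man1.1.1`), while the page's "Tested on" section lists Debian 12, which ships OpenSSL 3.0. The extension syntax is largely the same, but linking the 3.0 version of that manual page would match what is actually installed on the tested system and avoid sending readers to documentation for an end-of-life release.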
wiki/openvpn_installation.1712674441.txt.gz · Last modified: 2024/04/09 16:54 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal