
Monday 30 June 2014

Install and Configure OpenVPN


Configure OpenVPN Server:

Assume the VPN server has two NICs:

eth0: 192.168.1.100/24 on the LAN that VPN clients will be bridged into; gateway 192.168.1.254
eth1: 10.0.0.100/24 on the management network (or a public IP address); this is the address clients connect to

1) Installation

# sudo apt-get install -y openvpn bridge-utils easy-rsa

2) Configuration

# zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

(Debian and Ubuntu ship the sample compressed; if your release has a plain server.conf there, cp it instead.)

# vi /etc/openvpn/server.conf


Do this:

# line 53: change
dev tap0

# line 78: change like follows
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key

# line 87: change (build-dh in step 5 names the file after KEY_SIZE in vars, so dh2048.pem for the default of 2048; check the keys directory after step 5 and make this line match)
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

# line 96: make it comment
# server 10.8.0.0 255.255.255.0

# line 103: make it comment
# ifconfig-pool-persist ipp.txt

# line 115: uncomment and change ( [bridge IP, pushed to clients as gateway] [subnet mask] [first pool IP] [last pool IP] ). The pool must lie inside the bridged eth0 subnet, not the management network, and must not overlap the LAN's DHCP range, because bridged clients share that LAN.
server-bridge 192.168.1.100 255.255.255.0 192.168.1.101 192.168.1.150

# line 138: add ( [network the VPN server is in] [subnet mask] ). With a bridge the client already sits on this subnet, so this line only matters for additional networks routed behind the server.
push "route 192.168.1.0 255.255.255.0"

# line 275: change
status /var/log/openvpn-status.log

# line 284: uncomment one of these (log truncates the file at every start, log-append keeps the history)
log /var/log/openvpn.log
log-append /var/log/openvpn.log

While editing, also uncomment user nobody and group nogroup so the daemon drops root once it has opened the tap device and read its keys, and consider tls-auth ta.key 0 (with a key from openvpn --genkey --secret /etc/openvpn/ta.key) so packets without the HMAC are dropped before the TLS handshake even starts.

3) Create CA certificate and CA key.

# mkdir -p /etc/openvpn/easy-rsa && cp -R /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

# cd /etc/openvpn/easy-rsa

# mkdir keys

# vi vars


Do this:
# line 64: change to your environment

export KEY_COUNTRY="VN"
export KEY_PROVINCE="HCM"
export KEY_CITY="HCM"
export KEY_ORG="Home"
export KEY_EMAIL="info@home.home"

# source ./vars

(The build-* scripts read the exported variables, so source vars again in every new shell before using them.)

# ./clean-all

(clean-all empties the keys directory and sets it to mode 700. Run it once, now, and never again after the CA exists.)

# ./build-ca

Generating a 2048 bit RSA private key
.................++++++
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [VN]:# Enter
State or Province Name (full name) [HCM]:# Enter
Locality Name (eg, city) [HCM]:# Enter
Organization Name (eg, company) [Home]:# Enter
Organizational Unit Name (eg, section) []:# Enter
Common Name (eg, your name or your server's hostname) [GTS CA]:vpn.home.home   # input FQDN
Name []:server-ca   # set
Email Address [info@home.home]:# Enter


4) Create certificate and key for server


# ./build-key-server server
Generating a 2048 bit RSA private key
........++++++
.......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [VN]:# Enter
State or Province Name (full name) [HCM]:# Enter
Locality Name (eg, city) [HCM]:# Enter
Organization Name (eg, company) [Home]:# Enter
Organizational Unit Name (eg, section) []:# Enter
Common Name (eg, your name or your server's hostname) [server]:vpn.home.home   # input FQDN
Name []:server   
Email Address [info@home.home]:# Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <give yours>
An optional company name []: <give yours>
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName:PRINTABLE:'VN'
stateOrProvinceName:PRINTABLE:'HCM'
localityName:PRINTABLE:'HCM'
organizationName:PRINTABLE:'Home'
commonName:PRINTABLE:'vpn.home.home'
name:PRINTABLE:'server'
emailAddress:IA5STRING:'info@home.home'
Certificate is to be certified until Jul 12 09:30:14 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

5) Generate Diffie-Hellman (DH) parameters.

# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................................................


6) Create certificate and key for client.

# ./build-key-pass client
Generating a 2048 bit RSA private key
..................++++++
..................++++++
writing new private key to 'client.key'
Enter PEM pass phrase:# set pass-phrase
Verifying - Enter PEM pass phrase:# confirm
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [VN]:# Enter
State or Province Name (full name) [HCM]:# Enter
Locality Name (eg, city) [HCM]:# Enter
Organization Name (eg, company) [Home]:# Enter
Organizational Unit Name (eg, section) []:# Enter
Common Name (eg, your name or your server's hostname) [client]:client   # a name unique to this client, not the server's FQDN; the server rejects a second connection with the same CN unless duplicate-cn is set, and revocation and per-client config are keyed on it
Name []:client
Email Address [info@home.home]:# Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <give yours>
An optional company name []: <give yours>
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName:PRINTABLE:'VN'
stateOrProvinceName:PRINTABLE:'HCM'
localityName:PRINTABLE:'HCM'
organizationName:PRINTABLE:'Home'
commonName:PRINTABLE:'client'
name:PRINTABLE:'client'
emailAddress:IA5STRING:'info@home.home'
Certificate is to be certified until Jul 12 09:31:14 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


7) Start OpenVPN

# cp /usr/share/doc/openvpn/examples/sample-scripts/bridge-start /etc/openvpn/openvpn-startup

# cp /usr/share/doc/openvpn/examples/sample-scripts/bridge-stop /etc/openvpn/openvpn-shutdown

# chmod 755 /etc/openvpn/openvpn-startup

# chmod 755 /etc/openvpn/openvpn-shutdown

# vi /etc/openvpn/openvpn-startup


# line 17-20: change


eth="eth0"                     # LAN interface that is bridged with tap0
eth_ip="192.168.1.100"         # IP address that moves from eth0 to the bridge br0
eth_netmask="255.255.255.0"    # subnet mask
eth_broadcast="192.168.1.255"  # broadcast address of that same subnet

The script moves the address from eth0 to br0, which also removes any route that was bound to eth0. If eth0 carried the default route, re-add it at the end of the script (route add default gw 192.168.1.254 br0); if the default route is on eth1 nothing changes.



Now start the VPN server:

# service openvpn start

There is no need to run /etc/openvpn/openvpn-startup by hand: the Debian/Ubuntu init script (/etc/init.d/openvpn) runs /etc/openvpn/openvpn-startup before starting the daemons and /etc/openvpn/openvpn-shutdown after stopping them, which is why the bridge scripts were copied under those names. Afterwards brctl show should list br0 with eth0 and tap0 as members, and br0 (not eth0) should carry 192.168.1.100.
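As an added check before starting the service (this script is not part of the original post): the server-bridge pool from step 2 and eth_broadcast from step 7 both have to belong to the eth0 subnet, and a pool taken from another network is the usual reason bridged clients connect but cannot reach anything. The script below does the address arithmetic in plain POSIX shell and greps the live server-bridge line out of server.conf; the addresses in the comments are the ones assumed in this post.

```shell
#!/bin/sh
# Added example (not from the original post): check that the server-bridge
# pool in server.conf lies inside the bridge's subnet before starting OpenVPN.
# With a bridged (tap) server, clients get an address from this pool on the
# LAN itself, so a pool taken from another network leaves them unreachable.
# Addresses in comments are the ones assumed in this write-up.

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast_for IP NETMASK -> directed broadcast address of that subnet
# (the value eth_broadcast in bridge-start must be set to)
broadcast_for() {
    _ip=$(ip2int "$1"); _mask=$(ip2int "$2")
    int2ip $(( (_ip & _mask) | (~_mask & 4294967295) ))
}

# check_bridge_pool GATEWAY NETMASK POOL_START POOL_END
# Same argument order as the server-bridge directive. Returns 0 when the whole
# pool is inside GATEWAY/NETMASK, is ordered, and does not contain the gateway
# itself; otherwise prints why and returns 1.
check_bridge_pool() {
    gw=$(ip2int "$1"); mask=$(ip2int "$2")
    start=$(ip2int "$3"); end=$(ip2int "$4")
    net=$(( gw & mask ))
    if [ $(( start & mask )) -ne "$net" ] || [ $(( end & mask )) -ne "$net" ]; then
        echo "pool $3-$4 is outside $(int2ip "$net")/$2; bridged clients would be unreachable"
        return 1
    fi
    if [ "$start" -gt "$end" ]; then
        echo "pool start $3 comes after pool end $4"
        return 1
    fi
    if [ "$gw" -ge "$start" ] && [ "$gw" -le "$end" ]; then
        echo "bridge address $1 lies inside the pool $3-$4"
        return 1
    fi
    echo "ok: server-bridge $1 $2 $3 $4 (set eth_broadcast=\"$(broadcast_for "$1" "$2")\" in bridge-start)"
    return 0
}

# check_server_conf /etc/openvpn/server.conf
# Finds the active (uncommented) server-bridge line and checks it.
check_server_conf() {
    line=$(grep -E '^[[:space:]]*server-bridge[[:space:]]' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo "no server-bridge line in $1"
        return 1
    fi
    set -- $line
    check_bridge_pool "$2" "$3" "$4" "$5"
}

# Usage, on the server, before 'service openvpn start':
#   check_server_conf /etc/openvpn/server.conf
```

Run with the pool from the management network (10.0.0.101-10.0.0.150 against a 192.168.1.100/24 bridge) it reports the pool as outside the subnet; with 192.168.1.101-192.168.1.150 it passes and prints the broadcast address to put into bridge-start.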




Configure VPN Client (on Windows):

1) Install OpenVPN
Download the Windows installer from http://openvpn.net/index.php/open-source/downloads.html and install it.

2) Configure
Use SFTP (or another authenticated, encrypted channel) to copy these files from the VPN server:

/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key

to <vpn_client_installed_directory>\config\ on the Windows machine. Each client receives only its own certificate and key; ca.key never leaves the server (and the CA is best kept offline), because whoever holds it can issue certificates for new clients.

Copy the example client configuration into the config directory:

Copy <vpn_client_installed_directory>\sample-config\client.ovpn to <vpn_client_installed_directory>\config\client.ovpn

and edit it: set dev tap (the server uses tap0, and a tun client cannot join a bridge), set remote to the address clients reach the server on (eth1's 10.0.0.100 or the public IP) with port 1194, point ca, cert and key at ca.crt, client.crt and client.key in the same directory, and enable remote-cert-tls server (ns-cert-type server on older clients) so the client refuses a server certificate that was not issued with build-key-server.


3) Run OpenVPN GUI


Right-click the OpenVPN GUI icon in the system tray, click "Connect", enter the key passphrase set in step 6 of the server section, and the client connects to the VPN server.
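The three files plus the edits above can also be rolled into one client.ovpn with the certificates and keys embedded inline, so a single file is copied to the Windows machine. The script below is an added example, not part of the original post. It assumes the server side was given the matching hardening from step 2, tls-auth ta.key 0, cipher AES-256-CBC and auth SHA256 in server.conf, with ta.key created by openvpn --genkey --secret /etc/openvpn/ta.key; file names are the ones easy-rsa produced above, and vpn.home.home stands for whatever name or address clients reach eth1 by.

```shell
#!/bin/sh
# Added example (not from the original post): assemble a single client.ovpn
# with the CA certificate, the client certificate, the passphrase-protected
# client key and the tls-auth key embedded inline. Assumes server.conf has
# 'tls-auth ta.key 0', 'cipher AES-256-CBC' and 'auth SHA256', and that ta.key
# came from 'openvpn --genkey --secret /etc/openvpn/ta.key'. File names are
# those produced by easy-rsa in this write-up.

# pem_only FILE: print just the -----BEGIN/-----END block(s) of FILE. easy-rsa
# prepends a human-readable dump to .crt files that has no place in a profile.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# key_is_encrypted FILE: true when the private key carries a passphrase
# (traditional PEM 'Proc-Type: 4,ENCRYPTED' header or a PKCS#8 ENCRYPTED block)
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# make_client_ovpn HOST CA_CRT CLIENT_CRT CLIENT_KEY TA_KEY > client.ovpn
# Refuses to bundle a key without a passphrase: an inline profile is one file
# that is easy to copy around, so the key in it must not be usable on its own.
make_client_ovpn() {
    host=$1; ca=$2; cert=$3; key=$4; ta=$5
    for f in "$ca" "$cert" "$key" "$ta"; do
        if [ ! -r "$f" ]; then
            echo "make_client_ovpn: cannot read $f" >&2
            return 1
        fi
    done
    if ! key_is_encrypted "$key"; then
        echo "make_client_ovpn: $key has no passphrase; create it with build-key-pass" >&2
        return 1
    fi
    cat <<EOF
client
dev tap
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# only accept a server certificate that was issued with build-key-server
remote-cert-tls server
# must match server.conf
cipher AES-256-CBC
auth SHA256
# tls-auth direction: server uses 0, clients use 1
key-direction 1
verb 3
<ca>
$(pem_only "$ca")
</ca>
<cert>
$(pem_only "$cert")
</cert>
<key>
$(cat "$key")
</key>
<tls-auth>
$(pem_only "$ta")
</tls-auth>
EOF
}

# Usage, on the server, in /etc/openvpn/easy-rsa/keys:
#   make_client_ovpn vpn.home.home ca.crt client.crt client.key /etc/openvpn/ta.key > client.ovpn
```

The resulting client.ovpn goes into <vpn_client_installed_directory>\config\ on its own; the GUI still prompts for the key passphrase on connect, and the cipher and auth lines have to be identical on both ends or the tunnel will not come up.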
