OpenVPN
OpenVPN is an open-source virtual private network (VPN).
This tutorial was written for Debian 10 (buster) in March, 2020.
Server
The official Debian 10 repository contains a package for OpenVPN 2.4.
The following command installs this package:
apt install openvpn
Easy RSA
OpenVPN utilizes SSL/TLS security mechanisms.
Therefore, certificates (and keys) need to be generated and signed
by a certificate authority (CA). Easy RSA is helpful in that regard.
Use the following commands to initialize a directory easy-rsa containing the files
that help create the required certificates:
cd /etc/openvpn
make-cadir easy-rsa
Default values for certificate fields can be set by uncommenting the corresponding
lines in the following file:
/etc/openvpn/easy-rsa/vars
#...
# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate. Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
#...
The following commands generate the certificate authority (CA),
a certificate/key pair for the server and a certificate/key pair for
a client named client1:
cd /etc/openvpn/easy-rsa
./easyrsa init-pki
./easyrsa build-ca
./easyrsa build-server-full server
./easyrsa gen-dh
./easyrsa build-client-full client1
If the OpenVPN server is started on boot, remove the passphrase from the
server key so that no password prompt blocks the start:
./easyrsa set-rsa-pass server nopass
To change the passphrase:
./easyrsa set-rsa-pass server
Create an archive for the client:
cd /etc/openvpn
tar czvf client1_ovpn.tar.gz easy-rsa/pki/ca.crt easy-rsa/pki/issued/client1.crt easy-rsa/pki/private/client1.key
Server Config
Copy the example config file for the server to the correct location:
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server/server.conf
Edit the relevant parts of the server config file:
/etc/openvpn/server/server.conf
#...
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
dh /etc/openvpn/easy-rsa/pki/dh.pem
#...
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
#...
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
#...
Start Server
Start OpenVPN with the config /etc/openvpn/server/server.conf:
systemctl start openvpn-server@server
Start the given config on boot:
systemctl enable openvpn-server@server
Client
OpenVPN needs to be installed on the clients:
apt install openvpn
Client Certificates
Copy the certificate/key pair from the server to a client:
cd /etc/openvpn
tar xvf client1_ovpn.tar.gz
Each client should have its own certificate/key pair.
Client Config
Copy the example config file for the client to the correct location:
cat /usr/share/doc/openvpn/examples/sample-config-files/client.conf > /etc/openvpn/client/vpn.example.net.conf
Edit the relevant parts of the client config file:
/etc/openvpn/client/vpn.example.net.conf
#...
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote vpn.example.net 1194
#...
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/client1.crt
key /etc/openvpn/easy-rsa/pki/private/client1.key
#...
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
#...
Start Client
Start OpenVPN with the config /etc/openvpn/client/vpn.example.net.conf:
systemctl start openvpn-client@vpn.example.net
GUI
A system tray icon for systemd services can be used as a graphical user interface (GUI)
for an OpenVPN client.
Internet Access
This section describes how to route all client traffic (including web-traffic)
through the VPN.
Server
Enable IPv4 packet forwarding in the kernel:
/etc/sysctl.conf
#...
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
#...
Forward (masquerade) traffic from the VPN subnet over the interface eth0:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Client
Add the following directive to the client config file so that all traffic is routed through the VPN:
/etc/openvpn/client/vpn.example.net.conf
#...
redirect-gateway autolocal
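The sysctl, NAT rule and forwarding policy of this section as one idempotent script, added here as an example (these are not the tutorial's own commands): it assumes the subnet 10.8.0.0/24 and the interfaces tun0 and eth0 from above, and introduces the DRY_RUN and IPT knobs so the rule set can be previewed without root.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: apply this section's
# forwarding and NAT setup idempotently, and restrict forwarding to VPN traffic
# so ip_forward=1 plus MASQUERADE does not turn the server into an open router.
# Assumes the tutorial's values (subnet 10.8.0.0/24 on tun0, upstream eth0);
# IPT and DRY_RUN are knobs introduced here, DRY_RUN=1 only prints the commands.
: "${IPT:=iptables}"

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# rule TABLE CHAIN MATCH...: append only when the identical rule is absent (-C),
# so re-running this from a boot script never stacks duplicate rules.
rule() {
  t=$1; c=$2; shift 2
  if [ -z "${DRY_RUN:-}" ] && $IPT -t "$t" -C "$c" "$@" 2>/dev/null; then
    return 0
  fi
  run $IPT -t "$t" -A "$c" "$@"
}

# vpn_forwarding SUBNET TUN WAN
vpn_forwarding() {
  net=$1; tun=$2; wan=$3
  # forwarding for the running kernel; the sysctl.conf edit above persists it
  run sysctl -w net.ipv4.ip_forward=1
  # the tutorial's NAT rule: VPN sources leave via WAN with the server's address
  rule nat POSTROUTING -s "$net" -o "$wan" -j MASQUERADE
  # only VPN clients may transit, and only replies to them may come back
  rule filter FORWARD -i "$tun" -s "$net" -o "$wan" -j ACCEPT
  rule filter FORWARD -i "$wan" -o "$tun" \
    -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # everything else that tries to transit this host is dropped
  run $IPT -P FORWARD DROP
}

if [ "${1:-}" = "apply" ]; then vpn_forwarding 10.8.0.0/24 tun0 eth0; fi
```

Run `DRY_RUN=1 sh script.sh apply` to see the exact commands, then without DRY_RUN as root to apply them.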