I have taken almost all the information from the excellent post by nicolargo.
Install openvpn
sudo aptitude install openvpn
sudo cp -a /usr/share/easy-rsa /etc/openvpn/
sudo chown -R $USER /etc/openvpn/easy-rsa/
Configuration of the openvpn server:
export KEY_COUNTRY="US"
export KEY_PROVINCE="US"
export KEY_CITY="your city"
export KEY_ORG="yourcity.com"
export KEY_EMAIL="yourcity@yourcity.co.uk"
cd /etc/openvpn/easy-rsa
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
sudo openvpn --genkey --secret keys/ta.key
sudo cp keys/ca.crt keys/ta.key keys/server.crt keys/server.key keys/dh2048.pem /etc/openvpn/
sudo mkdir /etc/openvpn/jail
sudo mkdir /etc/openvpn/jail/tmp
sudo mkdir /etc/openvpn/clientconf
Create /etc/openvpn/server.conf with the following content:
# Server TCP/1194
mode server
proto tcp
port 1194
dev tun

# Keys and certificates
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# the server side of the tls-auth HMAC uses direction 0, the clients use direction 1
tls-auth ta.key 0
key-direction 0
cipher AES-256-CBC

# Network
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120

# Security
user nobody
group nogroup
chroot /etc/openvpn/jail
persist-key
persist-tun
comp-lzo

# Log
verb 3
mute 20
status openvpn-status.log
; log-append /var/log/openvpn.log
Note that lots of firewalls and proxies block port 1194. If you don't run an HTTPS service on your server, you can change the port to 443 and easily get past those restrictions. If you do have an HTTPS service, you can use sslh to forward the OpenVPN traffic arriving on 443 to your OpenVPN service. You can have a look at one of my tutorials to see how it can be done.
We can then test that the configuration is OK:
cd /etc/openvpn
sudo openvpn server.conf
You should have something like this:
Thu Apr 21 10:56:14 2016 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
Thu Apr 21 10:56:14 2016 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Thu Apr 21 10:56:14 2016 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Apr 21 10:56:14 2016 Diffie-Hellman initialized with 2048 bit key
Thu Apr 21 10:56:14 2016 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Thu Apr 21 10:56:14 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 21 10:56:14 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 21 10:56:14 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Apr 21 10:56:14 2016 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=08:00:27:32:42:6e
Thu Apr 21 10:56:14 2016 TUN/TAP device tun0 opened
Thu Apr 21 10:56:14 2016 TUN/TAP TX queue length set to 100
Thu Apr 21 10:56:14 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Apr 21 10:56:14 2016 /sbin/ip link set dev tun0 up mtu 1500
Thu Apr 21 10:56:14 2016 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Thu Apr 21 10:56:14 2016 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Thu Apr 21 08:56:14 2016 chroot to '/etc/openvpn/jail' and cd to '/' succeeded
Thu Apr 21 08:56:14 2016 GID set to nogroup
Thu Apr 21 08:56:14 2016 UID set to nobody
Thu Apr 21 08:56:14 2016 Listening for incoming TCP connection on [undef]
Thu Apr 21 08:56:14 2016 TCPv4_SERVER link local (bound): [undef]
Thu Apr 21 08:56:14 2016 TCPv4_SERVER link remote: [undef]
Thu Apr 21 08:56:14 2016 MULTI: multi_init called, r=256 v=256
Thu Apr 21 08:56:14 2016 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Apr 21 08:56:14 2016 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Apr 21 08:56:14 2016 Initialization Sequence Completed
If the server starts correctly (you see the last line, Initialization Sequence Completed), you can uncomment the last line of /etc/openvpn/server.conf:
log-append /var/log/openvpn.log
We start the server
sudo service openvpn start
We then have to enable IP forwarding on the server:
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
To make it permanent, we have to edit /etc/sysctl.conf and uncomment
net.ipv4.ip_forward = 1
We then have to add some iptables rules to let the traffic flow in and out of the server:
# rules to open the access of the new tun0 interface:
sudo iptables -I FORWARD -i tun0 -j ACCEPT
sudo iptables -I FORWARD -o tun0 -j ACCEPT
sudo iptables -I OUTPUT -o tun0 -j ACCEPT
# address translations
sudo iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# the unrestricted rule above already matches everything leaving eth0, so the two
# source-restricted rules below never fire; keep only the 10.8.0.0/24 one if you
# want NAT limited to VPN clients
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 10.8.0.2/24 -o eth0 -j MASQUERADE
To make sure those rules are loaded at each reboot of the server, we save them to a file that will be restored at boot:
sudo sh -c "iptables-save > /etc/iptables.rules"
We then have to modify /etc/network/interfaces. Add after the definition of your main interface (usually eth0):
pre-up iptables-restore < /etc/iptables.rules
Restart the server.
Creation of a client
Let's say you want to create a key for a user called nico, for example:
cd /etc/openvpn/easy-rsa
source vars
./build-key nico
If you want to protect your key with a password, you will need to use ./build-key-pass instead of ./build-key.
./build-key will generate 3 files in /etc/openvpn/easy-rsa/keys:
- nico.crt: client's certificate
- nico.csr: certificate signing request (stays on the server)
- nico.key: client's private key
We will then copy the keys into a new folder under /etc/openvpn/clientconf/:
sudo mkdir /etc/openvpn/clientconf/nico/
sudo cp /etc/openvpn/ca.crt /etc/openvpn/ta.key keys/nico.crt keys/nico.key /etc/openvpn/clientconf/nico/
We then go into the folder:
cd /etc/openvpn/clientconf/nico/
We create the client.conf file (change A.B.C.D with your public IP address):
# Client
client
dev tun
proto tcp-client
remote A.B.C.D 1194
resolv-retry infinite
cipher AES-256-CBC
; client-config-dir ccd

# Keys/certificates
ca ca.crt
cert nico.crt
key nico.key
# client side of the tls-auth HMAC uses direction 1 (the server uses 0)
tls-auth ta.key 1
key-direction 1

# Security
nobind
persist-key
persist-tun
comp-lzo
verb 3
We also make a copy under the .ovpn name that the Windows client expects:
sudo cp client.conf client.ovpn
We should therefore have the following files in /etc/openvpn/clientconf/nico/:
- ca.crt: CA certificate (used by the client to verify the server)
- client.conf: OpenVPN config file for Linux, BSD, Mac OS X
- client.ovpn: OpenVPN config file for Windows
- nico.crt: client's certificate
- nico.key: client's private key
- ta.key: tls-auth (HMAC) key
We zip all those files
sudo zip nico.zip *.*
You just need to copy those files onto your machine.
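The server.conf and client.conf above have to agree on the transport, the port, the cipher and on complementary tls-auth directions (server 0, client 1); get any of these wrong and the server starts fine but every client is refused. Here is an added example (my own, not from the original post or from nicolargo) that parses both files and reports such mismatches, applying OpenVPN's rule that when the direction argument of tls-auth and key-direction both appear, the last one in the file wins; the embedded configs are trimmed copies of the two above.

```python
import shlex

# Trimmed copies of the post's server.conf and client.conf (only the options checked below).
SERVER_CONF = 'proto tcp\nport 1194\ntls-auth ta.key 0\nkey-direction 0\ncipher AES-256-CBC\npush "redirect-gateway def1 bypass-dhcp"\n'
CLIENT_CONF = "proto tcp-client\nremote A.B.C.D 1194\ncipher AES-256-CBC\ntls-auth ta.key 1\nkey-direction 1\n"

def parse_openvpn_conf(text):
    """Return [(option, [args]), ...] in file order; lines starting with '#' or ';' are comments."""
    opts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)  # keeps push "redirect-gateway ..." as one argument
            opts.append((parts[0], parts[1:]))
    return opts

def effective_key_direction(opts):
    """'tls-auth FILE DIR' and 'key-direction DIR' set the same value; the last one wins."""
    direction = None
    for name, args in opts:
        if name == "tls-auth" and len(args) > 1:
            direction = int(args[1])
        elif name == "key-direction":
            direction = int(args[0])
    return direction

def first_args(opts, name, default):
    """Arguments of the first occurrence of an option, or the given default."""
    return next((args for n, args in opts if n == name), default)

def check_pair(server_text, client_text):
    """Return the mismatches between a server.conf and a client.conf ([] means consistent)."""
    s, c = parse_openvpn_conf(server_text), parse_openvpn_conf(client_text)
    problems = []
    dirs = (effective_key_direction(s), effective_key_direction(c))
    if dirs != (0, 1):
        problems.append("tls-auth direction must be server 0 / client 1, got %s/%s" % dirs)
    # 'tcp' or 'tcp-server' on the server pairs with 'tcp-client': compare the transport only.
    protos = [first_args(x, "proto", ["udp"])[0].split("-")[0] for x in (s, c)]
    if protos[0] != protos[1]:
        problems.append("proto mismatch: server %s, client %s" % tuple(protos))
    remote = first_args(c, "remote", [])
    ports = (first_args(s, "port", ["1194"])[0], remote[1] if len(remote) > 1 else "1194")
    if ports[0] != ports[1]:
        problems.append("port mismatch: server %s, client remote %s" % ports)
    ciphers = tuple(first_args(x, "cipher", ["BF-CBC"])[0] for x in (s, c))  # BF-CBC is the 2.3 default
    if ciphers[0] != ciphers[1]:
        problems.append("cipher mismatch: server %s, client %s" % ciphers)
    return problems
```

Run check_pair on the real files before handing a client bundle out; an empty list means the pair is consistent.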