OpenVPN is a VPN implementation with client and server components for Linux, Windows and macOS. To use it, an OpenVPN server must run in the target network, either on the gateway itself or on a dedicated "DMZ" host (one with a public IP address that is also connected to the internal network). The client software must be installed and configured with the server address, port, certificates and keys.
OpenVPN can run in routed mode ("tun" interface, IP routing between the VPN subnet and the LAN) or in bridged mode ("tap" interface, a layer-2 bridge to the LAN). With a "tun" interface, firewall rules are written against the "tun+" interface; with a "tap" interface, a bridge must be created between "tap+" and the interface facing the internal network.
The packages required on Linux are openvpn and easy-rsa. On Windows a single OpenVPN package serves as either server or client; the configuration file decides the role.
By default OpenVPN listens on UDP port 1194; any other TCP or UDP port can be configured.
Overview
1. Generating the keys and certificates. This is done only once, when the server is installed: a CA, a server certificate and key, and possibly several client certificates and keys are generated. Client keys can additionally be protected with a passphrase. This is the most complicated and time-consuming step of the whole process.
2. Writing /etc/openvpn/server.conf, setting the firewall rules, and enabling the OpenVPN service at boot.
3. Configuring the Linux or Windows client.
Solution
Step 1
Once the easy-rsa package is installed, the directory /usr/share/doc/easy-rsa (or /usr/share/doc/packages/easy-rsa) contains a README describing how to generate the server and client keys. The scripts live in /usr/share/easy-rsa; it is generally recommended to copy them to /etc/openvpn, OpenVPN's main configuration directory, so that the keys you generate live outside the package's own directory. Note that the scripts used below (vars, clean-all, build-ca, build-key-server, build-key, build-dh) belong to easy-rsa 2; easy-rsa 3 replaces them with a single easyrsa command (init-pki, build-ca, build-server-full, build-client-full, gen-dh).
cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa
Go to the copied directory, open the file "vars" and edit the variables at the bottom of it (KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL, KEY_OU); they become the default subject fields of every certificate. Also make sure KEY_SIZE is 2048 (older copies of vars default to 1024): build-dh names its output after it, and the server.conf below refers to dh2048.pem.
export KEY_COUNTRY="US"
export KEY_PROVINCE="SC"
export KEY_CITY="Myrtle Beach"
export KEY_ORG="Home"
export KEY_EMAIL="[email protected]"
export KEY_OU="PreferredOrganization"
cd /etc/openvpn/easy-rsa     # the directory that contains the vars file
source ./vars                # load the variable settings into the current shell
./clean-all                  # delete any older keys (empties the keys/ directory)
./build-ca                   # generate the Certificate Authority (CA): ca.crt and ca.key
./build-key-server server    # generate the server certificate and private key, named "server"
./build-dh                   # generate the Diffie-Hellman parameters (dh2048.pem for KEY_SIZE=2048)
Certificates and keys for the VPN clients are generated in the same way, here for client, client2 and client3:
./build-key client
./build-key client2
./build-key client3
If each client key should be protected with a passphrase, use build-key-pass instead of build-key.
More client keys can be generated later from the same directory with ./build-key <name>, after running source ./vars again.
Everything is written to the keys/ subdirectory (/etc/openvpn/easy-rsa/keys). Copy the files the server needs, ca.crt, server.crt, server.key and dh2048.pem, into a dedicated directory on the server, for example /etc/openvpn/keys, and keep server.key readable by root only. ca.key is not needed on the server at all; it is what signs new client certificates, so keep it offline or at least out of the directory the daemon reads.
mkdir /etc/openvpn/keys
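As an added example (not code from the article or from easy-rsa), the script below builds a throwaway PKI with plain openssl in the shape easy-rsa 2 produces (ca.crt, server.crt/key, client1.crt/key) and then performs the two checks that the client's ns-cert-type server / remote-cert-tls server directive relies on: that the certificate presented by the server chains to ca.crt, and that it carries the server role. A client certificate passes the first check but not the second; a self-signed "rogue" certificate with the server role passes the second but not the first. The CA name, the client name client1, the rogue certificate and the temporary working directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: build a throwaway PKI with
# plain openssl in the same shape easy-rsa 2 produces (ca.crt, server.crt/key,
# client1.crt/key), then run the two checks an OpenVPN client performs on the
# server's certificate when "ns-cert-type server" / "remote-cert-tls server"
# is set: (1) it chains to ca.crt and (2) it carries the server role.
# Names, paths and the "rogue" certificate are constructed for this demo.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config. The [server] and [client] sections mirror the
# extensions easy-rsa 2 writes into server and client certificates.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
nsCertType = server
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment
[client]
basicConstraints = CA:FALSE
nsCertType = client
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF

# make_ca: self-signed CA, the equivalent of ./build-ca
make_ca() {
  openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 365 -subj "/CN=Home CA" -keyout ca.key -out ca.crt 2>/dev/null
}

# issue NAME PROFILE: key + CSR + CA-signed certificate carrying the PROFILE
# extensions (server => ./build-key-server, client => ./build-key)
issue() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile pki.cnf -extensions "$2" -out "$1.crt" 2>/dev/null
  chmod 600 "$1.key"    # private keys are readable by their owner only
}

# chains_to_ca CERT: succeeds when CERT validates against ca.crt
chains_to_ca() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# is_server_cert CERT: succeeds when openssl accepts CERT for the "SSL server"
# purpose, i.e. its extendedKeyUsage/nsCertType mark it as a server
is_server_cert() {
  openssl x509 -in "$1" -noout -purpose 2>/dev/null | grep -q '^SSL server : Yes'
}

# accept_as_server CERT: the combined check; echoes "accept" or "reject"
accept_as_server() {
  if chains_to_ca "$1" && is_server_cert "$1"; then echo accept; else echo reject; fi
}

make_ca
issue server server
issue client1 client
# A self-signed certificate that claims the server role but was not issued by our CA
openssl req -x509 -config pki.cnf -extensions server -newkey rsa:2048 -nodes \
  -days 365 -subj "/CN=rogue" -keyout rogue.key -out rogue.crt 2>/dev/null

for c in server.crt client1.crt rogue.crt; do
  echo "$c: $(accept_as_server "$c")"
done
# server.crt: accept    client1.crt: reject (right CA, wrong role)
# rogue.crt: reject (server role, but not issued by our CA)
```

The same two checks are what make ns-cert-type server (or, on OpenVPN 2.4 and later, remote-cert-tls server) worth setting on every client: without the role check, any certificate signed by the CA, including a client certificate stolen from another peer, would be accepted as the server.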
Step 2
Edit the server configuration file:
A simple configuration is given below; it must be created as /etc/openvpn/server.conf.
(Configuration examples shipped with the OpenVPN package are in /usr/share/doc/openvpn/examples.)
========================================
# Listening port: 1194 is the default; change it if you like
port 1337
# Transport: udp or tcp
proto udp
# "dev tun" creates a routed IP tunnel
dev tun
# Certificate configuration
# CA certificate
ca /etc/openvpn/keys/ca.crt
# Server certificate
cert /etc/openvpn/keys/server.crt
# Server private key; keep this secret
key /etc/openvpn/keys/server.key
# Diffie-Hellman parameters; the file name must match the size build-dh generated
dh /etc/openvpn/keys/dh2048.pem
# VPN subnet: the server takes the first address, clients get the rest
server 192.168.50.0 255.255.255.0
# Route all client traffic through the VPN
push "redirect-gateway def1"
# DNS servers handed to the clients; here Google's public resolvers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Allow several clients to connect with the same certificate.
# Only needed if clients share one certificate; one certificate per client
# (see Step 1) is preferable, since a single leaked key can then be revoked.
duplicate-cn
# Ping every 20 s, restart the connection after 60 s without a reply
keepalive 20 60
# LZO compression; must be set on the client too. Compression is discouraged
# (VORACLE) and comp-lzo is deprecated in newer versions, so better left out.
comp-lzo
# Keep the key material and the tun device across restarts
persist-key
persist-tun
daemon
# Logging (the /var/log/myvpn directory must exist)
log-append /var/log/myvpn/openvpn.log
# Log level
verb 3
========================================
To test the configuration, launch it as root in the foreground:
openvpn --config /etc/openvpn/server.conf
and stop it with
killall openvpn
(a plain SIGTERM lets OpenVPN remove the routes it added and close the tun device; killall -9 skips that cleanup).
Alternatively, run it as a service:
systemctl list-unit-files | grep enabled    # lists the units that are already enabled
systemctl enable openvpn
systemctl start openvpn
and stop it with systemctl stop openvpn. On distributions that ship a templated unit the name is openvpn@server, which reads /etc/openvpn/server.conf. On systems without systemd:
sudo service openvpn start
and likewise stop or restart.
Firewall Rules
Firewall rules must be set for VPN ↔ LAN traffic to work. The VPN subnet must be the one from the server directive (192.168.50.0/24 above); <lan_subnet> is the internal network, for example 192.168.1.0:
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -s <lan_subnet>/24 -d 192.168.50.0/24 -j ACCEPT
iptables -I FORWARD -d <lan_subnet>/24 -s 192.168.50.0/24 -j ACCEPT
Internet access for the clients must also be allowed, because server.conf pushes the default route through the VPN: enable IP forwarding (persist it in /etc/sysctl.conf, otherwise it is lost at reboot) and masquerade the VPN subnet on the external interface (eth0 here):
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
If the FORWARD chain's default policy is DROP, forwarding between tun+ and eth0 (and the established return traffic) has to be accepted as well. Note that the INPUT rule above admits all traffic from VPN clients to the server itself; tighten it to the services the clients actually need.
Step 3
clientX.key, clientX.crt and ca.crt must be placed next to the client.conf configuration file.
Under Windows, rename client.conf to client.ovpn.
At "remote", put the public address of the OpenVPN server and the port (the private address below is a placeholder):
========================================
client
dev tun
proto udp
# Server IP and port
remote 192.168.2.1 1337
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert clientX.crt
key clientX.key
# Only accept a certificate issued for the server role; stops another client's
# certificate from being used to impersonate the server. ns-cert-type was
# removed in OpenVPN 2.5; on 2.4 and later use "remote-cert-tls server" instead.
ns-cert-type server
# Must match the server (better left out on both sides, see Step 2)
comp-lzo
========================================
For Windows, copy the files to C:\Program Files\OpenVPN\config and run the OpenVPN GUI as administrator, since creating the TUN interface requires that right.
For Linux, copy the keys and client.conf into the same directory and launch:
sudo openvpn --config client.conf --daemon
(leave out --daemon to keep it in the foreground while troubleshooting).
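The server and client listings above contain several settings worth reconsidering before the VPN goes into production. As an added example, not from the article or the OpenVPN project, here is a small shell linter that reads a configuration file and reports them: the weak directives that are present (comp-lzo, duplicate-cn, ns-cert-type) and the hardening directives that are missing (tls-crypt or tls-auth, user/group on the server, remote-cert-tls server on the client). The three sample files it writes are constructed from the listings in Steps 2 and 3 plus one hardened variant; ta.key and user nobody / group nogroup are the assumed fixes.

```shell
#!/bin/sh
# Added example, not from the original article: a small linter for the
# server.conf and client.conf listings above. It reports the directives in
# those files that weaken the setup and the hardening directives they lack.
# The directive names are real OpenVPN options; the sample configuration
# files written below are constructed from the article's listings.
set -e

# has FILE DIRECTIVE: true when DIRECTIVE starts a (non-comment) line of FILE
has() {
  grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# lint_ovpn FILE: print one finding per line; prints nothing when clean
lint_ovpn() {
  f=$1
  if has "$f" client; then role=client; else role=server; fi

  # checks that apply to both sides
  has "$f" comp-lzo && echo "comp-lzo: compression exposes the tunnel to the VORACLE compression oracle; remove it (on 2.5+ add 'allow-compression no')"
  has "$f" tls-auth || has "$f" tls-crypt || echo "no tls-auth/tls-crypt: unauthenticated control-channel packets reach the TLS stack; add 'tls-crypt ta.key' on both sides"

  if [ "$role" = server ]; then
    has "$f" duplicate-cn && echo "duplicate-cn: clients share one identity, so a single leaked key cannot be revoked without locking everyone out; issue one certificate per client and drop this"
    has "$f" user || echo "no 'user nobody': the daemon keeps root privileges after start-up"
    has "$f" group || echo "no 'group nogroup': the daemon keeps its root group after start-up"
  else
    has "$f" ns-cert-type && echo "ns-cert-type: deprecated in 2.4 and removed in 2.5; use 'remote-cert-tls server'"
    has "$f" remote-cert-tls || echo "no 'remote-cert-tls server': any CA-issued certificate, including another client's, would be accepted as the server"
  fi
  return 0
}

# count_findings FILE: number of findings, as a plain integer
count_findings() {
  lint_ovpn "$1" | wc -l | tr -d ' '
}

WORK=$(mktemp -d)

# server.conf as listed in Step 2 (security-relevant lines only)
cat > "$WORK/server.conf" <<'EOF'
port 1337
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
server 192.168.50.0 255.255.255.0
push "redirect-gateway def1"
duplicate-cn
keepalive 20 60
comp-lzo
persist-key
persist-tun
EOF

# client.conf as listed in Step 3
cat > "$WORK/client.conf" <<'EOF'
client
dev tun
proto udp
remote 192.168.2.1 1337
ca ca.crt
cert clientX.crt
key clientX.key
ns-cert-type server
comp-lzo
EOF

# the same server.conf with the findings fixed (ta.key is an assumed pre-shared key)
cat > "$WORK/server-hardened.conf" <<'EOF'
port 1337
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
tls-crypt /etc/openvpn/keys/ta.key
server 192.168.50.0 255.255.255.0
push "redirect-gateway def1"
keepalive 20 60
user nobody
group nogroup
persist-key
persist-tun
EOF

for c in server.conf client.conf server-hardened.conf; do
  echo "== $c: $(count_findings "$WORK/$c") finding(s)"
  lint_ovpn "$WORK/$c"
done
```

The hardened server.conf drops comp-lzo and duplicate-cn, adds tls-crypt with a pre-shared ta.key (generated with openvpn --genkey secret ta.key on 2.5+, or openvpn --genkey --secret ta.key on older versions, and copied to every client) and drops privileges with user/group, which is why persist-key and persist-tun must stay. The client side needs the matching changes: remote-cert-tls server instead of ns-cert-type, the same tls-crypt line, and no comp-lzo.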