- Original from: https://stavrovski.net/blog/how-to-install-and-set-up-openvpn-in-debian-7-wheezy#system-update
- 1) apt-get update
- 2) apt-get install openvpn easy-rsa bridge-utils (run everything below as root; bridge-utils and the brctl symlink are only needed for bridged tap setups and are unused with the dev tun configuration in this guide)
- ln -s $(which brctl) /usr/sbin/brctl
- 3) make sure tun is available
- test ! -c /dev/net/tun && echo openvpn requires tun support || echo tun is available
- 4) set up the easy-rsa CA directory
- cd /usr/share/doc/easy-rsa/
- make-cadir /etc/openvpn/easy-rsa/
- cd /etc/openvpn/easy-rsa/
- cp vars{,.orig}
- edit vars (KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL; check that KEY_SIZE is 2048, the dh2048.pem file name used below depends on it) and then load it:
- source ./vars
- ./clean-all (wipes keys/, so run it only once, when creating the CA)
- 5) ./build-ca
- 6) ./build-dh (writes keys/dh2048.pem)
- 7) ./build-key-server dvr (the server certificate; build-key-server marks it nsCertType=server, which the "ns-cert-type server" check in the client config of step 15 requires; plain ./build-key produces a client certificate without that mark)
- ./build-key <clientname> once per client, so every client has its own certificate and key
- 8) openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key (the tls-auth shared HMAC key; keys/ already exists after clean-all)
- 9) Deploy the certificates
- The public ca.crt certificate is needed on all servers and clients
- The private ca.key is secret and stays on the key-generating machine only; it is used to sign new certificates and is never needed at run time
- A server needs its certificate (here dvr.crt) and dh2048.pem (public), plus its private key (dvr.key) and ta.key (secret)
- A client needs its own certificate (public), its own private key and ta.key (secret); it must never be given the server's key
- 10) install the server's certificates and keys
- mkdir -p /etc/openvpn/certs
- cp -pv /etc/openvpn/easy-rsa/keys/{ca.crt,dvr.crt,dvr.key,ta.key,dh2048.pem} /etc/openvpn/certs/
- ca.key is deliberately not copied: nothing in server.conf references it and it belongs only in /etc/openvpn/easy-rsa/keys/ (cp -p keeps the mode 600 that easy-rsa sets on the .key files; check with ls -l /etc/openvpn/certs/)
- 11) set up the OpenVPN server configuration file /etc/openvpn/server.conf
- nano /etc/openvpn/server.conf
- port 1194
- proto udp
- dev tun
- ca /etc/openvpn/certs/ca.crt
- cert /etc/openvpn/certs/dvr.crt
- key /etc/openvpn/certs/dvr.key
- dh /etc/openvpn/certs/dh2048.pem
- tls-auth /etc/openvpn/certs/ta.key 0 # key direction 0 on the server, 1 on every client
- server 192.168.88.0 255.255.255.0
- ifconfig-pool-persist ipp.txt
- push "redirect-gateway def1 bypass-dhcp" # send all client traffic through the tunnel
- push "dhcp-option DNS 8.8.8.8"
- push "dhcp-option DNS 8.8.4.4"
- client-to-client
- keepalive 1800 4000 # ping every 1800 s, restart after 4000 s without a reply
- cipher DES-EDE3-CBC # Triple-DES: a 64-bit block cipher exposed to Sweet32; switch to AES-256-CBC (plus auth SHA256) on the server and all clients at the same time, the cipher must match on both ends
- comp-lzo # compression lets an attacker who can inject chosen plaintext recover secrets (VORACLE); remove it on both ends unless you really need it
- max-clients 10
- user nobody
- group nogroup
- persist-key
- persist-tun
- #log openvpn.log
- #status openvpn-status.log
- verb 5
- mute 20
- 12) start openvpn
- service openvpn restart
- update-rc.d -f openvpn defaults
- 13) Enable IP forwarding and set up iptables
- sysctl -w net.ipv4.ip_forward=1
- set net.ipv4.ip_forward = 1 in /etc/sysctl.conf so forwarding survives a reboot
- iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
- iptables -A FORWARD -i tun0 -s 192.168.88.0/24 -j ACCEPT # only forward VPN traffic that really arrives on the tunnel interface
- iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
- iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE
- ufw allow openvpn (only if ufw is installed and managing the firewall, which is not the case on a stock Debian 7; with the hand-written rules above it is not needed)
- iptables-save > /etc/iptables.rules
- 14) for persistent firewall rules you may want to use the iptables-persistent package, or just set up a simple executable script in /etc/network/if-pre-up.d/ which loads the rules from /etc/iptables.rules with iptables-restore
- for example:
- cat /etc/network/if-pre-up.d/iptables
- #!/bin/sh
- [ -r /etc/iptables.rules ] && iptables-restore < /etc/iptables.rules
- exit 0 # a failing pre-up script would stop ifup from bringing the interface up
- 15) client config. Every client should use its own certificate from ./build-key <clientname>; the configs below reuse dvr.crt/dvr.key, the server's own pair, which means any client holding these files can impersonate the server and the "ns-cert-type server" check no longer proves anything. Substitute the client's files where dvr.crt and dvr.key appear.
- Windows client: copy ca.crt, dvr.crt, dvr.key and ta.key to c:\PROGRA~1\OpenVPN\config\dvr\ and save this as dvr.ovpn next to them
- client
- dev tun
- proto udp
- remote dvr.owner.com 1194
- nobind
- resolv-retry infinite
- auth-user-pass # prompts for a username and password, but server.conf above has no auth-user-pass-verify or plugin line, so nothing checks them: add a verifier on the server or drop this line
- ns-cert-type server # rejects a server certificate not built with build-key-server; newer OpenVPN releases deprecate this in favour of remote-cert-tls server
- ca ca.crt # relative paths resolve against the config directory; the absolute c:\\PROGRA~1\\... form commented out below is equivalent, use one or the other
- cert dvr.crt
- key dvr.key
- tls-auth ta.key 1
- ;ca c:\\PROGRA~1\\OpenVPN\\config\\dvr\\ca.crt
- ;cert c:\\PROGRA~1\\OpenVPN\\config\\dvr\\dvr.crt
- ;key c:\\PROGRA~1\\OpenVPN\\config\\dvr\\dvr.key
- ;tls-auth c:\\PROGRA~1\\OpenVPN\\config\\dvr\\ta.key 1
- cipher DES-EDE3-CBC # must match the server; weak, see the note in step 11
- comp-lzo # must match the server
- auth-nocache
- script-security 2
- persist-key
- persist-tun
- verb 2
- Linux client: same files under /home/d/confs/certs/vpn/, config saved as dvr.conf
- client
- remote dvr.owner.com # port defaults to 1194
- ns-cert-type server
- ca /home/d/confs/certs/vpn/ca.crt
- cert /home/d/confs/certs/vpn/dvr.crt
- key /home/d/confs/certs/vpn/dvr.key
- tls-auth /home/d/confs/certs/vpn/ta.key 1
- cipher DES-EDE3-CBC # must match the server; weak, see the note in step 11
- comp-lzo yes # must match the server
- dev tun
- proto udp
- nobind
- auth-nocache
- script-security 2
- persist-key
- persist-tun
- user nobody
- group nogroup
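The server configuration in step 11 and the client configurations in step 15 contain several settings a reviewer would flag (a 64-bit block cipher, compression, the deprecated ns-cert-type check, a password prompt nothing verifies, and one certificate shared by server and client). The script below is an added example, not code from the original how-to: a small POSIX sh linter that reads a server and a client config and reports those findings, run over constructed excerpts of the page's own pair and over a hardened pair. The file names, the temporary directory and the client certificate name laptop1 are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): lint an OpenVPN server/client
# config pair for the weak settings discussed in steps 11 and 15.
# Needs only sed, awk and mktemp. Sample configs are constructed below;
# the paths and the "laptop1" client name are assumptions.

# conf_get FILE DIRECTIVE: print the first argument of DIRECTIVE with
# '#'/';' comments stripped, nothing if absent. Always exits 0.
conf_get() {
    sed 's/[#;].*//' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# conf_has FILE DIRECTIVE: succeed if DIRECTIVE appears uncommented.
conf_has() {
    [ -n "$(sed 's/[#;].*//' "$1" | awk -v d="$2" '$1 == d { print "y"; exit }')" ]
}

# Checks that apply to both ends of the tunnel.
lint_common() {
    cf=$1
    ciph=$(conf_get "$cf" cipher)
    case "$ciph" in
        ""|BF-CBC|DES-EDE3-CBC|DES-CBC|CAST5-CBC|RC2-CBC|IDEA-CBC)
            echo "$cf: cipher '${ciph:-unset, 2.x default BF-CBC}' has a 64-bit block (Sweet32); use AES-256-CBC (AES-256-GCM on 2.4+)" ;;
    esac
    if conf_has "$cf" comp-lzo || conf_has "$cf" compress; then
        echo "$cf: compression on; compression oracles (VORACLE) leak plaintext, disable it on both ends"
    fi
    if ! conf_has "$cf" tls-auth && ! conf_has "$cf" tls-crypt; then
        echo "$cf: no tls-auth/tls-crypt; the TLS control channel is open to anyone who can reach the port"
    fi
}

lint_server() {
    lint_common "$1"
    if ! conf_has "$1" user || ! conf_has "$1" group; then
        echo "$1: no user/group; the daemon keeps root after start-up"
    fi
}

# lint_client CLIENT SERVER: some client findings need the server config.
lint_client() {
    lint_common "$1"
    if conf_has "$1" ns-cert-type; then
        echo "$1: ns-cert-type is deprecated; prefer 'remote-cert-tls server' (checks key usage and the serverAuth EKU)"
    elif ! conf_has "$1" remote-cert-tls; then
        echo "$1: no remote-cert-tls server; any CA-signed cert, including another client's, passes as the server"
    fi
    if conf_has "$1" auth-user-pass && ! conf_has "$2" auth-user-pass-verify && ! conf_has "$2" plugin; then
        echo "$1: auth-user-pass set but the server has no auth-user-pass-verify/plugin, so the password is never checked"
    fi
    ccert=$(conf_get "$1" cert); scert=$(conf_get "$2" cert)
    # Compare file names only ("${v##*/}" strips a '/' directory part, not Windows '\').
    if [ -n "$ccert" ] && [ "${ccert##*/}" = "${scert##*/}" ]; then
        echo "$1: uses the server's own certificate '${ccert##*/}'; any client holding it can impersonate the server, issue one cert per client"
    fi
}

# finding_count CLIENT SERVER: number of findings for the pair.
finding_count() {
    { lint_server "$2"; lint_client "$1" "$2"; } | awk 'END { print NR }'
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
# Constructed excerpts of the pair as written on this page.
cat > "$work/server.conf" <<'EOF'
cert /etc/openvpn/certs/dvr.crt
key /etc/openvpn/certs/dvr.key
tls-auth /etc/openvpn/certs/ta.key 0
cipher DES-EDE3-CBC # Triple-DES
comp-lzo
user nobody
group nogroup
EOF
cat > "$work/client.conf" <<'EOF'
client
auth-user-pass
ns-cert-type server
cert dvr.crt
key dvr.key
tls-auth ta.key 1
cipher DES-EDE3-CBC
comp-lzo
EOF
# Hardened pair: AES, no compression, EKU-based server check, per-client cert.
cat > "$work/server-hardened.conf" <<'EOF'
cert /etc/openvpn/certs/dvr.crt
key /etc/openvpn/certs/dvr.key
tls-auth /etc/openvpn/certs/ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
EOF
cat > "$work/client-hardened.conf" <<'EOF'
client
remote-cert-tls server
cert laptop1.crt
key laptop1.key
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
EOF

lint_server "$work/server.conf"
lint_client "$work/client.conf" "$work/server.conf"
echo "weak pair: $(finding_count "$work/client.conf" "$work/server.conf") findings"                         # 7
echo "hardened pair: $(finding_count "$work/client-hardened.conf" "$work/server-hardened.conf") findings"   # 0
```

Point lint_server and lint_client at the real /etc/openvpn/server.conf and a client file to check a deployment; the shared-certificate check only compares file names, so on the Windows config with c:\\PROGRA~1\\ paths the check is only meaningful after the path is normalised. To confirm what the ns-cert-type check relies on, openssl x509 -in /etc/openvpn/certs/dvr.crt -noout -text should show a Netscape Cert Type line reading SSL Server for a certificate made with build-key-server and none for one made with build-key.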