sohotcall

Setting OpenVPN Debian

Sep 2nd, 2020
https://tecadmin.net/install-openvpn-debian-10/

======
SERVER
======

$ apt-get update -y
$ apt-get upgrade -y
$ apt-get install openvpn -y
$ cp -r /usr/share/easy-rsa /etc/openvpn/
$ cd /etc/openvpn/easy-rsa
$ nano vars
edit the values as needed
$ ./easyrsa init-pki
$ ./easyrsa build-ca
you will need a passphrase
then you'll have ca.key and ca.crt
$ ./easyrsa gen-req tecadmin-server nopass
now you have the certificate request tecadmin-server.req and the private key tecadmin-server.key
$ ./easyrsa sign-req server tecadmin-server
now you have the signed certificate tecadmin-server.crt
$ openssl verify -CAfile pki/ca.crt pki/issued/tecadmin-server.crt
pki/issued/tecadmin-server.crt: OK
$ ./easyrsa gen-dh
you'll have the Diffie-Hellman parameters file dh.pem
$ cp pki/ca.crt /etc/openvpn/server/
$ cp pki/dh.pem /etc/openvpn/server/
$ cp pki/private/tecadmin-server.key /etc/openvpn/server/
$ cp pki/issued/tecadmin-server.crt /etc/openvpn/server/
$ ./easyrsa gen-req client nopass
you'll have client.req and client.key
$ ./easyrsa sign-req client client
you'll have the signed certificate client.crt
$ cp pki/ca.crt /etc/openvpn/client/
$ cp pki/issued/client.crt /etc/openvpn/client/
$ cp pki/private/client.key /etc/openvpn/client/
$ nano /etc/openvpn/server.conf
#I commented out redirect-gateway def1 because I don't want my server to become a proxy for my clients.
#I just want them to connect and be able to call each other.

#####
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/tecadmin-server.crt
key /etc/openvpn/server/tecadmin-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
#push "redirect-gateway def1"

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3
#####

$ systemctl start openvpn@server
$ systemctl enable openvpn@server
$ systemctl status openvpn@server
$ ip a show tun0

Finished.
You will need the output of these to fill in the <ca>, <cert> and <key> sections of client.ovpn on the client.
$ cat pki/ca.crt
$ cat pki/issued/client.crt
$ cat pki/private/client.key

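An added post-install check for the server side of the steps above (my example, not part of the original notes or of the tecadmin guide). It assumes the paths and file names used on this page, /etc/openvpn/server.conf and ca.crt / tecadmin-server.crt / tecadmin-server.key under /etc/openvpn/server/, and needs openssl for the PKI check.

```shell
#!/bin/sh
# Post-install audit for the server set up above (added example, not from the
# original notes). Assumed paths: /etc/openvpn/server.conf and the cert/key
# names the page uses under /etc/openvpn/server/.

# Hardening directives server.conf should carry; prints each missing one.
check_conf_directives() {
    conf="$1"; missing=0
    for d in 'tls-version-min 1.2' 'auth SHA512' 'user nobody' 'group nogroup' \
             'persist-key' 'persist-tun'; do
        grep -q "^[[:space:]]*$d" "$conf" || { echo "missing: $d"; missing=1; }
    done
    return $missing
}

# redirect-gateway stays commented out, as the notes intend (no full tunnel).
check_no_redirect_gateway() {
    ! grep -q '^[[:space:]]*push[[:space:]]*"redirect-gateway' "$1"
}

# The private key is read as root before openvpn drops to nobody/nogroup,
# so it should be readable by its owner only.
check_key_perms() {
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Chain validity, server purpose (from "sign-req server") and key/cert match.
check_server_pki() {
    ca="$1"; crt="$2"; key="$3"
    openssl verify -CAfile "$ca" "$crt" >/dev/null || return 1
    openssl x509 -in "$crt" -noout -purpose | grep -q '^SSL server : Yes' || return 1
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Usage: sh audit-openvpn-server.sh /etc/openvpn/server.conf /etc/openvpn/server
if [ "$#" -eq 2 ]; then
    conf="$1"; dir="$2"; rc=0
    check_conf_directives "$conf" || rc=1
    check_no_redirect_gateway "$conf" || { echo "redirect-gateway is pushed"; rc=1; }
    check_key_perms "$dir/tecadmin-server.key" || { echo "key mode is not 600/400"; rc=1; }
    check_server_pki "$dir/ca.crt" "$dir/tecadmin-server.crt" "$dir/tecadmin-server.key" \
        || { echo "PKI check failed"; rc=1; }
    exit $rc
fi
```

Run it as root after the systemctl steps; a non-zero exit means at least one check printed a finding.
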
======
CLIENT
======

$ apt-get install openvpn -y
$ nano client.ovpn

#####
client
dev tun
proto udp
remote vpn-server-ip 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
.....
-----END PRIVATE KEY-----
</key>
#####

$ openvpn --config client.ovpn