source: https://help.ubuntu.com/community/OpenVPN
# aptitude install openvpn bridge-utils
To set up the bridge:
- Edit /etc/network/interfaces
When a Linux server is behind a NAT firewall, the /etc/network/interfaces file commonly looks like
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo eth0
iface lo inet loopback
# The primary network interface
## This device provides internet access.
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1
- Edit this and add a bridge interface so that it looks similar to:
## This is the network bridge declaration
## Start these interfaces on boot
auto lo br0
iface lo inet loopback
iface br0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1
bridge_ports eth0
iface eth0 inet manual
up ip link set $IFACE up promisc on
down ip link set $IFACE down promisc off
- Restart networking:
# sudo /etc/init.d/networking restart
After installing OpenVPN, let's create the certificates to be used.
Step 1:
Copy files to the /etc/openvpn/easy-rsa/ directory
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Step 2:
Edit /etc/openvpn/easy-rsa/vars
sudo vi /etc/openvpn/easy-rsa/vars
Change these lines at the bottom so that they reflect your new CA.
export KEY_COUNTRY="PH"
export KEY_PROVINCE="BC"
export KEY_CITY="Makati"
export KEY_ORG="verzion"
export KEY_EMAIL="me@myhost.mydomain"
Step 3:
Set up the CA and create the first server certificate. Run these commands as is.
cd /etc/openvpn/easy-rsa/
sudo chown -R root:admin .
sudo chmod g+w .
source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
The Certificate Authority is now set up and the needed keys are in /etc/openvpn/
Configuring the Server
By default, all servers specified in *.conf files in the /etc/openvpn/ directory are started on boot. Therefore, all we have to do is create a new file named server.conf in the /etc/openvpn/ directory.
First, we're going to create a couple of new scripts to be used by the openvpn server.
sudo vi /etc/openvpn/up.sh
This script should contain the following
#!/bin/sh
# $1 is the bridge name passed from the "up" directive in server.conf;
# OpenVPN appends the tap device name and MTU as the following arguments.
BR=$1
DEV=$2
MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/usr/sbin/brctl addif "$BR" "$DEV"
Now, we'll create a "down" script.
sudo vi /etc/openvpn/down.sh
It should contain the following.
#!/bin/sh
# Same argument order as up.sh: bridge name, then the tap device from OpenVPN.
BR=$1
DEV=$2
/usr/sbin/brctl delif "$BR" "$DEV"
/sbin/ip link set "$DEV" down
Now, make both scripts executable.
sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh
And now on to the server configuration itself...
# vim /etc/openvpn/server.conf
Here is the content:
mode server
tls-server
# the local ip addr of the server
local 192.168.11.1
# the port can be changed
port 1194
proto tcp
#proto udp
mssfix 1400
#bridging directive
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
# the certificates
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
# BF-CBC (Blowfish, 64-bit block size) is a legacy cipher; newer OpenVPN releases negotiate AES-GCM by default
cipher BF-CBC
comp-lzo
# the bridge gateway address, its netmask, and the address pool handed out to clients
server-bridge 192.168.1.50 255.255.255.0 192.168.0.100 192.168.1.120
# allow VPN clients to communicate with each other
client-to-client
# uncomment below if you wish to have static IPs on your clients
#client-config-dir /etc/openvpn/ccd
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway"
keepalive 10 120
# may be changed if more or less users are to connect
# remember to create more VPN tap devices if more users are to connect
max-clients 9
user nobody
group nogroup
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 3
# these two are already implied by "keepalive 10 120" above; the directive is spelled ping-restart
ping 10
ping-restart 120
=== End of file
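The server-bridge line hands out pool addresses that must sit inside the bridge's own subnet, which is easy to get wrong by hand. The following POSIX sh checker is an added example, not part of the original guide: it parses the server-bridge directive out of a server.conf, converts the addresses to integers, and reports a pool start or end that falls outside the gateway's netmask (the constructed "bad" config uses a pool start in a different /24 than its gateway, the same shape as the line above). The file paths and sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example: sanity-check the server-bridge pool in an OpenVPN server.conf.
# All file contents below are constructed for the demonstration.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet ADDR1 ADDR2 NETMASK: succeed if both addresses share a network.
same_subnet() {
  _m=$(ip2int "$3")
  [ $(( $(ip2int "$1") & _m )) -eq $(( $(ip2int "$2") & _m )) ]
}

# check_server_bridge FILE: read the first server-bridge directive and verify
# that the pool start and end lie in the gateway's subnet and are ordered.
# Returns 0 when the pool is consistent, 1 otherwise.
check_server_bridge() {
  _line=$(grep -E '^[[:space:]]*server-bridge[[:space:]]' "$1" | head -n 1)
  [ -n "$_line" ] || { echo "$1: no server-bridge directive"; return 1; }
  set -- $_line
  _gw=$2; _mask=$3; _start=$4; _end=$5; _rc=0
  same_subnet "$_gw" "$_start" "$_mask" ||
    { echo "$1: pool start $_start is outside $_gw/$_mask"; _rc=1; }
  same_subnet "$_gw" "$_end" "$_mask" ||
    { echo "$1: pool end $_end is outside $_gw/$_mask"; _rc=1; }
  [ "$(ip2int "$_start")" -le "$(ip2int "$_end")" ] ||
    { echo "$1: pool start $_start comes after end $_end"; _rc=1; }
  [ "$_rc" -eq 0 ] && echo "$1: pool $_start-$_end fits $_gw/$_mask"
  return "$_rc"
}

# Constructed sample configs: one consistent, one with the pool start in the wrong /24.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
printf 'dev tap0\nserver-bridge 192.168.1.50 255.255.255.0 192.168.1.100 192.168.1.120\n' > "$GOOD_CONF"
printf 'dev tap0\nserver-bridge 192.168.1.50 255.255.255.0 192.168.0.100 192.168.1.120\n' > "$BAD_CONF"

check_server_bridge "$GOOD_CONF"   # consistent pool, returns 0
check_server_bridge "$BAD_CONF"    # flags the pool start, returns 1
```

Run it against the real /etc/openvpn/server.conf before starting the service; the check reads only the server-bridge line, so the rest of the file is untouched.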
Then, to start the OpenVPN server, type...