Julius Goh

JBANK

Julius Goh

Openvpn configuration ( debian server & client)

by · Published · Updated

Server

  • apt-get install openvpn
  • go into /etc/openvpn/, make a directory easy-rsa ( mkdir easy-rsa ), then run the below command accordingly to your release version :-
    • Wheezy
      • cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0* easy-rsa/
    • Jessie and above
      • apt-get install easy-rsa
      • cp -R /usr/share/easy-rsa/* easy-rsa/
  • Edit /etc/openvpn/easy-rsa/vars bottom according to your organization.
  • Then execute the following command
  • # cd easy-rsa/
# mkdir keys
# touch keys/index.txt
# echo 01 > keys/serial
# . ./vars  # set environment variables
# ./clean-all
  • Then we can start creating keys and certificate
  • Notes :-
    • only .key files should be kept confidential.
    • .crt and .csr files can be sent over insecure channels such as plaintext email.
    • do not need to copy a .key file between computers.
    • each computer will have its own certificate/key pair.
  • cd into easy-rsa  , and run the following codes
    • ./build-ca
    • ./build-key-server server
    • ./build-dh
    • ./build-key clientname or ./build-key-pass clientname (with PEM Phrase *Password*)
  • it will generate keys in /etc/openvpn/easy-rsa/keys/ , Copy the ca.crt, clientname.crt and clientname.key rom Server to Client into /etc/openvpn/easy-rsa/keys directory
  • cp ca.crt,dh2048.pem,server.crt.server.key from /etc/openvpn/easy-rsa/keys/ to /etc/openvpn
  • After that we will need a server.conf in /etc/openvpn
  • In the file copy the below into 
    port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pemserver 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120comp-lzo
persist-key
persist-tunstatus openvpn-status.log
log openvpn-log.logverb 3push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
  • To allow vpn client to use openvpn server ip you have to masquerade the eth0 by typing
    • iptabes -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
  • remember to place the masquerade code into /etc/rc.local so every time you reboot the machine it will have the rule
  • then finally  run “service openvpn restart”

Client

  • Different os and device will have different connection method

REFERENCE: https://wiki.debian.org/OpenVPN

You may also like...