Openvpn
Latest revision as of 17:34, 14 December 2017
CentOS 7
Install ovpn
a) From the EPEL repository for Enterprise Linux 7
We need to add the EPEL repository if it was not done before (see: how to use yum).
 # --no-check-certificate disables TLS certificate verification of the download; drop it once the system CA bundle is current
 wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm --no-check-certificate
 rpm -i epel-release-latest-7.noarch.rpm
 yum install openvpn
 yum install easy-rsa
b) Using the package for Enterprise Linux 7 from fedoraproject.org
 wget https://dl.fedoraproject.org/pub/epel/7/x86_64/o/openvpn-2.3.8-1.el7.x86_64.rpm --no-check-certificate
 rpm -i openvpn-2.3.8-1.el7.x86_64.rpm
 yum install easy-rsa
Enabling service
 ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service
 systemctl start openvpn@server
 systemctl status openvpn@server
 systemctl stop openvpn@server
Debian
Installing
 apt-get install openvpn
 # on recent Debian versions easy-rsa is a standalone package
 apt-get install easy-rsa
Enabling service startup at boot time
 update-rc.d openvpn defaults
Configure clients and server
Setting up server
Generating server and client keys
Preparing configs from samples
 mkdir -p /etc/openvpn/easy-rsa/keys
 ## COPY scripts
 # old debian systems
 cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa
 # OR newer rhel
 cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
 # OR newer debian
 cp -rf /usr/share/easy-rsa/* /etc/openvpn/easy-rsa
 cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
You can set the export KEY_* values in this file so that you do not need to enter the certificate fields for each key separately:
 vim /etc/openvpn/easy-rsa/vars
Sourcing the defined values
 cd /etc/openvpn/easy-rsa/
 source ./vars
Generating the server CA and keys
 cd /etc/openvpn/easy-rsa/
 ./clean-all
 ./build-ca
 ./build-key-server server
 ./build-dh
 cd keys
 cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
Generating client keys
 cd /etc/openvpn/easy-rsa
 ./build-key client
Note: when asked for the 'common name', fill in a unique name for the client (it will be listed in openvpn.log after login).
 cd keys
 mkdir client1
 cp ca.crt client.key client.crt client1
Configuring options in /etc/openvpn/server.conf
You need to configure at least the following options:
 port 1194
 proto udp
 dev tun
 ca ca.crt
 cert server.crt
 key server.key # This file should be kept secret
 dh dh2048.pem
 server 10.8.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
 keepalive 10 120
 comp-lzo
 user nobody
 group nobody
 persist-key
 persist-tun
 status openvpn-status.log
 verb 4
Optional but useful options:
 push "route 192.168.2.0 255.255.255.0"
 push "route 192.168.3.0 255.255.255.0"
 client-config-dir ccd
 client-to-client
Example of the file ccd/client1 when the optional client-config-dir is enabled; we suppose that the client's certificate has the common name 'client1':
 iroute 192.168.2.0 255.255.255.0
 ifconfig-push 10.8.0.13 10.8.0.14
The OpenVPN server by default pushes routing for all subnets defined earlier in server.conf (192.168.2.0/24, 192.168.3.0/24) to all clients, but with this setting it will not push routing for 192.168.2.0/24 to this client, and all packets arriving at the OpenVPN server with a destination address in the subnet 192.168.2.0/24 will be redirected to this client. Additionally, we require that this client uses the 10.8.0.13 address.
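As an added illustration (not code from the original page), the following Python script works through the server.conf push options and the ccd/client1 file above: it parses a constructed server.conf and ccd entry matching the page, drops the pushed routes that the client itself serves via iroute, and flags two problems worth catching before deploying. The first is an iroute without a server-side route directive (OpenVPN also needs a kernel route into the tun device for the iroute to be reachable); the second is an ifconfig-push pair that is not valid for the net30 topology that OpenVPN 2.3 uses by default, where the client address must be 4k+1 and its endpoint 4k+2.

```python
import ipaddress

# Constructed sample mirroring the server.conf options and ccd/client1 file on this page.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
client-config-dir ccd
"""
CCD_FILES = {"client1": "iroute 192.168.2.0 255.255.255.0\nifconfig-push 10.8.0.13 10.8.0.14\n"}

def parse_directives(text):
    """Yield (directive, args) pairs; comments are dropped and push bodies unquoted."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            if name == "push":  # push "route a b" -> ("push", ["route", "a", "b"])
                args = " ".join(args).strip('"').split()
            yield name, args

def net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}")

def routes_for_client(server_conf, ccd_files, cn):
    """Routes pushed to client cn, subnets routed back to it, and config problems found."""
    pool, pushed, server_routes = None, [], set()
    for name, args in parse_directives(server_conf):
        if name == "server":
            pool = net(args[0], args[1])
        elif name == "push" and args[:1] == ["route"]:
            pushed.append(net(args[1], args[2]))
        elif name == "route":  # kernel route from the server host into the tun device
            server_routes.add(net(args[0], args[1]))
    iroutes, address, warnings = [], None, []
    for name, args in parse_directives(ccd_files.get(cn, "")):
        if name == "iroute":
            iroutes.append(net(*args[:2]))
            if iroutes[-1] not in server_routes:  # iroute only routes inside OpenVPN
                warnings.append(f"iroute {iroutes[-1]} needs a matching 'route' in server.conf")
        elif name == "ifconfig-push":
            address, endpoint = (ipaddress.ip_address(a) for a in args[:2])
            # net30 topology (the 2.3 default): client gets 4k+1, its server endpoint 4k+2
            if (pool is None or address not in pool or int(address) % 4 != 1
                    or int(endpoint) != int(address) + 1):
                warnings.append(f"ifconfig-push {address} {endpoint} is not a valid net30 pair")
    # the server does not push a route to the client that is itself the gateway for it
    return {"pushed": [r for r in pushed if r not in iroutes], "iroutes": iroutes,
            "address": address, "warnings": warnings}
```

Run against the page's sample, client1 receives only the 192.168.3.0/24 route, and the script warns that the iroute has no matching route directive in server.conf.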
Configuring client.conf
We assume that the previously created ca.crt, client.key and client.crt were uploaded to the server into /etc/openvpn/key/client1/.
 client
 dev tun
 proto udp
 remote here_address_of_a_vpn_server 1194
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 ca key/client1/ca.crt
 cert key/client1/client.crt
 key key/client1/client.key
 # ns-cert-type is deprecated since OpenVPN 2.4 and removed in 2.5; remote-cert-tls server is its replacement
 ns-cert-type server
 comp-lzo
 verb 3
Startup
Startup on sysV
Set in /etc/default/openvpn:
 AUTOSTART="1"
Startup on systemd
In case you have the config file stored in /etc/openvpn/1.conf:
 systemctl enable openvpn@1.service
 systemctl start openvpn@1.service