You might need to ask your hosting provider to enable TUN.
sudo apt-get install openvpn openvpn-blacklist
Generate a static key for tls-auth; this is for extra security (it helps against DDoS and similar attacks on the port):
sudo openvpn --genkey --secret /etc/openvpn/static.key
sudo chown root:root /etc/openvpn/static.key
Make sure you have already created a server key and certificate (self.key and self.crt) signed by your own CA (self-ca.crt); the config below references them.
Open the server config:
sudo nano /etc/openvpn/server.conf
and set it to the following:
# SETUP TUN
port 1194
proto udp
dev tun
# SSL
ca /etc/ssl/custom/certs/self-ca.crt
cert /etc/ssl/custom/certs/self.crt
key /etc/ssl/custom/keys/self.key
dh /etc/ssl/custom/keys/dh4096.pem
# EXTRA SECURITY - CLIENT NEEDS THIS SET TO 1
tls-auth /etc/openvpn/static.key 0
tls-server
# USE AES FOR ENCRYPTION (MUST SET ON CLIENT ALSO)
cipher AES-256-CBC
# USE PAM TO AUTHENTICATE USERNAME AND PASS
# plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/login
# username-as-common-name
# LIMIT PRIVILEGES OF OPENVPN
user nobody
group nogroup
# AVOID ACCESSING CERTAIN RESOURCES ON RESTART THAT MAY NO LONGER BE ACCESSIBLE DUE TO LIMITED PRIVILEGES
persist-key
persist-tun
# VPN IP RANGE
server 10.8.0.0 255.255.255.0
# PERSIST ALL ASSIGNED CLIENT IP ADDRESSES
ifconfig-pool-persist ipp.txt
# ALL CLIENT IP TRAFFIC & DNS LOOKUPS GO THROUGH THE VPN
push "redirect-gateway def1 bypass-dhcp"
# PING EACH OTHER EVERY 10s, AFTER 120s ASSUME OTHER PEER IS DOWN
keepalive 10 120
# COMPRESSION (MUST SET ON CLIENT ALSO)
comp-lzo
# MAX CONCURRENT CLIENTS
max-clients 3
# LOG
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 9
mute 20
Create the log file referenced above:
sudo touch /var/log/openvpn.log
sudo chmod 750 /var/log/openvpn.log
Restart the server:
sudo /etc/init.d/openvpn restart
Check the log:
sudo tail -f /var/log/openvpn.log
https://www.septimius.net/linux-howto-setup-openvpn-server/
You can check your connection tunnel:
sudo ifconfig tun0
Now add an iptables rule to do NAT for the VPN clients:
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
Check your nat table:
sudo iptables -L -t nat
If you make a mistake, you can remove all entries as follows:
sudo iptables -F -t nat
Now let's save the rules so they can be restored at boot:
sudo iptables-save > /etc/iptables.rules
Open up /etc/network/interfaces:
sudo nano /etc/network/interfaces
And add the following line:
pre-up iptables-restore < /etc/iptables.rules
Open up /etc/sysctl.conf:
sudo nano /etc/sysctl.conf
and uncomment the line:
net.ipv4.ip_forward=1
Finally, apply the IPv4 forwarding setting now without a reboot:
sudo sysctl -p
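As an added check that is not part of the original how-to: a small POSIX shell script that verifies the two things the NAT steps above depend on, the MASQUERADE rule for the VPN subnet in the nat table and net.ipv4.ip_forward=1. The parsing functions take files, so they can be run against the saved /etc/iptables.rules and /etc/sysctl.conf; the check_live function runs the same checks against the running system and needs root. The sample dump and sysctl fragments written by make_sample_files are constructed for the demo. Note that venet0 is the OpenVZ interface name the how-to uses; on other systems pass the interface that carries the server's public address.

```sh
#!/bin/sh
# Added example (not from the original how-to): verify the NAT rule and IPv4
# forwarding for the OpenVPN subnet. Functions take file paths so they can be
# run against saved rules; sample data below is constructed for the demo.

# Succeeds when an iptables-save dump ($1) contains, in its nat table, a
# POSTROUTING rule that masquerades subnet $2 leaving via interface $3.
has_vpn_masquerade() {
  awk -v net="$2" -v dev="$3" '
    /^\*/ { table = $0 }                      # "*nat", "*filter", ...
    table == "*nat" && $1 == "-A" && $2 == "POSTROUTING" {
      s = 0; o = 0; j = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-s" && $(i+1) == net) s = 1
        if ($i == "-o" && $(i+1) == dev) o = 1
        if ($i == "-j" && $(i+1) == "MASQUERADE") j = 1
      }
      if (s && o && j) { found = 1; exit }
    }
    END { exit !found }' "$1"
}

# Succeeds when a sysctl.conf-style file ($1) sets net.ipv4.ip_forward to 1
# (comments and surrounding whitespace are ignored, so a commented-out
# line does not count).
forwarding_enabled_in() {
  sed 's/#.*$//' "$1" |
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Live check against the running kernel; needs root for iptables-save.
check_live() {  # $1 = VPN subnet (e.g. 10.8.0.0/24), $2 = egress interface
  tmp=$(mktemp)
  iptables-save > "$tmp"
  if has_vpn_masquerade "$tmp" "$1" "$2"; then
    echo "NAT: MASQUERADE rule for $1 via $2 present"
  else
    echo "NAT: MASQUERADE rule for $1 via $2 MISSING"
  fi
  rm -f "$tmp"
  if [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ]; then
    echo "forwarding: enabled"
  else
    echo "forwarding: DISABLED"
  fi
}

# Constructed demo data: a rules dump with the how-to's rule plus a decoy
# rule for another subnet, and two sysctl fragments (enabled / commented out).
make_sample_files() {  # $1 = directory to write into
  cat > "$1/iptables.rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 10.8.0.0/24 -j ACCEPT
COMMIT
EOF
  cat > "$1/sysctl.conf" <<'EOF'
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
EOF
  cat > "$1/sysctl-off.conf" <<'EOF'
#net.ipv4.ip_forward=1
EOF
}

# Usage: ./check_nat.sh 10.8.0.0/24 venet0   (as root) for the live check.
if [ $# -eq 2 ]; then check_live "$1" "$2"; fi
```

The rule matcher walks the dump table by table so that a MASQUERADE rule in the wrong table, or a rule for a different subnet or interface, is not mistaken for the one the VPN clients need.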
The matching client config (the settings marked "MUST SET ON CLIENT ALSO" above have to agree with the server):
client
dev tun
proto udp
remote mydomain.com 1194
cipher AES-256-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
ca self-ca.crt
cert clientChris.crt
key clientChris.key
tls-auth static.key 1
comp-lzo
verb 9
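The server config and the client config above must agree on several settings (proto, cipher, port, comp-lzo) and use opposite tls-auth key directions (0 on the server, 1 on the client); a mismatch on any of these produces a connection that silently fails or logs only an opaque TLS error. As an added example that is not part of the original how-to, this POSIX shell script audits a server/client pair for exactly those points and for the server-side privilege-drop directives (user, group, persist-key, persist-tun). It only checks that the two sides agree, not the strength of the chosen settings. The configs written by make_sample_configs are constructed for the demo: the server side mirrors the how-to, and the client side carries two deliberate mistakes.

```sh
#!/bin/sh
# Added example (not from the original how-to): audit an OpenVPN server config
# and a client config for the settings that must match, plus the server's
# privilege-drop directives. Usage: ./audit_pair.sh server.conf client.ovpn

# Value of the first occurrence of directive $2 in file $1 (comments stripped).
conf_get() {
  sed 's/#.*$//' "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Succeeds when directive $2 appears in file $1, with or without a value.
conf_has() {
  sed 's/#.*$//' "$1" | awk -v k="$2" '$1 == k { f = 1 } END { exit !f }'
}

# Prints one line per finding; prints nothing when the pair is consistent.
check_vpn_pair() {  # $1 = server config, $2 = client config
  srv="$1"; cli="$2"
  # Directives that must carry the same value on both sides.
  for d in proto cipher; do
    sv=$(conf_get "$srv" "$d"); cv=$(conf_get "$cli" "$d")
    [ "$sv" = "$cv" ] || echo "MISMATCH $d: server='$sv' client='$cv'"
  done
  # The server's port must equal the port in the client's remote line.
  sport=$(conf_get "$srv" port)
  cport=$(conf_get "$cli" remote | awk '{ print $2 }')
  [ "$sport" = "$cport" ] || echo "MISMATCH port: server='$sport' client remote='$cport'"
  # comp-lzo must be set on both sides or on neither.
  if conf_has "$srv" comp-lzo; then a=1; else a=0; fi
  if conf_has "$cli" comp-lzo; then b=1; else b=0; fi
  [ "$a" = "$b" ] || echo "MISMATCH comp-lzo: set on one side only"
  # tls-auth key direction: 0 on the server, 1 on the client.
  sdir=$(conf_get "$srv" tls-auth | awk '{ print $2 }')
  cdir=$(conf_get "$cli" tls-auth | awk '{ print $2 }')
  if [ -n "$sdir$cdir" ] && { [ "$sdir" != 0 ] || [ "$cdir" != 1 ]; }; then
    echo "tls-auth direction: server='$sdir' client='$cdir' (expected 0 / 1)"
  fi
  # Privilege drop and persistence on the server side.
  for d in user group persist-key persist-tun; do
    conf_has "$srv" "$d" || echo "server missing: $d"
  done
}

# Constructed sample pair: the how-to's server settings, and a client with
# two deliberate mistakes (AES-128 instead of AES-256; key direction 0).
make_sample_configs() {  # $1 = directory to write into
  cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
tls-auth /etc/openvpn/static.key 0
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
server 10.8.0.0 255.255.255.0
comp-lzo
EOF
  cat > "$1/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote mydomain.com 1194
# wrong on purpose: server uses AES-256-CBC
cipher AES-128-CBC
# wrong on purpose: the client side must use direction 1
tls-auth static.key 0
comp-lzo
EOF
}

# Demo: audit the constructed pair and print the number of findings (2).
demo_issue_count() {
  d=$(mktemp -d)
  make_sample_configs "$d"
  check_vpn_pair "$d/server.conf" "$d/client.ovpn" | wc -l | tr -d ' '
  rm -rf "$d"
}

if [ $# -eq 2 ]; then check_vpn_pair "$1" "$2"; fi
```

Run it before restarting the server each time either config is edited; an empty output means the pair agrees on everything the how-to says must match.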