Notice that in this setup only traffic destined for the network behind the VPN server (the block given by `push route` in `server.conf`) is sent over the OpenVPN connection; all other traffic uses the normal connection. This simplifies things because you do not have to deal with NAT setups etc. for reaching the Internet while connected to the VPN, and you keep the fastest, direct Internet access while connected to the VPN server.
You will need to open or forward UDP port 1194 on your router/firewall to be able to connect to your server.
Step 1
Install the OpenVPN server and `easy-rsa` packages (on Ubuntu these are the `openvpn` and `easy-rsa` packages).
Step 2
Execute the following commands. You can accept the defaults for all the fields; you only need to answer `y` when asked to sign the certificates. The `easy-rsa` path is the one from the Ubuntu package, so adjust it if your distribution installs it elsewhere. (Note: the `#` prompt means these commands must be run as the root user.)
```bash
# cd /etc/openvpn
# cp /usr/share/easy-rsa/* .
# . ./vars
# ./clean-all
# ./build-ca
# ./build-key-server server
# ./build-key client1
# openvpn --genkey --secret keys/ta.key
# ./build-dh
```
Below is the full output of the commands when executed, as an example:
```
# cd /etc/openvpn
# cp /usr/share/easy-rsa/* .
# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/eyurtese/openvpn/keys
# ./clean-all
# ./build-ca
Generating a 2048 bit RSA private key
......................................+++
...............+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
# ./build-key-server server
Generating a 2048 bit RSA private key
...............................+++
.......................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/eyurtese/openvpn/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until May 22 10:41:07 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# ./build-key client1
Generating a 2048 bit RSA private key
.............+++
........................................+++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/eyurtese/openvpn/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until May 22 10:41:47 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# openvpn --genkey --secret keys/ta.key
# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
```
Step 3
Create the OpenVPN server configuration file at `/etc/openvpn/server.conf`. The `push "route ..."` directive tells the server to push a route to the client; in this setup only the pushed route is reached through the VPN.
```
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# CHANGE TO YOUR HOME NETWORK BLOCK!
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
tls-auth keys/ta.key 0
client-cert-not-required
script-security 3
auth-user-pass-verify /etc/openvpn/checkpass.sh via-env
```
Step 4
Create the client `.ovpn` file. The client program will ask for a username and password. The `.ovpn` file holds the client configuration and you will use it when connecting to the server; GUI clients often have an option to import the `.ovpn` file.
```
client
dev tun
remote YOUR_HOST_NAME 1194 udp
auth-user-pass
fast-io
float
explicit-exit-notify
cipher AES-256-CBC
remote-cert-tls server
<ca>
PUT (COPY/PASTE) CONTENTS OF keys/ca.crt HERE
</ca>
<key>
PUT (COPY/PASTE) CONTENTS OF keys/client1.key HERE
</key>
<cert>
PUT (COPY/PASTE) CONTENTS OF keys/client1.crt HERE
</cert>
<tls-auth>
PUT (COPY/PASTE) CONTENTS OF keys/ta.key HERE
</tls-auth>
key-direction 1
```
Step 5
Create a password checking script at `/etc/openvpn/checkpass.sh`. This is a simple script that checks plaintext passwords. Make sure the script is executable (e.g. mode 755), otherwise the OpenVPN server will not start. Using plaintext passwords is not a problem as long as you keep the password file secure on your OpenVPN server; the OpenVPN authentication exchange itself is still encrypted.
```bash
#!/bin/bash
# :mode=shellscript
#
# Gets environment from OpenVPN and checks user:pass from file.
# With "auth-user-pass-verify ... via-env" OpenVPN exports the client's
# credentials as $username and $password (this needs script-security 3).
# Do not dump the environment to /tmp for debugging: that would write the
# cleartext password to a world-readable file.
#
PASSFILE=/etc/openvpn/userpass.txt

# Walk the file line by line and require an exact match on the user field;
# a plain grep on ${username} would also match "bob" against "bobby".
while IFS=: read -r user pass; do
    if [ "${user}" = "${username}" ] && [ "${pass}" = "${password}" ]; then
        exit 0
    fi
done < "${PASSFILE}"
exit 1
```
Step 6
Create the actual password file at `/etc/openvpn/userpass.txt`, set its owner to `nobody:nogroup` and its permissions to 600. You need to define your own usernames and passwords.
```
username1:password1inClearText
username2:password2inClearText
username3:password3inClearText
```
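As an added example (not part of the original post), here is the same `via-env` verify hook written in Python with hashed entries instead of cleartext, so the password file is no longer a secret in itself. The `pbkdf2_sha256:<iterations>:<salt hex>:<hash hex>` entry format and the `hash_password` helper used to create entries are assumptions of this example, not an OpenVPN convention.

```python
#!/usr/bin/env python3
# Added example for OpenVPN "auth-user-pass-verify ... via-env": same contract
# as checkpass.sh (exit 0 = accept), but the password file stores salted PBKDF2
# hashes. Assumed entry format: username:pbkdf2_sha256:<iters>:<salt hex>:<hash hex>
import hashlib
import hmac
import os
import secrets
import sys

ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    # Build the entry body for a new user: algo:iterations:salthex:hashhex
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256:%d:%s:%s" % (iterations, salt.hex(), digest.hex())


def verify(username, password, entries):
    # True only if username has a well-formed entry whose hash matches
    for line in entries:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, body = line.partition(":")
        if user != username:  # whole-field comparison, never a substring match
            continue
        try:
            algo, iters, salt_hex, hash_hex = body.split(":")
            if algo != "pbkdf2_sha256":
                return False
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                         bytes.fromhex(salt_hex), int(iters))
        except ValueError:
            return False  # malformed entry: fail closed
        return hmac.compare_digest(digest.hex(), hash_hex)  # constant-time compare
    return False  # unknown user


def main():
    # OpenVPN exports the client's credentials in these two variables
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    with open("/etc/openvpn/userpass.txt") as f:
        ok = verify(username, password, f)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

To add a user, append `username:` followed by the output of `hash_password("...")` to the file; the script then needs `script-security 3` and the same `auth-user-pass-verify ... via-env` line as `checkpass.sh`.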