
Configuring OpenVPN Internet Gateway on Debian, which is on OpenVZ

So, gentlemen, the first of August is approaching, so I thought about getting an IP address in a country whose legislation is more relaxed about p2p, namely the Netherlands. After a fairly long search I found a provider offering two cores of an E3-1230, a couple of gigabytes of memory, 460 GB of disk and genuinely unmetered traffic (I specifically checked this with support, who say the channel is not throttled even after hundreds of terabytes) for some 40-odd bucks. The only catch is OpenVZ virtualization: I usually set up OpenVPN on Xen or KVM, so things did not go as smoothly as usual, and so I decided to share what I learned.

OS distribution: Debian 6.
So, let's begin.

Install OpenVPN and dnsmasq:

aptitude install openvpn udev dnsmasq 

Next, copy the key generation scripts:
 cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn 

Then we are usually told to edit the /etc/openvpn/easy-rsa/2.0/vars file, but if the gateway is made "for yourself", this step is entirely optional. If you want things tidy, correct the following lines at the end of that file:
 export KEY_COUNTRY="XX"
 export KEY_PROVINCE="XX"
 export KEY_CITY="City"
 export KEY_ORG="MyCompany"
 export KEY_EMAIL="habr@habr.ru"


After editing vars we generate the root (CA) certificate:

 cd /etc/openvpn/easy-rsa/2.0/
 . /etc/openvpn/easy-rsa/2.0/vars
 . /etc/openvpn/easy-rsa/2.0/clean-all
 . /etc/openvpn/easy-rsa/2.0/build-ca


Next, we generate the server and client certificates (instead of cli1 and cli2 you can pick whatever names are convenient for you):

 . /etc/openvpn/easy-rsa/2.0/build-key-server server
 . /etc/openvpn/easy-rsa/2.0/build-key cli1
 . /etc/openvpn/easy-rsa/2.0/build-key cli2


Then we generate the Diffie-Hellman parameters:
 . /etc/openvpn/easy-rsa/2.0/build-dh 


Distribute the keys: the client side needs the files ca.crt, cli1.crt and cli1.key, and the files ca.crt, ca.key, dh1024.pem, server.crt and server.key go into the /etc/openvpn directory on the server (ca.key is the CA private key and never leaves the server):

 cd /etc/openvpn/easy-rsa/2.0/keys
 cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn


Now let's copy the sample config that ships with the package into the /etc/openvpn directory:
 cd /usr/share/doc/openvpn/examples/sample-config-files
 gunzip -d server.conf.gz
 cp server.conf /etc/openvpn/


In order for our VPN server to route the clients' Internet traffic through itself (and hand them our own resolver), add to /etc/openvpn/server.conf:
 push "redirect-gateway def1"
 push "dhcp-option DNS 10.8.0.1"


Next, turn on IP forwarding.

In the /etc/sysctl.conf file, uncomment the line
 net.ipv4.ip_forward=1 

and in the console execute
 echo 1 > /proc/sys/net/ipv4/ip_forward 

to apply changes without rebooting.

Next, configure iptables.
If you have a dedicated server, or a virtual one on Xen or KVM, type in the console:
 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
 iptables -A FORWARD -j REJECT
 iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If the virtualization is OpenVZ, ordinary MASQUERADE will not work and you need to use SNAT; for this, type in the console:
 iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to abcd
 iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT

Here abcd stands for the external IP address of your server.

For the iptables rules to be applied at boot, we write them into /etc/rc.local and, right after the iptables rules, add a dnsmasq restart. Example /etc/rc.local after the changes,
for dedicated / Xen / KVM:

 #!/bin/sh -e
 #
 # [...]
 #
 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
 iptables -A FORWARD -j REJECT
 iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
 /etc/init.d/dnsmasq restart
 exit 0


for OpenVZ:

 #!/bin/sh -e
 #
 # [...]
 #
 iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to abcd
 iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT
 /etc/init.d/dnsmasq restart
 exit 0
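The rule sets above (console and rc.local, for both the Xen/KVM and the OpenVZ case) differ only in the NAT target and the interface names, so it is easy to keep one script that builds them from a few parameters and is called from /etc/rc.local. The script below is an added example and is not from the original post; it assumes the VPN subnet 10.8.0.0/24 and tun0 from the post, and the external interface and address (203.0.113.10 is a constructed value) are parameters. It departs from the post's rules in three ways, on purpose: the SNAT rule is limited to the VPN subnet with `-s`, the FORWARD chain ends with a catch-all REJECT in the OpenVZ case as well (the post's OpenVZ variant has none, so any other forwarded traffic would pass), and the external address is validated before it becomes a SNAT target, because a mistyped `--to` silently breaks every client's traffic instead of failing loudly.

```shell
#!/bin/sh
# Added example, not from the original post: generate and apply the
# forwarding/NAT rules for the VPN gateway on either a Xen/KVM host
# (MASQUERADE on eth0) or an OpenVZ container (SNAT on venet0).
# Constructed/assumed values: the external interface and address
# given on the command line, e.g. "venet0 203.0.113.10".

VPN_NET="10.8.0.0/24"
VPN_IF="tun0"

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the iptables commands for mode $1 ("openvz" or "kvm"),
# external interface $2 and, for openvz, external address $3.
gen_rules() {
    mode="$1"; ext_if="$2"; ext_ip="$3"
    if [ "$mode" = "openvz" ]; then
        valid_ipv4 "$ext_ip" || { echo "bad external IP: '$ext_ip'" >&2; return 1; }
        # --to-source is the long form of the post's "--to"
        echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $ext_if -j SNAT --to-source $ext_ip"
    else
        echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $ext_if -j MASQUERADE"
    fi
    # Replies to VPN clients come back via conntrack, only the VPN subnet may
    # originate flows to the outside, and everything else in FORWARD is rejected.
    echo "iptables -A FORWARD -i $ext_if -o $VPN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $VPN_IF -o $ext_if -s $VPN_NET -j ACCEPT"
    echo "iptables -A FORWARD -j REJECT"
}

# Apply the generated rules (needs root); aborts on the first failing command.
apply_rules() {
    rules=$(gen_rules "$@") || return 1
    printf '%s\n' "$rules" | sh -e
}

# Stand-alone use:
#   sh vpn-fw.sh show  openvz venet0 203.0.113.10   # print the rules
#   sh vpn-fw.sh apply openvz venet0 203.0.113.10   # apply them (e.g. from rc.local)
case "${1:-show}" in
    show)  gen_rules "${2:-openvz}" "${3:-venet0}" "${4:-203.0.113.10}" ;;
    apply) shift; apply_rules "$@" ;;
esac
```

In /etc/rc.local this replaces the block of iptables lines with one call, for example `sh /usr/local/sbin/vpn-fw.sh apply openvz venet0 <external IP>` followed by the dnsmasq restart from the post. Running it with `show` first and reading the printed rules is a cheap way to catch a wrong interface or address before anything is applied.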


Next, configure dnsmasq: open the file /etc/dnsmasq.conf and uncomment (and correct) two lines, so that the resolver listens only on localhost and the VPN address rather than on the public interface:
 listen-address=127.0.0.1,10.8.0.1
 bind-interfaces


This completes the server setup; you can restart the services and move on to setting up the clients.
 service openvpn restart
 service dnsmasq restart


In my case, all the clients were on Windows 7, so I’ll tell you only about client settings on Windows.

Download the software (OpenVPN), install it and, on Windows 7, run "Start \ OpenVPN \ OpenVPN GUI" as administrator.
Next, create the file %name%.ovpn with the following contents:

 # "push" directives belong in the server's config, not in the client profile
 client
 dev tun
 proto udp
 remote abcd 1194
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 ca ca.crt
 cert cli1.crt
 key cli1.key
 comp-lzo
 verb 3

Here abcd is the server address.

Put the file %name%.ovpn and the previously obtained ca.crt, cli1.crt and cli1.key into C:\Program Files (x86)\OpenVPN\config.
That's all: right-click the OpenVPN icon in the tray, choose Connect, and we are transported to another country.
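Carrying four files per client to each Windows machine is error-prone, and OpenVPN accepts the CA, certificate and key inline inside the .ovpn file. The script below is an added example, not from the original post, that builds one self-contained profile per client name straight from the easy-rsa keys directory; the server address, the keys path and the client names are command-line parameters (203.0.113.10 and the file contents in the test are constructed). It also adds `remote-cert-tls server` to the profile from the post: build-key-server marks the server certificate as a server certificate, and this line makes the client check for that mark, so a client's own certificate and key, if they leak, cannot be used to stand up a fake gateway that the other clients would accept.

```shell
#!/bin/sh
# Added example, not from the original post: write one self-contained
# <client>.ovpn per client, with ca.crt, <client>.crt and <client>.key
# embedded inline. The server address and keys directory are assumptions
# passed in by the caller.

# Print a profile for client $1 to stdout; $2 is the server address,
# $3 the easy-rsa keys directory (e.g. /etc/openvpn/easy-rsa/2.0/keys).
make_ovpn() {
    name="$1"; server="$2"; keys="$3"
    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# require the peer to present a certificate built with build-key-server
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(cat "$keys/ca.crt")
</ca>
<cert>
$(cat "$keys/$name.crt")
</cert>
<key>
$(cat "$keys/$name.key")
</key>
EOF
}

# Write profiles for every client named after the first three arguments
# into directory $3; the files hold private keys, hence mode 600.
make_profiles() {
    server="$1"; keys="$2"; out_dir="$3"; shift 3
    mkdir -p "$out_dir"
    for c in "$@"; do
        make_ovpn "$c" "$server" "$keys" > "$out_dir/$c.ovpn" || return 1
        chmod 600 "$out_dir/$c.ovpn"
    done
}

# Stand-alone use:
#   sh make-profiles.sh 203.0.113.10 /etc/openvpn/easy-rsa/2.0/keys ./profiles cli1 cli2
if [ $# -ge 4 ]; then
    make_profiles "$@"
fi
```

Each resulting file is the only thing that has to be copied to C:\Program Files (x86)\OpenVPN\config on the client. The easy-rsa .crt files contain a human-readable dump before the PEM block; OpenVPN ignores that text and reads the block between the BEGIN/END lines, so they can be embedded as they are.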

Source: https://habr.com/ru/post/188474/

