
OpenVPN: creating a server on Windows

OpenVPN is a virtual private network. With its help we can:
Main advantages:
Like the author of the article on installing OpenVPN on Linux, I did not find a decent article, let alone one that describes everything in detail. In this Habrahabr article I will try to explain everything as fully as possible. So let's go!

Download the distribution.

At the time of writing, the available version is 2.3.2. Download the Windows installer from here, choosing the 32-bit or 64-bit version to match your operating system.

Installation

During installation, tick every checkbox and answer yes when asked to install the driver. A new virtual network adapter will appear in the system.
Creating certificates and keys.

This step once stopped me: keys, I thought, I will go and look for something simpler. But, alas, I found nothing better. So, go to C:\Program Files\OpenVPN\easy-rsa, run init-config.bat, and vars.bat will appear; open it in Notepad. We are interested in the lines at the bottom; fill them in as you like (no spaces around the = sign, otherwise the batch file sets a variable with a trailing space in its name). For example:
set KEY_COUNTRY=RU
set KEY_PROVINCE=Baldur
set KEY_CITY=Piter
set KEY_ORG=OpenVPN
set KEY_EMAIL=my@sobaka.ru
set KEY_CN=server
set KEY_NAME=server
set KEY_OU=ouou

Do not touch the lines that say server. Save. Now open openssl-1.0.0.cnf, find the line default_days 365 and change it to 3650. This extends the life of our certificates to 10 years. Save. Next, open a command prompt (Start > All Programs > Accessories > Command Prompt; on Windows Vista/7/8 run it as administrator) and type in sequence:

cd "C:\Program Files\OpenVPN\easy-rsa"
vars
clean-all

The response should be "Copied files: 1" twice. That means all is well. In the same window type:
build-dh
This creates the Diffie-Hellman parameters.
build-ca
This creates the root (CA) certificate.
You will be asked questions; just press Enter until you see the prompt with the path C:\Program Files\OpenVPN\easy-rsa again. Next type:
build-key-server server
Again press Enter at the questions, but do not rush! At the end there will be two questions: "Sign the certificate?" and "1 out of 1 certificate requests certified, commit?"; answer Y to both. Now we create a client certificate:
build-key client
Here you need to be more careful: when asked for the Common Name (eg, your server's hostname), enter client. At the end, again answer Y twice. For each client you need to create a new certificate with a different name, for example build-key client1, and also enter that name as the Common Name. If everything went right, you can breathe out! The hardest part is behind us. From the folder C:\Program Files\OpenVPN\easy-rsa\keys take ca.crt, dh1024.pem, server.crt and server.key and put them in C:\Program Files\OpenVPN\config.

Create configs.

Go to C:\Program Files\OpenVPN\config, create a text document and paste:
# Bring up an L3 (routed) tunnel
dev tun
# Protocol
proto udp
# Port the VPN listens on
port 12345
# Keys and certificates
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# Roughly speaking, saves addresses: one address per client
topology subnet
# Address pool
server 10.8.0.0 255.255.255.0
# Cipher
cipher AES-128-CBC
# Compression
comp-lzo
# Slightly better ping
mssfix
# Client liveness: ping every 10 s, drop the client after 120 s without a reply
keepalive 10 120
# Log verbosity
verb 3

Save the file as server.ovpn. This is our server config. Now let's try to start the server. There will be an OpenVPN GUI shortcut on the desktop. After launching it, a red icon appears in the tray. Double-click it; if it turns green, everything is fine; if not, look at the log in the log folder.

Now the client config:
client
dev tun
proto udp
# Server address and port
remote <server address> 12345
# Keys must be in the same folder as the config
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
nobind
comp-lzo
persist-key
persist-tun
verb 3

Save it as client.ovpn. Create any folder and put client.ovpn in it together with the ca.crt, client.crt and client.key certificates from C:\Program Files\OpenVPN\easy-rsa\keys. The Windows client is downloaded from here. Install it on the client machine, copy over the folder with the config and certificates, and run client.ovpn. Once connected, try typing ping 10.8.0.1 at the command prompt. Do the packets get through? Congratulations! The server is ready! Now go to Control Panel > Administrative Tools > Services, find OpenVPN there, double-click it and set the startup type to Automatic. Now the server will start by itself after a reboot.

Polishing the config, or to each their own.

Now I will describe how to share the Internet connection and other small things related to the setup. Let's start with the small things. All the changes are made in the server config.
If you want clients to "see" each other, i.e. to be able to exchange data, add to the config:
client-to-client
If you want clients to be given static addresses, create an ip.txt file in the config folder and add to the config:
ifconfig-pool-persist ip.txt
Don't feel like creating a certificate for every client? Then add duplicate-cn, but note that ifconfig-pool-persist does not work with this option.
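As an added example (not part of the article), a small Python checker that parses a server.ovpn / client.ovpn pair like the ones above and flags the mismatches that silently break or weaken the pairing: proto and cipher differing, the client's remote port not matching the server's port, comp-lzo on only one side, and the duplicate-cn / ifconfig-pool-persist conflict just mentioned. The host vpn.example.com is a placeholder.

```python
"""Added example (not from the article): check a server.ovpn / client.ovpn pair
for the mismatches that silently break or weaken the setup described above."""

def parse_ovpn(text):
    """Return (directive, [args]) pairs, skipping blank lines and # / ; comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out

def first(directives, name):
    """Args of the first occurrence of a directive, or None if it is absent."""
    return next((args for d, args in directives if d == name), None)

def check_configs(server_text, client_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []
    for name in ("proto", "cipher"):  # must be identical on both ends
        if first(s, name) != first(c, name):
            findings.append(f"{name} mismatch: server={first(s, name)} client={first(c, name)}")
    remote, port = first(c, "remote"), first(s, "port")
    if remote is None or len(remote) < 2:  # client needs 'remote <host> <port>'
        findings.append("client needs 'remote <server address> <port>'")
    elif port and remote[1] != port[0]:
        findings.append(f"port mismatch: server listens on {port[0]}, client dials {remote[1]}")
    if (first(s, "comp-lzo") is None) != (first(c, "comp-lzo") is None):
        findings.append("comp-lzo must be set on both sides or neither")
    if first(s, "duplicate-cn") is not None and first(s, "ifconfig-pool-persist") is not None:
        findings.append("ifconfig-pool-persist does not work with duplicate-cn")
    return findings

# Constructed sample: the article's server settings and a corrected client config.
SERVER_CFG = "dev tun\nproto udp\nport 12345\nserver 10.8.0.0 255.255.255.0\ncipher AES-128-CBC\ncomp-lzo\n"
CLIENT_CFG = "client\ndev tun\nproto udp\nremote vpn.example.com 12345\ncipher AES-128-CBC\nnobind\ncomp-lzo\n"
# The words in the article's original client line '12345 remote address' are in the wrong order.
BROKEN_CLIENT_CFG = CLIENT_CFG.replace("remote vpn.example.com 12345", "12345 remote address")
```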
Now about the client config. Instead of shipping the certificate files you can paste them directly into the config; just do it not in Notepad but in AkelPad or Notepad++, for example. Open ca.crt and select everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----. In the config it will look like this:

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>

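As an added example (not code from the article), a Python helper that does the copy-and-paste described above automatically: it takes client.ovpn plus the ca.crt, client.crt and client.key files, cuts out just the BEGIN..END block of each (easy-rsa prefixes .crt files with a readable certificate dump that must not be copied), and replaces the three file directives with <ca>/<cert>/<key> inline blocks. The server address and the PEM bodies in the sample are placeholders.

```python
"""Added example (not from the article): produce one client.ovpn with the CA
certificate, client certificate and private key embedded inline, as described
above, instead of shipping the .crt/.key files alongside the config."""
import re

# A PEM block as easy-rsa writes it: BEGIN line .. END line, possibly preceded
# by a human-readable certificate dump that must not be copied into the config.
PEM_BLOCK = re.compile(r"-----BEGIN [^-]+-----.*?-----END [^-]+-----", re.S)

def extract_pem(file_text):
    """Return the first PEM block of a file (BEGIN..END inclusive)."""
    m = PEM_BLOCK.search(file_text)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(0).strip()

def inline_certs(config_text, files):
    """Replace 'ca|cert|key <file>' lines with <ca>/<cert>/<key> inline blocks.
    files maps each file name used in the config to that file's text."""
    out = []
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) == 2 and parts[0] in ("ca", "cert", "key"):
            tag, name = parts
            if name not in files:
                raise KeyError(f"{name} referenced by '{tag}' was not supplied")
            out.append(f"<{tag}>\n{extract_pem(files[name])}\n</{tag}>")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"

# Constructed sample input: the article's client config (server address is a
# placeholder) and fake PEM files whose base64 bodies are stand-ins, not real keys.
CLIENT_CFG = ("client\ndev tun\nproto udp\nremote vpn.example.com 12345\n"
              "ca ca.crt\ncert client.crt\nkey client.key\ncipher AES-128-CBC\n"
              "nobind\ncomp-lzo\npersist-key\npersist-tun\nverb 3\n")
FILES = {
    "ca.crt": "Certificate:\n    Issuer: CN=server\n-----BEGIN CERTIFICATE-----\n"
              "Q0FfUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n",
    "client.crt": "-----BEGIN CERTIFICATE-----\nQ0xJRU5UX1BMQUNFSE9MREVS\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN PRIVATE KEY-----\nS0VZX1BMQUNFSE9MREVS\n-----END PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    print(inline_certs(CLIENT_CFG, FILES))
```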

Sharing the Internet connection


To do this, add to the server config:
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Replace the DNS addresses with the ones given in your settings. You can see them by going to Control Panel > Network Connections and double-clicking the adapter that faces the Internet; on Windows 7 it is Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings. Next open the properties of that same adapter, go to the Sharing tab, tick "Allow other network users..." and, if there is a drop-down list, select the virtual VPN adapter in it. Then go to the properties of the VPN adapter, then the IPv4 properties, and set it to obtain the IP and DNS addresses automatically. Thanks for your attention!

Source: https://habr.com/ru/post/197744/

