OpenVPN is a system for creating encrypted tunnels between computers using VPN (Virtual Private Network) technology.
The main advantages of this model:
- Simple: setup takes less than an hour and does not require special knowledge.
- Economical: traffic is compressed with LZO.
- Secure: all traffic is encrypted, and clients are isolated from each other.
- Sometimes it's just different. :)
Despite these points, I did not find a decent article on configuring OpenVPN on Habrahabr. Well, I'll try to fix that myself.
I deliberately try not to go too deep into technical details, and I will not describe the principles of building a kernel or installing software in your distribution; that is beyond the scope of the article.
We take OpenVPN-2.0.9 as a basis, with Gentoo Linux as the server and Linux or Windows as the client.
What we want.
Let's assume that our server is located in a remote data center, i.e. we reach it over the Internet.
After an encrypted tunnel is established between the client and the server, the server will NAT all our packets to the Internet. The server will also serve DNS and act as a firewall for the VLAN.
External IP of our server (the one OpenVPN will listen on): 212.212.212.212
Internal server IP (visible from the tunnel): 10.10.0.1
The pool of openVPN internal addresses: 10.10.0.2 - 10.10.0.128
Our network name: vpnet
Server name: vpsrv
Client name: vpclient
Why an external IP is needed is, I think, clear. The internal IP is needed to connect to the server once the tunnel is up. The address pool is the range of addresses the server hands out to connected clients.
The network name is used in the conf. file names, and the server name inside those conf. files. The client and server names are also the key file names.
The server has Gentoo Linux 2008.0 installed, updated to the latest versions. The kernel is 2.6.29. All configuration will be done over SSH.
Kernel tuning.
Let me note right away: at this stage you need to be extremely careful and attentive, in case anyone has forgotten.
The server kernel must contain the options below. On the client, only TUN and IPv4 support are needed.
We need the following functionality in the kernel; here is an excerpt from the config:
CONFIG_NF_NAT=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NETFILTER=y
CONFIG_TUN=m
And, of course, IPv4 support, the network card and the rest of your hardware. Build and install the kernel; you can use genkernel. Reboot.
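Before building, it is worth checking which of these options the current kernel already has, so that a remote reboot does not come as a surprise. The script below is an added example (not from the original article): check_kernel_config reads a kernel config file, either a plain .config or the gzipped /proc/config.gz, and reports each required option as built-in, module or missing, treating "is not set" the same as absent. The option list is the one from the excerpt above plus CONFIG_INET for IPv4; the sample config written by make_sample_config is constructed for demonstration and is not a real kernel's output.

```shell
#!/bin/sh
# Added example: check a kernel config for the options OpenVPN + NAT need.
# check_kernel_config returns 0 when every option is =y or =m, 1 otherwise.

REQUIRED_OPTS="CONFIG_INET CONFIG_NETFILTER CONFIG_NF_NAT CONFIG_TUN"

# check_kernel_config CONFIG_FILE
# CONFIG_FILE may be a plain .config or a gzip such as /proc/config.gz.
check_kernel_config() {
    cfg="$1"
    case "$cfg" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    missing=0
    for opt in $REQUIRED_OPTS; do
        # Last assignment wins, mirroring how the kernel build treats duplicates.
        val=$($reader "$cfg" | grep "^$opt=" | tail -n 1 | cut -d= -f2)
        case "$val" in
            y) echo "$opt: built-in" ;;
            m) echo "$opt: module" ;;
            *) echo "$opt: MISSING"; missing=1 ;;
        esac
    done
    return $missing
}

# make_sample_config FILE
# Constructed sample config for demonstration: NAT present, TUN disabled.
make_sample_config() {
    cat > "$1" <<'EOF'
# Automatically generated file; DO NOT EDIT.
CONFIG_INET=y
CONFIG_NETFILTER=y
CONFIG_NF_NAT=m
CONFIG_NF_NAT_PPTP=m
# CONFIG_TUN is not set
EOF
}
```

On the server, run it as check_kernel_config /proc/config.gz (if the kernel exposes its config) or against /usr/src/linux/.config; a non-zero exit means at least one option is missing.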
Server setup.
Software installation.
If :) the server came back after the reboot, proceed to install the software.
emerge --sync
emerge openvpn bind bind-tools iptables
We wait, sometimes for a long time. After installation, go to /etc/init.d/ and execute:
ln -s openvpn openvpn.vpnet
rc-update add openvpn.vpnet default
rc-update add named default
rc-update add iptables default
./iptables save
By creating a symlink to the init script itself, we told openvpn to use the vpnet configuration. From now on we start it only this way:
/etc/init.d/openvpn.vpnet start
There is no need to start it yet, because there is nothing to start. :)
We also added iptables, named and openvpn to the default runlevel, so they start at boot.
Create the necessary directories and files:
mkdir /etc/openvpn/vpnet/
mkdir /etc/openvpn/vpnet/keys
touch /var/log/openvpn.log
touch /etc/openvpn/vpnet.conf
Key generation.
Go to /usr/share/openvpn/easy-rsa/. Open the vars file and enter the settings:
export EASY_RSA="/usr/share/openvpn/easy-rsa/" # path to easy-rsa
export KEY_CONFIG="$EASY_RSA/openssl.cnf" # OpenSSL config used by easy-rsa
export KEY_DIR="/etc/openvpn/vpnet/keys" # directory where the generated keys are placed
export KEY_SIZE=1024 # RSA key size, bits
export CA_EXPIRE=3650 # CA certificate lifetime, days
export KEY_EXPIRE=3650 # certificate lifetime, days
export KEY_COUNTRY="RU" # certificate subject fields follow
export KEY_PROVINCE="XX" # Province
export KEY_CITY="Town"
export KEY_ORG="Companyname"
export KEY_EMAIL="test@mail.ru" # Email
Naturally, the values (company, path to keys and easy-rsa, email) need to be changed to suit you.
Import the variables:
source ./vars
Now create the keys:
./clean-all # clear the key directory
openvpn --genkey --secret ta.key # TLS-auth key
./build-dh # Diffie-Hellman parameters
./pkitool --initca # Certificate Authority
./pkitool --server vpsrv # server certificate and key
./pkitool vpclient # client certificate and key
And move what is left (ta.key is written to the current directory) to the right place:
mv ./ta.key /etc/openvpn/vpnet/keys
All keys are ready.
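Once the keys exist, it is worth confirming that the key directory is complete and that the private material is not readable by other users, since the server key and ta.key are what protect the tunnel. The script below is an added example, not code from the original article: check_key_files verifies the presence of the files named in this article, that the private keys and ta.key are mode 600 (or 400), and that ta.key carries the OpenVPN static-key header; verify_cert_chain uses openssl to confirm that a certificate was signed by ca.crt and is still valid. The key directory, server name and client name are passed as arguments; make_fake_keydir writes constructed placeholder files (not real keys) so the file checks can be demonstrated without easy-rsa.

```shell
#!/bin/sh
# Added example: sanity-check the easy-rsa output for the vpnet network.

# check_key_files KEYDIR SERVERNAME CLIENTNAME
# Returns 0 if every expected file exists, private material is mode 600/400
# and ta.key has the OpenVPN static-key header; 1 otherwise (with a report).
check_key_files() {
    keydir="$1"; srv="$2"; cli="$3"
    rc=0
    for f in ca.crt "$srv.crt" "$srv.key" "$cli.crt" "$cli.key" dh1024.pem ta.key; do
        if [ ! -f "$keydir/$f" ]; then
            echo "missing: $f"; rc=1
        fi
    done
    # Private keys and the TLS-auth key must not be group/world readable.
    for f in "$srv.key" "$cli.key" ta.key; do
        [ -f "$keydir/$f" ] || continue
        mode=$(stat -c %a "$keydir/$f" 2>/dev/null || stat -f %Lp "$keydir/$f")
        if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
            echo "too permissive: $f (mode $mode)"; rc=1
        fi
    done
    if [ -f "$keydir/ta.key" ] && ! grep -q '^-----BEGIN OpenVPN Static key V1-----' "$keydir/ta.key"; then
        echo "ta.key does not look like an OpenVPN static key"; rc=1
    fi
    return $rc
}

# verify_cert_chain KEYDIR CERTNAME
# Checks the certificate against ca.crt and that it stays valid for at
# least one more day (86400 seconds). Needs real certificates and openssl.
verify_cert_chain() {
    keydir="$1"; name="$2"
    openssl verify -CAfile "$keydir/ca.crt" "$keydir/$name.crt" >/dev/null || return 1
    openssl x509 -in "$keydir/$name.crt" -noout -checkend 86400 >/dev/null || return 1
}

# make_fake_keydir DIR
# Constructed placeholder files (not real keys) for demonstrating the
# presence, permission and header checks.
make_fake_keydir() {
    d="$1"
    for f in ca.crt vpsrv.crt vpsrv.key vpclient.crt vpclient.key dh1024.pem; do
        echo "placeholder" > "$d/$f"
    done
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' '00' \
        '-----END OpenVPN Static key V1-----' > "$d/ta.key"
    chmod 600 "$d/vpsrv.key" "$d/vpclient.key" "$d/ta.key"
}
```

On the real server run check_key_files /etc/openvpn/vpnet/keys vpsrv vpclient followed by verify_cert_chain /etc/openvpn/vpnet/keys vpsrv and the same for vpclient; the article's key directory is shared by both names, so everything is checked in one place before ta.key and the client files are copied off the machine.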
Server configuration.
Go to /etc/openvpn/, open vpnet.conf and write there:
mode server
tls-server
proto tcp-server
dev tap
port 5555 # port to listen on
daemon
tls-auth /etc/openvpn/vpnet/keys/ta.key 0
ca /etc/openvpn/vpnet/keys/ca.crt
cert /etc/openvpn/vpnet/keys/vpsrv.crt
key /etc/openvpn/vpnet/keys/vpsrv.key
dh /etc/openvpn/vpnet/keys/dh1024.pem
ifconfig 10.10.0.1 255.255.255.0 # server IP inside the tunnel
ifconfig-pool 10.10.0.2 10.10.0.128 # address pool handed out to clients
push "redirect-gateway def1" # make the VPN server the clients' default gateway
push "route-gateway 10.10.0.1"
duplicate-cn
verb 3
cipher DES-EDE3-CBC # cipher; must match the client
persist-key
log-append /var/log/openvpn.log # log file
persist-tun
comp-lzo
All the options are, in principle, clear. I have marked the especially important ones with comments. Paths, names and addresses need to be adjusted to suit you.
Now the server can be started with the command
/etc/init.d/openvpn.vpnet start
If problems arise, the details can be read in the log file.
NAT
In order for the server to let our packets out to the external network, we need to configure NAT. It's simple.
Prepare and start iptables:
/etc/init.d/iptables save
/etc/init.d/iptables start
Enable IP forwarding support:
sysctl net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
Add a firewall rule:
iptables -v -t nat -A POSTROUTING -o EXTERNAL_IF -s VPN_NET/24 -j SNAT --to-source SERVER_IP
Replace EXTERNAL_IF, VPN_NET and SERVER_IP with the external interface, the VPN network and the external (!) IP of the server, respectively.
Again, run
/etc/init.d/iptables save
so that the rule is applied when the system boots.
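The SNAT rule above only rewrites source addresses; it says nothing about what the server is willing to forward, and with the FORWARD chain at its default policy of ACCEPT anything that reaches the tap interface can be routed out. The script below is an added example (not from the original article): build_ruleset takes the same three parameters and prints a complete iptables-restore ruleset that contains the article's SNAT rule plus a FORWARD chain that only passes traffic from the VPN pool out of the external interface and lets established replies back in. It assumes the VPN interface is tap0 (overridable by a fourth argument) and that the state match (CONFIG_NETFILTER_XT_MATCH_STATE, not listed in the kernel excerpt above) is available; the interface name and addresses used in the demonstration are this article's placeholders.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for the OpenVPN NAT gateway.

# is_ipv4 ADDR -> 0 if ADDR is four dotted decimal octets in 0..255, 1 otherwise
is_ipv4() {
    echo "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 } { exit 1 }'
}

# build_ruleset EXTERNAL_IF VPN_NET SERVER_IP [VPN_IF]
# VPN_NET is the network address of the /24 handed out to clients
# (10.10.0.0 for this article); VPN_IF defaults to tap0.
# Prints the ruleset on stdout; returns 1 without output on bad addresses.
build_ruleset() {
    ext="$1"; net="$2"; srv="$3"; vpn_if="${4:-tap0}"
    is_ipv4 "$net" || { echo "bad VPN_NET: $net" >&2; return 1; }
    is_ipv4 "$srv" || { echo "bad SERVER_IP: $srv" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The article's rule: rewrite VPN client sources to the external address.
-A POSTROUTING -o $ext -s $net/24 -j SNAT --to-source $srv
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Only VPN clients may be forwarded out, and only replies come back in.
-A FORWARD -i $vpn_if -o $ext -s $net/24 -j ACCEPT
-A FORWARD -i $ext -o $vpn_if -d $net/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}
```

Usage on the server: build_ruleset eth0 10.10.0.0 212.212.212.212 | iptables-restore, then /etc/init.d/iptables save as before. The INPUT chain is left at ACCEPT here because the server also answers DNS and OpenVPN itself on port 5555; tightening it is a separate step.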
That's it, you can work.
Client setup.
Install software, create paths:
emerge openvpn
cd /etc/init.d/
ln -s openvpn openvpn.vpnet-client
rc-update add openvpn.vpnet-client default
mkdir /etc/openvpn/vpnet
mkdir /etc/openvpn/vpnet/client_keys
touch /etc/openvpn/vpnet-client.conf
We take the following files from the server:
ca.crt
vpclient.crt
vpclient.key
ta.key
and put them in /etc/openvpn/vpnet/client_keys/ on the client.
Edit /etc/openvpn/vpnet-client.conf:
tls-client
proto tcp-client
remote 212.212.212.212
dev tap
port 5555
cd /etc/openvpn/vpnet
pull
tls-auth /etc/openvpn/vpnet/client_keys/ta.key 1
ca /etc/openvpn/vpnet/client_keys/ca.crt
cert /etc/openvpn/vpnet/client_keys/vpclient.crt
key /etc/openvpn/vpnet/client_keys/vpclient.key
cipher DES-EDE3-CBC
log-append /var/log/openvpn.log
comp-lzo
The encryption and compression options on the client and server must match.
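The mismatch this paragraph warns about, together with the tls-auth key direction (0 on the server, 1 on the client) and the tcp-server/tcp-client pairing, is easy to check mechanically before starting the daemon. The shell functions below are an added example, not code from the article: conf_field reads one field of an option from an OpenVPN config file in the format shown above (trailing comments stripped), and check_pair reports any disagreement between a server and a client config on cipher, port, comp-lzo, tls-auth direction and proto. write_sample_configs produces constructed copies of the two configs from this article for demonstration; the only cipher-related assumption is that any OpenSSL cipher name (for example AES-256-CBC, used in the mismatch check) is a valid value.

```shell
#!/bin/sh
# Added example: check that an OpenVPN server and client config agree on
# the options that must match for the tunnel to come up.

# conf_field FILE OPTION N -> prints field N of the first OPTION line, or nothing.
# Trailing '# comment' text is stripped before the option is read.
conf_field() {
    sed 's/[[:space:]]*#.*$//' "$1" | awk -v opt="$2" -v n="$3" '$1 == opt { print $n; exit }'
}

# check_pair SERVER_CONF CLIENT_CONF -> 0 if consistent, 1 with a report otherwise.
check_pair() {
    srv="$1"; cli="$2"; rc=0
    for opt in cipher port; do
        a=$(conf_field "$srv" "$opt" 2); b=$(conf_field "$cli" "$opt" 2)
        if [ "$a" != "$b" ]; then
            echo "$opt differs: server='$a' client='$b'"; rc=1
        fi
    done
    # comp-lzo takes no argument here, so compare presence rather than value.
    s_lzo=$(grep -c '^comp-lzo' "$srv" || true); c_lzo=$(grep -c '^comp-lzo' "$cli" || true)
    if [ "$s_lzo" != "$c_lzo" ]; then
        echo "comp-lzo present on one side only"; rc=1
    fi
    # tls-auth's third field is the key direction: 0 on the server, 1 on the client.
    s_dir=$(conf_field "$srv" tls-auth 3); c_dir=$(conf_field "$cli" tls-auth 3)
    if [ "$s_dir" != "0" ] || [ "$c_dir" != "1" ]; then
        echo "tls-auth direction must be 0/1 (server/client), got '$s_dir'/'$c_dir'"; rc=1
    fi
    # proto must be paired: tcp-server with tcp-client, or udp with udp.
    s_proto=$(conf_field "$srv" proto 2); c_proto=$(conf_field "$cli" proto 2)
    case "$s_proto/$c_proto" in
        tcp-server/tcp-client|udp/udp) ;;
        *) echo "proto mismatch: server='$s_proto' client='$c_proto'"; rc=1 ;;
    esac
    return $rc
}

# write_sample_configs SERVER_FILE CLIENT_FILE
# Constructed copies of this article's server and client configs.
write_sample_configs() {
    cat > "$1" <<'EOF'
mode server
tls-server
proto tcp-server
dev tap
port 5555 # port to listen on
tls-auth /etc/openvpn/vpnet/keys/ta.key 0
cipher DES-EDE3-CBC # cipher; must match the client
comp-lzo
EOF
    cat > "$2" <<'EOF'
tls-client
proto tcp-client
remote 212.212.212.212
dev tap
port 5555
tls-auth /etc/openvpn/vpnet/client_keys/ta.key 1
cipher DES-EDE3-CBC
comp-lzo
EOF
}
```

Since the two configs live on different machines, copy the client's vpnet-client.conf next to the server's vpnet.conf (or the other way round) and run check_pair on the pair; a non-zero exit lists each option that does not line up.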
Start the client. A connection to the server is established automatically, the tunnel is created, and the VPN server becomes the default gateway. If everything was done correctly, you can go to the Internet.
Setup is complete. I can answer questions in the comments.