OpenVPN smcr 2012

From SlackWiki
Jump to: navigation, search


OPENVPN MULTI-CLIENT ROUTED SERVER

Here's what I did to get OpenVPN (2.1.4) on my Slackware (13.37) box.

I wanted to get on the internet from public wifi WITHOUT being snooped on so I installed a MULTI-CLIENT, ROUTED (not bridged) OpenVPN server on my Linode. Again, this is MULTI-CLIENT and ROUTED.

1) Install OpenVPN from Slackbuilds.org or using sbopkg

2) Generate the needed certificates and keys-

	cd /usr/doc/openvpn-2.1.4/easy-rsa/2.0/
	vi vars
		Set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters.
		Don't leave any of these parameters blank.

	source ./vars
	./clean-all
	./build-ca
		answer questions
	./build-key-server server (server could be anything e.g. VPN1.blah.net)
		answer questions
	./build-key client1 (client1 can be anything e.g bobs-phone)
		answer questions
		repeat for each client to have
	./build-dh

3) Put the server certs and keys where they need to be-
	mkdir /etc/openvpn/certsnkeys
	cp ca.crt /etc/openvpn/certsnkeys/
	cp ca.key /etc/openvpn/certsnkeys/
	cp server.crt /etc/openvpn/certsnkeys/
	cp server.key /etc/openvpn/certsnkeys/
	cp dh1024.pem /etc/openvpn/

4) Send the client certs and keys where they need to be-
	Each client gets a copy of his client.crt and client.key AND a copy of ca.crt
	EXAMPLE: My android got a copy of client1.crt, client2.key and ca.crt.
		My laptop got a copy of client2.crt, client2.key and ca.crt
	NOTE: my android need a .p12 file, more on that below.

5) Configure the server.conf file-
	cd /usr/doc/openvpn-2.1.4
	cp server.conf.sample /etc/openvpn/server.conf
	cd /etc/openvpn

***NOTE: in /etc/openvpn you will see a file called openvpn.conf.  DO NOT USE THAT!
Use server.conf***

	Edit /etc/openvpn/server.conf
	CHANGE:
		ca ca.crt	-> ca /etc/openvpn/certsnkeys/ca.crt
		cert server.crt	-> cert /etc/openvpn/certsnkeys/server.crt
		key server.key	-> key /etc/openvpn/certsnkeys/server.key
		dh dh.pem	-> dh /etc/openvpn/dh1024.pem

6) Start OpenVPN-
Normally you would start OpenVPN by: openvpn /etc/openvpn/server.conf
but, being that I'm a good Slacker, I created an rc.openvpn file...

	CREATE: /etc/rc.d/rc.openvpn
	CONTAINS:
		#!/bin/sh
		#
		# /etc/rc.d/rc.openvpn
		#
		# Start/stop/restart the openvpn server.
		#
		# To make OpenVPN start automatically at boot, make this
		# file executable:  chmod 755 /etc/rc.d/rc.openvpn
		#
		
		ovpn_start() {
		  if [ -x /usr/sbin/openvpn -a -r /etc/openvpn/server.conf ]; then
		    echo "Starting OpenVPN:  /usr/sbin/openvpn server.conf"
		    /usr/sbin/openvpn /etc/openvpn/server.conf &
		  fi
		}
		
		ovpn_stop() {
		  killall openvpn
		}
		
		ovpn_restart() {
		  ovpn_stop
		  sleep 2
		  ovpn_start
		}
		
		case "$1" in
		'start')
		  ovpn_start
		  ;;
		'stop')
		  ovpn_stop
		  ;;
		'restart')
		  ovpn_restart
		  ;;
		*)
		  # Default is "start", for backwards compatibility with previous
		  # Slackware versions.  This may change to a 'usage' error someday.
		  ovpn_start
		esac

7) Make it executable (and autostart on reboots)-

	chmod 755 /etc/rc.d/rc.openvpn

To start/stop it manually- /etc/rc.d/rc.openvpn start (or stop or restart)

Now let's fix the firewall so our clients can get to the rest of the world...

8) Edit/create /etc/rc.d/rc.firewall

	ADD:
	iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
	iptables -A FORWARD -i tun+ -j ACCEPT
	iptables -A FORWARD -o tun+ -j ACCEPT
	iptables -A FORWARD -j ACCEPT
	iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

9) Flush the old firewall rules-

	iptables -F

10) Activate the new rules now-

	/etc/rc.d/rc.firewall

If the planets are aligned, you should now have a working OpenVPN server/router.