OpenVPN smcr 2012
OPENVPN MULTI-CLIENT ROUTED SERVER
Here's what I did to get OpenVPN (2.1.4) running on my Slackware (13.37) box.
I wanted to get on the internet from public wifi WITHOUT being snooped on, so I installed a MULTI-CLIENT, ROUTED (not bridged) OpenVPN server on my Linode. Again, this is MULTI-CLIENT and ROUTED.
1) Install OpenVPN from Slackbuilds.org or using sbopkg
2) Generate the needed certificates and keys-
cd /usr/doc/openvpn-2.1.4/easy-rsa/2.0/
vi vars
Set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters.
Don't leave any of these parameters blank.
source ./vars
./clean-all
./build-ca
answer questions
./build-key-server server (server could be anything e.g. VPN1.blah.net)
answer questions
./build-key client1 (client1 can be anything e.g. bobs-phone)
answer questions
repeat for each client you want to have
./build-dh
3) Put the server certs and keys where they need to be-
mkdir /etc/openvpn/certsnkeys
cp ca.crt /etc/openvpn/certsnkeys/
cp ca.key /etc/openvpn/certsnkeys/
cp server.crt /etc/openvpn/certsnkeys/
cp server.key /etc/openvpn/certsnkeys/
cp dh1024.pem /etc/openvpn/
4) Send the client certs and keys where they need to be-
Each client gets a copy of his client.crt and client.key AND a copy of ca.crt
EXAMPLE: My android got a copy of client1.crt, client1.key and ca.crt.
My laptop got a copy of client2.crt, client2.key and ca.crt
NOTE: my android needs a .p12 file, more on that below.
5) Configure the server.conf file-
cd /usr/doc/openvpn-2.1.4
cp server.conf.sample /etc/openvpn/server.conf
cd /etc/openvpn
***NOTE: in /etc/openvpn you will see a file called openvpn.conf. DO NOT USE THAT!
Use server.conf***
Edit /etc/openvpn/server.conf
CHANGE:
ca ca.crt -> ca /etc/openvpn/certsnkeys/ca.crt
cert server.crt -> cert /etc/openvpn/certsnkeys/server.crt
key server.key -> key /etc/openvpn/certsnkeys/server.key
dh dh.pem -> dh /etc/openvpn/dh1024.pem
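As an added check (not part of the original page), here is a small POSIX sh audit you can run on the server once steps 3 and 5 are done. It reads the ca/cert/key/dh lines out of server.conf, confirms each file is really there, and complains if server.key is readable by group or others. It also points out a ca.key sitting next to ca.crt: the server only ever verifies against ca.crt, so the CA private key does not need to be on the VPN box at all (it is only needed where you run build-key). The function names and the absolute-path layout are assumptions, matching what step 5 produces.

```shell
#!/bin/sh
# Added example, not from the original page: audit an OpenVPN server.conf
# so that every file the ca/cert/key/dh directives point at exists and the
# private key is not readable by group or others. Assumes the directives
# use absolute paths, as the edits in step 5 produce.

# ovpn_conf_paths CONF
# Print "directive path" for the ca, cert, key and dh lines of CONF.
ovpn_conf_paths() {
    awk '$1 ~ /^(ca|cert|key|dh)$/ { print $1, $2 }' "$1"
}

# ovpn_audit_conf CONF
# Returns 0 when all referenced files are readable and the key file is
# private (mode 600 or stricter); prints each problem and returns 1 otherwise.
ovpn_audit_conf() {
    conf=$1
    rc=0
    while read -r directive path; do
        [ -z "$directive" ] && continue
        if [ ! -r "$path" ]; then
            echo "MISSING or unreadable: $directive -> $path"
            rc=1
            continue
        fi
        if [ "$directive" = key ]; then
            # characters 5-10 of "ls -l" output are the group and other bits
            case "$(ls -ld "$path" | cut -c5-10)" in
                *[rwx]*) echo "TOO OPEN: $path (fix: chmod 600 $path)"; rc=1 ;;
            esac
        fi
        if [ "$directive" = ca ] && [ -e "$(dirname "$path")/ca.key" ]; then
            # the server only verifies clients against ca.crt; the CA private
            # key is only needed on the machine that signs certificates
            echo "NOTE: $(dirname "$path")/ca.key is not needed by the server"
        fi
    done <<EOF
$(ovpn_conf_paths "$conf")
EOF
    return $rc
}

# Usage on the server:
#   ovpn_audit_conf /etc/openvpn/server.conf && echo "server.conf looks sane"
```

The heredoc form is used instead of a pipe into `while` so that `rc` is set in the current shell rather than in a subshell and the function's return code is meaningful.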
6) Start OpenVPN-
Normally you would start OpenVPN by: openvpn /etc/openvpn/server.conf
but, being that I'm a good Slacker, I created an rc.openvpn file...
CREATE: /etc/rc.d/rc.openvpn
CONTAINS:
#!/bin/sh
#
# /etc/rc.d/rc.openvpn
#
# Start/stop/restart the openvpn server.
#
# To make OpenVPN start automatically at boot, make this
# file executable: chmod 755 /etc/rc.d/rc.openvpn
#

ovpn_start() {
  if [ -x /usr/sbin/openvpn -a -r /etc/openvpn/server.conf ]; then
    echo "Starting OpenVPN: /usr/sbin/openvpn server.conf"
    /usr/sbin/openvpn /etc/openvpn/server.conf &
  fi
}

ovpn_stop() {
  killall openvpn
}

ovpn_restart() {
  ovpn_stop
  sleep 2
  ovpn_start
}

case "$1" in
'start')
  ovpn_start
  ;;
'stop')
  ovpn_stop
  ;;
'restart')
  ovpn_restart
  ;;
*)
  # Default is "start", for backwards compatibility with previous
  # Slackware versions. This may change to a 'usage' error someday.
  ovpn_start
esac
7) Make it executable (and autostart on reboots)-
chmod 755 /etc/rc.d/rc.openvpn
To start/stop it manually- /etc/rc.d/rc.openvpn start (or stop or restart)
Now let's fix the firewall so our clients can get to the rest of the world...
8) Edit/create /etc/rc.d/rc.firewall
ADD:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
9) Flush the old firewall rules-
iptables -F
10) Activate the new rules now-
/etc/rc.d/rc.firewall
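Here is an added rc.firewall variant (my example, not the page's own rules) that covers steps 8 to 10 with two changes worth having on an internet-facing box. First, the blanket `iptables -A FORWARD -j ACCEPT` above makes the tun+ rules redundant and lets the Linode forward any traffic between any interfaces; the version below only forwards new connections from the VPN subnet out through eth0, plus the return traffic, and drops everything else. Second, `iptables -F` only flushes the filter table, so every rerun of the original rc.firewall stacks another copy of the MASQUERADE rule in the nat table; the script flushes both. It also checks net.ipv4.ip_forward, without which the kernel never routes client packets at all. The interface and subnet (tun+, eth0, 10.8.0.0/24) are taken from the page; the function names, the DRY_RUN switch and the VPN_NET/WAN_IF variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the page's own rc.firewall: forwarding and NAT rules
# for the routed OpenVPN server, restricted to VPN traffic only.
# Set DRY_RUN=1 to print the iptables commands instead of running them.

VPN_NET=${VPN_NET:-10.8.0.0/24}   # server.conf default subnet
WAN_IF=${WAN_IF:-eth0}            # interface facing the internet

# run CMD...: execute, or just echo when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# ovpn_fw_rules: flush filter AND nat tables, then install the rule set
ovpn_fw_rules() {
    run iptables -F
    run iptables -t nat -F
    # return traffic for connections the VPN clients opened
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # new connections from VPN clients out to the world
    run iptables -A FORWARD -i tun+ -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    # nothing else is forwarded (the page's "-A FORWARD -j ACCEPT" would
    # let the box route arbitrary traffic between any two interfaces)
    run iptables -P FORWARD DROP
    # hide clients behind the server's public address
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# ovpn_check_forwarding [FILE]: 0 if IP forwarding is switched on.
# FILE defaults to the live kernel setting; a path argument exists so the
# check can be exercised against a constructed file.
ovpn_check_forwarding() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# To use this as /etc/rc.d/rc.firewall, uncomment the two lines below:
#   ovpn_check_forwarding || echo 1 > /proc/sys/net/ipv4/ip_forward
#   ovpn_fw_rules
```

Run it once with `DRY_RUN=1 sh rc.firewall` (with the last two lines uncommented) to eyeball the rules before they touch the live box; the FORWARD policy only affects routed traffic, so SSH to the server itself is unaffected.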
If the planets are aligned, you should now have a working OpenVPN server/router.