OpenVPN smcr 2012
OPENVPN MULTI-CLIENT ROUTED SERVER
Here's what I did to get OpenVPN (2.1.4) on my Slackware (13.37) box.
I wanted to get on the internet from public wifi WITHOUT being snooped on so I installed a MULTI-CLIENT, ROUTED (not bridged) OpenVPN server on my Linode. Again, this is MULTI-CLIENT and ROUTED.
1) Install OpenVPN from Slackbuilds.org or using sbopkg 2) Generate the needed certificates and keys- cd /usr/doc/openvpn-2.1.4/easy-rsa/2.0/ vi vars Set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank. source ./vars ./clean-all ./build-ca answer questions ./build-key-server server (server could be anything e.g. VPN1.blah.net) answer questions ./build-key client1 (client1 can be anything e.g bobs-phone) answer questions repeat for each client to have ./build-dh 3) Put the server certs and keys where they need to be- mkdir /etc/openvpn/certsnkeys cp ca.crt /etc/openvpn/certsnkeys/ cp ca.key /etc/openvpn/certsnkeys/ cp server.crt /etc/openvpn/certsnkeys/ cp server.key /etc/openvpn/certsnkeys/ cp dh1024.pem /etc/openvpn/ 4) Send the client certs and keys where they need to be- Each client gets a copy of his client.crt and client.key AND a copy of ca.crt EXAMPLE: My android got a copy of client1.crt, client2.key and ca.crt. My laptop got a copy of client2.crt, client2.key and ca.crt NOTE: my android need a .p12 file, more on that below. 5) Configure the server.conf file- cd /usr/doc/openvpn-2.1.4 cp server.conf.sample /etc/openvpn/server.conf cd /etc/openvpn ***NOTE: in /etc/openvpn you will see a file called openvpn.conf. DO NOT USE THAT! Use server.conf*** Edit /etc/openvpn/server.conf CHANGE: ca ca.crt -> ca /etc/openvpn/certsnkeys/ca.crt cert server.crt -> cert /etc/openvpn/certsnkeys/server.crt key server.key -> key /etc/openvpn/certsnkeys/server.key dh dh.pem -> dh /etc/openvpn/dh1024.pem 6) Start OpenVPN- Normally you would start OpenVPN by: openvpn /etc/openvpn/server.conf but, being that I'm a good Slacker, I created an rc.openvpn file... CREATE: /etc/rc.d/rc.openvpn CONTAINS: #!/bin/sh # # /etc/rc.d/rc.openvpn # # Start/stop/restart the openvpn server. # # To make OpenVPN start automatically at boot, make this # file executable: chmod 755 /etc/rc.d/rc.openvpn # ovpn_start() { if [ -x /usr/sbin/openvpn -a -r /etc/openvpn/server.conf ]; then echo "Starting OpenVPN: /usr/sbin/openvpn server.conf" /usr/sbin/openvpn /etc/openvpn/server.conf & fi } ovpn_stop() { killall openvpn } ovpn_restart() { ovpn_stop sleep 2 ovpn_start } case "$1" in 'start') ovpn_start ;; 'stop') ovpn_stop ;; 'restart') ovpn_restart ;; *) # Default is "start", for backwards compatibility with previous # Slackware versions. This may change to a 'usage' error someday. ovpn_start esac 7) Make it executable (and autostart on reboots)- chmod 755 /etc/rc.d/rc.openvpn To start/stop it manually- /etc/rc.d/rc.openvpn start (or stop or restart) Now let's fix the firewall so our clients can get to the rest of the world... 8) Edit/create /etc/rc.d/rc.firewall ADD: iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A FORWARD -o tun+ -j ACCEPT iptables -A FORWARD -j ACCEPT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 9) Flush the old firewall rules- iptables -F 10) Activate the new rules now- /etc/rc.d/rc.firewall
If the planets are aligned, you should now have a working OpenVPN server/router.