OpenVPN smcr 2012

From SlackWiki
Revision as of 19:16, 9 June 2012 by Arfon (talk | contribs) (CREATED! Saved because I put a lot of work into it so far and don't wanna lose it)

Here's what I did to get OpenVPN (2.1.4) running on my Slackware (13.37) box.

I wanted to get on the internet from public wifi WITHOUT being snooped on so I installed a MULTI-CLIENT, ROUTED (not bridged) OpenVPN server on my Linode. Again, this is MULTI-CLIENT and ROUTED.

1) Install OpenVPN from or using sbopkg

2) Generate the needed certificates and keys-

	cd /usr/doc/openvpn-2.1.4/easy-rsa/2.0/
	vi vars
		Don't leave any of these parameters blank.

	source ./vars
	./clean-all		(creates the empty keys/ directory, index.txt and serial)
	./build-ca		(makes the ca.crt and ca.key that step 3 copies)
		answer questions
	./build-key-server server (server could be anything e.g.
		answer questions
	./build-key client1 (client1 can be anything e.g bobs-phone)
		answer questions
		repeat for each client to have
	./build-dh		(makes the dh1024.pem that step 3 copies)

	Everything generated lands in ./keys/ (i.e. /usr/doc/openvpn-2.1.4/easy-rsa/2.0/keys/).

3) Put the server certs and keys where they need to be (run from the keys/ directory)-
	mkdir /etc/openvpn/certsnkeys
	cp ca.crt /etc/openvpn/certsnkeys/
	cp ca.key /etc/openvpn/certsnkeys/
	cp server.crt /etc/openvpn/certsnkeys/
	cp server.key /etc/openvpn/certsnkeys/
	cp dh1024.pem /etc/openvpn/

	NOTE: the server only ever reads ca.crt, not ca.key. ca.key is what signs new client
	certs, so it's the one file you really don't want taken off a public box; it can stay
	in easy-rsa's keys/ directory (or somewhere offline) instead of /etc/openvpn/certsnkeys/.

4) Send the client certs and keys where they need to be-
	Each client gets a copy of his client.crt and client.key AND a copy of ca.crt
	EXAMPLE: My android got a copy of client1.crt, client1.key and ca.crt.
		My laptop got a copy of client2.crt, client2.key and ca.crt
	NOTE: my android needs a .p12 file, more on that below.

5) Configure the server.conf file-
	cd /usr/doc/openvpn-2.1.4
	cp server.conf.sample /etc/openvpn/server.conf
	cd /etc/openvpn

***NOTE: in /etc/openvpn you will see a file called openvpn.conf.  DO NOT USE THAT!
Use server.conf***

	Edit /etc/openvpn/server.conf (absolute paths, because rc.openvpn below doesn't cd into /etc/openvpn first)
		ca ca.crt	-> ca /etc/openvpn/certsnkeys/ca.crt
		cert server.crt	-> cert /etc/openvpn/certsnkeys/server.crt
		key server.key	-> key /etc/openvpn/certsnkeys/server.key
		dh dh.pem	-> dh /etc/openvpn/dh1024.pem
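For reference, here is a complete server.conf for the routed, multi-client setup this page describes. It is an added example, not the wiki author's file and not OpenVPN's own sample: it uses the certsnkeys paths from step 3, assumes the sample's defaults of UDP port 1194 and the 10.8.0.0/24 tunnel subnet, and assumes a DNS resolver answers at the server's tunnel address 10.8.0.1 (substitute one that actually does). The redirect-gateway push is what makes a client's whole internet session go through the tunnel, which is the point of using it from public wifi; the sample ships with that line commented out.

```conf
# /etc/openvpn/server.conf  (added example, not the wiki's file)
port 1194
proto udp
dev tun

# Paths from step 3. The server never needs ca.key.
ca   /etc/openvpn/certsnkeys/ca.crt
cert /etc/openvpn/certsnkeys/server.crt
key  /etc/openvpn/certsnkeys/server.key
dh   /etc/openvpn/dh1024.pem

# Routed (tun) multi-client mode: the server takes 10.8.0.1 and hands each
# client its own address out of 10.8.0.0/24 (the sample's default subnet).
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt

# Send ALL of the client's traffic through the tunnel. Without this only
# 10.8.0.0/24 is routed and the client still talks to the internet directly.
push "redirect-gateway def1 bypass-dhcp"
# With the gateway redirected the client needs a resolver it can reach
# through the tunnel. 10.8.0.1 is an ASSUMPTION (a resolver on the server).
push "dhcp-option DNS 10.8.0.1"

keepalive 10 120
comp-lzo

# Drop root once the tunnel is up; persist-* keep it working across
# restarts of the tunnel now that we can no longer reopen files as root.
user nobody
group nobody
persist-key
persist-tun

status /var/log/openvpn-status.log
verb 3
```

Check the user/group pair against /etc/group on your box before enabling the drop-privileges lines; if the group name differs, OpenVPN refuses to start and says so in the log at verb 3.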

6) Start OpenVPN-
Normally you would start OpenVPN by: openvpn /etc/openvpn/server.conf
but, being that I'm a good Slacker, I created an rc.openvpn file...

	CREATE: /etc/rc.d/rc.openvpn
		#!/bin/sh
		# /etc/rc.d/rc.openvpn
		# Start/stop/restart the openvpn server.
		# To make OpenVPN start automatically at boot, make this
		# file executable:  chmod 755 /etc/rc.d/rc.openvpn
		ovpn_start() {
		  if [ -x /usr/sbin/openvpn -a -r /etc/openvpn/server.conf ]; then
		    echo "Starting OpenVPN:  /usr/sbin/openvpn server.conf"
		    /usr/sbin/openvpn /etc/openvpn/server.conf &
		  fi
		}
		ovpn_stop() {
		  killall openvpn
		}
		ovpn_restart() {
		  ovpn_stop
		  sleep 2
		  ovpn_start
		}
		case "$1" in
		  'start')   ovpn_start ;;
		  'stop')    ovpn_stop ;;
		  'restart') ovpn_restart ;;
		  # Default is "start", for backwards compatibility with previous
		  # Slackware versions.  This may change to a 'usage' error someday.
		  *)         ovpn_start ;;
		esac

7) Make it executable (and autostart on reboots)-

	chmod 755 /etc/rc.d/rc.openvpn

To start/stop it manually- /etc/rc.d/rc.openvpn start (or stop or restart)

Now let's fix the firewall so our clients can get to the rest of the world...

8) Edit/create /etc/rc.d/rc.firewall

	iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
	iptables -A FORWARD -i tun+ -j ACCEPT
	iptables -A FORWARD -o tun+ -j ACCEPT
	iptables -A FORWARD -j ACCEPT
	iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

	NOTE: 10.8.0.0/24 is the tunnel subnet from the "server" line of server.conf (the
	sample's default) and eth0 is the Linode's public interface; change them if yours
	differ. The three tun+ rules already let VPN traffic through, so the blanket
	"iptables -A FORWARD -j ACCEPT" (which forwards between ALL interfaces) can be left
	out. Forwarding also has to be switched on in the kernel or none of these rules
	ever see a packet:  echo 1 > /proc/sys/net/ipv4/ip_forward

9) Flush the old firewall rules-

	iptables -F

10) Activate the new rules now (and chmod 755 the file so rc.inet2 runs it at boot)-

	sh /etc/rc.d/rc.firewall

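Steps 8 to 10 can be folded into one rc.firewall that also does the flush and turns on kernel forwarding. The script below is an added example, not the wiki author's file: it assumes eth0 is the public interface, 10.8.0.0/24 is the tunnel subnet and 1194/udp is the OpenVPN port (override any of them through the environment). Unlike the rules in step 8 it sets the FORWARD policy to DROP and only forwards tunnel traffic out of eth0, so a client can't be used to reach anything the server itself isn't meant to route. The INPUT chain's policy is left alone, so an SSH session is not cut off when the script runs.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall  (added example, not the wiki's file)
# Assumptions: public interface eth0, tunnel subnet 10.8.0.0/24 (the
# "server" line of the stock server.conf sample), OpenVPN on 1194/udp.
EXT_IF=${EXT_IF:-eth0}
VPN_NET=${VPN_NET:-10.8.0.0/24}
OVPN_PORT=${OVPN_PORT:-1194}

# Emit the rule set as plain iptables commands, one per line, so it can
# be read back with "rc.firewall show" before anything is applied.
fw_rules() {
  cat <<EOF
iptables -F
iptables -t nat -F
iptables -P FORWARD DROP
iptables -A INPUT -i $EXT_IF -p udp --dport $OVPN_PORT -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun+ -o $EXT_IF -s $VPN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $EXT_IF -j MASQUERADE
EOF
}

# Apply: kernel forwarding is off by default on Slackware; without it
# the FORWARD chain and the MASQUERADE rule never see a packet.
fw_apply() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  fw_rules | sh -e
}

# Self-check used below: how many rules are scoped to the tunnel subnet
# (expected 2: the FORWARD accept and the POSTROUTING masquerade).
fw_count_vpn_rules() {
  fw_rules | grep -c -- "-s $VPN_NET"
}

case "$1" in
  start|restart|apply) fw_apply ;;
  stop) iptables -F; iptables -t nat -F; iptables -P FORWARD ACCEPT ;;
  *) fw_rules ;;
esac
```

Run it with no argument to print the rules, and as "/etc/rc.d/rc.firewall start" (which is how Slackware's rc.inet2 calls it when the file is executable) to apply them. The INPUT rule for 1194/udp is a no-op while the INPUT policy is the default ACCEPT, but it keeps the VPN reachable if that policy is ever tightened.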
If the planets are aligned, you should now have a working OpenVPN server/router.