OpenVPN smcr 2012

From SlackWiki
Revision as of 19:18, 9 June 2012 by Arfon (talk | contribs) (Fixed some trash)

OPENVPN MULTI-CLIENT ROUTED SERVER

Here's what I did to get OpenVPN (2.1.4) on my Slackware (13.37) box.

I wanted to get on the internet from public wifi WITHOUT being snooped on so I installed a MULTI-CLIENT, ROUTED (not bridged) OpenVPN server on my Linode. Again, this is MULTI-CLIENT and ROUTED.

1) Install OpenVPN from Slackbuilds.org or using sbopkg

2) Generate the needed certificates and keys-

	cd /usr/doc/openvpn-2.1.4/easy-rsa/2.0/
	vi vars
		Set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters.
		Don't leave any of these parameters blank.

	source ./vars
	./clean-all
	./build-ca
		answer questions
	./build-key-server server (server could be anything e.g. VPN1.blah.net)
		answer questions
	./build-key client1 (client1 can be anything e.g. bobs-phone)
		answer questions
		repeat for each client you want to have
	./build-dh

3) Put the server certs and keys where they need to be-
	mkdir /etc/openvpn/certsnkeys
	cp ca.crt /etc/openvpn/certsnkeys/
	cp ca.key /etc/openvpn/certsnkeys/
	cp server.crt /etc/openvpn/certsnkeys/
	cp server.key /etc/openvpn/certsnkeys/
	cp dh1024.pem /etc/openvpn/

4) Send the client certs and keys where they need to be-
	Each client gets a copy of his client.crt and client.key AND a copy of ca.crt
	EXAMPLE: My Android got a copy of client1.crt, client1.key and ca.crt.
		My laptop got a copy of client2.crt, client2.key and ca.crt
	NOTE: my Android needs a .p12 file, more on that below.

5) Configure the server.conf file-
	cd /usr/doc/openvpn-2.1.4
	cp server.conf.sample /etc/openvpn/server.conf
	cd /etc/openvpn

***NOTE: in /etc/openvpn you will see a file called openvpn.conf.  DO NOT USE THAT!
Use server.conf***

	Edit /etc/openvpn/server.conf
	CHANGE:
		ca ca.crt	-> ca /etc/openvpn/certsnkeys/ca.crt
		cert server.crt	-> cert /etc/openvpn/certsnkeys/server.crt
		key server.key	-> key /etc/openvpn/certsnkeys/server.key
		dh dh.pem	-> dh /etc/openvpn/dh1024.pem

6) Start OpenVPN-
Normally you would start OpenVPN by: openvpn /etc/openvpn/server.conf
but, being that I'm a good Slacker, I created an rc.openvpn file...

	CREATE: /etc/rc.d/rc.openvpn
	CONTAINS:
		#!/bin/sh
		#
		# /etc/rc.d/rc.openvpn
		#
		# Start/stop/restart the openvpn server.
		#
		# To make OpenVPN start automatically at boot, make this
		# file executable:  chmod 755 /etc/rc.d/rc.openvpn
		#
		
		ovpn_start() {
		  if [ -x /usr/sbin/openvpn -a -r /etc/openvpn/server.conf ]; then
		    echo "Starting OpenVPN:  /usr/sbin/openvpn server.conf"
		    /usr/sbin/openvpn /etc/openvpn/server.conf &
		  fi
		}
		
		ovpn_stop() {
		  killall openvpn
		}
		
		ovpn_restart() {
		  ovpn_stop
		  sleep 2
		  ovpn_start
		}
		
		case "$1" in
		'start')
		  ovpn_start
		  ;;
		'stop')
		  ovpn_stop
		  ;;
		'restart')
		  ovpn_restart
		  ;;
		*)
		  # Default is "start", for backwards compatibility with previous
		  # Slackware versions.  This may change to a 'usage' error someday.
		  ovpn_start
		esac

7) Make it executable (and autostart on reboots)-

	chmod 755 /etc/rc.d/rc.openvpn

To start/stop it manually- /etc/rc.d/rc.openvpn start (or stop or restart)

Now let's fix the firewall so our clients can get to the rest of the world...

8) Edit/create /etc/rc.d/rc.firewall

	ADD:
	iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
	iptables -A FORWARD -i tun+ -j ACCEPT
	iptables -A FORWARD -o tun+ -j ACCEPT
	iptables -A FORWARD -j ACCEPT
	iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

9) Flush the old firewall rules-

	iptables -F

10) Activate the new rules now-

	/etc/rc.d/rc.firewall

If the planets are aligned, you should now have a working OpenVPN server/router.
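
The rules in step 8 work, but the fourth one, iptables -A FORWARD -j ACCEPT, accepts every forwarded packet regardless of interface, so the tun+ rules in front of it never restrict anything and the box forwards between any pair of interfaces. The script below is an added example, not the wiki author's rc.firewall: it keeps the page's rule set in one function for comparison and puts a tightened set beside it that only forwards between the tunnel and the public interface, relies on connection tracking for replies, and lets the chain policy drop the rest. It assumes the 10.8.0.0/24 subnet from the sample server.conf, eth0 as the public interface, and OpenVPN's default port 1194/udp; by default it only prints the commands, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the SlackWiki page's rc.firewall): FORWARD/NAT rules for a
# routed multi-client OpenVPN server, with the page's rules kept for comparison.
VPN_NET="${VPN_NET:-10.8.0.0/24}"   # assumption: subnet from the sample server.conf
WAN_IF="${WAN_IF:-eth0}"            # assumption: public interface of the Linode
VPN_PORT="${VPN_PORT:-1194}"        # assumption: OpenVPN default port, udp
DRY_RUN="${DRY_RUN:-1}"             # 1 = print commands, 0 = execute them (needs root)

run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# The rules as given in step 8. The last FORWARD rule accepts everything, so
# the tun+ rules above it never limit anything.
page_rules() {
  run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  run iptables -A FORWARD -i tun+ -j ACCEPT
  run iptables -A FORWARD -o tun+ -j ACCEPT
  run iptables -A FORWARD -j ACCEPT
  run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Tightened set: only tunnel -> WAN is forwarded for new connections, replies
# come back via connection tracking, and the FORWARD policy drops the rest.
vpn_rules() {
  run sysctl -w net.ipv4.ip_forward=1        # routing needs forwarding enabled
  run iptables -F FORWARD
  run iptables -t nat -F POSTROUTING
  run iptables -P FORWARD DROP
  run iptables -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
  run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  run iptables -A FORWARD -i tun+ -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
  run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# catch_all_accepts FUNC -> how many unconditional "FORWARD ACCEPT" rules FUNC emits
catch_all_accepts() {
  DRY_RUN=1 "$1" | grep -c '^iptables -A FORWARD -j ACCEPT$' || true
}

# forward_rules_have_interface FUNC -> 0 if every FORWARD ACCEPT that is not a
# state match names an interface, i.e. nothing is forwarded unconditionally
forward_rules_have_interface() {
  DRY_RUN=1 "$1" | grep '^iptables -A FORWARD' | grep -v -- '--state' |
    grep -v -e '-i ' -e '-o ' | grep -q . && return 1
  return 0
}

echo "# page rules: $(catch_all_accepts page_rules) catch-all FORWARD ACCEPT"
echo "# tightened:  $(catch_all_accepts vpn_rules) catch-all FORWARD ACCEPT"
vpn_rules
```

To apply the tightened set from rc.firewall, call vpn_rules with DRY_RUN=0; the page's iptables -F before running rc.firewall is still needed so old rules do not linger in front of the new ones.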