Home > Linux, Useful commands > Install OpenVPN and route internet traffic on Debian-based systems

Install OpenVPN and route internet traffic on Debian-based systems

1. Compile OpenVPN from sources or get a binary (easiest way):

apt-get install openvpn

2. Copy scripts for keys generation:

cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

3. Edit default settings for CA:

pico /etc/openvpn/easy-rsa/2.0/vars

4. Initialize the PKI:

cd /etc/openvpn/easy-rsa/2.0/
. ./vars
./clean-all
./build-ca

5. Generate certificate and private key for the server:

./build-key-server server

6. Generate Diffie Hellman parameters:

./build-dh

7. Generate certificate and key for client:

./build-key client1

8. Explenation of generated keys and certificates:

Filename Needed By Purpose Secret
ca.crt server + all clients Root CA certificate NO
ca.key key signing machine only Root CA key YES
dh{n}.pem server only Diffie Hellman parameters NO
server.crt server only Server Certificate NO
server.key server only Server Key YES
client1.crt client1 only Client1 Certificate NO
client1.key client1 only Client1 Key YES

9. Move keys an certyficates to /etc/openvpn/:

mv keys/ca.crt keys/ca.key keys/dh1024.pem keys/server.crt keys/server.key /etc/openvpn/

10. Move client1.crt, client1.key and copy ca.crt to your client1.

11. Create a config file for server:

pico /etc/openvpn/server.conf

 

proto tcp
port 52367
dev tun0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 60 320
comp-lzo
client-to-client
user _openvpn
group _openvpn
status /var/log/openvpn/status.log
log-appendĀ  /var/log/openvpn/openvpn.log
persist-tun
persist-key
cipher AES-256-CBC
push "redirect-gateway def1"

12. Create dir for logs:

mkdir /var/log/openvpn

13. Create user and group for OpenVPN:

groupadd _openvpn
useradd -d /dev/null -g _openvpn -s /bin/false _openvpn

14. Set permissions for logs dir:

chown -R _openvpn:_openvpn /var/log/openvpn

15. Start OpenVPN:

/etc/init.d/openvpn start

* In case of any problems with tun0, ex: “Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory”
try to create it manually:

cd /dev
mkdir net
cd net
mknod tun c 10 200
chmod 666 tun

16. Route internet traffic via server:

pico /root/iptables.sh

 

#!/bin/sh

IPT="/sbin/iptables"

# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain

# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP

# Accept inbound TCP packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 52367 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT

# Accept outbound packets
$IPT -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

# NAT
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i tun0 -o eth0 -j ACCEPT

# Enables packet forwarding by kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

 

sh /root/iptables.sh

17. Create config for client:

client
remote 10.12.0.1 52367
proto tcp
dev tun0
keepalive 30 120
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
cipher AES-256-CBC

18. Now you can connect to VPN from client1.

Categories: Linux, Useful commands
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: