Install OpenVPN and route internet traffic on Debian-based systems
1. Install the OpenVPN binary package (easiest) or compile it from source:
apt-get install openvpn
2. Copy scripts for keys generation:
cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
3. Edit the default settings for the CA (KEY_COUNTRY, KEY_ORG, KEY_EMAIL etc.). Check KEY_SIZE as well: the default of 1024 bits is too small by today's standards, so set it to 2048. The DH file generated in step 6 is named after it (dh1024.pem or dh2048.pem), so adjust the file name in the later steps accordingly:
pico /etc/openvpn/easy-rsa/2.0/vars
4. Initialize the PKI (clean-all wipes the keys directory, so run it only once, when the PKI is created):
cd /etc/openvpn/easy-rsa/2.0/
. ./vars
./clean-all
./build-ca
5. Generate certificate and private key for the server:
./build-key-server server
6. Generate the Diffie-Hellman parameters (this takes a while with a larger KEY_SIZE):
./build-dh
7. Generate certificate and key for client:
./build-key client1
8. Explanation of the generated keys and certificates:
Filename    | Needed by                | Purpose                   | Secret |
ca.crt      | server + all clients     | Root CA certificate       | NO     |
ca.key      | key-signing machine only | Root CA key               | YES    |
dh{n}.pem   | server only              | Diffie-Hellman parameters | NO     |
server.crt  | server only              | Server certificate        | NO     |
server.key  | server only              | Server key                | YES    |
client1.crt | client1 only             | Client1 certificate       | NO     |
client1.key | client1 only             | Client1 key               | YES    |
9. Move the keys and certificates to /etc/openvpn/ (still from /etc/openvpn/easy-rsa/2.0/; the file is dh2048.pem if you set KEY_SIZE=2048 in vars):
mv keys/ca.crt keys/ca.key keys/dh1024.pem keys/server.crt keys/server.key /etc/openvpn/
10. Move client1.crt and client1.key and copy ca.crt to client1 over a secure channel (e.g. scp), so that the client's private key no longer exists on the server. Note that ca.key is only needed on the machine that signs certificates, as in the table above: keep it off the VPN server, or anyone who compromises the server can issue valid client and server certificates.
11. Create the config file for the server. The daemon drops to the unprivileged _openvpn user after start-up; persist-key and persist-tun are needed so that it does not have to re-read the private key or re-open the tun device, which it could no longer do, on restarts:
pico /etc/openvpn/server.conf
proto tcp
port 52367
dev tun0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 60 320
comp-lzo
client-to-client
user _openvpn
group _openvpn
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
persist-tun
persist-key
cipher AES-256-CBC
push "redirect-gateway def1"
12. Create dir for logs:
mkdir /var/log/openvpn
13. Create a user and group for OpenVPN:
groupadd _openvpn
useradd -d /dev/null -g _openvpn -s /bin/false _openvpn
14. Set permissions for logs dir:
chown -R _openvpn:_openvpn /var/log/openvpn
15. Start OpenVPN:
/etc/init.d/openvpn start
* In case of problems with tun0, e.g. "Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory", try to create the device node manually:
cd /dev
mkdir net
cd net
mknod tun c 10 200
chmod 666 tun
16. Route the clients' Internet traffic via the server (replace eth0 with the server's public interface). Neither the iptables rules nor the ip_forward setting survive a reboot: run the script from /etc/rc.local or save the rules with iptables-save, and set net.ipv4.ip_forward=1 in /etc/sysctl.conf. Note that the OUTPUT policy below only lets the server itself originate DNS and HTTP connections; extend it if the server needs anything else (e.g. HTTPS). Since redirect-gateway only changes the clients' default route, clients keep using the DNS resolver of their local network unless the server also pushes one.
pico /root/iptables.sh
#!/bin/sh
IPT="/sbin/iptables"

# Flush old rules and custom chains in the filter table
$IPT --flush
$IPT --delete-chain
# Flush the nat table too, otherwise re-running this script stacks up duplicate MASQUERADE rules
$IPT -t nat --flush
$IPT -t nat --delete-chain

# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP

# Accept inbound TCP packets: replies, SSH and the OpenVPN port
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 52367 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT

# Accept outbound packets: replies, plus DNS and HTTP originated by the server itself
$IPT -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

# NAT: masquerade VPN client traffic leaving on eth0 and allow it to be forwarded
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i tun0 -o eth0 -j ACCEPT

# Enable packet forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
sh /root/iptables.sh
17. Create the config for the client (10.12.0.1 is the server's public address; cipher and comp-lzo must match the server). ns-cert-type server makes the client reject a server whose certificate lacks the server nsCertType extension set by build-key-server, so a stolen client certificate cannot be used to impersonate the server. The directive is deprecated in current OpenVPN releases; on OpenVPN 2.1 and later, remote-cert-tls server is the equivalent that checks the extendedKeyUsage extension instead:
client
remote 10.12.0.1 52367
proto tcp
dev tun0
keepalive 30 120
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
cipher AES-256-CBC
18. Now you can connect to the VPN from client1; because of the pushed redirect-gateway, all of its Internet traffic leaves through the server.
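Steps 10 and 17 hand the client three separate PEM files plus a config that refers to them by relative path. The script below, an added example rather than part of the original tutorial, bundles them into a single-file profile using OpenVPN's inline <ca>, <cert> and <key> sections, and refuses to proceed if the certificate and key files are swapped (a common mistake that otherwise only shows up as a TLS error at connect time). It is POSIX sh, assumes the server address and port are passed in by the caller, and uses remote-cert-tls server in place of the ns-cert-type server directive from step 17 (equivalent for certificates produced by build-key-server, which sets both the nsCertType and the extendedKeyUsage extension). The PEM files it writes for its dry run are constructed placeholders, not real certificates or keys.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): bundle ca.crt,
# client1.crt and client1.key from step 10 together with the client
# directives of step 17 into one single-file OpenVPN profile.
# Assumptions: server host/port are passed in by the caller;
# "remote-cert-tls server" replaces the deprecated "ns-cert-type server".
set -eu

# pem_kind FILE -> prints "cert", "key" or "unknown" from the PEM header.
# Catches the common mistake of passing the key where the cert belongs.
pem_kind() {
    if grep -q -- '^-----BEGIN CERTIFICATE-----' "$1"; then
        echo cert
    elif grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo key
    else
        echo unknown
    fi
}

# build_client_profile OUT HOST PORT CA_CRT CLIENT_CRT CLIENT_KEY
# Writes OUT with mode 0600 because it embeds the client's private key.
build_client_profile() {
    out=$1 host=$2 port=$3 ca=$4 crt=$5 key=$6
    [ "$(pem_kind "$ca")" = cert ]  || { echo "$ca: not a certificate" >&2; return 1; }
    [ "$(pem_kind "$crt")" = cert ] || { echo "$crt: not a certificate" >&2; return 1; }
    [ "$(pem_kind "$key")" = key ]  || { echo "$key: not a private key" >&2; return 1; }
    (
        umask 077   # only affects this subshell
        {
            # "dev tun" lets the client OS pick a free tun device
            printf 'client\nremote %s %s\nproto tcp\ndev tun\nnobind\n' "$host" "$port"
            printf 'persist-key\npersist-tun\nkeepalive 30 120\n'
            printf 'remote-cert-tls server\ncipher AES-256-CBC\ncomp-lzo\n'
            printf '<ca>\n';   cat "$ca";  printf '</ca>\n'
            printf '<cert>\n'; cat "$crt"; printf '</cert>\n'
            printf '<key>\n';  cat "$key"; printf '</key>\n'
        } > "$out"
    )
}

# inline_sections FILE -> number of complete <tag>...</tag> pairs (3 when intact)
inline_sections() {
    n=0
    for t in ca cert key; do
        if grep -q "^<$t>\$" "$1" && grep -q "^</$t>\$" "$1"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# make_sample_pki DIR: constructed placeholder PEM files for a dry run.
# These are NOT real certificates or keys; use the easy-rsa output in practice.
make_sample_pki() {
    printf -- '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgU0FNUExF\n-----END CERTIFICATE-----\n' > "$1/ca.crt"
    printf -- '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgU0FNUExF\n-----END CERTIFICATE-----\n' > "$1/client1.crt"
    printf -- '-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQgU0FNUExF\n-----END PRIVATE KEY-----\n' > "$1/client1.key"
}

# Dry run on the constructed files so the script is self-contained.
work=$(mktemp -d)
make_sample_pki "$work"
build_client_profile "$work/client1.ovpn" 10.12.0.1 52367 \
    "$work/ca.crt" "$work/client1.crt" "$work/client1.key"
echo "inline sections: $(inline_sections "$work/client1.ovpn")"   # 3
rm -rf "$work"
```

Run it as-is for the dry run, or call build_client_profile with the real files from the easy-rsa keys directory; the resulting client1.ovpn contains the private key, hence the 0600 mode, and should be copied to the client the same way as the individual files in step 10.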