Niki Nuryadin

Let's share IT knowledge

Step by step: setting up OpenVPN on Debian with a routed (tun) connection

Verify that TUN support is enabled on the system (OpenVPN needs the /dev/net/tun character device):

#test ! -c /dev/net/tun && echo "openvpn requires tun support" || echo "tun is available"
tun is available

If it reports that TUN is missing, load the module with modprobe tun (and check that the kernel was built with it).

Installing OpenVPN on the server

#apt-get install openvpn

Preparing to generate the keys. The easy-rsa 2.0 scripts ship with the Debian package as examples; copy them somewhere an upgrade will not overwrite. Before sourcing vars, edit it: set KEY_SIZE (2048 rather than the old 1024 default) and the default certificate fields (country, organisation and so on).

#mkdir /etc/openvpn/easy-rsa
#cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Generating the certificate authority (CA) that will sign the server and client certificates. clean-all wipes the keys/ directory, so run it only once, when creating the CA, never when adding clients later.

#cd /etc/openvpn/easy-rsa
#source ./vars
#./clean-all
#./build-ca

Creating the server key and certificate. The name you pass becomes the certificate's Common Name and the file names under keys/ (here vpnsarandi.crt and vpnsarandi.key, which the server config below refers to). build-key-server also sets the nsCertType=server extension that the clients' ns-cert-type check relies on.

#./build-key-server vpnsarandi

Generating the Diffie-Hellman parameters, used for the TLS key exchange between client and server. The file is named after KEY_SIZE in vars (dh1024.pem with the old default; 1024-bit DH is too small by today's standards, so set KEY_SIZE=2048 and reference dh2048.pem instead):

#./build-dh

Creating the client keys that clients use to authenticate to the server. build-key-pkcs12 bundles the CA certificate, the client certificate and the client's private key into one PKCS#12 file (keys/client1.p12):

#./build-key-pkcs12 client1

You will be asked for an export password. It encrypts the private key inside the .p12; the client is prompted for it when it loads the file. It is a passphrase on the key, not a login password checked by the server.

Now we need to configure the server. Decide here whether you want tun (routed) or tap (bridged) connections. With tap the client gets an address on the server's own LAN segment (Ethernet frames are bridged); with tun the server creates a separate private subnet and routes between it and the LANs.

Configure OpenVPN for a routed (tun) connection

Configuring the server

#vim /etc/openvpn/server.conf
(add the following lines; # starts a comment, and the quotes around pushed routes must be plain ASCII " characters, not the curly quotes a web page or word processor produces, or OpenVPN will fail to parse the line)

# 443 is an arbitrary choice (the default is 1194). This is 443/udp, so it does not
# look like HTTPS to a firewall; passing HTTPS-only firewalls needs proto tcp.
port 443
proto udp
dev tun

# From the easy-rsa steps above; cert/key names match the name given to build-key-server.
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpnsarandi.crt
key /etc/openvpn/easy-rsa/keys/vpnsarandi.key
# build-dh names this after KEY_SIZE in vars; with KEY_SIZE=2048 use dh2048.pem.
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

# Relative paths resolve from /etc/openvpn, because the Debian init script starts
# openvpn with --cd /etc/openvpn. ipp.txt remembers which client got which address.
ifconfig-pool-persist ipp.txt
# the VPN subnet; the server itself takes 10.1.0.1
server 10.1.0.0 255.255.255.0
# per-client files (named after the certificate CN) live here
client-config-dir ccd

# LANs behind clients: the server needs a kernel route into the tunnel for each (route)
# and an iroute in that client's ccd file telling OpenVPN which client owns the subnet.
# A route line without a matching iroute is unreachable.
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
# let clients (and the LANs behind them) reach each other through the server
client-to-client
# tell every client how to reach those LANs
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"

# ping every 10 s, assume the peer is gone after 120 s
keepalive 10 120
# compression must match on both sides; compressing plaintext inside the tunnel is
# now known to leak data (VORACLE), so consider leaving it out on both ends
comp-lzo
# keep the key in memory and the tun device open across restarts, which is what
# makes it possible to drop privileges with "user nobody" and "group nogroup"
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

Making the ccd directory:

#mkdir /etc/openvpn/ccd

Making the file client1 in the ccd directory. The file name must be exactly the Common Name of the client certificate (the name given to build-key-pkcs12), otherwise OpenVPN never reads it:

#vim /etc/openvpn/ccd/client1
(add the following lines)

iroute 192.168.1.0 255.255.255.0

This tells OpenVPN that 192.168.1.0/24 sits behind client1. If 192.168.2.0/24 is behind a second client, that client needs its own ccd file with the matching iroute.

Restart OpenVPN:

#/etc/init.d/openvpn restart
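Two things in the configuration above go wrong silently: a route line whose subnet has no iroute in any ccd file, and push lines that carry curly quotes copied from a web page. The following lint script is an added example for this page, not part of OpenVPN or easy-rsa; it checks a server.conf against its ccd directory with plain sh, awk and grep, and also flags a small DH file, a missing user/group pair and comp-lzo. The file paths and the optional server-LAN arguments are whatever you pass in.

```shell
#!/bin/sh
# ovpn_lint: consistency checks for an OpenVPN server.conf and its client-config-dir.
# Added example for this page, not OpenVPN's own tooling. Plain sh/awk/grep/sed.
#
#   ovpn_lint SERVER.CONF CCD_DIR ["NET MASK" ...]
#
# The optional "NET MASK" arguments name subnets that are the server's own LAN
# (directly connected, so they need neither a route line nor an iroute).
# One finding per line on stdout; the return value is the number of findings.
ovpn_lint() {
    local conf=$1 ccd=$2 n=0 lans bad r net mask net_re mask_re owner bits
    shift 2
    lans=" $* "          # " 192.168.0.0 255.255.255.0 " style list for case matching

    # 1. Non-ASCII bytes. Curly quotes pasted from a web page make OpenVPN reject
    #    the push line; in the C locale anything outside printable ASCII and
    #    whitespace is reported with its line number.
    bad=$(LC_ALL=C grep -n '[^[:print:][:space:]]' "$conf" || true)
    if [ -n "$bad" ]; then
        printf 'non-ASCII byte (curly quote?) in %s:\n%s\n' "$conf" "$bad"
        n=$((n + 1))
    fi

    # 2. Every "route NET MASK" to a client-side LAN needs an "iroute NET MASK" in
    #    some ccd file, otherwise the kernel routes into the tunnel but OpenVPN
    #    does not know which client connection should receive the packets.
    for r in $(awk '$1 == "route" { print $2 "/" $3 }' "$conf"); do
        net=${r%/*}; mask=${r#*/}
        case "$lans" in *" $net $mask "*) continue ;; esac
        net_re=$(printf '%s' "$net" | sed 's/\./\\./g')
        mask_re=$(printf '%s' "$mask" | sed 's/\./\\./g')
        owner=$(grep -lE "^iroute[[:space:]]+${net_re}[[:space:]]+${mask_re}([[:space:]]|\$)" "$ccd"/* 2>/dev/null || true)
        if [ -z "$owner" ]; then
            printf 'route %s %s: no iroute for it in any file under %s\n' "$net" "$mask" "$ccd"
            n=$((n + 1))
        fi
    done

    # 3. Every pushed route should have a server-side route line (or be a server
    #    LAN), or clients get a route the server cannot serve.
    for r in $(sed -n 's/^push[[:space:]]*"route[[:space:]]*\([0-9.]*\)[[:space:]]*\([0-9.]*\).*/\1\/\2/p' "$conf"); do
        net=${r%/*}; mask=${r#*/}
        case "$lans" in *" $net $mask "*) continue ;; esac
        if ! awk -v a="$net" -v m="$mask" '$1 == "route" && $2 == a && $3 == m { f = 1 } END { exit !f }' "$conf"; then
            printf 'push "route %s %s": no matching route line in %s\n' "$net" "$mask" "$conf"
            n=$((n + 1))
        fi
    done

    # 4. easy-rsa names the DH file after KEY_SIZE; anything under 2048 bits is weak.
    bits=$(sed -n 's/^dh[[:space:]].*dh\([0-9][0-9]*\)\.pem.*/\1/p' "$conf")
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        printf 'dh%s.pem: %s-bit DH parameters; set KEY_SIZE=2048 in vars and rerun build-dh\n' "$bits" "$bits"
        n=$((n + 1))
    fi

    # 5. Without user/group the daemon keeps root for its whole lifetime.
    if ! awk '$1 == "user" { u = 1 } $1 == "group" { g = 1 } END { exit !(u && g) }' "$conf"; then
        printf 'no user/group directives: openvpn keeps root privileges after startup\n'
        n=$((n + 1))
    fi

    # 6. Compression of plaintext inside the tunnel (VORACLE); better left out on both sides.
    if awk '$1 == "comp-lzo" { f = 1 } END { exit !f }' "$conf"; then
        printf 'comp-lzo enabled: compressing plaintext inside the tunnel leaks data (VORACLE)\n'
        n=$((n + 1))
    fi
    return $n
}

# run directly:  ovpn_lint.sh /etc/openvpn/server.conf /etc/openvpn/ccd "192.168.0.0 255.255.255.0"
if [ $# -ge 2 ]; then ovpn_lint "$@"; fi
```

The last argument names the server's own LAN, so its pushed route is not reported. Against the configuration on this page it reports the route for 192.168.2.0/24 (no ccd file claims it), dh1024.pem, the missing user/group pair and comp-lzo; once each finding is fixed it prints nothing and returns 0.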

Setting up the Windows client. First, download and install the OpenVPN Windows client (at the time of writing, 2.1 RC15). Then create a file 'client.ovpn' in its config directory (C:\Program Files\OpenVPN\config) with the following parameters. The extension matters: the Windows GUI only lists *.ovpn files, so a 'client.conf' would be ignored.

client
dev tun
proto udp
# replace x.x.x.x with the server's public IP or host name; port and proto must match the server
remote x.x.x.x 443
resolv-retry infinite
nobind
# the PKCS#12 bundle from build-key-pkcs12 (CA cert, client cert, private key); replace with the client name
pkcs12 client1.p12
# only accept a server certificate built with build-key-server (nsCertType=server).
# Without this, any client certificate signed by the same CA could impersonate the server.
# Later OpenVPN versions prefer the equivalent "remote-cert-tls server".
ns-cert-type server
# must match the server (remove on both sides if you drop compression there)
comp-lzo
verb 3
#redirect-gateway def1

Uncomment 'redirect-gateway def1' to send all of the client's traffic through the tunnel rather than only traffic for the VPN subnets. The 'def1' flag adds two more specific routes (0.0.0.0/1 and 128.0.0.0/1) instead of replacing the default route, which recovers more cleanly when the tunnel drops. For the client to reach the internet this way the server must forward and NAT its traffic (the MASQUERADE rule further down).

Copy the client1.p12 file to the config directory on the client, start the GUI, and connect. The .p12 contains the client's private key: treat it like a password, do not send it over an unencrypted channel, and delete the copy on the server once it has been handed over.

If you need to create more clients in the future, run (without clean-all, which would destroy the CA and every existing certificate):

#cd /etc/openvpn/easy-rsa
#source ./vars
#./build-key-pkcs12 clientx

To lock a client out again, revoke its certificate with ./revoke-full clientx and point the server at the resulting CRL with crl-verify /etc/openvpn/easy-rsa/keys/crl.pem; a revoked client can no longer complete the TLS handshake.

Enable IP and TUN/TAP forwarding:

On Linux. This applies to the OpenVPN server (it forwards between the tunnel, its LAN and the internet) and to any Linux client that acts as the gateway for a LAN, such as client1 for 192.168.1.0/24. Without forwarding the route and iroute entries above lead nowhere.

IP Forwarding

Check whether IP forwarding is enabled:

#sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

or

#cat /proc/sys/net/ipv4/ip_forward
0

As both examples show, it is disabled (the value is 0).

Enable IP forwarding on the fly (lost at reboot):

#sysctl -w net.ipv4.ip_forward=1

or

#echo 1 > /proc/sys/net/ipv4/ip_forward

Permanent setting: add the line to /etc/sysctl.conf and load it:

net.ipv4.ip_forward = 1

#sysctl -p /etc/sysctl.conf
 

On RedHat based systems this is also applied when restarting the network service:

#service network restart

and on Debian/Ubuntu systems by restarting the procps service (the script is named procps, without .sh, on later releases):

#/etc/init.d/procps.sh restart

Using distribution-specific init scripts

The methods above work everywhere; for completeness, some distributions also have their own switch for IP forwarding. Older Debian releases used /etc/network/options (modern ifupdown no longer reads it):

ip_forward=no

Set it to yes and restart the network service. RedHat distributions may set this in /etc/sysconfig/network:

FORWARD_IPV4=true

and again restart the network service.

Regardless of the method used, once you are done check it with the same commands as above:

#sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
#cat /proc/sys/net/ipv4/ip_forward
1

If the result is 1, the Linux system forwards IP packets that are not addressed to any of its own interfaces, which is what a router does.

TUN/TAP forwarding:

The interface wildcard tun+ matches tun0, tun1 and so on, so the rules keep working whatever device number OpenVPN picks. The rules below accept everything that arrives decrypted from the tunnel; use the tun or the tap pair depending on the dev setting. They assume the chain policies are ACCEPT. If your INPUT or FORWARD policy is DROP you must also accept the OpenVPN port itself (udp 443 in this setup) and the replies flowing back into the tunnel (outgoing on tun+, state RELATED,ESTABLISHED), or requests will leave and the answers will be dropped.

Allow TUN interface connections to the OpenVPN server
# iptables -A INPUT -i tun+ -j ACCEPT

Allow TUN interface connections to be forwarded to other interfaces
# iptables -A FORWARD -i tun+ -j ACCEPT

Allow TAP interface connections to the OpenVPN server
# iptables -A INPUT -i tap+ -j ACCEPT

Allow TAP interface connections to be forwarded to other interfaces
# iptables -A FORWARD -i tap+ -j ACCEPT


** Internet sharing for VPN clients (NAT). This assumes eth1 is the server's internet-facing interface; substitute yours. Packets leaving through eth1 are rewritten to carry the server's address, so the outside world never sees 10.1.0.x:

#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

iptables rules live only in the kernel and vanish at reboot. iptables-save on its own merely prints them; redirect the output to a file and reload that file when the network comes up (for example from a pre-up line in /etc/network/interfaces):

#iptables-save > /etc/iptables.rules
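The four tun+/tap+ rules and the MASQUERADE line above are enough on a host whose iptables policies are ACCEPT, but as soon as the policies are DROP the one-way FORWARD rule lets requests out and drops every reply, and the OpenVPN port itself is closed. The script below is an added example for this page, not part of OpenVPN or Debian: vpn_fw_rules prints a complete iptables-restore ruleset with the stateful return rules, and vpn_fw_audit reads an iptables-save dump plus the ip_forward sysctl file and reports what is missing. Interface names and the port are arguments (eth1 and 443 follow the page); the ssh accept rule in the generated set is an assumption you should adjust to your own management access.

```shell
#!/bin/sh
# Stateful firewall ruleset for an OpenVPN gateway, plus a post-setup audit.
# Added example for this page, not OpenVPN's or Debian's own tooling.
#
# vpn_fw_rules WAN_IF VPN_PORT
#   prints an iptables-restore ruleset: the page's tun+ rules, the return-path and
#   service rules needed once the INPUT/FORWARD policies are DROP, and MASQUERADE
#   on the internet-facing interface.
# vpn_fw_audit DUMP_FILE IP_FORWARD_FILE WAN_IF VPN_PORT
#   reads an iptables-save dump and the ip_forward sysctl file
#   (/proc/sys/net/ipv4/ip_forward), prints what is missing, returns the count.

vpn_fw_rules() {
    local wan=$1 port=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# management access (assumed: ssh); adjust or you lock yourself out once DROP applies
-A INPUT -p tcp --dport 22 -j ACCEPT
# the OpenVPN service itself, then everything that arrives decrypted from the tunnel
-A INPUT -p udp --dport $port -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
# tunnel -> LAN/internet, and the replies back into the tunnel
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# rule_present DUMP ERE: true when some line of the iptables-save dump matches
rule_present() { grep -qE -e "$2" "$1"; }

vpn_fw_audit() {
    local dump=$1 ipfwd=$2 wan=$3 port=$4 n=0

    if [ "$(cat "$ipfwd" 2>/dev/null)" != 1 ]; then
        printf 'net.ipv4.ip_forward is not 1 (%s): the box will not route tunnel traffic\n' "$ipfwd"
        n=$((n + 1))
    fi
    rule_present "$dump" '^-A INPUT -i tun\+ -j ACCEPT' ||
        { printf 'missing: INPUT accept from tun+\n'; n=$((n + 1)); }
    rule_present "$dump" '^-A FORWARD -i tun\+ -j ACCEPT' ||
        { printf 'missing: FORWARD accept from tun+\n'; n=$((n + 1)); }
    # with a DROP policy the one-way FORWARD rule lets requests out but drops the replies;
    # accept both the -m state and the newer -m conntrack spelling
    if rule_present "$dump" '^:FORWARD DROP' &&
       ! rule_present "$dump" '^-A FORWARD -o tun\+ .*(RELATED,ESTABLISHED|ESTABLISHED,RELATED).* -j ACCEPT'; then
        printf 'FORWARD policy is DROP but there is no RELATED,ESTABLISHED rule back into tun+\n'
        n=$((n + 1))
    fi
    # iptables-save writes "-p udp -m udp --dport N"; restore input may omit "-m udp"
    if rule_present "$dump" '^:INPUT DROP' &&
       ! rule_present "$dump" "^-A INPUT -p udp .*--dport ${port} .*-j ACCEPT"; then
        printf 'INPUT policy is DROP but udp/%s (the OpenVPN port) is not accepted\n' "$port"
        n=$((n + 1))
    fi
    rule_present "$dump" "^-A POSTROUTING -o ${wan} -j MASQUERADE" ||
        { printf 'missing: MASQUERADE on %s, clients will not reach the internet\n' "$wan"; n=$((n + 1)); }
    return $n
}

# typical use on the gateway, as root:
#   vpn_fw_rules eth1 443 > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
#   iptables-save > /tmp/fw.dump && vpn_fw_audit /tmp/fw.dump /proc/sys/net/ipv4/ip_forward eth1 443
```

Load /etc/iptables.rules from a pre-up line in /etc/network/interfaces to keep the rules across reboots. Fed the page's own four rules with DROP policies, the audit reports the missing return rule, the closed OpenVPN port and, if it is still off, ip_forward; the generated ruleset passes with no findings.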

Restart Networking and OpenVPN

#/etc/init.d/networking restart

#/etc/init.d/openvpn restart

On Windows client:

To enable TCP/IP forwarding, follow these steps:

Start Registry Editor (Regedit.exe).

In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Set the following registry value:

Value Name: IPEnableRouter
Value type: REG_DWORD
Value Data: 1

A value of 1 enables TCP/IP forwarding for all network connections that are installed and used by this computer.

Quit Registry Editor and restart the computer for the change to take effect.

On the LAN behind the client, point the workstations at the OpenVPN client's LAN address as their gateway for the remote subnets (or as their default gateway), so that every workstation behind each client LAN can reach the others through the tunnel. The server-side route and the client's iroute for that LAN (see the ccd step above) must exist as well, or the return packets have nowhere to go.

16 April 2010 | Posted in Linux, Networking | 22 Comments