Openvpn

= OpenVPN =

For more information, see http://www.openvpn.net/.

Working with systemd
With the transition to systemd, OpenVPN no longer has a single monolithic init script, where every connection with a configuration file in  is started automatically. Instead, individual connections can be started and stopped with.

For example, to start a connection, run foo, where the connection is defined in  foo.

For more information, see Systemd.

Setting up an OpenVPN server

 * 1) Copy   somewhere (like root's home directory with  ).
 * 2) Edit   appropriately.
 * 3) Before continuing, make sure the system time is correct. Preferably, set up NTP.
 * 4) Edit   appropriately to set your configuration and key paths, which are found in /etc/openvpn/keys/.
 * 5) Fix the SELinux context of the files:
      restorecon -Rv /etc/openvpn
 * 6) If you have Fedora 14 or earlier:
 * 7) If you have Fedora 15 or later (note that 'server' corresponds to the configuration name in /etc/openvpn/, such as server.conf):
 * 8) Verify that firewall rules allow traffic in from , out from the LAN to  , and in from the outside on UDP port 1194.

The following should work (assuming the outside interface is eth1 and the inside interface is eth0):

  iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
  iptables -A INPUT -i tun+ -j ACCEPT
  iptables -A FORWARD -i tun+ -j ACCEPT
  iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT
  iptables -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

Or for genfw (my firewall-generation script, not currently available in Fedora), put this in  :

  append INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
  append INPUT -i tun+ -j ACCEPT
  append FORWARD -i tun+ -j ACCEPT
  append FORWARD -i eth0 -o tun+ -j ACCEPT
  append FORWARD -i eth1 -o tun+ -j established

Or for system-config-firewall, you can add these custom rules:

  -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
  -A INPUT -i tun+ -j ACCEPT
  -A FORWARD -i tun+ -j ACCEPT
  -A FORWARD -i eth0 -o tun+ -j ACCEPT
  -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

Create a file iptables-rules in /etc/sysconfig and add the above contents. Then, in system-config-firewall, choose "Custom Rules", click "Add", choose IPV4 for the protocol type and "filter" for the firewall table, then select /etc/sysconfig/iptables-rules for the File: choice. Then apply the changes.

Setting up a Linux OpenVPN client
You need to generate new keys (or reuse existing keys for another client/username) for the new client/username.

On the server:
 * 1)   username

On the client:
 * 1) Copy username.key, username.crt and ca.crt from the server to .
 * 2) Edit   appropriately to set your configuration (just like the server configuration: port, compression, ...) and key paths.

Check   if things did not work as expected.

Alternatively, on the client, after copying the keys onto the client machine, you can use NetworkManager to add a VPN connection. Make sure you have the NetworkManager-openvpn package installed, then just add a new VPN connection.

Setting up a Windows OpenVPN client
On the server:
 * 1)   username

On the client:
 * 1) Install the OpenVPN GUI  or the stand-alone OpenVPN  client.
 * 2) Copy username.crt, username.key, and ca.crt to   on the client.
 * 3) Drop roadwarrior-client.conf into   as whatever.ovpn and edit it appropriately.
 * 4) Either use the GUI to start the connection, start the OpenVPN service manually, or set the OpenVPN service to start automatically.

Ideally the client should do some verification on the server key with  in the whatever.ovpn configuration file.
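As an added example (not part of the original page, and not OpenVPN's or Fedora's own code), the following lints a client .ovpn before it is deployed: it checks that the configuration and key paths the steps above refer to are present, and that the server-certificate check is enabled. The page's directive name is lost in extraction, so this assumes the check is OpenVPN's `remote-cert-tls server` directive (with `ns-cert-type` as the deprecated older form); the sample config is constructed for the example.

```python
import re

# Constructed sample in the style of a roadwarrior-client.conf; the key paths
# follow the /etc/openvpn/keys/ layout used on this page. The server check
# directive is deliberately absent so the linter has something to flag.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/username.crt
key /etc/openvpn/keys/username.key
comp-lzo
verb 3
"""

REQUIRED = {"client", "dev", "proto", "remote", "ca", "cert", "key"}
# Assumption: remote-cert-tls is the server-verification directive meant on the page.
SERVER_CHECK = {"remote-cert-tls", "ns-cert-type"}

def parse_ovpn(text):
    """Return (directive, args) pairs, skipping blank lines and # or ; comments.
    Inline <ca>...</ca> style blocks become one directive with no args."""
    directives, block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"<(/?)([\w-]+)>$", line)
        if m:                       # opening or closing tag of an inline block
            block = None if m.group(1) else m.group(2)
            if block:
                directives.append((block, []))
            continue
        if block:                   # PEM data inside an inline block
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives

def lint_client_config(text):
    """Return a list of findings; an empty list means the config passes."""
    seen = {d for d, _ in parse_ovpn(text)}
    findings = [f"missing required directive: {d}" for d in sorted(REQUIRED - seen)]
    if not seen & SERVER_CHECK:
        findings.append("no server-certificate check: add 'remote-cert-tls server'")
    elif "ns-cert-type" in seen:
        findings.append("ns-cert-type is deprecated; use 'remote-cert-tls server'")
    return findings
```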