From Fedora Project Wiki

Revision as of 00:08, 5 June 2008

OpenVPN

For more information, see http://www.openvpn.net/. Send suggestions/corrections/additions to this page to steve@kspei.com.

Setting up an OpenVPN server

  1. yum install openvpn.$HOSTTYPE
  2. Copy /usr/share/openvpn/easy-rsa/ somewhere (like root's home directory with cp -ai /usr/share/openvpn/easy-rsa ~).
  3. cd ~/easy-rsa
  4. Edit vars appropriately.
  5. . vars
  6. ./clean-all
  7. Before continuing, make sure the system time is correct. Preferably, set up NTP.
  8. ./build-ca
  9. ./build-inter $( hostname | cut -d. -f1 )
  10. ./build-dh
  11. mkdir /etc/openvpn/keys
  12. cp -ai keys/$( hostname | cut -d. -f1 ).{crt,key} keys/ca.crt keys/dh1024.pem /etc/openvpn/keys/
  13. cp -ai /usr/share/doc/openvpn-*/sample-config-files/roadwarrior-server.conf /etc/openvpn/server.conf
  14. Edit /etc/openvpn/server.conf appropriately.
  15. chkconfig --level 2345 openvpn on
  16. service openvpn start
  17. Verify that firewall rules allow traffic in from tun+, out from the LAN to tun+, and in from the outside on UDP port 1194.

The following should work:

iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT
iptables -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

Or for genfw (my firewall-generation script, not currently available in Fedora), this in /etc/sysconfig/genfw/rules:

append INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
append INPUT -i tun+ -j ACCEPT
append FORWARD -i tun+ -j ACCEPT
append FORWARD -i eth0 -o tun+ -j ACCEPT
append FORWARD -i eth1 -o tun+ -j established

Setting up a Windows OpenVPN client

On the server:

  1. cd easy-rsa
  2. . vars
  3. ./build-key username

On the client:

  1. Install the OpenVPN GUI or the stand-alone OpenVPN client.
  2. Copy username.crt, username.key, and ca.crt to C:\Program Files\OpenVPN\config\ on the client.
  3. Drop roadwarrior-client.conf into C:\Program Files\OpenVPN\config\ as whatever.ovpn and edit appropriately.
  4. Either use the GUI to start the connection, start the OpenVPN service manually, or set the OpenVPN service to start automatically.

Ideally the client should also verify the server's certificate with a tls-remote directive in the whatever.ovpn configuration file.
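As an added example (not code from the original page or from the OpenVPN project), a small Python checker that reads an edited server.conf or client .ovpn and reports where it departs from the server and client steps above: UDP port 1194 and a tun device to match the firewall rules, the ca/cert/key/dh files under /etc/openvpn/keys/, and the tls-remote directive on the client. The sample configs, the hostname vpnhost and vpn.example.net are constructed, and the checker assumes the client file uses the client directive.

```python
"""Lint an OpenVPN server.conf or client .ovpn against the setup above: UDP 1194,
dev tun, key material under /etc/openvpn/keys/, and the client tls-remote check."""
import shlex

KEYS_DIR = "/etc/openvpn/keys/"
REQUIRED = {
    "server": ("dev", "port", "ca", "cert", "key", "dh"),
    # tls-remote is what makes the client verify the server certificate's name
    "client": ("dev", "client", "remote", "ca", "cert", "key", "tls-remote"),
}

def parse_config(text):
    """Map each directive to its argument list; lines starting '#' or ';' are comments."""
    lines = (l.strip() for l in text.splitlines())
    parts = (shlex.split(l) for l in lines if l and not l.startswith(("#", ";")))
    return {p[0]: p[1:] for p in parts}

def check_config(text, role):
    """role is 'server' or 'client'; returns a list of findings, empty when OK."""
    d = parse_config(text)
    findings = ["missing %s directive" % n for n in REQUIRED[role] if n not in d]
    if d.get("dev", ["tun"]) != ["tun"]:
        findings.append("dev should be tun: the firewall rules above match tun+")
    if d.get("proto", ["udp"])[0] != "udp":  # OpenVPN defaults to udp
        findings.append("proto should be udp: only UDP 1194 is opened")
    if role == "server":
        if d.get("port", ["1194"]) != ["1194"]:
            findings.append("port should be 1194 to match the firewall rules")
        for name in ("ca", "cert", "key", "dh"):
            if name in d and not d[name][0].startswith(KEYS_DIR):
                findings.append("%s should point into %s" % (name, KEYS_DIR))
    return findings

# Constructed samples: a server.conf per the steps above and a client .ovpn missing tls-remote.
SERVER_CONF = """port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpnhost.crt
key /etc/openvpn/keys/vpnhost.key
dh /etc/openvpn/keys/dh1024.pem
"""
CLIENT_OVPN = """client
dev tun
remote vpn.example.net 1194
ca ca.crt
cert username.crt
key username.key
"""
```

Run check_config on the edited server.conf and whatever.ovpn; an empty list means the file matches the steps above, and the client sample reports only the missing tls-remote.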
