OpenVPN: creating a full openVPN gateway
The main advantages of this model:
- Simple: setup takes less than an hour and does not require special knowledge.
- Economically: traffic is compressed by lzo.
- Secure: all traffic is encrypted, and clients are divided among themselves.
- Sometimes it’s just different in any way. :)
Despite these points, I did not find a normal article about configuring OpenVPN on Habrahabr. Well, I'll try to fix it on my own.
I specifically try not to delve into technical details, but I will not describe the principles of building the kernel and installing software in your distribution kit - this is beyond the scope of the article.
Let's take OpenVPN-2.0.9 and Gentoo Linux as a server and Linux or Windows as a client as the basis .
Decide what you want.
We take as a basis that our server is located in a remote data center. Those. We will get on it via the Internet.
After installing an encrypted tunnel between the client and the server, the server will NAT all our packets on the Internet. Also, the server will serve DNS and will be the firewall for the virtual local area network.
The external IP of our server (the one that will be openVPN): 212.212.212.212 The
internal IP of the server (visible from the tunnel): 10.10.0.1 The
pool of internal openVPN addresses: 10.10.0.2 - 10.10.0.128
Our network name: vpnet
Server name: vpsrv
Client name : vpclient
Why do I need an external IP, I think, understandably. Internal IP is needed to connect to the server afterraising the tunnel. The address pool is the addresses that the server issues to connected clients.
The network name is the name of the conf. files and server name in these conf. files. Client and server names = key file names.
Gentoo Linux 2008.0 is installed on the server, updated to the latest versions. The core is 2.6.29. All configuration will be done via SSH.
Kernel customization.
I note right away, at this stage you need to be extremely careful and attentive. If anyone forgot.
The kernel should contain the options below on the server. Only TUN and ipv4 are needed on the client.
In the kernel we need the following functionality, I quote an excerpt from the config: Well, of course, support for ipv4, a network card, and other hardware. We assemble and install the kernel. You can use genkernel . Reboot.
CONFIG_NF_NAT=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NETFILTER=y
CONFIG_TUN=m
Server Tuning.
Software Installation
If :) the server returned from reboot, we proceed to the software installation. Waiting, sometimes for a long time. After installation, go to /etc/init.d/ and execute: Creating a symlink on ourselves, we told openvpn that we need to use the vpnet configuration . In the future, we launch it only like this: Now you do not need to start it, because there is nothing to start yet. :) In addition, we added iptables, named and openvpn to startup. Create the necessary directories and files:
emerge --sync
emerge openvpn bind bind-tools iptables
ln -s openvpn openvpn.vpnet
rc-update add openvpn.vpnet default
rc-update add named default
rc-update iptables default
./iptables save
/etc/init.d/openvpn.vpnet start
mkdir /etc/openvpn/vpnet/
mkdir /etc/openvpn/vpnet/keys
touch /var/log/openvpn.log
touch /etc/openvpn/vpnet.conf
Key Generation.
Go to / usr / share / openvpn / easy-rsa / . Open the vars file and enter the settings: Naturally, the values (company, path to keys and easy-rsa, email) need to be changed to suit your needs. We will imitate the variables: source ./vars Now we will create the keys. And move the leftovers to the right place: That's it, the keys are ready.
export EASY_RSA="/usr/share/openvpn/easy-rsa/" #Путь к easy-rsa.
export KEY_CONFIG="$EASY_RSA/openssl.cnf" #Конфиг OpenSSL
export KEY_DIR="/etc/openvpn/vpnet/keys" #Каталог, в котором мы будем держать ключи.
export KEY_SIZE=1024 # Размер ключа
export CA_EXPIRE=3650 # Срок действия CA
export KEY_EXPIRE=3650 # Срок действия ключа
export KEY_COUNTRY="RU" # Двухбуквенный код страны
export KEY_PROVINCE="XX" # Province, не актуально
export KEY_CITY="Town" # Город
export KEY_ORG="Companyname" # Компания
export KEY_EMAIL="[email protected]" # Email
./clean-all # Убиваем старые ключи, если они были.
openvpn --genkey --secret ta.key # Ключ TLS-auth
./build-dh #Ключ Диффи-Хеллмана.
./pkitool --initca # Certificate Authority для сервера.
./pkitool --server vpsrv # Сертификат сервера.
./pkitool vpclient # Сертификат клиента.
mv ./ta.key /etc/openvpn/vpnet/keys
Server Tuning.
Go to / etc / openvpn / , open vpnet.conf and write there: All options, in principle, are clear. I noted especially important comments. Ways and names, addresses - you need to fix it for yourself. Now the server can be started with the command /etc/init.d/openvpn.vpnet start If problems arise, details can be found in the log file.
mode server
tls-server
proto tcp-server
dev tap
port 5555 # Порт
daemon
tls-auth /etc/openvpn/vpnet/keys/ta.key 0
ca /etc/openvpn/vpnet/keys/ca.crt
cert /etc/openvpn/vpnet/keys/vpsrv.crt
key /etc/openvpn/vpnet/keys/vpsrv.key
dh /etc/openvpn/vpnet/keys/dh1024.pem
ifconfig 10.10.0.1 255.255.255.0 # Внутренний IP сервера
ifconfig-pool 10.10.0.2 10.10.0.128 # Пул адресов.
push "redirect-gateway def1" # Перенаправлять default gateway на vpn-сервер. Если не нужно - закомментировать.
push "route-gateway 10.10.0.1"
duplicate-cn
verb 3
cipher DES-EDE3-CBC # Тип шифрования.
persist-key
log-append /var/log/openvpn.log # Лог-файл.
persist-tun
comp-lzo
NAT
In order for the server to release our packets to the external network, we need to configure NAT. It's simple.
We prepare and launch iptables: Enable IP forwarding support: Add a firewall rule: replace EXTERNAL_IF, VPN_NET and SERVER_IP with an external interface, a VPN network and an external (!) IP server, respectively. Again, do /etc/init.d/iptables save so that the rule applies when the system boots. Everything, you can work.
/etc/init.d/iptables save
/etc/init.d/iptables start
sysctl net.ipv4.ip_forward=1
echo "sysctl net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
iptables -v -t nat -A POSTROUTING -o EXTERNAL_IF -s VPN_NET/24 -j SNAT --to-source SERVER_IP
Client setup
Install the software, create the paths: Take the files from the server: ca.crt vpclient.crt vpclient.key ta.key and drop them in / etc / openvpn / vpnet / client_keys / on the client. Editing /etc/openvpn/vpnet-client.conf : Encryption and compression options on the client and server must match . We start the client. A connection to the server will be automatically established, a tunnel will be created, default gateway - VPN server. If everything is done correctly, then you can go to the Internet. Setup is complete. I can answer the questions in the comments.
emerge openvpn
cd /etc/init.d/
ln -s openvpn openvpn.vpnet-client
rc-update add openvpn.vpnet-client default
mkdir /etc/openvpn/vpnet
mkdir /etc/openvpn/vpnet/client_keys
touch /etc/openvpn/vpnet-client.conf
tls-client
proto tcp-client
remote 212.212.212.212
dev tap
port 5555
cd /etc/openvpn/vpnet
pull
tls-auth /etc/openvpn/vpnet/client_keys/ta.key 1
ca /etc/openvpn/vpnet/client_keys/ca.crt
cert /etc/openvpn/vpnet/client_keys/vpclient.crt
key /etc/openvpn/vpnet/client_keys/vpclient.key
cipher DES-EDE3-CBC
log-append /var/log/openvpn.log
comp-lzo