Back to Home

OpenVPN: creating a full openVPN gateway

openvpn · vpn · pptp · gateway

OpenVPN: creating a full openVPN gateway

    OpenVPN is a system that allows you to create encrypted tunnels between computers using VPN technology(Virtual Private Network, Virtual Private Network).

    The main advantages of this model:

    • Simple: setup takes less than an hour and does not require special knowledge.
    • Economically: traffic is compressed by lzo.
    • Secure: all traffic is encrypted, and clients are divided among themselves.
    • Sometimes it’s just different in any way. :)


    Despite these points, I did not find a normal article about configuring OpenVPN on Habrahabr. Well, I'll try to fix it on my own.

    I specifically try not to delve into technical details, but I will not describe the principles of building the kernel and installing software in your distribution kit - this is beyond the scope of the article.

    Let's take OpenVPN-2.0.9 and Gentoo Linux as a server and Linux or Windows as a client as the basis .



    Decide what you want.



    We take as a basis that our server is located in a remote data center. Those. We will get on it via the Internet.

    After installing an encrypted tunnel between the client and the server, the server will NAT all our packets on the Internet. Also, the server will serve DNS and will be the firewall for the virtual local area network.

    The external IP of our server (the one that will be openVPN): 212.212.212.212 The
    internal IP of the server (visible from the tunnel): 10.10.0.1 The
    pool of internal openVPN addresses: 10.10.0.2 - 10.10.0.128
    Our network name: vpnet
    Server name: vpsrv
    Client name : vpclient

    Why do I need an external IP, I think, understandably. Internal IP is needed to connect to the server afterraising the tunnel. The address pool is the addresses that the server issues to connected clients.
    The network name is the name of the conf. files and server name in these conf. files. Client and server names = key file names.

    Gentoo Linux 2008.0 is installed on the server, updated to the latest versions. The core is 2.6.29. All configuration will be done via SSH.

    Kernel customization.



    I note right away, at this stage you need to be extremely careful and attentive. If anyone forgot.

    The kernel should contain the options below on the server. Only TUN and ipv4 are needed on the client.

    In the kernel we need the following functionality, I quote an excerpt from the config: Well, of course, support for ipv4, a network card, and other hardware. We assemble and install the kernel. You can use genkernel . Reboot.

    CONFIG_NF_NAT=m
    CONFIG_NF_NAT_PPTP=m
    CONFIG_NETFILTER=y
    CONFIG_TUN=m




    Server Tuning.



    Software Installation

    If :) the server returned from reboot, we proceed to the software installation. Waiting, sometimes for a long time. After installation, go to /etc/init.d/ and execute: Creating a symlink on ourselves, we told openvpn that we need to use the vpnet configuration . In the future, we launch it only like this: Now you do not need to start it, because there is nothing to start yet. :) In addition, we added iptables, named and openvpn to startup. Create the necessary directories and files:

    emerge --sync
    emerge openvpn bind bind-tools iptables




    ln -s openvpn openvpn.vpnet
    rc-update add openvpn.vpnet default
    rc-update add named default
    rc-update iptables default
    ./iptables save




    /etc/init.d/openvpn.vpnet start







    mkdir /etc/openvpn/vpnet/
    mkdir /etc/openvpn/vpnet/keys
    touch /var/log/openvpn.log
    touch /etc/openvpn/vpnet.conf


    Key Generation.


    Go to / usr / share / openvpn / easy-rsa / . Open the vars file and enter the settings: Naturally, the values ​​(company, path to keys and easy-rsa, email) need to be changed to suit your needs. We will imitate the variables: source ./vars Now we will create the keys. And move the leftovers to the right place: That's it, the keys are ready.

    export EASY_RSA="/usr/share/openvpn/easy-rsa/" #Путь к easy-rsa.
    export KEY_CONFIG="$EASY_RSA/openssl.cnf" #Конфиг OpenSSL
    export KEY_DIR="/etc/openvpn/vpnet/keys" #Каталог, в котором мы будем держать ключи.
    export KEY_SIZE=1024 # Размер ключа
    export CA_EXPIRE=3650 # Срок действия CA
    export KEY_EXPIRE=3650 # Срок действия ключа
    export KEY_COUNTRY="RU" # Двухбуквенный код страны
    export KEY_PROVINCE="XX" # Province, не актуально
    export KEY_CITY="Town" # Город
    export KEY_ORG="Companyname" # Компания
    export KEY_EMAIL="[email protected]" # Email








    ./clean-all # Убиваем старые ключи, если они были.
    openvpn --genkey --secret ta.key # Ключ TLS-auth
    ./build-dh #Ключ Диффи-Хеллмана.
    ./pkitool --initca # Certificate Authority для сервера.
    ./pkitool --server vpsrv # Сертификат сервера.
    ./pkitool vpclient # Сертификат клиента.




    mv ./ta.key /etc/openvpn/vpnet/keys




    Server Tuning.


    Go to / etc / openvpn / , open vpnet.conf and write there: All options, in principle, are clear. I noted especially important comments. Ways and names, addresses - you need to fix it for yourself. Now the server can be started with the command /etc/init.d/openvpn.vpnet start If problems arise, details can be found in the log file.

    mode server
    tls-server
    proto tcp-server
    dev tap
    port 5555 # Порт
    daemon
    tls-auth /etc/openvpn/vpnet/keys/ta.key 0
    ca /etc/openvpn/vpnet/keys/ca.crt
    cert /etc/openvpn/vpnet/keys/vpsrv.crt
    key /etc/openvpn/vpnet/keys/vpsrv.key
    dh /etc/openvpn/vpnet/keys/dh1024.pem
    ifconfig 10.10.0.1 255.255.255.0 # Внутренний IP сервера
    ifconfig-pool 10.10.0.2 10.10.0.128 # Пул адресов.
    push "redirect-gateway def1" # Перенаправлять default gateway на vpn-сервер. Если не нужно - закомментировать.
    push "route-gateway 10.10.0.1"
    duplicate-cn
    verb 3
    cipher DES-EDE3-CBC # Тип шифрования.
    persist-key
    log-append /var/log/openvpn.log # Лог-файл.
    persist-tun
    comp-lzo







    NAT


    In order for the server to release our packets to the external network, we need to configure NAT. It's simple.

    We prepare and launch iptables: Enable IP forwarding support: Add a firewall rule: replace EXTERNAL_IF, VPN_NET and SERVER_IP with an external interface, a VPN network and an external (!) IP server, respectively. Again, do /etc/init.d/iptables save so that the rule applies when the system boots. Everything, you can work.

    /etc/init.d/iptables save
    /etc/init.d/iptables start




    sysctl net.ipv4.ip_forward=1
    echo "sysctl net.ipv4.ip_forward = 1" >> /etc/sysctl.conf




    iptables -v -t nat -A POSTROUTING -o EXTERNAL_IF -s VPN_NET/24 -j SNAT --to-source SERVER_IP








    Client setup



    Install the software, create the paths: Take the files from the server: ca.crt vpclient.crt vpclient.key ta.key and drop them in / etc / openvpn / vpnet / client_keys / on the client. Editing /etc/openvpn/vpnet-client.conf : Encryption and compression options on the client and server must match . We start the client. A connection to the server will be automatically established, a tunnel will be created, default gateway - VPN server. If everything is done correctly, then you can go to the Internet. Setup is complete. I can answer the questions in the comments.

    emerge openvpn
    cd /etc/init.d/
    ln -s openvpn openvpn.vpnet-client
    rc-update add openvpn.vpnet-client default

    mkdir /etc/openvpn/vpnet
    mkdir /etc/openvpn/vpnet/client_keys
    touch /etc/openvpn/vpnet-client.conf














    tls-client
    proto tcp-client
    remote 212.212.212.212
    dev tap
    port 5555
    cd /etc/openvpn/vpnet
    pull
    tls-auth /etc/openvpn/vpnet/client_keys/ta.key 1
    ca /etc/openvpn/vpnet/client_keys/ca.crt
    cert /etc/openvpn/vpnet/client_keys/vpclient.crt
    key /etc/openvpn/vpnet/client_keys/vpclient.key
    cipher DES-EDE3-CBC
    log-append /var/log/openvpn.log
    comp-lzo








    Read Next