OpenVPN on FC4 note
Posted in BSD+Linux, Internet, Server Diary | By tarotoast | Tags: code, fc4, howto, openvpn
Server
- yum install openvpn
- cp -R /usr/share/openvpn/easy-rsa /etc/openvpn
- cd /etc/openvpn/easy-rsa
- vim vars:
# easy-rsa parameter settings
# NOTE: If you installed from an RPM, don't edit this file in place in
# /usr/share/openvpn/easy-rsa -- instead, copy the whole easy-rsa directory
# to another location (such as /etc/openvpn) so that your edits will not be
# wiped out by a future OpenVPN package upgrade.
# This variable should point to the top level of the easy-rsa tree.
export D=`pwd`
# This variable should point to the openssl.cnf file included with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf
# Edit this variable to point to your soon-to-be-created key directory.
# WARNING: clean-all will do a rm -rf on this directory, so make sure you
# define it correctly!
export KEY_DIR="/etc/openvpn/keys"
# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# Increase this to 2048 if you are paranoid. This will slow down TLS
# negotiation performance as well as the one-time DH parms generation process.
export KEY_SIZE=1024
# These are the default values for fields which will be placed in the
# certificate. Don't leave any of these fields blank.
export KEY_COUNTRY=US
export KEY_PROVINCE=CA
export KEY_CITY=SANDIEGO
export KEY_ORG="TAROTOAST.COM"
export KEY_EMAIL="chang.peter@gmail.com"
(1024-bit RSA is no longer considered adequate; set KEY_SIZE=2048. build-dh then writes dh2048.pem, so the dh line in server.conf below must be changed to match.)
- chmod 700 *
- mkdir /etc/openvpn/keys
- make sure you are in a Bash shell (still in the /etc/openvpn/easy-rsa directory)
- . ./vars   (source it, not ./vars: the build scripts need KEY_DIR and the other variables exported into the current shell, otherwise clean-all stops with "you must define KEY_DIR")
- ./clean-all   (wipes and recreates /etc/openvpn/keys)
- ./build-ca
Enter ROOTCA for the common name
- ./build-key-server server
Enter ROOT for the common name
- ./build-key [computername]  <-- repeat for each computer you want to allow to connect; every common name must be distinct, since the CA database refuses duplicate subjects
Enter [computername] as the common name
EX: ./build-key AMD64
EX: ./build-key X40
- ./build-dh
- vim /etc/openvpn/server.conf (SERVERIP is the server's public address and SERVERDNSIP the DNS server clients should use; the dh file name must match KEY_SIZE):
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.11.12.0 255.255.255.0
client-config-dir ccd
push "dhcp-option DNS SERVERIP"
push "dhcp-option DNS SERVERDNSIP"
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3
- Create log files: touch /etc/openvpn/server-tcp.log /etc/openvpn/ipp.txt
- vim /etc/init.d/openvpn:
Uncomment line 114: /sbin/modprobe tun >/dev/null 2>&1
Insert after line 115:
iptables -t nat -A POSTROUTING -s 10.11.12.3 -j SNAT --to SERVERIP
iptables -t nat -A POSTROUTING -s 10.11.12.4 -j SNAT --to SERVERIP
iptables -t nat -A POSTROUTING -s 10.11.12.5 -j SNAT --to SERVERIP
iptables -t nat -A POSTROUTING -s 10.11.12.6 -j SNAT --to SERVERIP
iptables -t nat -A POSTROUTING -s 10.11.12.7 -j SNAT --to SERVERIP
iptables -t nat -A POSTROUTING -s 10.11.12.8 -j SNAT --to SERVERIP
iptables -t nat -A POSTROUTING -s 10.11.12.9 -j SNAT --to SERVERIP
iptables -t nat -A POSTROUTING -s 10.11.12.10 -j SNAT --to SERVERIP
Two checks: with "dev tun", OpenVPN 2.0 hands each client a /30 by default, so clients end up on 10.11.12.6, .10, .14 and so on, and the per-host rules above only cover the first two; a single rule for -s 10.11.12.0/24 is simpler unless you pin addresses in ccd/. And SNAT only rewrites packets, it does not forward them: redirect-gateway only works if the server has echo 1 > /proc/sys/net/ipv4/ip_forward (net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it stick).
- service openvpn start
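The per-client plumbing in the server steps above (a ccd/ entry pinning each computer to an address plus a matching SNAT rule) is easy to get wrong by hand, because OpenVPN 2.0 in tun mode hands each client a /30 rather than consecutive addresses. The script below is an added example, not code from the original post or the linked thread: it computes the /30 each client receives from the pool that "server 10.11.12.0 255.255.255.0" creates, writes the ccd/ file, prints the SNAT rule, and checks IP forwarding. SERVERIP (203.0.113.10), the client names AMD64 and X40, and the ccd directory path are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the original post). Generates, for each VPN client,
# the ccd/ entry and the iptables SNAT rule that the server steps above need.
# Assumes: server 10.11.12.0 255.255.255.0, dev tun, OpenVPN 2.0 default /30
# ("net30") client addressing, and the post's SERVERIP placeholder.

VPN_NET="10.11.12"                      # from "server 10.11.12.0 255.255.255.0"
SERVERIP="203.0.113.10"                 # assumed public address (TEST-NET-3); replace
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"  # client-config-dir from server.conf

# net30_pair N: the /30 the Nth client gets. The server itself uses .1/.2 and the
# pool starts at .4, so client N is 4N+2 and its peer address is 4N+1:
# clients sit on .6, .10, .14, ... and never on .3 or .7.
net30_pair() {
    idx=$1
    client=$((4 * idx + 2))
    peer=$((4 * idx + 1))
    [ "$client" -le 254 ] || { echo "pool exhausted for client $idx" >&2; return 1; }
    echo "$VPN_NET.$client $VPN_NET.$peer"
}

# is_net30_client IP: true only if IP is a valid client endpoint (4N+2, N>=1).
is_net30_client() {
    last=${1##*.}
    [ "$last" -ge 6 ] && [ $(( (last - 2) % 4 )) -eq 0 ]
}

# ccd_entry NAME N: contents of ccd/NAME. Pinning the client with ifconfig-push
# keeps the per-host SNAT rule valid across reconnects.
ccd_entry() {
    pair=$(net30_pair "$2") || return 1
    echo "ifconfig-push $pair"
}

# snat_rule IP: the rule the post inserts into /etc/init.d/openvpn, for one client,
# refusing addresses that no tun client can ever have.
snat_rule() {
    is_net30_client "$1" || { echo "$1 is not a client address in a net30 pool" >&2; return 1; }
    echo "iptables -t nat -A POSTROUTING -s $1 -j SNAT --to $SERVERIP"
}

# subnet_snat_rule: one rule for the whole VPN subnet; covers every client and
# needs no update when a computer is added.
subnet_snat_rule() {
    echo "iptables -t nat -A POSTROUTING -s $VPN_NET.0/24 -j SNAT --to $SERVERIP"
}

# provision NAME N: print the ccd file and SNAT rule for one client; the ccd
# file is only written when CCD_DIR exists, so a dry run elsewhere just prints.
provision() {
    name=$1
    pair=$(net30_pair "$2") || return 1
    client_ip=${pair%% *}
    echo "# $CCD_DIR/$name:"
    ccd_entry "$name" "$2"
    [ -d "$CCD_DIR" ] && ccd_entry "$name" "$2" > "$CCD_DIR/$name"
    snat_rule "$client_ip"
}

# forwarding_check: SNAT rewrites packets but the kernel must also forward them.
forwarding_check() {
    if [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]; then
        echo "ip_forward is on"
    else
        echo "run: echo 1 > /proc/sys/net/ipv4/ip_forward  (net.ipv4.ip_forward = 1 in /etc/sysctl.conf)"
    fi
}

# Constructed sample run: the two computers from the post.
i=1
for name in AMD64 X40; do
    provision "$name" "$i"
    i=$((i + 1))
done
echo "# or, instead of per-host rules:"
subnet_snat_rule
forwarding_check
```

Run it once on the server after "service openvpn start" and paste the printed rules into /etc/init.d/openvpn; because ccd/ pins the addresses, the rules stay correct even when clients reconnect in a different order than ipp.txt recorded.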
Client (Windows Vista with UAC on)
- Download and install OpenVPN Gui 1.0.3 with OpenVPN 2.0.9 [Here]
- A scary warning will pop up saying the driver will not work; install it anyway, OpenVPN's developers have already fixed it.
- Make a shortcut on desktop to GUI executable “C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe”
- Use WinSCP (SCP/SFTP, so the private key never crosses the network in the clear) to download these files onto the client computer:
/etc/openvpn/keys/ca.crt
/etc/openvpn/keys/AMD64.key
/etc/openvpn/keys/AMD64.crt
- Put the above files along with this VPNServer.ovpn in C:\Program Files\OpenVPN\config (push is a server-side directive and belongs in server.conf, which already pushes the DNS options, so it is left out here):
VPNServer.ovpn:
client
dev tun
proto tcp
remote SERVERIP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert AMD64.crt
key AMD64.key
ns-cert-type server
comp-lzo
verb 3
route-method exe
route-delay 2
- Right click on the shortcut to openvpn-gui-1.0.3.exe, select Run As Administrator
- On the taskbar, right click the openvpn gui icon, select connect
DONE
The above mostly follows [this thread] except some minor changes in client side config.
May 28th, 2007 at 11:07 am
Great :) really nice and easy
thanks dude