OpenVPN on FC4 note
Sunday, April 15th, 2007Server
- yum install openvpn
- cp -R /usr/share/openvpn/easy-rsa /etc/openvpn
- cd /etc/openvpn/easy-rsa
- vim vars:
# easy-rsa parameter settings # NOTE: If you installed from an RPM, # don't edit this file in place in # /usr/share/openvpn/easy-rsa -- # instead, you should copy the whole # easy-rsa directory to another location # (such as /etc/openvpn) so that your # edits will not be wiped out by a future # OpenVPN package upgrade. # This variable should point to # the top level of the easy-rsa # tree. export D=`pwd` # This variable should point to # the openssl.cnf file included # with easy-rsa. export KEY_CONFIG=$D/openssl.cnf # Edit this variable to point to # your soon-to-be-created key # directory. # # WARNING: clean-all will do # a rm -rf on this directory # so make sure you define # it correctly! export KEY_DIR="/etc/openvpn/keys" # Issue rm -rf warning echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR # Increase this to 2048 if you # are paranoid. This will slow # down TLS negotiation performance # as well as the one-time DH parms # generation process. export KEY_SIZE=1024 # These are the default values for fields # which will be placed in the certificate. # Don't leave any of these fields blank. export KEY_COUNTRY=US export KEY_PROVINCE=CA export KEY_CITY=SANDIEGO export KEY_ORG="TAROTOAST.COM" export KEY_EMAIL="chang.peter@gmail.com"
- chmod 700 *
- mkdir /etc/openvpn/keys
- make sure in Bash shell (still at /etc/openvpn/easy-rsa directory)
- ./vars
- ./clean-all
- ./build-ca
Enter ROOTCA for common name - ./build-key-server server
Enter ROOT for common name - ./build-key [computername] <– repeat for # of computers want to allow connect
Enter [computername] as common name
EX: ./build-key AMD64
EX: ./build-key X40 - ./build-dh
- vim /etc/openvpn/server.conf:
port 1194 proto tcp dev tun ca keys/ca.crt cert keys/server.crt key keys/server.key dh keys/dh1024.pem server 10.11.12.0 255.255.255.0 client-config-dir ccd push "dhcp-option DNS SERVERIP" push "dhcp-option DNS SERVERDNS" ifconfig-pool-persist ipp.txt push "redirect-gateway" keepalive 10 120 comp-lzo persist-key persist-tun status server-tcp.log verb 3
- Create log files: touch /etc/openvpn/server-tcp.log /etc/openvpn/ipp.txt
- vim /etc/init.d/openvpn:
Uncomment line 114/sbin/modprobe tun >/dev/null 2>&1
Insert after line 115
iptables -t nat -A POSTROUTING -s 10.11.12.3 -j SNAT --to SERVERIP iptables -t nat -A POSTROUTING -s 10.11.12.4 -j SNAT --to SERVERIP iptables -t nat -A POSTROUTING -s 10.11.12.5 -j SNAT --to SERVERIP iptables -t nat -A POSTROUTING -s 10.11.12.6 -j SNAT --to SERVERIP iptables -t nat -A POSTROUTING -s 10.11.12.7 -j SNAT --to SERVERIP iptables -t nat -A POSTROUTING -s 10.11.12.8 -j SNAT --to SERVERIP iptables -t nat -A POSTROUTING -s 10.11.12.9 -j SNAT --to SERVERIP iptables -t nat -A POSTROUTING -s 10.11.12.10 -j SNAT --to SERVERIP
- service openvpn start
Client (Windows Vista with UAC on)
- Download and install OpenVPN Gui 1.0.3 with OpenVPN 2.0.9 [Here]
- Scary warning will pop up telling you the driver will not work, install it anyway. OpenVPN’s developers fixed it already.
- Make a shortcut on desktop to GUI executable “C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe”
- Use WinSCP to download these files onto the client computer:
/etc/openvpn/keys/ca.crt
/etc/openvpn/keys/AMD64.key
/etc/openvpn/keys/AMD64.crt - Put above files along with this VPNServer.ovpn in C:\Program Files\OpenVPN\config
VPNServer.ovpnclient dev tun proto tcp remote SERVERIP 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert AMD64.crt key AMD64.key ns-cert-type server push "dhcp-option DNS SERVERIP" push "dhcp-option DNS SERVERDNSIP" comp-lzo verb 3 route-method exe route-delay 2
- Right click on the shortcut to openvpn-gui-1.0.3.exe, select Run As Administrator
- On the taskbar, right click the openvpn gui icon, select connect
DONE [aha
The above mostly follows [this thread] except some minor changes in client side config.
Recent Comments