www.linuxexpert.ro

Setup OpenVPN

Published: 16 April 2009

Here is a short tutorial that will help you get a working VPN server running.
First, install OpenVPN from source or from a precompiled distribution package.
Then set up the Certificate Authority (CA).
Keep in mind that the CA should be on the client, not on the server. The OpenVPN install comes with scripts that make it easy to create certificates. Copy them into /etc/openvpn:
cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa
Edit the file called vars and adapt the last KEY_xxx variables to your needs. On my Slackware install the path is: export KEY_DIR=$D/../keys. After that, run:
. vars
./clean-all
./build-ca
To create a certificate and sign it in a single step, without a password (do this only if the certificate can be transferred to the client via a secure channel; otherwise generate the certificate and the request on the client and sign it on the CA):
For the server, use (don't forget to give a Common Name):
./build-key-server server
For a client (don't forget to give a Common Name):
./build-key Hercule
We also need to generate the Diffie-Hellman parameters:
./build-dh
For other situations, see easy-rsa/README.
To see the content of a certificate:
openssl x509 -in server.crt -text
Next you need to configure the server:
# cat server.conf
port 1194
proto udp
dev tap

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem # Diffie-Hellman parameters created by ./build-dh
client-to-client # To allow clients to see each other
server 192.168.10.0 255.255.255.0 # Set to virtual network and subnet mask
client-config-dir /etc/openvpn/ccd
ifconfig-pool-persist ipp.txt

#push "dhcp-option DNS x.x.x.x"
#push "dhcp-option DNS x.x.x.x"
#push "redirect-gateway def1"

keepalive 10 120
#cipher AES-128-CBC # AES
cipher none # Tunnel data is NOT encrypted; the client must use the same setting
comp-lzo
persist-key
persist-tun
user nobody
group nobody
status openvpn-status.log
verb 3

Start the server:
openvpn --config server.conf

Next, set up the client:
Copy these files from the server to the client: ca.crt, Hercule.crt, Hercule.key, Hercule.csr
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf Hercule.ovpn
Edit the lines like this:
diff /usr/share/doc/openvpn/examples/sample-config-files/client.conf Hercule.ovpn
23,24c23,24
< ;dev tap
< dev tun
---
> dev tap
> ;dev tun
42c42
< remote my-server-1 1194
---
> remote x.x.x.x 1194
89,90c89,90
< cert client.crt
< key client.key
---
> cert Hercule.crt
> key Hercule.key
112c112
< ;cipher x
---
> cipher none
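
Review bot: In the 112c112 hunk, "cipher none" leaves the tunnel's data unencrypted. It does match the server.conf shown earlier, which also sets "cipher none" and keeps "#cipher AES-128-CBC" commented out, but for an encrypted VPN both ends need the same real cipher: uncomment "cipher AES-128-CBC" in server.conf and use "cipher AES-128-CBC" on this line instead.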


Start the client:
openvpn --config /etc/openvpn/Hercule/Hercule.ovpn --cd /etc/openvpn/Hercule/
That's it, you should now have a working setup.
If the server and the client run different versions of OpenVPN, don't forget to set the MTU:
tun-mtu 1500  
tun-mtu-extra 32
link-mtu 1590  
mssfix
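
The server.conf and Hercule.ovpn above have to agree on dev, proto, cipher and comp-lzo, and both currently run with "cipher none". The script below is an added example, not part of the original tutorial: it compares a server/client pair on those directives and flags the unencrypted tunnel and the 1024-bit DH file. The function names directive_value and check_pair and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): lint a server/client config pair.

# Print the arguments of the first active occurrence of directive $2 in file $1:
# "on" if it takes no arguments, "absent" if it is missing or commented out.
# Simplification: everything after '#' or ';' is treated as a comment.
directive_value() {
    awk -v name="$2" '
        { sub(/[#;].*/, "") }
        $1 == name { $1 = ""; gsub(/^ +| +$/, "")
                     if ($0 == "") $0 = "on"
                     print; found = 1; exit }
        END { if (!found) print "absent" }' "$1"
}

# Print one line per finding; the exit status is the number of findings.
check_pair() {
    server=$1; client=$2; findings=0
    for d in dev proto cipher comp-lzo; do      # must agree on both ends
        s=$(directive_value "$server" "$d"); c=$(directive_value "$client" "$d")
        if [ "$s" != "$c" ]; then
            echo "MISMATCH $d: server=$s client=$c"; findings=$((findings + 1))
        fi
    done
    for f in "$server" "$client"; do
        if [ "$(directive_value "$f" cipher)" = none ]; then
            echo "WEAK $f: cipher none, tunnel data is not encrypted"
            findings=$((findings + 1))
        fi
    done
    case $(directive_value "$server" dh) in
        *dh1024.pem) echo "WEAK $server: 1024-bit DH parameters"
                     findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample: the tutorial's server.conf (trimmed) and a client file
# where the "dev" edit was forgotten.
tmp=$(mktemp -d)
printf '%s\n' 'proto udp' 'dev tap' 'dh /etc/openvpn/keys/dh1024.pem' \
    '#cipher AES-128-CBC # AES' 'cipher none' 'comp-lzo' > "$tmp/server.conf"
printf '%s\n' ';dev tap' 'dev tun' 'proto udp' 'remote x.x.x.x 1194' \
    'cipher none' 'comp-lzo' > "$tmp/Hercule.ovpn"
check_pair "$tmp/server.conf" "$tmp/Hercule.ovpn" || echo "findings: $?"
rm -rf "$tmp"
```

Run it against the real files with: check_pair /etc/openvpn/server.conf /etc/openvpn/Hercule/Hercule.ovpn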
