In our company we need to allow certain members access to our computer network from outside. Therefore we decided to set up a VPN.
We chose OpenVPN because it is open source and is available for Linux, Windows and other operating systems.
You can run the VPN server on Linux and let a plain Windows client connect to it.
For the server-client setup you need to generate keys and certificates, but the configuration itself is very simple.
Server configuration
/etc/openvpn/server.conf
port 1194
proto tcp                                    # TCP passes restrictive firewalls more easily; UDP performs better
dev tun
keepalive 10 60                              # ping every 10 s, restart after 60 s of silence
comp-lzo                                     # compression; see the caveat below
server 10.10.1.0 255.255.255.0               # VPN subnet, the server itself takes 10.10.1.1
ifconfig-pool-persist /etc/openvpn/ipp.txt   # remember which client got which address
max-clients 3
push "route 172.16.128.0 255.255.255.0"      # send the office LAN through the tunnel
push "dhcp-option DNS 172.16.128.1"
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/akela.crt
key /etc/openvpn/keys/akela.key              # server private key; readable by root only
dh /etc/openvpn/keys/dh1024.pem              # 1024-bit DH is weak today; see the note on KEY_SIZE below
tls-auth /etc/openvpn/keys/static.key        # HMAC on every control packet; the same key goes to all clients
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
mute 10
verb 5
Everything important is in the man page and in the project documentation. Two things this minimal server.conf leaves out that are worth adding: drop privileges once the tunnel is up (user nobody and group nogroup, or nobody on distributions without nogroup, together with persist-key and persist-tun so a restart still works), and replace the 1024-bit dh file with a 2048-bit one. Compression of encrypted traffic (comp-lzo) is also discouraged nowadays, because it leaks information about the plaintext; if you do not need it, leave it out on both sides. Note also that
push "dhcp-option DNS 172.16.128.1"
is honoured only by the Windows client. On a Linux client you need an up script that rewrites /etc/resolv.conf, for example the update-resolv-conf script shipped with the Debian package (enabled with script-security 2 and the up and down directives); see the OpenVPN HOWTO.
Generate certificates
You can use OpenSSL directly, but the OpenVPN developers ship the easy-rsa scripts, which make generating keys and certificates for the server and the clients simple.
You find them in /usr/share/doc/openvpn/examples/easy-rsa/2.0/ (copy the directory somewhere else before use, so that a package upgrade cannot overwrite your keys).
The scripts read their settings from the file vars. There you set variables such as KEY_SIZE (1024 by default; set it to 2048) and the certificate fields KEY_COUNTRY, KEY_ORG and KEY_EMAIL. If you raise KEY_SIZE, build-dh produces dh2048.pem instead of dh1024.pem and the dh line in server.conf must be changed to match.
1. Load the config file into the shell and create the self-signed Certificate Authority:
. ./vars
./clean-all
./build-ca
clean-all wipes the whole keys directory, so run it only once, when you start the CA. In the folder keys (the exact location depends on KEY_DIR in your vars file) you find:
ca.crt - public certificate of the Certificate Authority
ca.key - private key of the Certificate Authority. Keep it only on the machine where you sign certificates and never copy it to the server or to clients: whoever holds it can issue certificates that your server and your clients will trust.
2. Create the key and certificate for the server:
./build-key-server akela
It creates the files:
akela.crt - certificate of your server, signed by your CA, with the server extensions that the client's ns-cert-type server check relies on
akela.csr - the signing request (you don't need this file afterwards)
akela.key - private key of your server
3. Create the Diffie-Hellman parameters used for the key exchange:
./build-dh
It creates the file:
dh1024.pem (dh2048.pem when KEY_SIZE is 2048; the number is the size in bits). This step takes a while, and 1024 bits is no longer considered adequate.
4. Create the static tls-auth key:
openvpn --genkey --secret static.key
It creates the file:
static.key
Every client needs a copy of it. Packets that do not carry a valid HMAC made with this key are dropped before the TLS handshake even starts, so port scanners and unauthenticated clients never reach the TLS code. If you add the optional direction parameter, use tls-auth static.key 0 on the server and tls-auth static.key 1 on the clients.
Client configuration
We need to create a certificate for the client.
On your server (or wherever you keep the CA) use:
./build-key kibo
kibo.crt - certificate of your client (notebook), signed by your CA
kibo.csr - the signing request (you don't need this file)
kibo.key - private key of your client (notebook)
Copy these files to the client (notebook) over a secure channel such as scp:
kibo.crt
kibo.key
ca.crt
static.key
Do not copy ca.key or any other client's key. On the notebook, kibo.key should be readable by root (or the user running OpenVPN) only.
The client configuration goes in /etc/openvpn/client.conf on a Linux client,
and in ..\Program Files\OpenVPN\config\client.ovpn on a Windows client.
client                                  # implies tls-client and pull
pull
dev tun
proto tcp                               # must match the server
remote ourServer.tld                    # port 1194 is the default; add it here if the server uses another
ca /etc/openvpn/keys/ca.crt             # on Windows use paths relative to the config directory, e.g. just ca.crt
cert /etc/openvpn/keys/kibo.crt
key /etc/openvpn/keys/kibo.key
tls-auth /etc/openvpn/keys/static.key
comp-lzo                                # must match the server
verb 4
mute 10
# Refuse a server whose certificate was not issued with the server extension.
# Without this, any certificate signed by your CA, including another client's,
# could impersonate the server. OpenVPN 2.5 and later removed ns-cert-type;
# use remote-cert-tls server there (easy-rsa's build-key-server sets both extensions).
ns-cert-type server
Start the server and then try to connect from the client.
openvpn /etc/openvpn/server.conf - on the Linux server (or run it as a service)
openvpn /etc/openvpn/client.conf - on the Linux client (notebook)
Watch /var/log/openvpn.log on the server; a successful connection ends with "Initialization Sequence Completed" in the client's output.
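The checks that ns-cert-type server adds on top of plain CA verification, as an added example that is not part of the original article: a throwaway PKI with the article's names (ca.crt, akela, kibo) built with plain openssl instead of the easy-rsa scripts from the Generate certificates section, followed by the two tests a client performs on the server's certificate. The CA names, the extra "rogue" CA used to show a failed check, the 2048-bit keys and the temporary directory are assumptions of this demo.

```shell
#!/bin/sh
# Added example, not part of the original article: build the same kind of
# certificate set that easy-rsa's build-ca / build-key-server / build-key
# produce, using plain openssl in a scratch directory, then apply the checks
# an OpenVPN client with "ns-cert-type server" (or "remote-cert-tls server")
# applies to the peer certificate. Names akela, kibo and ca.crt are the
# article's; the CA names, the 2048-bit key size and the extra "rogue" CA
# used to show a failed check are assumptions made for this demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extension sets equivalent to easy-rsa 2.0's [server] and [client] sections.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > server.ext <<'EOF'
basicConstraints=CA:FALSE
nsCertType=server
extendedKeyUsage=serverAuth
keyUsage=digitalSignature,keyEncipherment
EOF
cat > client.ext <<'EOF'
basicConstraints=CA:FALSE
nsCertType=client
extendedKeyUsage=clientAuth
keyUsage=digitalSignature
EOF

# mkca PREFIX CN: self-signed CA (what build-ca does). PREFIX.key must never
# leave the signing machine.
mkca() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 \
    -extfile ca.ext -out "$1.crt" 2>/dev/null
}

# issue CA NAME CN EXTFILE: key + CSR for NAME, signed by CA
# (build-key-server uses server.ext, build-key uses client.ext).
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 365 -extfile "$4" -out "$2.crt" 2>/dev/null
}

mkca ca      demo-ca                   # the company CA: ca.crt / ca.key as in the article
mkca rogueca rogue-ca                  # an unrelated CA, standing in for an attacker
issue ca      akela akela server.ext   # the real server certificate
issue ca      kibo  kibo  client.ext   # the notebook's client certificate
issue rogueca mitm  akela server.ext   # server cert with the right CN but the wrong CA

# is_signed_by_ca CERT: does CERT chain to ca.crt? This is the only check a
# client performs when ns-cert-type / remote-cert-tls is absent.
is_signed_by_ca() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# has_server_marks CERT: nsCertType=server (what ns-cert-type server tests)
# and extendedKeyUsage=serverAuth (what remote-cert-tls server tests).
has_server_marks() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server' &&
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server'
}

# accept_as_server CERT: the combined test a hardened client applies.
accept_as_server() {
  is_signed_by_ca "$1" && has_server_marks "$1"
}

for c in akela.crt kibo.crt mitm.crt; do
  if accept_as_server "$c"; then
    echo "$c: accepted as VPN server"
  else
    echo "$c: rejected as VPN server"
  fi
done
```

Only akela.crt passes. kibo.crt chains to the CA just as well, so a client that checks nothing but the CA would accept it as a server; that is exactly the case ns-cert-type server exists for, because any user holding a valid client certificate could otherwise impersonate the server towards other users. mitm.crt carries the server marks and even the right CN, but fails the chain check. The same two openssl commands can be run against the real files produced by easy-rsa to confirm that build-key-server set the extensions and that the certificates chain to your ca.crt.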
OpenVPN and IPTables
Forwarding between the tunnel and the LAN needs two things besides the rules below: IP forwarding enabled in the kernel, and a route for 10.10.1.0/24 back to the VPN server on the LAN hosts or on their default gateway (or NAT on the server), otherwise replies never return. If the VPN users only need a few services, narrow the first FORWARD rule with -d and --dport instead of opening the whole LAN to them.
IPTABLES=/sbin/iptables   # normally set by your firewall script; example values
LAN_IFACE=eth0            # the interface facing the 172.16.128.0/24 LAN
echo 1 > /proc/sys/net/ipv4/ip_forward          # without this the FORWARD rules do nothing
$IPTABLES -A INPUT -p tcp --dport 1194 -j ACCEPT # VPN new: clients reaching the OpenVPN port
$IPTABLES -A INPUT -i tun+ -j ACCEPT # VPN tun: tunnel traffic addressed to the server itself
$IPTABLES -A FORWARD -i tun+ -o $LAN_IFACE -j ACCEPT # VPN forward >: clients into the LAN
$IPTABLES -A FORWARD -i $LAN_IFACE -o tun+ -j ACCEPT # VPN forward <: LAN replies back to clients
Good Luck.