Hi,
I have had great difficulty in setting up OpenVPN, so I thought that when I finally did get it to work I would write a HOWTO, so others can hopefully benefit…
This guide was done using an FC4 VPS running on Xen. It will also work on OpenVZ; all you need to do is ask your VPS provider to enable “tun support”.
1. First of all, get a few additional repos. If you already have your repos set up, skip this step.
If you have Fedora 3, follow these steps,
http://stanton-finley.net/fedora_cor...notes.html#Yum
If you have Fedora 4, follow these steps,
http://stanton-finley.net/fedora_cor...notes.html#Yum
If you have Fedora 5, follow these steps,
http://stanton-finley.net/fedora_cor...notes.html#Yum
If you have CentOS, follow the “additional third party CentOS repos”
http://www.osresources.com/11_6_en.html
Then issue these commands. Each line is a new command; anything beginning with "#" is a comment, so don't try to execute those.
Code:
yum update
yum install openssl openssl-devel
# openssl and openssl-devel may be installed already… so don’t worry
2. Right, now you want to install OpenVPN. Here are the commands:
Code:
yum install openvpn -y
#Now check that it works
service openvpn start
service openvpn stop
3. A few things to set up before you can make certificates. Issue these commands:
Code:
find / -name "easy-rsa"
# you should get an output like this…
/usr/share/doc/openvpn-2.0.7/easy-rsa
# Now make a copy of the easy-rsa directory to /etc/openvpn/ (make sure you
# have put the right version number in, i.e. mine was -2.0.7; change if needed)
cp -R /usr/share/doc/openvpn-2.0.7/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa
# this makes the easy-rsa scripts executable (execute permission is all they
# need; "chmod +x *" would do the same with less exposure)
chmod 777 *
mkdir /etc/openvpn/keys
4. You need to edit the vars file, located in /etc/openvpn/easy-rsa.
You can use any editor you like, I used vi.
Change the line
Code:
export KEY_DIR=$D/keys
to
Code:
export KEY_DIR=/etc/openvpn/keys
Also, at the bottom of this file you will see something similar to this:
Code:
export KEY_COUNTRY=US
export KEY_PROVINCE=CA
export KEY_CITY=SOMEWHERE
export KEY_ORG="My Org"
export KEY_EMAIL=me@mydomain.com
Change this to your own values.
5. Now it's time to make the certificates. Enter these commands:
Code:
. ./vars
Code:
./clean-all
Code:
./build-ca
# just hit enter to the defaults apart from Common Name, this must be unique
# call it something like mydomain-ca
Code:
./build-key-server server
Code:
./build-key client1
# remember that common name must be unique e.g. use mydomain-client1
# and YES you want to sign the keys
Code:
./build-key client2
# do this step for as many clients as you need.
Code:
./build-dh
6. We are almost done now. Right, we need to create a few config files; you can download my template from here:
Code:
cd /etc/openvpn
Code:
wget www.designpc.co.uk/downloads/server.conf
# make sure you change a few things in the server.conf file, like DNS
# servers
Code:
touch server-tcp.log
This creates the log file.
Code:
touch ipp.txt
This creates the IP reservation list.
7. You need to make a few changes to the OpenVPN init script. Go to:
Code:
cd /etc/init.d/
Edit the openvpn file and uncomment this line (line 119):
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
Add these lines below it, changing 123.123.123.123 to your public IP address:
Code:
iptables -t nat -A POSTROUTING -s 192.168.2.3 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 192.168.2.4 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 192.168.2.5 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 192.168.2.6 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 192.168.2.7 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 192.168.2.8 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 192.168.2.9 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 192.168.2.10 -j SNAT --to 123.123.123.123
Now install iptables if you don't have it already:
Code:
yum install iptables
#test it
service iptables start
service iptables stop
8. Now for the client config files. If your client is a Windows machine, make sure you have installed OpenVPN; use the GUI version, downloadable from here:
http://www.designpc.co.uk/downloads/....3-install.exe
You need to copy a few files from the server to your client machine. Here is the list, located in /etc/openvpn/keys/ (client1.csr is the signing request and is not referenced by the client config, so only ca.crt, client1.crt and client1.key are actually needed; client1.key is the client's private key, so keep it private):
## WARNING ## Use a secure way of transferring these files off the server, something like WinSCP.
ca.crt
client1.csr
client1.key
client1.crt
Put these files in this directory: C:\Program Files\OpenVPN\config\
Now you need to make a client config. Here is an example:
Code:
client
dev tun
proto tcp
# Change my.publicdomain.com to your public domain or IP address
remote my.publicdomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# make sure the peer presents a certificate built with build-key-server
ns-cert-type server
# DNS options: "push" is only valid in server mode (--mode server), so a
# client will not accept these two lines. They belong in server.conf (see
# step 6); put them there and CHANGE THE ADDRESSES !!
;push "dhcp-option DNS 123.123.123.123"
;push "dhcp-option DNS 123.123.123.124"
comp-lzo
verb 3
Make sure you edit any of the lines with comments above them.
Call this file client1.ovpn and put it in C:\Program Files\OpenVPN\config\
Make sure the file extension is .ovpn, not .txt.
To connect, right-click on OpenVPN in the taskbar >> Connect.
To test, ping 192.168.2.1.
If you get a response, you're in business.
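Before copying a client config to the Windows machine it is worth checking it for the two mistakes that bite most often: server-only directives such as push that a client will not accept, and a missing server-identity check (ns-cert-type server), without which the client would trust any certificate signed by your CA, including another client's, as the server. The following lint script is an added example, not part of the HOWTO; the embedded config is an abridged copy of the client1 example above, constructed as sample input.

```python
# Added example (not from the HOWTO): sanity-check an OpenVPN 2.x client
# config before copying it to C:\Program Files\OpenVPN\config\ .
import shlex

# Directives that are only valid in --mode server; a client refuses to start
# with them ("--push requires --mode server"). They belong in server.conf.
SERVER_ONLY = {"push", "server", "ifconfig-pool-persist", "client-to-client",
               "client-config-dir", "duplicate-cn", "dh"}
# Without one of these the client accepts ANY certificate signed by the CA
# as "the server", so another client's cert could impersonate the server.
SERVER_IDENTITY = {"ns-cert-type", "remote-cert-tls"}

# Constructed sample: abridged client1 config from step 8, push lines included.
CLIENT1_OVPN = """\
client
dev tun
proto tcp
remote my.publicdomain.com 1194
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
#DNS Options here, CHANGE THESE !!
push "dhcp-option DNS 123.123.123.123"
push "dhcp-option DNS 123.123.123.124"
"""


def parse_ovpn(text):
    """Return [(directive, [args])]; lines starting with '#' or ';' are comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            tok = shlex.split(line)  # keeps a quoted arg like "dhcp-option DNS ..." whole
            out.append((tok[0], tok[1:]))
    return out


def lint_client_config(text):
    """Return a list of findings; an empty list means the config passed."""
    directives = parse_ovpn(text)
    names = {d for d, _ in directives}
    findings = []
    if "client" not in names:
        findings.append("missing 'client' directive")
    for d, args in directives:
        if d in SERVER_ONLY:
            findings.append(f"'{d} {' '.join(args)}' is server-mode only; move it to server.conf")
    for req in ("remote", "ca", "cert", "key"):
        if req not in names:
            findings.append(f"missing '{req}'")
    if not names & SERVER_IDENTITY:
        findings.append("no 'ns-cert-type server' or 'remote-cert-tls server': server identity is not checked")
    return findings
```

Run against the sample it reports the two push lines and nothing else; delete them and the list comes back empty.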