Being secure does not have to be expensive.

Abbreviated steps to set up an OpenVPN server that acts as expected, including routing to and from your local network.

Server configuration

Become root:

sudo su

Update apt and install OpenVPN:

apt-get update
apt-get install openvpn

Change to OpenVPN directory and copy easy-rsa data:

cd /etc/openvpn
cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa/

Edit vars:

vi easy-rsa/vars

Change export EASY_RSA="`pwd`" to export EASY_RSA="/etc/openvpn/easy-rsa". You can also change the default settings at the bottom of the file so you don't have to enter them over and over again while creating certificates.

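Change to the easy-rsa directory, source the file and get building:

cd easy-rsa
source vars
ln -s openssl-1.0.0.cnf openssl.cnf
# initialise the keys directory (index.txt, serial); wipes any existing keys
./clean-all
./build-ca OpenVPN
./build-key-server server
./build-key client1
# generate the DH parameters; written to keys/dh<KEY_SIZE>.pem (KEY_SIZE is set in vars)
./build-dh
cd ..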

Create OpenVPN config:

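vi server.conf

Add the following:

dev tun
proto udp
port 1194
# enables server mode; fill in the VPN subnet handed out to clients
server [VPNNETWORK] [VPNNETMASK]
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
# easy-rsa names this file after KEY_SIZE in vars; 1024-bit DH is weak, prefer 2048 or larger
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
status /var/log/openvpn-status.log
verb 3
push "redirect-gateway def1"
# set the DNS servers
push "dhcp-option DNS [DNSSERVER1]"
push "dhcp-option DNS [DNSSERVER2]"
log-append /var/log/openvpn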

Make sure IPv4 forwarding and gateway routing are enabled:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s [VPNSUBNET] -o eth0 -j SNAT --to-source [IPADDRESS]
vi /etc/sysctl.conf

Uncomment net.ipv4.ip_forward=1.

vi /etc/rc.local

Add the following just above exit 0:

# the ACCEPT rule belongs in the default filter table, not the nat table
iptables -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s [VPNSUBNET] -o eth0 -j SNAT --to-source [IPADDRESS]

Start OpenVPN:

service openvpn start

Client configuration

vi client1.ovpn

Add the following:

# act as a TLS client and accept the options pushed by the server
client
dev tun
proto udp
remote [IPADDRESS] 1194
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
verb 3

Copy ca.crt, client1.crt and client1.key to the same directory as the config file.
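
A preflight check for the steps above, as an added example that is not part of the original post: it reads a server.conf or client .ovpn file, reports any ca/cert/key/dh file that does not exist, any private key readable by group or others, and any bracketed template value such as [IPADDRESS] left unfilled. The function name check_ovpn_conf is hypothetical, and it assumes relative paths are resolved against the directory of the config file.

```sh
#!/bin/sh
# Added example: preflight check for an OpenVPN config file.
# check_ovpn_conf is a hypothetical helper, not an OpenVPN tool.
# Usage: check_ovpn_conf /etc/openvpn/server.conf
# Prints one finding per line; returns 0 only when there are none.
check_ovpn_conf() {
    conf=$1
    base=$(dirname "$conf")
    findings=0
    while read -r directive arg rest || [ -n "$directive" ]; do
        # A bracketed template value such as [IPADDRESS] was never filled in.
        case "$arg $rest" in
            *\[*\]*)
                echo "PLACEHOLDER $directive $arg"
                findings=$((findings + 1))
                continue ;;
        esac
        # Only these directives name certificate or key files.
        case $directive in
            ca|cert|key|dh) ;;
            *) continue ;;
        esac
        # Assumption: relative paths are relative to the config's directory.
        case $arg in
            /*) file=$arg ;;
            *)  file=$base/$arg ;;
        esac
        if [ ! -f "$file" ]; then
            echo "MISSING $directive $file"
            findings=$((findings + 1))
        elif [ "$directive" = key ]; then
            # Characters 5-10 of the ls mode string are the group/other bits.
            mode=$(ls -ldL "$file" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "PERMS $directive $file"
                findings=$((findings + 1))
            fi
        fi
    done < "$conf"
    [ "$findings" -eq 0 ]
}
```

A PERMS finding is cleared with chmod 600 on the key file.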
