Being secure does not have to be expensive.

Abbreviated steps to set up an OpenVPN server that behaves as expected, including routing to and from your local network, using the easy-rsa 2.x scripts shipped with Debian/Ubuntu.

Server configuration

Become root:

sudo su

Update apt and install OpenVPN:

apt-get update  
apt-get install openvpn

Change to OpenVPN directory and copy easy-rsa data:

cd /etc/openvpn
cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa/

Edit vars:

vi easy-rsa/vars

Change export EASY_RSA="`pwd`" to export EASY_RSA="/etc/openvpn/easy-rsa". Also raise export KEY_SIZE=1024 to export KEY_SIZE=2048: KEY_SIZE sets both the RSA key length and the size of the Diffie-Hellman parameters produced by ./build-dh, and 1024 bits is no longer adequate. With 2048 the parameter file is keys/dh2048.pem, so the dh line in server.conf has to point there rather than at dh1024.pem. You can also change the default certificate fields (KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL) at the bottom of the file so you don't have to enter them over and over again while creating certificates.

Change to the easy-rsa directory, source the file and get building. The build-* scripts prompt for the certificate fields and ask you to sign and commit each certificate; the server certificate must be built with build-key-server so it carries the server extended-key-usage:

cd easy-rsa
source vars
ln -s openssl-1.0.0.cnf openssl.cnf
./clean-all
./build-ca OpenVPN
./build-key-server server
./build-key client1
./build-dh
cd ..

Create OpenVPN config:

vi server.conf
dev tun  
proto udp  
port 1194  
ca /etc/openvpn/easy-rsa/keys/ca.crt  
cert /etc/openvpn/easy-rsa/keys/server.crt  
key /etc/openvpn/easy-rsa/keys/server.key  
dh /etc/openvpn/easy-rsa/keys/dh1024.pem  
user nobody  
group nogroup  
server 10.8.0.0 255.255.255.0  
persist-key  
persist-tun  
status /var/log/openvpn-status.log  
verb 3  
client-to-client  
push "redirect-gateway def1"  
#set the dns servers  
push "dhcp-option DNS 8.8.8.8"  
push "dhcp-option DNS 8.8.4.4"  
log-append /var/log/openvpn  
comp-lzo
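
The server.conf above works, but it carries several settings a reviewer would question before exposing the port to the internet. The following is an added example, not code from the original post: a small lint pass that flags those settings and is run against two constructed configs, a copy of the post's server.conf and a hardened variant (the ta.key path in the hardened copy is assumed).

```sh
#!/bin/sh
# Added example, not code from the original post: lint an OpenVPN server.conf
# for the settings worth fixing in the config above. Both sample configs below
# are constructed inline; the ta.key path in the hardened one is assumed.

# lint_openvpn_conf FILE
# Prints one finding per line; prints nothing for a clean config.
lint_openvpn_conf() {
    conf="$1"
    # easy-rsa 2.x vars defaults KEY_SIZE to 1024, so build-dh yields dh1024.pem.
    if grep -Eq '^[[:space:]]*dh[[:space:]]+.*dh1024\.pem' "$conf"; then
        echo "dh: 1024-bit DH parameters; set KEY_SIZE=2048 in vars, rerun ./build-dh, use dh2048.pem"
    fi
    # Without tls-auth/tls-crypt the TLS control channel answers anyone who sends a packet.
    if ! grep -Eq '^[[:space:]]*(tls-auth|tls-crypt)[[:space:]]' "$conf"; then
        echo "tls-auth/tls-crypt: missing; generate a key with 'openvpn --genkey --secret ta.key'"
    fi
    # No explicit cipher means the pre-2.4 default, Blowfish (BF-CBC).
    if ! grep -Eq '^[[:space:]]*cipher[[:space:]]' "$conf"; then
        echo "cipher: not set; releases before 2.4 default to BF-CBC, set e.g. 'cipher AES-256-GCM'"
    fi
    # comp-lzo is deprecated since OpenVPN 2.4 and compressing plaintext leaks its length.
    if grep -Eq '^[[:space:]]*comp-lzo' "$conf"; then
        echo "comp-lzo: remove; compression is deprecated and leaks plaintext length"
    fi
    # The daemon should drop root once the tunnel is up.
    if ! grep -Eq '^[[:space:]]*user[[:space:]]+nobody' "$conf"; then
        echo "user: not set; add 'user nobody' and 'group nogroup' to drop privileges"
    fi
    return 0
}

# count_findings FILE: number of findings as a plain integer
count_findings() {
    lint_openvpn_conf "$1" | wc -l | tr -d ' '
}

# write_post_conf FILE: constructed copy of the server.conf from this post
write_post_conf() {
    cat > "$1" <<'EOF'
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
client-to-client
push "redirect-gateway def1"
comp-lzo
EOF
}

# write_hardened_conf FILE: the same config with every finding addressed
write_hardened_conf() {
    cat > "$1" <<'EOF'
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-GCM
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
push "redirect-gateway def1"
EOF
}

tmp=$(mktemp -d)
write_post_conf "$tmp/server.conf"
write_hardened_conf "$tmp/server-hardened.conf"
echo "== findings for the post's server.conf =="
lint_openvpn_conf "$tmp/server.conf"
echo "== findings for the hardened server.conf =="
lint_openvpn_conf "$tmp/server-hardened.conf"
rm -rf "$tmp"
```

The hardened copy also drops client-to-client: with it set, every connected client can reach every other one, which is rarely what a single-user gateway needs. If you add tls-auth on the server, the clients need the same ta.key with direction 1 (tls-auth ta.key 1) or they will be unable to connect.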

Make sure IPv4 forwarding is enabled and that traffic from the VPN subnet is NATed out through the server's public interface (eth0 here; [IPADDRESS] is the server's public address, so SNAT only fits a static address, otherwise use -j MASQUERADE instead):

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source [IPADDRESS]

To keep forwarding enabled across reboots, uncomment net.ipv4.ip_forward=1 in /etc/sysctl.conf:

vi /etc/sysctl.conf

The iptables rules are lost on reboot as well, so add them to /etc/rc.local (or whatever firewall script your distribution runs at boot):

vi /etc/rc.local

Add the following just above exit 0. The ACCEPT rule for port 1194 belongs in the filter table (the default when -t is omitted); the nat table only rewrites addresses and an ACCEPT there does not allow any traffic in. If your FORWARD chain policy is DROP, you also need rules permitting traffic between tun0 and eth0, or clients will reach the server but nothing beyond it.

iptables -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT  
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source [IPADDRESS]

Start OpenVPN:

service openvpn start

Client configuration

Create the client config:

vi client1.ovpn
dev tun  
client  
proto udp  
remote [IPADDRESS] 1194  
resolv-retry infinite  
nobind  
persist-key  
persist-tun  
ca ca.crt  
cert client1.crt  
key client1.key  
comp-lzo  
verb 3

Copy ca.crt, client1.crt and client1.key from /etc/openvpn/easy-rsa/keys on the server to the same directory as the config file on the client. client1.key is the client's private key: move it over an authenticated channel (scp, or physical media), not by email, and keep it readable only by the user running OpenVPN. Anyone holding that file can connect as client1.
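
Rather than shipping four files, OpenVPN lets you embed the three PEM files in the config itself as inline <ca>, <cert> and <key> blocks, which is what most clients expect from a single .ovpn profile. The following is an added example, not code from the original post: it builds such a profile from the client config above and three PEM files. The PEM bodies it writes are constructed placeholders, and 192.0.2.10 stands in for [IPADDRESS].

```sh
#!/bin/sh
# Added example, not code from the original post: bundle client1.ovpn and its
# three PEM files into one self-contained profile using OpenVPN's inline
# <ca>, <cert> and <key> blocks, so a single file is copied to the client.
# The PEM bodies written below are constructed placeholders, not real keys.

# build_inline_profile CONFIG CA_FILE CERT_FILE KEY_FILE
# Writes the combined profile to stdout.
build_inline_profile() {
    conf="$1"; ca="$2"; cert="$3"; key="$4"
    # Keep every directive except the three file references, which are replaced
    # by inline blocks below. The pattern requires the directive at the start of
    # the line followed by whitespace, so "persist-key" is kept.
    grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$conf"
    for pair in "ca:$ca" "cert:$cert" "key:$key"; do
        tag="${pair%%:*}"
        file="${pair#*:}"
        echo "<$tag>"
        cat "$file"
        echo "</$tag>"
    done
}

# count_inline_blocks PROFILE: how many of the three inline sections are opened
count_inline_blocks() {
    grep -Ec '^<(ca|cert|key)>$' "$1"
}

# write_sample_inputs DIR: the client config from this post plus placeholder PEMs
write_sample_inputs() {
    cat > "$1/client1.conf" <<'EOF'
dev tun
client
proto udp
remote 192.0.2.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
verb 3
EOF
    # Constructed placeholders standing in for the real easy-rsa output.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CERT' '-----END CERTIFICATE-----' > "$1/client1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$1/client1.key"
}

tmp=$(mktemp -d)
write_sample_inputs "$tmp"
build_inline_profile "$tmp/client1.conf" "$tmp/ca.crt" "$tmp/client1.crt" "$tmp/client1.key" > "$tmp/client1.ovpn"
# The profile now carries the private key, so restrict it before handing it out.
chmod 600 "$tmp/client1.ovpn"
cat "$tmp/client1.ovpn"
rm -rf "$tmp"
```

On the real server you would run build_inline_profile against /etc/openvpn/easy-rsa/keys/ca.crt, client1.crt and client1.key and copy only the resulting file to the client. Because that one file contains the private key, treat it exactly as you would client1.key.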
