Internet providers are collecting more and more data about our internet activities, but what can we do about it?
You want secure access to your home servers, NAS and devices?
A Virtual Private Network, aka VPN, is a solution for your needs!
1. Installation
apt-get install openvpn easy-rsa
2. OpenVPN configuration
touch /etc/openvpn/server.conf

# edit /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
3. Some system tweaks
echo 1 > /proc/sys/net/ipv4/ip_forward

# edit /etc/sysctl.conf (so forwarding survives a reboot)
net.ipv4.ip_forward=1
4. Installation and configuration of a firewall tool (so you don't need to be an iptables ninja)
apt-get install ufw
ufw allow 1194/udp

# edit /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

# edit /etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients to eth0; the source must match the
# 'server 10.8.0.0 255.255.255.0' subnet (a /24, not /8)
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
*filter
...

ufw enable
ufw status | grep '1194/udp'
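The NAT rule in before.rules and the server directive in server.conf describe the same address range and should agree exactly: server 10.8.0.0 255.255.255.0 hands out a /24, so a -s 10.8.0.0/8 in the masquerade rule would also NAT any other 10.x.x.x traffic that reaches the forward path. The script below is an added example, not part of the original post or of ufw/OpenVPN; the function names and the sample files it writes are constructed here. It parses both files and reports whether the NAT source matches the VPN subnet.

```shell
#!/bin/sh
# Added example (not from the post): check that the ufw NAT rule covers
# exactly the subnet handed out by the OpenVPN "server" directive.
# Function names and the sample files written below are constructed here.

# Convert a dotted-quad netmask to a prefix length: 255.255.255.0 -> 24
mask_to_prefix() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    prefix=0
    for octet in "$@"; do
        while [ "$octet" -gt 0 ]; do
            prefix=$((prefix + (octet & 1)))
            octet=$((octet >> 1))
        done
    done
    echo "$prefix"
}

# Print the VPN subnet from server.conf in CIDR form, e.g. 10.8.0.0/24
server_subnet_cidr() {
    set -- $(awk '$1 == "server" { print $2, $3; exit }' "$1")
    [ $# -eq 2 ] || return 1
    echo "$1/$(mask_to_prefix "$2")"
}

# Print the -s (source) argument of the POSTROUTING MASQUERADE rule
nat_source() {
    awk '/^-A POSTROUTING/ && /MASQUERADE/ {
             for (i = 1; i < NF; i++) if ($i == "-s") { print $(i + 1); exit }
         }' "$1"
}

# 0 if the NAT source equals the server subnet, 1 on mismatch, 2 if unreadable
check_nat_matches() {
    want=$(server_subnet_cidr "$1") || return 2
    have=$(nat_source "$2")
    if [ "$want" = "$have" ]; then
        echo "OK: NAT source $have matches server subnet $want"
        return 0
    fi
    echo "MISMATCH: server.conf uses $want but the NAT rule masquerades ${have:-nothing}" >&2
    return 1
}

# Demo on constructed files: a /8 rule beside a /24 server subnet is flagged.
demo_dir=$(mktemp -d)
printf 'port 1194\nproto udp\nserver 10.8.0.0 255.255.255.0\n' > "$demo_dir/server.conf"
printf '*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE\nCOMMIT\n' > "$demo_dir/before.rules"
check_nat_matches "$demo_dir/server.conf" "$demo_dir/before.rules" || echo "fix: use -s 10.8.0.0/24 in before.rules"
rm -rf "$demo_dir"
```

Run it against the real files with check_nat_matches /etc/openvpn/server.conf /etc/ufw/before.rules after editing; a non-zero exit means the masquerade rule is wider or narrower than the pool your clients actually receive.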
5. Generate the CA, certs and keys for the server
cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys

# edit /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="COUNTRY"
export KEY_PROVINCE="PROVINCE"
export KEY_CITY="CITY"
export KEY_ORG="ORGANIZATION"
export KEY_EMAIL="email@"
export KEY_OU="Organization Unit"
# X509 Subject Field (key name)
export KEY_NAME="server"

openssl dhparam -out /etc/openvpn/dh2048.pem 2048
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
We have now prepared the system environment to generate, sign and distribute our certs thanks to the CA (Certificate Authority).
Let's finish the fun with certs:
cd /etc/openvpn/easy-rsa
./build-key-server server
# leave password and 'company name' empty
# Sign the certificate? Y
Move the certs and keys created for the server:
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn
and check that OpenVPN still starts (if not, make sure there is no typo in the config file and that you moved the correct files to the correct location):
service openvpn start
service openvpn status
6. Creating certs and keys for clients:
cd /etc/openvpn/easy-rsa
./build-key client1
# leave password and 'company name' empty
# Sign the certificate? Y

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn

# edit /etc/openvpn/easy-rsa/keys/client.ovpn
client
dev tun
proto udp
# replace ip_serwera with the public IP or hostname of your server
remote ip_serwera 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
Attention: the user/group settings are not compatible with Windows.
The client config file is still missing the paths for the cert/key combo 🙂 but we will overcome this in one of two ways:
7a. Unified config file (one file to rule them all)
# the file names must match the name given to ./build-key above (client1)
echo '<ca>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/client.ovpn
echo '</ca>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
echo '<cert>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
cat /etc/openvpn/easy-rsa/keys/client1.crt >> /etc/openvpn/easy-rsa/keys/client.ovpn
echo '</cert>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
echo '<key>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
cat /etc/openvpn/easy-rsa/keys/client1.key >> /etc/openvpn/easy-rsa/keys/client.ovpn
echo '</key>' >> /etc/openvpn/easy-rsa/keys/client.ovpn
7b. Maybe you don't want to include the certs inside the profile file; then we need to add these lines and copy the needed files (ca.crt, client1.crt, client1.key) next to the profile on the client:
ca ca.crt
cert client1.crt
key client1.key
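Steps 7a and 7b assemble the profile by hand; the script below is an added example (not code from the post) that does the 7a inlining from a base .ovpn plus the CA/cert/key files, strips any leftover file-based ca/cert/key lines so the two styles are not mixed, and then checks the result: all three inline blocks opened and closed, three PEM objects present, and a remote that is no longer the ip_serwera placeholder. The function names, vpn.example.com and the fake PEM bodies are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post): build the unified client profile of
# step 7a from a base .ovpn plus ca/cert/key files, then sanity-check it.
# Function names and the constructed sample files below are this example's own.

# Append the contents of file $2 wrapped in <$1>...</$1> to profile $3
inline_block() {
    { echo "<$1>"; cat "$2"; echo "</$1>"; } >> "$3"
}

# build_profile BASE CA CERT KEY OUT
# Copies BASE without any file-based ca/cert/key directives (they would
# conflict with the inline blocks) and appends the three inline blocks.
build_profile() {
    grep -v -E '^(ca|cert|key)[[:space:]]' "$1" > "$5"
    inline_block ca   "$2" "$5"
    inline_block cert "$3" "$5"
    inline_block key  "$4" "$5"
    chmod 600 "$5"   # the profile now carries the private key
}

# check_profile OUT: 0 if the profile is complete and deployable, 1 otherwise
check_profile() {
    f=$1
    for tag in ca cert key; do
        grep -q "^<$tag>\$" "$f"  || { echo "missing <$tag> block" >&2; return 1; }
        grep -q "^</$tag>\$" "$f" || { echo "missing </$tag> tag" >&2; return 1; }
    done
    # exactly three PEM objects: CA cert, client cert, client key
    [ "$(grep -c -e '-----BEGIN ' "$f")" -eq 3 ] || { echo "expected 3 PEM blocks" >&2; return 1; }
    if grep -q -E '^(ca|cert|key)[[:space:]]' "$f"; then
        echo "file-based ca/cert/key directive left next to inline blocks" >&2; return 1
    fi
    # remote must be set and must not be the ip_serwera placeholder from the post
    if ! grep -q -E '^remote[[:space:]]+[^[:space:]]+[[:space:]]+[0-9]+' "$f" \
       || grep -q -E '^remote[[:space:]]+ip_serwera([[:space:]]|$)' "$f"; then
        echo "remote is missing or still the placeholder" >&2; return 1
    fi
    return 0
}

# Demo on constructed inputs (fake PEM bodies, not real keys).
demo=$(mktemp -d)
printf 'client\ndev tun\nproto udp\nremote vpn.example.com 1194\nnobind\nremote-cert-tls server\nca ca.crt\ncert client1.crt\nkey client1.key\n' > "$demo/base.ovpn"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$demo/ca.crt"
cp "$demo/ca.crt" "$demo/client1.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' '-----END PRIVATE KEY-----' > "$demo/client1.key"
build_profile "$demo/base.ovpn" "$demo/ca.crt" "$demo/client1.crt" "$demo/client1.key" "$demo/client1.ovpn"
check_profile "$demo/client1.ovpn" && echo "client1.ovpn is ready to copy to the client"
rm -rf "$demo"
```

On the real server the call is build_profile /etc/openvpn/easy-rsa/keys/client.ovpn /etc/openvpn/ca.crt /etc/openvpn/easy-rsa/keys/client1.crt /etc/openvpn/easy-rsa/keys/client1.key client1-inline.ovpn; the output is mode 0600 because it embeds the client's private key, so copy it to the client over a trusted channel and delete the server copy once it has been delivered.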