Difference between revisions of "VPN server configuration"
Line 12: | Line 12: | ||
=Generic setup= | =Generic setup= | ||
+ | |||
+ | ==Installation== | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | apt-get install openvpn easy-rsa | ||
+ | </syntaxhighlight> | ||
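Review bot: the new Installation block pulls in easy-rsa, but nothing on the page shows the CA, server certificate and DH parameter generation that the later `ca`, `cert`, `key` and `dh` directives depend on (`/etc/openvpn/ca.crt`, `server.crt`, `server.key`, `dh2048.pem`). Add the easy-rsa steps, or a pointer to them, right after this block so readers know where those files come from before they reach the configuration.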
Line 198: | Line 204: | ||
* Very good document about IPv6 VPN: http://tomsalmon.eu/2013/04/openvpn-ipv6-with-tun-device/ | * Very good document about IPv6 VPN: http://tomsalmon.eu/2013/04/openvpn-ipv6-with-tun-device/ | ||
* Nice guide: http://the-technoholik.blogspot.com/2014/03/secure-ipv6-gateway-tunnelbroker-using.html | * Nice guide: http://the-technoholik.blogspot.com/2014/03/secure-ipv6-gateway-tunnelbroker-using.html | ||
+ | |||
+ | |||
+ | |||
Line 259: | Line 268: | ||
# Server mode and VPN subset | # Server mode and VPN subset | ||
server 192.168.15.0 255.255.255.0 | server 192.168.15.0 255.255.255.0 | ||
− | server-ipv6 2001:41d0:8:9318::/64 | + | server-ipv6 2001:41d0:8:9318::1/64 |
# Maintain a record of client <-> virtual IP address associations in this file. | # Maintain a record of client <-> virtual IP address associations in this file. | ||
ifconfig-pool-persist ipp.txt | ifconfig-pool-persist ipp.txt | ||
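Review bot: the new `server-ipv6` value carries a host part (`::1`) as well as the prefix length, whereas the `push "route-ipv6 2001:41d0:8:9318::/64"` further down keeps the bare prefix, which is the right form for a route; a one-line comment saying why the address part was added here would stop a later editor "normalising" it back to `::/64`. Also, "VPN subset" in the context comment reads as a typo for "VPN subnet".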
Line 302: | Line 311: | ||
− | ####### DNS | + | ####### Set the client DNS (optional) |
# Use alternate DNS server (OpenDNS + Google) | # Use alternate DNS server (OpenDNS + Google) | ||
## OpenDNS | ## OpenDNS | ||
− | push "dhcp-option DNS 208.67.222.222" | + | #push "dhcp-option DNS 208.67.222.222" |
− | push "dhcp-option DNS 208.67.220.220" | + | #push "dhcp-option DNS 208.67.220.220" |
− | push "dhcp-option DNS 2620:0:ccc::2" | + | #push "dhcp-option DNS 2620:0:ccc::2" |
− | push "dhcp-option DNS 2620:0:ccd::2" | + | #push "dhcp-option DNS 2620:0:ccd::2" |
## Google | ## Google | ||
#push "dhcp-option DNS 8.8.8.8" | #push "dhcp-option DNS 8.8.8.8" |
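Review bot: after this change every `dhcp-option DNS` line is commented out while `push "redirect-gateway def1"` is still active, so clients send all traffic into the tunnel but keep whatever resolver they had before; if that resolver is only reachable on the local network, name resolution fails, and otherwise DNS queries bypass the VPN. Either leave one v4/v6 pair uncommented as the default, or make the "(optional)" comment say explicitly that the administrator must pick one when redirect-gateway is used.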
Revision as of 21:31, 10 September 2015
Generic setup
Installation
apt-get install openvpn easy-rsa
Prepare files
You can use an existing example or start from scratch, as you like. If you want to reuse one of the OpenVPN examples:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn/
gzip -d server.conf.gz
Security algorithms and hash
Depending on your server and distribution, you might not always have the same encryption and/or hash algorithms available. Choose your algorithms!
Cryptographic algorithms
openvpn --show-ciphers
Search for: AES-128-CBC, AES-256-CBC
Hash algorithms
openvpn --show-digests
Search for: MD5
Handshake algorithms
openvpn --show-tls
IPv4 configuration
This is how your configuration should look (more or less, depending on your settings):
##################################################
# OpenVPN 2.0 config file #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz #
# version 1.2 - June 2013 - Guillaume Diaz #
# conf update + chroot #
##################################################
# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
local 192.168.1.2
# VPN interface
# Which TCP/UDP port should OpenVPN listen on?
# TCP or UDP server?
dev tun
proto udp
port 8080
# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
# Shared secret key by both server and clients
;tls-auth /etc/openvpn/ta.key 0
# Crypto settings
cipher AES-128-CBC
auth MD5
# Reduce OpenVPN daemon rights after application start
# To chroot OpenVPN to its own folder
user nobody
group nogroup
chroot /etc/openvpn/
# SERVER CONF
##########################
# Server mode and VPN subnet
server 192.168.15.0 255.255.255.0
# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like)
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep server connection up and running
persist-key
persist-tun
# Compression of data exchange
comp-lzo
# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100
# Allow different clients to be able to "see" each other.
client-to-client
# One certificate, multiple clients
# Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Fix for Microsoft Windows clients
mssfix
# Server security level
script-security 2
####### Client-to-Client communication
# Push routes to the client
# >> VPN route. Required to allow connections
push "route 192.168.15.0 255.255.255.0"
# >> Set the VPN server as global gateway
push "redirect-gateway def1"
####### DNS
# Server as DNS server
;push "dhcp-option WINS 192.168.1.21"
;push "dhcp-option DNS 192.168.1.21"
# Use alternate DNS server (OpenDNS + Google)
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"
# >> Force windows clients to use the pushed DNS
push "register-dns"
####### VPN as gateway to other networks
# Set the VPN server to act as a gateway for remote network
# You must set 1 'push route <network> <mask>' per target network(s)
# >> Remote LAN route. Required to access internal resources located in the VPN server's network
;push "route 192.168.1.0 255.255.255.0"
# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log
# Log in a dedicated file instead of /var/log/messages
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6
# Silence repeating messages.
# At most this many identical consecutive messages will be written to the log file.
mute 10
IPv6 + IPv4 configuration
This is a slightly more advanced configuration. Notice the use of the *-ipv6 directives.
More details?
- Very good document about IPv6 VPN: http://tomsalmon.eu/2013/04/openvpn-ipv6-with-tun-device/
- Nice guide: http://the-technoholik.blogspot.com/2014/03/secure-ipv6-gateway-tunnelbroker-using.html
##################################################
# OpenVPN 2.0 config file #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz #
# version 1.2 - June 2013 - Guillaume Diaz #
# conf update + chroot #
##################################################
# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
# >> Put nothing to listen on ALL interfaces and IPs (v4 + v6)
# Or you have to put 1 line per IP to listen to
#local 192.168.1.2
# VPN interface
# Which TCP/UDP port should OpenVPN listen on?
# TCP or UDP server?
dev tun
# Enable IPv6 support
tun-ipv6
# Protocol and port
proto udp6
port 8080
# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
# Shared secret key by both server and clients
;tls-auth /etc/openvpn/ta.key 0
# Crypto settings
cipher AES-128-CBC
auth MD5
# Reduce OpenVPN daemon rights after application start
# To chroot OpenVPN to its own folder
user nobody
group nogroup
chroot /etc/openvpn/
# SERVER CONF
##########################
# Server mode and VPN subnet
server 192.168.15.0 255.255.255.0
server-ipv6 2001:41d0:8:9318::1/64
# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like)
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep server connection up and running
persist-key
persist-tun
# Compression of data exchange
comp-lzo
# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100
# Allow different clients to be able to "see" each other.
client-to-client
# One certificate, multiple clients
# Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Fix for Microsoft Windows clients
mssfix
# Server security level
script-security 2
####### Client-to-Client communication
# Push routes to the client
# >> VPN route. Required to allow connections
push "route 192.168.15.0 255.255.255.0"
push "route-ipv6 2001:41d0:8:9318::/64"
# >> Set the VPN server as global gateway
push "redirect-gateway def1"
# The following line is mandatory!
# Make OpenVPN the default route for IPv6 connectivity
push "route-ipv6 2000::/3"
####### Set the client DNS (optional)
# Use alternate DNS server (OpenDNS + Google)
## OpenDNS
#push "dhcp-option DNS 208.67.222.222"
#push "dhcp-option DNS 208.67.220.220"
#push "dhcp-option DNS 2620:0:ccc::2"
#push "dhcp-option DNS 2620:0:ccd::2"
## Google
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
#push "dhcp-option DNS 2001:4860:4860::8888"
#push "dhcp-option DNS 2001:4860:4860::8844"
# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log
# Log in a dedicated file instead of /var/log/messages
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6
# Silence repeating messages.
# At most this many identical consecutive messages will be written to the log file.
mute 10
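As an added example (not from the wiki page or the OpenVPN project), the following POSIX shell lint reads a server.conf like the two above and reports the settings a practitioner would revisit: the MD5 digest picked in the "Security algorithms and hash" section, the commented-out tls-auth, a redirect-gateway push with no DNS push (the state of the IPv6 configuration), debug-level verb, and the duplicate-cn/ifconfig-pool-persist combination the config comments warn against. The helper names conf_active, conf_get, conf_has and lint_conf are the example's own, and the sample configuration it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page or OpenVPN): lint an OpenVPN server.conf for
# settings a defender would revisit before deploying a config like the ones above.
# Assumes '#' / ';' start comments and whitespace separates directive from value.
# Active lines only: comments and blank lines stripped.  $1=file
conf_active() { sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1"; }
# Value(s) of a directive, one per line.  $1=file $2=directive
conf_get() { conf_active "$1" | awk -v d="$2" '$1==d { sub(/^[^ \t]+[ \t]*/, ""); print }'; }
# True when the directive appears uncommented.  $1=file $2=directive
conf_has() { conf_active "$1" | awk -v d="$2" '$1==d { f=1 } END { exit !f }'; }
# lint_conf FILE: one finding per output line; exit status = number of findings.
lint_conf() {
    f="$1"; n=0
    case "$(conf_get "$f" cipher)" in
        AES-*) ;;
        *) echo "cipher: expected an AES cipher, got '$(conf_get "$f" cipher)'"; n=$((n + 1)) ;;
    esac
    case "$(conf_get "$f" auth)" in
        ""|MD5|SHA1) echo "auth: HMAC digest '$(conf_get "$f" auth)' is weak or unset, prefer SHA256"; n=$((n + 1)) ;;
    esac
    conf_has "$f" tls-auth || { echo "tls-auth: commented out, control channel has no HMAC before the TLS handshake"; n=$((n + 1)); }
    conf_has "$f" user && conf_has "$f" group || { echo "user/group: daemon keeps root after start"; n=$((n + 1)); }
    # The config comments warn against combining these two directives.
    if conf_has "$f" duplicate-cn && conf_has "$f" ifconfig-pool-persist; then
        echo "duplicate-cn: conflicts with ifconfig-pool-persist"; n=$((n + 1))
    fi
    # All traffic is sent into the tunnel, but clients keep their old resolver.
    if conf_get "$f" push | grep -q redirect-gateway && ! conf_get "$f" push | grep -q 'dhcp-option DNS'; then
        echo "push: redirect-gateway without any 'dhcp-option DNS', client DNS stays outside the tunnel"; n=$((n + 1))
    fi
    verb=$(conf_get "$f" verb); [ "${verb:-0}" -le 4 ] || { echo "verb: $verb is debug-level logging, 4 is enough in production"; n=$((n + 1)); }
    return $n
}
# Constructed sample: the page's IPv6 config reduced to the lines the lint inspects.
SAMPLE_CONF=$(mktemp); trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
cipher AES-128-CBC
auth MD5
;tls-auth /etc/openvpn/ta.key 0
user nobody
group nogroup
ifconfig-pool-persist ipp.txt
;duplicate-cn
push "redirect-gateway def1"
#push "dhcp-option DNS 8.8.8.8"
verb 6
EOF
lint_conf "$SAMPLE_CONF" || echo "$? finding(s)"   # prints 4 findings, then "4 finding(s)"
```

Point it at /etc/openvpn/server.conf instead of the sample to lint a real configuration; a non-zero exit status is the number of findings, which makes it easy to gate a deployment on.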
See if it works
Start the service
service openvpn restart
Check that OpenVPN listens on port 8080
netstat -pl --numeric | grep 8080
You should see one entry per protocol.
Check the OpenVPN logs (use the path given by the log directive; the configurations above write to /etc/openvpn/openvpn.log)
cat /var/log/openvpn.log
General notes
You can use either TCP or UDP. Performance is the same; UDP is a bit easier to set up.
Be careful when you choose the port number! Common open ports:
- 80 (http)
- 443 (HTTPS)
- 8080 (Proxy / JEE servers)
[!] Reminder: for every network that you want to make accessible through your VPN, you must push a route to it.