Difference between revisions of "VPN server configuration"
Revision as of 18:31, 15 August 2015
Generic setup
Prepare files
You can use an existing example or start from scratch, as you like. If you want to reuse one of the OpenVPN examples:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn/
gzip -d server.conf.gz
Security algorithms and hash
Depending on your server and distribution, you might not always have the same encryption and/or hash algorithms available. Choose your algorithms accordingly.
Cryptographic algorithms
openvpn --show-ciphers
Search for: AES-128-CBC, AES-256-CBC
Hash algorithms
openvpn --show-digests
Search for: MD5
Handshake algorithms
openvpn --show-tls
IPv4 configuration
This is how your configuration should look (more or less, depending on your settings):
##################################################
# OpenVPN 2.0 config file #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz #
# version 1.2 - June 2013 - Guillaume Diaz #
# conf update + chroot #
##################################################
# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
local 192.168.1.2
# VPN interface
# Which TCP/UDP port should OpenVPN listen on?
# TCP or UDP server?
dev tun
proto udp
port 8080
# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
# Shared secret key by both server and clients
;tls-auth /etc/openvpn/ta.key 0
# Crypto settings
cipher AES-128-CBC
auth MD5
# Reduce OpenVPN daemon rights after application start
# To chroot OpenVPN to its own folder
user nobody
group nogroup
chroot /etc/openvpn/
# SERVER CONF
##########################
# Server mode and VPN subset
server 192.168.15.0 255.255.255.0
# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like)
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep server connection up and running
persist-key
persist-tun
# Compression of data exchange
comp-lzo
# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100
# Allow different clients to be able to "see" each other.
client-to-client
# One certificate, multiple clients
# Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Fix for Microsoft Windows clients
mssfix
# Server security level
script-security 2
####### Client-to-Client communication
# Push routes to the client
# >> VPN route. Required to allow connections
push "route 192.168.15.0 255.255.255.0"
# >> Set the VPN server as global gateway
push "redirect-gateway def1"
####### DNS
# Server as DNS server
;push "dhcp-option WINS 192.168.1.21"
;push "dhcp-option DNS 192.168.1.21"
# Use alternate DNS server (OpenDNS + Google)
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"
# >> Force windows clients to use the pushed DNS
push "register-dns"
####### VPN as gateway to other networks
# Set the VPN server to act as a gateway for remote networks
# You must set one 'push route <network> <mask>' line per target network
# >> Remote LAN route. Required to access internal resources located in the VPN server's network
;push "route 192.168.1.0 255.255.255.0"
# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log
# Log in a dedicated file instead of /var/log/messages
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6
# Silence repeating messages.
# At most xx sequential same messages will be output to the log file.
mute 10
IPv6 + IPv4
This is a somewhat more advanced configuration. Notice the use of several *-ipv6 commands.
More details:
- Very good document about IPv6 VPN: http://tomsalmon.eu/2013/04/openvpn-ipv6-with-tun-device/
##################################################
# OpenVPN 2.0 config file #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz #
# version 1.2 - June 2013 - Guillaume Diaz #
# conf update + chroot #
##################################################
# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
# >> Put nothing to listen on ALL interfaces and IPs (v4 + v6)
# Or you have to put 1 line per IP to listen to
#local 192.168.1.2
# VPN interface
# Which TCP/UDP port should OpenVPN listen on?
# TCP or UDP server?
dev tun
# Enable IPv6 support
tun-ipv6
# Protocol and port
proto udp
port 8080
# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
# Shared secret key by both server and clients
;tls-auth /etc/openvpn/ta.key 0
# Crypto settings
cipher AES-128-CBC
auth MD5
# Reduce OpenVPN daemon rights after application start
# To chroot OpenVPN to its own folder
user nobody
group nogroup
chroot /etc/openvpn/
# SERVER CONF
##########################
# Server mode and VPN subset
server 192.168.15.0 255.255.255.0
server-ipv6 2001:41d0:8:9318::/64
# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like)
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep server connection up and running
persist-key
persist-tun
# Compression of data exchange
comp-lzo
# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100
# Allow different clients to be able to "see" each other.
client-to-client
# One certificate, multiple clients
# Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Fix for Microsoft Windows clients
mssfix
# Server security level
script-security 2
####### Client-to-Client communication
# Push routes to the client
# >> VPN route. Required to allow connections
push "route 192.168.15.0 255.255.255.0"
push "route-ipv6 2001:41d0:8:9318::/64"
# >> Set the VPN server as global gateway
push "redirect-gateway def1"
# Make openvpn the default route for ipv6 connectivity
push "route-ipv6 2000::/3"
####### DNS
# Use alternate DNS server (OpenDNS + Google)
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"
# >> Force windows clients to use the pushed DNS
push "register-dns"
####### VPN as gateway to other networks
# Set the VPN server to act as a gateway for remote networks
# You must set one 'push route <network> <mask>' line per target network
# >> Remote LAN route. Required to access internal resources located in the VPN server's network
;push "route 192.168.1.0 255.255.255.0"
# Server as DNS server
;push "dhcp-option WINS 192.168.1.21"
;push "dhcp-option DNS 192.168.1.21"
# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log
# Log in a dedicated file instead of /var/log/messages
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6
# Silence repeating messages.
# At most xx sequential same messages will be output to the log file.
mute 10
General notes
You can use either TCP or UDP. Performance is the same; UDP is a bit easier to set up.
Be careful when you choose the port number. Commonly open ports:
- 80 (http)
- 443 (HTTPS)
- 8080 (Proxy / JEE servers)
More details
Push network information
You can push network information such as:
- route(s). The VPN route is mandatory. You can also push routes to remote networks so that the VPN server acts as a "gateway".
- DNS
IPv4
### Push network settings to the client
# >> VPN route. Required to allow connections
push "route 192.168.12.0 255.255.255.0"
# >> Set the VPN server as global gateway
push "redirect-gateway def1"
### Set the VPN server to act as a gateway for remote networks
### You must set one 'push route <network> <mask>' line per target network
# >> Remote LAN route. Required to access internal resources located in the VPN server's network
push "route 192.168.1.0 255.255.255.0"
# >> Remote DNS server
push "dhcp-option WINS 192.168.1.21"
push "dhcp-option DNS 192.168.1.21"
# >> set alternate / failover DNS servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# >> Force windows clients to use the pushed DNS
push "register-dns"
[!] Reminder: for every network that you want to make accessible through your VPN, you must push a route to it.
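As an added example (not part of the original page), a small Python linter that applies this page's own rules to a server.conf: the 'duplicate-cn' / 'ifconfig-pool-persist' caveat, a 'tls-auth' line left commented out, pushed routes whose network address has host bits set, and the reminder above that a DNS server on a remote LAN is unreachable unless a route to that LAN is pushed too. The sample configuration is constructed from the IPv4 configuration on this page; `parse_conf` and `lint` are names chosen here.

```python
import ipaddress
import shlex

# Constructed sample, condensed from the IPv4 server.conf on this page (LAN route left commented out).
SAMPLE_CONF = """\
;tls-auth /etc/openvpn/ta.key 0
server 192.168.15.0 255.255.255.0
ifconfig-pool-persist ipp.txt
duplicate-cn
push "route 192.168.15.0 255.255.255.0"
;push "route 192.168.1.0 255.255.255.0"
push "route 10.20.0.1 255.255.255.0"
push "dhcp-option DNS 192.168.1.21"
push "dhcp-option DNS 8.8.8.8"
"""

def parse_conf(text):
    """Return (directive, args) pairs; '#' and ';' both start a comment, as in OpenVPN."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)  # the quoted payload of push "..." stays one argument
            out.append((parts[0], parts[1:]))
    return out

def lint(text):
    """Return the findings for one server.conf; an empty list means the page's rules hold."""
    directives = parse_conf(text)
    names = {d for d, _ in directives}
    pushed = [shlex.split(a[0]) for d, a in directives if d == "push"]
    findings, routes = [], []
    if "duplicate-cn" in names and "ifconfig-pool-persist" in names:
        findings.append("duplicate-cn combined with ifconfig-pool-persist")
    if "tls-auth" not in names:
        findings.append("tls-auth not enabled (control channel has no HMAC protection)")
    for p in pushed:
        if p[0] == "route":
            try:  # strict=True rejects a network address with host bits set
                routes.append(ipaddress.IPv4Network(f"{p[1]}/{p[2]}", strict=True))
            except ValueError as e:
                findings.append(f"bad pushed route: {e}")
    # A private DNS server behind the VPN needs a pushed route covering it, unless everything is redirected.
    if not any(p[0] == "redirect-gateway" for p in pushed):
        for p in pushed:
            if p[:2] == ["dhcp-option", "DNS"]:
                dns = ipaddress.IPv4Address(p[2])
                if dns.is_private and not any(dns in r for r in routes):
                    findings.append(f"DNS {dns} pushed but no pushed route reaches it")
    return findings
```

Running `lint(SAMPLE_CONF)` reports four findings; a config with 'tls-auth' enabled and 'redirect-gateway def1' pushed yields none of the DNS findings because all client traffic already goes through the tunnel.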