Difference between revisions of "VPN server configuration"
(Created page with "Category:Linux link=VPN|64px|caption|VPN introduction VPN introduction File:Ssl certificate icon.jpg|link=VPN certificates ma...") |
(No difference)
|
Revision as of 18:24, 15 August 2015
Contents
Generic setup
Prepare files
You can use an existing example or start from scratch, as you like. If you want to reuse one of the OpenVPN examples:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn/
gzip -d server.conf.gz
Security algorithms and hash
Depending on your server and distribution you might not always have the same encryption and|or hash algorithms available. Choose your algorithms!
Cryptographic algorithms
openvpn --show-ciphersSearch for: AES-128-CBC, AES-256-CBC
Hash algorithms
openvpn --show-digestsSearch for: MD5
Handshake algorithms
openvpn --show-tls
IPv4 configuration
This is how you configuration should look like (more or less, depending on your settings):
##################################################
# OpenVPN 2.0 config file #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz #
# version 1.2 - June 2013 - Guillaume Diaz #
# conf update + chroot #
##################################################
# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
local 192.168.1.2
# VPN interface
# Which TCP/UDP port should OpenVPN listen on?
# TCP or UDP server?
dev tun
proto udp
port 8080
# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
# Shared secret key by both server and clients
;tls-auth /etc/openvpn/ta.key 0
# Crypto settings
cipher AES-128-CBC
auth MD5
# Reduce OpenVPN daemon rights after application start
# To chroot OpenVPN to its own folder
user nobody
group nogroup
chroot /etc/openvpn/
# SERVER CONF
##########################
# Server mode and VPN subset
server 192.168.15.0 255.255.255.0
# Maintain a record of client <-> virtual IP address associations in this file.
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like)
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep server connection up and running
persist-key
persist-tun
# Compression of data exchange
comp-lzo
# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100
# Allow different clients to be able to "see" each other.
client-to-client
# One certificate, multiple clients
# Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Fix for Microsoft Windows clients
mssfix
# Server security level
script-security 2
# Push routes to the client
# >> VPN route. required to allow connections
push "route 192.168.15.0 255.255.255.0"
# >> Set the VPN server as global gateway
push "redirect-gateway def1"
### Set the VPN server to act as a gateway for remote network
### You must set 1 'push route <network> <mask>' per target network(s)
# >> Remote LAN route. Required to access internal stuff, locate in the VPN server's network
push "route 192.168.1.0 255.255.255.0"
# Server as DNS server
;push "dhcp-option WINS 192.168.1.21"
;push "dhcp-option DNS 192.168.1.21"
# Use alternate DNS server (OpenDNS + Google)
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"
# >> Force windows clients to use the pushed DNS
push "register-dns"
# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log
# Log in a dedicated file instead of /var/log/messages
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6
# Silence repeating messages.
# At most xx sequential same messages will be output to the log file.
mute 10
You can either use TCP or UDP. Performances are the same, UDP is a bit easier to install.
Be careful when you choose the port number! Common open ports:
- 80 (http)
- 443 (HTTPS)
- 8080 (Proxy / JEE servers)
More details
Push network information
You can push network information such as:
- route(s). The VPN route is mandatory. Then you can also push a reference to the remote server so the VPN server act as a "gateway".
- DNS
IPv4
### Push network settings to the client
# >> VPN route. required to allow connections
push "route 192.168.12.0 255.255.255.0"
# >> Set the VPN server as global gateway
push "redirect-gateway def1"
### Set the VPN server to act as a gateway for remote network
### You must set 1 'push route <network> <mask>' per target network(s)
# >> Remote LAN route. Required to access internal stuff, locate in the VPN server's network
push "route 192.168.1.0 255.255.255.0"
# >> Remote DNS server
push "dhcp-option WINS 192.168.1.21"
push "dhcp-option DNS 192.168.1.21"
# >> set alternate / failover DNS servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# >> Force windows clients to use the pushed DNS
push "register-dns"
[!] Reminder: for every network that you want to make it accessible through your VPN you must push a new route to it.
