VPN server configuration

Revision as of 21:31, 10 September 2015 by WikiFreak


Generic setup

Installation

apt-get install openvpn easy-rsa


Prepare files

You can start from one of the OpenVPN sample files or write the configuration from scratch. To reuse the sample server configuration shipped with the Debian package:

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn/
gzip -d server.conf.gz


Security algorithms and hash

Depending on your server, distribution and OpenVPN build you will not always have the same cipher and hash (HMAC) algorithms available, and whatever you pick must also be supported by every client. List what your build offers, then choose your algorithms!


Cryptographic algorithms

openvpn --show-ciphers

Search for: AES-128-CBC, AES-256-CBC


Hash algorithms

openvpn --show-digests

Search for: SHA256. MD5 and SHA1 (the default) are listed too, but HMAC-MD5 is obsolete; prefer SHA256 whenever the clients support it.


Handshake algorithms

openvpn --show-tls

These are the TLS cipher suites the control channel (the TLS handshake) can negotiate; they are restricted with the tls-cipher directive if needed.

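As an added example (not part of the original page), a small POSIX shell audit for a server.conf covering the settings chosen above: it reads the active (uncommented) cipher, auth, tls-auth, user/group and comp-lzo directives and reports the weak or missing ones. The two sample configurations it writes are constructed for the demo, one with the page's settings and one hardened; on a real server run it against /etc/openvpn/server.conf.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an OpenVPN 2.x server.conf
# for the crypto and privilege settings discussed above before deploying it.
# Assumptions (mine, not the page's): the two sample configs below are
# constructed for the demo; directive names are the OpenVPN 2.3-era ones.

# conf_get FILE DIRECTIVE -> value of the last active (uncommented) occurrence
conf_get() {
    awk -v key="$2" '
        $0 !~ /^[[:space:]]*[#;]/ && $1 == key { val = $2 }
        END { print val }
    ' "$1"
}

# conf_has FILE DIRECTIVE -> exit 0 if the directive is present and not commented
conf_has() {
    awk -v key="$2" '
        $0 !~ /^[[:space:]]*[#;]/ && $1 == key { found = 1 }
        END { exit !found }
    ' "$1"
}

# audit_openvpn_conf FILE -> one finding per line on stdout, exit status always 0
audit_openvpn_conf() {
    conf=$1
    cipher=$(conf_get "$conf" cipher)
    auth=$(conf_get "$conf" auth)

    # cipher: unset means OpenVPN 2.3 falls back to BF-CBC (64-bit block cipher)
    case "$cipher" in
        AES-128-CBC|AES-192-CBC|AES-256-CBC|AES-128-GCM|AES-256-GCM) ;;
        "") echo "cipher: not set, default BF-CBC has a 64-bit block; set AES-128-CBC or AES-256-CBC" ;;
        *)  echo "cipher: $cipher; prefer an AES mode listed by 'openvpn --show-ciphers'" ;;
    esac

    # auth: HMAC digest for packet authentication; unset means SHA1
    case "$auth" in
        SHA256|SHA384|SHA512) ;;
        *) echo "auth: ${auth:-SHA1 (default)} is an obsolete HMAC digest; use SHA256" ;;
    esac

    # tls-auth: without it the control channel accepts packets from anyone
    conf_has "$conf" tls-auth || \
        echo "tls-auth: disabled; create a key with 'openvpn --genkey --secret ta.key' and enable it"

    # user/group: the daemon should not keep root after start
    { conf_has "$conf" user && conf_has "$conf" group; } || \
        echo "user/group: daemon keeps root privileges after start"

    # comp-lzo: compressing plaintext before encryption enables compression-oracle attacks
    conf_has "$conf" comp-lzo && \
        echo "comp-lzo: compression of tunnelled traffic is enabled; disable unless required"
    return 0
}

# audit_count FILE -> number of findings
audit_count() {
    audit_openvpn_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample: the page's settings (tls-auth commented out, auth MD5, comp-lzo)
write_weak_conf() {
    cat > "$1" <<'EOF'
dev tun
proto udp
port 8080
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
;tls-auth /etc/openvpn/ta.key 0
cipher AES-128-CBC
auth MD5
user nobody
group nogroup
comp-lzo
EOF
}

# Constructed sample: hardened variant of the same file
write_hardened_conf() {
    cat > "$1" <<'EOF'
dev tun
proto udp
port 8080
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
EOF
}

# Usage: ./audit.sh /etc/openvpn/server.conf   (no argument: audit the two samples)
if [ -n "$1" ]; then
    audit_openvpn_conf "$1"
else
    tmp=$(mktemp -d)
    write_weak_conf "$tmp/weak.conf"; write_hardened_conf "$tmp/hardened.conf"
    echo "weak.conf:";     audit_openvpn_conf "$tmp/weak.conf"
    echo "hardened.conf:"; audit_openvpn_conf "$tmp/hardened.conf"
    rm -rf "$tmp"
fi
```

Run against the page's settings the audit reports three findings (auth MD5, tls-auth disabled, comp-lzo enabled); the hardened sample reports none. The checks are deliberately based on the last active occurrence of each directive, which is how OpenVPN itself resolves a directive given twice.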

IPv4 configuration

This is how your configuration should look (more or less, depending on your settings):


##################################################
# OpenVPN 2.0 config file                        #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz      #
# version 1.2 - June 2013 - Guillaume Diaz       #
#                           conf update + chroot #
##################################################


# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
local 192.168.1.2

# VPN interface
# Which TCP/UDP port should OpenVPN listen on?
# TCP or UDP server?
dev tun
proto udp
port 8080


# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem

# Shared secret (HMAC) key known to the server and all clients, on top of TLS.
# Recommended: it drops unauthenticated control-channel packets before TLS sees
# them. Generate with: openvpn --genkey --secret /etc/openvpn/ta.key
# The server uses direction 0, the clients direction 1.
;tls-auth /etc/openvpn/ta.key 0

# Crypto settings: data channel cipher and HMAC digest.
# Both must appear in --show-ciphers / --show-digests and match on the clients.
# MD5 still works with very old clients, but HMAC-MD5 is obsolete; use SHA256.
cipher AES-128-CBC
auth SHA256

# Drop privileges once the tunnel is up and confine the daemon to /etc/openvpn.
# The chroot is applied after initialisation, so certificates, keys, log and
# status files above are opened beforehand; anything OpenVPN reads later
# (client-config-dir, crl-verify) must live inside the chroot.
# persist-key / persist-tun below are required for restarts to work after the drop.
user nobody
group nogroup
chroot /etc/openvpn/



# SERVER CONF
##########################
# Server mode and VPN subset
server 192.168.15.0 255.255.255.0
# Maintain a record of client <-> virtual IP address associations in this file.  
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like) 
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep server connection up and running
persist-key
persist-tun
# Compression of data exchange
comp-lzo



# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100

# Allow different clients to be able to "see" each other.
# Client-to-client traffic is switched inside the OpenVPN process and never
# reaches the kernel, so iptables rules on the server do not apply to it.
client-to-client
# One certificate, multiple clients
#  Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Clamp the TCP MSS so packets fit the tunnel MTU
# (avoids fragmentation problems, most often seen with Microsoft Windows clients)
mssfix
# Script policy: level 2 lets OpenVPN run external programs and user-defined
# scripts (up/down, client-connect). Not needed unless such scripts are configured.
script-security 2

####### Client-to-Client communication
# Push routes to the client
#  >> VPN route. required to allow connections
push "route 192.168.15.0 255.255.255.0"
#  >> Set the VPN server as global gateway for all client traffic
#     Requires IP forwarding on the server plus NAT for 192.168.15.0/24
#     (or a return route to it on the upstream gateway); see General notes
push "redirect-gateway def1"


####### DNS
# Server as DNS server
;push "dhcp-option WINS 192.168.1.21"
;push "dhcp-option DNS 192.168.1.21"
# Use alternate DNS server (OpenDNS + Google)
push "dhcp-option DNS 208.67.222.222" 
push "dhcp-option DNS 8.8.8.8"
# >> Force windows clients to use the pushed DNS
push "register-dns"


####### VPN as gateway to other networks
# Set the VPN server to act as a gateway for remote network
# You must set 1 'push route <network> <mask>' per target network(s)
#  >> Remote LAN route. Required to access internal stuff, locate in the VPN server's network
;push "route 192.168.1.0 255.255.255.0"



# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log

# Log in a dedicated file instead of /var/log/messages
# (log-append keeps previous entries across restarts; plain 'log' truncates)
log-append  /etc/openvpn/openvpn.log

# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6

# Silence repeating messages.  
# At most xx sequential same messages will be output to the log file.
mute 10


IPv6 + IPv4 configuration

This configuration is a bit more advanced. Notice the *-ipv6 directives (tun-ipv6, proto udp6, server-ipv6, route-ipv6): each client gets an address from the IPv6 prefix in addition to its IPv4 pool address, and its IPv6 traffic is routed through the tunnel as well.



##################################################
# OpenVPN 2.0 config file                        #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz      #
# version 1.2 - June 2013 - Guillaume Diaz       #
#                           conf update + chroot #
##################################################


# OpenVPN configuration
##########################
# Which local IP address should OpenVPN listen on? (optional)
# >> Put nothing to listen on ALL interfaces and IPs (v4 + v6)
#    Or you have to put 1 line per IP to listen to
#local 192.168.1.2


# VPN interface
# Which TCP/UDP port should OpenVPN listen on?
# TCP or UDP server?
dev tun
# Enable IPv6 support
tun-ipv6
# Protocol and port
proto udp6
port 8080


# SECURITY - Crypto
########################
# SSL/TLS root certificate (ca)
# Server certificate and private key
# Diffie hellman parameters
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem

# Shared secret (HMAC) key known to the server and all clients, on top of TLS.
# Recommended: it drops unauthenticated control-channel packets before TLS sees
# them. Generate with: openvpn --genkey --secret /etc/openvpn/ta.key
# The server uses direction 0, the clients direction 1.
;tls-auth /etc/openvpn/ta.key 0

# Crypto settings: data channel cipher and HMAC digest.
# Both must appear in --show-ciphers / --show-digests and match on the clients.
# MD5 still works with very old clients, but HMAC-MD5 is obsolete; use SHA256.
cipher AES-128-CBC
auth SHA256

# Drop privileges once the tunnel is up and confine the daemon to /etc/openvpn.
# The chroot is applied after initialisation, so certificates, keys, log and
# status files above are opened beforehand; anything OpenVPN reads later
# (client-config-dir, crl-verify) must live inside the chroot.
# persist-key / persist-tun below are required for restarts to work after the drop.
user nobody
group nogroup
chroot /etc/openvpn/



# SERVER CONF
##########################
# Server mode and VPN subset
server 192.168.15.0 255.255.255.0
server-ipv6 2001:41d0:8:9318::1/64
# Maintain a record of client <-> virtual IP address associations in this file.  
ifconfig-pool-persist ipp.txt
# Keepalive (ping-like) 
# 1 ping every 10s. 120s timeout = disconnect client
keepalive 10 120
# Keep server connection up and running
persist-key
persist-tun
# Compression of data exchange
comp-lzo



# CLIENTS CONF
##########################
# Maximum number of concurrently connected clients
;max-clients 100

# Allow different clients to be able to "see" each other.
# Client-to-client traffic is switched inside the OpenVPN process and never
# reaches the kernel, so iptables / ip6tables rules on the server do not apply to it.
client-to-client
# One certificate, multiple clients
#  Do not use 'duplicate-cn' with 'ifconfig-pool-persist'
;duplicate-cn
# Clamp the TCP MSS so packets fit the tunnel MTU
# (avoids fragmentation problems, most often seen with Microsoft Windows clients)
mssfix
# Script policy: level 2 lets OpenVPN run external programs and user-defined
# scripts (up/down, client-connect). Not needed unless such scripts are configured.
script-security 2


####### Client-to-Client communication
# Push routes to the client
#  >> VPN route. required to allow connections
push "route 192.168.15.0 255.255.255.0"
push "route-ipv6 2001:41d0:8:9318::/64"

#  >> Set the VPN server as global gateway for all IPv4 client traffic
#     Requires IP forwarding on the server plus NAT for 192.168.15.0/24
#     (or a return route to it on the upstream gateway); see General notes
push "redirect-gateway def1"
# The following line is mandatory for IPv6!
# It routes all global unicast IPv6 (2000::/3) into the tunnel. OpenVPN 2.3 has
# no IPv6 form of redirect-gateway (that arrived in 2.4), and without this route
# clients keep sending IPv6 traffic outside the VPN while IPv4 goes through it.
# Requires net.ipv6.conf.all.forwarding=1 on the server; the prefix is routed,
# so no NAT is needed.
push "route-ipv6 2000::/3"


####### Set the client DNS (optional)
# Use alternate DNS server (OpenDNS + Google)
## OpenDNS
#push "dhcp-option DNS 208.67.222.222"
#push "dhcp-option DNS 208.67.220.220"
#push "dhcp-option DNS 2620:0:ccc::2"
#push "dhcp-option DNS 2620:0:ccd::2"
## Google
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
#push "dhcp-option DNS 2001:4860:4860::8888"
#push "dhcp-option DNS 2001:4860:4860::8844"


# LOGS
##########################
# Short status file showing current connections
# this is truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log

# Log in a dedicated file instead of /var/log/messages
# (log-append keeps previous entries across restarts; plain 'log' truncates)
log-append  /etc/openvpn/openvpn.log

# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6

# Silence repeating messages.  
# At most xx sequential same messages will be output to the log file.
mute 10

See if it works

Start the service

service openvpn restart


Check that OpenVPN listens on port 8080

netstat -pl --numeric | grep 8080

You should see one entry for the protocol you configured: udp for the IPv4-only setup, udp6 for the dual-stack setup (ss -lnup shows the same on systems without netstat).


Check the OpenVPN logs. The configurations above write to /etc/openvpn/openvpn.log (the log directive), not to /var/log:

cat /etc/openvpn/openvpn.log

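As an added example (not the page's own), a shell/awk parser for the file that the status directive writes (/etc/openvpn/openvpn-status.log, version 1 format). It joins the CLIENT LIST with the ROUTING TABLE so that each connected common name is shown with its tunnel address and the real address it connects from, and it lists common names connected from more than one place at once, which is what duplicate-cn permits and what a shared or stolen client certificate looks like. The sample status file is constructed for the demo; its tunnel addresses follow the net30 topology of server 192.168.15.0 255.255.255.0.

```shell
#!/bin/sh
# Added example, not part of the original page: read the OpenVPN status file
# (version 1 format, as written by 'status /etc/openvpn/openvpn-status.log')
# and show who is connected from where. The sample below is constructed.

# status_clients FILE -> one tab-separated line per connection:
#   common_name  virtual_address  real_address  connected_since
status_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST$/     { sect = "clients"; next }
        /^ROUTING TABLE$/           { sect = "routes";  next }
        /^GLOBAL STATS$/ || /^END$/ { sect = "";        next }
        /^(Updated|Common Name|Virtual Address),/ { next }   # section headers
        # CLIENT LIST: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
        sect == "clients" { key[$1 "," $2] = 1; since[$1 "," $2] = $5 }
        # ROUTING TABLE: Virtual Address,Common Name,Real Address,Last Ref
        sect == "routes"  { k = $2 "," $3; vip[k] = (vip[k] == "" ? $1 : vip[k] " " $1) }
        END {
            for (k in key) {
                split(k, f, ",")
                printf "%s\t%s\t%s\t%s\n", f[1], ((k in vip) ? vip[k] : "-"), f[2], since[k]
            }
        }
    ' "$1" | sort
}

# status_duplicate_cns FILE -> common names with more than one live connection
# (only possible with duplicate-cn; otherwise a sign of a shared client key)
status_duplicate_cns() {
    status_clients "$1" | awk -F'\t' '{ n[$1]++ } END { for (cn in n) if (n[cn] > 1) print cn }' | sort
}

# Constructed sample status file: two clients, one of them connected twice
write_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Sep 10 21:00:05 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laptop-alice,203.0.113.5:51234,120034,988120,Thu Sep 10 20:01:10 2015
phone-bob,198.51.100.23:60211,4021,19870,Thu Sep 10 20:45:02 2015
phone-bob,192.0.2.77:41092,880,2210,Thu Sep 10 20:58:40 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.15.6,laptop-alice,203.0.113.5:51234,Thu Sep 10 21:00:01 2015
192.168.15.10,phone-bob,198.51.100.23:60211,Thu Sep 10 20:59:58 2015
192.168.15.14,phone-bob,192.0.2.77:41092,Thu Sep 10 21:00:03 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Usage: ./vpn-status.sh /etc/openvpn/openvpn-status.log   (no argument: use the sample)
if [ -n "$1" ]; then
    file=$1
else
    tmp=$(mktemp -d)
    file=$tmp/openvpn-status.log
    write_sample_status "$file"
fi
echo "connected clients (cn, tunnel address, real address, since):"
status_clients "$file"
echo "common names connected more than once:"
status_duplicate_cns "$file"
[ -n "${tmp:-}" ] && rm -rf "$tmp"
```

On the sample the second list contains phone-bob, connected from two different real addresses. Because the configurations above chroot the daemon to /etc/openvpn, the status file is written there; the file is rewritten every minute, so a cron job or monitoring check can poll it without touching the running daemon.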


General notes

You can use either TCP or UDP. UDP is the default and usually performs better: TCP sessions inside the tunnel already retransmit on their own, and carrying them over a TCP tunnel stacks a second retransmission layer on top. TCP is the fallback for client networks that only let TCP through (typically on port 443).

Be careful when you choose the port number! Pick one that client-side firewalls usually let out. Common open ports:

  • 80 (http)
  • 443 (HTTPS)
  • 8080 (Proxy / JEE servers)



[!] Reminder: for every network that you want to reach through the VPN you must push a route to it (one push "route <network> <mask>" per network), and the VPN server must be able to forward the traffic: IP forwarding enabled, and either NAT for the VPN subnet or a return route to 192.168.15.0/24 on that network's gateway.

Source: http://blog.remibergsma.com/2013/01/13/howto-connect-to-hosts-on-a-remote-network-using-openvpn-and-some-routing/
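As an added example (not part of the original page or of the linked post), the server-side plumbing that push "redirect-gateway def1", push "route-ipv6 2000::/3" and any pushed LAN route depend on. OpenVPN only hands packets to the tun interface; the kernel must forward them and, for IPv4, either NAT them or the remote network must route the VPN subnet back. The tun subnet 192.168.15.0/24 and the prefix 2001:41d0:8:9318::/64 are taken from the configurations above; the egress interface name eth0 is my assumption. Without --apply the script only prints the commands for review.

```shell
#!/bin/sh
# Added example, not part of the original page: forwarding and NAT rules that
# make 'redirect-gateway' and pushed routes actually work on the VPN server.
# Assumptions (mine): tun subnet 192.168.15.0/24 and IPv6 prefix
# 2001:41d0:8:9318::/64 as in the page's configs, egress interface eth0.

# forwarding_rules TUN_SUBNET EGRESS_IF -> IPv4 forwarding + NAT commands
forwarding_rules() {
    subnet=$1; egress=$2
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Hide VPN clients behind the server's address on the egress interface
    echo "iptables -t nat -A POSTROUTING -s $subnet -o $egress -j MASQUERADE"
    # Forward only tunnel -> egress for the VPN subnet, and only replies back in
    echo "iptables -A FORWARD -i tun+ -o $egress -s $subnet -j ACCEPT"
    echo "iptables -A FORWARD -i $egress -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# forwarding_rules6 TUN_PREFIX EGRESS_IF -> IPv6 forwarding commands.
# The prefix is routed (no NAT); the upstream must route it to this server.
forwarding_rules6() {
    prefix=$1; egress=$2
    echo "sysctl -w net.ipv6.conf.all.forwarding=1"
    # Enabling forwarding makes Linux ignore router advertisements;
    # accept_ra=2 keeps them if the server's own address comes from RA
    echo "sysctl -w net.ipv6.conf.$egress.accept_ra=2"
    echo "ip6tables -A FORWARD -i tun+ -o $egress -s $prefix -j ACCEPT"
    echo "ip6tables -A FORWARD -i $egress -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# all_rules TUN_SUBNET TUN_PREFIX EGRESS_IF -> both rule sets
all_rules() {
    forwarding_rules "$1" "$3"
    forwarding_rules6 "$2" "$3"
}

# Usage: ./vpn-forwarding.sh [--apply] [TUN_SUBNET] [TUN_PREFIX] [EGRESS_IF]
apply=0
if [ "$1" = "--apply" ]; then apply=1; shift; fi
subnet=${1:-192.168.15.0/24}
prefix=${2:-2001:41d0:8:9318::/64}
egress=${3:-eth0}
if [ "$apply" -eq 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "--apply needs root" >&2; exit 1; }
    all_rules "$subnet" "$prefix" "$egress" | sh -e
else
    all_rules "$subnet" "$prefix" "$egress"
fi
```

Neither the sysctl values nor the iptables rules survive a reboot: put the sysctl lines in /etc/sysctl.conf and save the rules with iptables-save (or the iptables-persistent package on Debian). If you prefer not to NAT, drop the MASQUERADE rule and add a return route for 192.168.15.0/24 via the VPN server on the LAN gateway instead.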