sudo apt-get install openvpn bridge-utils
Setting up the Bridge
Edit /etc/network/interfaces
When a Linux server is behind a NAT firewall, the /etc/network/interfaces file commonly looks like
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo eth0
iface lo inet loopback
# The primary network interface
## This device provides internet access.
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1
Edit this and add a bridge interface:
sudo vi /etc/network/interfaces
so that it looks similar to:
## This is the network bridge declaration
## Start these interfaces on boot
auto lo br0
iface lo inet loopback
iface br0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1
bridge_ports eth0
iface eth0 inet manual
up ip link set $IFACE up promisc on
down ip link set $IFACE down promisc off
If you are running Linux inside a virtual machine, you may want to add the following parameters to the bridge connection:
bridge_fd 9 ## from the libvirt docs (forward delay time)
bridge_hello 2 ## from the libvirt docs (hello time)
bridge_maxage 12 ## from the libvirt docs (maximum message age)
bridge_stp off ## from the libvirt docs (spanning tree protocol)
Restart networking:
sudo /etc/init.d/networking restart
The bridging declarations come from the libvirt documentation.
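A typo in the bridge stanza takes a NAT'd server off the network at the moment you restart networking, so it pays to check the file first. The script below is an added example and not part of the original post: it scans an /etc/network/interfaces-style file and enforces the rules the stanza above follows (the address lives on br0, not eth0; eth0 is inet manual; br0 appears in the auto line; eth0 is listed in bridge_ports). The function name check_bridge_config and the two constructed sample configurations are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a bridge declaration in
# an /etc/network/interfaces-style file before restarting networking.
#
# check_bridge_config FILE BRIDGE PORT -> 0 if the declaration is consistent,
# 1 otherwise (each problem is printed on its own line).
check_bridge_config() {
    awk -v br="$2" -v port="$3" '
        # "auto" lines may list several interfaces; note whether BRIDGE is among them.
        $1 == "auto" { for (i = 2; i <= NF; i++) if ($i == br) auto = 1 }
        # "iface NAME inet METHOD" opens a stanza; the options that follow belong to NAME.
        $1 == "iface" { cur = $2; method[$2] = $4 }
        $1 == "bridge_ports" && cur == br { for (i = 2; i <= NF; i++) if ($i == port) enslaved = 1 }
        $1 == "address" && cur == br { addrs++ }
        $1 == "address" && cur == port { portaddr = 1 }
        END {
            if (!auto) { print "bridge " br " is not started on boot (missing from an auto line)"; bad = 1 }
            if (method[br] != "static") { print "bridge " br " is not declared inet static"; bad = 1 }
            if (addrs != 1) { print "bridge " br " must carry exactly one address, found " addrs + 0; bad = 1 }
            if (!enslaved) { print "bridge " br " does not list " port " in bridge_ports"; bad = 1 }
            if (method[port] != "manual" || portaddr) { print port " must be inet manual with no address of its own"; bad = 1 }
            exit bad
        }' "$1"
}

# Constructed copy of the bridged interfaces file from this post, used for the demo.
sample_bridge_config() {
    cat <<'EOF'
auto lo br0
iface lo inet loopback
iface br0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1
bridge_ports eth0
iface eth0 inet manual
up ip link set $IFACE up promisc on
down ip link set $IFACE down promisc off
EOF
}

# Constructed broken variant: eth0 kept its static address (the usual slip when
# converting a plain eth0 stanza) and br0 is missing from the auto line.
sample_broken_config() {
    cat <<'EOF'
auto lo eth0
iface lo inet loopback
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
iface br0 inet static
address 192.168.1.10
bridge_ports eth0
EOF
}

# Demo run on the constructed samples (point the function at /etc/network/interfaces on a real host).
tmp=$(mktemp)
sample_bridge_config > "$tmp"
if check_bridge_config "$tmp" br0 eth0; then echo "bridge declaration looks consistent"; fi
sample_broken_config > "$tmp"
check_bridge_config "$tmp" br0 eth0 || echo "broken variant rejected as expected"
rm -f "$tmp"
```

On the server itself, run `check_bridge_config /etc/network/interfaces br0 eth0` before the networking restart; it only reads the file and changes nothing.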
Generating Certificates
Generate certificates for the server. To do this I will set up my own Certificate Authority using the easy-rsa scripts provided in the /usr/share/doc/openvpn/examples/easy-rsa/ directory.
Copy files to the /etc/openvpn/easy-rsa/ directory:
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Then edit /etc/openvpn/easy-rsa/vars
sudo vi /etc/openvpn/easy-rsa/vars
and change these lines at the bottom so that they reflect your new CA.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
Finally, set up the CA and create the first server certificate:
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
sudo chown -R root:admin . ## make this directory writable by the system administrators
sudo chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## Setup the easy-rsa directory (Deletes all keys)
./build-dh ## takes a while consider backgrounding
./pkitool --initca ## creates ca cert and key
./pkitool --server server ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
The Certificate Authority is now set up and the needed keys are in /etc/openvpn/
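Before starting the server it is worth confirming what easy-rsa actually left in /etc/openvpn/. The script below is an added example, not part of the original post or of easy-rsa: it checks that the five files the server configuration refers to exist, that server.key and ta.key (the two the post marks as secret) are readable by their owner only, and, where openssl is installed, that server.crt was issued by ca.crt and belongs to server.key. The function names is_private, check_openvpn_files and verify_openvpn_pki are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify the files easy-rsa produced
# before starting OpenVPN.

# is_private FILE -> 0 if FILE exists and no group/other permission bit is set.
# Columns 5-10 of "ls -l" output are the group and other permission characters,
# which is portable across GNU and BSD userlands (unlike stat's format flags).
is_private() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# check_openvpn_files DIR -> 0 if every file server.conf refers to is present and
# the secret ones are readable by their owner only; 1 otherwise, with reasons.
check_openvpn_files() {
    dir=$1 rc=0
    for f in ca.crt server.crt dh1024.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f"; rc=1; }
    done
    for f in server.key ta.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing $dir/$f"; rc=1
        elif ! is_private "$dir/$f"; then
            echo "$dir/$f is readable by group or others; fix with: chmod 600 $dir/$f"; rc=1
        fi
    done
    return $rc
}

# verify_openvpn_pki DIR -> 0 if server.crt chains to ca.crt and matches server.key,
# 1 on a mismatch, 2 if openssl is not installed (nothing could be checked).
verify_openvpn_pki() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || return 2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || {
        echo "server.crt is not signed by ca.crt"; return 1; }
    # Compare the public key embedded in the certificate with the one derived from
    # the private key; hashing both works for RSA and EC keys alike.
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "server.key does not match server.crt"; return 1; }
    return 0
}

# Usage on the server: check_openvpn_files /etc/openvpn && verify_openvpn_pki /etc/openvpn
```

Both functions only read the directory; a non-zero exit with a printed reason is the cue to fix permissions or regenerate the certificate before `openvpn` is restarted.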
Configuring the Server
By default all servers specified in *.conf files in the /etc/openvpn/ directory are started on boot. Therefore, all we have to do is create a new file named server.conf in the /etc/openvpn/ directory.
First, we're going to create a couple of new scripts to be used by the openvpn server.
sudo vi /etc/openvpn/up.sh
This script should contain the following
#!/bin/sh
BR=$1
DEV=$2
MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/usr/sbin/brctl addif "$BR" "$DEV"
Now, we'll create a "down" script.
sudo vi /etc/openvpn/down.sh
It should contain the following.
#!/bin/sh
BR=$1
DEV=$2
/usr/sbin/brctl delif "$BR" "$DEV"
/sbin/ip link set "$DEV" down
Now, make both scripts executable.
sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh
And finally on to configuring openvpn itself.
sudo vi /etc/openvpn/server.conf
mode server
tls-server
local <your ip address> ## ip/hostname of server
port 1194 ## default openvpn port
proto udp
#bridging directive
dev tap0 ## If you need multiple tap devices, add them here
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
persist-key
persist-tun
#certificates and encryption
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
comp-lzo
#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110
push "dhcp-option DNS your.dns.ip.here"
push "dhcp-option DOMAIN yourdomain.com"
max-clients 10 ## set this to the max number of clients that should be connected at a time
#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3
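The server-bridge line is the part of this configuration that is easiest to get subtly wrong: the pool handed to clients must sit inside the bridge's own subnet, and it must not include the server's bridge address, the network address or the broadcast address, otherwise clients either receive unroutable addresses or collide with the LAN. The script below is an added example and not part of the original post or of OpenVPN: it parses a server.conf, checks the server-bridge pool against those rules, and confirms that the tls-auth, user and group directives the post relies on are present. The function names ip2int, check_server_conf and sample_server_conf are my own, and the sample configuration is a constructed copy of the relevant lines above.

```shell
#!/bin/sh
# Added example (not from the original post): check the bridge-specific parts of
# server.conf before restarting OpenVPN.

# ip2int DOTTED -> the IPv4 address as a decimal integer (pure shell arithmetic).
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# check_server_conf FILE -> 0 if the configuration passes every check, 1 otherwise
# (each finding is printed on its own line).
check_server_conf() {
    conf=$1 rc=0
    # Directives the post relies on: the tls-auth HMAC on the control channel and
    # dropping root privileges once the daemon has started.
    for d in tls-auth user group; do
        grep -q "^[[:space:]]*$d[[:space:]]" "$conf" || { echo "missing directive: $d"; rc=1; }
    done
    # "server-bridge GATEWAY NETMASK POOL_START POOL_END": pull the four arguments.
    set -- $(awk '$1 == "server-bridge" { print $2, $3, $4, $5; exit }' "$conf")
    if [ $# -ne 4 ]; then
        echo "server-bridge directive missing or incomplete"; return 1
    fi
    gw=$(ip2int "$1"); mask=$(ip2int "$2"); lo=$(ip2int "$3"); hi=$(ip2int "$4")
    net=$(( gw & mask ))
    bcast=$(( net | (4294967295 - mask) ))
    [ "$lo" -le "$hi" ] || { echo "pool start $3 is above pool end $4"; rc=1; }
    if [ $(( lo & mask )) -ne "$net" ] || [ $(( hi & mask )) -ne "$net" ]; then
        echo "pool $3-$4 is outside the bridge subnet of $1/$2"; rc=1
    fi
    if [ "$gw" -ge "$lo" ] && [ "$gw" -le "$hi" ]; then
        echo "pool $3-$4 contains the server's own bridge address $1"; rc=1
    fi
    if [ "$lo" -le "$net" ] || [ "$hi" -ge "$bcast" ]; then
        echo "pool $3-$4 touches the network or broadcast address"; rc=1
    fi
    return $rc
}

# Constructed copy of the relevant server.conf lines from this post.
sample_server_conf() {
    cat <<'EOF'
mode server
tls-server
dev tap0
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110
user nobody
group nogroup
EOF
}

# Demo run on the constructed sample (use /etc/openvpn/server.conf on the server).
tmp=$(mktemp)
sample_server_conf > "$tmp"
check_server_conf "$tmp" && echo "server-bridge pool and hardening directives look sane"
rm -f "$tmp"
```

Run `check_server_conf /etc/openvpn/server.conf` after editing the file and before the restart; the pool check is arithmetic on the four server-bridge arguments, so it also catches a pool typed into a neighbouring subnet, which OpenVPN itself will accept without complaint.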
If the server initialization script complains with "WARN: could not open database for 4096 bits. Skipped", you can work around it by running this command:
touch /usr/share/openssl-blacklist/blacklist.RSA-4096
Now you will need to restart openvpn and load the new config with:
sudo /etc/init.d/openvpn restart
In case you run a firewall like ufw, please consider enabling IP forwarding; otherwise the clients will only be able to connect to the server, but not to other LAN servers.