This article walks through setting up a client-to-server OpenVPN instance. Our goal is to redirect all client traffic through the VPN server, which means the server acts as the default gateway for the client's traffic. This is useful for getting past national firewalls, or for testing IP-restricted applications.
The most important part of this installation is OpenVPN's two configuration files: one for the server side and one for the client side.
This is the server-side configuration file. Several of the settings it inherits from the OpenVPN 2.0.x sample config are weak by today's standards: the 1024-bit DH parameters (dh1024.pem) should be regenerated at 2048 bits or more, the implicit default cipher BF-CBC is a 64-bit block cipher and should be replaced by an explicit AES-GCM cipher on both ends (OpenVPN 2.4 or later), and comp-lzo compression is better left off. Also note that client-to-client lets every VPN client reach every other client; comment it out unless that is wanted.
$ cat /usr/local/openvpn/etc/server.conf
# Which local IP address should OpenVPN listen on? (optional)
;local a.b.c.d
port 1194
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /usr/local/openvpn/etc/keys/ca.crt
cert /usr/local/openvpn/etc/keys/server.crt
key /usr/local/openvpn/etc/keys/server.key
dh /usr/local/openvpn/etc/keys/dh1024.pem
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.10.10.2 255.255.255.0 10.10.10.30 10.10.10.40
;push "route 10.10.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
;learn-address ./script
;push "redirect-gateway def1"
# http://openvpn.net/faq.html#dhcpcaveats
push "dhcp-option DNS 85.17.150.123"
;push "dhcp-option WINS 10.8.0.1"
tls-auth /usr/local/openvpn/etc/keys/ta.key 0
client-to-client
keepalive 10 120
# Select a cryptographic cipher.
# This config item must be copied to the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN daemon's privileges after initialization.
# You can uncomment this out on non-Windows systems.
user nobody
group nobody
persist-key
persist-tun
status /usr/local/openvpn/logs/openvpn-status.log
log /usr/local/openvpn/logs/openvpn.log
;log-append openvpn.log
verb 4
;mute 20
Here's an example of the client-side configuration file, as used by a Windows client. Note that the server's push "redirect-gateway def1" line is commented out, so it is the redirect-gateway def1 at the end of this client file that actually sends all traffic through the tunnel. The cipher and comp-lzo settings must match the server's. The ns-cert-type server line was deprecated in OpenVPN 2.4 and removed in 2.5; its replacement is remote-cert-tls server.
$ cat netherlands.ovpn
client
;dev tap
dev tun
proto udp
remote openvpn.admon.org 1194
;remote-random
;resolv-retry infinite
;nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert joseph.crt
key joseph.key
tls-auth ta.key 1
ns-cert-type server
;cipher x
comp-lzo
verb 3
;mute 20
redirect-gateway def1
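Both configuration files above carry settings worth checking before deployment. The following script is an added example (not code from the original post) that reads an OpenVPN config with its ';' and '#' comments stripped and flags the weak or obsolete directives discussed above: a missing or non-AES-GCM cipher, 1024-bit DH parameters, comp-lzo, a missing tls-auth/tls-crypt, client-to-client and unprivileged user/group on the server, and ns-cert-type on the client. The two sample configs are constructed inline: the first mirrors the post's server.conf, the second is a hardened version that assumes OpenVPN 2.4 or later for AES-256-GCM. It needs only a POSIX shell plus grep, sed, mktemp and wc.

```shell
#!/bin/sh
# openvpn-audit.sh: flag settings in an OpenVPN config that are weak or
# deprecated. Added example, not code from the original post.

# strip_conf FILE: print the effective directives, with ';' and '#' comments,
# trailing whitespace and blank lines removed
strip_conf() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*;/d' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# has_directive FILE NAME [VALUE_ERE]: true if NAME is set (optionally to a
# value matching VALUE_ERE) in the effective config
has_directive() {
    if [ -n "${3-}" ]; then
        strip_conf "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]+$3"
    else
        strip_conf "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|\$)"
    fi
}

# audit_openvpn_conf FILE [client]: print one finding per line, nothing if clean
audit_openvpn_conf() {
    conf=$1
    side=${2:-server}
    # OpenVPN 2.0-2.3 default to BF-CBC, a 64-bit block cipher (SWEET32);
    # an AES-GCM suite needs OpenVPN 2.4 or later on both ends
    if ! has_directive "$conf" cipher; then
        echo "no cipher set: the default is BF-CBC (64-bit block cipher)"
    elif ! has_directive "$conf" cipher 'AES-(128|192|256)-GCM'; then
        echo "cipher is not an AES-GCM suite: $(strip_conf "$conf" | grep -E '^[[:space:]]*cipher')"
    fi
    # 1024-bit DH parameters are too small; regenerate with at least 2048 bits
    if has_directive "$conf" dh '.*1024'; then
        echo "dh parameters are 1024-bit: rebuild with KEY_SIZE=2048 or larger"
    fi
    # compression on a VPN link lets an attacker infer secrets from packet sizes (VORACLE)
    if has_directive "$conf" comp-lzo; then
        echo "comp-lzo is enabled: drop compression from both ends"
    fi
    # tls-auth (or tls-crypt) lets the server reject unauthenticated packets cheaply
    if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
        echo "no tls-auth/tls-crypt: control channel is exposed to unauthenticated peers"
    fi
    if [ "$side" = server ]; then
        if has_directive "$conf" client-to-client; then
            echo "client-to-client is enabled: every client can reach every other client"
        fi
        if ! has_directive "$conf" user || ! has_directive "$conf" group; then
            echo "user/group not set: the daemon keeps root after initialization"
        fi
    elif has_directive "$conf" ns-cert-type; then
        # ns-cert-type was deprecated in 2.4 and removed in 2.5
        echo "ns-cert-type is obsolete: use 'remote-cert-tls server' instead"
    fi
}

# count_findings FILE [client]: number of findings (0 means clean)
count_findings() {
    audit_openvpn_conf "$1" "${2-}" | wc -l | tr -d ' '
}

# Constructed samples: the post's server.conf (trimmed) and a hardened variant
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
port 1194
proto udp
dev tun
dh /usr/local/openvpn/etc/keys/dh1024.pem
server 10.10.10.0 255.255.255.0
tls-auth /usr/local/openvpn/etc/keys/ta.key 0
client-to-client
;cipher BF-CBC        # Blowfish (default)
comp-lzo
user nobody
group nobody
EOF
cat > "$HARD_CONF" <<'EOF'
port 1194
proto udp
dev tun
dh /usr/local/openvpn/etc/keys/dh2048.pem
server 10.10.10.0 255.255.255.0
push "redirect-gateway def1"
tls-auth /usr/local/openvpn/etc/keys/ta.key 0
cipher AES-256-GCM
user nobody
group nobody
EOF

echo "== weak server.conf: $(count_findings "$WEAK_CONF") finding(s) =="
audit_openvpn_conf "$WEAK_CONF"
echo "== hardened server.conf: $(count_findings "$HARD_CONF") finding(s) =="
```

Run it against a client file with `audit_openvpn_conf netherlands.ovpn client` to get the client-side checks (ns-cert-type) instead of the server-only ones. The post's server.conf yields four findings (cipher, dh, comp-lzo, client-to-client); the hardened variant yields none.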
Let's start deploying. For a typical fresh installation we need to install both LZO (a real-time data compression library) and OpenVPN; for the Windows client we need the Windows build, available here: http://www.openvpn.se/
Once the applications are installed, it's time to generate the key files. The commands are simply listed here (note that ./clean-all wipes the keys directory, so run it only once, on a fresh CA):
$ cd openvpn-2.0.9/easy-rsa
$ vi vars
$ . vars
$ ./clean-all
$ ./build-ca
$ ./build-key-server server
$ ./build-dh                  # Diffie-Hellman parameters
$ openvpn --genkey --secret ta.key
$ ./build-key joseph          # client key, stored as keys/joseph.*
$ ./build-key client0         # client0's key files, stored as keys/client0.*
After creating the client keys, we may need to modify the client-side configuration file to make sure it references the correct key files; in the example above it uses joseph.*. The server config above expects ca.crt, server.crt, server.key, dh1024.pem and ta.key under /usr/local/openvpn/etc/keys/, and each client needs ca.crt, its own certificate and key, and a copy of ta.key. Hand the client files over through a secure channel, and never distribute server.key or the CA's private key. Once the key files are in place there are two further changes on the server, and both are critical:
On the OpenVPN server we need to turn on IP forwarding, so that the kernel forwards packets arriving from the tun interface instead of dropping them, and add a NAT rule so that traffic from the 10.10.10.0/24 VPN subnet leaves eth0 with the server's public address (94.94.94.94 in the example; substitute your own, or use -j MASQUERADE if the address is dynamic). Writing to /proc only lasts until the next reboot, so also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf. If the FORWARD chain's policy is DROP, matching ACCEPT rules between the tun interface and eth0 are needed as well.
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ iptables -t nat -A POSTROUTING -s 10.10.10.0/255.255.255.0 -o eth0 -j SNAT --to-source 94.94.94.94
Now all the configuration is finished, so let's start the OpenVPN server. Once it is up, /usr/local/openvpn/logs/openvpn.log should end with "Initialization Sequence Completed":
$ /usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/server.conf
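The forwarding and NAT step above is the one most often done incompletely: the /proc write does not survive a reboot, the SNAT rule gets duplicated every time the commands are re-run, and a DROP policy on the FORWARD chain silently blackholes client traffic. The script below is an added example (not code from the original post) that handles those three points. It assumes the post's addressing (VPN subnet 10.10.10.0/24, uplink eth0, public address 94.94.94.94) plus a tun0 device, all overridable through the environment; without the 'apply' argument it only prints the commands it would run, so it can be reviewed without root.

```shell
#!/bin/sh
# enable-gateway.sh: turn the OpenVPN host into a gateway for the VPN subnet.
# Added example, not code from the original post. Usage:
#   sh enable-gateway.sh          # dry run, prints the commands
#   sh enable-gateway.sh apply    # as root, really applies them

VPN_NET=${VPN_NET:-10.10.10.0/24}   # assumed: the post's VPN subnet
WAN_IF=${WAN_IF:-eth0}              # assumed: the post's uplink interface
WAN_IP=${WAN_IP:-94.94.94.94}       # assumed: the post's public address
TUN_IF=${TUN_IF:-tun0}              # assumed: first tun device
DRY_RUN=1
[ "${1-}" = apply ] && DRY_RUN=0

# run CMD...: execute the command, or just print it when dry-running
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# valid_cidr a.b.c.d/n: reject anything else before it is spliced into a command
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# ensure_rule TABLE CHAIN RULE...: append the rule only if an identical one is
# not already present (-C), so re-running the script does not duplicate rules
ensure_rule() {
    table=$1; shift
    if [ "$DRY_RUN" = 1 ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

# enable_ip_forward: turn forwarding on now and keep it on across reboots
# (echo 1 > /proc/sys/net/ipv4/ip_forward alone is lost at the next boot)
enable_ip_forward() {
    run sysctl -w net.ipv4.ip_forward=1
    run sh -c 'echo net.ipv4.ip_forward = 1 > /etc/sysctl.d/99-openvpn-forward.conf'
}

# add_forward_rules: needed when the FORWARD chain policy is DROP; allow
# client traffic out through the uplink and only replies back in
add_forward_rules() {
    ensure_rule filter FORWARD -i "$TUN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    ensure_rule filter FORWARD -i "$WAN_IF" -o "$TUN_IF" -d "$VPN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# add_nat_rule: rewrite the source of outbound VPN traffic to the public
# address. SNAT suits a static address; with a dynamic one use -j MASQUERADE.
add_nat_rule() {
    if ! valid_cidr "$VPN_NET"; then
        echo "refusing to use VPN_NET='$VPN_NET'" >&2
        return 1
    fi
    ensure_rule nat POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

enable_ip_forward
add_forward_rules
add_nat_rule
```

After applying, `iptables -t nat -L POSTROUTING -n` should list exactly one SNAT rule for the VPN subnet no matter how many times the script has been run, and `sysctl net.ipv4.ip_forward` should report 1 after a reboot.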