servers:openvpn [2018/04/08 03:45] – [Masquerade Rule] Sean Rhone | servers:openvpn [2018/04/29 16:47] (current) – [Custom Config] Sean Rhone
Line 1: | Line 1: | ||
+ | ====== Information ====== | ||
+ | * OpenVPN ((https:// | ||
+ | * [[Information: | ||
+ | * vpn.realmofespionage.xyz ((OpenVPN)) | ||
+ | |||
+ | ===== Prerequisites ===== | ||
+ | |||
+ | * [[distros: | ||
+ | |||
+ | ====== Dependencies ====== | ||
+ | |||
+ | **** | ||
+ | |||
+ | sudo apt install openvpn easy-rsa | ||
+ | |||
+ | ====== Firewall ====== | ||
+ | |||
+ | ===== Kernel Parameter ===== | ||
+ | |||
+ | / | ||
+ | |||
+ | net.ipv4.ip_forward = 1 | ||
+ | |||
+ | ===== ufw ===== | ||
+ | |||
+ | ==== Forward Policy ==== | ||
+ | |||
+ | * Change '' | ||
+ | |||
+ | sudo -e '/ | ||
+ | |||
+ | # | ||
+ | DEFAULT_FORWARD_POLICY=" | ||
+ | |||
+ | ==== Masquerade Rule ==== | ||
+ | |||
+ | * https:// | ||
+ | |||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | sudo -e '/ | ||
+ | |||
+ | < | ||
+ | # Rule for OpenVPN | ||
+ | # Adapted from https:// | ||
+ | *nat | ||
+ | : | ||
+ | -A POSTROUTING -s 10.8.0.0/24 -o enp3s0 -j MASQUERADE | ||
+ | COMMIT</ | ||
+ | |||
+ | ==== OpenVPN Server Rule ==== | ||
+ | |||
+ | * 1194/udp is for OpenVPN clients to connect to the server | ||
+ | |||
+ | sudo -e '/ | ||
+ | |||
+ | < | ||
+ | [openvpn-custom] | ||
+ | title=openvpn-custom | ||
+ | description=OpenVPN Server | ||
+ | ports=1194/ | ||
+ | |||
+ | ====== Certificate Authority ====== | ||
+ | |||
+ | ===== Settings ===== | ||
+ | |||
+ | * Remove existing settings and copy/paste this block in place of it | ||
+ | * Be sure to finish the email at '' | ||
+ | |||
+ | cd ~ && rm -Rf ~/' | ||
+ | |||
+ | < | ||
+ | export KEY_COUNTRY=" | ||
+ | export KEY_PROVINCE=" | ||
+ | export KEY_CITY=" | ||
+ | export KEY_ORG=" | ||
+ | export KEY_EMAIL=" | ||
+ | export KEY_OU=" | ||
+ | export KEY_CN=" | ||
+ | #export KEY_CN=" | ||
+ | |||
+ | # X509 Subject Field | ||
+ | export KEY_NAME=" | ||
+ | export KEY_ALTNAMES=" | ||
+ | |||
+ | ===== Build CA ===== | ||
+ | |||
+ | **** | ||
+ | |||
+ | cd ~/' | ||
+ | |||
+ | ===== Build Key Server ===== | ||
+ | |||
+ | * '' | ||
+ | * No '' | ||
+ | * No '' | ||
+ | * Yes '' | ||
+ | * Yes '' | ||
+ | |||
+ | cd ~/' | ||
+ | |||
+ | ===== Build Diffie-Hellman Keys ===== | ||
+ | |||
+ | **** | ||
+ | |||
+ | cd ~/' | ||
+ | |||
+ | ===== Generate HMAC Signature ===== | ||
+ | |||
+ | **** | ||
+ | |||
+ | openvpn --genkey --secret ~/' | ||
+ | |||
+ | ===== Generate Client Keys ===== | ||
+ | |||
+ | * '' | ||
+ | * No '' | ||
+ | * No '' | ||
+ | * Yes '' | ||
+ | * Yes '' | ||
+ | |||
+ | cd ~/' | ||
+ | |||
+ | ===== Copy Keys to OpenVPN ===== | ||
+ | |||
+ | **** | ||
+ | |||
+ | sudo cp ~/' | ||
+ | |||
+ | ====== OpenVPN ====== | ||
+ | |||
+ | ===== Settings ===== | ||
+ | |||
+ | ==== Default Config ==== | ||
+ | |||
+ | **** | ||
+ | |||
+ | gunzip -c '/ | ||
+ | |||
+ | ==== Custom Config ==== | ||
+ | |||
+ | * Complete as of 2018/04/08 | ||
+ | |||
+ | sudo -e '/ | ||
+ | |||
+ | < | ||
+ | port 1194 | ||
+ | proto udp | ||
+ | dev tun | ||
+ | |||
+ | ca / | ||
+ | cert / | ||
+ | key / | ||
+ | dh / | ||
+ | |||
+ | server 10.8.0.0 255.255.255.0 | ||
+ | |||
+ | client-to-client | ||
+ | |||
+ | push " | ||
+ | push " | ||
+ | push " | ||
+ | |||
+ | keepalive 10 120 | ||
+ | |||
+ | tls-auth / | ||
+ | key-direction 0 | ||
+ | |||
+ | cipher AES-256-CBC | ||
+ | auth SHA512 | ||
+ | |||
+ | comp-lzo | ||
+ | |||
+ | user nobody | ||
+ | group nogroup | ||
+ | |||
+ | persist-key | ||
+ | persist-tun | ||
+ | |||
+ | status / | ||
+ | |||
+ | verb 0</ | ||
+ | |||
+ | ===== OpenVPN User ===== | ||
+ | |||
+ | **** | ||
+ | |||
+ | sudo adduser --system --shell '/ | ||
+ | |||
+ | ====== Client Profiles ====== | ||
+ | |||
+ | ===== Base ===== | ||
+ | |||
+ | mkdir -p ~/' | ||
+ | |||
+ | < | ||
+ | client | ||
+ | |||
+ | dev tun | ||
+ | |||
+ | proto udp | ||
+ | |||
+ | remote realmofespionage.xyz 1194 | ||
+ | |||
+ | resolv-retry infinite | ||
+ | |||
+ | nobind | ||
+ | |||
+ | user nobody | ||
+ | group nogroup | ||
+ | |||
+ | persist-key | ||
+ | persist-tun | ||
+ | |||
+ | remote-cert-tls server | ||
+ | |||
+ | cipher AES-256-CBC | ||
+ | auth SHA512 | ||
+ | key-direction 1 | ||
+ | |||
+ | comp-lzo | ||
+ | |||
+ | verb 0</ | ||
+ | |||
+ | ===== Client-specific ===== | ||
+ | |||
+ | * Be sure to [[# | ||
+ | |||
+ | ==== Izaro ==== | ||
+ | |||
+ | * Imports '' | ||
+ | |||
+ | cat ~/' | ||
+ | |||
+ | === scp === | ||
+ | |||
+ | **** | ||
+ | |||
+ | scp espionage724@192.168.1.155: | ||
+ | |||
+ | ==== Spinesnap ==== | ||
+ | |||
+ | * Imports '' | ||
+ | |||
+ | cat ~/' | ||
+ | |||
+ | === scp === | ||
+ | |||
+ | **** | ||
+ | |||
+ | scp espionage724@192.168.1.155: |
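Review bot: `verb 0` in the server's Custom Config and in the client Base profile suppresses everything except fatal errors, so a failed TLS handshake, a rejected certificate or a client that never completes the tunnel leaves nothing in the log to investigate; `verb 3` is the usual operational level and is still quiet in normal running. Two smaller points in the same hunk: `comp-lzo` turns on LZO compression inside the tunnel, which adds compression side-channel exposure for little gain and is deprecated in OpenVPN 2.4, so it should be dropped from both the server config and the client profile (the two sides must agree); and the server config keeps `user nobody` / `group nogroup` even though the OpenVPN User section creates a dedicated system account with `adduser --system`, so the `user` and `group` lines should name that account instead. Also, the client Base profile's `remote realmofespionage.xyz 1194` does not match the `vpn.realmofespionage.xyz` hostname listed under Information; confirm which name DNS and the server certificate actually use, since `remote-cert-tls server` does not check the hostname for you.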
/var/www/wiki/data/pages/servers/openvpn.txt · Last modified: 2018/04/29 16:47 by Sean Rhone