OpenVPN is a software package that allows you to protect user traffic from “interception” by providing encrypted data transmission from the client’s device to the server with OpenVPN installed. Great for using public wifi access points where information can be intercepted by third parties. Or in the case when your ip is blocked on a certain site and you need to safely bypass this restriction.
In addition to installing and configuring OpenVPN on the server, you must be able to configure the client for access from a computer where Windows will be used as the operating system.
Using the standard package manager, install openvpn.
# aptitude install openvpn
The content of the article:
Creation of certificates
OpenVPN necessarily requires the generation of certificates for the server and clients. This is logical, because the connection from the client to the server must be encrypted.
Navigate to the openvpn folder:
# cd / etc / openvpn
We will generate keys using easy-rsa.
Create a folder with configuration files and links to certificate generation scripts:
# make-cadir rsa # cd rsa
Open the vars configuration file and change the parameters:
export KEY_COUNTRY = "US" export KEY_PROVINCE = "CA" export KEY_CITY = "SanFrancisco" export KEY_ORG = "Fort-Funston" export KEY_EMAIL = "firstname.lastname@example.org"
KEY_COUNTRY - enter the country code (RU, UA, etc.);
KEY_PROVINCE - this item is not relevant if you do not live in the United States. :) You can replace the XX;
KEY_CITY - your city where you live;
KEY_EMAIL - your email address.
And also uncomment the export KEY_CN line, for the value for which specify the server name:
export KEY_CN = "example.com"
All variables are filled in Latin.
Save the file and run it:
Then start deleting old certificates:
Create a root certificate:
If, when generating the root certificate, you get the error
error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 198 , add the line to the vars file:
export KEY_ALTNAMES = "something"
And then re-run the previous commands:. vars, ./clean-all, ./build-ca.
The next step is to create a key and server certificate.
# ./build-key-server server
Then create a certificate and key for the client:
# ./build-key client
Please note: for each client you should generate your own certificate and key. You just need to specify different names (instead of the client) and change the paths to them in the configuration files. At the same time, you can protect clients' keys with a password; for this, use the command build-key-pass instead of build-key.
Next, you need to create a Diffie-Hellman key to be able to use Forward Secrecy:
And the key for tls authentication:
# openvpn --genkey --secret /etc/openvpn/ta.key
Now you need to copy the server certificates and keys to the OpenVPN settings folder:
# cp keys / ca.crt keys / server.crt keys / server.key keys / dh2048.pem / etc / openvpn /
And also put on them the rights that allow reading and changing only for their owner.
# chmod 0600 /etc/openvpn/ca.crt /etc/openvpn/server.crt /etc/openvpn/server.key /etc/openvpn/dh2048.pem /etc/openvpn/ta.key
Be sure to copy to your computer, for example, the desktop, from the keys folder, the keys necessary for connecting the client: client.crt , client.key , ca.crt , ta.key .
This completes the certificate preparation process.
In the / usr / share / doc / openvpn / directory there is an example file for setting up an Openvpn server. Copy it to the / etc / openvpn / directory and unzip:
cd / etc / openvpn; cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz / etc / openvpn /; gunzip server.conf.gz
Now we will consider the necessary parameters for openvpn to work.
The port on which Openvpn will accept connections. By default, 1194. I recommend to change it in order to conceal it. You can even disguise openvpn under a Web-server, specifying port 80.
Register paths to certificate files and server key.
ca ca.crt cert server.crt key server.key
The path to the key Diffie-Hellman.
Both paths relative to the / etc / openvpn directory (if files are located in it) and absolute can be specified.
Find and uncomment the line:
push "redirect-gateway def1 bypass-dhcp"
It is needed to be able to access the Internet through the OpenVPN server. If it is not uncommented, only computers within the network will be available.
You also need to specify the DNS servers for connecting clients.
push "dhcp-option DNS 22.214.171.124" push "dhcp-option DNS 126.96.36.199"
Depending on the location of the server, you can pick up other dns-servers, for example, on the project OpenNIC .
Next, find and uncomment the tls-auth parameter.
tls-auth ta.key 0
Attention! In the client settings, the last digit of this parameter should be replaced by 1 - tls-auth ta.key 1 .
Just below in the configuration file follows the listing of available ciphers. Uncomment the AES-128-CBC cipher.
cipher AES-128-CBC # AES
If necessary, it can be replaced with AES-256-CBC . In the client's configuration file, the cipher must be identical to the server cipher.
Also add the auth parameter. By default, 160-bit sha1 keys are used for authentication, but the sha1 algorithm is recognized as vulnerable. When specifying the following parameter, SHA512 keys with a length of 512 bits will be used.
As well as the parameter tls-version-min, which determines the version of tls used. In this case, the latest version is 1.2. Attention! Network Manager does not support (at the time of writing) this parameter. Therefore, if you plan to connect to the VPN server through the Network Manager, then this parameter is NOT specified in the server settings.
OpenVPN should not be run as root. Therefore, uncomment the lines:
user nobody group nogroup
It will not be superfluous to enable logs for OpenVPN. Especially, at first use after tuning for searching for errors, etc.
Leave all other parameters of the /etc/openvpn/server.conf configuration file with default values. This completes the OpenVPN server setup.
Activate openvpn with the command:
# systemctl enable openvpn
# service openvpn restart
It is also useful to check the log for errors.
Redirect traffic through OpenVPN
To be able to access the Internet through the server openvpn, you need to do something for this.
1. Configure sysctl
In the console, run the command:
# sysctl net.ipv4.ip_forward
If the output of the command is equal to net.ipv4.ip_forward = 1 , then there is no need to change anything. If the value of the variable is 0, then the following line should be added to the /etc/sysctl.conf file:
net.ipv4.ip_forward = 1
And reload the rules with the command:
# sysctl -p
2. Configure iptables
Alternately, run the following commands in the console:
# iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED, RELATED -j ACCEPT # iptables -A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT # iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Thus, we will allow traffic through the OpenVPN server for subnet 10.8.0.0 within the limits of already established connections.
If the openvpn client needs to assign a specific external ip address of the server, then instead of the last command from the list of previous ones for iptables, you need to run this:
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 127.0.0.1
Where after the parameter –to-source, you should specify the external ip server.
OpenVPN client on Windows
Getting started setting up an Openvpn client on Windows. Everything is simple here: download the client from the official site, install, create the configuration file and launch it.
It should be noted that it is necessary to start openvpn on Windows with the rights of the administrator if control of accounts is active.
If you did not change the installation path, then the examples of the configuration files on your PC are located in the C: \ Program Files \ OpenVPN \ sample-config directory. Copy the client.ovpn file from here and place it in the C: \ Program Files \ OpenVPN \ config directory.
Remember the certificates created for the client? They should also be downloaded from the server and copied to this directory.
Open the client.ovpn configuration file and find the remote my-server-1 1194 parameter. Instead of my-server, specify the ip or domain name of your server. Then the port that we changed earlier. As a result, the line may look like this:
remote 192.168.0.1 20100
Next, you need to specify the path to the certificates that you generated on the server. For each client, a key is created with a unique name, which should be indicated below, instead of client .
ca ca.crt cert client.crt key client.key
You should also uncomment the parameter that specifies the path to the tls-key.
tls-auth ta.key 1
Earlier it was already said that the last digit on the server should be 0, on the client - 1.
And the last parameters are ciphers that you installed on the server.
cipher AES-128-CBC auth SHA512 tls-version-min 1.2
This is all that is required to configure the client. Try running the OpenVPN client and connect to your server. The necessary connection information will be displayed in the openvpn gui window.
OpenVPN with NetworkManager
Install the graphical interface for the Network Manager.
# aptitude install network-manager-openvpn-gnome
# service network-manager restart
We copy the certificates generated for the client into an arbitrary folder on the computer. For example, in /home/user/.openvpn/.
Click the right mouse button on the network manager icon, select the item “change connections”, add a new connection of the type “OpenVPN”.
- Connection name
- Gateway (domain or server ip)
- Type: Certificates
User certificate is a certificate that we generated at the beginning for the client (client.crt).
CA certificate - ca.crt file.
The private key is the client's key (client.key).
Click on the "Advanced" button. In the window that opens, in the "General" tab you will need to change a few items.
- Use a different gateway port (if you specified a non-standard when setting up the server)
- Use lzo compression
Switch to the "Security" tab. Select the cipher, as in the server settings. As the value of the hmac authentication parameter, you should specify an algorithm, as in the auth value of the server. In the article we chose SHA512.
Open the TLS Authentication tab and tick the following items:
- Verify peer ...
- Use additional TLS authentication
For the last parameter, specify the path to the ta.key file, and select 1. as the key direction from the drop-down list. Similarly to the configuration file for Windows.
Save the connection and try to connect. :)
Just in case, we look that NM writes when connecting to the system log:
# tail -f / var / log / syslog