Install openvpn in Ubuntu 14.04
Latest revision as of 15:43, 26 July 2016
Reference - https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04
apt-get update
apt-get install openvpn easy-rsa
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
vim /etc/openvpn/server.conf
Change the line dh dh1024.pem to dh dh2048.pem (the 2048-bit parameter file is generated with openssl dhparam further down; a 1024-bit DH group is too weak to use today):
dh dh2048.pem
Uncomment push "redirect-gateway def1 bypass-dhcp" so that clients route all of their traffic, not just traffic for the VPN subnet, through the server.
Uncomment push "dhcp-option DNS 208.67.222.222" and push "dhcp-option DNS 208.67.220.220" (the OpenDNS resolvers). Otherwise clients keep using their local resolver and their DNS queries bypass the tunnel.
These resolvers are only pushed to the client; the client must actually apply pushed DNS options, so check the client's resolver configuration as well.
Uncomment both user nobody and group nogroup so the daemon drops root privileges once it has opened the tun device and read its keys.
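The server.conf edits above can be applied and checked with a small POSIX shell script instead of by hand. This is an added example, not part of the wiki page or of the DigitalOcean tutorial it references; the function names configure_server_conf, verify_server_conf and make_sample_conf are the example's own, and the sample configuration is a constructed excerpt of the stock server.conf containing only the lines the procedure touches. Run it against /etc/openvpn/server.conf as root, or against a copy first.

```shell
#!/bin/sh
# Apply the server.conf edits from the steps above and verify the result.
# Usage: sh configure_server_conf.sh /etc/openvpn/server.conf

# Constructed excerpt of the stock server.conf (only the lines the
# procedure touches, plus a few neighbours), used for testing offline.
make_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;user nobody
;group nogroup
persist-key
persist-tun
EOF
}

# Rewrite the DH reference and strip the leading ';' from exactly the
# directives the procedure says to uncomment. Writes through a temp file
# so a failed sed never leaves a half-written config behind.
configure_server_conf() {
    conf=$1
    sed -e 's/^dh dh1024\.pem$/dh dh2048.pem/' \
        -e 's/^;\(push "redirect-gateway def1 bypass-dhcp"\)$/\1/' \
        -e 's/^;\(push "dhcp-option DNS 208\.67\.222\.222"\)$/\1/' \
        -e 's/^;\(push "dhcp-option DNS 208\.67\.220\.220"\)$/\1/' \
        -e 's/^;\(user nobody\)$/\1/' \
        -e 's/^;\(group nogroup\)$/\1/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 only if every required directive is present as an active
# (uncommented, exact) line and the old 1024-bit DH file is no longer used.
verify_server_conf() {
    conf=$1
    for required in \
        'dh dh2048.pem' \
        'push "redirect-gateway def1 bypass-dhcp"' \
        'push "dhcp-option DNS 208.67.222.222"' \
        'push "dhcp-option DNS 208.67.220.220"' \
        'user nobody' \
        'group nogroup'
    do
        grep -qxF -- "$required" "$conf" || {
            echo "server.conf: missing active line: $required" >&2
            return 1
        }
    done
    if grep -qx 'dh dh1024.pem' "$conf"; then
        echo "server.conf: still references dh1024.pem" >&2
        return 1
    fi
    return 0
}

# When given a path, edit that file in place and report whether it passes.
if [ $# -eq 1 ]; then
    configure_server_conf "$1" && verify_server_conf "$1"
fi
```

The verify step matches whole lines with grep -x, so a directive that is still commented out, or that was uncommented but left with a different DNS address, is reported as missing rather than silently accepted.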
Packet Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
That takes effect immediately but is lost on reboot; to make it permanent, uncomment the line below in /etc/sysctl.conf
net.ipv4.ip_forward=1
Firewall stuff
ufw allow 1194/udp
vim /etc/default/ufw
Change the forward policy from DROP to ACCEPT, otherwise ufw drops the packets forwarded between tun0 and eth0:
DEFAULT_FORWARD_POLICY="ACCEPT"
Next we will add additional ufw rules for network address translation and IP masquerading of connected clients.
vim /etc/ufw/before.rules
Add the block below near the top of the file, before the *filter line (ufw reads the file table by table, and this block is a complete *nat table of its own):
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
Replace eth0 with the interface that carries the server's default route. The stock server.conf hands out addresses from 10.8.0.0/24; the /8 above also masquerades any other 10.x.x.x source the box happens to forward, so 10.8.0.0/24 is the tighter choice.
Rules in before.rules are only read when ufw is enabled or reloaded (ufw reload), so do that and then check:
ufw status
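Inserting the NAT block by hand is easy to get wrong twice (a second copy on a later visit, or a copy that lands after *filter). The script below is an added example, not from the wiki page or from the tutorial it cites; install_nat_rules, nat_rules_ok and make_sample_before_rules are the example's own names, and the sample before.rules is a constructed excerpt of the stock file. It defaults to 10.8.0.0/24 rather than the page's /8, matching the subnet the stock server.conf hands out, and it inserts the block only once and only ahead of the *filter table.

```shell
#!/bin/sh
# Idempotently add the OpenVPN NAT table to a ufw before.rules file.
# Usage: sh install_nat_rules.sh /etc/ufw/before.rules [VPN_SUBNET] [OUT_IFACE]

# Constructed excerpt of the stock /etc/ufw/before.rules, for offline testing.
make_sample_before_rules() {
    cat > "$1" <<'EOF'
#
# rules.before
#
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
EOF
}

# Insert the *nat block immediately before the *filter line unless the
# file already carries it. The subnet defaults to the one the stock
# server.conf hands out; the interface is the one with the default route.
install_nat_rules() {
    rules=$1
    subnet=${2:-10.8.0.0/24}
    iface=${3:-eth0}
    if grep -q '^# START OPENVPN RULES' "$rules"; then
        return 0    # already present: never add a second copy
    fi
    block="# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients to $iface
-A POSTROUTING -s $subnet -o $iface -j MASQUERADE
COMMIT
# END OPENVPN RULES"
    awk -v block="$block" '
        /^\*filter/ && !done { print block; done = 1 }
        { print }
    ' "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
}

# Return 0 only if exactly one block exists, it masquerades the expected
# subnet out of the expected interface, and its COMMIT precedes *filter.
nat_rules_ok() {
    rules=$1
    subnet=${2:-10.8.0.0/24}
    iface=${3:-eth0}
    grep -qxF -- "-A POSTROUTING -s $subnet -o $iface -j MASQUERADE" "$rules" || return 1
    awk '
        /^# START OPENVPN RULES/ { n++; start = NR }
        /^COMMIT$/ && start && !commit { commit = NR }
        /^\*filter/ && !filter { filter = NR }
        END {
            if (n == 1 && start > 0 && filter > 0 && start < commit && commit < filter) exit 0
            exit 1
        }
    ' "$rules"
}

# When given a path, install the block there and report whether it passes.
if [ $# -ge 1 ]; then
    install_nat_rules "$@" && nat_rules_ok "$@"
fi
```

After editing a live before.rules, run ufw reload and confirm with iptables -t nat -S POSTROUTING that exactly one MASQUERADE rule for the VPN subnet is present.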
Creating a Certificate Authority and Server-Side Certificate & Key
First copy over the Easy-RSA generation scripts.
cp -r /usr/share/easy-rsa/ /etc/openvpn
vim /etc/openvpn/easy-rsa/vars
Edit all of below appropriately
export KEY_COUNTRY="US"
export KEY_PROVINCE="TX"
export KEY_CITY="Dallas"
export KEY_ORG="My Company Name"
export KEY_EMAIL="sammy@example.com"
export KEY_OU="MYOrganizationalUnit"
In the same vars file, also edit this one line shown below. For simplicity, we will use server as the key name. If you want to use a different name, you would also need to update the OpenVPN configuration files that reference server.key and server.crt.
export KEY_NAME=server
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all  (only on a fresh setup: this empties the keys directory, so never run it again once the CA exists)
./build-ca
Generate a Certificate and Key for the Server
./build-key-server server
Accept the defaults taken from vars, then answer y to both "Sign the certificate?" and the commit prompt.
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn
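Before starting the service it is worth checking that what landed in /etc/openvpn is consistent. The script below is an added example, not from the wiki page or from the tutorial it cites; pki_check and dh_bits are the example's own names. It verifies that server.crt chains to ca.crt, that server.key is the private key for server.crt, that the certificate carries the serverAuth extended key usage that build-key-server sets (clients configured with remote-cert-tls server reject a server certificate without it), that the private key is not group- or world-readable, and that the DH parameters are at least 2048 bits (the optional second argument relaxes that bound so a test can use a smaller, faster-to-generate group).

```shell
#!/bin/sh
# Sanity-check the server-side PKI files copied into /etc/openvpn.
# Usage: sh pki_check.sh [DIR] [MIN_DH_BITS]

# Print the size in bits of the group in a PEM dhparam file (e.g. 2048).
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

pki_check() {
    dir=${1:-/etc/openvpn}
    min_bits=${2:-2048}
    for f in ca.crt server.crt server.key dh2048.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done

    # 1. server.crt must verify against our own CA.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 ||
        { echo "server.crt does not verify against ca.crt" >&2; return 1; }

    # 2. server.crt and server.key must be the same RSA key pair.
    cert_mod=$(openssl x509 -in "$dir/server.crt" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$dir/server.key" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] ||
        { echo "server.key does not match server.crt" >&2; return 1; }

    # 3. build-key-server adds extendedKeyUsage=serverAuth; clients using
    #    "remote-cert-tls server" refuse to connect without it.
    openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication' ||
        { echo "server.crt lacks the serverAuth extended key usage" >&2; return 1; }

    # 4. The private key must not be readable by group or others
    #    (characters 5-10 of ls -l are the group and other permission bits).
    perms=$(ls -l "$dir/server.key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "server.key is readable by group/others (chmod 600 it)" >&2; return 1; }

    # 5. DH parameters must be at least as large as required.
    bits=$(dh_bits "$dir/dh2048.pem")
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] ||
        { echo "dh2048.pem is only ${bits:-?} bits, need $min_bits" >&2; return 1; }

    echo "PKI in $dir looks consistent ($bits-bit DH)"
    return 0
}

# When run directly, check the given directory (default /etc/openvpn).
if [ $# -ge 1 ]; then
    pki_check "$@"
fi
```

Run it as root after the cp step; every failure prints one line naming the file and the property that is wrong, which is more useful than the generic TLS handshake error a client would show later.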
Ready to go
service openvpn start
service openvpn status
Generate Certificates and Keys for Clients