First, a little history:
I’ve installed OpenVPN NUMEROUS times on various OSes. It’s usually a lesson in tearing my hair out. Don’t get me wrong. OpenVPN is fucking AWESOME!
My problem is that all the guides etc to get it going are either 4 years old, not applicable or missing some things. I’ve built and rebuilt servers over and over and EVERY time I fucking forget something. So I’m documenting it so I don’t have to swear as much next time.

Here’s how to build a server yourself:

Shit you’ll need:
-A server. Doesn’t matter what kind of server. Unless you have over 9000 people, this should be a VPS. I used a Xen VPS because OpenVZ sucks ass.
-Debian Lenny on said server. I used 64bit. You should too.
-OpenVPN (duh)
-A public IP. You can probably get away with NAT, but I have a real VPS. You should too. They’re cheap. And will pwn anything hosted locally in terms of speed.

Protip: Make a user so you don’t have to do all this in root. I’m too lazy to add in “sudo” to all my code here, but you should be. I’m not typing out more characters than I need. Oh and I do understand the irony of typing all this but not an extra 4 letters. Do as I say, not as I do.
Oh and replace anything in [] with appropriate info.

apt-get update && apt-get upgrade
apt-get install build-essential liblzo2-dev libssl-dev
wget http://swupdate.openvpn.net/community/releases/openvpn-2.2-beta3.tar.gz

Protip: Don’t forget to change the version number to the latest one. This is the one I built with. If you’re not comfortable forging new territory, the one above works. Oh and change all the dirs below if you do change the version.

tar zxvf openvpn-2.2-beta3.tar.gz
cd openvpn-2.2-beta3
./configure
make
make install

make may take a while. Go grab a donut.

Now, copy the contents of [where you downloaded openvpn]/easy-rsa/2.0/ to /etc/openvpn/ca/ and cd into it.
Edit the last bunch of lines in

vars

to reflect your info. I also used 2048 for KEY_SIZE, but that’s optional.

Now, from /etc/openvpn/ca/, do:

. ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

That last one makes the tls-auth key that server.conf and the symlinks below expect. Nothing else generates it, so don’t skip it.

Now, copy [where you downloaded openvpn]/sample-config-files/server.conf to /etc/openvpn/server.conf

Uncomment the following

;local a.b.c.d
;client-config-dir ccd
;client-to-client (optional) 
;tls-auth ta.key 0 # This file is secret
;user nobody
;group nobody
;mute 20

and change the following:

"local a.b.c.d" to "local [server ip]"
"dh dh1024.pem" to "dh dh2048.pem"
"group nobody" to "group nogroup" (Debian has no group called nobody, so openvpn will refuse to start otherwise)

Now, cd to /etc/openvpn/ and create some symlinks to your keys directory:
Protip: You don’t have to do this, it’s just easier than keeping 2 copies of keys. This way everything is in the keys directory.

cd /etc/openvpn
ln -s /etc/openvpn/ca/keys/ca.crt ca.crt
ln -s /etc/openvpn/ca/keys/dh2048.pem dh2048.pem
ln -s /etc/openvpn/ca/keys/server.crt server.crt
ln -s /etc/openvpn/ca/keys/server.key server.key
ln -s /etc/openvpn/ca/keys/ta.key ta.key

Now, back in /etc/openvpn/ca/, build a set of certs for your user(s). Whatever you put for [user] becomes the cert’s Common Name, and you’ll need it again for the ccd file later.

./build-key [user]

Now, copy [where you downloaded openvpn]/sample-config-files/client.conf to somewhere local. To make things easier, name it the same thing you named it above. Open it up and do the following:

Change:

"remote my-server-1 1194" to "remote [server ip] 1194"
"ca ca.crt" to ";ca ca.crt"
"cert client.crt" to ";cert client.crt"
"key client.key" to ";key client.key"

Now, replace the stuff in [] with the contents of the appropriate file.
Protip: Don’t copy the entire cert, just the stuff between the BEGIN and END. The .crt files easy-rsa spits out have a readable text dump above the actual PEM, and you don’t want that in here.

Add:

key-direction 1

<ca>
-----BEGIN CERTIFICATE-----
[ca.crt]
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
[client1.crt]
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
[client1.key]
-----END RSA PRIVATE KEY-----
</key>

<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[ta.key]
-----END OpenVPN Static key V1-----
</tls-auth>
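Here’s a script that does the cut-and-paste above for you, pulling just the BEGIN-to-END part of each file into one client config. It’s an added example, not the author’s or OpenVPN’s code; the keys dir path, the user name alice and the server IP are assumptions, and make_sample_keys writes fake placeholder files (not real keys) so you can try it offline.

```shell
#!/bin/sh
# Assemble a one-file client config with ca/cert/key/ta.key inlined, copying
# only the PEM between BEGIN and END (easy-rsa .crt files carry a text dump
# above the PEM that OpenVPN doesn't want). Usage:
#   build_inline_config <user> <keys dir> <server ip> > <user>.ovpn
pem_only() {  # just the PEM block of a file, BEGIN line through END line
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

build_inline_config() {
    user=$1 keys=$2 server=$3
    for f in ca.crt "$user.crt" "$user.key" ta.key; do
        [ -r "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    # Directives mirror the sample client.conf; key-direction 1 is the
    # client end of "tls-auth ta.key 0" in server.conf.
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
nobind
comp-lzo
key-direction 1
<ca>
$(pem_only "$keys/ca.crt")
</ca>
<cert>
$(pem_only "$keys/$user.crt")
</cert>
<key>
$(pem_only "$keys/$user.key")
</key>
<tls-auth>
$(pem_only "$keys/ta.key")
</tls-auth>
EOF
}

# Constructed stand-in for an easy-rsa keys dir (NOT real key material),
# complete with the text dump above the PEM that pem_only has to skip.
make_sample_keys() {
    d=$1; mkdir -p "$d"
    for n in ca alice; do
        printf 'Certificate:\n    Data:\n-----BEGIN CERTIFICATE-----\nMIIB%s==\n-----END CERTIFICATE-----\n' "$n" > "$d/$n.crt"
    done
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIEkey==\n-----END RSA PRIVATE KEY-----\n' > "$d/alice.key"
    printf '#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n0123abcd\n-----END OpenVPN Static key V1-----\n' > "$d/ta.key"
}
```

Run it against the real /etc/openvpn/ca/keys/ once the certs exist; the output is the whole thing your client needs, so treat the file like a private key.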

Ok, now it’s time to start the server. Change to

/etc/openvpn/

and

openvpn server.conf

Start your client with the above config. Now ping 10.8.0.1.
If it works, you’re in. If you want to do more, keep reading.

Now, I don’t know what you use your VPN for, but mine is for when I travel. I don’t want people snooping on mah traffic. Here’s how you do it.

First off:

cat /proc/sys/net/ipv4/ip_forward

If it prints 1, you’re golden. If not, edit /etc/sysctl.conf and look for

net.ipv4.ip_forward=0

and make it look like

net.ipv4.ip_forward=1

then run sysctl -p so it takes effect now instead of after a reboot.

And then:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Since iptables doesn’t save between reboots, we’ll make it:

iptables-save > /etc/iptables.rules

Stuff this into /etc/rc.local (above the exit 0 at the bottom):

iptables-restore < /etc/iptables.rules

Since we’ve set up client config dirs, giving “User A” and “User B” different configs is easy.
You can just uncomment

push "redirect-gateway def1"

in server.conf and be done with it, but we may as well do it right the first time.

now make the directory:

/etc/openvpn/ccd/

Make a file in it named [user] (it has to match the Common Name you gave build-key, or openvpn won’t find it) and shove this in it:

push "redirect-gateway def1"
push "dhcp-option DNS 4.2.2.1"
push "dhcp-option DNS 4.2.2.2"

This way when [user] connects, he gets speshul privileges that no one else does.
Now rinse and repeat for additional users.

Oh and if you want to be REALLY lazy, you could just

apt-get install openvpn

, but building it from scratch isn’t that hard.

© 2012 The Mind of DH