Developers Club geek daily blog

4 years, 9 months ago
So, gentlemen, the first of August was approaching, and I was thinking about getting myself an IP address in a country whose p2p legislation is more relaxed, namely the Netherlands. After a fairly long search I found a provider offering two cores of an E3-1230, a couple of gigabytes of memory, a 460 GB disk and a gigabit channel with no traffic limit (I specifically asked support about this, and they assured me that the channel is not throttled even after a hundred terabytes) for some forty-odd dollars. The only catch: the virtualization is OpenVZ. I normally set up OpenVPN on Xen or KVM, so things did not go as smoothly as usual, and I decided to share what I learned.

OS distribution: Debian 6
So let's begin:

Install OpenVPN and dnsmasq

aptitude install openvpn udev dnsmasq


Next, copy the easy-rsa key generation scripts
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn

You are then usually told to edit /etc/openvpn/easy-rsa/2.0/vars. If the gateway is only "for yourself", the identity fields are entirely optional; if you want things tidy, edit the following at the end of that file:
export KEY_COUNTRY="XX"
export KEY_PROVINCE="XX"
export KEY_CITY="City"
export KEY_ORG="MyCompany"
export KEY_EMAIL="habr@habr.ru"

One setting in vars is worth changing regardless of tidiness: it defaults to export KEY_SIZE=1024, and 1024-bit RSA keys and Diffie-Hellman parameters are too weak for a gateway you actually rely on. Set it to 2048 before running build-ca. Be aware that build-dh then writes dh2048.pem instead of dh1024.pem, so the file name in the copy step below and the dh line in server.conf have to match.


After editing vars, generate the root (CA) certificate

cd /etc/openvpn/easy-rsa/2.0/
. ./vars        # exports the KEY_* settings into the current shell; the other scripts rely on them
./clean-all     # wipes the keys/ directory: run it once, before the CA exists, never afterwards
./build-ca


Next, generate the server certificate and one certificate per client (instead of cli1, cli2 use whatever names are convenient; give each device its own certificate rather than sharing one, so that a single client can be revoked later without disturbing the rest). The build-key scripts ask interactively whether to sign and commit each certificate; answer y to both.

./build-key-server server
./build-key cli1
./build-key cli2


Then generate the Diffie-Hellman parameters (this can take a few minutes)
./build-dh


Distribute the keys. The client needs ca.crt, cli1.crt and cli1.key; into /etc/openvpn on the server go ca.crt, dh1024.pem, server.crt and server.key. The CA private key ca.key is only needed to sign further certificates, so there is no reason to put it next to the running daemon: leave it in the keys directory, readable by root only, or take it off the box altogether.

cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt dh1024.pem server.crt server.key /etc/openvpn


Now copy the sample config shipped with the package into /etc/openvpn (unpacking it straight into place rather than modifying /usr/share/doc).
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf


So that our VPN server hands out internet access to the clients, add to /etc/openvpn/server.conf
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"

The first line makes clients route all their traffic through the tunnel; the second points them at the dnsmasq instance configured below, so DNS queries go through the tunnel as well instead of leaking to the client's local resolver. The sample config already contains the rest of what is needed (server 10.8.0.0 255.255.255.0, the ca/cert/key/dh file names, comp-lzo, persist-key and persist-tun); it is also worth uncommenting user nobody and group nogroup in it, so that the daemon drops root once it has opened the tun device and read its keys.


Next, enable IP forwarding.

In /etc/sysctl.conf uncomment the line
net.ipv4.ip_forward=1

and in the console run
echo 1 > /proc/sys/net/ipv4/ip_forward

so that the change applies without a reboot.

Next, set up iptables.
If you have a dedicated server, or a VM on Xen or KVM, enter in the console
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Under OpenVZ virtualization ordinary MASQUERADE does not work on venet0, and SNAT to the container's fixed public address has to be used instead; for this enter in the console
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to a.b.c.d
iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT

where a.b.c.d is the external IP of your server. The -s 10.8.0.0/24 on the SNAT rule restricts the rewrite to VPN traffic; without it every packet leaving venet0 would have its source address rewritten. Note that the OpenVZ variant, unlike the first one, has no final deny rule, so append iptables -A FORWARD -j REJECT as well if the container should forward nothing besides VPN traffic.

So that the iptables rules are applied when the OS boots, put them in /etc/rc.local, and there, after the iptables rules, add a restart of dnsmasq: dnsmasq is configured below to bind to 10.8.0.1, an address that only exists once OpenVPN has brought up tun0, so it has to be (re)started after OpenVPN or it fails to bind. An example of /etc/rc.local after modification,
for dedicated/Xen/KVM:

#!/bin/sh -e
#
# [...]
#

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

/etc/init.d/dnsmasq restart

exit 0


for OpenVZ:

#!/bin/sh -e
#
# [...]
#

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to a.b.c.d
iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT

/etc/init.d/dnsmasq restart

exit 0


Next, configure dnsmasq: open /etc/dnsmasq.conf and uncomment/edit two lines so that it answers only on localhost and the VPN address, not on the public interface (a resolver open to the whole internet gets abused for DNS amplification within days)
listen-address=127.0.0.1,10.8.0.1
bind-interfaces


That completes the server setup; restart the services and move on to configuring the clients.
service openvpn restart
service dnsmasq restart

If openvpn refuses to start inside the OpenVZ container, check that /dev/net/tun exists in it: the TUN device (and the net_admin capability) have to be granted to the container from the host node, and a plan that lacks them cannot run OpenVPN at all, whatever you do inside the guest.
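Pasting the rules into /etc/rc.local works, but every extra run of that file appends a second copy of each rule, the OpenVZ and dedicated variants have to be maintained separately, and the OpenVZ one needs the public address typed in by hand. The following script is an added example, not code from the original post: it detects whether it is running inside OpenVZ (venet0 present), reads the container's public address from ip addr, installs the equivalent of the rules above with a default-deny FORWARD policy, and restarts dnsmasq afterwards. Assumed, and not from the post: the install path /usr/local/sbin/vpn-firewall.sh and the apply/show arguments and DRY_RUN variable, which are this script's own convention; the 10.8.0.0/24 subnet and the eth0/venet0/tun0 names are the post's.

```shell
#!/bin/sh
# Added example, not code from the original post: one firewall script for
# both the dedicated/Xen/KVM case (MASQUERADE on eth0) and the OpenVZ case
# (SNAT to the container's public address on venet0).  Install as
# /usr/local/sbin/vpn-firewall.sh and call "vpn-firewall.sh apply" from
# /etc/rc.local instead of pasting raw rules there.

VPN_NET="10.8.0.0/24"          # the "server 10.8.0.0 255.255.255.0" subnet from server.conf
VPN_IF="tun0"
DRY_RUN="${DRY_RUN:-0}"        # DRY_RUN=1 prints the commands instead of executing them

# Run a command, or just print it when DRY_RUN=1 (review the rules without root).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# venet0 exists only inside an OpenVZ container; otherwise assume eth0.
detect_wan_if() {
    if [ -d /sys/class/net/venet0 ]; then echo venet0; else echo eth0; fi
}

# Read "ip -4 addr show <if>" output on stdin and print the first address with
# scope global.  Inside OpenVZ, venet0 also carries a 127.0.0.x "scope host"
# address, which must not end up as the SNAT source.
first_global_ipv4() {
    awk '$1 == "inet" && /scope global/ { sub("/.*", "", $2); print $2; exit }'
}

# Install the forwarding and NAT rules for WAN interface $1 (public address $2).
apply_rules() {
    wan_if="$1"
    wan_ip="$2"
    # Flush first, so re-running the script (every boot, or by hand) does not
    # append a second copy of every rule.
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING
    run iptables -P FORWARD DROP
    # Only VPN clients may initiate forwarded connections; replies come back
    # through conntrack.  Nothing else is routed through this box.
    run iptables -A FORWARD -i "$VPN_IF" -o "$wan_if" -s "$VPN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$wan_if" -o "$VPN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    if [ "$wan_if" = venet0 ]; then
        # MASQUERADE does not work on venet0: SNAT to the fixed public address.
        # "-s $VPN_NET" keeps the rule from rewriting unrelated traffic.
        run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$wan_if" -j SNAT --to-source "$wan_ip"
    else
        run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$wan_if" -j MASQUERADE
    fi
}

main() {
    wan_if=$(detect_wan_if)
    wan_ip=$(ip -4 addr show "$wan_if" | first_global_ipv4)
    if [ "$wan_if" = venet0 ] && [ -z "$wan_ip" ]; then
        echo "vpn-firewall: no global IPv4 address on venet0, refusing to SNAT" >&2
        return 1
    fi
    run sysctl -w net.ipv4.ip_forward=1
    apply_rules "$wan_if" "$wan_ip"
    # dnsmasq binds to 10.8.0.1 (bind-interfaces), which only exists once tun0
    # is up, so restart it after OpenVPN has created the interface.
    run /etc/init.d/dnsmasq restart
}

# "apply" installs the rules; "show" only prints what would be run; with no
# argument the file merely defines its functions, so it can be sourced.
case "${1:-}" in
    apply) main ;;
    show)  DRY_RUN=1; main ;;
esac
```

Call it as /usr/local/sbin/vpn-firewall.sh apply from /etc/rc.local in place of the raw rules. vpn-firewall.sh show prints the commands without touching anything, which is a convenient way to confirm the detected public address before the first real run; unlike the post's OpenVZ variant, the script ends with a default-deny FORWARD policy in both cases.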


In my case all clients are on Windows 7, so I will only describe the client setup on Windows.

Download the OpenVPN software and install it. On Windows 7 it has to be launched as administrator (Start -> OpenVPN -> OpenVPN GUI, right-click, Run as administrator); without that it cannot add the routes the server pushes with redirect-gateway, and the tunnel comes up without actually redirecting traffic.
Then create a file <name>.ovpn with the following content

client
dev tun
proto udp
remote a.b.c.d 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cli1.crt
key cli1.key
comp-lzo
verb 3

where a.b.c.d is the address of the server. The push "redirect-gateway def1" line belongs only in the server config: push is a server-side directive, the client receives the option from the server on connect, and a push line in a client file is an error.

Put the <name>.ovpn file and the previously obtained ca.crt, cli1.crt and cli1.key into C:\Program Files (x86)\OpenVPN\config. Transfer them over SSH (scp), not by e-mail: cli1.key is the client's private key, and whoever holds it can connect as that client.
That's all: right-click the OpenVPN icon in the tray -> Connect, and you are transported to another country.
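Handing a Windows user four separate files invites mistakes (a key that does not match the certificate, a forgotten ca.crt). The script below is an added example, not code from the original post: run on the server, it assembles one <name>.ovpn with the certificate and key material inlined in <ca>, <cert> and <key> blocks, which OpenVPN 2.1 and later (including the Windows GUI builds) read directly, so only that single file goes into C:\Program Files (x86)\OpenVPN\config. It uses the client directives from the post minus the stray push line and assumes the easy-rsa keys directory from the post; the function names and the KEYS_DIR override are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: build a single
# self-contained <name>.ovpn for a client by inlining ca.crt, <name>.crt and
# <name>.key, so only one file has to be copied to the Windows machine.
# Assumes the easy-rsa 2.0 keys directory from the post (override with KEYS_DIR).

KEYS_DIR="${KEYS_DIR:-/etc/openvpn/easy-rsa/2.0/keys}"

# Print one inline block, e.g. <cert> ... </cert>, from a PEM file.  easy-rsa
# certificates carry a human-readable dump before the PEM; keep only the PEM.
inline_block() {
    tag="$1"; file="$2"
    printf '<%s>\n' "$tag"
    sed -n '/^-----BEGIN/,/^-----END/p' "$file"
    printf '</%s>\n' "$tag"
}

# Print a complete client profile for client $2 connecting to server $1,
# reading the key material from directory $3 (default: KEYS_DIR).
# The directives are the post's client config without "push", which is a
# server-side directive and does not belong in a client file.
make_profile() {
    server="$1"; name="$2"; dir="${3:-$KEYS_DIR}"
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
EOF
    inline_block ca   "$dir/ca.crt"
    inline_block cert "$dir/$name.crt"
    inline_block key  "$dir/$name.key"
}

# Write <name>.ovpn into the current directory, readable by the owner only:
# the file contains the client's private key.  Prints the file name.
write_profile() {
    out="$2.ovpn"
    umask 077
    make_profile "$1" "$2" "$3" > "$out" || { rm -f "$out"; return 1; }
    echo "$out"
}

# Usage: make-ovpn.sh <server-address> <client-name> [keys-dir]
if [ $# -ge 2 ]; then
    write_profile "$@"
fi
```

Generate the profile with ./make-ovpn.sh a.b.c.d cli1 on the server, copy the resulting cli1.ovpn over scp, and drop it into the OpenVPN config directory on the client; since it now holds the private key it is written with mode 600 and should be treated like the separate key file was.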

This article is a translation of the original post at habrahabr.ru/post/188474/
