OS distribution: Debian 6
Let's begin.
Install OpenVPN and dnsmasq:
aptitude install openvpn udev dnsmasq
Next, copy the key-generation scripts (easy-rsa) into place:
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
Normally you are then told to edit /etc/openvpn/easy-rsa/2.0/vars, but if the gateway is just for your own use this step is entirely optional. If you want the certificates to look tidy, change the following lines at the end of that file:
export KEY_COUNTRY="XX"
export KEY_PROVINCE="XX"
export KEY_CITY="City"
export KEY_ORG="MyCompany"
export KEY_EMAIL="email@example.com"
After editing vars, generate the root (CA) certificate (vars must be sourced into the same shell that runs the build scripts):
cd /etc/openvpn/easy-rsa/2.0/
. ./vars
./clean-all
./build-ca
Next, generate the server certificate and one certificate per client (use any names you like instead of cli1, cli2, but give every client its own certificate, since by default OpenVPN allows only one active connection per common name). Answer "y" to the "Sign the certificate?" and "commit?" prompts:
./build-key-server server
./build-key cli1
./build-key cli2
Then generate the Diffie-Hellman parameters with the build-dh script from the same directory; with the default KEY_SIZE of 1024 this produces dh1024.pem.
Now distribute the keys. The client side needs ca.crt, cli1.crt and cli1.key; the server side needs ca.crt, dh1024.pem, server.crt and server.key in /etc/openvpn. The CA private key ca.key is not among them: the running server never uses it, it is needed only to sign new certificates, so leave it in the easy-rsa keys directory (better still, keep it off the gateway altogether) and make sure it stays readable by root only.
cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt dh1024.pem server.crt server.key /etc/openvpn
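Before handing anything out it is worth checking what easy-rsa produced. The script below is an added example, not code from the original post: it verifies that the server and client certificates chain to ca.crt, that only the server certificate carries the server markers build-key-server adds (so a client using remote-cert-tls server will accept the gateway, and no client certificate can pose as it), and that every private key is readable by root only. It assumes the easy-rsa 2.0 layout (ca.crt, NAME.crt, NAME.key in one keys/ directory) and the openssl command-line tool; the directory and names in the usage line are examples.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a freshly generated
# easy-rsa 2.0 key set before anything is copied or handed out.
# Usage: check_pki KEYS_DIR SERVER_NAME CLIENT_NAME...
#   check_pki /etc/openvpn/easy-rsa/2.0/keys server cli1 cli2   (hypothetical)

# chains_to_ca DIR NAME: does DIR/NAME.crt verify against DIR/ca.crt?
# Matching the "OK" text instead of the exit status also works on the old
# openssl 0.9.8 of Debian 6, whose 'verify' exits 0 even on failure.
chains_to_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" 2>&1 | grep -q ': OK$'
}

# is_server_cert DIR NAME: does DIR/NAME.crt carry the server markers that
# build-key-server adds (nsCertType=server, extendedKeyUsage=serverAuth)?
is_server_cert() {
    openssl x509 -in "$1/$2.crt" -noout -text 2>/dev/null \
        | grep -q -e 'TLS Web Server Authentication' -e 'SSL Server'
}

check_pki() {
    dir="$1"; server="$2"; shift 2
    rc=0

    # The server cert must chain to our CA and be marked as a server cert,
    # otherwise clients configured with 'remote-cert-tls server' refuse it.
    chains_to_ca "$dir" "$server" \
        || { echo "FAIL: $server.crt does not verify against ca.crt"; rc=1; }
    is_server_cert "$dir" "$server" \
        || { echo "FAIL: $server.crt lacks server usage"; rc=1; }

    # Every client cert must chain to the CA and must NOT carry server usage,
    # or that client's files could be used to impersonate the gateway.
    for c in "$@"; do
        chains_to_ca "$dir" "$c" \
            || { echo "FAIL: $c.crt does not verify against ca.crt"; rc=1; }
        if is_server_cert "$dir" "$c"; then
            echo "FAIL: $c.crt carries server usage"; rc=1
        fi
    done

    # Private keys must be readable by root only (fix with: chmod 600 *.key).
    for k in "$dir"/*.key; do
        mode=$(stat -c %a "$k")   # GNU/busybox stat; BSD would be: stat -f %Lp
        [ "$mode" = "600" ] || { echo "FAIL: $k has mode $mode, want 600"; rc=1; }
    done

    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return $rc
}
```

Run it once after build-dh and again on the client bundle you are about to send; a non-zero exit means something in the list above is wrong.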
Now copy the sample config shipped with the package into /etc/openvpn:
cd /usr/share/doc/openvpn/examples/sample-config-files
gunzip -d server.conf.gz
cp server.conf /etc/openvpn/
So that the VPN server also routes the clients' Internet traffic and resolves DNS for them, add to /etc/openvpn/server.conf (10.8.0.1 is the server's own address on tun0 with the sample config's server 10.8.0.0 255.255.255.0 line, so dnsmasq must be reachable there):
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
Next, enable IP forwarding: in /etc/sysctl.conf uncomment the net.ipv4.ip_forward=1 line (this makes it persist across reboots), and in the console run
echo 1 > /proc/sys/net/ipv4/ip_forward
so that the change takes effect without a reboot.
Next, set up iptables.
If you have a dedicated server, or a virtual one on Xen or KVM, enter in the console:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Under OpenVZ plain MASQUERADE does not work and you have to use SNAT instead; for that enter in the console:
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to a.b.c.d
iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT
Here a.b.c.d is your server's external IP. Note that, unlike the first set, this one has no final REJECT rule and SNATs everything leaving venet0, not just the VPN subnet; with forwarding enabled, anything else that reaches the box is relayed as well.
For the iptables rules to be applied at boot, put them into /etc/rc.local (before its closing exit 0), and after the rules add a restart of dnsmasq. An example /etc/rc.local after the change (dedicated server, Xen or KVM):
#!/bin/sh -e
#
# [...]
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
/etc/init.d/dnsmasq restart
exit 0
and the OpenVZ variant:
#!/bin/sh -e
#
# [...]
#
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to a.b.c.d
iptables -A FORWARD -i venet0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT
/etc/init.d/dnsmasq restart
exit 0
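The two rc.local variants above append with -A every time they run, so a manual re-run leaves duplicate rules behind, and the OpenVZ set neither rejects other forwarded traffic nor limits the SNAT to the VPN subnet. The script below is an added example, not code from the original post: one function that produces either variant, flushes the chains it owns first so it can be re-run safely, forwards and NATs only the VPN subnet, and drops DNS arriving on the public interface so the dnsmasq we are about to configure cannot be used as an open resolver. It assumes the VPN subnet 10.8.0.0/24 on tun0, OpenVPN on udp/1194, eth0 (MASQUERADE) or venet0 with a fixed address (SNAT, the OpenVZ case); the script path and the "apply" argument are hypothetical. Set IPT=echo to dry-run it and see the rules it would issue.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent replacement for the
# iptables lines of both /etc/rc.local variants. IPT=echo prints instead of
# applying, which is how the rule set can be reviewed before it goes live.
IPT="${IPT:-iptables}"

# apply_rules WAN_IF VPN_NET [SNAT_IP]
#   third argument present -> OpenVZ variant (SNAT --to-source SNAT_IP)
#   third argument absent  -> dedicated/Xen/KVM variant (MASQUERADE)
apply_rules() {
    wan="$1"; vpn_net="$2"; snat_ip="${3:-}"

    # Start from empty chains so that boot plus a manual re-run never leaves
    # duplicate rules behind; -A alone would append a second copy.
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING

    # Forward nothing by default; the OpenVZ variant above never rejects, so
    # anything that reaches the box with forwarding on would be relayed.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Only packets that really arrive on tun0 from the VPN subnet may go out.
    $IPT -A FORWARD -i tun0 -o "$wan" -s "$vpn_net" -j ACCEPT
    $IPT -A FORWARD -j REJECT

    # NAT only the VPN subnet (the OpenVZ rule above SNATs every outgoing packet).
    if [ -n "$snat_ip" ]; then
        $IPT -t nat -A POSTROUTING -s "$vpn_net" -o "$wan" -j SNAT --to-source "$snat_ip"
    else
        $IPT -t nat -A POSTROUTING -s "$vpn_net" -o "$wan" -j MASQUERADE
    fi

    # dnsmasq serves VPN clients only: drop DNS arriving on the public side so
    # the gateway cannot be abused as an open resolver. Delete-then-add keeps
    # this idempotent on iptables 1.4.8 (Debian 6), which has no -C yet.
    for proto in udp tcp; do
        $IPT -D INPUT -i "$wan" -p "$proto" --dport 53 -j DROP 2>/dev/null || true
        $IPT -A INPUT -i "$wan" -p "$proto" --dport 53 -j DROP
    done
}

# From /etc/rc.local call:  /etc/openvpn/vpn-fw.sh apply   (before "exit 0")
# Dedicated/Xen/KVM: apply_rules eth0   10.8.0.0/24
# OpenVZ:            apply_rules venet0 10.8.0.0/24 a.b.c.d
if [ "${1:-}" = "apply" ]; then
    apply_rules eth0 10.8.0.0/24
    /etc/init.d/dnsmasq restart
fi
```

After applying, iptables -L FORWARD -n -v and iptables -t nat -L POSTROUTING -n -v should show exactly one copy of each rule, however many times the script has run.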
Next, configure dnsmasq: open /etc/dnsmasq.conf and uncomment the two lines you need. Whatever else you change there, make sure dnsmasq answers only on the VPN side (for example interface=tun0 together with bind-interfaces, or listen-address=10.8.0.1); otherwise it also answers on your public address and the gateway becomes an open resolver. Tying it to tun0 is one more reason to keep the dnsmasq restart in rc.local after OpenVPN has created the interface.
That completes the server setup; restart the services and move on to the clients:
service openvpn restart
service dnsmasq restart
In my case all clients run Windows 7, so I will only describe the client setup on Windows.
Download and install the OpenVPN software; on Windows 7 run it as administrator (Start > OpenVPN > OpenVPN GUI).
Then create a file name.ovpn (any name you like) with the following contents:
client
dev tun
proto udp
remote a.b.c.d 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cli1.crt
key cli1.key
comp-lzo
verb 3
Here a.b.c.d is the server's address. The push "redirect-gateway def1" line belongs in server.conf only: push is a server-side directive, and the client receives the redirect from the server. It is also worth adding remote-cert-tls server to the client config, so the client only accepts a certificate made with build-key-server and a leaked client certificate cannot be used to impersonate the gateway.
Put name.ovpn together with the ca.crt, cli1.crt and cli1.key received earlier into C:\Program Files (x86)\OpenVPN\config.
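Carrying four files per client over to a Windows box is error-prone; OpenVPN 2.1 and later can read the CA, certificate and key from inline <ca>, <cert> and <key> blocks, so one file is enough. The script below is an added example, not code from the original post: run on the gateway, it builds such a self-contained profile for one client from the easy-rsa keys directory, strips the human-readable dump easy-rsa prepends to .crt files, and includes remote-cert-tls server. The keys directory, client name and server address are arguments you supply; the script name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): build one self-contained
# NAME.ovpn for a Windows client from the easy-rsa keys directory.
# Usage: make_profile KEYS_DIR CLIENT_NAME SERVER_IP > cli1.ovpn
#   make_profile /etc/openvpn/easy-rsa/2.0/keys cli1 a.b.c.d   (hypothetical)

# pem_only FILE: print just the -----BEGIN ... -----END block. easy-rsa writes
# a text dump of the certificate above the PEM; inline blocks should not
# carry it.
pem_only() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

make_profile() {
    dir="$1"; name="$2"; server="$3"
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Accept only a certificate issued with build-key-server, so a leaked client
# certificate cannot be used to pose as the gateway.
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(pem_only "$dir/ca.crt")
</ca>
<cert>
$(pem_only "$dir/$name.crt")
</cert>
<key>
$(pem_only "$dir/$name.key")
</key>
EOF
}
```

The resulting file contains the client's private key, so transfer it the same way you would the .key file and drop it alone into C:\Program Files (x86)\OpenVPN\config.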
That's all: right-click the OpenVPN icon in the tray, choose Connect, and you are browsing from another country.
This article is a translation of the original post at habrahabr.ru/post/188474/