19029
Comment: Update the titles and move Autostart in configuration section
|
19084
Move Firewall info in the new prerequisites section, at the beginning of the page
|
Deletions are marked like this. | Additions are marked like this. |
Line 24: | Line 24: |
= Prerequisites = On the server's firewall, open up UDP 1194 (default port). If you are using [[shorewall]], on both devices, add a new VPN zone to represent tun0 and create a default policy for it. This means adding something to the following files in /etc/shorewall: * zone * interfaces * policy Bear in mind that 90% of all connection problems encountered by new OpenVPN users are firewall-related. |
|
Line 81: | Line 92: |
=== Static-Key VPN server configuration === |
|
Line 97: | Line 110: |
=== Static-Key VPN client configuration === | |
Line 106: | Line 119: |
On the server's firewall, open up UDP 1194 (default port). If you are using [[shorewall]], on both devices, add a new VPN zone to represent tun0 and create a default policy for it. This means adding something to the following files in /etc/shorewall: * zone * interfaces * policy Bear in mind that 90% of all connection problems encountered by new OpenVPN users are firewall-related. |
|
Line 120: | Line 125: |
You should probably configure your route at this step. |
Translation(s): English - Français - Русский - Polski
Contents
- OpenVPN Overview
- Installation
- Prerequisites
- Configuration
- Forward traffic via VPN to provide access to the Internet
- Application to a VPN passing through a http proxy
- See also
OpenVPN Overview
OpenVPN is an SSL/TLS VPN solution. It is able to traverse NAT connections and firewalls. This page explains briefly how to configure a VPN with OpenVPN, from both server-side and client-side for different setups: from a simple raw connexion for testing purpose up to a TLS enabled connexion.
Installation
Install the openvpn package on both client and server.
# apt-get install openvpn
To enable OpenVPN in the Gnome NetworkManager applet for the taskbar notification area, the additional package network-manager-openvpn-gnome has to be installed:
# apt-get install network-manager-openvpn-gnome
Prerequisites
On the server's firewall, open up UDP 1194 (default port).
If you are using ?shorewall, on both devices, add a new VPN zone to represent tun0 and create a default policy for it. This means adding something to the following files in /etc/shorewall:
- zone
- interfaces
- policy
Bear in mind that 90% of all connection problems encountered by new OpenVPN users are firewall-related.
Configuration
OpenVPN can authenticate users via user/pass, pre-shared key, certificates, etc.
Raw (unsecured) VPN connection for test
server test
From a server shell, run
# openvpn --remote CLIENT_IP --dev tun1 --ifconfig 10.9.8.1 10.9.8.2
if your client has a static IP#; otherwise, run
# openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2
You should see console output resembling
2021-09-03 21:22:18 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10 2021-09-03 21:22:18 ******* WARNING *******: All encryption and authentication features disabled -- All data will be tunnelled as clear text and will not be protected against man-in-the-middle changes. PLEASE DO RECONSIDER THIS CONFIGURATION! 2021-09-03 21:22:18 TUN/TAP device tun1 opened ...
While openvpn is running, check your network configuration with ip a. Output should include
9: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500 link/none inet 10.9.8.1 peer 10.9.8.2/32 scope global tun1 valid_lft forever preferred_lft forever inet6 fe80::dc71:3707:693c:5017/64 scope link stable-privacy valid_lft forever preferred_lft forever
Note that, if you kill openvpn (e.g., with Control-c in its console), you will not see the above network interface.
client test
# openvpn --remote SERVER_IP --dev tun1 --ifconfig 10.9.8.2 10.9.8.1 ... 2021-09-03 21:32:32 Peer Connection Initiated with [AF_INET]SERVER_IP:PORT 2021-09-03 21:32:32 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this 2021-09-03 21:32:32 Initialization Sequence Completed ...
You may also ping the server to test it can be reached: ping 10.9.8.1.
Static-Key VPN connection
Static-Key VPN server configuration
In the server's /etc/openvpn directory, run the following command to generate a static key:
# openvpn --genkey secret static.key
Copy this static key to the clients /etc/openvpn directory using a secure channel like scp or sftp.
On the server, create a new /etc/openvpn/tun0.conf file and add the following:
dev tun0 ifconfig 10.9.8.1 10.9.8.2 secret /etc/openvpn/static.key
Where 10.9.8.x is your VPN subnetwork, 10.9.8.1 will be IP of the server, 10.9.8.2 is IP of client.
Static-Key VPN client configuration
On the client, copy /etc/openvpn/static.key from server and create a new /etc/openvpn/tun0.conf file and add the following:
remote your-server.org dev tun0 ifconfig 10.9.8.2 10.9.8.1 secret /etc/openvpn/static.key
Start OpenVPN by hand on both sides with the following command (verbose output at 6):
# openvpn --config /etc/openvpn/tun0.conf --verb 6
To verify that the VPN is running, you should be able to ping 10.9.8.2 from the server and 10.9.8.1 from the client.
TLS-enabled VPN connection
In Jessie and above, easy-rsa is a separate package. So you'll have to ensure this package is installed (should be pulled along with openvpn).
# cd /etc/openvpn # make-cadir easy-rsa/
Edit /etc/openvpn/easy-rsa/vars bottom according to your organization.
export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="mail@domain"
Execute the following command:
# cd easy-rsa/ # . ./vars # set environment variables # ./clean-all
Create a symbolic link of the OpenSSL config file with the correct version, so it can be used by the commands of Easy-RSA. In Debian Stretch, it can be done by executing the following command:
# ln -s openssl-1.0.0.cnf openssl.cnf
On Debian Buster, with easy-rsa 3.0, the usage is a bit different. To initialize the environment, just use the following command:
cd easy-rsa/ ./easyrsa init-pki
All the commands that were previously run from the easy-rsa dir (e.g. ./clean-all are now to be executed as argument of the ./easyrsa command. The name can change sometimes, refer to ./easyrsa help for a detailed description of the available commands.
Remember:
- only .key files should be kept confidential.
- .crt and .csr files can be sent over insecure channels such as plaintext email.
- do not need to copy a .key file between computers.
- each computer will have its own certificate/key pair.
Generate CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY:
# ./build-ca # with easy-rsa < 3 # ./easyrsa build-ca # with easy-rsa = 3
It will generate ca.crt and ca.key in /etc/openvpn/easy-rsa/keys/ directory.
Generate BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional):
# ./build-key-server server # with easy-rsa < 3 # ./easyrsa build-server-full server # with easy-rsa = 3
It will generate server.crt and server.key in /etc/openvpn/easy-rsa/keys/ (for easy-rsa < 3) and in /etc/openvpn/easy-rsa/pki/{issued/server.crt,private/server.key} (for easy-rsa < 3) , and signed with your root certificate.
Generate BUILD DIFFIE-HELLMAN PARAMETERS (necessary for the server end of a SSL/TLS connection):
./build-dh # with easy-rsa < 3 ./easyrsa gen-dh # with easy-rsa = 3
Generate key for each client: Use one of the two (build-key or build-key-pass). You'll be asked for "Enter PEM pass phrase", this is the passphrase you'll need to login at the client.
./build-key clientname # with easy-rsa < 3 ./easyrsa build-client-full clientname nopass # with easy-rsa = 3
Generate key with password (this protect the key and request the password every time that you connect to the server), for each client:
./build-key-pass clientname # with easy-rsa < 3 ./easyrsa build-client-full clientname # with easy-rsa = 3
It will generate keys in /etc/openvpn/easy-rsa/keys/ (or /etc/openvpn/easy-rsa/pki/{issued/clientname.crt,private/clientname.key} for easyrsa 3)
Copy the ca.crt, clientname.crt, clientname.key from Server to Client /etc/openvpn/easy-rsa/keys/ directory.
Check OpenVPN RSA Key and code.mixpanel.com VPN for details.
Test the connectivity from command line.
Server:
openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2 --tls-server --dh /etc/openvpn/easy-rsa/keys/dh2048.pem --ca /etc/openvpn/easy-rsa/keys/ca.crt --cert /etc/openvpn/easy-rsa/keys/server.crt --key /etc/openvpn/easy-rsa/keys/server.key --reneg-sec 60 --verb 5
Client:
openvpn --remote SERVER_IP --dev tun1 --ifconfig 10.9.8.2 10.9.8.1 --tls-client --ca /etc/openvpn/easy-rsa/keys/ca.crt --cert /etc/openvpn/easy-rsa/keys/clientname.crt --key /etc/openvpn/easy-rsa/keys/clientname.key --reneg-sec 60 --verb 5
If the connection is successful create file configuration.
In Server create /etc/openvpn/server.conf as follows:
port 1194 proto udp dev tun ca /etc/openvpn/easy-rsa/keys/ca.crt # generated keys cert /etc/openvpn/easy-rsa/keys/server.crt key /etc/openvpn/easy-rsa/keys/server.key # keep secret dh /etc/openvpn/easy-rsa/keys/dh2048.pem server 10.9.8.0 255.255.255.0 # internal tun0 connection IP ifconfig-pool-persist ipp.txt keepalive 10 120 comp-lzo # Compression - must be turned on at both end persist-key persist-tun status log/openvpn-status.log verb 3 # verbose mode client-to-client
Check code.mixpanel.com VPN and rackspace OpenVPN for details.
Create log directory:
# cd /etc/openvpn # mkdir -p log/ # touch log/openvpn-status.log
Restart OpenVPN.
# service openvpn restart
Note that the /etc/init.d/openvpn script will start an openvpn server for every .conf file in /etc/openvpn/, so if you still have the tun0.conf file from above, rename it to something else than *.conf. In the case of systemd only one openvpn server is started by default.
In Client create /etc/openvpn/client.conf as follows:
(note: you may use graphical vpn tool network-manager UI by providing the key and certificates)
client dev tun port 1194 proto udp remote VPNSERVER_IP 1194 # VPN server IP : PORT nobind ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/clientname.crt key /etc/openvpn/easy-rsa/keys/clientname.key comp-lzo persist-key persist-tun verb 3
Restart OpenVPN:
# service openvpn restart
VPN connection started as a Systemd service
On Debian the systemd service expects the server and client configuration files to be, respectively, in /etc/openvpn/server and /etc/openvpn/client. Once you created the config file in the correct folder, you can use it with systemctl. For example, suppose you created the configuration in /etc/openvpn/server/myserver.conf:
systemctl start openvpn-server@myserver systemctl enable openvpn-server@myserver
Auto-start configuration
By default, all configured VPNs are started during system boot. Edit /etc/default/openvpn to start specific VPNs or to disable this behavior. Systemd users may need to run systemctl daemon-reload once to enable new VPNs.
openvpn ifupdown hooks are also available for starting/stopping tunnels using /etc/network/interfaces, e.g.:
auto dsl iface dsl inet ppp provider dsl-provider openvpn work_vpn
See /usr/share/doc/openvpn/README.Debian.gz for more information.
To automatically start a VPN located in /etc/openvpn/client/ or /etc/openvpn/server/, enable openvpn-client@<name>.service or openvpn-server@<name>.service. For instance, a client configuration located in /etc/openvpn/client/vpn0.conf would be automatically started by enabling openvpn-client@vpn0.service.
Android / iOS devices certificate generation
OpenVPN Debian Server can be configured to use with Android / iOS devices.
In Debian Server, create required certificates if you have a fresh installation of ?OpenVpn:
# apt-get install easy-rsa # or add sid to your sources.list and install from there if on Debian stable # cd /etc/openvpn # make-cadir ca # cd ca # ./easyrsa init-pki # ./easyrsa build-ca nopass # ./easyrsa build-server-full server nopass # ./easyrsa build-client-full YOUR_CLIENT_NAME nopass # ./easyrsa gen-dh # cd .. # should now be in /etc/openvpn # gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > server.conf # # Below filenames are all based on things in server.conf. If things don't work, read that file and make sure the filenames match up. # openvpn --genkey --secret ta.key # ln -s ca/pki/ca.crt ca/pki/private/ca.key ca/pki/issued/server.crt ca/pki/private/server.key . # ln ca/pki/dh.pem dh2048.pem
Modify below lines in /etc/openvpn/server.conf:
... proto tcp push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.8.8" user nobody group nogroup ...
8.8.8.8 is Google DNS server. You may change to your preferred DNS server.
Test that the configuration works:
# openvpn --config server.conf
If it does, Ctrl-C out of this and restart OpenVPN server to use the new configuration:
# /etc/init.d/openvpn restart
Or on systems using systemd:
# service openvpn restart
Create client profile file /etc/openvpn/client.ovpn and attach certificates to it:
# cd /etc/openvpn # cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf client.ovpn # echo "key-direction 1" >> client.ovpn # echo "<ca>" >> client.ovpn # sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' < ca.crt >> client.ovpn # echo "</ca>" >> client.ovpn # echo "<cert>" >> client.ovpn # sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' < ca/pki/issued/YOUR_CLIENT_NAME.crt >> client.ovpn # echo "</cert>" >> client.ovpn # echo "<key>" >> client.ovpn # sed -n '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/p' < ca/pki/private/YOUR_CLIENT_NAME.key >> client.ovpn # echo "</key>" >> client.ovpn # echo "<tls-auth>" >> client.ovpn # sed -n '/BEGIN OpenVPN Static key V1/,/END OpenVPN Static key V1/p' < ta.key >> client.ovpn # echo "</tls-auth>" >> client.ovpn
Modify below lines in client profile file /etc/openvpn/client.ovpn:
... proto tcp remote YourServerIp YourServerPort mute-replay-warnings # ca ca.crt # cert client.crt # key client.key key-direction 1 ...
where ?YourServerIp and ?YourServerPort should be changed to your server. Three lines (#ca, #cert, #key) are remarked as the required certificates were attached to the profile file instead of individual files.
e-mail or upload the client configuration file /etc/openvpn/client.ovpn to google drive in order to download to iPhone.
For iOS devices, install OpenVPN Connect client. Then transfer the client configuration file /etc/openvpn/client.ovpn to the device by e-mail or by Google Drive. Open the configuration file in Mail apps or Google Drive apps.
For Android devices, install OpenVPN Connect client. Then copy the client configuration file /etc/openvpn/client.ovpn to the storage of the device. Open the configuration file in OpenVPN apps.
You'll also want to run the server parts of the "Forward traffic via VPN" steps below. Your phone OpenVPN client should take care of the client parts automatically.
Forward traffic via VPN to provide access to the Internet
In Server enable runtime IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
Edit /etc/sysctl.conf uncomment the following line to make it permanent:
net.ipv4.ip_forward = 1
Execute the following command in server for testing:
IF_MAIN=eth0 IF_TUNNEL=tun0 YOUR_OPENVPN_SUBNET=10.9.8.0/24 #YOUR_OPENVPN_SUBNET=10.8.0.0/16 # if using server.conf from sample-server-config iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE
You may also use the rc.firewall-iptables script from TLDP Masquerade as an alternative.
In client:
# ip route add VPNSERVER_IP via LOCALGATEWAY_IP dev eth0 proto static # ip route change default via 10.9.8.5 dev tun0 proto static //client tun0 10.9.8.5
If you use graphical client generally you may not need to execute these command.
If everying is working fine, save the iptables rules:
# iptables-save > /etc/iptables.up.rules
To restore:
# iptables-restore < /etc/iptables.up.rules
add this to startup script. Debian wiki iptables page for details.
Application to a VPN passing through a http proxy
This part describe how to configure a VPN to pass through a http proxy, which allow only trafic on port 443 (and 80). This use the http_proxy of OpenVPN.
- First of all, check that the port 443 isn't already used by another service on your server.
Configure OpenVPN on server side by adding port 443 and proto tcp-server to the configuration file.
Configure OpenVPN on the client side by adding port 443, proto tcp-client and http-proxy 1.1.1.1 8080 to the configuration file.
Where 1.1.1.1 and 8080 are IP and port of your proxy.
- Now you should launch OpenVPN on the server and next on the client.
- At this time, you should configure routes to use the VPN tunnel:
Remove the default route through the proxy: route del default eth0
Add default route through your VPN: route add default gw 10.9.8.1 dev tun0
You should keep the route to the proxy with: route add 1.1.1.1 eth0
Update your /etc/resolv.conf according to your needs.
TODO
Explain how to enable the management interface (http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html)