Linux/OpenVPN: Difference between revisions
Thomas (talk | contribs), no edit summary | Thomas (talk | contribs)
(21 intermediate revisions by the same user not shown)
Zeile 1: | Zeile 1: | ||
=Setup for an OpenVPN server which | =Setup for an OpenVPN server which handles ALL traffic= | ||
First install and configure OpenVPN: https://wiki.gentoo.org/wiki/OpenVPN | First install and configure OpenVPN: https://wiki.gentoo.org/wiki/OpenVPN | ||
Do not forget to first setup the key infrastructure: https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts | Do not forget to first setup the key infrastructure: https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts | ||
Add these lines to /etc/openvpn/openvpn.conf for routing all traffic: | Add these lines to '''/etc/openvpn/openvpn.conf''' for routing all traffic: | ||
push "dhcp-option DNS 8.8.8.8" | push "dhcp-option DNS 8.8.8.8" | ||
push "redirect-gateway def1" | push "redirect-gateway def1" | ||
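Review bot: the new `push "dhcp-option DNS 8.8.8.8"` line sends every client's name lookups to a third-party resolver without saying so; either state that in the text or push a resolver reachable inside the tunnel (for example the server's own address in the 10.100.0.0/24 VPN subnet, if it runs one), so DNS stays inside the VPN like the rest of the traffic that `push "redirect-gateway def1"` redirects.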
Zeile 12: | Zeile 12: | ||
username-as-common-name | username-as-common-name | ||
Check the necessary kernel options (can be set as M): | Add this line for TLS Authentication (the client then also has to import '''ta.key''' and use direction '''1'''): | ||
tls-auth ta.key 0 | |||
Check the necessary kernel options (can be set as '''M'''odul): | |||
CONFIG_TUN | CONFIG_TUN | ||
CONFIG_IP_NF_CONNTRACK | CONFIG_IP_NF_CONNTRACK | ||
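Review bot: the added `tls-auth ta.key 0` line gives no hint where ta.key comes from or how it reaches the clients; add the generation step (`openvpn --genkey --secret ta.key`) and a sentence that the file is a shared secret that must be copied to each client over a trusted channel, since the direction note (server 0, client 1) only makes sense once the client has the same key.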
Zeile 18: | Zeile 21: | ||
CONFIG_IP_NF_NAT | CONFIG_IP_NF_NAT | ||
Allow IP forwarding in /etc/sysctl.conf: | Allow IP forwarding in '''/etc/sysctl.conf''': | ||
net.ipv4.ip_forward = 1 | net.ipv4.ip_forward = 1 | ||
Zeile 27: | Zeile 30: | ||
echo 1 > /proc/sys/net/ipv4/ip_forward | echo 1 > /proc/sys/net/ipv4/ip_forward | ||
Activate IP forwarding (necessary after each reboot): | Activate IP forwarding/routing (necessary after each reboot, so put it for example in '''/etc/local.d/baselayout1.start'''): | ||
modprobe iptable_nat # if compiled as module | modprobe iptable_nat # if compiled as module | ||
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE | iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE | ||
Open port 12112 UDP on your router. | For verifying, list nat rules: | ||
iptables -t nat -v -L -n --line-number | |||
Open port '''12112 UDP''' on your router. | |||
Start OpenVPN: | Start OpenVPN: | ||
/etc/init.d/openvpn | /etc/init.d/openvpn start | ||
If everything works, add OpenVPN to the default runlevel, so that it starts during boot: | If everything works, add OpenVPN to the default runlevel, so that it starts during boot: | ||
rc-update add openvpn | rc-update add openvpn | ||
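Review bot: the POSTROUTING rule is appended unconditionally, so if /etc/local.d/baselayout1.start runs more than once (or the same rule is also restored from a saved ruleset) duplicate MASQUERADE entries accumulate; guard it with a check first, e.g. `iptables -t nat -C POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE`. Minor: the documented option in the verification command is `--line-numbers`; `--line-number` only works because iptables accepts unambiguous abbreviations.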
Zeile 42: | Zeile 48: | ||
Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn. | Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn. | ||
Import client openvpn.conf. Enable | Import client '''openvpn.conf'''. Enable '''User/PW + Certificates''' and '''Use default route'''. | ||
Disable '''LZO Compression''', if you disabled it on the server because of simple ChromeOS clients. | |||
If you want to use '''TLA Authentication''' then import also '''ta.key''' and choose TLS direction '''1'''. | |||
= ChromeOS = | = ChromeOS = | ||
== Simple == | |||
Restrictions of simple method: | |||
* no compression | |||
* no tlsauth | |||
* only UDP | |||
On the Linux server: | |||
openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12 | |||
* import '''ca.crt''' and '''client1.p12''' at '''chrome://settings/certificates''' and then use the OpenVPN connection wizard of ChromeOS. | |||
* disable '''comp-lzo''' and '''tlsauth''' and use '''proto udp''' in '''/etc/openvpn/openvpn.conf''' and restart OpenVPN | |||
* use '''servername:12112''' in ChromeOS OpenVPN connection settings | |||
Source: https://www.errietta.me/blog/openvpn-chromebook/ | Source: https://www.errietta.me/blog/openvpn-chromebook/ | ||
== Advanced == | |||
For advanced configuration, you also have to import the certificates and then you have to create a '''.onc''' config file and import it at '''chrome://net-internals/#chromeos'''. | |||
Advanced configuration is necessary for LZO compression or TLS Authentication or TCP protocol. | |||
More info: https://darranboyd.wordpress.com/2017/03/24/chromeos-openvpn-tlsauth/ or https://docs.google.com/document/d/18TU22gueH5OKYHZVJ5nXuqHnk2GN6nDvfu2Hbrb4YLE/pub. | |||
Note: If you want to import multiple config files for multiple connections, the UUIDs in the files must be unique. | |||
Alternative method (did not work for me): https://unfix.org/projects/chromeos-openvpn-onc/ | |||
= WiFi Hotspots = | = WiFi Hotspots = | ||
Some Hotspots (for example Telekom Germany) do not allow UDP packets. In that case, configure OpenVPN to use TCP. | Some Hotspots (for example Telekom Germany) do not allow '''UDP''' packets. In that case, configure OpenVPN to use '''TCP'''. | ||
= Multiple OpenVPN servers on one machine (Gentoo) = | |||
Create 2 config files '''server1.conf''' and '''server2.conf''' in '''/etc/openvpn''' with the content from above. Then change the following lines: | |||
server1.conf: | |||
port 12112 | |||
proto udp | |||
dev tun0 | |||
server 10.100.0.0 255.255.255.0 | |||
ifconfig-pool-persist ipp.txt | |||
server2.conf: | |||
port 3389 | |||
proto tcp | |||
dev tun1 | |||
server 10.200.0.0 255.255.255.0 | |||
ifconfig-pool-persist ipp2.txt | |||
Open both ports on your router. | |||
Link to OpenRC config: | |||
ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server1 | |||
ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server2 | |||
Create 2 routes: | |||
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE | |||
iptables -t nat -A POSTROUTING -s 10.200.0.0/24 -o eth0 -j MASQUERADE | |||
Start both servers: | |||
/etc/init.d/openvpn.server1 start | |||
/etc/init.d/openvpn.server2 start | |||
Configure autostart: | |||
rc-update add openvpn.server1 | |||
rc-update add openvpn.server2 |
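Review bot: the ChromeOS "Simple" steps tell the reader to disable tlsauth in /etc/openvpn/openvpn.conf, but tls-auth is a per-instance setting, so this drops the HMAC check on the control channel for every client of that server, not only the Chromebook; say so explicitly and point at the "Multiple OpenVPN servers" section as the way to run a tls-auth-free UDP instance next to the hardened one instead of weakening the shared server. Minor: "TLA Authentication" in the Android section should read "TLS Authentication".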
Current revision as of 27 June 2019, 16:24
Setup for an OpenVPN server which handles ALL traffic
First install and configure OpenVPN: https://wiki.gentoo.org/wiki/OpenVPN
Do not forget to first setup the key infrastructure: https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts
Add these lines to /etc/openvpn/openvpn.conf for routing all traffic:
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
Add these lines for user/password authentication in addition to the certificate:
plugin openvpn-plugin-auth-pam.so /etc/pam.d/login
username-as-common-name
Add this line for TLS Authentication (the client then also has to import ta.key and use direction 1):
tls-auth ta.key 0
Check the necessary kernel options (they can also be built as modules, M):
CONFIG_TUN
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_NAT
Allow IP forwarding in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Check that it is allowed:
cat /proc/sys/net/ipv4/ip_forward
Allow on the fly:
echo 1 > /proc/sys/net/ipv4/ip_forward
Activate IP forwarding/routing (necessary after each reboot, so put it for example in /etc/local.d/baselayout1.start):
modprobe iptable_nat # if compiled as module
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
For verifying, list nat rules:
iptables -t nat -v -L -n --line-numbers
Open port 12112 UDP on your router.
Start OpenVPN:
/etc/init.d/openvpn start
If everything works, add OpenVPN to the default runlevel, so that it starts during boot:
rc-update add openvpn
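The server-side settings above (tls-auth with direction 0, the PAM plugin together with username-as-common-name, comp-lzo, the pushed redirect-gateway) can be checked with the following audit script. It is an added example, not code from the wiki page; the two sample configs it writes are constructed, and /etc/openvpn/openvpn.conf is only the default path from the text.

```shell
#!/bin/sh
# Audit an OpenVPN server config for the settings this page discusses.
# Added example, not from the original wiki page; sample configs are constructed.

# True if FILE contains DIRECTIVE at the start of a line (commented lines do not match).
has_directive() {   # has_directive FILE DIRECTIVE
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# Print one finding per line; the caller counts them (no output = nothing flagged).
audit_conf() {      # audit_conf FILE
    f=$1
    if ! has_directive "$f" tls-auth; then
        echo "no tls-auth: control channel accepts handshakes from any peer"
    elif ! grep -Eq '^[[:space:]]*tls-auth[[:space:]]+[^[:space:]]+[[:space:]]+0([[:space:]]|$)' "$f"; then
        echo "tls-auth direction must be 0 on the server (clients use 1)"
    fi
    if has_directive "$f" plugin && ! has_directive "$f" username-as-common-name; then
        echo "PAM plugin without username-as-common-name: cert CN, not login name, identifies the client"
    fi
    if has_directive "$f" comp-lzo; then
        echo "comp-lzo set: simple ChromeOS clients cannot connect"
    fi
    if ! grep -q '^[[:space:]]*push "redirect-gateway' "$f"; then
        echo "redirect-gateway not pushed: client traffic bypasses the VPN"
    fi
}

# Write two constructed sample configs into DIR: one hardened, one "simple".
write_samples() {   # write_samples DIR
    cat > "$1/strong.conf" <<'EOF'
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
plugin openvpn-plugin-auth-pam.so /etc/pam.d/login
username-as-common-name
tls-auth ta.key 0
EOF
    cat > "$1/simple.conf" <<'EOF'
proto udp
comp-lzo
plugin openvpn-plugin-auth-pam.so /etc/pam.d/login
EOF
}

# Usage: sh audit.sh /etc/openvpn/openvpn.conf
if [ -n "${1:-}" ]; then audit_conf "$1"; fi
```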
Android
Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn.
Import client openvpn.conf. Enable User/PW + Certificates and Use default route.
Disable LZO Compression, if you disabled it on the server because of simple ChromeOS clients.
If you want to use TLS Authentication then import also ta.key and choose TLS direction 1.
ChromeOS
Simple
Restrictions of simple method:
- no compression
- no tlsauth
- only UDP
On the Linux server:
openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12
- import ca.crt and client1.p12 at chrome://settings/certificates and then use the OpenVPN connection wizard of ChromeOS.
- disable comp-lzo and tlsauth and use proto udp in /etc/openvpn/openvpn.conf and restart OpenVPN
- use servername:12112 in ChromeOS OpenVPN connection settings
Source: https://www.errietta.me/blog/openvpn-chromebook/
Advanced
For advanced configuration, you also have to import the certificates and then you have to create a .onc config file and import it at chrome://net-internals/#chromeos.
Advanced configuration is necessary for LZO compression or TLS Authentication or TCP protocol.
More info: https://darranboyd.wordpress.com/2017/03/24/chromeos-openvpn-tlsauth/ or https://docs.google.com/document/d/18TU22gueH5OKYHZVJ5nXuqHnk2GN6nDvfu2Hbrb4YLE/pub.
Note: If you want to import multiple config files for multiple connections, the UUIDs in the files must be unique.
Alternative method (did not work for me): https://unfix.org/projects/chromeos-openvpn-onc/
WiFi Hotspots
Some Hotspots (for example Telekom Germany) do not allow UDP packets. In that case, configure OpenVPN to use TCP.
Multiple OpenVPN servers on one machine (Gentoo)
Create 2 config files server1.conf and server2.conf in /etc/openvpn with the content from above. Then change the following lines:
server1.conf:
port 12112
proto udp
dev tun0
server 10.100.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
server2.conf:
port 3389
proto tcp
dev tun1
server 10.200.0.0 255.255.255.0
ifconfig-pool-persist ipp2.txt
Open both ports on your router.
Link to OpenRC config:
ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server1
ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server2
Create 2 routes:
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.200.0.0/24 -o eth0 -j MASQUERADE
Start both servers:
/etc/init.d/openvpn.server1 start
/etc/init.d/openvpn.server2 start
Configure autostart:
rc-update add openvpn.server1
rc-update add openvpn.server2
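Running two instances from copies of the same config only works if every line listed above was actually changed. This script compares two instance configs and reports shared tun devices, subnets, pool files and port/proto pairs; it is an added example, not code from the wiki page, and the sample server1.conf, server2.conf and the deliberately broken server2-bad.conf it writes are constructed.

```shell
#!/bin/sh
# Check that two OpenVPN instance configs on one host do not share a port/proto
# pair, tun device, VPN subnet or ifconfig-pool-persist file.
# Added example, not from the wiki page; the sample configs are constructed.

# Print the argument(s) of the first DIRECTIVE line in FILE, or nothing.
conf_get() {        # conf_get FILE DIRECTIVE
    sed -n -E "s/^[[:space:]]*$2[[:space:]]+//p" "$1" | head -n 1
}

# Print one line per collision between CONF1 and CONF2 (no output = no clash).
check_instances() { # check_instances CONF1 CONF2
    a=$1; b=$2
    for key in dev server ifconfig-pool-persist; do
        va=$(conf_get "$a" $key); vb=$(conf_get "$b" $key)
        [ -n "$va" ] && [ "$va" = "$vb" ] && echo "$key '$va' used by both instances"
    done
    # the port alone may repeat (server2 uses tcp); the port/proto pair must not
    pa="$(conf_get "$a" port)/$(conf_get "$a" proto)"
    pb="$(conf_get "$b" port)/$(conf_get "$b" proto)"
    [ "$pa" = "$pb" ] && echo "socket $pa used by both instances"
    return 0
}

# Write the two configs from the text plus a broken copy of server2.conf into DIR.
write_samples() {   # write_samples DIR
    cat > "$1/server1.conf" <<'EOF'
port 12112
proto udp
dev tun0
server 10.100.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
EOF
    cat > "$1/server2.conf" <<'EOF'
port 3389
proto tcp
dev tun1
server 10.200.0.0 255.255.255.0
ifconfig-pool-persist ipp2.txt
EOF
    # a copy where the dev and pool-file lines were forgotten
    sed -e 's/^dev tun1/dev tun0/' -e 's/ipp2.txt/ipp.txt/' "$1/server2.conf" > "$1/server2-bad.conf"
}

# Usage: sh check.sh /etc/openvpn/server1.conf /etc/openvpn/server2.conf
if [ $# -eq 2 ]; then check_instances "$1" "$2"; fi
```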