Linux/OpenVPN: Unterschied zwischen den Versionen
Thomas (Diskussion | Beiträge) |
Thomas (Diskussion | Beiträge) |
||
(7 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
Zeile 12: | Zeile 12: | ||
username-as-common-name | username-as-common-name | ||
Add this line for TLS Authentication (the client then also has to import '''ta.key'''): | Add this line for TLS Authentication (the client then also has to import '''ta.key''' and use direction '''1'''): | ||
tls-auth ta.key 0 | tls-auth ta.key 0 | ||
Zeile 33: | Zeile 33: | ||
modprobe iptable_nat # if compiled as module | modprobe iptable_nat # if compiled as module | ||
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE | iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE | ||
For verifying, list nat rules: | |||
iptables -t nat -v -L -n --line-number | |||
Open port '''12112 UDP''' on your router. | Open port '''12112 UDP''' on your router. | ||
Zeile 38: | Zeile 41: | ||
Start OpenVPN: | Start OpenVPN: | ||
/etc/init.d/openvpn start | /etc/init.d/openvpn start | ||
If everything works, add OpenVPN to the default runlevel, so that it starts during boot: | If everything works, add OpenVPN to the default runlevel, so that it starts during boot: | ||
rc-update add openvpn | rc-update add openvpn | ||
Zeile 45: | Zeile 48: | ||
Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn. | Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn. | ||
Import client openvpn.conf. Enable | Import client '''openvpn.conf'''. Enable '''User/PW + Certificates''' and '''Use default route'''. | ||
Disable '''LZO Compression''', if you disabled it on the server because of simple ChromeOS clients. | |||
If you want to use TLA Authentication then import also ta.key. | If you want to use '''TLA Authentication''' then import also '''ta.key''' and choose TLS direction '''1'''. | ||
= ChromeOS = | = ChromeOS = | ||
== Simple == | == Simple == | ||
Restrictions of simple method: | |||
* no compression | |||
* no tlsauth | |||
* only UDP | |||
On the Linux server: | |||
openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12 | openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12 | ||
Zeile 72: | Zeile 83: | ||
= WiFi Hotspots = | = WiFi Hotspots = | ||
Some Hotspots (for example Telekom Germany) do not allow UDP packets. In that case, configure OpenVPN to use TCP. | Some Hotspots (for example Telekom Germany) do not allow '''UDP''' packets. In that case, configure OpenVPN to use '''TCP'''. | ||
= Multiple OpenVPN servers on one machine (Gentoo) = | = Multiple OpenVPN servers on one machine (Gentoo) = |
Aktuelle Version vom 27. Juni 2019, 16:24 Uhr
Setup for an OpenVPN server which handles ALL traffic
First install and configure OpenVPN: https://wiki.gentoo.org/wiki/OpenVPN
Do not forget to first setup the key infrastructure: https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts
Add these lines to /etc/openvpn/openvpn.conf for routing all traffic:
push "dhcp-option DNS 8.8.8.8" push "redirect-gateway def1"
Add these lines for user/password authentication in addition to the certificate:
plugin openvpn-plugin-auth-pam.so /etc/pam.d/login username-as-common-name
Add this line for TLS Authentication (the client then also has to import ta.key and use direction 1):
tls-auth ta.key 0
Check the necessary kernel options (can be set as Modul):
CONFIG_TUN CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_NAT
Allow IP forwarding in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Check that it is allowed:
cat /proc/sys/net/ipv4/ip_forward
Allow on the fly:
echo 1 > /proc/sys/net/ipv4/ip_forward
Activate IP forwarding/routing (necessary after each reboot, so put it for example in /etc/local.d/baselayout1.start):
modprobe iptable_nat # if compiled as module iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
For verifying, list nat rules:
iptables -t nat -v -L -n --line-number
Open port 12112 UDP on your router.
Start OpenVPN:
/etc/init.d/openvpn start
If everything works, add OpenVPN to the default runlevel, so that it starts during boot:
rc-update add openvpn
Android
Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn.
Import client openvpn.conf. Enable User/PW + Certificates and Use default route.
Disable LZO Compression, if you disabled it on the server because of simple ChromeOS clients.
If you want to use TLA Authentication then import also ta.key and choose TLS direction 1.
ChromeOS
Simple
Restrictions of simple method:
- no compression
- no tlsauth
- only UDP
On the Linux server:
openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12
- import ca.crt and client1.p12 at chrome://settings/certificates and then use the OpenVPN connection wizard of ChromeOS.
- disable comp-lzo and tlsauth and use proto udp in /etc/openvpn/openvpn.conf and restart OpenVPN
- use servername:12112 in ChromeOS OpenVPN connection settings
Source: https://www.errietta.me/blog/openvpn-chromebook/
Advanced
For advanced configuration, you also have to import the certificates and then you have to create a .onc config file and import it at chrome://net-internals/#chromeos.
Advanced configuration is necessary for LZO compression or TLS Authentication or TCP protocol.
More info: https://darranboyd.wordpress.com/2017/03/24/chromeos-openvpn-tlsauth/ or https://docs.google.com/document/d/18TU22gueH5OKYHZVJ5nXuqHnk2GN6nDvfu2Hbrb4YLE/pub.
Note: If you want to import multiple config files for multiple connections, the UUIDs in the files must be unique.
Alternative method (did not work for me): https://unfix.org/projects/chromeos-openvpn-onc/
WiFi Hotspots
Some Hotspots (for example Telekom Germany) do not allow UDP packets. In that case, configure OpenVPN to use TCP.
Multiple OpenVPN servers on one machine (Gentoo)
Create 2 config files server1.conf and server2.conf in /etc/openvpn with the content from above. Then change the following lines:
server1.conf:
port 12112 proto udp dev tun0 server 10.100.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt
server2.conf:
port 3389 proto tcp dev tun1 server 10.200.0.0 255.255.255.0 ifconfig-pool-persist ipp2.txt
Open both ports on your router.
Link to OpenRC config:
ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server1 ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server2
Create 2 routes:
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -s 10.200.0.0/24 -o eth0 -j MASQUERADE
Start both servers:
/etc/init.d/openvpn.server1 start /etc/init.d/openvpn.server2 start
Configure autostart:
rc-update add openvpn.server1 rc-update add openvpn.server2