Linux/OpenVPN: Difference between revisions
Revision as of 19 April 2018, 18:28
Setup for an OpenVPN server which handles ALL traffic
First install and configure OpenVPN: https://wiki.gentoo.org/wiki/OpenVPN
Do not forget to first set up the key infrastructure: https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts
Add these lines to /etc/openvpn/openvpn.conf for routing all traffic:
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
Add these lines for user/password authentication in addition to the certificate:
plugin openvpn-plugin-auth-pam.so /etc/pam.d/login
username-as-common-name
Add this line for TLS Authentication (the client then also has to import ta.key):
tls-auth ta.key 0
Check the necessary kernel options (can be set as M):
CONFIG_TUN
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_NAT
Allow IP forwarding in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Check that it is allowed:
cat /proc/sys/net/ipv4/ip_forward
Allow on the fly:
echo 1 > /proc/sys/net/ipv4/ip_forward
Activate IP forwarding/routing (necessary after each reboot, so put it for example in /etc/local.d/baselayout1.start):
modprobe iptable_nat # if compiled as module
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
Open port 12112 UDP on your router.
Start OpenVPN:
/etc/init.d/openvpn start
If everything works, add OpenVPN to the default runlevel, so that it starts during boot:
rc-update add openvpn
Android
Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn.
Import the client openvpn.conf. Enable "User/PW + Certificates" and "Use default route". Disable "LZO Compression" if you disabled it on the server because of ChromeOS clients.
ChromeOS
Source: https://www.errietta.me/blog/openvpn-chromebook/
openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12
When using the simple (UI) configuration for ChromeOS:
- disable comp-lzo in /etc/openvpn/openvpn.conf and restart OpenVPN
- use servername:12112 in ChromeOS OpenVPN connection settings
WiFi Hotspots
Some Hotspots (for example Telekom Germany) do not allow UDP packets. In that case, configure OpenVPN to use TCP.
Multiple OpenVPN servers on one machine (Gentoo)
Create 2 config files server1.conf and server2.conf in /etc/openvpn with the content from above. Then change the following lines:
server1.conf:
port 12112
proto udp
dev tun0
server 10.100.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
server2.conf:
port 3389
proto tcp
dev tun1
server 10.200.0.0 255.255.255.0
ifconfig-pool-persist ipp2.txt
Open both ports on your router.
Link to OpenRC config:
ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server1
ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server2
Create 2 routes:
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.200.0.0/24 -o eth0 -j MASQUERADE
Start both servers:
/etc/init.d/openvpn.server1 start
/etc/init.d/openvpn.server2 start
Configure autostart:
rc-update add openvpn.server1
rc-update add openvpn.server2
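The two-instance setup above only works if the instances differ in the lines that were changed (port/proto, tun device, VPN subnet); a second instance that reuses tun0 or 10.100.0.0 fails to start or routes the wrong clients. The following shell script is an added example, not part of the original wiki page: it writes per-instance config fragments with the directives listed above, checks two instances for such collisions, and derives the matching MASQUERADE rule from the instance's own server subnet. The functions write_instance, conf_value, check_distinct and nat_rule and the CONF_DIR variable are my own names; CONF_DIR defaults to a temporary directory so the script runs without root and without touching /etc/openvpn.

```shell
# Added example: generate and sanity-check OpenVPN multi-instance configs.
# CONF_DIR is an assumption of this script; set CONF_DIR=/etc/openvpn for real use.
CONF_DIR="${CONF_DIR:-$(mktemp -d)}"

# write_instance NAME PORT PROTO DEV SUBNET POOLFILE
# Writes the instance-specific directives from the page plus the shared ones.
write_instance() {
    name=$1 port=$2 proto=$3 dev=$4 subnet=$5 pool=$6
    cat > "$CONF_DIR/$name.conf" <<EOF
port $port
proto $proto
dev $dev
server $subnet 255.255.255.0
ifconfig-pool-persist $pool
tls-auth ta.key 0
push "redirect-gateway def1"
EOF
}

# conf_value FILE KEY -> prints the first value of a directive (empty if absent)
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_distinct NAME_A NAME_B -> returns 0 if both instances can coexist,
# 1 if they share a tun device, a VPN subnet, or the same port on the same proto.
check_distinct() {
    a="$CONF_DIR/$1.conf" b="$CONF_DIR/$2.conf" rc=0
    for key in dev server; do
        if [ "$(conf_value "$a" "$key")" = "$(conf_value "$b" "$key")" ]; then
            echo "collision: both instances use the same $key" >&2; rc=1
        fi
    done
    # Same port number is fine when one instance is udp and the other tcp.
    if [ "$(conf_value "$a" port)" = "$(conf_value "$b" port)" ] &&
       [ "$(conf_value "$a" proto)" = "$(conf_value "$b" proto)" ]; then
        echo "collision: same port and proto" >&2; rc=1
    fi
    return $rc
}

# nat_rule NAME OUTIF -> prints an idempotent MASQUERADE rule for the instance's
# subnet (taken from its server directive), so re-running it adds no duplicates.
nat_rule() {
    subnet=$(conf_value "$CONF_DIR/$1.conf" server)
    echo "iptables -t nat -C POSTROUTING -s $subnet/24 -o $2 -j MASQUERADE 2>/dev/null ||" \
         "iptables -t nat -A POSTROUTING -s $subnet/24 -o $2 -j MASQUERADE"
}
```

Run `nat_rule server1 eth0` to print the rule for the first instance and paste it into /etc/local.d/baselayout1.start; `check_distinct server1 server2` exits non-zero and names the conflicting directive when the second config was not changed correctly.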