Linux/OpenVPN: Unterschied zwischen den Versionen

Aus VivaLV
Zur Navigation springen Zur Suche springen
Keine Bearbeitungszusammenfassung
Zeile 57: Zeile 57:


== Simple ==
== Simple ==
On the Linux server:
  openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12
  openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12



Version vom 15. Juli 2018, 12:58 Uhr

Setup for an OpenVPN server which handles ALL traffic

First install and configure OpenVPN: https://wiki.gentoo.org/wiki/OpenVPN

Do not forget to first setup the key infrastructure: https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts

Add these lines to /etc/openvpn/openvpn.conf for routing all traffic:

push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"

Add these lines for user/password authentication in addition to the certificate:

plugin openvpn-plugin-auth-pam.so /etc/pam.d/login
username-as-common-name

Add this line for TLS Authentication (the client then also has to import ta.key and use direction 1):

tls-auth ta.key 0

Check the necessary kernel options (can be set as Modul):

CONFIG_TUN
CONFIG_IP_NF_CONNTRACK 
CONFIG_IP_NF_IPTABLES 
CONFIG_IP_NF_NAT

Allow IP forwarding in /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Check that it is allowed:

cat /proc/sys/net/ipv4/ip_forward

Allow on the fly:

echo 1 > /proc/sys/net/ipv4/ip_forward

Activate IP forwarding/routing (necessary after each reboot, so put it for example in /etc/local.d/baselayout1.start):

modprobe iptable_nat # if compiled as module
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE

For verifying, list nat rules:

iptables -t nat -v -L -n --line-number

Open port 12112 UDP on your router.

Start OpenVPN:

/etc/init.d/openvpn start

If everything works, add OpenVPN to the default runlevel, so that it starts during boot:

rc-update add openvpn

Android

Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn.

Import client openvpn.conf. Enable User/PW + Certificates and Use default route.

Disable LZO Compression, if you disabled it on the server because of simple ChromeOS clients.

If you want to use TLA Authentication then import also ta.key.

ChromeOS

Simple

On the Linux server:

openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12
  • import ca.crt and client1.p12 at chrome://settings/certificates and then use the OpenVPN connection wizard of ChromeOS.
  • disable comp-lzo and tlsauth and use proto udp in /etc/openvpn/openvpn.conf and restart OpenVPN
  • use servername:12112 in ChromeOS OpenVPN connection settings

Source: https://www.errietta.me/blog/openvpn-chromebook/

Advanced

For advanced configuration, you also have to import the certificates and then you have to create a .onc config file and import it at chrome://net-internals/#chromeos.

Advanced configuration is necessary for LZO compression or TLS Authentication or TCP protocol.

More info: https://darranboyd.wordpress.com/2017/03/24/chromeos-openvpn-tlsauth/ or https://docs.google.com/document/d/18TU22gueH5OKYHZVJ5nXuqHnk2GN6nDvfu2Hbrb4YLE/pub.

Note: If you want to import multiple config files for multiple connections, the UUIDs in the files must be unique.

Alternative method (did not work for me): https://unfix.org/projects/chromeos-openvpn-onc/

WiFi Hotspots

Some Hotspots (for example Telekom Germany) do not allow UDP packets. In that case, configure OpenVPN to use TCP.

Multiple OpenVPN servers on one machine (Gentoo)

Create 2 config files server1.conf and server2.conf in /etc/openvpn with the content from above. Then change the following lines:

server1.conf:

port 12112
proto udp
dev tun0
server 10.100.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

server2.conf:

port 3389
proto tcp
dev tun1
server 10.200.0.0 255.255.255.0
ifconfig-pool-persist ipp2.txt

Open both ports on your router.

Link to OpenRC config:

ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server1
ln -s /etc/init.d/openvpn /etc/init.d/openvpn.server2

Create 2 routes:

iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.200.0.0/24 -o eth0 -j MASQUERADE

Start both servers:

/etc/init.d/openvpn.server1 start
/etc/init.d/openvpn.server2 start

Configure autostart:

rc-update add openvpn.server1
rc-update add openvpn.server2