Linux/OpenVPN: Difference between revisions

From VivaLV
Revision as of 15 April 2018, 09:15

Setup of an OpenVPN server that routes all client traffic through the VPN ("road-warrior" configuration)

First install and configure OpenVPN: https://wiki.gentoo.org/wiki/OpenVPN

Do not forget to first set up the key infrastructure: https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts

Add these lines to /etc/openvpn/openvpn.conf for routing all traffic:

push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"

Add these lines for user/password authentication in addition to the certificate:

plugin openvpn-plugin-auth-pam.so /etc/pam.d/login
username-as-common-name

Check the necessary kernel options (they may be built as modules, M):

CONFIG_TUN
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_NAT

Enable IP forwarding persistently in /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Check that it is enabled (1 means on):

cat /proc/sys/net/ipv4/ip_forward

Enable it immediately, without a reboot:

echo 1 > /proc/sys/net/ipv4/ip_forward

Set up NAT (masquerading) for the VPN subnet so that forwarded client traffic can leave through eth0; this iptables rule is not persistent and must be re-added after each reboot:

modprobe iptable_nat # if compiled as module
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE

Open (forward) UDP port 12112 on your router.

Start OpenVPN:

/etc/init.d/openvpn restart

If everything works, add OpenVPN to the default runlevel, so that it starts during boot:

rc-update add openvpn

Android

Use https://play.google.com/store/apps/details?id=de.blinkt.openvpn.

Import the client openvpn.conf. Enable "User/PW + Certificates" and "Use default route". Disable "LZO Compression" if you disabled it on the server because of ChromeOS clients.

ChromeOS

Source: https://www.errietta.me/blog/openvpn-chromebook/

openssl pkcs12 -export -in ./pki/issued/client1.crt -inkey ./pki/private/client1.key -certfile ./pki/ca.crt -name client1 -out client1.p12

Disable comp-lzo in /etc/openvpn/openvpn.conf and restart OpenVPN.

Use servername:12112 in ChromeOS OpenVPN connection settings.
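As an added check that is not part of this wiki page, the POSIX shell helper below audits /etc/openvpn/openvpn.conf for the server directives described above (routing, DNS push, PAM auth, the comp-lzo removal required for ChromeOS) and, when run as root, verifies that IP forwarding and the MASQUERADE rule are actually in place. The subnet 10.100.0.0/24, interface eth0 and port 12112 are the values used on this page; adjust them to your own "server" directive.

```shell
#!/bin/sh
# Added audit helper, not part of the wiki page. Checks that the server
# config has the directives this page adds and (as root) that the host
# really forwards and masquerades VPN traffic. Values come from this page.
VPN_NET=10.100.0.0/24
WAN_IF=eth0
VPN_PORT=12112

# has_directive FILE REGEX: true if an uncommented line of FILE matches REGEX
has_directive() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# check_conf FILE: print one line per finding, return the number of findings
check_conf() {
    f=$1
    n=0
    has_directive "$f" "port[[:space:]]+$VPN_PORT([[:space:]]|\$)" \
        || { echo "MISSING: port $VPN_PORT"; n=$((n + 1)); }
    has_directive "$f" 'push[[:space:]]+"redirect-gateway def1"' \
        || { echo "MISSING: push \"redirect-gateway def1\""; n=$((n + 1)); }
    has_directive "$f" 'push[[:space:]]+"dhcp-option DNS ' \
        || { echo "MISSING: push \"dhcp-option DNS <resolver>\""; n=$((n + 1)); }
    has_directive "$f" 'plugin[[:space:]]+.*openvpn-plugin-auth-pam\.so' \
        || { echo "MISSING: plugin openvpn-plugin-auth-pam.so"; n=$((n + 1)); }
    has_directive "$f" 'username-as-common-name' \
        || { echo "MISSING: username-as-common-name"; n=$((n + 1)); }
    # an active comp-lzo line breaks ChromeOS clients; a commented one is fine
    if has_directive "$f" 'comp-lzo'; then
        echo "REMOVE: comp-lzo (ChromeOS clients cannot connect)"
        n=$((n + 1))
    fi
    return $n
}

# check_host: verify runtime state; the iptables -C probe needs root
check_host() {
    n=0
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] \
        || { echo "ip_forward is 0 (echo 1 > /proc/sys/net/ipv4/ip_forward)"; n=$((n + 1)); }
    iptables -t nat -C POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null \
        || { echo "MISSING: MASQUERADE rule for $VPN_NET via $WAN_IF"; n=$((n + 1)); }
    return $n
}

# Usage: sh openvpn-audit.sh /etc/openvpn/openvpn.conf
if [ -n "${1:-}" ]; then
    check_conf "$1" && check_host && echo "OK"
fi
```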