This tutorial will teach you how to install and configure OpenVPN on a Debian server, and how to connect to it from a Windows client.
1. Server
Preparation & installation:
Make sure your package repositories and installed programs are up to date, then install OpenVPN by issuing the following command:
# apt-get install openvpn
The OpenVPN package provides a set of encryption-related tools called easy-rsa. These scripts are located by
default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. However, in order to function properly, these
scripts should be located in the /etc/openvpn directory. Copy these files with the following command:
# cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
Most of the relevant configuration for the OpenVPN public key infrastructure is contained in /etc/openvpn/easy-rsa/2.0/, and much of our configuration will be located in this directory.
# nano /etc/openvpn/easy-rsa/2.0/vars
Alter the examples to reflect your configuration. This information will be included in certificates you create and it is
important that the information be accurate, particularly the KEY_ORG and KEY_EMAIL values.
export KEY_COUNTRY="XX"            # put a value that suits your settings
export KEY_PROVINCE="XX"           # put a value that suits your settings
export KEY_CITY="XXXXXX"           # put a value that suits your settings
export KEY_ORG="XXXXXXXXX"         # put a value that suits your settings
export KEY_EMAIL="XXXX@XXXXX.XXX"  # put an email here. It can be a fake one if you like.
# cd /etc/openvpn/easy-rsa/2.0/
# source vars
# ./clean-all
# ./build-ca
With the certificate authority configured, you can generate the private key for the server. To accomplish this, issue the
following command, changing server to the name of your OpenVPN server.
# ./build-key-server server
This script will also prompt you for additional information. By default, the Common Name for this key will be server.
You can change these values in cases where it makes sense to use alternate values. The challenge password and
company names are optional and can be left blank. When you've completed the question section, you can confirm the
signing of the certificate and the certificate request by answering yes to both questions.
With the private keys generated, we can create certificates for all of the VPN clients. Issue the following command,
replacing client1 with the name of your first OpenVPN client.
# ./build-key client1
If you need to add users to your OpenVPN at any time, repeat this step to create additional keys.
# ./build-key client2
Replace the client1 parameter with a relevant identifier for each client. You will want to generate a unique key for
every user of the VPN. Each key should have its own unique identifier. All other information can remain the same.
# ./build-dh
This generates the Diffie-Hellman parameters file dh1024.pem. At this point the files needed by the first client are:
ca.crt
client1.crt
client1.key
Copy those 3 files to the client computer, into C:\Program Files\OpenVPN\config, next to the .ovpn client config file.
The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server
process can access them. They are generated in the keys/ subdirectory of the easy-rsa directory; copy them to the directory where the server config file is located (/etc/openvpn):
# cp ca.crt ca.key server.crt server.key dh1024.pem /etc/openvpn/
These files must not leave your server. Maintaining integrity and control over these files is of the utmost importance to the integrity of your server. If you ever need to move or back up these keys, ensure that they're encrypted and secured. If these files are compromised, they will need to be re-created along with all client keys.
Server configuration:
Create a file named server.conf in /etc/openvpn/:
# nano /etc/openvpn/server.conf
# Don't forget to modify the settings to match your needs
# Connection port: this is the port that OpenVPN will listen on (for client connections)
port 1194
# Connection protocol: choose TCP or UDP (TCP is recommended if you intend to use obfsproxy or stunnel)
proto tcp
# Device name: OpenVPN network interface
dev tun
# Credential files location: we already put them in /etc/openvpn
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
# OpenVPN internal IPs and range: can change them as desired
server 10.9.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Now we use the push directive, which makes the client execute the pushed options.
# First, we make the client add the server's IP to its default routes
push "route <server's IP> 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
# Cipher: OpenVPN's way of encryption. There are 3 kinds of ciphers, but here we will choose AES
cipher AES-128-CBC
# Compression: adds some compression to your data packets, but this is optional
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verb 3
Save the file and restart OpenVPN:
# service openvpn restart
WARNING:
iptables (the Linux firewall command) is a dangerous tool. Please think twice, and read twice, before you execute.
Let's create a file and put all the rules in it:
# nano /etc/openvpn/iptables.sh
#!/bin/sh
#
# First, we flush all current rules from iptables, for a clean start
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Now, we set the 3 main policies: input/output/forward
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Allow the ssh port (by default it's 22, but you have to change it to the ssh port you actually use)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow the OpenVPN connection port
# NOTE: Remember to change the protocol from TCP to UDP according to server.conf
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
# Allow localhost connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow OpenVPN internal network forwarding, and reject everything else
iptables -A FORWARD -s 10.9.8.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -j REJECT
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# List rules
iptables -L -v
# chmod 700 /etc/openvpn/iptables.sh
Again: please think twice, and read twice, before you execute this file. Note that the script sets the INPUT policy to ACCEPT, so the explicit INPUT rules for ssh, OpenVPN and localhost do not restrict anything by themselves; the rules that actually limit traffic are the FORWARD ones, which forward only the 10.9.8.0/24 VPN range and reject everything else.
Execute the iptables.sh file to apply the rules and enable forwarding:
# /etc/openvpn/iptables.sh
You should see a list of the chains and the policies you chose to apply. With that, our work on the server is done.
For more information (if needed) please check the OpenVPN example page.
2. Client
Download and install this version of the OpenVPN client for Windows.
As we mentioned earlier, four files should be located in C:\Program Files\OpenVPN\config. They are:
ca.crt
client1.crt
client1.key
client.ovpn
The client.ovpn configuration file contains:
client
dev tun
proto tcp
remote <your server's IP> 1194
pull
route <your server's IP> 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 3
ca ca.crt
cert client1.crt
key client1.key
cipher AES-128-CBC
comp-lzo
verb 3
REMEMBER:
Most directives in server.conf and client.ovpn must be identical (such as compression, cipher and protocol).
The connection port should be the same on client and server (here we used TCP port 1194).
Make sure that the 4 files (client.ovpn, ca.crt, client1.crt, client1.key) are together in the C:\Program Files\OpenVPN\config directory.
The client file may already exist; in that case edit its contents instead of creating a new one.
If you don't want to redirect all your traffic through OpenVPN, remove the 6th line (route <ip> <subnet> net_gateway) from the client config file and restart OpenVPN.
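The REMEMBER checks above can be run automatically on the server before the .ovpn file is copied to the Windows machine. This is an added example, not part of the original tutorial; it assumes both files use the directive layout shown in this tutorial and works on constructed sample configs with a documentation-range IP (203.0.113.10).

```shell
#!/bin/sh
# Added example, not from the original tutorial: verify that the directives the tutorial says
# must agree between server.conf and client.ovpn (proto, cipher, comp-lzo, and the server's
# port vs. the port in the client's "remote" line) really do, before the .ovpn file is shipped.
# Normalise a config: strip leading blanks and quotes, drop comment lines starting with # or ;.
ovpn_lines() {
    sed -e 's/^[[:space:]]*//' -e 's/"//g' -e '/^[#;]/d' "$1"
}
# Print the argument(s) of a directive, or nothing if it is absent or commented out.
ovpn_get() {
    ovpn_lines "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }'
}
# Succeed if a directive is present at all (for flags without arguments, such as comp-lzo).
ovpn_has() {
    ovpn_lines "$1" | awk -v d="$2" 'BEGIN { r = 1 } $1 == d { r = 0 } END { exit r }'
}
# check_ovpn_pair SERVER_CONF CLIENT_OVPN: report every mismatch; return 0 only if all agree.
check_ovpn_pair() {
    srv=$1; cli=$2; rc=0
    for d in proto cipher; do
        s=$(ovpn_get "$srv" "$d"); c=$(ovpn_get "$cli" "$d")
        [ "$s" = "$c" ] || { echo "MISMATCH $d: server='$s' client='$c'"; rc=1; }
    done
    if ovpn_has "$srv" comp-lzo; then cs=on; else cs=off; fi
    if ovpn_has "$cli" comp-lzo; then cc=on; else cc=off; fi
    [ "$cs" = "$cc" ] || { echo "MISMATCH comp-lzo: server=$cs client=$cc"; rc=1; }
    sp=$(ovpn_get "$srv" port); cp=$(ovpn_get "$cli" remote | awk '{ print $2 }')
    [ "$sp" = "$cp" ] || { echo "MISMATCH port: server listens on '$sp', client uses '$cp'"; rc=1; }
    return $rc
}
# Constructed sample configs, trimmed to the directives that matter, so this runs stand-alone.
tmp=$(mktemp -d)
cat > "$tmp/server.conf" <<'EOF'
port 1194
proto tcp
cipher AES-128-CBC
comp-lzo
EOF
cat > "$tmp/client.ovpn" <<'EOF'
client
proto tcp
remote 203.0.113.10 1194
cipher AES-128-CBC
comp-lzo
EOF
# The same client config with the drift the tutorial warns about: UDP instead of TCP, no compression.
sed -e 's/^proto tcp/proto udp/' -e '/^comp-lzo/d' "$tmp/client.ovpn" > "$tmp/client-bad.ovpn"
check_ovpn_pair "$tmp/server.conf" "$tmp/client.ovpn" && echo "client.ovpn: consistent with server.conf"
check_ovpn_pair "$tmp/server.conf" "$tmp/client-bad.ovpn" || echo "client-bad.ovpn: fix before copying to the client"
```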
Special cases:
Service Block:
In case your ISP blocks OpenVPN connections, you can use obfsproxy [click here for details] to proxy your connection, or you can wrap it in stunnel [click here for details].
Proxify Service:
In case you chose to proxify your OpenVPN connection or to wrap it with stunnel, remember that the remote directive in the client config should connect to 127.0.0.1 and the designated port.
Port Block:
In case the connection port is blocked by your ISP, you can simply choose another port (we suggest high port numbers like 63520). But make sure you change it in both client and server.
If you prefer not to issue a certificate and key to every client, add the following directive to server.conf:
client-cert-not-required
Note that client-cert-not-required will not obviate the need for a server certificate, so a client connecting to a server which uses client-cert-not-required may remove the cert and key directives from the client configuration file, but not the ca directive, because it is necessary for the client to verify the server certificate.
So on the client, comment out (by adding ;) the certificate/key directives and add auth-user-pass:
;cert client1.crt
;key client1.key
auth-user-pass
While connecting, you will be prompted for a username and password (but anything will work, since we didn't assign any users/passwords on the server). Be aware that this leaves the server with no way to authenticate clients: anyone who can reach the OpenVPN port can connect. You can also put the username and password in a file (let's name it key.txt for example), each on its own line; the directive on the client then becomes:
auth-user-pass key.txt
OpenVPN will then read the username/password from key.txt, but remember to put key.txt in the same directory, C:\Program Files\OpenVPN\config\, or else give the full path to the file.