Bjoern Olausson

OpenVPN 2

Friday, 09 November 2007 14:41

Copy the contents of the 'easy-rsa' directory from the OpenVPN tar.gz file somewhere, e.g. to /usr/local/easy-rsa

Edit the file 'vars' to set the directory KEY_DIR, KEY_CONFIG, ...
Source it, using '. vars'
./clean-all
./build-ca, after this you have 'ca.crt' in KEY_DIR
./build-dh, to get 'dh1024.pem'
./build-key-server server, after this you should have 'server.crt' and 'server.key'. For the server side you need 'ca.crt', 'server.crt', 'server.key' and 'dh1024.pem'. For each client, build its key:
./build-key client, to get 'client.crt' and 'client.key'. Each client needs those two files and the CA certificate, 'ca.crt'.

Also remember to make the 'Common Name' unique for each client when answering this prompt, e.g. 'client':
Common Name (eg, your name or your server's hostname): client
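Before handing out client files it is worth checking that no Common Name was issued twice: the ccd lookup described further down is keyed on the CN, and unless the server is started with duplicate-cn, OpenVPN will not keep two clients with the same CN connected at once. The script below is an added example, not code from the original page or from easy-rsa. It reads the index.txt database that the 'openssl ca' calls behind build-key maintain in KEY_DIR and lists every CN that sits on more than one valid certificate; the index rows are constructed to look like such a file.

```python
"""Check the easy-rsa CA database (KEY_DIR/index.txt) for reused Common Names.

Added example, not code from the original page. easy-rsa's build-key scripts
call 'openssl ca', which appends one tab-separated row per issued certificate
to index.txt: status (V/R/E), expiry, revocation date, serial, file name,
subject DN. The rows below are constructed to look like such a file.
"""
from collections import defaultdict

# Constructed sample: server cert, client cert, a revoked laptop cert, and a
# second valid cert issued under the already-used CN 'client' (the slip to catch).
INDEX_TXT = (
    "V\t171107144100Z\t\t01\tunknown\t/C=US/ST=CA/O=example/CN=server/emailAddress=me@example.invalid\n"
    "V\t171107144200Z\t\t02\tunknown\t/C=US/ST=CA/O=example/CN=client/emailAddress=me@example.invalid\n"
    "R\t171107144300Z\t081001120000Z\t03\tunknown\t/C=US/ST=CA/O=example/CN=laptop/emailAddress=me@example.invalid\n"
    "V\t171107144400Z\t\t04\tunknown\t/C=US/ST=CA/O=example/CN=client/emailAddress=me@example.invalid\n"
)

def parse_index(text):
    """Return a list of (status, serial, common_name) for each row of index.txt."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"unexpected index.txt row: {line!r}")
        status, _expiry, _revoked, serial, _fname, subject = fields
        cns = [p[3:] for p in subject.split("/") if p.startswith("CN=")]
        if len(cns) != 1:
            raise ValueError(f"expected exactly one CN in subject {subject!r}")
        rows.append((status, serial, cns[0]))
    return rows

def duplicate_cns(text):
    """Map each CN shared by more than one valid (status 'V') certificate to its serials.

    Revoked rows are ignored: reissuing a certificate after a revocation is the
    normal way to replace a lost key and does not create a live duplicate.
    """
    by_cn = defaultdict(list)
    for status, serial, cn in parse_index(text):
        if status == "V":
            by_cn[cn].append(serial)
    return {cn: serials for cn, serials in by_cn.items() if len(serials) > 1}

if __name__ == "__main__":
    for cn, serials in duplicate_cns(INDEX_TXT).items():
        print(f"CN {cn!r} is shared by valid certificates with serials {serials}")
```

Run it against the real file with `duplicate_cns(open('/usr/local/easy-rsa/keys/index.txt').read())`, adjusting the path to your KEY_DIR. If a CN shows up twice, revoke the certificate you no longer want with the revoke-full script so that the row turns to status R and drops out of the report.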

  • Server config-file:
port 443 #1194 is standard
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 192.168.1.0 255.255.255.0 #network to make the tun0 devices in
ifconfig-pool-persist ipp.txt
client-config-dir ccd
client-to-client
route 192.168.1.0 255.255.255.0 #not really necessary
route 10.0.0.0 255.255.255.0
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
# Generate with:
# openvpn --genkey --secret ta.key
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 1


  • Client config-file:
client
dev tun
proto tcp
#443 should be replaced with whatever port is specified
remote 123.124.125.126 443
resolv-retry infinite
nobind
user nobody
group nobody
ns-cert-type server
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key # This file should be kept secret
comp-lzo
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
# Generate with:
# openvpn --genkey --secret ta.key
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 1 # This file is secret
# redirect all traffic through the tun device
# for openvpn 2.0_r10 and later:
#redirect-gateway
# or, prior to openvpn 2.0_r10:
#route 192.168.254.0 255.255.255.0
log-append /var/log/openvpn.log
verb 4



If you want to allow all requests from clients behind a router, which is itself connected to the VPN server, into the VPN, do the following:

  • create the directory ccd in the server config folder
  • create a file in it with the router's Common Name as its name
  • put this into the file: iroute 10.0.123.0 255.255.255.0

That's it. Now all clients behind the router are allowed to access the VPN.
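The slips that are easiest to make across these three files are a wrong tls-auth direction, a port or proto that does not match between server and client, a ccd iroute with no matching route in the server config (iroute only tells OpenVPN which client owns the subnet; the server's kernel still needs a route to send that subnet into the tunnel), and two directives fused onto one line. The script below is an added example, not code from the original page or from OpenVPN. It parses a server config, a client config and a ccd file and reports those inconsistencies; the three sample configs are constructed from the ones above, trimmed of comments, with a route for the ccd subnet added to the server side.

```python
"""Consistency checks across an OpenVPN 2 server config, client config and ccd file.

Added example, not code from the original page. The directive names are real
OpenVPN 2 options; the checks are this example's own.
"""
import ipaddress

# Constructed sample: the page's server config, trimmed, plus a 'route' for the
# subnet that the ccd file below hands to the router client.
SERVER_CONF = """\
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
server 192.168.1.0 255.255.255.0
client-config-dir ccd
route 10.0.0.0 255.255.255.0
route 10.0.123.0 255.255.255.0
persist-key
persist-tun
tls-auth ta.key 0
"""

# Constructed sample: the page's client config, trimmed.
CLIENT_CONF = """\
client
dev tun
proto tcp
remote 123.124.125.126 443
ns-cert-type server
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key # This file should be kept secret
tls-auth ta.key 1
"""

# Constructed sample: ccd file named after the router's Common Name.
CCD_CONF = "iroute 10.0.123.0 255.255.255.0\n"

def parse(text):
    """Return a list of (option, args) pairs; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries

def first(entries, option, default=None):
    """Arguments of the first occurrence of option, or default if absent."""
    for opt, args in entries:
        if opt == option:
            return args
    return default

def check(server_conf, client_conf, ccd_conf):
    """Return a list of problems; an empty list means the three files agree."""
    s, c, d = parse(server_conf), parse(client_conf), parse(ccd_conf)
    problems = []
    # tls-auth: same shared key, direction 0 on the server and 1 on the client.
    s_ta, c_ta = first(s, "tls-auth"), first(c, "tls-auth")
    if s_ta is None or c_ta is None:
        problems.append("tls-auth is missing on one side")
    else:
        if s_ta[1:] != ["0"]:
            problems.append("server tls-auth direction must be 0")
        if c_ta[1:] != ["1"]:
            problems.append("client tls-auth direction must be 1")
    # proto: 'tcp' or 'tcp-server' on the server pairs with 'tcp' or 'tcp-client'.
    s_proto = first(s, "proto", ["udp"])[0]
    c_proto = first(c, "proto", ["udp"])[0]
    tcp_pair = s_proto in ("tcp", "tcp-server") and c_proto in ("tcp", "tcp-client")
    if not tcp_pair and s_proto != c_proto:
        problems.append(f"proto mismatch: server {s_proto}, client {c_proto}")
    # port: server 'port' must equal the client's 'remote <host> <port>' (or 'port').
    s_port = first(s, "port", ["1194"])[0]
    remote = first(c, "remote", [])
    c_port = remote[1] if len(remote) > 1 else first(c, "port", ["1194"])[0]
    if s_port != c_port:
        problems.append(f"port mismatch: server {s_port}, client {c_port}")
    # iroute only tells OpenVPN which client owns a subnet; the server's kernel
    # still needs a matching 'route' to send that subnet into the tunnel.
    routes = [ipaddress.ip_network(f"{a[0]}/{a[1]}")
              for o, a in s if o == "route" and len(a) >= 2]
    for opt, args in d:
        if opt == "iroute" and len(args) >= 2:
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}")
            if not any(net.subnet_of(r) for r in routes):
                problems.append(f"iroute {net} has no covering 'route' on the server")
    # persist-key / persist-tun take no arguments; 'persist-key persist-tun' on
    # one line is a copy-and-paste slip that OpenVPN reports as an options error.
    for opt, args in s + c:
        if opt.startswith("persist-") and args:
            problems.append(f"'{opt} {' '.join(args)}' must be two separate lines")
    return problems
```

Feed it the real files with `check(open('server.conf').read(), open('client.conf').read(), open('ccd/router').read())` and fix anything it lists before restarting the daemon; the checks only look at the directives named above, so a clean result does not replace reading the OpenVPN log at verb 4 on first connect.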

  • Basic steps to connect with a Windows client using OpenVPN GUI:
Get the latest Windows OpenVPN 2 install package and install it
Get the latest OpenVPN GUI 2 (http://openvpn.se/) and install it
Put this example config file in C:\Program files\OpenVPN\config\
Name it like this: somename.ovpn
Edit it to suit your setup.
  • Windows Client config-file:
client
remote 123.124.125.126
port 443
proto tcp-client
dev tun
persist-key
persist-tun
ns-cert-type server
ping 10
comp-lzo
verb 4
mute 10
#redirect-gateway

ca K:\\vpn-keys\\ca.crt
cert K:\\vpn-keys\\freax-win\\client-win.crt
key K:\\vpn-keys\\freax-win\\client-win.key
tls-auth K:\\vpn\\ta.key 1

# If you have set up more than one TAP-Win32 adapter
# on your system, you must refer to it by name.
#;dev-node my-tap

# If this section is enabled and "myremote"
# above is a dynamic DNS name (i.e. dyndns.org),
# OpenVPN will dynamically "follow" the IP
# address of "myremote" if it changes.
#; ping-restart 60
#; ping-timer-rem
#; resolv-retry 86400

# If you have fragmentation issues or misconfigured
# routers in the path which block Path MTU discovery,
# lower the TCP MSS and internally fragment non-TCP
# protocols.
#;fragment 1300
#;mssfix


Start the GUI by double-clicking the openvpn-gui-XXX.XX.exe file
