[2024-feb-29] Sad news: Eric Layton aka Nocturnal Slacker aka vtel57 passed away on Feb 26th, shortly after hospitalization. He was one of our Wiki's most prominent admins. He will be missed.

Welcome to the Slackware Documentation Project

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Next revisionBoth sides next revision
howtos:network_services:openvpn [2013/12/31 11:38 (UTC)] chrisabelahowtos:network_services:openvpn [2018/03/02 00:01 (UTC)] – User needs to remove server key passphrase in order to avoid OpenVPN prompting for it (or erroring if run as daemon) bifferos
Line 70: Line 70:
 <code> <code>
 # cd # cd
-# git clone git://github.com/OpenVPN/easy-rsa+# git clone http://github.com/OpenVPN/easy-rsa
 </code> </code>
  
Line 144: Line 144:
 === 5.2.1 Sign the Client's request on the Server === === 5.2.1 Sign the Client's request on the Server ===
  
-For the purpose of this article, it is assumed that the Client's request file (client1.req) been transferred to the $HOME/openvpn/ directory of the Server. Now you can proceed to import and sign the client1 request:+For the purpose of this article, it is assumed that the Client's request file (client1.req) has been transferred to the $HOME/openvpn/ directory of the Server. Now you can proceed to import and sign the client1 request:
  
 <code> <code>
Line 168: Line 168:
 # cp $HOME/easy-rsa/easyrsa3/pki/private/server1.key \ # cp $HOME/easy-rsa/easyrsa3/pki/private/server1.key \
 > /etc/openvpn/keys/ > /etc/openvpn/keys/
 +</code>
 +
 +If you want to run the server as a daemon on system boot, it's necessary to remove the pass-phrase from the server1.key file first.  Don't forget to set permissions on the key to avoid it being world-readable.
 +
 +<code>
 +# cd /etc/openvpn/keys
 +# openssl rsa -in server1.key -out tmp.key
 +# mv tmp.key server1.key
 +# chmod 600 server1.key
 </code> </code>
  
Line 183: Line 192:
  
 <code> <code>
-# cp openvpn-2.3.2/sample/sample-config-files/server.conf \+# cp openvpn-*/sample/sample-config-files/server.conf \
 > /etc/openvpn/ > /etc/openvpn/
 </code> </code>
Line 597: Line 606:
 ===== 7. Port Forwarding ===== ===== 7. Port Forwarding =====
  
-YYou will need to forward traffic from the port you have chosen for Openvpn to be routed to the Server. To accomplish this you will need to provide your Server with a fixed IP and you will need to configure your router. You may use netconfig, wicd or network-manager to set the fixed IP on Slackware. Then you also need to consult the documentation provided with your router to set up the selected IP address reserved for the Server, and the port forwarding. For our default Openvpn set up, the UDP Port would be 1194. +You will need to forward traffic from the port you have chosen for Openvpn to be routed to the Server. To accomplish this you will need to provide your Server with a fixed IP and you will need to configure your router. You may use netconfig, wicd or network-manager to set the fixed IP on Slackware. Then you also need to consult the documentation provided with your router to set up the selected IP address reserved for the Server, and the port forwarding. For our default Openvpn set up, the UDP Port would be 1194. 
  
 In case if you have misplaced such documentation, you may search on the Internet on how this may be achieved. A good place to start is http://portforward.com/. In case if you have misplaced such documentation, you may search on the Internet on how this may be achieved. A good place to start is http://portforward.com/.
Line 644: Line 653:
 <note>Note that comments in client.conf may be either # or ; The former are used to comment out text while the latter are for commented out configuration lines. This should help you a lot in the configuration process.</note> <note>Note that comments in client.conf may be either # or ; The former are used to comment out text while the latter are for commented out configuration lines. This should help you a lot in the configuration process.</note>
  
-You will need the this files that were generated by the Client's easy-rsa scripts:+You will need this file that were generated by the Client's easy-rsa scripts:
  
 <code> <code>
Line 922: Line 931:
 push "route 192.168.200.0 255.255.255.0" push "route 192.168.200.0 255.255.255.0"
  
-client-config-dir ccd +client-config-dir /etc/openvpn/ccd 
 route 192.168.1.0 255.255.255.0  route 192.168.1.0 255.255.255.0 
  
Line 932: Line 941:
  
 Naturally replace 192.168.200.0 255.255.255.0 with the Server's Network Route, and  192.168.1.0 255.255.255.0 with the Client's Network Route. Naturally replace 192.168.200.0 255.255.255.0 with the Server's Network Route, and  192.168.1.0 255.255.255.0 with the Client's Network Route.
 +208.67.222.222 and 208.67.220.220 are the OpenDNS IP addresses.
  
-208.67.222.222 and 208.67.220.220 are the OpenDNS IP addresses. Up to now the DNS push configuration has not been successful. You can either use the original Client DNS servers or else you may edit /etc/resolv.conf manually. However it is still worth trying to use the DNS servers listed by the Client, I find that they are generally still be available from the Server's Network, so you would not need to do anything.+<note warning>Up to now the DNS push configuration has not been successful.</note> 
 + 
 +You can either use the original Client DNS servers or else you may rewrite /etc/resolv.conf manually
 + 
 +<code> 
 +# OpenDNS Servers 
 +nameserver 208.67.222.222 
 +nameserver 208.67.220.220 
 +</code> 
 + 
 +According to your routing table however, it is still worth trying to use the DNS servers listed by the Client, I find that they are generally still available, so you would not need to do anything. However do be aware of possible DNS leaks if you are concerned about your privacy. 
 + 
 +Some users have reported that their Client's Network Manager, (or any other similar application) re-wrote the original /etc/resolv.conf back after their manual editing. This could not be reproduced by the author of this article (yet), but you may consider installing and configuring openresolv(5) if this actually happens to you. A SlackBuild for openresolv may be found on http://slackbuilds.org. Openresolv is currently out of the scope of this article.
  
 Next you will have to configure some iptables NAT forwarding on the Server (only). You can do this by first flushing the iptables: Next you will have to configure some iptables NAT forwarding on the Server (only). You can do this by first flushing the iptables:
Line 999: Line 1021:
   #$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT # Uncomment to allow sshd   #$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT # Uncomment to allow sshd
  
-  # allow openvpn for the non-default tcp port 443 +  # allow openvpn for the default udp port 1194 
-  $IPT -A SERVICES -p tcp --dport 443 -j ACCEPT+  $IPT -A SERVICES -p udp --dport 1194 -j ACCEPT
      
   echo "done."   echo "done."
Line 1127: Line 1149:
  
 (4) http://www.no-ip.com (4) http://www.no-ip.com
 +
 +(5) http://roy.marples.name/projects/openresolv/index
  
   * Originally written by [[wiki:user:chrisabela | Chris Abela]]   * Originally written by [[wiki:user:chrisabela | Chris Abela]]
 howtos:network_services:openvpn ()