Differences
howtos:network_services:openvpn [2013/12/27 19:45 (UTC)] – Extensive update for openvpn-2.3.2 on Slackware 14.1 chrisabela | howtos:network_services:openvpn [2018/03/02 00:04 (UTC)] – Add a note that 'daemon' can initially be left out. bifferos | ||
Line 15: | Line 15: | ||
The emphasis is to provide a reliable method that can be easily followed to set-up OpenVPN on Slackware Servers and Clients. Nevertheless the process is still not free from pitfalls and require some attention and determination. | The emphasis is to provide a reliable method that can be easily followed to set-up OpenVPN on Slackware Servers and Clients. Nevertheless the process is still not free from pitfalls and require some attention and determination. | ||
- | This article comprises of a selection of other similar tutorials found on Internet particularly (2) and (3) and the documents contained in the downloaded source files. However these are reformatted to satisfy the objective. | + | This article comprises of a selection of other similar tutorials found on the Internet particularly (2) and (3) and the documents contained in the downloaded source files. However these are reformatted to satisfy the objective. |
===== 3. Installation ===== | ===== 3. Installation ===== | ||
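Review bot: Both the changed line and the unchanged one above it still carry grammar slips that the "the Internet" fix did not touch: "comprises of a selection" should be "comprises a selection" (or "consists of a selection"), and "require some attention" should be "requires some attention" to agree with "the process".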
Line 70: | Line 70: | ||
< | < | ||
# cd | # cd | ||
- | # git clone git:// | + | # git clone http:// |
</ | </ | ||
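Review bot: Switching the clone URL from git:// to http:// changes the transport but not the trust model: neither protocol authenticates the remote or protects the download from tampering in transit. Use an https:// URL for the clone, and point readers at the signed release for the version the article builds so they can verify that what they compile is what the project published.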
Line 144: | Line 144: | ||
=== 5.2.1 Sign the Client' | === 5.2.1 Sign the Client' | ||
- | For the purpose of this article, it is assumed that the Client' | + | For the purpose of this article, it is assumed that the Client' |
< | < | ||
- | # cd /root/ | + | # cd $HOME/ |
- | # ./easyrsa import-req | + | # ./easyrsa import-req |
# ./easyrsa sign-req client client1 | # ./easyrsa sign-req client client1 | ||
</ | </ | ||
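Review bot: Replacing /root/ with $HOME/ in these root-prompt commands only resolves to the same place when the shell is a root login shell (su - or sudo -i); under plain sudo, $HOME can still point at the invoking user's home, and import-req would then look for the request in the wrong directory. State that assumption once, or keep the absolute path, so the sign-req step operates on the file the reader actually copied there.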
Line 154: | Line 154: | ||
When prompted enter “yes” and the server1 CA PEM pass phrase. | When prompted enter “yes” and the server1 CA PEM pass phrase. | ||
- | Copy the generated | + | Copy the generated |
back to the client. | back to the client. | ||
Line 162: | Line 162: | ||
< | < | ||
- | # cp /root/ | + | # cp $HOME/ |
> / | > / | ||
- | # cp /root/ | + | # cp $HOME/ |
> / | > / | ||
- | # cp /root/ | + | # cp $HOME/ |
> / | > / | ||
+ | </ | ||
+ | |||
+ | If you want to run the server as a daemon on system boot, it's necessary to remove the pass-phrase from the server1.key file first. | ||
+ | |||
+ | < | ||
+ | # cd / | ||
+ | # openssl rsa -in server1.key -out tmp.key | ||
+ | # mv tmp.key server1.key | ||
+ | # chmod 600 server1.key | ||
</ | </ | ||
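Review bot: The pass-phrase removal block writes tmp.key before any chmod, so under the default umask the unencrypted key is briefly readable by other local users; run the conversion as `(umask 077; openssl rsa -in server1.key -out tmp.key)` or chmod tmp.key before the mv. Also say that this is an alternative to the askpass method added in section 10 of the same revision, since the two currently read as if both were required.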
Line 183: | Line 192: | ||
< | < | ||
- | # cp openvpn-2.3.2/ | + | # cp openvpn-*/ |
> / | > / | ||
</ | </ | ||
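Review bot: The openvpn-*/ glob is fine while exactly one unpacked source tree exists, but if a second openvpn-* directory is present (an older release, or a separate build directory), the glob expands to several sources and cp either copies all of them or refuses with "target is not a directory". Tell the reader the glob assumes a single extracted tree, or keep the versioned path with a note to adjust it.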
Line 230: | Line 239: | ||
daemon | daemon | ||
</ | </ | ||
+ | |||
+ | < | ||
My full server.conf is the following: | My full server.conf is the following: | ||
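Review bot: The new note about leaving `daemon` out should say why: without it OpenVPN stays in the foreground and writes its log to the terminal, which is what makes the first connection attempts debuggable; once the tunnel works, re-add `daemon` so the boot-time start in section 10 detaches properly.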
Line 539: | Line 550: | ||
</ | </ | ||
- | < | + | < |
- | Copy the rc.openvpn listed hereunder and place under /etc/rc.d/</ | + | |
+ | Copy the rc.openvpn listed hereunder and place under /etc/rc.d/ | ||
< | < | ||
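Review bot: When the reader places rc.openvpn under /etc/rc.d/, the text should also tell them to make it executable (chmod 755 /etc/rc.d/rc.openvpn), because the rc.local snippet in section 10 starts the service only if the `[ -x ... ]` test passes; a non-executable script fails silently at boot.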
Line 596: | Line 608: | ||
===== 7. Port Forwarding ===== | ===== 7. Port Forwarding ===== | ||
- | YYou will need to forward traffic from the port you have chosen for Openvpn to be routed to the Server. To accomplish this you will need to provide your Server with a fixed IP and you will need to configure your router. You may use netconfig, wicd or network-manager to set the fixed IP on Slackware. Then you also need to consult the documentation provided with your router to set up the selected IP address reserved for the Server, and the port forwarding. For our default Openvpn set up, the UDP Port would be 1194. | + | You will need to forward traffic from the port you have chosen for Openvpn to be routed to the Server. To accomplish this you will need to provide your Server with a fixed IP and you will need to configure your router. You may use netconfig, wicd or network-manager to set the fixed IP on Slackware. Then you also need to consult the documentation provided with your router to set up the selected IP address reserved for the Server, and the port forwarding. For our default Openvpn set up, the UDP Port would be 1194. |
In case if you have misplaced such documentation, | In case if you have misplaced such documentation, | ||
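Review bot: Good catch on "YYou"; the following context line has a similar slip, "In case if you have misplaced" should read "In case you have misplaced".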
Line 643: | Line 655: | ||
< | < | ||
- | You will need the this files that were generated by the Client' | + | You will need this file that were generated by the Client' |
< | < | ||
- | /root/ | + | $HOME/ |
</ | </ | ||
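Review bot: "this file that were generated" still disagrees in number; make it "this file that was generated" (or keep the plural "these files that were" if more than one file is listed below).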
Line 861: | Line 873: | ||
</ | </ | ||
- | To start the openvpn service automatically on boot-up from the Server, include these lines in / | + | ===== 10. Storing the PEM pass phrase in a secure file and Automatic start of service after booting ===== |
+ | |||
+ | To start the Openvpn service on boot, an entry in / | ||
+ | |||
+ | < | ||
+ | # chmod 600 / | ||
+ | </ | ||
+ | |||
+ | On the Server, edit /etc/openvpn/ | ||
+ | |||
+ | < | ||
+ | askpass / | ||
+ | auth-nocache | ||
+ | </ | ||
+ | |||
+ | This may be repeated also on the Client, just edit / | ||
+ | |||
+ | To start the Openvpn | ||
< | < | ||
- | # Start the OpenVPN | + | # Start the OpenVPN |
- | if [ -x / | + | if [ -x / |
- | / | + | / |
fi | fi | ||
</ | </ | ||
- | ===== 10. IP Routing ===== | + | ===== 11. IP Routing ===== |
Up to now we have created a tunnel device on both the Server and the Client called tun0 which is visible only to these two machines. However more work is needed to route the Client' | Up to now we have created a tunnel device on both the Server and the Client called tun0 which is visible only to these two machines. However more work is needed to route the Client' | ||
- | ==== 10.1 Server Configuration ==== | + | ==== 11.1 Server Configuration ==== |
Enable IP forwarding: | Enable IP forwarding: | ||
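Review bot: The chmod 600 in the new section 10 runs only after the pass-phrase file already exists, so whatever created it (an editor, or echo with a redirect) left it readable under the default umask until that point; create the file empty, chmod it, and only then write the pass phrase, and confirm it is owned by root since the service is started from rc.local as root. A short sentence on auth-nocache would also help: it stops OpenVPN from keeping the pass phrase cached in memory after use, which is why it belongs next to askpass and should not be dropped as optional.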
Line 904: | Line 933: | ||
push "route 192.168.200.0 255.255.255.0" | push "route 192.168.200.0 255.255.255.0" | ||
- | client-config-dir ccd | + | client-config-dir |
route 192.168.1.0 255.255.255.0 | route 192.168.1.0 255.255.255.0 | ||
Line 914: | Line 943: | ||
Naturally replace 192.168.200.0 255.255.255.0 with the Server' | Naturally replace 192.168.200.0 255.255.255.0 with the Server' | ||
+ | 208.67.222.222 and 208.67.220.220 are the OpenDNS IP addresses. | ||
- | 208.67.222.222 and 208.67.220.220 are the OpenDNS IP addresses. | + | <note warning>Up to now the DNS push configuration has not been successful.</ |
+ | |||
+ | You can either use the original Client DNS servers or else you may rewrite | ||
+ | |||
+ | < | ||
+ | # OpenDNS Servers | ||
+ | nameserver 208.67.222.222 | ||
+ | nameserver 208.67.220.220 | ||
+ | </ | ||
+ | |||
+ | According to your routing table however, | ||
+ | |||
+ | Some users have reported that their Client' | ||
Next you will have to configure some iptables NAT forwarding on the Server (only). You can do this by first flushing the iptables: | Next you will have to configure some iptables NAT forwarding on the Server (only). You can do this by first flushing the iptables: | ||
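Review bot: The resolv.conf rewrite to the OpenDNS addresses only sends DNS through the tunnel if the Client's routing table carries a route for 208.67.222.222 and 208.67.220.220 via tun0; otherwise those queries leave through the Client's normal interface and bypass the VPN, which is the leak the "According to your routing table" paragraph hints at without naming. Say explicitly that the route must exist (pushed by the Server or added on the Client), and that a DHCP client on the Client side may overwrite resolv.conf again on the next lease renewal.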
Line 981: | Line 1023: | ||
#$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT # Uncomment to allow sshd | #$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT # Uncomment to allow sshd | ||
- | # allow openvpn for the non-default | + | # allow openvpn for the default |
- | $IPT -A SERVICES -p tcp --dport | + | $IPT -A SERVICES -p udp --dport |
| | ||
echo " | echo " | ||
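Review bot: The change from tcp to udp matches the UDP 1194 forward described in section 7, but the rule is only correct if it agrees with the proto setting in server.conf; add a sentence that the two must match, since a reader who switched the server to TCP would now be locked out by the firewall.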
Line 1050: | Line 1092: | ||
</ | </ | ||
- | ===== 11. Firewalls ===== | + | ===== 12. Firewalls ===== |
In the previous chapter we referred to a firewall you may include to protect your Openvpn Server. | In the previous chapter we referred to a firewall you may include to protect your Openvpn Server. | ||
Line 1100: | Line 1142: | ||
You also have to modify your Router' | You also have to modify your Router' | ||
- | ===== 12. Sources ===== | + | ===== 13. Sources ===== |
(1) http:// | (1) http:// | ||
Line 1109: | Line 1151: | ||
(4) http:// | (4) http:// | ||
+ | |||
+ | (5) http:// | ||
* Originally written by [[wiki: | * Originally written by [[wiki: |