initial import from moinmoin

[debienna.git] / OpenVPN / index.mdwn

Sample Configs für OpenVPN mit NAT für inet (redirect-gateway) auf einem Internet Server (+ OpenVZ)\r
\r
OpenVPN Sampe Server Config:\r
{{{\r
port 1194\r
\r
proto tcp \r
dev tun \r
tls-server\r
server 192.168.50.0 255.255.255.240 # NETZ ÄNDERN JE NACH BEDARF!\r
\r
ca /etc/openvpn/certs/ca_cert_vpn.pem\r
cert /etc/openvpn/certs/server_cert_vpn.pem\r
key /etc/openvpn/certs/server_key_vpn.pem\r
dh /etc/openvpn/certs/dh2048.pem\r
\r
#Routes the packages to the intern network, you should use iptables instead of this\r
#push "route 192.168.0.0 255.255.255.192"\r
#push "dhcp-option DNS 192.168.50.3"\r
\r
#keepalive 10 120 \r
\r
auth SHA1\r
\r
user root\r
group root\r
\r
persist-key\r
persist-tun\r
\r
verb 3 \r
comp-lzo\r
client-to-client\r
status /etc/openvpn/openvpn-status.log\r
log-append /var/log/openvpn.log\r
}}}\r
\r
Client Sample Config:\r
{{{\r
client\r
dev tup \r
proto tcp-client\r
remote example.net\r
resolv-retry infinite\r
nobind\r
persist-key\r
persist-tun\r
auth SHA1\r
ca certs/ca_cert_vpn.pem\r
cert certs/<USER>_cert_vpn.pem\r
key certs/<USER>_key_vpn.pem\r
comp-lzo\r
verb 0\r
port 143 \r
#tls-remote VPNServer\r
persist-local-ip\r
}}}\r
\r
\r
Zertifikate bauen: (common name muss wie der Host heißen!)\r
{{{\r
#!/bin/bash\r
\r
\r
mkdir certs\r
cd certs\r
echo "CA Cert erstellen..."\r
openssl genrsa -aes256 -out ca_key_vpn.pem 2048\r
openssl req -new -x509 -days 3650 -key ca_key_vpn.pem -out ca_cert_vpn.pem -set_serial 1\r
chmod 700 ../certs\r
touch serial\r
echo "01" > serial\r
\r
\r
echo ""\r
echo "Server Cert erstellen..."\r
echo "Wichtig: Common Name einzigartig halten und merken - wird sp.eter im VPN Script gebraucht"\r
echo ""\r
openssl req -new -newkey rsa:2048 -out server_csr_vpn.pem -nodes -keyout server_key_vpn.pem -days 3650\r
openssl x509 -req -in server_csr_vpn.pem -out server_cert_vpn.pem -CA ca_cert_vpn.pem -CAkey ca_key_vpn.pem -CAserial serial -days 3650\r
rm server_csr_vpn.pem\r
\r
\r
echo ""\r
echo "Zufallszahlen erstellen..."\r
openssl dhparam -out dh2048.pem 2048\r
echo ""\r
\r
\r
echo "Client Certs mit folgendem Commando vorbereiten:"\r
echo "./clientcerts "\r
}}}\r
\r
Clientcerts\r
{{{\r
#!/bin/bash\r
\r
\r
cd certs\r
echo "Client Cervorbvorbereiten..."\r
openssl req -new -newkey rsa:2048 -out $1_csr_vpn.pem -nodes -keyout $1_key_vpn.pem -days 3650\r
\r
\r
echo ""\r
echo "Client Certs erstellen..."\r
openssl x509 -req -in $1_csr_vpn.pem -out $1_cert_vpn.pem -CA ca_cert_vpn.pem -CAkey ca_key_vpn.pem -CAserial serial -days 3650\r
echo ""\r
echo "CSR Cert loeschen..."\r
rm $1_csr_vpn.pem\r
echo "Clientcert $1_cert_vpn.pem und Clientkey $1_key_vpn.pem erstellt..."\r
cd ..\r
}}}\r
\r
\r
iptables für routing:\r
{{{\r
#!/bin/bash\r
\r
case $1 in\r
stop)\r
iptables -t filter -F INPUT\r
iptables -t filter -F OUTPUT\r
iptables -t filter -F FORWARD\r
iptables -t filter -P INPUT ACCEPT\r
iptables -t filter -P OUTPUT ACCEPT\r
iptables -t filter -P FORWARD ACCEPT\r
;;\r
\r
start)\r
#$0 stop\r
iptables -t nat -F POSTROUTING\r
\r
VPNDEV=tun0\r
EXTDEV=venet0 # ANPASSEN BEI BEDARF\r
VPNLAN=192.168.50.0/28 # BEI BEDARF ÄNDERN!\r
echo 1 > /proc/sys/net/ipv4/ip_forward\r
echo 1 > /proc/sys/net/ipv4/ip_dynaddr\r
\r
iptables -t filter -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT\r
iptables -t nat -A POSTROUTING -o $VPNDEV -j MASQUERADE\r
\r
iptables -A INPUT -i $VPNDEV -s $VPNLAN -j ACCEPT\r
iptables -A FORWARD -i $VPNDEV -o $EXTDEV -s $VPNLAN -j ACCEPT\r
iptables -A FORWARD -i $EXTDEV -o $VPNDEV -d $VPNLAN -m state --state RELATED,ESTABLISHED -j ACCEPT\r
iptables -t nat -A POSTROUTING -s $VPNLAN -o $EXTDEV -j SNAT --to-source <IP DES SERVERS> \r
;;\r
\r
restart)\r
$0 stop && $0 start\r
;;\r
\r
esac\r
}}}