X-Git-Url: https://git.deb.at/?p=debienna.git;a=blobdiff_plain;f=OpenVPN%2Findex.mdwn;h=7d4d6e3cf79b0effa34b3ab739b8feba081db9ed;hp=21fab26d6240022583279aa5c085b00b9d861cc9;hb=f1d9d6f2df40b7572314c01cc715ab3378a21a6b;hpb=bb58b440ee60e34e1c961060195598787087c131
diff --git a/OpenVPN/index.mdwn b/OpenVPN/index.mdwn
index 21fab26..7d4d6e3 100644
--- a/OpenVPN/index.mdwn
+++ b/OpenVPN/index.mdwn
@@ -1,153 +1,148 @@
-Sample Configs für OpenVPN mit NAT für inet (redirect-gateway) auf einem Internet Server (+ OpenVZ)
-
-OpenVPN Sampe Server Config:
-{{{
-port 1194
-
-proto tcp
-dev tun
-tls-server
-server 192.168.50.0 255.255.255.240 # NETZ ÄNDERN JE NACH BEDARF!
-
-ca /etc/openvpn/certs/ca_cert_vpn.pem
-cert /etc/openvpn/certs/server_cert_vpn.pem
-key /etc/openvpn/certs/server_key_vpn.pem
-dh /etc/openvpn/certs/dh2048.pem
-
-#Routes the packages to the intern network, you should use iptables instead of this
-#push "route 192.168.0.0 255.255.255.192"
-#push "dhcp-option DNS 192.168.50.3"
-
-#keepalive 10 120
-
-auth SHA1
-
-user root
-group root
-
-persist-key
-persist-tun
-
-verb 3
-comp-lzo
-client-to-client
-status /etc/openvpn/openvpn-status.log
-log-append /var/log/openvpn.log
-}}}
-
-Client Sample Config:
-{{{
-client
-dev tup
-proto tcp-client
-remote example.net
-resolv-retry infinite
-nobind
-persist-key
-persist-tun
-auth SHA1
-ca certs/ca_cert_vpn.pem
-cert certs/_cert_vpn.pem
-key certs/_key_vpn.pem
-comp-lzo
-verb 0
-port 143
-#tls-remote VPNServer
-persist-local-ip
-}}}
-
-
-Zertifikate bauen: (common name muss wie der Host heißen!)
-{{{
-#!/bin/bash
-
-
-mkdir certs
-cd certs
-echo "CA Cert erstellen..."
-openssl genrsa -aes256 -out ca_key_vpn.pem 2048
-openssl req -new -x509 -days 3650 -key ca_key_vpn.pem -out ca_cert_vpn.pem -set_serial 1
-chmod 700 ../certs
-touch serial
-echo "01" > serial
-
-
-echo ""
-echo "Server Cert erstellen..."
-echo "Wichtig: Common Name einzigartig halten und merken - wird sp.eter im VPN Script gebraucht"
-echo ""
-openssl req -new -newkey rsa:2048 -out server_csr_vpn.pem -nodes -keyout server_key_vpn.pem -days 3650
-openssl x509 -req -in server_csr_vpn.pem -out server_cert_vpn.pem -CA ca_cert_vpn.pem -CAkey ca_key_vpn.pem -CAserial serial -days 3650
-rm server_csr_vpn.pem
-
-
-echo ""
-echo "Zufallszahlen erstellen..."
-openssl dhparam -out dh2048.pem 2048
-echo ""
-
-
-echo "Client Certs mit folgendem Commando vorbereiten:"
-echo "./clientcerts "
-}}}
-
-Clientcerts
-{{{
-#!/bin/bash
-
-
-cd certs
-echo "Client Cervorbvorbereiten..."
-openssl req -new -newkey rsa:2048 -out $1_csr_vpn.pem -nodes -keyout $1_key_vpn.pem -days 3650
-
-
-echo ""
-echo "Client Certs erstellen..."
-openssl x509 -req -in $1_csr_vpn.pem -out $1_cert_vpn.pem -CA ca_cert_vpn.pem -CAkey ca_key_vpn.pem -CAserial serial -days 3650
-echo ""
-echo "CSR Cert loeschen..."
-rm $1_csr_vpn.pem
-echo "Clientcert $1_cert_vpn.pem und Clientkey $1_key_vpn.pem erstellt..."
-cd ..
-}}}
-
-
-iptables für routing:
-{{{
-#!/bin/bash
-
-case $1 in
-stop)
-iptables -t filter -F INPUT
-iptables -t filter -F OUTPUT
-iptables -t filter -F FORWARD
-iptables -t filter -P INPUT ACCEPT
-iptables -t filter -P OUTPUT ACCEPT
-iptables -t filter -P FORWARD ACCEPT
-;;
-
-start)
-#$0 stop
-iptables -t nat -F POSTROUTING
-
-VPNDEV=tun0
-EXTDEV=venet0 # ANPASSEN BEI BEDARF
-VPNLAN=192.168.50.0/28 # BEI BEDARF ÄNDERN!
-echo 1 > /proc/sys/net/ipv4/ip_forward
-echo 1 > /proc/sys/net/ipv4/ip_dynaddr
-
-iptables -t filter -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
-iptables -t nat -A POSTROUTING -o $VPNDEV -j MASQUERADE
-
-iptables -A INPUT -i $VPNDEV -s $VPNLAN -j ACCEPT
-iptables -A FORWARD -i $VPNDEV -o $EXTDEV -s $VPNLAN -j ACCEPT
-iptables -A FORWARD -i $EXTDEV -o $VPNDEV -d $VPNLAN -m state --state RELATED,ESTABLISHED -j ACCEPT
-iptables -t nat -A POSTROUTING -s $VPNLAN -o $EXTDEV -j SNAT --to-source
-;;
-
-restart)
-$0 stop && $0 start
-;;
-
-esac
-}}}
\ No newline at end of file
+
+Sample Configs für OpenVPN mit NAT für inet (redirect-gateway) auf einem Internet Server (+ OpenVZ)
+
+OpenVPN Sampe Server Config:
+[[!format txt """
+port 1194
+
+proto tcp
+dev tun
+tls-server
+server 192.168.50.0 255.255.255.240 # NETZ ÄNDERN JE NACH BEDARF!
+
+ca /etc/openvpn/certs/ca_cert_vpn.pem
+cert /etc/openvpn/certs/server_cert_vpn.pem
+key /etc/openvpn/certs/server_key_vpn.pem
+dh /etc/openvpn/certs/dh2048.pem
+
+#Routes the packages to the intern network, you should use iptables instead of this
+#push "route 192.168.0.0 255.255.255.192"
+#push "dhcp-option DNS 192.168.50.3"
+
+#keepalive 10 120
+
+auth SHA1
+
+user root
+group root
+
+persist-key
+persist-tun
+
+verb 3
+comp-lzo
+client-to-client
+status /etc/openvpn/openvpn-status.log
+log-append /var/log/openvpn.log
+"""]]
+Client Sample Config:
+[[!format txt """
+client
+dev tup
+proto tcp-client
+remote example.net
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+auth SHA1
+ca certs/ca_cert_vpn.pem
+cert certs/_cert_vpn.pem
+key certs/_key_vpn.pem
+comp-lzo
+verb 0
+port 143
+#tls-remote VPNServer
+persist-local-ip
+"""]]
+Zertifikate bauen: (common name muss wie der Host heißen!)
+[[!format txt """
+#!/bin/bash
+
+
+mkdir certs
+cd certs
+echo "CA Cert erstellen..."
+openssl genrsa -aes256 -out ca_key_vpn.pem 2048
+openssl req -new -x509 -days 3650 -key ca_key_vpn.pem -out ca_cert_vpn.pem -set_serial 1
+chmod 700 ../certs
+touch serial
+echo "01" > serial
+
+
+echo ""
+echo "Server Cert erstellen..."
+echo "Wichtig: Common Name einzigartig halten und merken - wird sp.eter im VPN Script gebraucht"
+echo ""
+openssl req -new -newkey rsa:2048 -out server_csr_vpn.pem -nodes -keyout server_key_vpn.pem -days 3650
+openssl x509 -req -in server_csr_vpn.pem -out server_cert_vpn.pem -CA ca_cert_vpn.pem -CAkey ca_key_vpn.pem -CAserial serial -days 3650
+rm server_csr_vpn.pem
+
+
+echo ""
+echo "Zufallszahlen erstellen..."
+openssl dhparam -out dh2048.pem 2048
+echo ""
+
+
+echo "Client Certs mit folgendem Commando vorbereiten:"
+echo "./clientcerts "
+"""]]
+Clientcerts
+[[!format txt """
+#!/bin/bash
+
+
+cd certs
+echo "Client Cervorbvorbereiten..."
+openssl req -new -newkey rsa:2048 -out $1_csr_vpn.pem -nodes -keyout $1_key_vpn.pem -days 3650
+
+
+echo ""
+echo "Client Certs erstellen..."
+openssl x509 -req -in $1_csr_vpn.pem -out $1_cert_vpn.pem -CA ca_cert_vpn.pem -CAkey ca_key_vpn.pem -CAserial serial -days 3650
+echo ""
+echo "CSR Cert loeschen..."
+rm $1_csr_vpn.pem
+echo "Clientcert $1_cert_vpn.pem und Clientkey $1_key_vpn.pem erstellt..."
+cd ..
+"""]]
+iptables für routing:
+[[!format txt """
+#!/bin/bash
+
+case $1 in
+stop)
+iptables -t filter -F INPUT
+iptables -t filter -F OUTPUT
+iptables -t filter -F FORWARD
+iptables -t filter -P INPUT ACCEPT
+iptables -t filter -P OUTPUT ACCEPT
+iptables -t filter -P FORWARD ACCEPT
+;;
+
+start)
+#$0 stop
+iptables -t nat -F POSTROUTING
+
+VPNDEV=tun0
+EXTDEV=venet0 # ANPASSEN BEI BEDARF
+VPNLAN=192.168.50.0/28 # BEI BEDARF ÄNDERN!
+echo 1 > /proc/sys/net/ipv4/ip_forward
+echo 1 > /proc/sys/net/ipv4/ip_dynaddr
+
+iptables -t filter -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
+iptables -t nat -A POSTROUTING -o $VPNDEV -j MASQUERADE
+
+iptables -A INPUT -i $VPNDEV -s $VPNLAN -j ACCEPT
+iptables -A FORWARD -i $VPNDEV -o $EXTDEV -s $VPNLAN -j ACCEPT
+iptables -A FORWARD -i $EXTDEV -o $VPNDEV -d $VPNLAN -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -t nat -A POSTROUTING -s $VPNLAN -o $EXTDEV -j SNAT --to-source
+;;
+
+restart)
+$0 stop && $0 start
+;;
+
+esac
+"""]]
\ No newline at end of file
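Review bot: The client config on the new side still has `#tls-remote VPNServer` commented out and no `remote-cert-tls server`, so the client only checks that the server certificate chains to the CA — and because the clientcerts script signs with `openssl x509 -req` and no extension file, every client certificate is an unrestricted end-entity cert, so any holder of one can impersonate the server and sit in the middle of the tunnel; add `remote-cert-tls server` to the client config and issue the server certificate with `extendedKeyUsage=serverAuth` via `-extfile`. The server config also runs as `user root` / `group root`, so a compromised openvpn process keeps full privileges; since `persist-key` and `persist-tun` are already set, `user nobody` / `group nogroup` drops them after the tun device and key are opened. Smaller points: `dev tup` in the client config should be `dev tun`, `auth SHA1` and `comp-lzo` (compressing tunnelled traffic exposes it to VORACLE-style attacks) are weak defaults, and `-j SNAT --to-source` in the iptables script has no address, so that line fails and the FORWARD rules are installed without NAT. The commit itself only swaps the `{{{`/`}}}` markers for ikiwiki `[[!format txt`, so these issues predate it.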