
OpenVPN copy-paste Howto

Server side

(become root or sudo everything)

    aptitude install openvpn
    cp -rp /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa2
    cd /etc/openvpn/easy-rsa2

Now you can first generate some certificates.

    . ./vars                # to set the env variables
    ./clean-all             # first run only: creates keys/ (wipes any existing keys)
    ./build-dh
    ./build-ca              # answer some questions
    ./build-key-server Foo  # server
    ./build-key Bar         # client

Create a server config /etc/openvpn/Foo.conf

    proto tcp
    port 443                                    # https port
    dev tun
    ca /etc/openvpn/easy-rsa2/keys/ca.crt
    cert /etc/openvpn/easy-rsa2/keys/Foo.crt
    key /etc/openvpn/easy-rsa2/keys/Foo.key
    dh /etc/openvpn/easy-rsa2/keys/dh1024.pem   # written by ./build-dh; file name follows KEY_SIZE in vars
    server 192.168.99.0 255.255.255.0
    client-config-dir /etc/openvpn/ccd          # only if you need fixed IPs or other client stuff
    client-to-client                            # only if clients may connect to other clients
    push "route 10.0.0.0 255.255.255.0"         # push a route to the client
    keepalive 10 60                             # keep your connection alive (needed for some firewalls)
    comp-lzo                                    # compress the traffic
    ping-timer-rem                              # this will end lost peer connections
    persist-tun                                 # keep the tun interface up, even when the connection is lost;
                                                # then you don't lose your active sessions like ssh
    persist-key                                 # don't re-read key files across SIGUSR1 or --ping-restart
    max-clients 10                              # you need limits ...
    status /var/log/openvpn-status.log          # logging ...
    mute 5                                      # mute the logging a bit in case of problems
    daemon                                      # comment out for debug, then all
    #verb 3                                     # for verbose logging when there are problems

Now also a sample ccd file for the client Bar (/etc/openvpn/ccd/Bar)

    ifconfig-push 192.168.99.3 192.168.99.1

Don't use IPs 1 and 2 for clients.

Start the server

    /usr/sbin/openvpn /etc/openvpn/Foo.conf

Client side

(become root or sudo everything)

    aptitude install openvpn

Copy the keys you need for client Bar (from Foo:/etc/openvpn/easy-rsa2/keys/...), then create a client config /etc/openvpn/Bar.conf

    client
    dev tun
    proto tcp
    remote Foo.domain.com 443
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/Bar.crt
    key /etc/openvpn/Bar.key
    comp-lzo
    keepalive 10 30
    #verb 5
    daemon

Start the client

    /usr/sbin/openvpn /etc/openvpn/Bar.conf
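A quick audit of the two configs above for settings a hardened deployment would normally add, as an added example that is not part of the original howto. The function names and finding ids are made up for this example, the embedded configs are shortened copies of the page's, and the DH size is inferred from the easy-rsa file name rather than read from the file.

```python
import re, shlex

# Constructed inputs: the page's two configs, shortened to the relevant lines.
SERVER_CONF = """\
proto tcp
port 443   # https port
dh /etc/openvpn/easy-rsa2/keys/dh1024.pem
server 192.168.99.0 255.255.255.0
client-config-dir /etc/openvpn/ccd  # only if you need fixed IPs
client-to-client
"""
CLIENT_CONF = """\
client
proto tcp
remote Foo.domain.com 443
persist-key
persist-tun
"""

def parse(text):
    """Map each directive to its argument lists; '#' and ';' start comments."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        words = shlex.split(line, comments=True)
        if words:
            conf.setdefault(words[0], []).append(words[1:])
    return conf

def audit(text):
    """Return sorted finding ids (hypothetical names, made up for this example)."""
    c, out = parse(text), []
    if "client" in c and not c.keys() & {"remote-cert-tls", "ns-cert-type"}:
        out.append("no-server-cert-check")  # any cert from this CA can pose as the server
    if not c.keys() & {"tls-auth", "tls-crypt"}:
        out.append("no-tls-auth")           # control channel accepts unauthenticated packets
    if not c.keys() >= {"user", "group"}:
        out.append("runs-as-root")          # daemon keeps root after start-up
    for args in c.get("dh", []):
        m = re.search(r"dh(\d+)\.pem$", args[0]) if args else None
        if m and int(m.group(1)) < 2048:    # heuristic: easy-rsa puts the size in the name
            out.append("weak-dh")
    if "client-to-client" in c:
        out.append("client-to-client")      # peer traffic bypasses the host firewall
    return sorted(out)
```

Calling `audit(SERVER_CONF)` and `audit(CLIENT_CONF)` lists what each config is missing; a config that adds `remote-cert-tls server`, a `tls-auth` key, and `user`/`group` returns an empty list.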