Sample Configs für OpenVPN mit NAT für inet (redirect-gateway) auf einem Internet Server (+ OpenVZ)

OpenVPN Sample Server Config:

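# Listening port and protocol. The client sample connects to port 143, so
# either change one side or forward 143 -> 1194 in front of the server.
port 1194
proto tcp
dev tun
tls-server

# VPN subnet handed out to clients. Must agree with VPNLAN in the iptables
# script, otherwise nothing gets forwarded/NATed.
server 192.168.50.0 255.255.255.240 # CHANGE THE NETWORK AS NEEDED!

ca /etc/openvpn/certs/ca_cert_vpn.pem
cert /etc/openvpn/certs/server_cert_vpn.pem
key /etc/openvpn/certs/server_key_vpn.pem
dh /etc/openvpn/certs/dh2048.pem

# Optional: push a route to an internal network / a DNS server to clients.
# A pushed route only changes the client's routing table; the host still has
# to permit and NAT that traffic in the iptables script.
#push "route 192.168.0.0 255.255.255.192"
#push "dhcp-option DNS 192.168.50.3"
# To send all client Internet traffic through the tunnel (what the SNAT rule
# in the iptables script is for) the client's default gateway must be
# redirected, either pushed from here or set in the client config:
#push "redirect-gateway def1"

#keepalive 10 120

# HMAC for the data channel. SHA1 is weak; move to SHA256, but change it on
# the server AND on every client at the same time, the values must match.
auth SHA1

# Drop root after the tunnel and keys are set up (the daemon should not sit
# on the Internet as root). persist-key/persist-tun below are what allow a
# SIGUSR1 restart without those privileges. RHEL-family: "group nobody".
user nobody
group nogroup

persist-key
persist-tun

verb 3

# Compressing traffic before encryption is discouraged (compression-oracle
# attacks) and comp-lzo is deprecated in current OpenVPN. Keep it only while
# every client still has it; remove on both sides together.
comp-lzo

# Lets clients talk to each other inside OpenVPN, bypassing the host's
# FORWARD chain. Remove if clients must not see each other.
client-to-client

status /etc/openvpn/openvpn-status.log
log-append /var/log/openvpn.log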

Client Sample Config:

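client
# Must match the server's "dev tun" ("tup" is not a valid device type and
# OpenVPN refuses to start with it).
dev tun
proto tcp-client
remote example.net
resolv-retry infinite
nobind
persist-key
persist-tun
# Must be identical to the server's "auth" (prefer SHA256 on both sides).
auth SHA1
ca certs/ca_cert_vpn.pem
cert certs/<USER>_cert_vpn.pem
key certs/<USER>_key_vpn.pem
# Has to match the server; drop on both sides if possible (see server config).
comp-lzo
verb 0
# Server port. The sample server listens on 1194, so 143 only works if
# something forwards 143 -> 1194 in front of it.
port 143
# Server identity check. Without one, ANY certificate signed by this CA --
# including another client's -- is accepted as the server, so a malicious
# client can impersonate it. "tls-remote" was removed in OpenVPN 2.4; use
# verify-x509-name with the Common Name of the server certificate instead.
# If the server certificate carries the serverAuth EKU, "remote-cert-tls
# server" is the simpler alternative.
#verify-x509-name VPNServer name
persist-local-ip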

Zertifikate bauen (der Common Name muss eindeutig sein; beim Server-Zertifikat sollte er dem Namen entsprechen, den der Client prüft – tls-remote bzw. verify-x509-name):

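#!/usr/bin/env bash
# Creates a private CA, the OpenVPN server certificate and DH parameters in
# ./certs. Interactive: openssl prompts for the CA passphrase and for the
# certificate subjects.
#
# Security notes:
#  - refuses to run when ./certs already exists, so an existing CA key is
#    never silently overwritten (openssl -out would just clobber it);
#  - umask 077 keeps every generated key owner-readable only -- the server
#    key is written unencrypted (-nodes);
#  - the server certificate gets extendedKeyUsage=serverAuth, so clients can
#    use "remote-cert-tls server" and no client certificate issued by this CA
#    can be presented as the server.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

if [[ -e certs ]]; then
  die "certs/ already exists - refusing to overwrite an existing CA"
fi
umask 077
mkdir -m 700 certs
cd certs || die "cannot enter certs/"

echo "CA Cert erstellen..."
# The CA key is passphrase-protected (-aes256); the passphrase is requested
# again every time a certificate is signed.
openssl genrsa -aes256 -out ca_key_vpn.pem 2048
openssl req -new -x509 -days 3650 -key ca_key_vpn.pem -out ca_cert_vpn.pem -set_serial 1
# Serial counter for issued certificates (openssl increments it before use).
echo "01" > serial

echo ""
echo "Server Cert erstellen..."
echo "Wichtig: Common Name einzigartig halten und merken - wird später im VPN Script gebraucht"
echo ""
# -nodes: the daemon has to read this key without a passphrase.
openssl req -new -newkey rsa:2048 -nodes -keyout server_key_vpn.pem -out server_csr_vpn.pem
# Sign with the CA and mark the certificate as a TLS server identity.
openssl x509 -req -in server_csr_vpn.pem -out server_cert_vpn.pem \
  -CA ca_cert_vpn.pem -CAkey ca_key_vpn.pem -CAserial serial -days 3650 \
  -extfile <(printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n')
rm -f -- server_csr_vpn.pem

echo ""
echo "Zufallszahlen erstellen..."
# DH parameters for the TLS handshake; generation takes a while.
openssl dhparam -out dh2048.pem 2048
echo ""

echo "Client Certs mit folgendem Commando vorbereiten:"
echo "./clientcerts <name>"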

Clientcerts

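#!/usr/bin/env bash
# Issues one OpenVPN client certificate from the CA in ./certs.
# Usage: ./clientcerts <name>
#   -> certs/<name>_cert_vpn.pem and certs/<name>_key_vpn.pem
# Interactive: openssl asks for the certificate subject and the CA passphrase.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

name=${1:-}
[[ -n "$name" ]] || die "usage: ${0##*/} <client-name>"
# The name becomes part of file names: restrict it so that "../x", spaces or
# option-like values cannot write outside certs/ or break the openssl calls.
if ! [[ "$name" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  die "client name may only contain letters, digits, '.', '_' and '-'"
fi

cd certs || die "certs/ not found - run the CA script first"
# Keys are written unencrypted (-nodes): owner-only permissions.
umask 077
if [[ -e "${name}_key_vpn.pem" ]]; then
  die "${name}_key_vpn.pem already exists - refusing to overwrite"
fi

echo "Client Cert vorbereiten..."
openssl req -new -newkey rsa:2048 -nodes -keyout "${name}_key_vpn.pem" -out "${name}_csr_vpn.pem"

echo ""
echo "Client Certs erstellen..."
# extendedKeyUsage=clientAuth: this certificate cannot be presented as the
# server to other clients, and the server may enforce "remote-cert-tls client".
openssl x509 -req -in "${name}_csr_vpn.pem" -out "${name}_cert_vpn.pem" \
  -CA ca_cert_vpn.pem -CAkey ca_key_vpn.pem -CAserial serial -days 3650 \
  -extfile <(printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n')
echo ""
echo "CSR Cert loeschen..."
rm -f -- "${name}_csr_vpn.pem"
echo "Clientcert ${name}_cert_vpn.pem und Clientkey ${name}_key_vpn.pem erstellt..."
cd ..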

iptables für routing:

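#!/usr/bin/env bash
# Host firewall/NAT for the OpenVPN server: forwards and SNATs traffic from
# the VPN subnet to the Internet (what redirect-gateway on the clients needs).
# Usage: $0 start|stop|restart   (run as root)
#
# Notes:
#  - IPv4 only. Clients with native IPv6 will reach IPv6 destinations outside
#    the tunnel unless that is handled separately.
#  - "start" appends to whatever filter rules are present (it only flushes
#    nat/POSTROUTING); use "restart" to re-apply cleanly.
set -euo pipefail

VPNDEV=tun0
EXTDEV=venet0                # ADJUST AS NEEDED
VPNLAN=192.168.50.0/28       # must match "server" in the OpenVPN config
EXTIP='<IP DES SERVERS>'     # public address used as SNAT source

die() { printf '%s\n' "$*" >&2; exit 1; }

# Remove every rule and fall back to open policies.
fw_stop() {
  iptables -t filter -F INPUT
  iptables -t filter -F OUTPUT
  iptables -t filter -F FORWARD
  iptables -t nat -F POSTROUTING
  iptables -t filter -P INPUT ACCEPT
  iptables -t filter -P OUTPUT ACCEPT
  iptables -t filter -P FORWARD ACCEPT
}

fw_start() {
  [[ "$EXTIP" != '<IP DES SERVERS>' ]] || die "set EXTIP to the server's public address first"
  iptables -t nat -F POSTROUTING

  echo 1 > /proc/sys/net/ipv4/ip_forward
  # Only relevant for dynamic addresses; with a dynamic address MASQUERADE
  # would be the better choice than SNAT below.
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr

  iptables -t filter -A INPUT -i lo -j ACCEPT
  iptables -t nat -A POSTROUTING -o "$VPNDEV" -j MASQUERADE

  # The two FORWARD rules below only restrict anything if the chain's policy
  # is DROP; with the default ACCEPT the host would forward for any source.
  iptables -t filter -P FORWARD DROP
  iptables -A INPUT -i "$VPNDEV" -s "$VPNLAN" -j ACCEPT
  iptables -A FORWARD -i "$VPNDEV" -o "$EXTDEV" -s "$VPNLAN" -j ACCEPT
  iptables -A FORWARD -i "$EXTDEV" -o "$VPNDEV" -d "$VPNLAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -t nat -A POSTROUTING -s "$VPNLAN" -o "$EXTDEV" -j SNAT --to-source "$EXTIP"
}

case "${1:-}" in
  start)   fw_start ;;
  stop)    fw_stop ;;
  restart) fw_stop; fw_start ;;
  *)       die "usage: ${0##*/} start|stop|restart" ;;
esac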