Sample Configs für OpenVPN mit NAT für inet (redirect-gateway) auf einem Internet Server (+ OpenVZ)
OpenVPN Sample Server Config:
# OpenVPN server side: TCP listener on 1194, TLS server handing out addresses
# from a /28 to clients. Paths refer to the files produced by the cert script below.
port 1194
proto tcp
# both ends must use the same device type (the client config must say "dev tun" too)
dev tun
tls-server
server 192.168.50.0 255.255.255.240 # change the network as needed (must match VPNLAN in the iptables script)
ca /etc/openvpn/certs/ca_cert_vpn.pem
cert /etc/openvpn/certs/server_cert_vpn.pem
key /etc/openvpn/certs/server_key_vpn.pem
dh /etc/openvpn/certs/dh2048.pem
# NOTE(review): no tls-auth/tls-crypt key is configured, so every peer that can
# reach the port gets a full TLS handshake; a pre-shared HMAC key would let the
# server drop unauthenticated packets before the handshake starts.
#Routes the packages to the intern network, you should use iptables instead of this
#push "route 192.168.0.0 255.255.255.192"
#push "dhcp-option DNS 192.168.50.3"
#keepalive 10 120
# data-channel HMAC digest; the client must use the same value. SHA1 is a weak
# choice - SHA256 is available on current server and client builds (confirm versions).
auth SHA1
# NOTE(review): the daemon keeps running as root. persist-key/persist-tun below are
# what is needed to drop to an unprivileged account after startup (e.g. user nobody,
# group nogroup on Debian-style systems); consider that instead of root/root.
user root
group root
persist-key
persist-tun
verb 3
# NOTE(review): compression on the tunnel is the precondition for VORACLE-style
# compression-oracle attacks; newer OpenVPN releases deprecate comp-lzo.
comp-lzo
# clients may reach each other directly inside the OpenVPN process; that traffic
# does not traverse the kernel FORWARD chain, so the iptables rules below cannot filter it
client-to-client
status /etc/openvpn/openvpn-status.log
log-append /var/log/openvpn.log
Client Sample Config:
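# OpenVPN client side for the server config above. <USER> is the name that was
# passed to ./clientcerts when the client certificate was issued.
client
# the server runs "dev tun"; the original page had "dev tup", which is not a valid
# device type (tun/tap/null) - both ends must use tun
dev tun
proto tcp-client
remote example.net # placeholder: hostname or IP of the VPN server
resolv-retry infinite
nobind
persist-key
persist-tun
# must match the server's "auth" (see the note there about SHA1)
auth SHA1
ca certs/ca_cert_vpn.pem
cert certs/<USER>_cert_vpn.pem
key certs/<USER>_key_vpn.pem
# must match the server; see the note on the server config about compression
comp-lzo
verb 0
# NOTE(review): the server config listens on 1194; 143 only works if that port
# is forwarded to the server or the server config is changed - confirm
port 143
# NOTE(review): tls-remote is deprecated and removed in newer OpenVPN releases;
# verify-x509-name with the server's common name is the replacement. With it commented
# out (and no remote-cert-tls) nothing pins the server identity beyond the CA, so any
# certificate issued by this CA - a client's included - would be accepted as the server.
#tls-remote VPNServer
persist-local-ip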
Zertifikate bauen: (common name muss wie der Host heißen!)
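#!/bin/bash
# Builds the CA, the server certificate and the DH parameters for the OpenVPN
# setup documented above. Run once from the directory that should contain certs/.
# openssl prompts interactively (CA passphrase, subject fields); the common name
# of the server certificate must be unique and is needed again in the VPN config.
set -euo pipefail

# private keys are written by openssl with the current umask; make them
# owner-readable only instead of world-readable
umask 077

# refuse to run a second time: an existing certs/ most likely holds a live CA key,
# and the original script would silently overwrite it
mkdir certs || { echo "Fehler: Verzeichnis certs existiert bereits - Abbruch" >&2; exit 1; }
chmod 700 certs
cd certs || exit 1

echo "CA Cert erstellen..."
# CA key is passphrase-protected (aes256); the self-signed CA cert is valid 10 years
openssl genrsa -aes256 -out ca_key_vpn.pem 2048
openssl req -new -x509 -days 3650 -key ca_key_vpn.pem -out ca_cert_vpn.pem -set_serial 1
# serial counter used (and incremented) by -CAserial when issuing certificates
echo "01" > serial
echo ""

echo "Server Cert erstellen..."
echo "Wichtig: Common Name einzigartig halten und merken - wird sp.eter im VPN Script gebraucht"
echo ""
# CSR + unencrypted server key (-nodes: the daemon must read the key without a passphrase)
openssl req -new -newkey rsa:2048 -out server_csr_vpn.pem -nodes -keyout server_key_vpn.pem -days 3650
# issued without any X.509 extensions (no -extfile), so server and client certs are
# indistinguishable by content; see the note on the client config
openssl x509 -req -in server_csr_vpn.pem -out server_cert_vpn.pem -CA ca_cert_vpn.pem -CAkey ca_key_vpn.pem -CAserial serial -days 3650
rm -f -- server_csr_vpn.pem
echo ""

# Diffie-Hellman parameters for the server's "dh" directive; this step is slow
echo "Zufallszahlen erstellen..."
openssl dhparam -out dh2048.pem 2048
echo ""

echo "Client Certs mit folgendem Commando vorbereiten:"
echo "./clientcerts "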
Clientcerts
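#!/bin/bash
# Issues a client certificate signed by the CA built above.
# Usage: ./clientcerts <name>
# Produces certs/<name>_cert_vpn.pem and certs/<name>_key_vpn.pem; the CA
# passphrase is prompted for by openssl.
set -euo pipefail

name=${1:-}
# the name becomes a file prefix, so reject empty values and anything that could
# leave certs/ or be read as an option or glob (slashes, spaces, leading '-');
# the original used "$1" unquoted and unchecked
if [[ -z "$name" || ! "$name" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  echo "Aufruf: $0 <clientname>  (nur Buchstaben, Ziffern, . _ -)" >&2
  exit 2
fi

# private key must not be world-readable
umask 077
cd certs || { echo "Fehler: Verzeichnis certs nicht gefunden - zuerst das CA-Script ausfuehren" >&2; exit 1; }

echo "Client Cervorbvorbereiten..."
# CSR + unencrypted client key (-nodes)
openssl req -new -newkey rsa:2048 -out "${name}_csr_vpn.pem" -nodes -keyout "${name}_key_vpn.pem" -days 3650
echo ""

echo "Client Certs erstellen..."
# signed by the CA; "serial" is the counter created by the CA script
openssl x509 -req -in "${name}_csr_vpn.pem" -out "${name}_cert_vpn.pem" -CA ca_cert_vpn.pem -CAkey ca_key_vpn.pem -CAserial serial -days 3650
echo ""

echo "CSR Cert loeschen..."
rm -f -- "${name}_csr_vpn.pem"
echo "Clientcert ${name}_cert_vpn.pem und Clientkey ${name}_key_vpn.pem erstellt..."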
iptables für routing:
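#!/bin/bash
# Firewall/NAT rules for the OpenVPN server: clients in VPNLAN (arriving on VPNDEV)
# may reach the internet through EXTDEV and are source-NATed to the server's IP.
# Usage: $0 start|stop|restart   (needs root)
set -u

VPNDEV=tun0
EXTDEV=venet0              # adjust as needed (venet0 is the external interface on OpenVZ)
VPNLAN=192.168.50.0/28     # adjust as needed; must match "server" in the OpenVPN config
EXTIP="<IP DES SERVERS>"   # placeholder from the original page: public IP used for SNAT

#######################################
# Enable forwarding and install the VPN rules.
# NOTE: only the nat POSTROUTING chain is flushed; the filter rules are appended,
# so running "start" twice duplicates them - use "restart" for a clean state.
# The FORWARD ACCEPT rules only have an effect if the FORWARD policy is DROP,
# which nothing on this page sets; with the default ACCEPT policy the host
# forwards everything regardless of these rules.
#######################################
start() {
  iptables -t nat -F POSTROUTING
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr
  iptables -t filter -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
  iptables -t nat -A POSTROUTING -o "$VPNDEV" -j MASQUERADE
  iptables -A INPUT -i "$VPNDEV" -s "$VPNLAN" -j ACCEPT
  iptables -A FORWARD -i "$VPNDEV" -o "$EXTDEV" -s "$VPNLAN" -j ACCEPT
  iptables -A FORWARD -i "$EXTDEV" -o "$VPNDEV" -d "$VPNLAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -t nat -A POSTROUTING -s "$VPNLAN" -o "$EXTDEV" -j SNAT --to-source "$EXTIP"
}

#######################################
# Flush the filter chains and open the policies.
# NOTE: ip_forward stays at 1 and the nat table is left untouched, so after
# "stop" the host still forwards packets (with the SNAT rule still in place).
#######################################
stop() {
  iptables -t filter -F INPUT
  iptables -t filter -F OUTPUT
  iptables -t filter -F FORWARD
  iptables -t filter -P INPUT ACCEPT
  iptables -t filter -P OUTPUT ACCEPT
  iptables -t filter -P FORWARD ACCEPT
}

case "${1:-}" in
  start) start ;;
  stop) stop ;;
  restart) stop && start ;;
  *)
    echo "Aufruf: $0 {start|stop|restart}" >&2
    exit 2
    ;;
esac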