os:linux:debian:openvpn
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| os:linux:debian:openvpn [2017/12/21 12:42] – ebaer | os:linux:debian:openvpn [2017/12/21 14:12] (current) – ebaer | ||
|---|---|---|---|
| Line 33: | Line 33: | ||
| ./build-key client1 | ./build-key client1 | ||
| </ | </ | ||
| + | |||
| + | |||
| + | <file bash ufw> | ||
| + | ufw allow 1194/udp | ||
| + | |||
| + | nano / | ||
| + | -> DEFAULT_FORWARD_POLICY=" | ||
| + | |||
| + | nano / | ||
| + | # START OPENVPN RULES | ||
| + | # NAT table rules | ||
| + | *nat | ||
| + | : | ||
| + | # Allow traffic from OpenVPN client to eth0 | ||
| + | -A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE | ||
| + | COMMIT | ||
| + | # END OPENVPN RULES | ||
| + | |||
| + | </ | ||
| + | |||
| + | |||
| + | <file bash server.conf> | ||
| + | dev tun | ||
| + | persist-key | ||
| + | persist-tun | ||
| + | topology subnet | ||
| + | port 1194 | ||
| + | proto udp | ||
| + | keepalive 10 120 | ||
| + | |||
| + | # Location of certificate authority' | ||
| + | ca / | ||
| + | |||
| + | # Location of VPN server' | ||
| + | cert / | ||
| + | |||
| + | # Location of server' | ||
| + | key / | ||
| + | |||
| + | # Location of DH parameter file. | ||
| + | dh / | ||
| + | |||
| + | # The VPN's address block starts here. | ||
| + | server 10.8.0.0 255.255.255.0 | ||
| + | |||
| + | explicit-exit-notify 1 | ||
| + | |||
| + | # Drop root privileges and switch to the `ovpn` user after startup. | ||
| + | user ovpn | ||
| + | |||
| + | # OpenVPN process is exclusive member of ovpn group. | ||
| + | group ovpn | ||
| + | |||
| + | # Cryptography options. We force these onto clients by | ||
| + | # setting them here and not in client.ovpn. See | ||
| + | # `openvpn --show-tls`, | ||
| + | #`openvpn --show-digests` for all supported options. | ||
| + | tls-crypt / | ||
| + | auth SHA512 | ||
| + | tls-version-min 1.2 | ||
| + | tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384: | ||
| + | ncp-ciphers AES-256-GCM: | ||
| + | |||
| + | # Logging options. | ||
| + | ifconfig-pool-persist ipp.txt | ||
| + | status openvpn-status.log | ||
| + | log / | ||
| + | verb 3 | ||
| + | |||
| + | </ | ||
| + | |||
| + | <file bash client.ovpn> | ||
| + | # No cryptography options are specified here because we want | ||
| + | # the VPN server to push those settings to clients rather than | ||
| + | # allow clients to dictate their crypto. | ||
| + | |||
| + | client | ||
| + | dev tun | ||
| + | persist-key | ||
| + | persist-tun | ||
| + | proto udp | ||
| + | nobind | ||
| + | #user ovpn | ||
| + | #group ovpn | ||
| + | remote-cert-tls server | ||
| + | auth SHA512 | ||
| + | verb 3 | ||
| + | |||
| + | # Remote server' | ||
| + | # preferable over hostname so as not to rely | ||
| + | # on DNS lookups. | ||
| + | remote < | ||
| + | |||
| + | # To successfully import this profile, you | ||
| + | # want the client device' | ||
| + | # client certificate and key, and HMAC signature | ||
| + | # all in the same location as this .ovpn file. | ||
| + | ca ca.crt | ||
| + | cert client1.crt | ||
| + | key client1.key | ||
| + | tls-crypt ta.key | ||
| + | |||
| + | </ | ||
| + | |||
| + | < | ||
| + | journalctl -f | grep vpn | ||
| + | journalctl -xe | grep vpn | ||
| + | </ | ||
| + | |||
| + | ===== Tunnel ===== | ||
| + | |||
| + | <file bash tunnel> | ||
| + | # | ||
| + | push " | ||
| + | |||
| + | push " | ||
| + | push " | ||
| + | </ | ||
| + | |||
os/linux/debian/openvpn.1513856552.txt.gz · Last modified: 2017/12/21 12:42 by ebaer