tips:vpn:openvpn

tips:vpn:openvpn [2015/07/24 12:13] – created scipio
tips:vpn:openvpn [2018/06/14 17:54] (current) – [Linux client] scipio
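--- a/tips:vpn:openvpn
+++ b/tips:vpn:openvpn
@@ -15,4 +15,5 @@
 source vars
 ./clean-all
+./build-dh
 ./pkitool --initca
 </code>
@@ -22,6 +23,7 @@
 <code>
 NAME=legnago-gw
-./pkitool --pass --server $NAME
+./pkitool --pass --server $NAME # create passphrase here 
-openssl rsa -in keys/$NAME.key -out keys/$NAME.pem
+openssl rsa -in keys/$NAME.key -out keys/$NAME.pem # give passphrase here 
+chmod 600 keys/$NAME.pem
 </code>
 
@@ -44,2 +46,193 @@
 </code>
 
+<del>Simplier method</del>
+<code bash>
+openssl genrsa -des3 -out ca.key 4096
+
+# specify dns name of mikrotik server in common name
+openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
+
+# now import in mikrotik ca.crt and after ca.key
+</code>
+
+ip pool
+<code>
+/ip pool add name=ovpn-pool ranges=10.15.32.34-10.15.32.38
+</code>
+
+profile and vpn user
+<code>
+/ppp profile 
+add change-tcp-mss=default comment="" local-address=10.15.32.33 \
+name="your_profile" only-one=default remote-address=ovpn-pool \
+use-compression=default use-encryption=required use-vj-compression=default
+</code>
+
+define vpn user
+<code>
+/ppp secret 
+add caller-id="" comment="" disabled=no limit-bytes-in=0 \
+limit-bytes-out=0 name="username" password="password" \
+routes="" service=any
+</code>
+
+openvpn instance
+<code>
+/interface ovpn-server server 
+set auth=sha1,md5 certificate=router_cert \
+cipher=blowfish128,aes128,aes192,aes256 default-profile=your_profile \
+enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \
+port=1194 require-client-certificate=no
+</code>
+
+===== Linux client =====
+
+<code>
+apt-get install openvpn
+</code>
+
+/etc/openvpn/client1.conf
+<code>
+dev tun
+proto tcp-client
+
+remote legnago.csgalileo.org 1194 
+
+ca  /etc/easy-rsa-legnago/keys/ca.crt
+cert /etc/easy-rsa-legnago/keys/nms.crt
+key  /etc/easy-rsa-legnago/keys/nms.pem
+
+tls-client
+port 1194 
+
+user nobody
+group nogroup
+
+#comp-lzo # Do not use compression. It doesn't work with RouterOS (at least up to RouterOS 3.0rc9)
+
+# More reliable detection when a system loses its connection.
+ping 15
+ping-restart 45
+ping-timer-rem
+persist-tun
+persist-key
+
+# Silence  the output of replay warnings, which are a common false
+# alarm on WiFi networks.  This option preserves the  security  of
+# the replay protection code without the verbosity associated with
+# warnings about duplicate packets.
+mute-replay-warnings
+
+# Verbosity level.
+# 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose
+verb 3
+
+cipher AES-256-CBC
+auth SHA1
+pull
+
+auth-user-pass auth.cfg 
+script-security 2
+up /etc/openvpn/up.sh
+</code>
+
+/etc/openvpn/up.sh (chmod +x)
+<code>
+#!/bin/sh
+
+ip route add 10.90.0.0/16 via 10.15.32.33
+</code>
+
+/etc/openvpn/auth.cfg
+<code>
+username
+password
+</code>
+
+Start service with systemd
+<code>
+systemctl start openvpn@client1
+systemctl enable openvpn@client1
+</code>
+
+===== Linux server =====
+
+<file txt /etc/openvpn/server.conf>
+proto tcp
+dev tun
+
+ca /etc/easy-rsa/keys/ca.crt
+cert /etc/easy-rsa/keys/captive.crt
+key /etc/easy-rsa/keys/captive.pem
+dh /etc/easy-rsa/keys/dh2048.pem
+
+server 10.4.0.0 255.255.255.0
+ifconfig-pool-persist ipp.txt
+keepalive 10 120
+cipher BF-CBC
+max-clients 100
+client-config-dir ccd
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+persist-key
+persist-tun
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+#status /var/log/openvpn/captive.stats
+log /var/log/openvpn/captive.log
+
+
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+#log         openvpn.log
+#log-append  openvpn.log
+verb 0
+
+# Silence repeating messages.  At most 20
+# sequential messages of the same message
+# category will be output to the log.
+mute 20
+
+#fragment 1300
+mssfix 1300
+#link-mtu 1503
+#tun-mtu 1460
+
+
+#client-connect /etc/openvpn/on-client-connect
+script-security 2
+push "explicit-exit-notify"
+
+management localhost 7505
+
+client-to-client
+
+</file>
+
+===== Mikrotik client =====
+
+Import certificates
+<code>
+import file-name=ca.crt
+import file-name=galileo.crt
+import file-name=galileo.pem
+</code>
+
+
+===== LXD =====
+
+To enable tun inside container
+<code>
+lxc config device add <NAME> tun unix-char path=/dev/net/tun
+</code>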
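Review bot: The new client1.conf in the Linux client section checks the server only against the CA (`ca`, `tls-client`) and has no `remote-cert-tls server` line, so any certificate issued by that CA, including another client's, would be accepted as the server endpoint; add `remote-cert-tls server` after `tls-client` (the server certificate must then carry the server extended key usage, which the `./pkitool --server` step earlier on the page appears to set — confirm this for a RouterOS-issued certificate before relying on it). The server.conf in the Linux server section sets `cipher BF-CBC`, a 64-bit block cipher, while the client block already specifies `cipher AES-256-CBC`; the server line should be brought in line with the client, and the RouterOS `auth=sha1,md5` / `cipher=blowfish128,...` list likewise leaves MD5 and Blowfish negotiable. The plaintext `auth.cfg` created for `auth-user-pass` deserves the same `chmod 600` this commit adds for `keys/$NAME.pem`.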