OpenVPN : Configure VPN Server2024/09/23 |
Install OpenVPN to Configure Virtual Private Network.
This example is based on the environment like follows. On this example, it needs to set IP Masquerading on Router, too. +----------------------+ | [ OpenVPN Server ] |172.16.100.1 | dlp.srv.world +--------+ | |tun | +-----------+----------+ | vtnet0|10.0.0.30 | | | | Local Network | 10.0.0.1| | +------+-----+ | -------| Router |-------------|----- +------+-----+ | | | | Internet | --------------+-------------------|----- | | | Local Network | 192.168.0.30| | +-----------+----------+ | | |tun | | VPN Client +--------+ | |172.16.100.x +----------------------+ |
[1] | Install OpenVPN. |
root@dlp:~ # pkg install -y openvpn easy-rsa
|
[2] | Create CA and Certificates. |
root@dlp:~ # easyrsa init-pki Notice ------ 'init-pki' complete; you may now create a CA or requests. Your newly created PKI dir is: * /root/pki Using Easy-RSA configuration: * undefined # create CA root@dlp:~ # easyrsa build-ca
No Easy-RSA 'vars' configuration file exists!
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
# set any pass-phrase
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Server-CA
Notice
------
CA creation complete. Your new CA certificate is at:
* /root/pki/ca.crt
# create server certificates # any name is OK for [server1] name # (it is set for file name of certs or commonName) root@dlp:~ # easyrsa build-server-full server1 nopass No Easy-RSA 'vars' configuration file exists! Using SSL: * openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) ..... ..... Notice ------ Private-Key and Public-Certificate-Request files created. Your files are: * req: /root/pki/reqs/server1.req * key: /root/pki/private/server1.key You are about to sign the following certificate: Request subject, to be signed as a server certificate for '825' days: subject= commonName = server1 Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /root/pki/openssl-easyrsa.cnf # answer with pass-phrase set on CA Enter pass phrase for /root/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'server1' Certificate is to be certified until Dec 27 00:25:48 2026 GMT (825 days) Write out database with 1 new entries Database updated Notice ------ Certificate created at: * /root/pki/issued/server1.crt Notice ------ Inline file created: * /root/pki/inline/server1.inline # create client certificates # any name is OK for [client1] name # (it is set for file name of certs or commonName) root@dlp:~ # easyrsa build-client-full client1 nopass No Easy-RSA 'vars' configuration file exists! Using SSL: * openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) ..... ..... Notice ------ Private-Key and Public-Certificate-Request files created. Your files are: * req: /root/pki/reqs/client1.req * key: /root/pki/private/client1.key You are about to sign the following certificate: Request subject, to be signed as a client certificate for '825' days: subject= commonName = client1 Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /root/pki/openssl-easyrsa.cnf # answer with pass-phrase set on CA Enter pass phrase for /root/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'client1' Certificate is to be certified until Dec 27 00:27:59 2026 GMT (825 days) Write out database with 1 new entries Database updated Notice ------ Certificate created at: * /root/pki/issued/client1.crt Notice ------ Inline file created: * /root/pki/inline/client1.inline # generate Diffie Hellman ( DH ) parameter root@dlp:~ # easyrsa gen-dh No Easy-RSA 'vars' configuration file exists! Using SSL: * openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) Generating DH parameters, 2048 bit long safe prime ..... ..... DH parameters appear to be ok. Notice ------ DH parameters of size 2048 created at: * /root/pki/dh.pem # create TLS-Auth key root@dlp:~ # openvpn --genkey secret ./pki/ta.key
# copy generated certs root@dlp:~ # mkdir /usr/local/etc/openvpn root@dlp:~ # cp -pR ./pki/issued /usr/local/etc/openvpn/ root@dlp:~ # cp -pR ./pki/private /usr/local/etc/openvpn/ root@dlp:~ # cp -pR ./pki/ca.crt /usr/local/etc/openvpn/ root@dlp:~ # cp -pR ./pki/dh.pem /usr/local/etc/openvpn/ root@dlp:~ # cp -pR ./pki/ta.key /usr/local/etc/openvpn/
|
[3] | Configure OpenVPN. |
# copy sample configuration root@dlp:~ # cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/openvpn.conf
root@dlp:~ #
vi /usr/local/etc/openvpn/openvpn.conf # line 32 : change if need (listening port of OpenVPN) port 1194 # line 35 : change if need (use udp on this example) ;proto tcp proto udp # line 53 : change if need (use tun on this example) ;dev tap dev tun # line 86 : specify certificates ca ca.crt cert issued/server1.crt key private/server1.key
# line 93 : specify DH file dh dh.pem
# line 115 : specify network to be used on VPN # any network are OK except your local network server 172.16.100.0 255.255.255.0
# line 156 : uncomment and change to your local network push "route 10.0.0.0 255.255.255.0 "
# line 245 : keepalive settings keepalive 10 120 # line 258 : uncomment and specify TLS-Auth key tls-auth ta.key 0
# line 276 : enable persist options persist-key persist-tun # line 301 : specify log level (0 - 9, 9 means debug level) verb 3 service openvpn enable openvpn enabled in /etc/rc.conf root@dlp:~ # service openvpn start Starting openvpn. |
[4] |
Transfer certificates below to VPN client host.
* /usr/local/etc/openvpn/ca.crt |
[5] | Configure packet filters to allow VPN clients to access to local network. |
root@dlp:~ #
sysctl net.inet.ip.forwarding=1 net.inet.ip.forwarding: 0 -> 1 root@dlp:~ # echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf
root@dlp:~ #
vi /etc/pf.conf # create new ext_if = "vtnet0" wg_net = "172.16.100.0/24" set skip on lo scrub in on $ext_if all fragment reassemble nat on $ext_if from $wg_net to any -> ($ext_if)
root@dlp:~ #
service pflog enable pflog enabled in /etc/rc.conf root@dlp:~ # service pf enable pf enabled in /etc/rc.conf root@dlp:~ # service pf start root@dlp:~ # service pflog start
# if your WireGuard server is running on virtual machine, disable checksum offload root@dlp:~ # ifconfig vtnet0 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro root@dlp:~ # echo "ifconfig vtnet0 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro" >> /etc/rc.conf
|
Sponsored Link |