OpenVPN

From SemarkIT

Install OpenVPN

apt-get install openvpn

Firewall (iptables)

IVPN='tap0'
iptables -A INPUT -m state --state NEW -i $IVPN -j ACCEPT
iptables -A FORWARD -i $IVPN -j ACCEPT

Create the certificates

# Copy the easy-rsa 2.0 scripts into /etc/openvpn and build the CA there
cp --preserve /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/
cd /etc/openvpn/
. ./vars        # load the certificate parameters (KEY_SIZE, KEY_COUNTRY, ...)
./clean-all     # empties the keys/ directory
./build-ca

VPN Configuration

vi /etc/openvpn/1_some-VPN.conf
# TCP or UDP server?
proto tcp
;proto udp

dev tap
;dev tun

# The IP address is set to the network address; the server gets the first address after it
server 172.16.202.0 255.255.255.0

push "route 172.16.0.0 255.255.0.0"
;push "route 192.168.20.0 255.255.255.0"

push "dhcp-option DNS 172.16.2.1"
push "dhcp-option WINS 172.16.2.3"

client-to-client

plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name

Windows OpenVPN client config file

ca ca.crt
auth-user-pass
tls-auth ta.key 1

A small trick

A particularly cool feature is the possibility of sharing a port with Apache; this should make it harder for network administrators along the path to censor or filter your OpenVPN packets.

“Sharing” is, however, a bit misleading, since two applications cannot listen on the same port at the same time. To share port 443, for instance, you have to make Apache listen on a different port. We made Apache listen on port 8443 instead by editing the ports.conf file to say:

nano /etc/apache2/ports.conf
# Normal HTTP
NameVirtualHost *:80
Listen 80

#SSL HTTPS
NameVirtualHost *:8443
Listen 8443

Now that port 443 is no longer taken by another application, we can make OpenVPN listen there instead. Non-OpenVPN traffic arriving on this port then has to be forwarded to Apache by OpenVPN, because we still want to reach Apache on port 443 from the "outside", as you would normally. This is accomplished by putting these lines into your OpenVPN config:

nano /etc/openvpn/1_some-VPN.conf
proto tcp
port 443
port-share 127.0.0.1 8443

Explanation: this feature only works for TCP, which is why you need the “proto tcp” line. Only OpenVPN listens on port 443; any non-OpenVPN packets are forwarded by OpenVPN to Apache on the "internal" port 8443, which in this case runs on the same server.
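The server config above and the port-share rule in this explanation interact in a few ways that are easy to get wrong (port-share silently needs TCP, client-cert-not-required shifts all authentication onto PAM, and a client's tls-auth needs a matching server directive). The following linter is an added example, not part of this page or of OpenVPN; the sample config it checks is constructed from the directives shown on this page.

```python
import re

# Constructed sample: the page's server config combined with its port-share lines.
SAMPLE_CONF = """\
# TCP or UDP server?
proto tcp
;proto udp
dev tap
port 443
port-share 127.0.0.1 8443
server 172.16.202.0 255.255.255.0
push "route 172.16.0.0 255.255.0.0"
client-to-client
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name
"""

def parse(conf):
    """Return active directives as (name, args); lines starting with ';' or '#' are comments."""
    directives = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        parts = re.findall(r'"[^"]*"|\S+', line)   # keep quoted push arguments together
        directives.append((parts[0], [p.strip('"') for p in parts[1:]]))
    return directives

def lint(conf):
    """Return a list of findings; an empty list means none of the checks fired."""
    directives = parse(conf)
    names = {name for name, _ in directives}
    last = dict(directives)                       # last occurrence of a directive wins
    findings = []
    proto = last.get("proto", ["udp"])[0]         # OpenVPN defaults to UDP
    if "port-share" in names and not proto.startswith("tcp"):
        findings.append("port-share only works over TCP; found 'proto %s'" % proto)
    has_pam = any(n == "plugin" and "auth-pam" in a[0] for n, a in directives)
    if "client-cert-not-required" in names:
        if not (has_pam or "auth-user-pass-verify" in names):
            findings.append("client-cert-not-required with no password check: any client is accepted")
        elif "username-as-common-name" not in names:
            findings.append("without username-as-common-name every PAM user gets the same common name")
        else:
            findings.append("info: client identity rests on PAM passwords alone, no client certificates")
    if "tls-auth" not in names:
        findings.append("info: server has no tls-auth; a client using 'tls-auth ta.key 1' cannot connect")
    return findings
```

Run `lint(SAMPLE_CONF)` to see the two informational findings for the page's own setup; swapping in `proto udp` turns the port-share check into an error.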
