From SemarkIT

Install OpenVPN

apt-get install openvpn

Firewall (iptables)

# $IVPN is assumed to hold the name of the VPN interface (tap0 when using "dev tap")
iptables -A INPUT -m state --state NEW -i $IVPN -j ACCEPT    # accept new connections arriving from the VPN
iptables -A FORWARD -i $IVPN -j ACCEPT                       # allow traffic from VPN clients to be forwarded

Create the certificates

cp --preserve /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/
cd /etc/openvpn/
. ./vars

VPN Configuration

vi /etc/openvpn/1_some-VPN.conf
# TCP or UDP server?
proto tcp
;proto udp

# bridged (tap) or routed (tun) device?
dev tap
;dev tun

# The IP addresses are set to the network address, and the server will get the first address after it

push "route"
;push "route"

# name servers handed out to the clients
push "dhcp-option DNS"
push "dhcp-option WINS"

plugin  /usr/lib/openvpn/ login

Windows OpenVPN client config file

ca ca.crt          # CA certificate that signed the server certificate
tls-auth ta.key 1  # shared HMAC key; key direction 1 on the client, 0 on the server

A small trick

A particularly cool feature is the possibility of sharing a port with Apache. This should make it harder for network administrators to censor or filter your OpenVPN packets.

"Sharing" is, however, a bit misleading, since two applications can't listen on the same port at the same time. For instance, to share port 443, you have to make Apache listen on a different port. We made Apache listen on port 8443 instead by editing ports.conf to say:

nano /etc/apache2/ports.conf
# Normal HTTP
NameVirtualHost *:80
Listen 80

NameVirtualHost *:8443
Listen 8443

Now that port 443 is no longer taken by another application, we can make OpenVPN listen there instead. Non-OpenVPN traffic arriving on this port has to be forwarded to Apache by OpenVPN. After all, we still want to talk to Apache on port 443 from the "outside", as you would normally. This can be accomplished by putting these lines into your OpenVPN config:

nano /etc/openvpn/1_some-VPN.conf
proto tcp
port 443
port-share 127.0.0.1 8443   # port-share takes host and port; Apache runs on the same server

Explanation: This feature only works for TCP, which is why you need the "proto tcp" line. Only OpenVPN is listening on port 443. Any non-OpenVPN packets, however, are forwarded by OpenVPN to Apache on the "internal" port 8443, which in this case is running on the same server.
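To show what the port-share listener actually decides for each incoming connection, here is an added Python illustration (example code for this page, not OpenVPN's own implementation): it peeks at the first bytes of a TCP stream, keeps genuine OpenVPN handshakes and hands everything else to the Apache backend on 127.0.0.1:8443 from the config above. The framing and opcode constants follow OpenVPN's documented TCP wire format; the sample byte strings are constructed.

```python
"""Illustration of the decision behind OpenVPN's port-share directive.

One TCP listener on port 443 peeks at the first bytes of each connection:
an OpenVPN client handshake is handled by OpenVPN itself, anything else
is proxied unchanged to the HTTPS server that moved to port 8443.
Example code for this page, not OpenVPN's implementation.
"""

# OpenVPN-over-TCP framing: a 2-byte big-endian length, then the packet.
# A client's first packet is a P_CONTROL_HARD_RESET_CLIENT (opcode 7, or 10
# for newer clients) with key-id 0; the opcode occupies the top five bits of
# the first payload byte, so 7 << 3 == 0x38 and 10 << 3 == 0x50.
P_OPCODE_SHIFT = 3
HARD_RESET_CLIENT_OPCODES = (7, 10)
HARD_RESET_FIRST_BYTES = {op << P_OPCODE_SHIFT for op in HARD_RESET_CLIENT_OPCODES}
MIN_RESET_LEN = 14  # opcode/key-id(1) + session id(8) + ack count(1) + packet id(4)
TLS_HANDSHAKE_RECORD = 0x16

APACHE_BACKEND = ("127.0.0.1", 8443)  # the port-share target from the config above


def classify(peek: bytes) -> str:
    """Classify the first bytes of a TCP stream as 'openvpn', 'tls' or 'other'."""
    if len(peek) < 3:
        raise ValueError("need at least 3 bytes to decide")
    length = int.from_bytes(peek[:2], "big")
    if length >= MIN_RESET_LEN and peek[2] in HARD_RESET_FIRST_BYTES:
        return "openvpn"
    if peek[0] == TLS_HANDSHAKE_RECORD and peek[1] == 0x03:
        return "tls"  # SSL/TLS record header, e.g. a browser's ClientHello
    return "other"


def route(peek: bytes):
    """Return None to keep the connection in OpenVPN, else the (host, port) to proxy to."""
    return None if classify(peek) == "openvpn" else APACHE_BACKEND


# Constructed samples, not captured traffic.
OPENVPN_RESET = (b"\x00\x0e"                            # length prefix: 14 bytes follow
                 + b"\x38"                              # HARD_RESET_CLIENT_V2, key-id 0
                 + b"\x01\x02\x03\x04\x05\x06\x07\x08"  # client session id
                 + b"\x00"                              # no acknowledged packet ids
                 + b"\x00\x00\x00\x00")                 # packet id 0
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("openvpn", OPENVPN_RESET), ("https", TLS_CLIENT_HELLO), ("http", PLAIN_HTTP)):
        print(f"{name:8s} -> {classify(sample):8s} proxied to {route(sample)}")
```

Plain HTTP on port 443 is not OpenVPN either, so it is proxied to Apache as well, which is exactly why the Apache side must keep answering on 8443.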