Now we are ready to set OpenVPN up on both sides of the connection: the client and the server. First, let's begin with the server by installing OpenVPN directly from the Ubuntu repositories. Then we copy the appropriate certificates generated by easy-rsa into the openvpn directory, and finally we edit the OpenVPN configuration file for the server.
root@javi-pc:/home/javi/tmp/2.0# aptitude install openvpn
root@javi-pc:/home/javi/tmp/2.0/keys# cp ca.crt server.crt server.key dh1024.pem /etc/openvpn/
root@javi-pc:/home/javi# cat /etc/openvpn/server.conf
# Use a dynamic TUN device
dev tun
# Set virtual point-to-point IP addresses
ifconfig 10.0.0.1 10.0.0.2
# Use TCP for communicating with client
proto tcp-server
# Enable TLS and assume server role during TLS handshake
tls-server
# File containing Diffie Hellman parameters
dh /etc/openvpn/dh1024.pem
# Certificate authority (CA) file
ca /etc/openvpn/ca.crt
# Local peer's signed certificate
cert /etc/openvpn/server.crt
# Local peer's private key
key /etc/openvpn/server.key
# Use fast LZO compression
comp-lzo
# Ping remote every 10 s and restart after 60 s without any sign of life from remote
keepalive 10 60
# Output logging messages to openvpn.log file
log /var/log/openvpn.log
# Set output verbosity to normal usage range
verb 3
Now we only have to start the OpenVPN daemon, after which we can verify that the service is listening on TCP port 1194. A final task is to open that port on the router and forward the traffic to the server.
root@javi-pc:/home/javi# /etc/init.d/openvpn start
root@javi-pc:/home/javi# netstat -natp | grep openvpn
tcp 0 0 0.0.0.0:1194 0.0.0.0:* LISTEN 19781/openvpn
Let's now turn to the other side of the tunnel: the client. Here too we need to install OpenVPN from the Ubuntu repositories and copy the appropriate certificates (ca.crt, client.crt and client.key) into the openvpn directory.
root@javi-laptop:~# aptitude install openvpn
root@javi-laptop:~# cat /etc/openvpn/client.conf
# Use a dynamic TUN device
dev tun
# Connect to server
remote test.dnsdynamic.com
# Set virtual point-to-point IP addresses
ifconfig 10.0.0.2 10.0.0.1
# Use TCP for communicating with server
proto tcp-client
# Enable TLS and assume client role during TLS handshake
tls-client
# Require the remote certificate to be designated as a server-only certificate
remote-cert-tls server
# Certificate authority (CA) file
ca /etc/openvpn/ca.crt
# Local peer's signed certificate
cert /etc/openvpn/client.crt
# Local peer's private key
key /etc/openvpn/client.key
# Use fast LZO compression
comp-lzo
# Ping remote every 10 s and restart after 60 s without any sign of life from remote
keepalive 10 60
# Output logging messages to openvpn.log file
log /var/log/openvpn.log
# Set output verbosity to normal usage range
verb 3
Lastly, we remove the runlevel links for the OpenVPN init script on the client, so that the tunnel is not brought up at boot and we can launch it manually whenever we want.
root@javi-laptop:~# update-rc.d -f openvpn remove
root@javi-laptop:~# /etc/init.d/openvpn start
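Before starting either side it is worth sanity-checking the two configuration files. The following shell script is an added example and is not part of the original post or of OpenVPN itself: it verifies that server.conf and client.conf carry the TLS directives described above (in particular that the client has remote-cert-tls server, so it will only talk to a peer presenting a server certificate) and that every file named by a key directive is readable by its owner only. It assumes GNU stat (as on Ubuntu) and runs its demo on constructed configs in a temporary directory rather than on the real /etc/openvpn files.

```shell
#!/bin/sh
# Added example, not part of the original post: a small lint for the
# point-to-point OpenVPN configs shown above. Assumes GNU stat (Linux).

# check_directives CONFIG DIRECTIVE...: succeed only if every DIRECTIVE
# starts a line in CONFIG; print each one that is absent.
check_directives() {
    cfg="$1"; shift
    rc=0
    for d in "$@"; do
        # Anchor at line start and require whitespace or end of line after
        # the name, so "key" does not match "keepalive" and "remote" does
        # not match "remote-cert-tls".
        if ! grep -Eq "^[[:space:]]*$d([[:space:]]|$)" "$cfg"; then
            echo "$cfg: missing directive '$d'"
            rc=1
        fi
    done
    return $rc
}

# Server side: TLS server role, CA, own cert and key, DH parameters.
lint_server() {
    check_directives "$1" tls-server ca cert key dh
}

# Client side: TLS client role, a remote to connect to, and remote-cert-tls
# so the client rejects a peer presenting anything but a server certificate.
lint_client() {
    check_directives "$1" tls-client remote remote-cert-tls ca cert key
}

# check_key_perms CONFIG: every existing file named by a "key" directive
# must be mode 600 or 400 (owner-only); report any other mode and fail.
check_key_perms() {
    rc=0
    for f in $(awk '$1 == "key" { print $2 }' "$1"); do
        [ -e "$f" ] || continue   # skip paths that do not exist on this host
        mode=$(stat -c %a "$f")
        case "$mode" in
            600|400) ;;
            *) echo "$f: mode $mode, expected 600"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on constructed sample configs in a temporary directory (these are
# not the real /etc/openvpn files; the client one deliberately lacks
# remote-cert-tls so the lint has something to report).
demo_dir=$(mktemp -d)
cat > "$demo_dir/server.conf" <<'EOF'
dev tun
proto tcp-server
tls-server
dh /etc/openvpn/dh1024.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
EOF
cat > "$demo_dir/client.conf" <<'EOF'
dev tun
remote test.dnsdynamic.com
proto tcp-client
tls-client
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
EOF
lint_server "$demo_dir/server.conf" && echo "server.conf: ok"
lint_client "$demo_dir/client.conf" || echo "client.conf: add 'remote-cert-tls server'"
rm -rf "$demo_dir"
```

Run it as root (so it can stat the key files) after copying the certificates into /etc/openvpn, passing the real paths to lint_server, lint_client and check_key_perms; a non-zero exit from any of the three means the corresponding line was printed and should be fixed before starting the daemon.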