Script to Install openvpn on fedora 20 with the transition to systemd, OpenVPN no longer has a single monolithic init script, where every connection with a configuration file in/etc/openvpn/ is started automatically. Instead, individual connections can be started and stopped with systemctl.
For example, to start a connection, run systemctl start openvpn@foo.service, where the connection is defined in/etc/openvpn/foo.conf.
Setting up an OpenVPN server
1.yum install openvpn easy-rsa
2.Copy /usr/share/easy-rsa/2.0 somewhere (like root’s home directory with cp -ai /usr/share/easy-rsa/2.0 ~/easy-rsa).
3.cd ~/easy-rsa
4.Edit vars appropriately.
5.. vars
6../clean-all
7.Before continuing, make sure the system time is correct. Preferably, set up NTP .
8../build-ca
9../build-key-server $( hostname | cut -d. -f1 )
10../build-dh
11.mkdir /etc/openvpn/keys
12.cp -ai keys/$( hostname | cut -d. -f1 ).{crt,key} keys/ca.crt keys/dh*.pem /etc/openvpn/keys/
13.cp -ai /usr/share/doc/openvpn*/sample/sample-config-files/roadwarrior-server.conf /etc/openvpn/server.conf
14.Edit /etc/openvpn/server.conf appropriately to set your configuration and key paths, which are found in /etc/openvpn/keys/.
15.Fix selinux context of files: restorecon -Rv /etc/openvpn
16.ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.target.wants/openvpn\@server.service (Note that ‘server’ corresponds with the configuration name in /etc/openvpn/ such as server.conf)
17.systemctl -f enable openvpn@server.service
18.systemctl start openvpn@server.service
19.Verify that firewall rules allow traffic in from tun+, out from the LAN to tun+, and in from the outside on UDP port 1194.
The following should work (assuming an outside interface is eth1 and an inside interface is eth0):
iptables -A INPUT -i eth1 -p udp –dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT
iptables -A FORWARD -i eth1 -o tun+ -m state –state ESTABLISHED,RELATED -j ACCEPT
Or for genfw (my firewall-generation script, not currently available in Fedora), this in /etc/sysconfig/genfw/rules:
append INPUT -i eth1 -p udp –dport 1194 -j ACCEPT
append INPUT -i tun+ -j ACCEPT
append FORWARD -i tun+ -j ACCEPT
append FORWARD -i eth0 -o tun+ -j ACCEPT
append FORWARD -i eth1 -o tun+ -j established
Or for system-config-firewall, you can add these custom rules:
-A INPUT -i eth1 -p udp –dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT
-A FORWARD -i eth1 -o tun+ -m state –state ESTABLISHED,RELATED -j ACCEPT
Create a file iptables-rules in /etc/sysconfig and add the above contents, then in system-config-firewall, choose the “Custom Rules” choice, click “Add”, choose IPV4 for the protocol type, and filter for the firewall table. Then select /etc/sysconfig/iptables-rules for the File: choice. Then Apply the changes.
Setting up a Linux OpenVPN client
Remember that we have already installed the openvpn package in client, and we have “ca.crt”, “vpnclient1.key”, vpnclient1.crt” in /etc/openvpn/. And copy the sample client.conf to /etc/openvpn.
You need to generate new keys (or use existing other client/username keys) for the new client/username
On the server:
1.cd easy-rsa
2.. vars
3../build-key username
On the client:
In the following, replace MyClient with a descriptive vpn connection name.
1.Copy username.key, username.crt and ca.crt from server to /etc/openvpn/keys/.
2.cp -ai /usr/share/doc/openvpn-*/sample-config-files/client.conf /etc/openvpn/MyClient.conf
3.Edit /etc/openvpn/MyClient.conf appropriately to set your configuration (just like server configuration, port, compression,..) and key paths.
4.cd /lib/systemd/system
5.ln openvpn@.service openvpn@MyClient.service
6.systemctl enable openvpn@MyClient.service
7.systemctl start openvpn@MyClient.service
check /var/log/messages if things didn’t work as expected
Alternatively, on the client, after copying the keys onto the client machine, you can use NetworkManager to add a vpn connection. Make sure you have the NetworkManager-openvpn package installed. Then just add a new VPN connection.
Should also test automatic starting at boot up, with password protected key files and maybe even –auth-user-pass. OpenVPN supports systemd’s password passing if build with –enable-systemd via ./configure
Setting up a Windows OpenVPN client
On the server:
1.cd easy-rsa
2.. vars
3../build-key username
On the client:
1.Install the OpenVPN GUI or the stand-alone OpenVPN client. (http://openvpn.net/index.php/open-source/downloads.html and Tap-windows version )
2.Copy username.crt, username.key, and ca.crt to C:\Program Files\OpenVPN\config\ on the client.
3.Drop roadwarrior-client.conf into C:\Program Files\OpenVPN\config\ as whatever.ovpn and edit appropriately.
4.Either use the GUI to start the connection, start the OpenVPN service manually, or set the OpenVPN service to start automatically.
Ideally the client should do some verification on the server key with tls-remote in the whatever.ovpn configuration file.
Introduction
Static key configurations offer the simplest setup, and are ideal for point-to-point VPNs or proof-of-concept testing.
Static Key advantages
– Simple Setup
– No X509 PKI (Public Key Infrastructure) to maintain
Static Key disadvantages
– Limited scalability — one client, one server
– Lack of perfect forward secrecy — key compromise results in total disclosure of previous sessions
– Secret key must exist in plaintext form on each VPN peer
– Secret key must be exchanged using a pre-existing secure channel
Simple Example
This example demonstrates a bare-bones point-to-point OpenVPN configuration. A VPN tunnel will be created with a server endpoint of 10.8.0.1 and a client endpoint of 10.8.0.2. Encrypted communication between client and server will occur over UDP port 1194, the default OpenVPN port.
Generate a static key:
openvpn –genkey –secret static.key
Copy the static key to both client and server, over a pre-existing secure channel.
Server configuration file
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
Client configuration file
remote myremote.mydomain
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
Firewall configuration
Make sure that:
UDP port 1194 is open on the server, and the virtual TUN interface used by OpenVPN is not blocked on either the client or server (on Linux, the TUN interface will probably be called tun0 while on Windows it will probably be called something like Local Area Connection n unless you rename it in the Network Connections control panel).
Bear in mind that 90% of all connection problems encountered by new OpenVPN users are firewall-related.
Testing the VPN
Run OpenVPN using the respective configuration files on both server and client, changing myremote.mydomain in the client configuration to the domain name or public IP address of the server.
To verify that the VPN is running, you should be able to ping 10.8.0.2 from the server and 10.8.0.1 from the client.
Expanding on the Simple Example
Use compression on the VPN link
Add the following line to both client and server configuration files:
comp-lzo
Make the link more resistent to connection failures
Deal with:
keeping a connection through a NAT router/firewall alive, and follow the DNS name of the server if it changes its IP address.
Add the following to both client and server configuration files:
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
Run OpenVPN as a daemon (Linux/BSD/Solaris/MacOSX only)
Run OpenVPN as a daemon and drop privileges to user/group nobody.
Add to configuration file (client and/or server):
user nobody
group nobody
daemon
Allow client to reach entire server subnet
Suppose the OpenVPN server is on a subnet 192.168.4.0/24. Add the following to client configuration:
route 192.168.4.0 255.255.255.0
Then on the server side, add a route to the server’s LAN gateway that routes 10.8.0.2 to the OpenVPN server machine (only necessary if the OpenVPN server machine is not also the gateway for the server-side LAN). Also, don’t forget to enable IP Forwarding on the OpenVPN server machine.