# Running OpenVPN on Ubuntu 8.10 Server

By niels | Published: February 13, 2009

When I'm attending classes I can access the internet using the wireless network at my school. Unfortunately you can only do generic tasks like browsing the web, receiving and sending e-mail and MSN chat; everything else is blocked: no RDP, VNC, secure SMTP (port 587), games or anything that uses custom ports/protocols. I can't get to my servers unless I run SSH on allowed ports like 25, 80, 443, etc. To get around this I've been looking into running my own OpenVPN server on an allowed port so I can get unrestricted access to the internet using my server as a gateway. I'll be connecting to the OpenVPN server using Viscosity.

## OpenVPN

Get the OpenVPN binaries using the apt-get command:

```
$ apt-get install openvpn openssl
```

You'll find everything you need in /usr/share/doc/openvpn/examples/:

```
$ cd /usr/share/doc/openvpn/examples
```

Copy ./sample-config-files/server.conf.gz and ./easy-rsa/2.0/ to /etc/openvpn:

```
$ cp ./sample-config-files/server.conf.gz /etc/openvpn
$ cp -r ./easy-rsa/2.0 /etc/openvpn
```

Go to /etc/openvpn, rename the 2.0 folder to easy-rsa and unpack the config file:

```
$ mv 2.0 easy-rsa
$ gzip -d server.conf.gz
```

## Certificates

OpenVPN needs a number of certificates; you can create them using the easy-rsa tools.

```
$ cd /etc/openvpn/easy-rsa
```

Optional: edit the vars file so it contains the correct default fields; this will save some time later. Edit the values at the bottom of the file to whatever you want:

```
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
```

Save the vars file.

Generate the master Certificate Authority (CA) certificate and keys:

```
$ . ./vars
$ ./clean-all
$ ./build-ca
```

Generate the certificate and key for the server (leave the common name set to its default value, server):

```
$ ./build-key-server server
```

Generate the certificates and keys for clients (leave the common name set to its default value):

```
$ ./build-key client1
$ ./build-key client2
```

Generate the Diffie-Hellman parameters (this produces the dh1024.pem file referenced by the server configuration below):

```
$ ./build-dh
```

## Creating the server configuration file

Edit /etc/openvpn/server.conf:

```
$ vim /etc/openvpn/server.conf
```

This is what I use (# = comment):

```
port 1194 # change this to whatever you need it to be
proto udp # tcp or udp, never use both in the same config
dev tun # routed VPN
# Certificates
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
# Server settings
server 10.8.0.0 255.255.255.0 # Default VPN ip range.
push "redirect-gateway"
# OpenDNS settings
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Allow clients to see each other
client-to-client
# Reduce the OpenVPN daemon's privileges
user nobody
group nogroup
```

Copy the server certificates and keys to /etc/openvpn:

```
$ cd /etc/openvpn/easy-rsa/keys
$ cp ca.crt server.crt server.key dh1024.pem /etc/openvpn
```

Copy the client certificates and keys to wherever you want (you need them on your clients):

```
$ cp client1.crt client1.key ca.crt /home/client1 # Change the target folder to whatever you need it to be
```

Restart the OpenVPN service:

```
$ /etc/init.d/openvpn restart
```

Any .conf file in /etc/openvpn will be loaded automatically.

## Making routes work

Before you can actually access the internet over your VPN you need to enable IPv4 forwarding and add some iptables rules.

Edit /etc/sysctl.conf, uncomment net.ipv4.ip_forward=1 and save your changes. At this point you can either reboot or run the following command:

```
$ sysctl -w net.ipv4.ip_forward=1
```

Confirm that ip_forward is actually enabled:

```
$ sysctl net.ipv4.ip_forward
```

Add the following rules to /etc/rc.local before the exit 0 statement:

```
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
```

The address (10.8.0.0/24) is the default network used by the OpenVPN sample config; eth0 is the interface connected to the internet (change this if needed). Apply the rules by running them manually, by rebooting, or by running /etc/init.d/rc.local start.

You're done configuring the OpenVPN server. Make sure it's running:

```
$ ps ax | grep openvpn
14454 ?        Ss     0:00 /usr/sbin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf --script-security 2
```

Thanks to the author; source: http://nielsvz.com/2009/02/running-openvpn-on-ubuntu-810-server/
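As an added example (not part of the original post), a small POSIX shell lint for a server.conf like the one shown above: it checks that the privilege-dropping user/group directives are present, that the ca/cert/key/dh files the config names exist next to it, and that the server's private key is not readable by group or others. The function and script names are assumptions; only the /etc/openvpn/server.conf path comes from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: a small POSIX-sh lint for an
# OpenVPN server.conf like the one above. It checks that the privilege-dropping
# directives are present, that the ca/cert/key/dh files the config points at
# exist, and that the private key is readable by its owner only.
# The path /etc/openvpn/server.conf is the post's; everything else is assumed.

# lint_ovpn_conf FILE : print one line per finding, return the number of findings
lint_ovpn_conf() {
    conf=$1
    dir=$(dirname "$conf")
    n=0
    # OpenVPN treats '#' and ';' as comment starters; drop them before matching.
    clean=$(sed -e 's/[#;].*$//' "$conf")

    # The daemon should drop root after start-up (user nobody / group nogroup).
    for want in "user nobody" "group nogroup"; do
        set -- $want
        printf '%s\n' "$clean" | grep -Eq "^[[:space:]]*$1[[:space:]]+$2([[:space:]]|\$)" \
            || { echo "missing: $want"; n=$((n + 1)); }
    done

    # Every certificate/key directive must name a file that exists
    # (relative names resolve against the config's directory, as with --cd).
    for k in ca cert key dh; do
        f=$(printf '%s\n' "$clean" | awk -v k="$k" '$1 == k { print $2; exit }')
        if [ -z "$f" ]; then
            echo "missing: $k directive"; n=$((n + 1)); continue
        fi
        case $f in /*) p=$f ;; *) p=$dir/$f ;; esac
        if [ ! -f "$p" ]; then
            echo "$k: file not found: $p"; n=$((n + 1)); continue
        fi
        # The server's private key must not be readable by group or others.
        if [ "$k" = key ]; then
            case $(ls -ld "$p" | cut -c5-10) in
                *[rwx]*) echo "key: $p is readable by group/others (chmod 600)"; n=$((n + 1)) ;;
            esac
        fi
    done
    return $n
}

# Usage: sh lint.sh /etc/openvpn/server.conf (exit status = number of findings)
if [ $# -gt 0 ]; then
    lint_ovpn_conf "$1"
fi
```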