Similar documentation for installing and configuring OpenVPN can be found almost everywhere. This guide covers a connection between my Icinga server and my QNAP, which I wanted to monitor. I don't configure this VPN for browsing the web or anything.
apt-get install openvpn easy-rsa
Create your configuration
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
Edit the following in “/etc/openvpn/server.conf”
#from
dh dh1024.pem
#to
dh dh2048.pem
Edit and uncomment
user nobody
group nogroup
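A quick way to confirm that both edits above are active rather than still commented out. This is an added example, not part of the original guide; the function names and the constructed sample configs are assumptions, and the dh check only looks at the file name referenced in the config.

```sh
#!/bin/sh
# Added example: check that the server.conf edits are active, not still commented out.

# effective_value FILE DIRECTIVE
# Prints the argument of the last active DIRECTIVE line. OpenVPN treats lines
# starting with '#' or ';' as comments, so ";user nobody" does not count.
effective_value() {
    awk -v d="$2" '$1 == d { v = $2 } END { if (v != "") print v }' "$1"
}

# audit_server_conf FILE: one finding per line, returns 1 if any check fails.
audit_server_conf() {
    conf=$1; rc=0
    dh=$(effective_value "$conf" dh)
    case $dh in
        "")     echo "FAIL dh: no active dh directive"; rc=1 ;;
        *1024*) echo "FAIL dh: still points at $dh"; rc=1 ;;
        *)      echo "OK   dh: $dh" ;;
    esac
    for d in user group; do
        v=$(effective_value "$conf" "$d")
        case $v in
            "")   echo "FAIL $d: not set, daemon keeps its start-up privileges"; rc=1 ;;
            root) echo "FAIL $d: $v"; rc=1 ;;
            *)    echo "OK   $d: $v" ;;
        esac
    done
    return $rc
}

# Constructed inputs: the state before and after the edits described above.
before=$(mktemp); after=$(mktemp)
printf '%s\n' 'port 1194' 'dh dh1024.pem' ';user nobody' ';group nogroup' > "$before"
printf '%s\n' 'port 1194' 'dh dh2048.pem' 'user nobody' 'group nogroup' > "$after"
audit_server_conf "$before" || echo "-> unedited config fails"
audit_server_conf "$after" && echo "-> edited config passes"
```

On the real server, call `audit_server_conf /etc/openvpn/server.conf` after editing.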
cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys
Edit the default vars in “/etc/openvpn/easy-rsa/vars”
export KEY_COUNTRY="YOUR COUNTRY eg. DE"
export KEY_PROVINCE="YOUR PROVINCE eg. BW"
export KEY_CITY="YOUR CITY eg. Karlsruhe"
export KEY_ORG="YOUR ORG eg. Lunetikk"
export KEY_EMAIL="YOUR MAILADDRESS"
export KEY_OU="YOUR OU eg. lunetikk"
export KEY_NAME="ANY IDENTIFIER eg. openvpn"
Execute the following; if asked, answer “y” and press Enter
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
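Build the cert; if asked, answer “y” and press Enter
# the name given here becomes the file name: this writes keys/server.crt and keys/server.key
./build-key-server server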
Copy your cert and keys
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn
and start the service
service openvpn start
Execute the following; if asked, answer “y” and press Enter
./build-key qnap
Copy the client sample config
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/qnap.ovpn
Edit “/etc/openvpn/easy-rsa/keys/qnap.ovpn” and change the following
remote YOUROPENVPNSERVER 1194
#use these on qnap, make sure they exist
user nobody
group everyone
#comment the 3 lines
#ca ca.crt
#cert client.crt
#key client.key
#at the end of the file, add your ca, client-cert and client-key
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
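The manual edit above can be scripted so the inline blocks are never pasted wrong and the resulting file, which contains the client's private key, is created readable by its owner only. This is an added example, not part of the original guide; `build_ovpn` and `pem_only` are hypothetical helper names, and the demo inputs are constructed placeholders, not real key material.

```sh
#!/bin/sh
# Added example (not from the original page): build a one-file client profile.

# Print only the PEM blocks of a file, dropping the text dump ("Certificate: ...")
# that easy-rsa writes above the certificate.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn BASE_CONF CA CERT KEY OUT   (hypothetical helper; all paths are arguments)
build_ovpn() {
    base=$1; ca=$2; cert=$3; key=$4; out=$5
    [ -r "$base" ] || { echo "cannot read $base" >&2; return 1; }
    for f in "$ca" "$cert" "$key"; do
        pem_only "$f" 2>/dev/null | grep -q '^-----END ' ||
            { echo "no PEM block in $f" >&2; return 1; }
    done
    # The result contains the private key: create it fresh and owner-only.
    rm -f "$out"
    old_umask=$(umask); umask 077
    {
        # Comment out "ca/cert/key <file>" lines; "key-direction" etc. stay untouched.
        sed -E 's/^[[:space:]]*(ca|cert|key)[[:space:]]+.*$/#&/' "$base"
        printf '<ca>\n';   pem_only "$ca";   printf '</ca>\n'
        printf '<cert>\n'; pem_only "$cert"; printf '</cert>\n'
        printf '<key>\n';  pem_only "$key";  printf '</key>\n'
    } > "$out"
    umask "$old_umask"
}

# Demo on constructed inputs (placeholder PEM bodies, not real key material).
demo_dir=$(mktemp -d)
printf '%s\n' 'client' 'remote YOUROPENVPNSERVER 1194' 'ca ca.crt' \
    'cert client.crt' 'key client.key' 'key-direction 1' > "$demo_dir/client.conf"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0E=' '-----END CERTIFICATE-----' > "$demo_dir/ca.crt"
printf '%s\n' 'Certificate:' '    Data:' '-----BEGIN CERTIFICATE-----' 'Q1JU' \
    '-----END CERTIFICATE-----' > "$demo_dir/qnap.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'S0VZ' '-----END PRIVATE KEY-----' > "$demo_dir/qnap.key"
build_ovpn "$demo_dir/client.conf" "$demo_dir/ca.crt" "$demo_dir/qnap.crt" \
    "$demo_dir/qnap.key" "$demo_dir/qnap.ovpn" && ls -l "$demo_dir/qnap.ovpn"
```

Since the profile carries the private key, transfer it to the client over an encrypted channel and delete any intermediate copies.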
Command | Function |
---|---|
nmap -sL 10.8.0.* | shows all connected clients in the given IP range |
Edit the file “/etc/config/vpn.conf” and add the following
[OPENVPN_CLIENT1]
Enable = TRUE
Status = 1
Index = 1
Gateway = 0
Allow Connect = 0
Reconnect = 1
Server Address = lunetikk.de
Profile File = OpenVPN4
VPN Proto Type = udp
VPN Port = 1194
Compress = 1
Re-direct gateway = 1
Encryption = 1
AccessCode = AAA
Time Stamp = 0
Start your client (parameter 1 is the index in your config)
/etc/init.d/vpn_openvpn_client.sh start 1 &
Check if your connection is up with ifconfig and ping your gateway (OpenVPN server)
# ifconfig
tun0      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet Adresse:10.8.0.6  P-z-P:10.8.0.2  Maske:255.255.255.255
# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=38.6 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=37.9 ms
Install the client
apt-get update
apt-get install openvpn
Copy the .ovpn file from your server to your client into /etc/openvpn/
Rename it to .conf, for example client.conf
mv client.ovpn client.conf
If you run OpenVPN with systemd, you need to list your config files in “/etc/default/openvpn”. Add your filename (client) if you only want that single file to be recognized, or add “all” if you want every .conf file to be loaded.
AUTOSTART="client"
#or
AUTOSTART="all"
Reload the “/etc/default/” configs
systemctl daemon-reload
Restart OpenVPN
systemctl restart openvpn
Check if your connection is up with ifconfig and ping your gateway (OpenVPN server)
# ifconfig
tun0      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet Adresse:10.8.0.6  P-z-P:10.8.0.2  Maske:255.255.255.255
# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=38.6 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=37.9 ms
and with systemctl
# systemctl status openvpn@client.service
● openvpn@client.service - OpenVPN connection to client
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-01-21 12:56:38 CET; 3min 6s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 1684 ExecStart=/usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid (code=exited, status=0/SUCCESS)
 Main PID: 1686 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@client.service
           └─1686 /usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid

Jan 21 12:56:40 raspbian ovpn-client[1686]: ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=wlan0 HWADDR=xx:xx:xx:xx:xx:xx
Jan 21 12:56:40 raspbian ovpn-client[1686]: TUN/TAP device tun0 opened
Jan 21 12:56:40 raspbian ovpn-client[1686]: TUN/TAP TX queue length set to 100
Jan 21 12:56:40 raspbian ovpn-client[1686]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 21 12:56:40 raspbian ovpn-client[1686]: /sbin/ip link set dev tun0 up mtu 1500
Jan 21 12:56:40 raspbian ovpn-client[1686]: /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.1
Jan 21 12:56:40 raspbian ovpn-client[1686]: /sbin/ip route add 10.8.0.1/32 via 10.8.0.1
Jan 21 12:56:40 raspbian ovpn-client[1686]: GID set to nogroup
Jan 21 12:56:40 raspbian ovpn-client[1686]: UID set to nobody
Jan 21 12:56:40 raspbian ovpn-client[1686]: Initialization Sequence Completed