linux:ubuntu:openvpn

Differences

This shows you the differences between two versions of the page.

linux:ubuntu:openvpn [2018/02/20 17:50] – created lunetikklinux:ubuntu:openvpn [2021/05/14 17:14] (current) lunetikk
Line 1: Line 1:
 ====== OpenVPN Server ====== ====== OpenVPN Server ======
- 
-===== Installation ===== 
  
 You can find a similar documentation to install and configure almost everywhere. You can find a similar documentation to install and configure almost everywhere.
 +This guide is for a connection between my Icingaserver and my QNAP, which I wanted to monitor.
 +I dont configure this VPN for browsing the web or anything.
 +
 +===== Installation =====
  
 <code>apt-get install openvpn easy-rsa</code> <code>apt-get install openvpn easy-rsa</code>
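Review bot: the scope sentence added above the Installation heading ("I dont configure this VPN for browsing the web or anything") sits oddly with the QNAP client config added later in this same revision, which sets "Re-direct gateway = 1". That key reads as sending the client's default route through the tunnel, which a monitoring-only link between the Icinga server and the QNAP should not need. Either explain why it is enabled or state in this intro what traffic is expected to cross the VPN. Minor: "dont" should be "don't".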
Line 20: Line 22:
 </code> </code>
  
-in work FIXME+Edit and uncomment 
 +<code> 
 +user nobody 
 +group nogroup 
 +</code>
  
-<code></code> +==== Create the Certificate Authority ==== 
-<code></code>+ 
 +<code> 
 +cp -r /usr/share/easy-rsa/ /etc/openvpn 
 +mkdir /etc/openvpn/easy-rsa/keys 
 +</code> 
 + 
 +Edit the default vars in "/etc/openvpn/easy-rsa/vars" 
 +<code> 
 +export KEY_COUNTRY="YOUR COUNTRY eg. DE" 
 +export KEY_PROVINCE="YOUR PROVINCE eg. BW" 
 +export KEY_CITY="YOUR CITY eg. Karlsruhe" 
 +export KEY_ORG="YOUR ORG eg. Lunetikk" 
 +export KEY_EMAIL="YOUR MAILADDRESS" 
 +export KEY_OU="YOUR OU eg. lunetikk" 
 + 
 +export KEY_NAME="ANY IDENTIFIER eg. openvpn" 
 +</code> 
 + 
 +Execute the following and if asked say "y" and enter 
 +<code> 
 +openssl dhparam -out /etc/openvpn/dh2048.pem 2048 
 + 
 +cd /etc/openvpn/easy-rsa 
 +. ./vars 
 +./clean-all 
 +./build-ca 
 +</code> 
 + 
 +Build the cert, if asked say "y" and enter 
 +<code>./build-key-server openvpn</code> 
 + 
 +Copy your cert and keys 
 +<code>cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn</code> 
 + 
 +and start the service 
 +<code>service openvpn start</code> 
 + 
 +==== Create client certificate ==== 
 + 
 +execute the following, if asked say "y" and enter 
 +<code>./build-key qnap</code> 
 + 
 +copy the client sampleconfig 
 +<code>cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/qnap.ovpn</code> 
 + 
 +edit "/etc/openvpn/easy-rsa/keys/qnap.ovpn" and change the following 
 +<code> 
 +remote YOUROPENVPNSERVER 1194 
 + 
 +#use these on qnap, make sure they exist 
 +user nobody 
 +group everyone 
 + 
 +#comment the 3 lines 
 +#ca ca.crt 
 +#cert client.crt 
 +#key client.key 
 + 
 +#at the end of the file, add your ca, client-cert and client-key 
 +<ca> 
 +-----BEGIN CERTIFICATE----- 
 +... 
 +-----END CERTIFICATE----- 
 +</ca> 
 + 
 +<cert> 
 +Certificate: 
 +... 
 +-----END CERTIFICATE----- 
 +... 
 +-----END CERTIFICATE----- 
 +</cert> 
 + 
 +<key> 
 +-----BEGIN PRIVATE KEY----- 
 +... 
 +-----END PRIVATE KEY----- 
 +</key> 
 +</code> 
 + 
 +===== Commands ===== 
 + 
 +^  Command  ^  Function 
 +|   nmap -sL 10.8.0.*    shows all connected clients in the given IP range  | 
 + 
 +===== Connecting a QNAP as client ===== 
 + 
 +Edit the file "/etc/config/vpn.conf" and add the following 
 +<code> 
 +[OPENVPN_CLIENT1] 
 +Enable = TRUE 
 +Status = 1 
 +Index = 1 
 +Gateway = 0 
 +Allow Connect = 0 
 +Reconnect = 1 
 +Server Address = lunetikk.de 
 +Profile File = OpenVPN4 
 +VPN Proto Type = udp 
 +VPN Port = 1194 
 +Compress = 1 
 +Re-direct gateway = 1 
 +Encryption = 1 
 +AccessCode = AAA 
 +Time Stamp = 0 
 +</code> 
 + 
 +Start your client (parameter 1 is the index in your config) 
 +<code>/etc/init.d/vpn_openvpn_client.sh start 1 &</code> 
 + 
 +Check if your connection is up with ifconfig and ping your gateway (OpenVPN server) 
 +<code> 
 +# ifconfig 
 +tun0      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
 +          inet Adresse:10.8.0.6  P-z-P:10.8.0.2  Maske:255.255.255.255 
 + 
 +# ping 10.8.0.1 
 +PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data. 
 +64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=38.6 ms 
 +64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=37.9 ms 
 +</code> 
 + 
 +===== Connecting an Ubuntu 16 as client ===== 
 + 
 +Install the client 
 +<code> 
 +apt-get update 
 +apt-get install openvpn 
 +</code> 
 + 
 +Copy the .ovpn file from your server to your client into /etc/openvpn/ \\ 
 +Rename it to .conf, for example client.conf 
 +<code> 
 +mv client.ovpn client.conf 
 +</code> 
 + 
 +If you run OpenVPN with systemd you need to configure your configfiles in "/etc/default/openvpn" 
 +Add your filename (client) if you only want the single file to be recognized, add "all" if you want any .conf files to be loaded 
 +<code> 
 +AUTOSTART="client" 
 +#or 
 +AUTOSTART="all"</code> 
 + 
 +Reload the "/etc/default/" configs 
 +<code>systemctl daemon-reload </code> 
 + 
 +Restart the OpenVPN  
 +<code>systemctl restart openvpn</code> 
 + 
 +Check if your connection is up with ifconfig and ping your gateway (OpenVPN server) 
 +<code> 
 +# ifconfig 
 +tun0      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
 +          inet Adresse:10.8.0.6  P-z-P:10.8.0.2  Maske:255.255.255.255 
 + 
 +# ping 10.8.0.1 
 +PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data. 
 +64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=38.6 ms 
 +64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=37.9 ms 
 +</code> 
 + 
 +===== Connecting a Raspbian 9 as client ===== 
 + 
 +Install the client 
 +<code> 
 +apt-get update 
 +apt-get install openvpn 
 +</code> 
 + 
 +Copy the .ovpn file from your server to your client into /etc/openvpn/ \\ 
 +Rename it to .conf, for example client.conf 
 +<code> 
 +mv client.ovpn client.conf 
 +</code> 
 + 
 +If you run OpenVPN with systemd you need to configure your configfiles in "/etc/default/openvpn" 
 +Add your filename (client) if you only want the single file to be recognized, add "all" if you want any .conf files to be loaded 
 +<code> 
 +AUTOSTART="client" 
 +#or 
 +AUTOSTART="all"</code> 
 + 
 +Reload the "/etc/default/" configs 
 +<code>systemctl daemon-reload</code> 
 + 
 +Restart the OpenVPN  
 +<code>systemctl restart openvpn</code> 
 + 
 +Check if your connection is up with ifconfig and ping your gateway (OpenVPN server) 
 +<code> 
 +# ifconfig 
 +tun0      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
 +          inet Adresse:10.8.0.6  P-z-P:10.8.0.2  Maske:255.255.255.255 
 + 
 +# ping 10.8.0.1 
 +PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data. 
 +64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=38.6 ms 
 +64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=37.9 ms 
 +</code> 
 + 
 +and with systemctl 
 +<code> 
 +# systemctl status [email protected] 
 +[email protected] - OpenVPN connection to client 
 +   Loaded: loaded (/lib/systemd/system/[email protected]; disabled; vendor preset: enabled) 
 +   Active: active (running) since Mon 2019-01-21 12:56:38 CET; 3min 6s ago 
 +     Docs: man:openvpn(8) 
 +           https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage 
 +           https://community.openvpn.net/openvpn/wiki/HOWTO 
 +  Process: 1684 ExecStart=/usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid (code=exited, status=0/SUCCESS) 
 + Main PID: 1686 (openvpn) 
 +   CGroup: /system.slice/system-openvpn.slice/[email protected] 
 +           └─1686 /usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid 
 + 
 +Jan 21 12:56:40 raspbian ovpn-client[1686]: ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=wlan0 HWADDR=xx:xx:xx:xx:xx:xx 
 +Jan 21 12:56:40 raspbian ovpn-client[1686]: TUN/TAP device tun0 opened 
 +Jan 21 12:56:40 raspbian ovpn-client[1686]: TUN/TAP TX queue length set to 100 
 +Jan 21 12:56:40 raspbian ovpn-client[1686]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0 
 +Jan 21 12:56:40 raspbian ovpn-client[1686]: /sbin/ip link set dev tun0 up mtu 1500 
 +Jan 21 12:56:40 raspbian ovpn-client[1686]: /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.1 
 +Jan 21 12:56:40 raspbian ovpn-client[1686]: /sbin/ip route add 10.8.0.1/32 via 10.8.0.1 
 +Jan 21 12:56:40 raspbian ovpn-client[1686]: GID set to nogroup 
 +Jan 21 12:56:40 raspbian ovpn-client[1686]: UID set to nobody 
 +Jan 21 12:56:40 raspbian ovpn-client[1686]: Initialization Sequence Completed 
 +</code>
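Review bot: in "Create the Certificate Authority" the server key pair is built with "./build-key-server openvpn", but the next step copies "server.crt,server.key" out of keys/, and those files will not exist because easy-rsa names its output after the argument (openvpn.crt, openvpn.key). Use "./build-key-server server", or copy the openvpn.* files and make the cert and key lines in the server config match. In "Create client certificate", qnap.ovpn starts as a copy of the sample client.conf and then has the client private key pasted into its <key> block, so the guide should say to restrict it to mode 600 on the server and on every client it is copied to (the Ubuntu and Raspbian sections move it to /etc/openvpn/ without mentioning permissions). In the Commands table, "nmap -sL" is a list scan: it enumerates the addresses in 10.8.0.* without probing them, so it does not show which clients are connected; the header row is also missing its closing "^" and the data row the "|" between its two cells. The Ubuntu 16 and Raspbian 9 sections are identical up to the final systemctl check and could be one section.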
linux/ubuntu/openvpn.1519145400.txt.gz · Last modified: 2018/02/20 17:50 by lunetikk