services:vpn, revision 2016/05/06 12:48 by buben; current revision 2016/05/09 10:24.
====== VPN ======

The first step is to install the VPN daemon. My choice is [[https://openvpn.net/|OpenVPN]], an open source and well known VPN solution with a huge community. To install OpenVPN, issue the following command:

<code>
# apt-get install openvpn
</code>

And that's it, the VPN server software is installed.

===== Configure OpenVPN =====

To configure the OpenVPN server you have to set up the following files:
  * CA file.
  * Diffie-Hellman parameters file.
  * Server certificate file.
  * Key file.
  * Main configuration file.

The first four components are generated cryptographic material. How to build them is described on the [[brokers:certificates|certificates]] page.

OpenVPN configuration files can be stored anywhere, but best practice is to keep them in the ''/etc/openvpn'' directory. I like to create separate directories for the CA, the keys and the configuration files (both server and client, if necessary).

<code>
# mkdir /etc/openvpn/ca_certificates /etc/openvpn/certs /etc/openvpn/server
</code>

From the easy-rsa directory, copy the CA, DH, certificate and key files to the VPN server:

<code>
easy-rsa/easyrsa3$ scp pki/ca.crt pki/dh.pem root@<server IP>:/etc/openvpn/ca_certificates
easy-rsa/easyrsa3$ scp pki/issued/<server-cert.crt> pki/private/<server-cert.key> root@<server IP>:/etc/openvpn/certs
</code>

Adjust the following values:
  * ''<server IP>'' - The actual IP address of your server.
  * ''<server-cert.crt>'' - Your server ''.crt'' certificate file.
  * ''<server-cert.key>'' - Your ''.key'' private key file.

Now create the configuration file ''/etc/openvpn/server/central-broker.conf'' with the following content:

<code - /etc/openvpn/server/central-broker.conf>
port 1194
proto tcp
dev tun

ca <cafile>
cert <crtfile>
key <keyfile>
dh <dhfile>

server <network ip address> <network mask>
ifconfig-pool-persist ipp.txt

keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 4
</code>

Adjust the configuration options to your setup:
  * ''ca'' - Path to your CA file. For example: ''/etc/openvpn/ca_certificates/ca.crt''.
  * ''cert'' - Path to your server certificate file. For example: ''/etc/openvpn/certs/central-broker.crt''.
  * ''key'' - Path to your key file. For example: ''/etc/openvpn/certs/central-broker.key''.
  * ''dh'' - Path to your Diffie-Hellman parameters file. For example: ''/etc/openvpn/ca_certificates/dh.pem''.
  * ''server'' - Address and mask of your virtual network. For example: ''10.9.0.0 255.255.255.0''.

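Before pointing ''ca'', ''cert'' and ''key'' at the copied files, it is worth checking that they belong together. The script below is an added example, not part of this wiki page; it assumes ''openssl'' is installed and takes the three paths as arguments (for instance ''/etc/openvpn/ca_certificates/ca.crt'' and the two files under ''/etc/openvpn/certs''). The ''make_test_pki'' function only builds a constructed throw-away CA and certificate so the check can be tried without real key material.

```sh
#!/bin/sh
# Added example, not part of the wiki page: verify the CA, certificate and key
# copied into /etc/openvpn before pointing central-broker.conf at them.
set -eu

# check_vpn_material CA CRT KEY: prints findings; returns 0 only if all pass.
check_vpn_material() {
  ca="$1" crt="$2" key="$3" ok=0
  for f in "$ca" "$crt" "$key"; do
    [ -r "$f" ] || { echo "missing: $f"; ok=1; }
  done
  [ "$ok" -eq 0 ] || return 1
  # 1. The certificate must chain to the CA given by the 'ca' option, or
  #    clients that trust that CA will reject the server.
  if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "ok: $crt verifies against $ca"
  else
    echo "FAIL: $crt does not verify against $ca"; ok=1
  fi
  # 2. 'cert' and 'key' must be a pair: the public key in each must match.
  if [ "$(openssl x509 -in "$crt" -pubkey -noout)" = \
       "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
    echo "ok: $key matches $crt"
  else
    echo "FAIL: $key does not match $crt"; ok=1
  fi
  # 3. The private key must be readable by its owner only (mode 600).
  if [ "$(ls -l "$key" | cut -c5-10)" = "------" ]; then
    echo "ok: $key is owner-readable only"
  else
    echo "FAIL: $key is group or world readable, run: chmod 600 $key"; ok=1
  fi
  return "$ok"
}

# make_test_pki DIR: constructed throw-away CA, server certificate and an
# unrelated key, standing in for the easy-rsa output the page copies over.
make_test_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=TestCA -days 2 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=central-broker \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/srv.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -out "$d/other.key" 2>/dev/null
  chmod 600 "$d/srv.key" "$d/other.key"
}
```

Run it as ''check_vpn_material /etc/openvpn/ca_certificates/ca.crt /etc/openvpn/certs/central-broker.crt /etc/openvpn/certs/central-broker.key'' on the server; a non-zero exit means one of the three checks printed a FAIL line.
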
To test that OpenVPN is configured correctly, you can run it from the console:

<code>
# openvpn --cd /etc/openvpn/server --config central-broker.conf
</code>

===== systemd unit =====

Now you need to configure OpenVPN to establish the connection automatically when the machine boots. Let's create a systemd unit for this task.

Create a [[https://fedoramagazine.org/systemd-template-unit-files/|template]] systemd unit file ''/etc/systemd/system/openvpn-server@.service'' with the following content:

<code - /etc/systemd/system/openvpn-server@.service>
[Unit]
Description=OpenVPN service for %I
After=network.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=simple
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/server --config %i.conf
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
</code>

This is a generic description of how to start an OpenVPN server process. Template units use the ''%i'' placeholder for the argument that creates a unit instance. To bring the unit up, issue the following commands:

<code>
# systemctl daemon-reload
# systemctl enable openvpn-server@central-broker.service
# systemctl start openvpn-server@central-broker.service
</code>

If you have just created the unit file, don't forget to run ''daemon-reload'' so systemd loads it. Then enable the ''central-broker'' instance of the template unit to instruct systemd to start it at boot. Finally, start OpenVPN manually with the ''start'' command.

Note that ''central-broker'' is not only the name of the instance but is also used as the name of the configuration file (''%i.conf''). If your configuration file has a different name, change the unit instance name accordingly.

services/vpn.txt · Last modified: 2016/05/09 10:24 (external edit)