Sunday, May 11, 2014

How to install and configure OpenVPN on CentOS with routing


========= OpenVPN Server =========

yum install gcc make openssl openssl-devel        // openssl-devel provides the headers on CentOS (libssl-devel is the Debian package name and does not exist in yum); gcc and make are needed for the builds below

 
 cd /usr/local/src/
 wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
 wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz        // plain HTTP: verify the signature or checksum OpenVPN publishes for the release before building it

 
  cd /usr/local/src/
 
  tar -zxvf /usr/local/src/lzo-2.06.tar.gz
  cd lzo-2.06/
  ls
 ./configure
  make
  make install
 
  cd ..
  tar -zxvf /usr/local/src/openvpn-2.2.2.tar.gz
  ls
  cd openvpn-2.2.2/
   ./configure
  make
  make install

  mkdir /etc/openvpn

 cd /usr/local/src/openvpn-2.2.2/easy-rsa/2.0                    // the tree unpacked above

vi vars


     export KEY_SIZE=2048              // vars ships with 1024; raise it before build-ca, because 1024-bit RSA and DH are no longer considered safe. build-dh then writes keys/dh2048.pem, so the dh line in server.conf must name that file instead of dh1024.pem. The transcripts below were recorded with the 1024-bit default.
     export KEY_COUNTRY="BD"
     export KEY_PROVINCE="DH"
     export KEY_CITY="Dhaka"
     export KEY_ORG="nixproo"
     export KEY_EMAIL="bashar@nixproo.com"


[root@nixproo 2.0]# . ./vars
[root@nixproo 2.0]# ./clean-all
[root@nixproo 2.0]# ./build-ca

Generating a 1024 bit RSA private key
...................................++++++
..++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BD]:
State or Province Name (full name) [DH]:.
Locality Name (eg, city) [Dhaka]:
Organization Name (eg, company) [nixproo]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [nixproo CA]:nixproo-CA
Name []:Bashar
Email Address [bashar@nixproo.com]:bashar@nixproo.com
[root@nixproo 2.0]#



[root@nixproo 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
...........................................++++++
...............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BD]:
State or Province Name (full name) [DH]:
Locality Name (eg, city) [Dhaka]:
Organization Name (eg, company) [nixproo]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Name []:Bashar
Email Address [bashar@nixproo.com]:bashar@nixproo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:nixproo
An optional company name []:test
Using configuration from /root/openvpn-2.1.1/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'BD'
stateOrProvinceName   :PRINTABLE:'DH'
localityName          :PRINTABLE:'Dhaka'
organizationName      :PRINTABLE:'nixproo'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'Bashar'
emailAddress          :IA5STRING:'bashar@nixproo.com'
Certificate is to be certified until Dec 24 04:58:46 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@nixproo 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
.++++++
........++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BD]:
State or Province Name (full name) [DH]:
Locality Name (eg, city) [Dhaka]:
Organization Name (eg, company) [nixproo]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Name []:Bashar
Email Address [bashar@nixproo.com]:bashar@nixproo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:nixproo
An optional company name []:test
Using configuration from /root/openvpn-2.1.1/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'BD'
stateOrProvinceName   :PRINTABLE:'DH'
localityName          :PRINTABLE:'Dhaka'
organizationName      :PRINTABLE:'nixproo'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'Bashar'
emailAddress          :IA5STRING:'bashar@nixproo.com'
Certificate is to be certified until Dec 24 05:01:19 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


[root@nixproo 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
............................+.......................................................
....+........................................................+...............+.............+........
................+...................................................................................
.............................+....................+....................................+.+.....+.........++*++*++*
build-dh writes keys/dh1024.pem (used by the server only). Nothing goes to the client yet: the only files a client PC ever needs in /etc/openvpn/keys/ are ca.crt, client1.crt, client1.key and the ta.key generated next. ca.key, server.key, dh1024.pem and the index.txt/serial database stay on the server; whoever holds ca.key can mint certificates the server will accept.


[root@nixproo 2.0]# openvpn --genkey --secret keys/ta.key        // write it into keys/ so the cp below includes it; both configs expect /etc/openvpn/keys/ta.key

cp -r /usr/local/src/openvpn-2.2.2/easy-rsa/2.0/keys /etc/openvpn/
chmod 700 /etc/openvpn/keys
chmod 600 /etc/openvpn/keys/*.key

Copy ca.crt, client1.crt, client1.key and ta.key to the client PC into /etc/openvpn/keys/ (scp, not email or a web share: client1.key and ta.key are secrets, and ta.key is the same shared secret on every peer).
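To make the copy step above mechanical and safe, the following shell script is an added example; it is mine, not part of the original post, of easy-rsa or of OpenVPN. stage_client_bundle gathers exactly the four files a client needs from easy-rsa's keys/ directory into a bundle directory with the right permissions and refuses to ship CA or server material, and verify_client_bundle runs the openssl checks worth doing before the bundle leaves the server. The function names, the bundle directory and the example paths are this script's own assumptions; the purpose check relies on easy-rsa 2.0's build-key marking client certificates with extendedKeyUsage=clientAuth.

```shell
#!/bin/sh
# Added example, not from the original post or from easy-rsa/OpenVPN.
# stage_client_bundle <keys-dir> <client-name> <out-dir>
#   copies exactly the four files a client needs and nothing else.
# verify_client_bundle <out-dir> <client-name>
#   runs the openssl checks worth doing before the bundle leaves the server.

stage_client_bundle() {
    keys=$1; client=$2; out=$3
    # The client needs the CA *certificate*, its own cert and key, and the
    # shared tls-auth key. It must never get ca.key, server.key or the CA's
    # index/serial database.
    needed="ca.crt $client.crt $client.key ta.key"
    for f in $needed; do
        [ -f "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done

    # Create the copies under a restrictive umask so the secrets are never
    # world-readable even for an instant, then relax only the public files.
    old_umask=$(umask)
    umask 077
    mkdir -p "$out" || { umask "$old_umask"; return 1; }
    for f in $needed; do
        cp "$keys/$f" "$out/$f" || { umask "$old_umask"; return 1; }
    done
    umask "$old_umask"
    chmod 644 "$out/ca.crt" "$out/$client.crt"   # public material
    chmod 600 "$out/$client.key" "$out/ta.key"   # secrets

    # Defensive check: nothing from the CA side may be in the bundle directory.
    for bad in ca.key server.key server.crt index.txt serial; do
        [ ! -e "$out/$bad" ] || { echo "refusing: $bad found in $out" >&2; return 1; }
    done
    echo "$out"
}

verify_client_bundle() {
    out=$1; client=$2
    # 1. the client cert chains to the CA certificate we are shipping
    openssl verify -CAfile "$out/ca.crt" "$out/$client.crt" >/dev/null || return 1
    # 2. the private key really belongs to that cert (compare RSA moduli)
    cm=$(openssl x509 -noout -modulus -in "$out/$client.crt" | openssl md5)
    km=$(openssl rsa  -noout -modulus -in "$out/$client.key" | openssl md5)
    [ "$cm" = "$km" ] || { echo "$client.key does not match $client.crt" >&2; return 1; }
    # 3. a client cert must not be usable as a server cert, or this client could
    #    impersonate the server to other clients despite "ns-cert-type server"
    if openssl x509 -noout -purpose -in "$out/$client.crt" | grep -q '^SSL server : Yes'; then
        echo "$client.crt is usable as a server certificate" >&2; return 1
    fi
    echo "bundle in $out verified"
}

# Example invocation (run on the server after build-key):
#   sh bundle.sh /etc/openvpn/keys client1 /root/client1-bundle
if [ $# -eq 3 ]; then
    stage_client_bundle "$1" "$2" "$3" && verify_client_bundle "$3" "$2"
fi
```

Run it on the server, then scp the bundle directory to the client's /etc/openvpn/keys/. The purpose check in step 3 matters because ns-cert-type server in client.conf only protects clients as long as no client certificate is also valid as a server certificate.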

vi /etc/openvpn/ipp.txt                  // optional: seed the pool-persist file so known clients get the same block after a restart

client1,10.8.0.4
client2,10.8.0.8
client3,10.8.0.12

The addresses must come from the "server 10.8.0.0 255.255.255.0" pool below, not from a LAN range. With the default net30 topology each client owns a /30 block (bases 10.8.0.4, .8, .12 ... .248), the file stores the block base, and the client itself is configured as base+2 (client1 is 10.8.0.6 with 10.8.0.5 as its peer). ifconfig-pool-persist is only a hint for reuse across restarts; to guarantee a client's address use client-config-dir with an ifconfig-push line.
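Because ipp.txt entries are easy to get wrong (a LAN address such as 192.168.50.4 is not in the pool and cannot be assigned), here is an added shell example, not from the original post or from OpenVPN, that checks such a file against the pool "server 10.8.0.0 255.255.255.0" creates in the default net30 topology. The 10.8.0.0/24 network, the pool bounds 10.8.0.4 to 10.8.0.251 (as the manual documents for the server directive) and the net30 block layout are facts; the function names are this script's own.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenVPN. Checks an
# ifconfig-pool-persist file against the pool that
#   server 10.8.0.0 255.255.255.0
# creates in OpenVPN's default net30 topology: 10.8.0.1/.2 belong to the
# server, the pool is 10.8.0.4-10.8.0.251 in /30 blocks, ipp.txt stores each
# client's block base, and the client itself is configured as base+2
# (its peer address is base+1).

POOL_NET=10.8.0   # first three octets of the server network (from the post)
POOL_FIRST=4      # lowest block base
POOL_LAST=248     # highest block base: .248-.251 is the last /30 inside the pool

# Address the client will see on its own tun0 for a given ipp.txt entry.
client_addr_for_base() {
    last=${1##*.}
    echo "${1%.*}.$((last + 2))"
}

# check_ipp_file <file>: one line of output per entry; returns 1 if any is bad.
check_ipp_file() {
    status=0
    while IFS=, read -r name ip; do
        case $name in ''|'#'*) continue ;; esac     # skip blanks and comments
        prefix=${ip%.*}; last=${ip##*.}
        reason=
        if [ "$prefix" != "$POOL_NET" ]; then
            reason="not inside $POOL_NET.0/24 (LAN addresses do not belong here)"
        elif ! [ "$last" -ge 0 ] 2>/dev/null; then
            reason="last octet is not a number"
        elif [ "$last" -lt "$POOL_FIRST" ] || [ "$last" -gt "$POOL_LAST" ]; then
            reason="outside the pool bases .$POOL_FIRST-.$POOL_LAST"
        elif [ $((last % 4)) -ne 0 ]; then
            reason="not a /30 block base (must be a multiple of 4)"
        fi
        if [ -n "$reason" ]; then
            echo "bad $name $ip: $reason"
            status=1
        else
            echo "ok  $name $ip -> client gets $(client_addr_for_base "$ip")"
        fi
    done < "$1"
    # two names mapped to one block: only one of them can actually get it
    dups=$(cut -d, -f2 "$1" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "bad duplicate block(s): $dups"
        status=1
    fi
    return $status
}

# usage: sh check-ipp.sh /etc/openvpn/ipp.txt
if [ $# -eq 1 ]; then check_ipp_file "$1"; fi
```

Run it against /etc/openvpn/ipp.txt after editing and again after OpenVPN has rewritten the file; a "bad" line means the entry will not produce the address you expect.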



cp /usr/local/src/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
vi /etc/openvpn/server.conf               //With line number (numbers refer to the sample file)

26 local <Server IP>
34 port 1194
38 proto udp
55 dev tun

80 ca /etc/openvpn/keys/ca.crt
81 cert /etc/openvpn/keys/server.crt
82 key /etc/openvpn/keys/server.key
91 dh /etc/openvpn/keys/dh1024.pem

100 server 10.8.0.0 255.255.255.0
107 ifconfig-pool-persist /etc/openvpn/ipp.txt        // absolute path: a relative name is resolved against the directory openvpn was started from
 

 128 push "route 192.168.18.0 255.255.255.0"            //Added block for push route: LANs the clients should reach through the tunnel
 129 push "route 192.168.0.0 255.255.255.0"
 130 push "route 192.168.10.0 255.255.255.0"
                                                          // 192.168.18.0/24 is the LAN behind the gateway client in the Routing section, so that client removes the pushed route again; for other clients to reach it the server additionally needs "route 192.168.18.0 255.255.255.0" here plus a client-config-dir file for the gateway client containing "iroute 192.168.18.0 255.255.255.0"

 
 224 keepalive 10 120
 237 tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
 249 comp-lzo
 292 verb 6                // 6 is debug output with per-packet detail; drop to 3 once the tunnel works
 297 mute 20

 Further down, uncomment user nobody and group nobody (and keep persist-key / persist-tun, which the sample already enables) so the daemon drops root once the keys and tun0 are opened and can still restart on SIGUSR1 afterwards.




== Run OpenVPN Server ==

make install placed the binary at /usr/local/sbin/openvpn; a binary copied into /etc/init.d is not an init script. Run it directly:

/usr/local/sbin/openvpn --config /etc/openvpn/server.conf --daemon

Or install the init script that ships in the source tree, which starts every *.conf in /etc/openvpn and writes a pid file:

cp /usr/local/src/openvpn-2.2.2/sample-scripts/openvpn.init /etc/init.d/openvpn
chmod 755 /etc/init.d/openvpn
chkconfig --add openvpn
/etc/init.d/openvpn start

                                                                                                      // tun0 created with 10.8.0.1 IP



========== Open VPN Client =========================

    cd /usr/local/src/
 
    yum install gcc make openssl openssl-devel          // same packages as on the server
 
  wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
  wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz

  cd /usr/local/src/
 
  tar -zxvf /usr/local/src/lzo-2.06.tar.gz
  cd lzo-2.06/
  ls
 ./configure
  make
  make install
 
  cd ..
  tar -zxvf /usr/local/src/openvpn-2.2.2.tar.gz
  ls
  cd openvpn-2.2.2/
  ls
 
  ./configure
  make
  make install

  mkdir -p /etc/openvpn/keys
                                  // copy ca.crt, client1.crt, client1.key and ta.key from the server into /etc/openvpn/keys/ (never the whole keys folder: it holds ca.key and server.key)
  chmod 700 /etc/openvpn/keys
  chmod 600 /etc/openvpn/keys/*.key
 
 
cp /usr/local/src/openvpn-2.2.2/sample-config-files/client.conf /etc/openvpn/
vi /etc/openvpn/client.conf                          // With line number (numbers refer to the sample file)

 16 client
 24 dev tun
 37 proto udp
 42 remote <Server IP>
 58 nobind
 65 persist-key
 66 persist-tun
 
 91 ca /etc/openvpn/keys/ca.crt
 92 cert /etc/openvpn/keys/client1.crt
 93 key  /etc/openvpn/keys/client1.key
 106 ns-cert-type server        // rejects a peer whose cert lacks nsCertType=server, i.e. another client's cert (build-key-server sets it); "remote-cert-tls server" is the newer equivalent and also works with easy-rsa 2.0 certs
 111 tls-auth /etc/openvpn/keys/ta.key 1
 
 121 comp-lzo
 124 verb 3




 ===== run openVPN Client ====

  /usr/local/sbin/openvpn --config /etc/openvpn/client.conf --daemon      // tun0 comes up as 10.8.0.6 with P-t-P 10.8.0.5, the block seeded for client1 in ipp.txt (base 10.8.0.4, client = base+2)

============ Routing   ========================


=== VPN server ===


sysctl -w net.ipv4.ip_forward=1                  // same effect as echo 1 > /proc/sys/net/ipv4/ip_forward, but also add net.ipv4.ip_forward = 1 to /etc/sysctl.conf or forwarding is gone after a reboot
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE      // everything arriving from the tunnel, including the LAN behind a gateway client (which masquerades it as 10.8.0.6 itself), leaves with the server's address

Do not start with "iptables -t nat -F": it wipes every NAT rule on the host, not just OpenVPN's; remove a specific rule with -D instead. A "route add -net 192.168.18.0 netmask 255.255.255.0 dev tun0" on the server is not needed here (the gateway client hides its LAN behind 10.8.0.6) and would not be enough on its own: the server only forwards to a subnet behind a client if server.conf carries "route 192.168.18.0 255.255.255.0" and a client-config-dir file for that client contains "iroute 192.168.18.0 255.255.255.0".


Or, to expose the gateway client at the server's public address (every new inbound connection to <Server IP> is handed to 10.8.0.6):

sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i eth0 -d <Server IP> -p udp --dport 1194 -j ACCEPT    // must come first: ACCEPT in the nat table exempts the packet from the DNAT below, otherwise the tunnel's own packets are pushed into tun0 and the VPN never comes up
iptables -t nat -A PREROUTING -i eth0 -d <Server IP> -p tcp --dport 22 -j ACCEPT      // same for anything that must stay on the server itself, such as sshd
iptables -t nat -A PREROUTING -i eth0 -d <Server IP> -j DNAT --to 10.8.0.6
iptables -t nat -A POSTROUTING -s 10.8.0.6 -o eth0 -j SNAT --to <Server IP>

No "route add -net 10.8.0.0 netmask 255.255.255.0 dev tun0" is needed: the server directive installs that route itself when tun0 comes up.
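The NAT steps above are quick to type but fragile: a flush removes rules that are not OpenVPN's, a blanket DNAT catches the tunnel's own port, and nothing makes forwarding persistent. The following shell script is an added example (mine, not from the post or from OpenVPN) that emits both variants in a reviewable, idempotent form. Interface names, the 10.8.0.0/24 pool, port 1194 and the client address 10.8.0.6 are taken from the post; SERVER_IP defaults to the documentation address 203.0.113.10 as a placeholder for <Server IP>, the ovpn-* chain names and DRY_RUN=1 (print instead of apply) are this script's own conventions, and the rules go into dedicated chains because the -C rule check is missing from older iptables builds.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenVPN.
VPN_NET=${VPN_NET:-10.8.0.0/24}
WAN_IF=${WAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
VPN_PORT=${VPN_PORT:-1194}
SERVER_IP=${SERVER_IP:-203.0.113.10}   # placeholder (RFC 5737); put the real <Server IP> here

# Run an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# make_chain <table> <builtin> <ours>: (re)create our own chain and hook it into
# the built-in chain once. Re-running the script therefore flushes only our
# chains, never the whole table the way "iptables -t nat -F" does.
make_chain() {
    table=$1; builtin=$2; ours=$3
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables -t $table -N $ours"
        echo "iptables -t $table -F $ours"
        echo "iptables -t $table -A $builtin -j $ours"
        return
    fi
    iptables -t "$table" -N "$ours" 2>/dev/null || true
    iptables -t "$table" -F "$ours"
    iptables -t "$table" -S "$builtin" | grep -q -- "-j $ours\$" \
        || iptables -t "$table" -A "$builtin" -j "$ours"
}

# Variant 1 of the post: clients (and a LAN behind a gateway client) reach the
# Internet through the server's address.
masquerade_rules() {
    make_chain filter INPUT ovpn-in
    make_chain filter FORWARD ovpn-fwd
    make_chain nat POSTROUTING ovpn-post
    ipt -t filter -A ovpn-in  -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    ipt -t filter -A ovpn-fwd -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    ipt -t filter -A ovpn-fwd -i "$WAN_IF" -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A ovpn-post -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Variant 2 of the post: hand every new inbound connection for the server's
# address to one client. The ACCEPTs must precede the DNAT: in the nat table
# ACCEPT means "leave this packet un-NATed", so the tunnel's own UDP port and
# sshd stay on the server instead of being pushed into tun0.
port_forward_rules() {
    client=$1
    make_chain nat PREROUTING ovpn-pre
    make_chain nat POSTROUTING ovpn-post
    make_chain filter FORWARD ovpn-fwd
    ipt -t nat -A ovpn-pre -i "$WAN_IF" -d "$SERVER_IP" -p udp --dport "$VPN_PORT" -j ACCEPT
    ipt -t nat -A ovpn-pre -i "$WAN_IF" -d "$SERVER_IP" -p tcp --dport 22 -j ACCEPT
    ipt -t nat -A ovpn-pre -i "$WAN_IF" -d "$SERVER_IP" -j DNAT --to-destination "$client"
    ipt -t nat -A ovpn-post -s "$client" -o "$WAN_IF" -j SNAT --to-source "$SERVER_IP"
    ipt -t filter -A ovpn-fwd -i "$WAN_IF" -o "$VPN_IF" -d "$client" -j ACCEPT
    ipt -t filter -A ovpn-fwd -i "$VPN_IF" -o "$WAN_IF" -s "$client" -j ACCEPT
}

# Enable forwarding now and across reboots.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "sysctl -w net.ipv4.ip_forward=1"; return; fi
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf \
        || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
}

# usage: [DRY_RUN=1] sh vpn-nat.sh masquerade
#        [DRY_RUN=1] sh vpn-nat.sh forward 10.8.0.6
case ${1:-} in
    masquerade) enable_forwarding; masquerade_rules ;;
    forward)    enable_forwarding; port_forward_rules "${2:-10.8.0.6}" ;;
esac
```

Run it with DRY_RUN=1 first and read the rule list, then without to apply. The ovpn-fwd rules only restrict anything once the FORWARD policy is DROP (iptables -P FORWARD DROP); with the policy at ACCEPT they are harmless but also pointless.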

 

=== Local VPN PC (Local VPN GW PC) ===

sysctl -w net.ipv4.ip_forward=1
route add -host <Server IP> gw <Local GW IP>     // the real gateway, as shown by route -n; add this BEFORE touching the default route, or the tunnel's own packets lose their way out and the VPN drops
route del default gw <Local GW IP>
route del -net 192.168.18.0 netmask 255.255.255.0 dev tun0      // the server pushed a route for this PC's own LAN; left in place it would send local traffic into the tunnel
route add default dev tun0
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE      // the LAN hosts (default gateway = this PC) appear as 10.8.0.6 inside the tunnel

                                        // Local VPN Client works as the LAN's VPN gateway. OpenVPN can do the same route change itself with "redirect-gateway def1" in client.conf (or pushed from the server): it adds the host route to the server, overrides the default route with two /1 routes and undoes both when the client exits, which the manual route commands above do not.

============================= Testing  ====================================

ping -I tun0 8.8.8.8                                                       // from the VPN client PC: forces the packets out through the tunnel
ip route get 8.8.8.8                                                       // on the gateway PC: must answer "dev tun0" once the default route has been moved
traceroute 8.8.8.8                                                         // the first hop should be inside 10.8.0.0/24 (the server's end of the tunnel); from a LAN host behind the gateway PC the first hop is the gateway PC itself
