OpenVPN

From CSLabsWiki
Revision as of 01:25, 28 February 2017 by Milton (talk | contribs) (Added main information)

OpenVPN
IP Address(es): 128.153.145.248
Contact Person: Milton Griffin
Last Update: Late February 2017
Services: OpenVPN


This service provides a VPN tunnel into COSI. The configuration file is available for any member of COSI in my home folder.

How To Run a Client

Install OpenVPN-gui (Windows) or the OpenVPN package (Linux). Move the configuration file to:

"C:/Program Files/OpenVPN/config/" on Windows
"/etc/openvpn/" to run it as a Linux service

or anywhere for general Linux use. To start the VPN on Windows: start OpenVPN-gui, right-click the icon in the notification area and click Connect. To start the VPN on Linux, run:

sudo openvpn --config /location/of/cosi.ovpn

To run it as a Linux service that starts when the computer boots, run the following (the openvpn@.service unit reads /etc/openvpn/<name>.conf, so the file must be saved as /etc/openvpn/cosi.conf for this unit name to match):

sudo systemctl enable openvpn@cosi.service

NOTE: The configuration is plug and play for anything but Windows. For Windows clients, run regedit (Win + R) and change

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter 

from 0 to 1. Next run services.msc, right-click 'Routing and Remote Access', select Properties, change the startup type to Automatic, then restart.

Server Management

This section covers the initial PKI setup and is run once:

To make a new pki       : easyrsa init-pki
To make the revoke list : easyrsa gen-crl
To make the new CA      : easyrsa build-ca

This section explains how to make the server and client certificates (nopass creates them without a passphrase):

To make the server      : easyrsa build-server-full servername nopass
To make the client      : easyrsa build-client-full clientname nopass

Move the needed files to the server's folder (servername is the name used in the build-server-full step above):

The system CA   : cp -a /etc/easyrsa/pki/ca.crt /etc/openvpn/server/pyxis.ca
The server crt  : cp -a /etc/easyrsa/pki/issued/servername.crt /etc/openvpn/server/server.crt
The server key  : cp -a /etc/easyrsa/pki/private/servername.key /etc/openvpn/server/server.key

The key exchange uses Diffie-Hellman parameters, which must be generated once with openssl:

Go to the server folder : cd /etc/openvpn/main/
Generate the DH         : openssl dhparam -out dh2048.pem 2048

Server Configuration

To allow the system to forward traffic, add the following to /etc/sysctl.d/network.conf:

net.ipv4.ip_forward = 1

and run the following to masquerade VPN client traffic leaving on the external interface (ens3) and persist the rule:

iptables -t nat -I POSTROUTING -o ens3 -s 10.200.0.0/24 -j MASQUERADE
iptables-save > /etc/iptables/iptables.rules

Server configuration file (duplicate-cn is what lets every member connect with the one shared certificate; the trade-off is that the shared certificate can only be revoked for everyone at once):

proto udp
port 1194
dev tun
server 10.200.0.0 255.255.255.0
topology subnet
persist-key
persist-tun
keepalive 10 60
push "redirect-gateway def1"
push "route 0.0.0.0 0.0.0.0 10.200.0.1 999"
push "dhcp-option DNS 128.153.145.3" 
dh      [inline]
ca      [inline]
cert    [inline]
key     [inline]
duplicate-cn
user nobody
group nobody
verb 3
daemon
log-append /var/log/openvpn.log
(dh, ca, cert and key inline blocks omitted)

Client Configuration

Client configuration file:

client
proto udp
remote 128.153.145.248
port 1194
dev tun
nobind
topology subnet
pull
(ca, cert and key inline blocks omitted)
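To hand each member their own profile instead of one shared file, the client template above can be bundled with that member's certificate and key inline, in the same form the server config uses. The script below is an added example, not part of the original page: the function name, the temporary sample PKI and the placeholder certificate contents are constructed here, while the directory layout follows the easyrsa paths used above.

```shell
#!/bin/sh
# Build a single-file OpenVPN client profile that embeds the CA, the client's
# certificate and its private key inline. Layout assumed: <pki>/ca.crt,
# <pki>/issued/<name>.crt, <pki>/private/<name>.key (easyrsa's defaults).
# Usage: build_inline_profile <clientname> <pki_dir> <output.ovpn>
build_inline_profile() {
    name=$1; pki=$2; out=$3
    ca="$pki/ca.crt"; crt="$pki/issued/$name.crt"; key="$pki/private/$name.key"
    # Refuse to write a profile if any part of the identity is missing or empty.
    for f in "$ca" "$crt" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    {
        cat <<'EOF'
client
proto udp
remote 128.153.145.248
port 1194
dev tun
nobind
topology subnet
pull
EOF
        printf '<ca>\n'; cat "$ca"; printf '</ca>\n'
        printf '<cert>\n'
        # easyrsa's issued .crt starts with a text dump before the PEM block;
        # keep only the PEM part so the client parses it cleanly.
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$crt"
        printf '</cert>\n'
        printf '<key>\n'; cat "$key"; printf '</key>\n'
    } > "$out"
    # The private key now lives inside the profile: owner-readable only.
    chmod 600 "$out"
}

# Constructed sample PKI so the example runs offline; the PEM bodies are
# placeholders, not real certificates or keys.
demo_pki=$(mktemp -d)
mkdir -p "$demo_pki/issued" "$demo_pki/private"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' \
    '-----END CERTIFICATE-----' > "$demo_pki/ca.crt"
printf '%s\n' 'Certificate:' '    Data: ...' '-----BEGIN CERTIFICATE-----' \
    'PLACEHOLDER-CLIENT' '-----END CERTIFICATE-----' > "$demo_pki/issued/alice.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' \
    '-----END PRIVATE KEY-----' > "$demo_pki/private/alice.key"
build_inline_profile alice "$demo_pki" "$demo_pki/alice.ovpn"
```

The resulting alice.ovpn can be dropped into the client config folder as-is; the shared-file setup above would use the same function with the single shared client name.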