VPN
Create PKI
Follow the PKI guide to set up a Certificate Authority and use it to generate and sign a server key/certificate pair and any number of client key/certificate pairs. Copy the CA certificate and the server certificate to /etc/ssl/certs/ on the OpenVPN server. Similarly, copy (over a secure channel) the server key file, and only the server key, to /etc/ssl/private/ on the server; the CA key stays on the CA machine. Ensure that only root can read the key file (owner root, mode 0600), and check this rather than assume it: OpenVPN itself does not enforce it.
Additionally, generate Diffie-Hellman parameters and copy the resulting dh2048.pem file to the OpenVPN server in /etc/openvpn/. (The file name assumes 2048-bit parameters; if you generated a different size, use the matching name here and in the dh line of server.conf below.)
Server
Allow IP forwarding
As root, create the file /etc/sysctl.d/60-openvpn.conf with the following contents:
# Enable IP forwarding for VPN
net.ipv4.ip_forward=1
Then, to make the setting take effect immediately without a reboot, run sudo service procps start (Debian; sudo sysctl --system applies the same files on any system with sysctl). Confirm that /proc/sys/net/ipv4/ip_forward now reads 1.
Add NAT rule to iptables
The following rule needs to be added to iptables, where the VPN network is 10.211.164.0/24, the OpenVPN server's IP is 192.168.1.10, and eth0 is the server's LAN interface (adjust the interface name to match your server):
iptables -t nat -A POSTROUTING -s 10.211.164.0/24 -o eth0 -j SNAT --to-source 192.168.1.10
This rewrites the source address of VPN client traffic leaving eth0 to the server's own address, so LAN hosts see the connections as coming from 192.168.1.10. Two caveats: iptables rules do not survive a reboot, so persist this rule with your distribution's mechanism (for example the iptables-persistent package on Debian); and with ip_forward enabled and no FORWARD-chain rules the server will forward any traffic between its interfaces, not only VPN traffic, so restrict the FORWARD chain to the tun interface and the VPN subnet if the server has more than one network attached.
Install and configure OpenVPN
Install the openvpn package. Create the file /etc/openvpn/server.conf, assuming the following:
- The VPN network is 10.211.164.0/24
- The internal network is 192.168.1.0/24
- The internal DNS server is at 192.168.1.2
- The local domain is mydomain.local
port 1194
proto udp
dev tun
# PKI material copied in the Create PKI section
ca /etc/ssl/certs/<CA cert file>
cert /etc/ssl/certs/<VPN server cert file>
key /etc/ssl/private/<VPN server key file>
dh /etc/openvpn/dh2048.pem
# Address pool handed to VPN clients
server 10.211.164.0 255.255.255.0
# Route the internal network through the tunnel; the second push then sends
# all other client traffic through it as well (the explicit route only
# matters if redirect-gateway is removed)
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.2"
push "dhcp-option DOMAIN mydomain.local"
keepalive 10 120
comp-lzo
# Keep the key and tun device open across restarts (required if the daemon
# drops privileges after start)
persist-key
persist-tun
ifconfig-pool-persist ipp.txt
status openvpn-status.log
verb 3
Three things a review of this configuration should flag. comp-lzo enables compression, which OpenVPN now deprecates and advises against: compressing attacker-influenced data alongside secrets leaks those secrets (the VORACLE attack), so remove the line unless you have a specific need and accept that risk. There is no tls-auth (or, on OpenVPN 2.4 and later, tls-crypt) key, so the control channel accepts TLS handshakes from any host that can reach UDP port 1194. And there are no user/group directives, so the daemon keeps root after initialisation; persist-key and persist-tun exist mainly to allow dropping to user nobody / group nogroup, which is the usual hardening.
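The steps above leave several things to verify by hand: that the server key is not group- or world-readable, that ip_forward is on, and that server.conf does not carry the weak settings noted above. The following pre-flight script is an added example written for this page; it is not part of the original page or of the OpenVPN project. Every check is a function that takes its input path as an argument and returns 0 on pass, so the same functions run against test fixtures or the live host. The file names /etc/ssl/private/server.key and /etc/openvpn/server.conf, and the certificate names inside the sample config, are assumptions; the lint rules are the editor's own checklist, not an OpenVPN feature.

```shell
#!/bin/sh
# Pre-flight checks for the OpenVPN server set up on this page (added example,
# not from the original page or the OpenVPN project). Each check returns 0 on
# pass and non-zero on fail. Assumed default paths (not stated on the page):
# key /etc/ssl/private/server.key, config /etc/openvpn/server.conf.

# 1. The server key must be unreadable by group and world (mode 0600 or 0400).
check_key_perms() {
    key="$1"
    [ -f "$key" ] || { echo "FAIL: $key does not exist"; return 1; }
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")  # GNU stat, then BSD stat
    case "$mode" in
        600|400) echo "ok: $key is mode $mode"; return 0 ;;
        *)       echo "FAIL: $key is mode $mode, expected 600 or 400"; return 1 ;;
    esac
}

# 2. IP forwarding must be on or the server forwards nothing. Reads /proc by
#    default; a different file can be passed for testing.
check_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ "$(cat "$f" 2>/dev/null)" = "1" ]; then
        echo "ok: ip_forward=1"; return 0
    fi
    echo "FAIL: ip_forward is not 1 (see /etc/sysctl.d/60-openvpn.conf)"; return 1
}

# Helper: is the directive $1 present as an uncommented line in $conf?
has_directive() {
    grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$conf"
}

# 3. Lint server.conf for the settings a security review would flag. Prints
#    one line per finding and returns the number of findings (0 = clean).
lint_server_conf() {
    conf="$1"
    findings=0
    if has_directive comp-lzo || has_directive compress; then
        echo "WARN: compression enabled; deprecated by OpenVPN and exploitable (VORACLE) to recover plaintext"
        findings=$((findings + 1))
    fi
    if ! has_directive tls-auth && ! has_directive tls-crypt; then
        echo "WARN: no tls-auth/tls-crypt; control-channel packets carry no pre-TLS HMAC"
        findings=$((findings + 1))
    fi
    if ! has_directive user || ! has_directive group; then
        echo "WARN: no user/group directives; the daemon keeps root after startup"
        findings=$((findings + 1))
    fi
    if has_directive key && ! grep -Eq '^[[:space:]]*key[[:space:]]+/etc/ssl/private/' "$conf"; then
        echo "WARN: key is not under /etc/ssl/private/"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed fixture: the page's server.conf with the placeholder file names
# filled in (assumed names), written to the path given, for exercising the linter.
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/ssl/certs/ca.crt
cert /etc/ssl/certs/vpnserver.crt
key /etc/ssl/private/vpnserver.key
dh /etc/openvpn/dh2048.pem
server 10.211.164.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
comp-lzo
persist-key
persist-tun
EOF
}

# Run every check against the live host:  sudo sh preflight.sh --live
run_live_checks() {
    rc=0
    check_key_perms "${KEY_FILE:-/etc/ssl/private/server.key}" || rc=1
    check_ip_forward || rc=1
    lint_server_conf "${CONF_FILE:-/etc/openvpn/server.conf}" || rc=1
    return $rc
}

case "${1:-}" in
    --live) run_live_checks ;;
esac
```

Run as root with --live on the server after finishing the steps above; on the page's configuration the linter reports three findings (compression, no tls-auth/tls-crypt, no user/group), and a config with comp-lzo removed and tls-crypt, user nobody and group nogroup added comes back clean.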
Router
Set a static route on the gateway router:
- Network: 10.211.164.0/24 (Network for VPN clients)
- Gateway: 192.168.1.10 (IP of OpenVPN server)