Difference between revisions of "OpenVPN Checklist Guide"

From ArchWiki
m (Setting up the Clients: Fix daemon style)
m (fixing details)
(2 intermediate revisions by the same user not shown)
Line 10: Line 10:
  
 
* Copy {{ic|/usr/share/openvpn/easy-rsa}} to {{ic|/etc/openvpn/easy-rsa}} and cd there
 
* Copy {{ic|/usr/share/openvpn/easy-rsa}} to {{ic|/etc/openvpn/easy-rsa}} and cd there
* Edit {{ic|vars}} with the information you want, then source it. See [[OpenVPN#Creating_keys_and_certificates|here]] for details.
+
* Edit the {{ic|vars}} file with the information you want, then source it. Read [[Create a Public Key Infrastructure Using the easy-rsa Scripts]] for details.
  . ./vars
+
{{bc|# source ./vars}}
 
* Clean up any previous keys:
 
* Clean up any previous keys:
  ./clean-all
+
{{bc|# ./clean-all}}
  
 
==Generate the certificates==
 
==Generate the certificates==
 
* Create the "certificate authority" key  
 
* Create the "certificate authority" key  
  ./build-ca
+
{{bc|#  ./build-ca}}
 
* Create certificate and private key for the server
 
* Create certificate and private key for the server
  ./build-key-server <server-name>
+
{{bc|#  ./build-key-server ''<server-name>''}}
 
* Create the Diffie-Hellman pem file for the server. Don't enter a challenge password or company name when you set these up.
 
* Create the Diffie-Hellman pem file for the server. Don't enter a challenge password or company name when you set these up.
  ./build-dh
+
{{bc|#  ./build-dh}}
 
* Create a certificate for each client.  
 
* Create a certificate for each client.  
./build-key <client-name>
+
{{bc|# ./build-key ''<client-name>''}}
 
All certificates are stored in {{ic|keys}} directory.  If you mess up, you can start all over by doing a {{ic|./clean-all}}
 
All certificates are stored in {{ic|keys}} directory.  If you mess up, you can start all over by doing a {{ic|./clean-all}}
  
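Review bot: the prompts in the new {{bc|}} blocks are inconsistent: `{{bc|#  ./build-ca}}`, `{{bc|#  ./build-key-server ''<server-name>''}}` and `{{bc|#  ./build-dh}}` have two spaces after `#`, while `{{bc|# source ./vars}}` and `{{bc|# ./build-key ''<client-name>''}}` have one; use a single space throughout. The closing sentence "All certificates are stored in {{ic|keys}} directory" also needs "the" before {{ic|keys}} and a full stop at the end.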
Line 30: Line 30:
 
==Setting up the Server==
 
==Setting up the Server==
 
* Create {{ic|/etc/openvpn/myvpnserver.conf}} with a content like this:
 
* Create {{ic|/etc/openvpn/myvpnserver.conf}} with a content like this:
{{bc|
+
{{hc|/etc/openvpn/myvpnserver.conf|
port <port>
+
port ''<port>''
 
proto tcp
 
proto tcp
 
dev tun0
 
dev tun0
  
 
ca /etc/openvpn/easy-rsa/keys/ca.crt
 
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<server-name>.crt
+
cert /etc/openvpn/easy-rsa/keys/''<server-name>''.crt
key /etc/openvpn/easy-rsa/keys/<server-name>.key
+
key /etc/openvpn/easy-rsa/keys/''<server-name>''.key
dh /etc/openvpn/easy-rsa/keys/<your pem file>
+
dh /etc/openvpn/easy-rsa/keys/''<your pem file>''
  
server <desired base ip> 255.255.255.0
+
server ''<desired base ip>'' 255.255.255.0
 
ifconfig-pool-persist ipp.txt
 
ifconfig-pool-persist ipp.txt
 
keepalive 10 120
 
keepalive 10 120
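Review bot: the line `dh /etc/openvpn/easy-rsa/keys/''<your pem file>''` is the only placeholder in the new {{hc|}} block that does not say where its value comes from; the `cert` and `key` lines reuse `''<server-name>''` from the `./build-key-server` step, so either say that this is the file written by `./build-dh` into the {{ic|keys}} directory or name the placeholder after that step.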
Line 54: Line 54:
 
status /tmp/vpn.status 10
 
status /tmp/vpn.status 10
 
}}
 
}}
* Enable and start the {{ic|openvpn}} daemon:
+
* Start and, optionally, enable for autostart on boot, the daemon. (In this example, is {{ic|openvpn@myvpnserver.service}})
{{bc|# systemctl enable openvpn@myvpnserver.service
+
 
# systemctl start openvpn@myvpnserver.service}}
+
Read [[Daemon]] for more information.
  
 
==Setting up the Clients==
 
==Setting up the Clients==
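Review bot: the command lines `{{bc|# systemctl enable openvpn@myvpnserver.service` and `# systemctl start openvpn@myvpnserver.service}}` are removed and only `Read [[Daemon]] for more information.` is added, so the new bullet tells the reader to start and enable the daemon without showing how; keep the {{bc|}} block with both commands next to the bullet. The new sentence also reads awkwardly: "Start and, optionally, enable for autostart on boot, the daemon. (In this example, is {{ic|openvpn@myvpnserver.service}})" would be clearer as "Start the daemon and, optionally, enable it to start on boot (in this example the unit is {{ic|openvpn@myvpnserver.service}})".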
Line 62: Line 62:
 
{{hc|a-client-conf-file.conf|
 
{{hc|a-client-conf-file.conf|
 
client
 
client
remote <server> <port>
+
remote ''<server>'' ''<port>''
 
dev tun0
 
dev tun0
 
proto tcp
 
proto tcp
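Review bot: `remote ''<server>'' ''<port>''` together with `proto tcp` has to match the `port ''<port>''` and `proto tcp` lines of the server config in the previous section; a short sentence noting that `''<port>''` here is the same value as on the server would save the reader a mismatch.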
Line 71: Line 71:
 
verb 2
 
verb 2
 
ca ca.crt
 
ca ca.crt
cert <client crt file>
+
cert ''<client crt file with full path>''
key <client key file>
+
key ''<client key file with full path>''
 
comp-lzo
 
comp-lzo
 
}}
 
}}
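Review bot: `cert ''<client crt file with full path>''` and `key ''<client key file with full path>''` now ask for full paths, but `ca ca.crt` just above them is still a bare relative name; give `ca` a full path as well so all three certificate lines follow the same rule.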

Revision as of 19:54, 8 January 2013


This article summarizes the install process required for OpenVPN. See OpenVPN instead for a walkthrough.

Install

Install the package openvpn from the official repositories.

Prepare data

  • Copy /usr/share/openvpn/easy-rsa to /etc/openvpn/easy-rsa and cd there.
  • Edit the vars file with the information you want, then source it. Read Create a Public Key Infrastructure Using the easy-rsa Scripts for details.
# source ./vars
  • Clean up any previous keys:
# ./clean-all

Generate the certificates

  • Create the "certificate authority" key
# ./build-ca
  • Create certificate and private key for the server
# ./build-key-server <server-name>
  • Create the Diffie-Hellman pem file for the server. Don't enter a challenge password or company name when you set these up.
# ./build-dh
  • Create a certificate for each client.
# ./build-key <client-name>

All certificates are stored in the keys directory. If you mess up, you can start all over by running ./clean-all.

Copy ca.crt and the client's own .crt and .key files to each client.

Setting up the Server

  • Create /etc/openvpn/myvpnserver.conf with content like this:
/etc/openvpn/myvpnserver.conf
port <port>
proto tcp
dev tun0

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<server-name>.crt
key /etc/openvpn/easy-rsa/keys/<server-name>.key
dh /etc/openvpn/easy-rsa/keys/<your pem file>

server <desired base ip> 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
# a second 'status' line appears below; OpenVPN only honours the last one given
#status /var/log/openvpn-status.log
verb 3

log-append /var/log/openvpn
status /tmp/vpn.status 10
  • Start the daemon and, optionally, enable it to start on boot (in this example the unit is openvpn@myvpnserver.service).

Read Daemon for more information.

Setting up the Clients

  • Create a .conf file for each client like this:
a-client-conf-file.conf
client
remote <server> <port>
dev tun0
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 2
ca ca.crt
cert <client crt file with full path>
key <client key file with full path>
comp-lzo
  • Start the connection with
# openvpn a-client-conf-file.conf &

Optionally, enable the daemon to start on boot (in this example the unit is openvpn@a-client-conf-file.service).

Read Daemon for more information.
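As an added check for both the server config and the client config shown above (example code written for this guide, not taken from the ArchWiki page or from OpenVPN itself): a small Python linter that flags a `status` directive given twice, a `user`/`group` privilege drop without `persist-key` and `persist-tun`, a relative path in `ca`/`cert`/`key`/`dh`, and a private key file readable by other users. The sample configs and the temporary key file are constructed for the demonstration; `server.crt`, `server.key` and `c.crt` are placeholder names, not files from the guide.

```python
import os
import tempfile
from collections import Counter

PATH_DIRECTIVES = ("ca", "cert", "key", "dh")                # name certificate/key files
SINGLE_VALUE = ("status", "server", "port", "proto", "dev")  # OpenVPN keeps only the last one

def parse(text):  # (directive, args) pairs; blank lines and '#'/';' comments are skipped
    words = [l.split() for l in text.splitlines() if l.strip() and l.strip()[0] not in "#;"]
    return [(w[0], w[1:]) for w in words]

def lint(text, check_files=True):
    """Return a list of findings; an empty list means every check passed."""
    entries, findings = parse(text), []
    counts = Counter(name for name, _ in entries)
    for name in SINGLE_VALUE:                       # e.g. the two 'status' lines above
        if counts[name] > 1:
            findings.append(f"duplicate '{name}': only the last one takes effect")
    if "user" in counts or "group" in counts:       # after dropping privileges OpenVPN can
        for needed in ("persist-key", "persist-tun"):  # neither re-read keys nor reopen tun
            if needed not in counts:
                findings.append(f"'user'/'group' set but '{needed}' is missing")
    for name, args in entries:
        if name not in PATH_DIRECTIVES or not args:
            continue
        path = args[0]
        if not os.path.isabs(path):
            findings.append(f"'{name} {path}': relative path, give the full path")
        elif check_files and not os.path.exists(path):
            findings.append(f"'{name} {path}': file not found")
        elif check_files and name == "key" and os.stat(path).st_mode & 0o077:
            findings.append(f"'{name} {path}': private key readable by group/others")
    return findings

# Constructed samples modelled on the two configs in this guide, not the page's own text.
SERVER_CONF = """ca /etc/openvpn/easy-rsa/keys/ca.crt
key /etc/openvpn/easy-rsa/keys/server.key
user nobody
group nobody
status /var/log/openvpn-status.log
status /tmp/vpn.status 10
"""
CLIENT_CONF = "client\nca ca.crt\ncert /etc/openvpn/c.crt\nkey /etc/openvpn/c.key\n"

def demo_key_permissions():  # key file exists but is world-readable (constructed temp file)
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "server.key")
        open(key, "w").close()            # empty placeholder, not a real private key
        os.chmod(key, 0o644)
        return lint(f"key {key}\n")
```

Run `lint(open("/etc/openvpn/myvpnserver.conf").read())` on a real file to have the existence and permission checks applied to the paths it references.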