From b42a35b1a71555543b476dc615470663189b859a Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sun, 12 Mar 2017 12:27:09 +0100
Subject: [PATCH] Initial Import
---
 .gitignore | 5 +
 README.lxc | 6 +
 conf/server-gw-ckubu.conf.sample | 316 +++++++++++
 conf/server-home.conf.sample | 311 ++++++++++
 install_openvpn.txt | 942 +++++++++++++++++++++++++++++++
 5 files changed, 1580 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.lxc
 create mode 100644 conf/server-gw-ckubu.conf.sample
 create mode 100644 conf/server-home.conf.sample
 create mode 100644 install_openvpn.txt
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b34ecd4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+/BAK/*
+*.log
+*.swp
+conf/*.conf
+conf/*.conf
diff --git a/README.lxc b/README.lxc
new file mode 100644
index 0000000..89aa460
--- /dev/null
+++ b/README.lxc
@@ -0,0 +1,6 @@
+
+# - Add to LXC configuration of the host (/var/lib/lxc//config):
+# -
+# - # For OpenVPN
+# - lxc.mount.entry = /dev/net dev/net none bind,create=dir
+# - lxc.cgroup.devices.allow = c 10:200 rwm
diff --git a/conf/server-gw-ckubu.conf.sample b/conf/server-gw-ckubu.conf.sample
new file mode 100644
index 0000000..3b06bd9
--- /dev/null
+++ b/conf/server-gw-ckubu.conf.sample
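Review bot: `conf/*.conf` appears twice in the new .gitignore; the second copy is redundant and should be dropped. The pattern itself does what the repository needs, keeping the tracked `conf/*.conf.sample` files while the site-specific live `conf/*.conf` stays out of version control, so the fix is a one-line deletion.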
@@ -0,0 +1,316 @@
+#################################################
+# Sample OpenVPN 2.0 config file for #
+# multi-client server. #
+# #
+# This file is for the server side #
+# of a many-clients <-> one-server #
+# OpenVPN configuration. #
+# #
+# OpenVPN also supports #
+# single-machine <-> single-machine #
+# configurations (See the Examples page #
+# on the web site for more info). #
+# #
+# This config should work on Windows #
+# or Linux/BSD systems. Remember on #
+# Windows to quote pathnames and use #
+# double backslashes, e.g.: #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+# #
+# Comments are preceded with '#' or ';' #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one. You will need to
+# open up this port on your firewall.
+port
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+
+topology subnet
+route 192.168.63.0 255.255.255.0 >
+route 192.168.64.0 255.255.255.0
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap" if you are ethernet bridging.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one. On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key). Each client
+# and the server must have their own cert and
+# key file. The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys. Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca keys/ca.crt
+cert keys/server.crt
+key keys/server.key # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+# openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys.
+dh keys/dh2048.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file. If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist /etc/openvpn/ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface. Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0. Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients. Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server. Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 10.8.0.0 255.255.255.0"
+push "route 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+
+client-config-dir /etc/openvpn/ccd/server-gw-ckubu
+
+# ---
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir /etc/openvpn/ccd
+;route 192.168.40.128 255.255.255.248
+
+# Then create a file ccd/Thelonious with this line:
+# iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN. This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+# ---
+
+# ---
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+
+# Then add this line to ccd/Thelonious:
+# ifconfig-push 10.9.0.1 10.9.0.2
+# ---
+
+# ---
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients. There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+# group, and firewall the TUN/TAP interface
+# for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+# modify the firewall in response to access
+# from different clients. See man
+# page for more info on learn-address script.
+;learn-address ./script
+# ---
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# the TUN/TAP interface to the internet in
+# order for this to work properly).
+# CAVEAT: May break client's network config if
+# client's local DHCP server packets get routed
+# through the tunnel. Solution: make sure
+# client's local DHCP server is reachable via
+# a more specific route than the default route
+# of 0.0.0.0/0.0.0.0.
+;push "redirect-gateway"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses. CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+;push "dhcp-option WINS 10.8.0.1"
+
+# - Do NOT push DNS settings in THIS configuration. We use
+# - this VPN tunnel as a static line, and the remote host
+# - should user his own dns settings.
+# -
+;push "dhcp-option DNS "
+;push "dhcp-option DOMAIN "
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names. This is recommended
+# only for testing purposes. For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+# openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+tls-auth keys/ta.key 0
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC # Blowfish (default)
+;cipher AES-128-CBC # AES
+;cipher DES-EDE3-CBC # Triple-DES
+cipher AES-256-CBC
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status /var/log/openvpn/status-server-gw-ckubu.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it. Use one
+# or the other (but not both).
+log /var/log/openvpn/server-gw-ckubu.log
+;log-append openvpn.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 4
+
+# Silence repeating messages. At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
+
+crl-verify /etc/openvpn/keys/crl.pem
diff --git a/conf/server-home.conf.sample b/conf/server-home.conf.sample
new file mode 100644
index 0000000..621a333
--- /dev/null
+++ b/conf/server-home.conf.sample
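Review bot: `comp-lzo` compresses the tunnel payload before encryption, which lets a party who can place chosen plaintext into a session infer secrets from ciphertext length (the CRIME/VORACLE class of weaknesses), and `comp-lzo` is also deprecated in current OpenVPN releases. Unless this link genuinely needs compression, replace the line with `comp-lzo no` or remove it, together with the matching line in each client config as the comment above it already requires. The same `comp-lzo` line is present in conf/server-home.conf.sample in the next hunk. Separately, `port`, `server 255.255.255.0` and `push "route 255.255.255.0"` are shown without their port/network arguments; if the committed file really reads this way OpenVPN will refuse to start, so presumably a placeholder was lost in rendering and the committed file is worth checking.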
@@ -0,0 +1,311 @@
+#################################################
+# Sample OpenVPN 2.0 config file for #
+# multi-client server. #
+# #
+# This file is for the server side #
+# of a many-clients <-> one-server #
+# OpenVPN configuration. #
+# #
+# OpenVPN also supports #
+# single-machine <-> single-machine #
+# configurations (See the Examples page #
+# on the web site for more info). #
+# #
+# This config should work on Windows #
+# or Linux/BSD systems. Remember on #
+# Windows to quote pathnames and use #
+# double backslashes, e.g.: #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+# #
+# Comments are preceded with '#' or ';' #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one. You will need to
+# open up this port on your firewall.
+port
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+
+topology subnet
+#route 192.168.63.0 255.255.255.0 10.1.72.1
+#route 192.168.64.0 255.255.255.0 10.1.72.1
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap" if you are ethernet bridging.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one. On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key). Each client
+# and the server must have their own cert and
+# key file. The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys. Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca keys/ca.crt
+cert keys/server.crt
+key keys/server.key # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+# openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys.
+dh keys/dh2048.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file. If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist /etc/openvpn/ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface. Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0. Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients. Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server. Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 10.8.0.0 255.255.255.0"
+push "route 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+
+client-config-dir
+
+# ---
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir /etc/openvpn/ccd
+;route 192.168.40.128 255.255.255.248
+
+# Then create a file ccd/Thelonious with this line:
+# iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN. This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+# ---
+
+# ---
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+
+# Then add this line to ccd/Thelonious:
+# ifconfig-push 10.9.0.1 10.9.0.2
+# ---
+
+# ---
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients. There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+# group, and firewall the TUN/TAP interface
+# for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+# modify the firewall in response to access
+# from different clients. See man
+# page for more info on learn-address script.
+;learn-address ./script
+# ---
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# the TUN/TAP interface to the internet in
+# order for this to work properly).
+# CAVEAT: May break client's network config if
+# client's local DHCP server packets get routed
+# through the tunnel. Solution: make sure
+# client's local DHCP server is reachable via
+# a more specific route than the default route
+# of 0.0.0.0/0.0.0.0.
+;push "redirect-gateway"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses. CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+;push "dhcp-option WINS 10.8.0.1"
+push "dhcp-option DNS "
+push "dhcp-option DOMAIN "
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names. This is recommended
+# only for testing purposes. For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+# openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+tls-auth keys/ta.key 0
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC # Blowfish (default)
+;cipher AES-128-CBC # AES
+;cipher DES-EDE3-CBC # Triple-DES
+cipher AES-256-CBC
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status /var/log/openvpn/status-server-home.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it. Use one
+# or the other (but not both).
+log /var/log/openvpn/server-home.log
+;log-append openvpn.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 4
+
+# Silence repeating messages. At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
+
+crl-verify /etc/openvpn/keys/crl.pem
diff --git a/install_openvpn.txt b/install_openvpn.txt
new file mode 100644
index 0000000..bfac6cf
--- /dev/null
+++ b/install_openvpn.txt
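Review bot: `ifconfig-pool-persist /etc/openvpn/ipp.txt` points this instance at the same persistence file that conf/server-gw-ckubu.conf.sample in the previous hunk uses, although the two daemons serve different subnets; each daemon rewrites the file with its own pool, so the other one may read back stale or foreign-subnet entries after a restart. Give every instance its own file, mirroring the per-instance `status` and `log` names this file already uses, e.g. `ifconfig-pool-persist /etc/openvpn/ipp-server-home.txt`. In addition, `push "dhcp-option DNS "`, `push "dhcp-option DOMAIN "` and `client-config-dir` appear here with no argument; an argument-less `client-config-dir` is rejected by OpenVPN at startup, so presumably a placeholder was lost in rendering and the committed file should be checked.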
@@ -0,0 +1,942 @@ +## - Configuration/Initialization OpenVPN +## - + +# ==================== +# - Some Parameter Settings for using this installation howto +# ==================== + +# --- +# - Parameters OpenVPN Configuration / KEY Creation +# --- + +OPENVPN_BASE_DIR=/etc/openvpn +EASY_RSA_DIR=${OPENVPN_BASE_DIR}/easy-rsa + +# - (3*365+366)*8 = 11688 = 32 Jahre +CA_EXPIRE=11688 +# - (3*365+366)*5 = 7305 = 20 Jahre +KEY_EXPIRE=7305 + +KEY_COUNTRY="DE" +KEY_PROVINCE="Berlin" +KEY_CITY="Berlin" +KEY_ORG="O.OPEN" +KEY_EMAIL="ckubu-adm\@oopen.de" +KEY_OU="Network Services" + +KEY_NAME="VPN 123Comics" +KEY_CN="VPN-123Comics" + +KEY_ALTNAMES="VPN 123Comics" + + +# --- +# - Parameters for Server Configurations ( server-home.conf / server-gw-ckubu.conf) +# --- + +SERVER_PORT_HOME=1194 +OPENVPN_NETWORK_HOME="10.0.142.0" +CCD_HOME="/etc/openvpn/ccd/server-home" + +SERVER_PORT_GW_CKUBU=1195 +OPENVPN_NETWORK_GW_CKUBU="10.1.142.0" +IPV4_OPENVPN_GW_CKUBU="10.1.142.1" +CCD_GW_CKUBU="/etc/openvpn/ccd/server-gw-ckubu" + +MAIN_NETWORK=192.168.142.0 +DNS_SERVER=192.168.142.1 +DOMAIN=123.netz + + + +# ==================== +# - Base Installation OpenVPN +# ==================== + + +## - Package "easy-rsa" contains shell based helper scripts for building +## - certs/keys OpenVPN service and clients. 
+## - +## - Use the package included scripts for building the keys +## - +apt-get install openvpn easy-rsa + + +## - Make the package included scripts available in directory +## - "/etc/openvpn/easy-rsa" +## - +if [ -d "$EASY_RSA_DIR" ]; then + mv $EASY_RSA_DIR ${EASY_RSA_DIR}.`date +%Y%m%d-%H%M` +fi +/usr/bin/make-cadir $EASY_RSA_DIR + +## - Create key directory +## - +if [ -d "${OPENVPN_BASE_DIR}/keys" ]; then + mv ${OPENVPN_BASE_DIR}/keys ${OPENVPN_BASE_DIR}/keys.`date +%Y%m%d-%H%M` +fi +mkdir ${OPENVPN_BASE_DIR}/keys + + +## - Adjust /etc/default/openvpn +## - +## - AUTOSTART="all" +## - +perl -i -n -p -e "s/^(\s*#\s*AUTOSTART=\"all\".*)/##\1\nAUTOSTART=\"all\"/" /etc/default/openvpn + + +## - Adjust /etc/openvpn/easy-rsa/vars +## - +## - add: +## - export BASE_DIR=$OPENVPN_BASE_DIR +## - +## - replace: +## - export EASY_RSA=\$BASE_DIR/easy_rsa +## - export KEY_DIR=\$BASE_DIR/keys +## - +## - # root CA expires in 30 years (= 10950 days) +## - export CA_EXPIRE=$CA_EXPIRE +## - +## - # certificates expires in 20 years (=7300 days) +## - export KEY_EXPIRE=$KEY_EXPIRE +## - +## - export KEY_COUNTRY="$KEY_COUNTRY" +## - export KEY_PROVINCE="$KEY_PROVINCE" +## - export KEY_CITY="$KEY_CITY" +## - export KEY_ORG="$KEY_ORG" +## - export KEY_EMAIL="$KEY_EMAIL" +## - export KEY_OU="$KEY_OU" +## - +## - export KEY_NAME="$KEY_NAME" +## - +## - #export KEY_CN="$KEY_CN" +## - + +perl -i.ORIG -n -p -e "s&^(\s*#*\s*export\s+EASY_RSA=.*)&##\1\nexport BASE_DIR=\"${OPENVPN_BASE_DIR}\"\nexport EASY_RSA=\"\\\$BASE_DIR/easy-rsa\"&" ${EASY_RSA_DIR}/vars +perl -i -n -p -e "s&^(\s*#*\s*export\s+KEY_DIR=.*)&##\1\nexport KEY_DIR=\"\\\$BASE_DIR/keys\"&" ${EASY_RSA_DIR}/vars + +perl -i -n -p -e "s/^(\s*#*\s*export\s+CA_EXPIRE=.*)/##\1\nexport CA_EXPIRE=$CA_EXPIRE/" ${EASY_RSA_DIR}/vars +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_EXPIRE=.*)/##\1\nexport KEY_EXPIRE=$KEY_EXPIRE/" ${EASY_RSA_DIR}/vars + +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_COUNTRY=.*)/##\1\nexport 
KEY_COUNTRY=\"${KEY_COUNTRY}\"/" ${EASY_RSA_DIR}/vars +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_PROVINCE=.*)/##\1\nexport KEY_PROVINCE=\"${KEY_PROVINCE}\"/" ${EASY_RSA_DIR}/vars +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CITY=.*)/##\1\nexport KEY_CITY=\"${KEY_CITY}\"/" ${EASY_RSA_DIR}/vars +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_ORG=.*)/##\1\nexport KEY_ORG=\"${KEY_ORG}\"/" ${EASY_RSA_DIR}/vars +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_EMAIL=.*)/##\1\nexport KEY_EMAIL=\"${KEY_EMAIL}\"/" ${EASY_RSA_DIR}/vars +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_OU=.*)/##\1\nexport KEY_OU=\"${KEY_OU}\"/" ${EASY_RSA_DIR}/vars +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_NAME=.*)/##\1\nexport KEY_NAME=\"${KEY_NAME}\"/" ${EASY_RSA_DIR}/vars + +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CN=.*)/#\1\nexport KEY_CN=\"${KEY_CN}\"/" ${EASY_RSA_DIR}/vars + +echo -e "\nexport KEY_ALTNAMES=\"$KEY_ALTNAMES\"" >> ${EASY_RSA_DIR}/vars + + +## - Ceate file "serial" in key-directory +## - +echo "01" > $OPENVPN_BASE_DIR/keys/serial + +## - Create empty file index.txt at key-directory +## - +touch $OPENVPN_BASE_DIR/keys/index.txt + + + +# ==================== +# - Initial Setup OpenVPN (Root ca / Server key /..) +# ==================== + +cd $EASY_RSA_DIR + +## - source file vars +## - +. vars + + +## - Create Root CA +## - +./build-ca + + +## - Build Diffie-Hellman parameters for the server side +## - of an SSL/TLS connection. +## . +./build-dh + + +## - Build Sever Key +## - +## - As CommonName choose: +## - AK-VPN-server +## - +./build-key-server server + + +## - For extra security beyond that provided +## - by SSL/TLS, create an "HMAC firewall" +## - to help block DoS attacks and UDP port flooding. 
+## - +## - Generate with: +## - openvpn --genkey --secret ta.key +openvpn --genkey --secret $OPENVPN_BASE_DIR/keys/ta.key + + +## - Create empty CRL (Certificate Revokation List) +## - +openssl ca -gencrl -out /etc/openvpn/keys/crl.pem -config $KEY_CONFIG + +cd $OPENVPN_BASE_DIR +ln -s keys/crl.pem + + + +# ==================== +# - Generate Client Keys / Certs +# ==================== + +cd $EASY_RSA_DIR + +## - Build clent key with passphrase included +## - +## - As CommonName choose: +## - ${KEY_CN}- +## - +## - Example: +## - VPN-123Comics.chris +## - +./build-key-pass ## for example ./build-key-pass axel + ## results in axel.key, axel.crt + +./build-key-pass chris + + + +# ==================== +# - Setup OpenVPN Services +# ==================== + +# - Create Log Directorie +# - +mkdir /var/log/openvpn + +# - Create (base) Client Directory +mkdir /etc/openvpn/ccd + +# --- +# - Service server-home +# --- + +mkdir $CCD_HOME + +cat < /etc/openvpn/server-home.conf +################################################# +# Sample OpenVPN 2.0 config file for # +# multi-client server. # +# # +# This file is for the server side # +# of a many-clients <-> one-server # +# OpenVPN configuration. # +# # +# OpenVPN also supports # +# single-machine <-> single-machine # +# configurations (See the Examples page # +# on the web site for more info). # +# # +# This config should work on Windows # +# or Linux/BSD systems. Remember on # +# Windows to quote pathnames and use # +# double backslashes, e.g.: # +# "C:\\Program Files\\OpenVPN\\config\\foo.key" # +# # +# Comments are preceded with '#' or ';' # +################################################# + +# Which local IP address should OpenVPN +# listen on? (optional) +;local a.b.c.d + +# Which TCP/UDP port should OpenVPN listen on? +# If you want to run multiple OpenVPN instances +# on the same machine, use a different port +# number for each one. You will need to +# open up this port on your firewall. 
+port $SERVER_PORT_HOME + +# TCP or UDP server? +;proto tcp +proto udp + + +topology subnet +#route 192.168.63.0 255.255.255.0 10.1.72.1 +#route 192.168.64.0 255.255.255.0 10.1.72.1 + +# "dev tun" will create a routed IP tunnel, +# "dev tap" will create an ethernet tunnel. +# Use "dev tap" if you are ethernet bridging. +# If you want to control access policies +# over the VPN, you must create firewall +# rules for the the TUN/TAP interface. +# On non-Windows systems, you can give +# an explicit unit number, such as tun0. +# On Windows, use "dev-node" for this. +# On most systems, the VPN will not function +# unless you partially or fully disable +# the firewall for the TUN/TAP interface. +;dev tap +dev tun + +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel if you +# have more than one. On XP SP2 or higher, +# you may need to selectively disable the +# Windows firewall for the TAP adapter. +# Non-Windows systems usually don't need this. +;dev-node MyTap + +# SSL/TLS root certificate (ca), certificate +# (cert), and private key (key). Each client +# and the server must have their own cert and +# key file. The server and all clients will +# use the same ca file. +# +# See the "easy-rsa" directory for a series +# of scripts for generating RSA certificates +# and private keys. Remember to use +# a unique Common Name for the server +# and each of the client certificates. +# +# Any X509 key management system can be used. +# OpenVPN can also use a PKCS #12 formatted key file +# (see "pkcs12" directive in man page). +ca keys/ca.crt +cert keys/server.crt +key keys/server.key # This file should be kept secret + +# Diffie hellman parameters. +# Generate your own with: +# openssl dhparam -out dh1024.pem 1024 +# Substitute 2048 for 1024 if you are using +# 2048 bit keys. +dh keys/dh2048.pem + +# Configure server mode and supply a VPN subnet +# for OpenVPN to draw client addresses from. 
+# The server will take 10.8.0.1 for itself, +# the rest will be made available to clients. +# Each client will be able to reach the server +# on 10.8.0.1. Comment this line out if you are +# ethernet bridging. See the man page for more info. +server $OPENVPN_NETWORK_HOME 255.255.255.0 + +# Maintain a record of client <-> virtual IP address +# associations in this file. If OpenVPN goes down or +# is restarted, reconnecting clients can be assigned +# the same virtual IP address from the pool that was +# previously assigned. +ifconfig-pool-persist /etc/openvpn/ipp.txt + +# Configure server mode for ethernet bridging. +# You must first use your OS's bridging capability +# to bridge the TAP interface with the ethernet +# NIC interface. Then you must manually set the +# IP/netmask on the bridge interface, here we +# assume 10.8.0.4/255.255.255.0. Finally we +# must set aside an IP range in this subnet +# (start=10.8.0.50 end=10.8.0.100) to allocate +# to connecting clients. Leave this line commented +# out unless you are ethernet bridging. +;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 + +# Push routes to the client to allow it +# to reach other private subnets behind +# the server. Remember that these +# private subnets will also need +# to know to route the OpenVPN client +# address pool (10.8.0.0/255.255.255.0) +# back to the OpenVPN server. +;push "route 10.8.0.0 255.255.255.0" +push "route $MAIN_NETWORK 255.255.255.0" + +# To assign specific IP addresses to specific +# clients or if a connecting client has a private +# subnet behind it that should also have VPN access, +# use the subdirectory "ccd" for client-specific +# configuration files (see man page for more info). + +client-config-dir $CCD_HOME + +# --- +# EXAMPLE: Suppose the client +# having the certificate common name "Thelonious" +# also has a small subnet behind his connecting +# machine, such as 192.168.40.128/255.255.255.248. 
+# First, uncomment out these lines:
+;client-config-dir /etc/openvpn/ccd
+;route 192.168.40.128 255.255.255.248
+
+# Then create a file ccd/Thelonious with this line:
+# iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN. This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+# ---
+
+# ---
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+
+# Then add this line to ccd/Thelonious:
+# ifconfig-push 10.9.0.1 10.9.0.2
+# ---
+
+# ---
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients. There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+# group, and firewall the TUN/TAP interface
+# for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+# modify the firewall in response to access
+# from different clients. See man
+# page for more info on learn-address script.
+;learn-address ./script
+# ---
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# the TUN/TAP interface to the internet in
+# order for this to work properly).
+# CAVEAT: May break client's network config if
+# client's local DHCP server packets get routed
+# through the tunnel. Solution: make sure
+# client's local DHCP server is reachable via
+# a more specific route than the default route
+# of 0.0.0.0/0.0.0.0.
+;push "redirect-gateway"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses. CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+;push "dhcp-option WINS 10.8.0.1"
+push "dhcp-option DNS ${DNS_SERVER}"
+push "dhcp-option DOMAIN ${DOMAIN}"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names. This is recommended
+# only for testing purposes. For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+# openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+tls-auth keys/ta.key 0
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC # Blowfish (default)
+;cipher AES-128-CBC # AES
+;cipher DES-EDE3-CBC # Triple-DES
+cipher AES-256-CBC
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status /var/log/openvpn/status-server-home.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it. Use one
+# or the other (but not both).
+log /var/log/openvpn/server-home.log
+;log-append openvpn.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 4
+
+# Silence repeating messages. At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
+
+crl-verify /etc/openvpn/keys/crl.pem
+
+EOF
+
+
+# ---
+# - Service server-gw-ckubu
+# ---
+
+mkdir $CCD_GW_CKUBU
+
+cat < /etc/openvpn/server-gw-ckubu.conf
+#################################################
+# Sample OpenVPN 2.0 config file for #
+# multi-client server. #
+# #
+# This file is for the server side #
+# of a many-clients <-> one-server #
+# OpenVPN configuration. #
+# #
+# OpenVPN also supports #
+# single-machine <-> single-machine #
+# configurations (See the Examples page #
+# on the web site for more info). #
+# #
+# This config should work on Windows #
+# or Linux/BSD systems. Remember on #
+# Windows to quote pathnames and use #
+# double backslashes, e.g.: #
+# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
+# #
+# Comments are preceded with '#' or ';' #
+#################################################
+
+# Which local IP address should OpenVPN
+# listen on? (optional)
+;local a.b.c.d
+
+# Which TCP/UDP port should OpenVPN listen on?
+# If you want to run multiple OpenVPN instances
+# on the same machine, use a different port
+# number for each one. You will need to
+# open up this port on your firewall.
+port $SERVER_PORT_GW_CKUBU
+
+# TCP or UDP server?
+;proto tcp
+proto udp
+
+
+topology subnet
+route 192.168.63.0 255.255.255.0 $IPV4_OPENVPN_GW_CKUBU
+route 192.168.64.0 255.255.255.0 $IPV4_OPENVPN_GW_CKUBU
+
+# "dev tun" will create a routed IP tunnel,
+# "dev tap" will create an ethernet tunnel.
+# Use "dev tap" if you are ethernet bridging.
+# If you want to control access policies
+# over the VPN, you must create firewall
+# rules for the the TUN/TAP interface.
+# On non-Windows systems, you can give
+# an explicit unit number, such as tun0.
+# On Windows, use "dev-node" for this.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel if you
+# have more than one. On XP SP2 or higher,
+# you may need to selectively disable the
+# Windows firewall for the TAP adapter.
+# Non-Windows systems usually don't need this.
+;dev-node MyTap
+
+# SSL/TLS root certificate (ca), certificate
+# (cert), and private key (key). Each client
+# and the server must have their own cert and
+# key file. The server and all clients will
+# use the same ca file.
+#
+# See the "easy-rsa" directory for a series
+# of scripts for generating RSA certificates
+# and private keys. Remember to use
+# a unique Common Name for the server
+# and each of the client certificates.
+#
+# Any X509 key management system can be used.
+# OpenVPN can also use a PKCS #12 formatted key file
+# (see "pkcs12" directive in man page).
+ca keys/ca.crt
+cert keys/server.crt
+key keys/server.key # This file should be kept secret
+
+# Diffie hellman parameters.
+# Generate your own with:
+# openssl dhparam -out dh1024.pem 1024
+# Substitute 2048 for 1024 if you are using
+# 2048 bit keys.
+dh keys/dh2048.pem
+
+# Configure server mode and supply a VPN subnet
+# for OpenVPN to draw client addresses from.
+# The server will take 10.8.0.1 for itself,
+# the rest will be made available to clients.
+# Each client will be able to reach the server
+# on 10.8.0.1. Comment this line out if you are
+# ethernet bridging. See the man page for more info.
+server $OPENVPN_NETWORK_GW_CKUBU 255.255.255.0
+
+# Maintain a record of client <-> virtual IP address
+# associations in this file. If OpenVPN goes down or
+# is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was
+# previously assigned.
+ifconfig-pool-persist /etc/openvpn/ipp.txt
+
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface. Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0. Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients. Leave this line commented
+# out unless you are ethernet bridging.
+;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
+
+# Push routes to the client to allow it
+# to reach other private subnets behind
+# the server. Remember that these
+# private subnets will also need
+# to know to route the OpenVPN client
+# address pool (10.8.0.0/255.255.255.0)
+# back to the OpenVPN server.
+;push "route 10.8.0.0 255.255.255.0"
+push "route $MAIN_NETWORK 255.255.255.0"
+
+# To assign specific IP addresses to specific
+# clients or if a connecting client has a private
+# subnet behind it that should also have VPN access,
+# use the subdirectory "ccd" for client-specific
+# configuration files (see man page for more info).
+
+client-config-dir $CCD_GW_CKUBU
+
+# ---
+# EXAMPLE: Suppose the client
+# having the certificate common name "Thelonious"
+# also has a small subnet behind his connecting
+# machine, such as 192.168.40.128/255.255.255.248.
+# First, uncomment out these lines:
+;client-config-dir /etc/openvpn/ccd
+;route 192.168.40.128 255.255.255.248
+
+# Then create a file ccd/Thelonious with this line:
+# iroute 192.168.40.128 255.255.255.248
+# This will allow Thelonious' private subnet to
+# access the VPN. This example will only work
+# if you are routing, not bridging, i.e. you are
+# using "dev tun" and "server" directives.
+# ---
+
+# ---
+# EXAMPLE: Suppose you want to give
+# Thelonious a fixed VPN IP address of 10.9.0.1.
+# First uncomment out these lines:
+;client-config-dir ccd
+;route 10.9.0.0 255.255.255.252
+
+# Then add this line to ccd/Thelonious:
+# ifconfig-push 10.9.0.1 10.9.0.2
+# ---
+
+# ---
+# Suppose that you want to enable different
+# firewall access policies for different groups
+# of clients. There are two methods:
+# (1) Run multiple OpenVPN daemons, one for each
+# group, and firewall the TUN/TAP interface
+# for each group/daemon appropriately.
+# (2) (Advanced) Create a script to dynamically
+# modify the firewall in response to access
+# from different clients. See man
+# page for more info on learn-address script.
+;learn-address ./script
+# ---
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# the TUN/TAP interface to the internet in
+# order for this to work properly).
+# CAVEAT: May break client's network config if
+# client's local DHCP server packets get routed
+# through the tunnel. Solution: make sure
+# client's local DHCP server is reachable via
+# a more specific route than the default route
+# of 0.0.0.0/0.0.0.0.
+;push "redirect-gateway"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses. CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+;push "dhcp-option WINS 10.8.0.1"
+
+# - Do NOT push DNS settings in THIS configuration. We use
+# - this VPN tunnel as a static line, and the remote host
+# - should user his own dns settings.
+# -
+;push "dhcp-option DNS ${DNS_SERVER}"
+;push "dhcp-option DOMAIN ${DOMAIN}"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names. This is recommended
+# only for testing purposes. For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+# openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+tls-auth keys/ta.key 0
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC # Blowfish (default)
+;cipher AES-128-CBC # AES
+;cipher DES-EDE3-CBC # Triple-DES
+cipher AES-256-CBC
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+comp-lzo
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+status /var/log/openvpn/status-server-gw-ckubu.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it. Use one
+# or the other (but not both).
+log /var/log/openvpn/server-gw-ckubu.log
+;log-append openvpn.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 4
+
+# Silence repeating messages. At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
+
+crl-verify /etc/openvpn/keys/crl.pem
+EOF
+
+
+
+# ====================
+# - Start OpenVPN Services
+# ====================
+
+# ----
+# - Notice 1:
+# -
+# - !!!
+# - After Creating a new server configuration, you have to restart the
+# - whole server. Restarting (only) the OpenVPN service does not work.
+# - !!!
+# ---
+
+# ---
+# - Notice 2:
+# -
+# - Add IP Forwarding
+# -
+# - this works immediately:
+# -
+# - echo "1" > /proc/sys/net/ipv4/ip_forward
+# -
+# - to make that persistent against rebooting,
+# - adjust /etc/sysctl.conf
+# -
+# - net.ipv4.ip_forward = 1
+# ---
+
+#service openvpn start
+systemctl start openvpn
+
+
+
+
+## - ------------------------------------------------------------------
+## - ------------------------------------------------------------------
+## - ------------------------------------------------------------------
+
+
+## - Create /etc/openvpn/server-home.conf
+## -
+## - #local 192.168.0.25
+## - port $SERVER_PORT_HOME
+## - proto udp
+## - dev tun
+## - ca keys/ca.crt
+## - cert keys/server.crt
+## - key keys/server.key
+## - dh keys/dh2048.pem
+## - server $OPENVPN_NETWORK_HOME 255.255.255.0
+## - ifconfig-pool-persist /etc/openvpn/ipp.txt
+## - push "route $MAIN_NETWORK 255.255.255.0"
+## - client-config-dir ccd
+## - push "dhcp-option DOMAIN $DOMAIN"
+## - push "dhcp-option DNS $"
+## - client-to-client
+## - keepalive 10 120
+## - tls-auth /etc/openvpn/keys/ta.key 0
+## - comp-lzo
+## - user nobody
+## - group nobody
+## - persist-key
+## - persist-tun
+## - persist-local-ip
+## - persist-remote-ip
+## - status /var/log/openvpn/status-server-home.log
+## - log /var/log/openvpn/server-home.log
+## - verb 4
+## - crl-verify /etc/openvpn/keys/crl.pem
+## -