In this how to, I am going to share how to install setup OpenVPN on Debian 6.0 Squeeze. I am going to use certificate as an authentication mechanism. This how to has been tested on Windows 7 as OpenVPN client.
First, we must ensure everything are up to date by running the following commands: -
apt-get update apt-get upgrade --show-upgraded
Next, start installing OpenVPN and udev dependency by running the following command: -
apt-get install openvpn udev
Now, copy the ‘easy-rsa’ encryption-related tools by running the following command: -
cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
Lets configure the public key infrastructure for OpenVPN. You need configure some variables near end of the /etc/openvpn/easy-rsa/2.0/vars file to reflect your configuration like below: -
export KEY_CITY="Kuala Lumpur"
export KEY_ORG="My Organization"
Run the following commands below in sequence to initialize the certificate authority and the public key infrastructure: -
Next, generate private key for the server by running the following command: -
. /etc/openvpn/easy-rsa/2.0/build-key-server server
You can change the server to your OpenVPN server hostname. The above script will prompt for information and the Common Name for this key will be server. You can leave blank for challenge password. Lastly, you must answer yes to sign the certificate.
Next, you can generate certificate and private key for OpenVPN client by running the following command: -
. /etc/openvpn/easy-rsa/2.0/build-key client1
Note, client1 above is the name of OpenVPN client. You can replace client1 to match each of your client by repeat the step above to create additional certificate and private key.
Next, generate Diffie Hellman Parameters which govern the method of key exchange and authentication used by OpenVPN server by running the following command: -
Next, copy the certificate, key and Diffie Hellman Parameters files to /etc/openvpn directory by running the following commands: -
cd /etc/openvpn/easy-rsa/2.0/keys cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
Now, copy the following certificate and key files from /etc/openvpn/easy-rsa/2.0/keys directory using WinSCP to client Windows system: -
Basically, below is my OpenVPN server configuration located at /etc/openvpn/server.conf directory: -
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 188.8.131.52"
push "dhcp-option DNS 184.108.40.206"
keepalive 5 30
Next, download OpenVPN client Windows installer. After download completed, install the OpenVPN client. Then, you can proceed to create a client1.ovpn file and copy ca.crt client1.crt client1.key to store in C:\Program Files\OpenVPN\config directory. Below is my OpenVPN client configuration in client1.ovpn for Windows 7: -
remote your.openvpn.server 1194
push redirect-gateway def1 in /etc/openvpn/server.conf file, this will enable full encrypted tunneling of client traffic through OpenVPN. You need to uncomment the following line in /etc/sysctl.conf file to enable IPv4 routing feature: -
However, the feature will commit if you reboot the system but you can commit it by running the following command: -
You need to configure iptables to enable traffic forwarding through OpenVPN. Run the following commands: -
touch /usr/local/bin/firewall.sh chmod +x /usr/local/bin/firewall.sh
Now, add the below at /usr/local/bin/firewall.sh file: -
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $oclient -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s $oclient -o eth0 -j SNAT --to your.openvpn.server.ip
Note, if the above POSTROUTING rule doesn’t work, probably you are using OpenVZ and you need to change
venet0 or you need to change to below: -
iptables -t nat -A POSTROUTING -s $oclient -j MASQUERADE
Next, put a line /usr/local/bin/firewall.sh into /etc/rc.local before exit 0 to ensure the iptables rules is created every reboot or power up.
Nevertheless, you can remove OpenVPN client user access by running the following commands: -
. /etc/openvpn/easy-rsa/2.0/vars . /etc/openvpn/easy-rsa/2.0/revoke-full client1
Note, you need to replace client1 to which user you target to remove.
Finally, with all the configuration above I hope you are able to use and enjoy your encrypted traffic over OpenVPN. Thank you.